| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Apr 2021 19:05:13 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Jens Axboe <axboe@...nel.dk>,
syzbot <syzbot+c88a7030da47945a3cc3@...kaller.appspotmail.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, io-uring@...r.kernel.org
Subject: Re: [syzbot] WARNING in mntput_no_expire (2)
On Sun, Apr 04, 2021 at 04:44:06PM +0000, Al Viro wrote:
> On Sun, Apr 04, 2021 at 06:40:40PM +0200, Christian Brauner wrote:
>
> > > Very interesting. What happens if you call loop() twice? And now I wonder
> > > whether it's root or cwd, actually... Hmm...
> > >
> > > How about this:
> > > fd = open("/proc/self/mountinfo", 0);
> > > mkdir("./newroot/foo", 0777);
> > > mount("./newroot/foo", "./newroot/foo", 0, MS_BIND, NULL);
> > > chroot("./newroot");
> > > chdir("/foo");
> > > while (1) {
> > > static char buf[4096];
> > > int n = read(fd, buf, 4096);
> > > if (n <= 0)
> > > break;
> > > write(1, buf, n);
> > > }
> > > close(fd);
> > > drop_caps();
> > > loop();
> > > as the end of namespace_sandbox_proc(), instead of
> > > chroot("./newroot");
> > > chdir("/");
> > > drop_caps();
> > > loop();
> > > sequence we have there?
> >
> > Uhum, well then we oops properly with a null-deref.
>
> Cute... Could you dump namei.o (ideally - with namei.s) from your build
> someplace public?
Yeah, I have at least namei.o
https://drive.google.com/file/d/1AvO1St0YltIrA86DXjp1Xg3ojtS9owGh/view?usp=sharing
Christian
Powered by blists - more mailing lists