lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZMXN=smH-0FN4Ui0zm6P-c=eEwG6fNJ9deTnc0M099UQ@mail.gmail.com>
Date:   Thu, 29 Sep 2022 13:10:19 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc:     Miklos Szeredi <miklos@...redi.hu>, linux-kernel@...r.kernel.org,
        syzbot <syzbot+8346a1aeed52cb04c9ba@...kaller.appspotmail.com>,
        syzkaller-bugs@...glegroups.com,
        Aleksandr Nogikh <nogikh@...gle.com>
Subject: Re: [syzbot] unexpected kernel reboot (8)

On Thu, 29 Sept 2022 at 12:25, Tetsuo Handa
<penguin-kernel@...ove.sakura.ne.jp> wrote:
>
> This is not a kernel bug but a fuzzer's bug.
>
> Looking at https://syzkaller.appspot.com/text?tag=ReproC&x=155622df080000 ,
> this reproducer is reading data from /dev/vcs to [0x20001dc0,0x20003DE0) range,
> and passing subset of this range [0x20002300,0x20003300) as "const void *data"
> argument of mount() syscall which is interpreted as a string.
>
> That is, this problem happens when console screen buffer by chance contained
> kernel messages which the kernel has printk()ed upon boot.
>
> (I defer "#syz invalid" because we need to somehow fix this problem on the fuzzer side.)

Oh, I see, I missed the read from /dev/vcs. Thanks for looking into it.
Thinking of possible solutions I think the easiest thing is to
stricten matching of the reboot message, e.g. require it to start from
the beginning of the line, don't have anything at the end, etc. The
real message should not be subject to any "corruptions".

+Aleksandr, please take care of this.

Not sure if there should be a policy on printing user-provided strings
to dmesg in general or not. Unpriv fs types like tmpfs/fuse
effectively allow the injection of arbitrary messages into dmesg w/o
the permission.


> On 2022/09/28 11:03, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    1707c39ae309 Merge tag 'driver-core-6.0-rc7' of git://git...
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=17324288880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=122d7bd4fc8e0ecb
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8346a1aeed52cb04c9ba
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ca1f54880000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=155622df080000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+8346a1aeed52cb04c9ba@...kaller.appspotmail.com
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ