Message-Id: <B3D40B9C-8FE8-463D-BEA4-8949331BCA23@m.fudan.edu.cn>
Date: Tue, 7 Jan 2025 16:47:50 +0800
From: Kun Hu <huk23@...udan.edu.cn>
Cc: linux-kernel@...r.kernel.org
Subject: Re: Bug: use-after-free in udf_statfs in fs/udf/super.c:2415


>> On 6 Jan 2025 at 23:08, Kun Hu <huk23@...udan.edu.cn> wrote:
>> 
>>> Well, checking the assembly RDI should contain the partition number but it
>>> is apparently some pointer. So the buffer for LVID got corrupted. How that
>>> happened is really impossible to say without a reproducer. The problem
>>> needn't even be in UDF code. So for now it is sadly impossible to do
>>> anything meaningful about this bug.
>>> 
>>> Honza
>>> 
>>> -- 
>>> Jan Kara <jack@...e.com>
>>> SUSE Labs, CR
>> 
>> 
>> Hi, Jan.
>> 
>> There was a bug report with the wrong subject, but the error reported was actually in udf_final_lvid as well; here is the link to the bug:
>> 
>> link: https://lore.kernel.org/lkml/7BCBA139-3942-436A-B7B1-72EDDE51072F@m.fudan.edu.cn/T/
>> 
>> Regarding why this link is mentioned above: for the current bug in this email we tried several times to get a reproducer for C and syzlang, but the location of this bug report changed (see below for the reproducer). The bug still seems to be the same bug that was previously found in the rc3 version, which is the link above.
>> 
>> c reproducer: https://drive.google.com/file/d/13R46qr1MD07VrFICxeBoeuwbuFVzJVBK/view?usp=sharing
>> syzlang reproducer: https://drive.google.com/file/d/1hQiJGYG3Dy1z9mGmsxtDKqJ1BElES2Hh/view?usp=sharing
>> 
>> I may be focusing on the fuzzing method itself; locating this issue is a bit difficult for me, and this new C reproducer is very redundant and doesn't seem to have much value. Could you see whether I can provide any test information to find the root cause of this problem?
>> 
>> The above reproducer is the result I just got, I haven't disabled CONFIG_BLK_DEV_WRITE_MOUNTED yet. Do I need to disable it and then test to observe the result?
>> ——
>> thanks,
>> Kun Hu


Hi, Jan.

This crash has not been reproduced after disabling CONFIG_BLK_DEV_WRITE_MOUNTED.

——
Thanks,
Kun Hu
