| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2453211.1740559313@warthog.procyon.org.uk>
Date: Wed, 26 Feb 2025 08:41:53 +0000
From: David Howells <dhowells@...hat.com>
To: syzbot <syzbot+c0dc46208750f063d0e0@...kaller.appspotmail.com>
Cc: dhowells@...hat.com, Dominique Martinet <asmadeus@...ewreck.org>,
jlayton@...nel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, netfs@...ts.linux.dev,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
syzbot <syzbot+c0dc46208750f063d0e0@...kaller.appspotmail.com> wrote:
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141b4ba4580000
I'm not sure how this would even work.
memcpy((void*)0x4000000001c0, "syz\000", 4);
memcpy((void*)0x400000000480, "./file0\000", 8);
memcpy((void*)0x4000000004c0, "9p\000", 3);
memcpy((void*)0x400000000c00,
"\x56\xc7\x8e\x3c\x73\x3d\x76\x69\x72\x74\x69\x6f\x2c\x6e\x6f\x65\x78"
"\x74\x65\x6e\x64\x2c\x61\x63\x63\x81\x73\x73\x3d\x61\x6e\x79\x2c\x63"
"\x61\x63\x68\x65\x3d\x66\x73\x63\x61\x63\x68\x65\x2c\x76\x65\x72\x73"
"\x69\x6f\x6e\x3d\x39\x70\x32\x30\x30\x30\x2e\x75",
63);
syscall(__NR_mount, /*src=*/0x4000000001c0ul, /*dst=*/0x400000000480ul,
/*type=*/0x4000000004c0ul, /*flags=*/0ul, /*opts=*/0x400000000c00ul);
The options string is rubbish:
[pid 8084] mount("syz", "./file0", "9p", 0, "V\307\216<s=virtio,noextend,acc\201ss=any,cache=fscache,version=9p2000.u") = -1 EINVAL (Invalid argument)
David
Powered by blists - more mailing lists