Message-ID: <CABeNrKXCcXxviXQPdCk2R+o-M0VmOsowtWkTddQ5+Tua9eCrQg@mail.gmail.com>
Date: Wed, 23 Apr 2025 14:05:47 -0700
From: Kane York <kanepyork@...il.com>
To: syzbot+effe7da6578cd423f98f@...kaller.appspotmail.com
Cc: brauner@...nel.org, chao@...nel.org, jack@...e.cz, jaegeuk@...nel.org,
kent.overstreet@...ux.dev, linux-bcachefs@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk
Subject: Re: [syzbot] [f2fs?] INFO: task hung in do_truncate (3)
This crash appears to entirely ignore the provided filesystem images and just
does tricky fallocate calls followed by a truncate, so it should be easier than
normal to diagnose.
The cwd is opened with O_DIRECT. (Or is this EFAULT because the path is nullptr?)
The victim file is created with O_NONBLOCK and O_SYNC; that fd is discarded.
The victim file is opened again with O_SYNC and FALLOC_FL_ZERO_RANGE is called
with a gargantuan size.
The victim file is opened again with O_APPEND (!) and FALLOC_FL_INSERT_RANGE is
called with a modest size.
Truncate is called midway through the just-inserted range.
Annotated calls below.
# https://syzkaller.appspot.com/bug?id=7d29d6d7a773d4f608a33cf6a7593faadb1b5803
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"threaded":true,"repeat":true,"procs":5,"slowdown":1,"sandbox":"none","sandbox_arg":0,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"usb":true,"vhci":true,"wifi":true,"ieee802154":true,"sysctl":true,"swap":true,"tmpdir":true,"segv":true}
# mount file2
syz_mount_image$f2fs(&(0x7f0000000040),
&(0x7f00000000c0)='./file2\x00', 0x0,
&(0x7f0000000300)={[{@...nline_xattr}, {@...nline_dentry},
{@...jquota={'prjjquota', 0x3d, 'active_logs=4'}}, {@...mt_vfsv1},
{@...nline_data}, {@...eap}, {@...ckpoint_diasble}, {@...tboot},
{@...nc_mode_strict}, {@...card_unit_section}]}, 0x21, 0x552d,
&(0x7f000000abc0)="$[removed]")
# EBADF
pread64(0xffffffffffffffff, 0x0, 0x0, 0xfff)
# EBADF
openat$cgroup_freezer_state(0xffffffffffffffff, &(0x7f0000000080), 0x2, 0x0)
# openat(AT_FDCWD, nullptr, O_DIRECT, 0)
# EFAULT?
openat$nullb(0xffffffffffffff9c, 0x0, 0x4000, 0x0)
# mount 'bus'
syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00',
&(0x7f00000000c0)='./bus\x00', 0x20081e,
&(0x7f0000000040)={[{@...elalloc}, {@...ov}, {@...o_da_alloc}]}, 0x1,
0x4ef, &(0x7f00000003c0)="$[removed]")
# open file1
# O_RDWR | O_CREAT | O_NOCTTY | O_NONBLOCK | FASYNC | O_LARGEFILE | O_SYNC
# perm 0500
open(&(0x7f0000000080)='./file1\x00', 0x10b942, 0x140)
# open file1
# O_RDWR | O_CREAT | O_LARGEFILE | O_SYNC
# perm 0210
r0 = open(&(0x7f0000000100)='./file1\x00', 0x109042, 0x88)
# fallocate FALLOC_FL_ZERO_RANGE, offset 0, size 0x7000000
fallocate(r0, 0x10, 0x0, 0x7000000)
# openat(AT_FDCWD) file1
# O_WRONLY | O_CREAT | O_APPEND
# perm 0512
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x441, 0x14a)
# fallocate file1 FALLOC_FL_INSERT_RANGE, offset x4000, size x8000
# EPERM?
fallocate(r1, 0x20, 0x4000, 0x8000)
# truncate file1 size x8001
truncate(&(0x7f00000000c0)='./file1\x00', 0x8001)
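To check annotations like the ones above without a calculator, here is an added Python helper (mine, not from the report, syzkaller or the kernel tree) that decodes raw open(2) flag words, fallocate(2) mode bits and permission words into symbolic names, and reports where a truncate lands relative to a just-inserted range. The constants are the x86-64 / asm-generic kernel ABI values that syzkaller emits; they are hard-coded rather than taken from Python's os module because glibc defines O_LARGEFILE as 0 on x86-64 and would hide that bit. The sample values in the main block are the ones from the reproducer.

```python
"""Decode the raw numbers in a syzkaller reproducer into symbolic names.

Added helper, not part of the bug report or the kernel tree. The constants
are the x86-64 / asm-generic Linux kernel ABI values that syzkaller emits.
They are hard-coded on purpose: on x86-64, glibc (and hence Python's os
module) defines O_LARGEFILE as 0, which would hide the 0x8000 bit.
"""

# The access mode lives in the low two bits of the open(2) flags word.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

# Multi-bit values must be matched before the single bits they contain:
# O_SYNC is __O_SYNC | O_DSYNC and O_TMPFILE is __O_TMPFILE | O_DIRECTORY.
OPEN_FLAG_NAMES = [
    ("O_SYNC", 0x101000),
    ("O_TMPFILE", 0x410000),
    ("O_CREAT", 0x40),
    ("O_EXCL", 0x80),
    ("O_NOCTTY", 0x100),
    ("O_TRUNC", 0x200),
    ("O_APPEND", 0x400),
    ("O_NONBLOCK", 0x800),
    ("O_DSYNC", 0x1000),
    ("FASYNC", 0x2000),
    ("O_DIRECT", 0x4000),
    ("O_LARGEFILE", 0x8000),
    ("O_DIRECTORY", 0x10000),
    ("O_NOFOLLOW", 0x20000),
    ("O_NOATIME", 0x40000),
    ("O_CLOEXEC", 0x80000),
    ("O_PATH", 0x200000),
]

# fallocate(2) mode bits from uapi/linux/falloc.h.
FALLOC_MODE_NAMES = [
    ("FALLOC_FL_KEEP_SIZE", 0x01),
    ("FALLOC_FL_PUNCH_HOLE", 0x02),
    ("FALLOC_FL_NO_HIDE_STALE", 0x04),
    ("FALLOC_FL_COLLAPSE_RANGE", 0x08),
    ("FALLOC_FL_ZERO_RANGE", 0x10),
    ("FALLOC_FL_INSERT_RANGE", 0x20),
    ("FALLOC_FL_UNSHARE_RANGE", 0x40),
]


def _decode_bits(value, table):
    """Peel named masks off value in table order; report leftover bits in hex."""
    names = []
    remaining = value
    for name, mask in table:
        if (remaining & mask) == mask:
            names.append(name)
            remaining &= ~mask
    if remaining:
        names.append(hex(remaining))
    return names


def decode_open_flags(flags):
    """Access mode first, then the named flag bits, then any unknown bits."""
    access = ACCESS_MODES.get(flags & 0x3, "O_ACCMODE=3 (invalid)")
    return [access] + _decode_bits(flags & ~0x3, OPEN_FLAG_NAMES)


def decode_fallocate_mode(mode):
    """Mode 0 has no bits set and means plain preallocation."""
    if mode == 0:
        return ["0 (preallocate)"]
    return _decode_bits(mode, FALLOC_MODE_NAMES)


def octal_mode(mode):
    """Permission word as the octal string used in the annotations: 0x140 -> '0500'."""
    return format(mode, "04o")


def truncate_hits_inserted_range(insert_off, insert_len, new_size):
    """FALLOC_FL_INSERT_RANGE opens the hole [insert_off, insert_off + insert_len);
    returns (start, end, True) when a following truncate to new_size lands inside it."""
    start, end = insert_off, insert_off + insert_len
    return start, end, start <= new_size < end


if __name__ == "__main__":
    # Values taken from the reproducer above.
    for call, flags, perm in [
        ("open file1", 0x10b942, 0x140),
        ("open file1", 0x109042, 0x88),
        ("openat file1", 0x441, 0x14a),
    ]:
        print(f"{call}: {' | '.join(decode_open_flags(flags))}, perm {octal_mode(perm)}")
    print("openat nullb:", " | ".join(decode_open_flags(0x4000)))
    print("fallocate r0:", decode_fallocate_mode(0x10), "len", hex(0x7000000))
    print("fallocate r1:", decode_fallocate_mode(0x20), "off 0x4000 len 0x8000")
    print("truncate 0x8001 vs inserted range:",
          truncate_hits_inserted_range(0x4000, 0x8000, 0x8001))
```

The decoder walks the table in order and clears each matched mask, so two-bit values such as O_SYNC are consumed before the O_DSYNC bit they contain; anything not in the table is reported as a hex remainder rather than silently dropped, which is what you want when a reproducer uses a flag the table does not know.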