Message-ID: <4117981.1753106526@warthog.procyon.org.uk>
Date: Mon, 21 Jul 2025 15:02:06 +0100
From: David Howells <dhowells@...hat.com>
To: syzbot <syzbot+750f21d691e244b473b1@...kaller.appspotmail.com>
Cc: dhowells@...hat.com, linux-afs@...ts.infradead.org,
    linux-kernel@...r.kernel.org, marc.dionne@...istor.com,
    syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [afs?] INFO: task hung in afs_cell_purge (2)

Hi,

In this:

syz_mount_image$erofs(&(0x7f00000003c0), &(0x7f0000000880)='./file0\x00', 0x8000c6, &(0x7f0000000240)=ANY=[], 0x0, 0x17d, &(0x7f0000001ac0)="$eJzsmLFP+kAUx7/vyg/yMy6uLg4SxcHSFjUuxLA5mogaNwlUghYx0EGYdPH/cHZwdvOPMM7qYFwY3Uxqej3oQQR10MT4PsPj+7h313evyXcoGIb5szw+vNyvFe+EAWASaaTU/89GXCO0+tfb83Jraj1/OfeUv041robPIwBB8PnnJwDcFAz4Kg+Cwd1p9VuE6OstCCwovQOCqfQeBLaVdkHYVfpA042w3jT3a55rlhteJRRWGOwwOGHIDffXPSNUtP5IW2+1O4clz3Ob3yg+ml+3IJDX+tPfV282ljY/GwK20jkQNpVeRao3m2gk2v2nE/H5xg/fnwULFr9NxP4UXBDmNX9KaP6R9evH2Va7s1irl6pu1T1ynNyKtWRZy05WGlEUx/jff+lPE9r5/0bUJimJk5LvN+0o9nMniu85rpD+J5CZjfLQ+5Mju4nWSe0jqTLGmHKGYRiGYRiGYRiGYRiGYZgvMAOSX0EldIo4GcDZkNVvAQAA///an3MA")

how do I manually extract the erofs image source, if that is indeed what it
is?  The obvious thought is that it's base64, but '$' isn't a valid character
for that.

Further, though syz-execprog does manage to extract it, it doesn't seem to
contain what the test is expecting:

[727ms] exec opts: procid=3 threaded=1 cover=0 comps=0 dedup=1 signal=0 timeouts=50/5000/1 prog=0 filter=0
spawned worker pid 2
#0 [731ms] -> syz_mount_image$erofs(0x200003c0, 0x20000880, 0x8000c6, 0x20000240, 0x0, 0x17d, 0x20001ac0)
syz_mount_image: size=381 loop='/dev/loop3' dir='./file0' fs='erofs' flags=8388806 opts=''
#0 [771ms] <- syz_mount_image$erofs=0x3
#0 [771ms] -> mkdirat(0xffffffffffffff9c, 0x20000840, 0xa4)
#0 [772ms] <- mkdirat=0x0
#0 [772ms] -> mount$overlay(0x0, 0x0, 0x0, 0x0, 0x0)
#0 [772ms] <- mount$overlay=0xffffffffffffffff errno=14
#0 [772ms] -> chdir(0x20000140)
#0 [773ms] <- chdir=0x0
#0 [773ms] -> mount$afs(0x0, 0x200001c0, 0x200002c0, 0x0, 0x20000580)
#0 [773ms] <- mount$afs=0xffffffffffffffff errno=2
#0 [774ms] -> chdir(0x200000c0)
#0 [775ms] <- chdir=0xffffffffffffffff errno=2
#0 [775ms] -> renameat2(0xffffffffffffff9c, 0x20000480, 0xffffffffffffff9c, 0x20000000, 0x2)
#0 [776ms] <- renameat2=0xffffffffffffffff errno=2 fault=0
2025/07/21 14:21:05 result: hanged=false err=<nil>

Here's an excerpt of the strace over the relevant thread region with the
write(stderr) syscalls filtered out:

memfd_create("syzkaller", 0)            = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbdf4200000
write(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192) = 8192
munmap(0x7fbdf4200000, 8192)            = 0
openat(AT_FDCWD, "/dev/loop6", O_RDWR)  = 4
ioctl(4, LOOP_SET_FD, 3)                = 0
close(3)                                = 0
mkdirat(AT_FDCWD, "./file0", 0777)      = 0
mount("/dev/loop6", "./file0", "erofs", MS_NOSUID|MS_NODEV|MS_MANDLOCK|MS_DIRSYNC|MS_I_VERSION, "") = 0
openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
ioctl(4, LOOP_CLR_FD)                   = 0
close(4)                                = 0
mkdirat(AT_FDCWD, "./bus", 0244)        = 0
mount(NULL, NULL, NULL, 0, NULL)        = -1 EFAULT (Bad address)
chdir("./bus")                          = 0
mount(NULL, "./file0", "afs", 0, "dyn") = -1 ENOENT (No such file or directory)
chdir("./file0")                        = -1 ENOENT (No such file or directory)
renameat2(AT_FDCWD, "./file1", AT_FDCWD, "./file0", RENAME_EXCHANGE) = -1 ENOENT (No such file or directory)


Can you see if this can be reproduced by installing kafs-client and doing:

	systemctl start afs.mount
	cd /afs
	mv --exchange ./file0 ./file1

though possibly this needs running in its own network namespace.

I can't get syz-execprog to actually run the test properly, it would seem.  I
suspect something is missing from my kernel, but I'm not sure what.

David
