lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6hs2ou3giemh2j7lvaldr7akpmrwt56gdh3gjs7i5ouexljggp@2fpes7wzdu6l>
Date: Tue, 5 Aug 2025 09:38:28 -0400
From: Seyediman Seyedarab <imandevel@...il.com>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: minchan@...nel.org, axboe@...nel.dk, linux-kernel@...r.kernel.org, 
	linux-block@...r.kernel.org, syzbot+1a281a451fd8c0945d07@...kaller.appspotmail.com
Subject: Re: [PATCH] zram: fix NULL pointer dereference in
 zcomp_available_show()

On 25/08/05 07:22PM, Sergey Senozhatsky wrote:
> On (25/08/03 02:25), Seyediman Seyedarab wrote:
> > Temporarily add a NULL check in zcomp_available_show() to prevent the
> > crash. The use-after-free issue requires a more comprehensive fix using
> > proper reference counting to ensure the zram structure isn't freed while
> > still in use.
> 
> Not without a reproducer, sorry.  Per my limited experience, attempts
> to fix syzkaller reports w/o reproducers often lead to regressions or
> just more problems.

It can be reproduced with the following code:
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main()
{
    int hot_remove_fd, comp_alg_fd, disksize_fd;
    char buf[256];
    
    system("modprobe -r zram");
    system("modprobe zram");
    
    disksize_fd = open("/sys/block/zram0/disksize", O_WRONLY);
    if (disksize_fd >= 0) {
        write(disksize_fd, "1073741824", 10);
        close(disksize_fd);
    }

    hot_remove_fd = open("/sys/class/zram-control/hot_remove", O_WRONLY);
    comp_alg_fd = open("/sys/block/zram0/comp_algorithm", O_RDONLY);
    
    write(hot_remove_fd, "0", 1);
    
    for (int i = 0; i < 1000000; i++) {
        lseek(comp_alg_fd, 0, SEEK_SET);
        read(comp_alg_fd, buf, sizeof(buf));
        printf("comp_algorithm: %s", buf);
    }
}

Which produces corrupted output sometimes. (it's a race condition, so it
doesn't happen all the time...)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ