Message-ID: <CACT4Y+YkJSLt+-0_wvSHfxi8J1Tn=H-NBeZ+E3h-TAKu53vyqw@mail.gmail.com>
Date: Mon, 2 Mar 2020 09:42:41 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Paul Moore <paul@...l-moore.com>
Cc: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Eric Paris <eparis@...hat.com>,
syzbot <syzbot+9a5e789e4725b9ef1316@...kaller.appspotmail.com>,
a@...table.cc, b.a.t.m.a.n@...ts.open-mesh.org,
Dan Carpenter <dan.carpenter@...cle.com>,
David Miller <davem@...emloft.net>, fzago@...y.com,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
john.hammond@...el.com, linux-audit@...hat.com,
LKML <linux-kernel@...r.kernel.org>, mareklindner@...mailbox.ch,
netdev <netdev@...r.kernel.org>, sw@...onwunderlich.de,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: kernel panic: audit: backlog limit exceeded
On Fri, Feb 28, 2020 at 1:14 AM Paul Moore <paul@...l-moore.com> wrote:
>
> On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov <dvyukov@...gle.com> wrote:
> > On Mon, Feb 24, 2020 at 11:47 PM Paul Moore <paul@...l-moore.com> wrote:
> > > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris <eparis@...hat.com> wrote:
> > > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e00000 (the
> > > > reproducer listed) looks like it is literally fuzzing the AUDIT_SET.
> > > > Which seems like this is working as designed if it is setting the
> > > > failure mode to 2.
> > >
> > > So it is, good catch :) I saw the panic and instinctively chalked
> > > that up to a mistaken config, not expecting that it was what was being
> > > tested.
> >
> > Yes, this audit failure mode is quite unpleasant for fuzzing. And
> > since this is not a top-level syscall argument value, it's effectively
> > impossible to filter out in the fuzzer. Maybe another use case for the
> > "fuzzer lockdown" feature +Tetsuo proposed.
> > With the current state of the things, I think we only have an option
> > to disable fuzzing of audit. Which is a pity because it has found 5 or
> > so real bugs in audit too.
> > But this happened anyway because audit is only reachable from init pid
> > namespace and syzkaller always unshares pid namespace for sandboxing
> > reasons, that was removed accidentally and that's how it managed to
> > find the bugs. But the unshare is restored now:
> > https://github.com/google/syzkaller/commit/5e0e1d1450d7c3497338082fc28912fdd7f93a3c
> >
> > As a side effect all other real bugs in audit will be auto-obsoleted
> > in future if not fixed because they will stop happening.
>
> On the plus side, I did submit fixes for the other real audit bugs
> that syzbot found recently and Linus pulled them into the tree today
> so at least we have that small victory.
+1!
> We could consider adding a fuzz-friendly build time config which would
> disable the panic failsafe, but it probably isn't worth it at the
> moment considering the syzbot's pid namespace limitations.
>
> --
> paul moore
> www.paul-moore.com
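The thread above turns on one configuration detail: an AUDIT_SET request that sets the audit failure mode to 2 makes "backlog limit exceeded" a kernel panic by design rather than a bug. The following script is an added example, not part of the thread or of syzkaller, showing the check a host owner would want: parse the key/value lines that `auditctl -s` prints and report whether the machine is in panic mode, how close the backlog is to its limit, and whether the configuration is locked (enabled = 2) so the mode cannot be flipped at runtime. The status text embedded below is constructed for the example; the AUDIT_FAIL_* values are the ones defined in include/uapi/linux/audit.h.

```python
"""Assess the Linux audit failure mode from `auditctl -s` style output.

Added example (not from the mailing-list thread). It parses the 'key value'
lines that `auditctl -s` prints and flags the configuration discussed in the
thread: failure mode 2, where exceeding the audit backlog limit panics the
kernel. Run it as a script to see the report, or import the functions.
"""

# Failure-mode values from include/uapi/linux/audit.h (AUDIT_FAIL_*).
AUDIT_FAIL_SILENT = 0
AUDIT_FAIL_PRINTK = 1
AUDIT_FAIL_PANIC = 2

FAILURE_NAMES = {
    AUDIT_FAIL_SILENT: "silent (drop records quietly)",
    AUDIT_FAIL_PRINTK: "printk (log the loss, keep running)",
    AUDIT_FAIL_PANIC: "panic (crash the kernel on audit failure)",
}

# Constructed sample of `auditctl -s` output for a host in failure mode 2
# with a small backlog limit, i.e. the state the syzbot reproducer created.
SAMPLE_STATUS = """\
enabled 1
failure 2
pid 812
rate_limit 0
backlog_limit 64
lost 0
backlog 3
backlog_wait_time 60000
loginuid_immutable 0 unlocked
"""


def parse_audit_status(text):
    """Parse 'key value [...]' lines into a dict; numeric values become ints."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        status[key] = int(value) if value.lstrip("-").isdigit() else value
    return status


def assess_failure_mode(status):
    """Return (failure_mode, findings) for a parsed status dict.

    findings is a list of human-readable risk statements; an empty list means
    the host will not panic on audit backlog pressure and its audit
    configuration is locked.
    """
    mode = status.get("failure", AUDIT_FAIL_PRINTK)
    findings = []

    if mode == AUDIT_FAIL_PANIC:
        findings.append("failure mode is 2 (panic): exceeding the audit "
                        "backlog limit will panic the kernel")
        limit = status.get("backlog_limit", 0)
        backlog = status.get("backlog", 0)
        # Backlog already at half the limit or more: a burst of audit
        # records is enough to hit the limit.
        if limit and backlog * 2 >= limit:
            findings.append(f"backlog {backlog} is at or above half of "
                            f"backlog_limit {limit}")

    # enabled == 2 locks the audit configuration until reboot; anything else
    # lets a CAP_AUDIT_CONTROL process in the init pid namespace change the
    # failure mode at runtime with AUDIT_SET (`auditctl -e 2` locks it).
    if status.get("enabled") != 2:
        findings.append("audit configuration is not locked (enabled is not 2): "
                        "the failure mode can still be changed at runtime")

    return mode, findings


def report(text):
    """Format a short report for one status dump."""
    mode, findings = assess_failure_mode(parse_audit_status(text))
    lines = [f"failure mode {mode}: {FAILURE_NAMES.get(mode, 'unknown')}"]
    lines += [f"  - {f}" for f in findings] or ["  - no findings"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_STATUS))
```

On a real host, feed the script the output of `auditctl -s` instead of the constructed sample; the parser ignores trailing words such as the `unlocked` on the `loginuid_immutable` line, so the live format and the sample are handled the same way.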