From: "Ubisectech Sirius" <bugreport@ubisectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@vger.kernel.org>,
"linux-kernel" <linux-kernel@vger.kernel.org>
Cc: "mic" <mic@digikod.net>
Subject: WARNING in current_check_refer_path
Date: Sun, 28 Apr 2024 10:47:02 +0800 [thread overview]
Message-ID: <c426821d-8380-46c4-a494-7008bbd7dd13.bugreport@ubisectech.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3043 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
loop3: detected capacity change from 0 to 1024
------------[ cut here ]------------
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 get_mode_access security/landlock/fs.c:598 [inline]
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 get_mode_access security/landlock/fs.c:578 [inline]
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 current_check_refer_path+0x955/0xa60 security/landlock/fs.c:758
Modules linked in:
CPU: 0 PID: 30368 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:get_mode_access security/landlock/fs.c:598 [inline]
RIP: 0010:get_mode_access security/landlock/fs.c:578 [inline]
RIP: 0010:current_check_refer_path+0x955/0xa60 security/landlock/fs.c:758
Code: e9 76 fb ff ff 41 bc fe ff ff ff e9 6b fb ff ff e8 00 99 77 fd 90 0f 0b 90 41 bc f3 ff ff ff e9 57 fb ff ff e8 ec 98 77 fd 90 <0f> 0b 90 31 db e9 86 f9 ff ff bb 00 08 00 00 e9 7c f9 ff ff 41 ba
RSP: 0018:ffffc90001fb7ba0 EFLAGS: 00010212
RAX: 0000000000000bc5 RBX: ffff88805feeb7b0 RCX: ffffc90006e15000
RDX: 0000000000040000 RSI: ffffffff84125d64 RDI: 0000000000000003
RBP: ffff8880123c5608 R08: 0000000000000003 R09: 000000000000c000
R10: 000000000000f000 R11: 0000000000000000 R12: ffff88805d32fc00
R13: ffff8880123c5608 R14: 0000000000000000 R15: 0000000000000001
FS: 00007fd70c4d8640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c136000 CR3: 000000005b2a0000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
security_path_rename+0x124/0x230 security/security.c:1828
do_renameat2+0x9f6/0xd30 fs/namei.c:4983
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x81/0xa0 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fd70b6900ed
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd70c4d8028 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007fd70b7cbf80 RCX: 00007fd70b6900ed
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 00007fd70b6f14a6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd70b7cbf80 R15: 00007fd70c4b8000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 24750 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
intptr_t res = 0;
memcpy((void*)0x200000c0, "hfsplus\000", 8);
memcpy((void*)0x20000180, "./file2\000", 8);
memcpy((void*)0x200001c0,
"\x70\x61\x72\x74\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x31\x39\x62\x2c\x75\x6d\x61\x73\x6b\x3d\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
"\x30\x31\x2c\x70\x61\x72\x74\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x31\x30\x30\x31\x2c\x6e\x6f\x62\x61\x72\x72\x69"
"\x65\x72\x2c\x64\x65\x63\x6f\x6d\x70\x6f\x73\x65\x2c\x63\x72\x65\x61"
"\x74\x6f\x72\x3d\x1e\xeb\x39\x07\x2c\x67\x69\x64\x3d",
115);
sprintf((char*)0x20000233, "0x%016llx", (long long)0);
memcpy((void*)0x20000245, ",gid=", 5);
sprintf((char*)0x2000024a, "0x%016llx", (long long)0);
memcpy((void*)0x2000025c, ",nls=iso8859-3,uid=", 19);
sprintf((char*)0x2000026f, "0x%016llx", (long long)0);
memcpy((void*)0x20000281,
"\x2c\x63\x72\x65\x61\x74\x6f\x72\x3d\xaf\x2a\xfe\x27\x2c\x75\x6d\x61"
"\x73\x6b\x3d\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x31\x28\x00",
45);
memcpy(
(void*)0x20000d40,
"\x78\x9c\xec\xdd\xcb\x6f\x1c\x77\x1d\x00\xf0\xef\xcc\xae\xed\x5d\x23\x25"
"\x4e\x9b\xb4\x05\x55\xc2\x6a\x44\x41\x58\x24\x7e\xc8\x05\x73\x89\x41\x08"
"\xf9\x50\xa1\x0a\x0e\x9c\x57\x89\xd3\x58\xd9\xb8\x95\xed\x82\x1b\x21\x70"
"\x79\x5e\x7b\xe8\x1f\x50\x0e\xbe\x71\x42\xe2\x1e\x54\xce\x70\x41\x70\xb4"
"\x38\x55\x42\xf4\xc2\xc9\xe2\xb2\x68\x1e\xbb\xde\x78\x77\xed\xdd\x38\xf1"
"\xc6\xf0\xf9\x44\xb3\xf3\x9b\xf9\xbd\xbf\x3b\x33\xbb\xb3\x56\x34\x01\xfc"
"\xdf\x5a\x9b\x8b\xea\xa3\x48\x62\x6d\xee\xcd\xdd\x6c\xfb\x60\x7f\xa9\x79"
"\xb0\xbf\x34\x55\x66\x37\x23\x22\x4b\xa7\x11\xd5\x62\x15\xc9\x66\x44\xf2"
"\x49\xc4\x6a\x14\x4b\x7c\x3e\xdb\x59\x96\x4f\x06\xf5\xf3\xd1\xc6\xca\xf7"
"\xff\xf6\xef\x83\x4f\x8b\xad\x6a\xb9\xe4\xe5\xd3\xde\x7a\x3f\x6b\x45\xc4"
"\x97\x86\x9f\xc5\x5e\xb9\xc4\x6c\x44\x54\xca\x75\xaf\x89\xde\x5d\xb5\xd3"
"\xdb\xbb\x3d\xb0\xbd\xc2\x54\x57\xba\xff\xfc\x93\x4e\x4e\x16\xb0\xeb\xed"
"\xc0\xc1\xb8\xb5\x7a\xec\x8d\x52\x7d\xe0\xf9\x0e\x5c\x1c\x49\xf1\xb9\xd9"
"\x63\x26\x62\xba\xfc\x98\xcc\x3f\xe7\xca\xab\x43\x7a\xbe\xa3\x7b\xfa\x46"
"\xba\xca\x01\x00\x00\xc0\x98\xad\xfd\xeb\xda\xe2\x28\xe5\xeb\xe5\xfa\xf2"
"\x61\x1c\xc6\xee\x85\xbf\x8d\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x73"
"\x55\x3e\xff\x3f\x29\x97\xb4\x9d\x9e\x8d\xa4\xfd\xfc\xff\xc9\x72\x5f\x94"
"\xe9\x0b\xed\xd1\xb8\x07\x00\x00\x00\x00\x00\x00\x00\x00\x3d\x26\x7a\xf6"
"\x4c\xb5\x13\xb7\xfa\xd7\xf8\xe2\x61\x1c\xc6\x6e\x5c\x6a\x6f\xb7\x92\xfc"
"\x6f\xfe\xaf\xe5\x1b\x57\xf3\xd7\xcf\xc5\x7b\xb1\x1d\xeb\xb1\x15\x37\x62"
"\x37\x1a\xb1\x13\x3b\xb1\x15\x0b\x11\x31\xd3\xd5\xd0\xe4\x6e\x63\x67\x67"
"\x6b\x61\x88\x9a\x8b\x7d\x6b\x2e\x3e\x3e\xae\xca\x70\x13\xae\x0d\x57\x0c"
"\x00\x00\x00\x00\x00\x00\x00\xfe\xe7\xfd\x3c\xd6\x8e\xfe\xfe\x0f\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcf\x83\x24\xa2\x52\xac\xf2\xe5\x6a"
"\x3b\x3d\x13\x69\x35\x22\x6a\x11\x31\x99\x95\xdb\x8b\xf8\x4b\x3b\x7d\x41"
"\x24\xfd\x76\x3e\x3a\xff\x71\x00\x00\x00\xc0\x99\xd4\x9e\xa0\xce\xe5\xc3"
"\x38\x8c\xdd\xb8\xd4\xde\x6e\x25\xf9\x3d\xff\x4b\xf9\xfd\x72\x2d\xde\x8b"
"\xcd\xd8\x89\x8d\xd8\x89\x66\xac\xc7\x9d\xf2\x1e\x3a\xbb\xeb\x4f\x0f\xf6"
"\x97\x9a\x07\xfb\x4b\x0f\xb2\xe5\xcc\x43\xcf\x5b\x8c\xe2\xb7\x87\xfe\x3d"
"\xbf\x92\x97\xa8\xc7\xdd\xd8\xc8\xf7\xdc\x88\xdb\xf9\x60\xee\x44\x9a\xd7"
"\xcc\xfc\x23\x22\x1e\xb4\xc7\xd4\x3b\xae\x0f\x3e\xcb\xda\xbe\x55\xf8\xf1"
"\x90\x23\xbb\x53\xae\xb3\xce\x3e\x6c\xff\x8a\x30\x75\xe6\x09\x3f\x05\x33"
"\x11\xd5\x34\x26\x3a\x11\x99\xcf\xc7\x56\x1c\x04\x57\xba\xa3\xd0\x1b\x89"
"\x6f\x7d\x36\xa8\xd1\xd5\x62\x55\x3d\xde\x53\x74\xf7\xb4\x10\x69\xe7\x97"
"\x9f\xab\x45\x0f\x59\xb2\x5f\x4f\xff\xe9\x8e\xf9\xad\x21\x67\x36\x5d\xae"
"\xb3\xf9\xfc\x7a\xd0\x2f\x37\x4f\x5b\xed\xa8\xd3\xbd\x81\x85\x3a\x91\x48"
"\x23\x8f\xc4\x62\xd7\xd1\xf7\xd2\xc9\x31\x8f\xf8\xf2\x1f\x7e\xf7\xe1\xbd"
"\xe6\xe6\xfd\x7b\x77\xb7\xe7\xce\x65\x4a\x67\x92\x9e\x9c\x7d\xfc\x98\x58"
"\xea\x8a\xc4\xcb\x43\x44\xe2\x87\xcf\x6d\x24\xaa\x27\x67\xf7\xc4\x65\x3e"
"\xdf\x79\xad\xb3\xbd\x16\xdf\x8d\x1f\xc4\x5c\xcc\xc6\x5b\xb1\x15\x1b\xf1"
"\xa3\x68\xc4\x4e\xac\x47\x52\xce\xb4\x51\x1e\xcf\xd9\xeb\xcc\xc9\x91\x5a"
"\x7d\x6c\xeb\xad\xd3\x46\x3e\x59\xbe\x2f\x95\x72\xa0\xa7\x8f\x69\x36\xbe"
"\x93\xa7\x1a\xf1\x5a\x5e\xf7\x52\x6c\x44\x12\xef\xc4\x9d\x58\x8f\x37\xf2"
"\x7f\x8b\xb1\x10\x5f\x8f\xe5\x58\x8e\x95\xae\x77\xf8\xda\xc0\x71\xe7\x73"
"\xcb\xaf\xb4\xe9\x68\x67\xfd\xf5\xaf\x94\x89\x7a\x44\xfc\xa6\x5c\x8f\x5b"
"\x71\x51\xc8\xe2\x7a\xa5\x2b\xae\xdd\xd7\xdc\x99\x3c\xaf\x7b\xcf\x51\x94"
"\x5e\x38\xf9\xdd\xfd\xa0\xe7\xda\x78\xfa\x94\xab\x5f\x28\x13\x59\x1f\xbf"
"\x38\xfd\x34\x3d\x47\xc7\x23\xb1\xd0\x15\x89\x17\x4f\x8e\xc4\x6f\x5b\xd9"
"\xeb\x76\x73\xf3\xfe\xd6\xbd\xc6\xbb\x7d\x3e\x5d\x5b\xc9\x44\xbe\xfe\xeb"
"\xf5\x88\x56\xab\xd8\xf7\x7a\x99\x97\x1d\x71\xbf\x3a\xfd\xeb\xcf\x1f\xcf"
"\x3a\xbf\x53\x74\x5d\xc7\xb2\xe3\xe5\x85\xa8\x95\x57\x92\x2b\x31\x51\x0c"
"\xad\xd2\xce\x7b\xb1\x73\x95\x79\x3c\x5e\x93\xe5\x5f\x5c\x8a\xbc\xf4\x58"
"\x5e\x2d\x3b\x9f\xd3\xa2\xa7\xe2\x4c\xfd\xde\xc0\x33\x75\xb2\xfc\x0e\xd7"
"\xdb\xd2\x62\x9e\xf7\x72\xdf\xbc\xa5\x3c\xef\x95\xae\xbc\xee\xef\x5b\x11"
"\xef\x44\xb3\xf3\x7d\x08\x80\xe7\xd8\xf4\x57\xa7\x27\xeb\xff\xac\xff\xb9"
"\xfe\x71\xfd\x97\xf5\x7b\xf5\x37\x6b\xdf\x9e\xfa\xc6\xd4\xab\x93\x31\xf1"
"\xa7\x89\x6f\x56\xe7\x2b\xaf\xa7\xaf\x26\xbf\x8f\x8f\xe3\xa7\x47\xf7\xff"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xc0\x93\xdb\x7e\xff\xe1\xfd\x46\xb3\xb9\xbe\xd5\x3f"
"\x91\x56\x06\x66\x0d\x48\x44\xeb\xe1\xfd\x46\xfb\x49\x3e\xc3\xd6\x8a\xed"
"\xa4\x7c\x92\xce\x48\x7d\x8d\x2b\xd1\x79\xe4\xcf\x73\x32\x9e\x67\x92\x48"
"\x7a\xf6\x64\x33\x7e\x3a\x5d\xb4\x1f\x22\x38\x5a\xad\xf9\xde\x23\x6a\x75"
"\x9c\x81\xfa\xfb\xa8\xb5\xa2\x36\xd4\x94\xa7\xcb\x44\xeb\x72\x11\xa5\x91"
"\xba\x98\x39\x7e\x64\x46\x0c\x28\x3c\x55\x04\xb3\x32\xe0\x3c\x2d\xdf\xa2"
"\x27\x79\xb8\x28\x70\x21\xdc\xdc\x79\xf0\xee\xcd\xed\xf7\x1f\x7e\x6d\xe3"
"\x41\xe3\xed\xf5\xb7\xd7\x37\x27\x96\x97\x57\xe6\x57\x96\xdf\x58\xba\x79"
"\x77\xa3\xb9\x3e\x5f\xbc\x8e\x7b\x94\xc0\xb3\x70\xf4\xbd\x1d\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\xb8\x28\xce\xe3\xff\x4b\x8c\x7b\x8e\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xc0\xc5\xb6\x36\x17\xd5\x47\x91\xc4\xc2\xfc\x8d\xf9\x6c\xfb\x60\x7f\xa9"
"\x99\x2d\xed\xf4\x51\xc9\x6a\x44\xa4\x69\x44\xf2\x93\x88\xe4\x93\x88\xd5"
"\x28\x96\x98\xe9\x6a\x2e\x19\xd4\xcf\x47\x1b\x2b\x95\x88\xf8\xf4\xa8\xad"
"\x6a\xbb\x7c\x7a\x42\xbd\xd6\xd4\x50\xb3\xd8\x2b\x97\x98\x8d\x88\x4a\xb9"
"\x3e\x83\xc7\xda\xbb\x7d\xe6\xf6\x92\xce\x0c\xb3\x80\x5d\x6f\x07\x0e\xc6"
"\xed\xbf\x01\x00\x00\xff\xff\x42\xb5\xed\xe7",
1739);
syz_mount_image(/*fs=*/0x200000c0, /*dir=*/0x20000180,
/*flags=MS_POSIXACL|MS_REC|MS_SYNCHRONOUS|MS_NOEXEC*/ 0x14018,
/*opts=*/0x200001c0, /*chdir=*/0xdc, /*size=*/0x6cb,
/*img=*/0x20000d40);
memcpy((void*)0x20000040, "./file1\000", 8);
memcpy((void*)0x20000080, "./file0\000", 8);
syscall(__NR_rename, /*old=*/0x20000040ul, /*new=*/0x20000080ul);
*(uint64_t*)0x200002c0 = 1;
*(uint64_t*)0x200002c8 = 0;
res = syscall(__NR_landlock_create_ruleset, /*attr=*/0x200002c0ul,
/*size=*/0x10ul, /*flags=*/0ul);
if (res != -1)
r[0] = res;
syscall(__NR_landlock_restrict_self, /*ruleset_fd=*/r[0], /*flags=*/0ul);
syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x5423, /*arg=*/0ul);
memcpy((void*)0x20000100, "./file0\000", 8);
memcpy((void*)0x20000140, "./file0\000", 8);
syscall(__NR_rename, /*old=*/0x20000100ul, /*new=*/0x20000140ul);
return 0;
}
next reply other threads:[~2024-04-28 2:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-28 2:47 Ubisectech Sirius [this message]
2024-04-29 9:05 ` WARNING in current_check_refer_path Mickaël Salaün
2024-04-29 9:16 ` 回复:WARNING " Ubisectech Sirius
2024-04-29 14:46 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c426821d-8380-46c4-a494-7008bbd7dd13.bugreport@ubisectech.com \
--to=bugreport@ubisectech.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).