-
-
Save oswalpalash/bed0eba75def3cdd34a285428e9bcdc4 to your computer and use it in GitHub Desktop.
KASAN: use-after-free Read in inode_cgwb_move_to_attached
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// autogenerated by syzkaller (https://github.com/google/syzkaller) | |
#define _GNU_SOURCE | |
#include <endian.h> | |
#include <errno.h> | |
#include <fcntl.h> | |
#include <stddef.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/ioctl.h> | |
#include <sys/mount.h> | |
#include <sys/stat.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <unistd.h> | |
#include <linux/loop.h> | |
#ifndef __NR_memfd_create | |
#define __NR_memfd_create 319 | |
#endif | |
static unsigned long long procid; | |
struct fs_image_segment { | |
void* data; | |
uintptr_t size; | |
uintptr_t offset; | |
}; | |
static int setup_loop_device(long unsigned size, long unsigned nsegs, struct fs_image_segment* segs, const char* loopname, int* memfd_p, int* loopfd_p) | |
{ | |
int err = 0, loopfd = -1; | |
int memfd = syscall(__NR_memfd_create, "syzkaller", 0); | |
if (memfd == -1) { | |
err = errno; | |
goto error; | |
} | |
if (ftruncate(memfd, size)) { | |
err = errno; | |
goto error_close_memfd; | |
} | |
for (size_t i = 0; i < nsegs; i++) { | |
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { | |
} | |
} | |
loopfd = open(loopname, O_RDWR); | |
if (loopfd == -1) { | |
err = errno; | |
goto error_close_memfd; | |
} | |
if (ioctl(loopfd, LOOP_SET_FD, memfd)) { | |
if (errno != EBUSY) { | |
err = errno; | |
goto error_close_loop; | |
} | |
ioctl(loopfd, LOOP_CLR_FD, 0); | |
usleep(1000); | |
if (ioctl(loopfd, LOOP_SET_FD, memfd)) { | |
err = errno; | |
goto error_close_loop; | |
} | |
} | |
*memfd_p = memfd; | |
*loopfd_p = loopfd; | |
return 0; | |
error_close_loop: | |
close(loopfd); | |
error_close_memfd: | |
close(memfd); | |
error: | |
errno = err; | |
return -1; | |
} | |
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg, volatile long change_dir) | |
{ | |
struct fs_image_segment* segs = (struct fs_image_segment*)segments; | |
int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs; | |
char* mount_opts = (char*)optsarg; | |
char* target = (char*)dir; | |
char* fs = (char*)fsarg; | |
char* source = NULL; | |
char loopname[64]; | |
if (need_loop_device) { | |
memset(loopname, 0, sizeof(loopname)); | |
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); | |
if (setup_loop_device(size, nsegs, segs, loopname, &memfd, &loopfd) == -1) | |
return -1; | |
source = loopname; | |
} | |
mkdir(target, 0777); | |
char opts[256]; | |
memset(opts, 0, sizeof(opts)); | |
if (strlen(mount_opts) > (sizeof(opts) - 32)) { | |
} | |
strncpy(opts, mount_opts, sizeof(opts) - 32); | |
if (strcmp(fs, "iso9660") == 0) { | |
flags |= MS_RDONLY; | |
} else if (strncmp(fs, "ext", 3) == 0) { | |
if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) | |
strcat(opts, ",errors=continue"); | |
} else if (strcmp(fs, "xfs") == 0) { | |
strcat(opts, ",nouuid"); | |
} | |
res = mount(source, target, fs, flags, opts); | |
if (res == -1) { | |
err = errno; | |
goto error_clear_loop; | |
} | |
res = open(target, O_RDONLY | O_DIRECTORY); | |
if (res == -1) { | |
err = errno; | |
goto error_clear_loop; | |
} | |
if (change_dir) { | |
res = chdir(target); | |
if (res == -1) { | |
err = errno; | |
} | |
} | |
error_clear_loop: | |
if (need_loop_device) { | |
ioctl(loopfd, LOOP_CLR_FD, 0); | |
close(loopfd); | |
close(memfd); | |
} | |
errno = err; | |
return res; | |
} | |
uint64_t r[1] = {0xffffffffffffffff}; | |
int main(void) | |
{ | |
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); | |
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); | |
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); | |
intptr_t res = 0; | |
memcpy((void*)0x200000c0, "vfat\000", 5); | |
memcpy((void*)0x20000080, "./file0\000", 8); | |
*(uint64_t*)0x20000140 = 0x20000000; | |
memcpy((void*)0x20000000, "\xeb\x3c\x90\x6d\x8d\x66\x73\xfd\xd2\x61\x74\x00\x02\x80\x01\x00\x02\x40\x00\x00\x04\xf8\x01", 23); | |
*(uint64_t*)0x20000148 = 0x17; | |
*(uint64_t*)0x20000150 = 0; | |
*(uint64_t*)0x20000158 = 0x20000400; | |
memcpy((void*)0x20000400, "\x57\x59\x5a\x4b\x41\x4c\x4c\x45\x52\x20\x20\x08\x5a\xc1\x9f\x69\xf2\xb2\xb1\xea\x1b\x8a\x0a\xc9\x13\x5e\xed\x1d\xf1\xd1\x00\x1c\xc2\xde\x85\x0f\x06\x00\x00\x00\x00\x00\x00\x00\xf7\xe7\x5e\xff\xac\x2a\xc4\xc1\x5e\x29\xfb\x3c\x18\xfa\xff\xf8\xd1\x98\xe3\x12\x47\x5f\xfa\x1d\x00\x00\x00\x00\x00\x00\xad\x25\x82\x2a\x17\xb1\x7f\x46\x3e\x10\x41\x79\xc1\x9c\x2a\xd2\xfb\xdd\xc0\x77\x7d\xf2\xec\x4f\x62\x82\x60\x86\x70\x4d\xc5\x75\xb6\x97\x06\xd1\x15\x47\x81\x27\xd9\xf0\xbe\x59\xcd\xc0\x76\x84\x48\x0b\xe4\xb8\x86\x93\x7d\x8f\xb4\xf0\xff\x94\xe3\xa7\x6e\xcb\xc6\x3c\x2a\xe0\xb3\x87\xef\x96\xd2\x06\x6a\x83\x2e\xb0\x74\x3d\x5b\x8d\x2d\xd7\x53\x1c\x1b\x63\xa8\xb2\x81\xdd\xaa\x3d\x1a\x5a\xb2\xe1\xe3\xed\x7a\xba\x34\x0e\xad\x25\x71\x05\xf3\x6c\xf4\x99\x31\x92\x41\x1d\x5a\xbb\x4c\x65\xf2\xe6\xc2\xb2\x8b\x69\xb9\x68\x1b\x56\xdb\xb1\x9b\x01\x1d\x41\xf6\x17\x3b\x1e\x9d\xe0\xae\x2d\x37\xcc\x0d\x67\x74\x57\xb0\x61\x22\x0e\x7a\xa9\x70\x46\x35\x16\xf0\x82\x4f\x1d\xf4\xdd\x9b\xbf\x16\x5f\xa3\xb0\xea\x49\xdc\xa4\x04\x73\x07\x74\x59\xda\xe8\xce\x5e\x07\x33\x2c\xa1\x1f\x60\xaa\x39\x88\x64\xd5\x2c\x56\x96\x0c\x7d\x5c\x65\xcf\x9f\xe7\xdf\x48\x48\x7d\xf8\x6c\x42\x22\xae\x62\x1f\x0c\x1e\xc0\xbc\x3c\xf7\x94\x3f\xa8\x31\x5d\x96\x31\x40\x0b\x5c\x16\x57\xd4\xfd\x72\x91\xfe\xbd\xc1\xf9\xe0\x04\x65\xfa\xac\x75\xf3\xd1\x60\x46\xef\x88\x84\xbe\xc8\x06\x7e\x1d\xe4\xd0\x6e\xcd\x94\x44\xd6\x3d\x34\x8e\xb2\x20\x9f\xbe\xbc\x00\xc1\xcf\x2a\x4a\x09\x6e\x52\xde\xe0\xdd\xd6\x81\xa9\xf8\xb9\x12\x55\xa8\xa5\xd4\xaf\xd8\x97\xa2\x39\xf4\xae\x53\x95\x97\x3e\xd6\x93\xfa\x0a\xcf\x68\x79\x7f\x73\xd1\xd5\xb7\x26\x90\xe6\x05\x63\xd9\x0d\x8b\x58\xde\x72\xaf\x8d\x1f\x7b\x7e\x9e\xe0\xa9\x39\xd1\x01\x8d\x95\xf0\xe4\x01\x37\x4c\x40\x10\x08\xa7\x0e\x5a\x4b\x32\x42\x3c\x70\xd2\xc6\x99\xeb\xdd\x13\x95\xf4\x00\x00\x00\x00\x00\x00\x00\x00", 450); | |
*(uint64_t*)0x20000160 = 0x1c2; | |
*(uint64_t*)0x20000168 = 0x100; | |
memcpy((void*)0x20000240, "\x69\x6f\x63\x68\x61\x72\x73\x65\x74\x3d\x63\x70\x38\x35\x32\x2c\x6e\x6f\x6e\x75\x6d\x74\x61\x69\x6c\x3d\x30\x2c\x66\x6c\x75\x73\x68\x2c\x73\x68\x6f\x72\x74\x6e\x61\x6d\x65\x3d\x6c\x6f\x77\x65\x72\x2c\x64\x65\x62\x75\x67\x2c\x75\x74\x66\x38\x3d\x31\x2c\x64\x69\x73\x63\x61\x72\x64\x2c\x73\x68\x6f\x72\x74\x6e\x61\x6d\x65\x3d\x6c\x6f\x77\x65\x72\x2c\x6e\x6f\x6e\x75\x6d\x74\x61\x69\x6c\x3d\x30\x2c\x75\x6e\x69\x5f\x78\x6c\x61\x74\x65\x3d\x31\x2c\x72\x6f\x64\x69\x72\x2c\x63\x6f\x64\x65\x70\x61\x67\x65\x3d\x39\x35\x30\x2c\x69\x6f\x63\x68\x61\x72\x73\x65\x74\x3d\x69\x73\x6f\x38\x38\x35\x39\x2d\x36\x2c\x75\x6e\x69\x5f\x78\x6c\x61\x74\x65\x3d\x31\x2c\x72\x6f\x64\x69\x72\x2c\x00\x39\xed\x94\x4f\x9d\x68\x77\xe1\x93\x46\x97\x0f\x21\xda\xcc\xbb\x5f\xde\xaf\x6b\xdb\x1e\x88\x5f\xd3\x81\x66\xbd\x55\x0c", 199); | |
syz_mount_image(0x200000c0, 0x20000080, 0x8000, 2, 0x20000140, 0x2010000, 0x20000240, 0); | |
memcpy((void*)0x20000140, "./file0\000", 8); | |
syscall(__NR_chdir, 0x20000140ul); | |
memcpy((void*)0x20000040, "./bus\000", 6); | |
res = syscall(__NR_creat, 0x20000040ul, 0ul); | |
if (res != -1) | |
r[0] = res; | |
memcpy((void*)0x20000100, "./bus\000", 6); | |
syscall(__NR_unlink, 0x20000100ul); | |
memcpy((void*)0x20000180, "1000000\000", 8); | |
syscall(__NR_write, r[0], 0x20000180ul, 8ul); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment