Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 16:49:23 +0100
From: Quentin Casasnovas <>
Cc: Vegard Nossum <>
Subject: Re: 2015 kernel CVEs

On Tue, Jan 19, 2016 at 12:49:17PM +0100, Hanno Böck wrote:
> On Tue, 19 Jan 2016 14:28:12 +0300
> Dan Carpenter <> wrote:
> > There was only a coupls CVEs that looks like they came from a
> > filesystem fuzzer where you create a corrupt filesystems and then try
> > use them.
> I tried that, but it didn't lead to any results in the kernel [1].
> What I did:
> * Use filesystem checking tools (fsck) and fuzz them with afl
> * Use the queue created by afl and try to mount these with a
>   kasan-enabled kernel
> My conclusion was that the filesystem code in the kernel is relatively
> robust (at least robust enough for this trivial fuzzing).
> But it led to a number of bugs discovered in filesystem fsck tools.

As an experimental toy project, we've managed to implement the glue to have
AFL run on the kernel code, using either a patched afl-as wrapper or a
slightly modified GCC extension written by Dmitry Vyukov for syzkaller
(-fsanitize-coverage=trace-pc), and our conclusion is quite different.

In the month Vegard Nossum has been using it, he reported at least a dozen
problems at mount or readdir time:








It should be noted that most of these problems were found relatively
quickly and without changing much the filesystem code, checksums weren't
disabled for example a part for superblock checksum in btrfs.  And that was
mostly fuzzing the mount/readdir syscalls so a lot more can probably be
found there.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.