Date: Tue, 28 Aug 2018 17:45:37 +0800
From: Xiami <pengyu.tao@...li.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down

On Tue, Aug 28, 2018 at 08:27:50AM +0000, zhrzhang(张洪睿) wrote:
> Hello:
>         When I fuzz, I found the kernel will always have no output from the machine, and the error FS_IOC_FSSETXATTR contributes to this.
> 
>         The syzlog is as below:
> 
> r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0)
> ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})

Your ioctl command 0x8004587d is exactly EXT4_IOC_SHUTDOWN defined in fs/ext4/ext4.h.

> 
>         The PoC looks like this:
> 
> #define _GNU_SOURCE
> 
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> uint64_t r[1] = {0xffffffffffffffff};
> 
> int main(void)
> {
>   /* syzkaller reproducer: map the fixed data area the addresses below point into */
>   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>   long res = 0;
>   memcpy((void*)0x20000140, "./file0", 8);
>   /* create ./file0 on the filesystem of the current directory (ext4 in the report) */
>   res = syscall(__NR_creat, 0x20000140, 0);
>   if (res != -1)
>     r[0] = res;
>   /* struct fsxattr laid out at 0x20000080: xflags, extsize, nextents, projid = 8, cowextsize, pad */
>   *(uint32_t*)0x20000080 = 0;
>   *(uint32_t*)0x20000084 = 0;
>   *(uint32_t*)0x20000088 = 0;
>   *(uint32_t*)0x2000008c = 8;
>   *(uint32_t*)0x20000090 = 0;
>   *(uint64_t*)0x20000098 = 0;
>   /* 0x8004587d is EXT4_IOC_SHUTDOWN, not FS_IOC_FSSETXATTR: ext4 reads the first u32
>    * at this address (0) as the shutdown flags; the call needs CAP_SYS_ADMIN */
>   syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080);
>   return 0;
> }
> ________________________________
> zhrzhang(张洪睿)
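To check the reply's identification the way a triager would, here is an added example (not code from either poster) that decodes an ioctl number into the asm-generic direction/type/nr/size fields and recomputes FS_IOC_FSSETXATTR (_IOW('X', 32, struct fsxattr), 28 bytes) and EXT4_IOC_SHUTDOWN (_IOR('X', 125, __u32)) from their definitions. The bit layout is the one x86 and arm64 use (powerpc and sparc differ); the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* asm-generic/ioctl.h layout: nr:8 | type:8 | size:14 | dir:2 */
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT 8
#define IOC_SIZESHIFT 16
#define IOC_DIRSHIFT  30
#define IOC_NONE  0U
#define IOC_WRITE 1U   /* _IOW: userspace writes the argument to the kernel */
#define IOC_READ  2U   /* _IOR: kernel writes the argument back to userspace */

struct ioc_fields { unsigned dir, type, nr, size; };

/* Split a command number into its four fields. */
struct ioc_fields ioc_decode(uint32_t cmd) {
    struct ioc_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & 0x3u;
    f.size = (cmd >> IOC_SIZESHIFT) & 0x3fffu;
    f.type = (cmd >> IOC_TYPESHIFT) & 0xffu;
    f.nr   = (cmd >> IOC_NRSHIFT)   & 0xffu;
    return f;
}

/* Build a command number, i.e. what the _IOC()/_IOR()/_IOW() macros expand to. */
uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size) {
    return (dir << IOC_DIRSHIFT) | (size << IOC_SIZESHIFT) |
           (type << IOC_TYPESHIFT) | (nr << IOC_NRSHIFT);
}

/* struct fsxattr (uapi linux/fs.h): 5 x u32 + 8 bytes of padding = 28 bytes. */
#define FSXATTR_SIZE 28u
#define FS_IOC_FSSETXATTR_CMD ioc_encode(IOC_WRITE, 'X', 32, FSXATTR_SIZE)
#define EXT4_IOC_SHUTDOWN_CMD ioc_encode(IOC_READ, 'X', 125, (unsigned)sizeof(uint32_t))

/* Name the command a fuzzer log actually issued, whatever label it printed. */
const char *ioc_name(uint32_t cmd) {
    if (cmd == FS_IOC_FSSETXATTR_CMD) return "FS_IOC_FSSETXATTR";
    if (cmd == EXT4_IOC_SHUTDOWN_CMD) return "EXT4_IOC_SHUTDOWN";
    return "unknown";
}

int main(void) {
    uint32_t cmd = 0x8004587d;   /* the number from the syzkaller log above */
    struct ioc_fields f = ioc_decode(cmd);
    printf("0x%08x: dir=%u type='%c' nr=%u size=%u -> %s\n",
           cmd, f.dir, f.type, f.nr, f.size, ioc_name(cmd));
    return 0;
}
```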

