From: Niklas Cassel <cassel@kernel.org>
To: reveliofuzzing <reveliofuzzing@gmail.com>
Cc: Damien Le Moal <dlemoal@kernel.org>, linux-ide@vger.kernel.org
Subject: Re: out-of-bounds write in the function ata_pio_sector
Date: Mon, 20 Jan 2025 14:54:34 +0100
Message-ID: <Z45VmuS-j0bEMf89@ryzen>
In-Reply-To: <CA+-ZZ_gtsDShKeZSupbrwCLtpCvW=p1=citKVXRrSDi3LoZ_9Q@mail.gmail.com>
On Fri, Jan 17, 2025 at 11:42:45AM -0500, reveliofuzzing wrote:
> >
> > However, the .config you provided does not match the bzImage.
> > E.g. the e1000/e1000e driver is not built-in in your .config,
> > so I get no networking, while it is enabled in your bzImage.
> > This makes me worried that you have other changes in your .config.
> > If you still have the exact config for this bzImage, could you please add
> > it as an attachment?
> Hi, we double-checked it but found the config shared above is the one we used.
> CONFIG_E1000XXX is enabled in this config.
You are right.
For some reason it got compiled as a module when I did "make olddefconfig",
with your config as base. Sorry about the confusion!
>
> >
> > I've been using the syz-executor binary that you attached, since the C code
> > pasted below does not compile, it seems like it has some unintended newlines.
> > Perhaps you could add it as an attachment instead?
> Here is the C program:
> https://drive.google.com/file/d/1Uvhqrn-ntEYQT2PBiQjp0xaor-32WYHO/view?usp=sharing
> Please let us know if you still can't compile it. We can take a look
> at how Syzkaller
> generates this C program and compiles it into the syz-executor binary.
Still does not compile for me.
It still appears to have some unintended newlines.
You probably copy pasted it from an editor instead of uploading it/sending
it directly.
One example is:
line380: if (write(1, "executing program\n", sizeof("executing
line381: program\n") - 1)) {}
Strings in C are not allowed to span multiple lines without a backslash
immediately before the newline, or by using string concatenation.
>
> >
> > Also, you only talk about 6.12 kernel. Out of curiosity, have you managed to
> > reproduce this bug on v6.13-rc kernels? Have you tried?
> We haven't tried it yet, but we can do that in the next few days. Will keep you
> posted.
I got an off-list email that mentioned that you could reproduce on 6.13-rc7,
thank you!
Hopefully I will have some time to try to debug this sometime this week.
Kind regards,
Niklas
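The compile failure discussed above comes from a string literal that was split across a line break when the reproducer was pasted. The following checker, added here as an example and not part of the thread or of syzkaller, scans a C source buffer and reports the first line on which a string literal is still open when the newline arrives. It treats a backslash immediately before the newline as a legal line splice and accepts adjacent-literal concatenation, so the two valid forms mentioned in the reply pass while the pasted form is flagged. The three sample inputs are constructed here from the quoted line380/line381 text; nothing else is assumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the pasted reproducer lines as quoted in the reply,
 * with the literal "executing program\n" broken across a newline. */
static const char broken_src[] =
    "if (write(1, \"executing program\\n\", sizeof(\"executing\n"
    "program\\n\") - 1)) {}\n";

/* Constructed sample: same statement repaired with string concatenation. */
static const char fixed_src[] =
    "if (write(1, \"executing program\\n\", sizeof(\"executing \"\n"
    "\"program\\n\") - 1)) {}\n";

/* Constructed sample: a literal continued with backslash-newline. */
static const char continued_src[] =
    "const char *m = \"executing \\\n"
    "program\\n\";\n";

/* Return the 1-based line number of the first line that ends while a
 * string literal is still open, or 0 if no such line exists. Escapes
 * inside literals, char literals and // and block comments are skipped
 * so that a quote character inside them does not open a string. */
int first_unterminated_string_line(const char *src)
{
    int line = 1;
    int in_str = 0, in_chr = 0, in_line_comment = 0, in_block_comment = 0;

    for (size_t i = 0; src[i]; i++) {
        char c = src[i];

        if (in_line_comment) {
            if (c == '\n') { in_line_comment = 0; line++; }
            continue;
        }
        if (in_block_comment) {
            if (c == '*' && src[i + 1] == '/') { in_block_comment = 0; i++; }
            else if (c == '\n') line++;
            continue;
        }
        if (in_str || in_chr) {
            if (c == '\\') {
                if (src[i + 1] == '\n') { line++; i++; } /* legal line splice */
                else if (src[i + 1]) i++;                /* skip escaped char */
                continue;
            }
            if (c == '\n') {
                if (in_str) return line;  /* literal open at end of line */
                in_chr = 0;               /* malformed char literal: not our concern */
                line++;
                continue;
            }
            if (in_str && c == '"') in_str = 0;
            else if (in_chr && c == '\'') in_chr = 0;
            continue;
        }
        if (c == '/' && src[i + 1] == '/') { in_line_comment = 1; i++; }
        else if (c == '/' && src[i + 1] == '*') { in_block_comment = 1; i++; }
        else if (c == '"') in_str = 1;
        else if (c == '\'') in_chr = 1;
        else if (c == '\n') line++;
    }
    return 0;
}

int main(void)
{
    printf("broken:    line %d\n", first_unterminated_string_line(broken_src));
    printf("fixed:     line %d\n", first_unterminated_string_line(fixed_src));
    printf("continued: line %d\n", first_unterminated_string_line(continued_src));
    return 0;
}
```

Running it over a whole reproducer file before attaching it (read the file into a buffer and pass it to first_unterminated_string_line) catches the paste damage without waiting for the recipient's compiler; a non-zero result points at the line that needs the backslash or the closing quote.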
Thread overview: 10+ messages
2025-01-02 2:17 out-of-bounds write in the function ata_pio_sector reveliofuzzing
2025-01-02 10:40 ` Niklas Cassel
2025-01-02 16:23 ` reveliofuzzing
2025-01-17 14:26 ` Niklas Cassel
2025-01-17 16:42 ` reveliofuzzing
2025-01-20 13:54 ` Niklas Cassel [this message]
2025-01-20 16:47 ` reveliofuzzing
2025-01-22 14:59 ` Niklas Cassel
2025-01-29 3:09 ` Martin K. Petersen
2025-01-29 9:57 ` Niklas Cassel