From: "Ubisectech Sirius" <bugreport@ubisectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@vger.kernel.org>,
	"linux-kernel" <linux-kernel@vger.kernel.org>
Cc: "ast" <ast@kernel.org>, "daniel" <daniel@iogearbox.net>,
	"andrii" <andrii@kernel.org>
Subject: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
Date: Tue, 14 May 2024 15:27:23 +0800	[thread overview]
Message-ID: <da22ddaf-384f-4a38-8338-decbfdb929fc.bugreport@ubisectech.com> (raw)


Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered an issue in Linux kernel 6.7. Attached to the email is a PoC file for the issue.

Stack dump:

loop3: detected capacity change from 0 to 8
MTD: Attempt to mount non-MTD device "/dev/loop3"
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10075 at mm/util.c:632 kvmalloc_node+0x199/0x1b0 mm/util.c:632
Modules linked in:
CPU: 1 PID: 10075 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kvmalloc_node+0x199/0x1b0 mm/util.c:632
Code: 02 1d 00 eb aa e8 a7 49 c6 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 36 45 c6 ff 45 85 ed 0f 85 1b ff ff ff e8 88 49 c6 ff 90 <0f> 0b 90 e9 dd fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
RSP: 0018:ffffc90002007b60 EFLAGS: 00010212
RAX: 00000000000023e4 RBX: 0000000000000400 RCX: ffffc90003aaa000
RDX: 0000000000040000 RSI: ffffffff81c3acc8 RDI: 0000000000000005
RBP: 00000037ffffcec8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88805ff6e1b8
FS:  00007fc62205f640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e026000 CR3: 000000005f338000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 kvmalloc include/linux/slab.h:738 [inline]
 kvmalloc_array include/linux/slab.h:756 [inline]
 kvcalloc include/linux/slab.h:761 [inline]
 bpf_uprobe_multi_link_attach+0x3fe/0xf60 kernel/trace/bpf_trace.c:3239
 link_create kernel/bpf/syscall.c:5012 [inline]
 __sys_bpf+0x2e85/0x4e00 kernel/bpf/syscall.c:5453
 __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fc62128fd6d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc62205f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fc6213cbf80 RCX: 00007fc62128fd6d
RDX: 0000000000000040 RSI: 00000000200001c0 RDI: 000000000000001c
RBP: 00007fc6212f14cd R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc6213cbf80 R15: 00007fc62203f000
 </TASK>

Thank you for taking the time to read this email and we look forward to working with you further.

[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 18890 bytes --]

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/loop.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static unsigned long long procid;

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:

//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty.  In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//%    claim that you wrote the original software. If you use this software
//%    in a product, an acknowledgment in the product documentation would be
//%    appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//%    misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler    madler@alumni.caltech.edu

//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

struct puff_state {
  unsigned char* out;
  unsigned long outlen;
  unsigned long outcnt;
  const unsigned char* in;
  unsigned long inlen;
  unsigned long incnt;
  int bitbuf;
  int bitcnt;
  jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) ||
      s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}
struct puff_huffman {
  short* count;
  short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode)
{
  static const short lens[29] = {3,  4,  5,  6,   7,   8,   9,   10,  11, 13,
                                 15, 17, 19, 23,  27,  31,  35,  43,  51, 59,
                                 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
                                 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
      1,    2,    3,    4,    5,    7,    9,    13,    17,    25,
      33,   49,   65,   97,   129,  193,  257,  385,   513,   769,
      1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0,  0,  1,  1,  2,  2,  3,  3,
                                 4, 4, 5,  5,  6,  6,  7,  7,  8,  8,
                                 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
  static const short order[19] = {16, 17, 18, 0, 8,  7, 9,  6, 10, 5,
                                  11, 4,  12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
                const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s)
                      : (type == 1 ? puff_fixed(&s)
                                   : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    errno = -err;
    return -1;
  }
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}

static int setup_loop_device(unsigned char* data, unsigned long size,
                             const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;

error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}

static long syz_mount_image(volatile long fsarg, volatile long dir,
                            volatile long flags, volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
                        (after == '\0' || after == ','));
    }
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }

error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  intptr_t res = 0;
  memcpy((void*)0x20000140, "cramfs\000", 7);
  memcpy((void*)0x20000180, "./file0\000", 8);
  memcpy(
      (void*)0x20000400,
      "\x78\x9c\xec\xd0\xbf\x6b\x1a\x61\x1c\xc7\xf1\xf7\xa3\x56\xed\x4f\x2d\xb5"
      "\xd0\x16\x5a\x0b\x1d\x7a\x28\xe2\x79\x62\xb7\x0e\x5a\x2a\x3d\xa8\x3d\x68"
      "\xb7\x4e\x82\x5e\x69\xc1\x1f\x25\x42\xc8\x18\x03\xd9\x32\xe4\x0f\x70\x88"
      "\x09\x64\x12\x87\x90\x31\x43\x62\x26\x13\x85\x60\xfe\x8d\x1c\x64\x0b\x64"
      "\x31\x3c\x77\x47\xe2\x9c\xf9\x79\x2d\x77\xf7\xfd\x7c\xf9\x1c\xcf\xf3\xf5"
      "\xf3\x54\x23\x0e\x41\x3c\x5f\xda\xcd\xff\x4b\x76\xa7\x63\xd7\xdf\xff\xb4"
      "\x2a\xe5\x5f\x7b\xfb\x07\xcf\x48\x42\x04\x88\xfa\xf9\xf5\xdc\x23\xf7\x0f"
      "\x8b\xf0\x57\x3e\x43\xe0\x74\xa1\x0e\x1c\x3f\xf4\xcb\x6a\xed\x86\xfc\x76"
      "\x8a\xa0\x01\xa5\xc7\xf0\xe7\x5f\xc3\xd6\xf1\x76\x1f\xc9\x59\x82\x5b\x72"
      "\xa6\x7d\x80\xd1\x4b\x6f\xcf\x80\x80\xd3\x25\xca\xc2\x2c\xef\xef\xbd\x09"
      "\xcd\x29\xc5\xee\xfa\xe6\x7d\xf8\x28\xfb\x9e\x7b\xb3\x9c\xf0\x4b\x7b\xe9"
      "\xe1\xe0\xe4\xc7\x24\x60\x66\x52\xbb\x6f\x83\xac\x9b\xe9\xe4\x0b\x01\x2b"
      "\xfe\x7c\x6c\x66\x52\xef\xec\x0d\xa3\xfc\x5a\x2e\xb7\xfa\xb0\x4d\xc9\xcd"
      "\xcf\xb3\xe3\xcc\x59\x76\x38\x98\x4d\x27\x95\xef\x56\xc5\x9a\xe6\x0d\xe3"
      "\x53\x5e\xcf\xe9\x7a\x61\x66\x9d\x4e\xcc\xc2\xea\x26\xa1\x6f\x4f\x96\xe1"
      "\xb7\xd7\x17\xf6\xff\x98\x0a\x73\xe1\xbe\xac\x09\xe8\x09\x18\xb8\xb9\x73"
      "\x24\x9e\x02\xa3\xad\x2b\xab\x89\x90\xc7\xbe\x6c\xc5\x41\xb8\x89\xbc\x5b"
      "\x37\x89\x45\x16\x93\x5a\xf5\xd5\x83\x9d\x6a\x22\x1e\x20\xa8\x21\x50\x14"
      "\x45\x51\x14\x45\x51\x14\x45\x51\x94\x7b\xba\x09\x00\x00\xff\xff\x86\xf5"
      "\x68\x06",
      344);
  syz_mount_image(/*fs=*/0x20000140, /*dir=*/0x20000180, /*flags=*/0,
                  /*opts=*/0x20000340, /*chdir=*/1, /*size=*/0x158,
                  /*img=*/0x20000400);
  memcpy((void*)0x20000040, "./file0\000", 8);
  syscall(__NR_chdir, /*dir=*/0x20000040ul);
  *(uint32_t*)0x20000680 = 2;
  *(uint32_t*)0x20000684 = 3;
  *(uint64_t*)0x20000688 = 0x20000080;
  *(uint8_t*)0x20000080 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 4, 4);
  *(uint16_t*)0x20000082 = 0;
  *(uint32_t*)0x20000084 = 0;
  *(uint8_t*)0x20000088 = 0;
  *(uint8_t*)0x20000089 = 0;
  *(uint16_t*)0x2000008a = 0;
  *(uint32_t*)0x2000008c = 0;
  *(uint8_t*)0x20000090 = 0x95;
  *(uint8_t*)0x20000091 = 0;
  *(uint16_t*)0x20000092 = 0;
  *(uint32_t*)0x20000094 = 0;
  *(uint64_t*)0x20000690 = 0x20000000;
  memcpy((void*)0x20000000, "syzkaller\000", 10);
  *(uint32_t*)0x20000698 = 0;
  *(uint32_t*)0x2000069c = 0;
  *(uint64_t*)0x200006a0 = 0;
  *(uint32_t*)0x200006a8 = 0;
  *(uint32_t*)0x200006ac = 0;
  memset((void*)0x200006b0, 0, 16);
  *(uint32_t*)0x200006c0 = 0;
  *(uint32_t*)0x200006c4 = 0x30;
  *(uint32_t*)0x200006c8 = 0;
  *(uint32_t*)0x200006cc = 0;
  *(uint64_t*)0x200006d0 = 0;
  *(uint32_t*)0x200006d8 = 0;
  *(uint32_t*)0x200006dc = 0;
  *(uint64_t*)0x200006e0 = 0;
  *(uint32_t*)0x200006e8 = 0;
  *(uint32_t*)0x200006ec = 0;
  *(uint32_t*)0x200006f0 = 0;
  *(uint32_t*)0x200006f4 = 0;
  *(uint64_t*)0x200006f8 = 0;
  *(uint64_t*)0x20000700 = 0;
  *(uint32_t*)0x20000708 = 0;
  *(uint32_t*)0x2000070c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000680ul, /*size=*/0x90ul);
  if (res != -1)
    r[0] = res;
  *(uint32_t*)0x200001c0 = r[0];
  *(uint32_t*)0x200001c4 = 0;
  *(uint32_t*)0x200001c8 = 0x30;
  *(uint32_t*)0x200001cc = 0;
  *(uint64_t*)0x200001d0 = 0x20000040;
  memcpy((void*)0x20000040, "./file0\000", 8);
  *(uint64_t*)0x200001d8 = 0x200000c0;
  *(uint64_t*)0x200000c0 = 0;
  *(uint64_t*)0x200001e0 = 0;
  *(uint64_t*)0x200001e8 = 0;
  *(uint32_t*)0x200001f0 = 0xffffff1f;
  *(uint32_t*)0x200001f4 = 1;
  *(uint32_t*)0x200001f8 = 0;
  syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x200001c0ul, /*size=*/0x40ul);
  return 0;
}
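The trace above ends in kvcalloc -> kvmalloc_node with a WARNING rather than an oops, and the PoC's link_create attribute stores 0xffffff1f at the position that, by the uprobe_multi layout in the bpf uapi, is the cnt field. My reading (an assumption, not something the report states) is that this user-supplied count flows straight into the kvcalloc at the traced bpf_trace.c line, and that mm/util.c:632 in 6.7 is kvmalloc_node's guard that refuses sizes above INT_MAX with a one-time warning. The defensive pattern for that class of bug is to cap the count before it reaches the allocator. The following userspace model of such a gate is an added example written for this page; it is not code from the report, from syzkaller or from the kernel, and EXAMPLE_MAX_CNT, check_alloc_count, check_code and checked_array_size are hypothetical names chosen here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on a user-supplied element count (chosen for this
 * example; a kernel subsystem picks its own limit). */
#define EXAMPLE_MAX_CNT (1u << 20)

/* Error codes modelled on the errno values a kernel-side gate would return. */
enum check_result {
    CHECK_OK = 0,
    CHECK_EINVAL = 22,  /* nothing to attach, or a zero-sized element */
    CHECK_E2BIG = 7,    /* count above the cap */
    CHECK_ENOMEM = 12   /* byte size would overflow or exceed INT_MAX */
};

/*
 * Gate a user-controlled count before it reaches an array allocator.
 * On success writes cnt * elem_size to *bytes and returns CHECK_OK.
 */
enum check_result check_alloc_count(uint32_t cnt, size_t elem_size,
                                    size_t *bytes)
{
    if (cnt == 0 || elem_size == 0)
        return CHECK_EINVAL;
    /* Cap first: an explicit upper bound rejects absurd counts without
     * relying on the allocator's own size guard (and its warning). */
    if (cnt > EXAMPLE_MAX_CNT)
        return CHECK_E2BIG;
    /* Multiplication overflow check, the same test kvmalloc_array() makes. */
    if (cnt > SIZE_MAX / elem_size)
        return CHECK_ENOMEM;
    size_t total = (size_t)cnt * elem_size;
    /* Assumption: kvmalloc_node() refuses sizes above INT_MAX; refuse them
     * here too so they never reach it. */
    if (total > INT_MAX)
        return CHECK_ENOMEM;
    *bytes = total;
    return CHECK_OK;
}

/* Result code only, for callers that do not need the byte size. */
int check_code(uint32_t cnt, size_t elem_size)
{
    size_t bytes = 0;
    return (int)check_alloc_count(cnt, elem_size, &bytes);
}

/* Byte size on success, 0 on any rejection. */
size_t checked_array_size(uint32_t cnt, size_t elem_size)
{
    size_t bytes = 0;
    if (check_alloc_count(cnt, elem_size, &bytes) != CHECK_OK)
        return 0;
    return bytes;
}

int main(void)
{
    /* Constructed element size; the last count is the value the PoC stores
     * at the uprobe_multi.cnt position (assumption noted in the lead-in). */
    const size_t elem = 48;
    const uint32_t counts[] = { 1, 16, EXAMPLE_MAX_CNT, EXAMPLE_MAX_CNT + 1,
                                0xffffff1fu };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t bytes = 0;
        enum check_result r = check_alloc_count(counts[i], elem, &bytes);
        printf("cnt=%#x -> result=%d bytes=%zu\n", counts[i], (int)r, bytes);
    }
    return 0;
}
```

The order of the checks matters: the cap comes first so that the count is refused on its own merits, and the overflow and INT_MAX tests stay as a second line of defence for element sizes the cap was not tuned for.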

2024-05-14  7:27 Ubisectech Sirius [this message]
2024-05-15 21:30 ` WARNING: kmalloc bug in bpf_uprobe_multi_link_attach Alexei Starovoitov
2024-05-15 21:47   ` Jiri Olsa
     [not found] <CABOYnLz2e+_0P88RgoDy6epWz9xrM2zhfMQdVrcjNiPqrFcBeQ@mail.gmail.com>
2023-12-11 11:22 ` Masami Hiramatsu
  -- strict thread matches above, loose matches on Subject: below --
2023-12-11  8:12 xingwei lee
2023-12-11 11:29 ` Hou Tao
2023-12-11 13:01   ` Jiri Olsa
2023-12-11 14:34     ` Jiri Olsa
