From: Al Viro <viro@zeniv.linux.org.uk>
To: syzbot <syzbot+6004acbaa1893ad013f0@syzkaller.appspotmail.com>
Cc: arnd@arndb.de, axboe@kernel.dk, bp@alien8.de,
catalin.marinas@arm.com, christian@brauner.io,
dhowells@redhat.com, geert@linux-m68k.org, hare@suse.com,
heiko.carstens@de.ibm.com, hpa@zytor.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
luto@kernel.org, mingo@redhat.com,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
x86@kernel.org
Subject: Re: general protection fault in do_move_mount (2)
Date: Tue, 18 Jun 2019 15:02:40 +0100 [thread overview]
Message-ID: <20190618140239.GA17978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <000000000000bb362d058b96d54d@google.com>
On Tue, Jun 18, 2019 at 03:47:10AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 9e0babf2 Linux 5.2-rc5
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=138b310aa00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d16883d6c7f0d717
> dashboard link: https://syzkaller.appspot.com/bug?extid=6004acbaa1893ad013f0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154e8c2aa00000
IDGI...
mkdir(&(0x7f0000632000)='./file0\x00', 0x0)
mount(0x0, 0x0, 0x0, 0x0, 0x0)
syz_open_procfs(0x0, 0x0)
r0 = open(&(0x7f0000032ff8)='./file0\x00', 0x0, 0x0)
r1 = memfd_create(&(0x7f00000001c0)='\xb3', 0x0)
write$FUSE_DIRENT(r1, &(0x7f0000000080)=ANY=[], 0x29)
move_mount(r0, &(0x7f0000000040)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x66)
reads as if we'd done mkdir ./file0, opened it and then tried
to feed move_mount(2) "./file0" relative to that descriptor.
How the hell has that avoided an instant -ENOENT? On the first
pair, that is - the second one (AT_FDCWD, "./file0") is fine...
Confused... Incidentally, what the hell is
mount(0x0, 0x0, 0x0, 0x0, 0x0)
about? *IF* that really refers to mount(2) with
such arguments, all you'll get is -EFAULT. Way before
it gets to actually doing anything - it won't get past
/* ... and get the mountpoint */
retval = user_path(dir_name, &path);
if (retval)
return retval;
in do_mount(2)...
next prev parent reply other threads:[~2019-06-18 14:03 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-18 10:47 general protection fault in do_move_mount (2) syzbot
2019-06-18 14:02 ` Al Viro [this message]
2019-06-24 9:28 ` Dmitry Vyukov
2019-06-29 20:27 ` [PATCH] vfs: move_mount: reject moving kernel internal mounts Eric Biggers
2019-06-29 20:39 ` Al Viro
2019-07-01 1:08 ` Al Viro
2019-07-01 15:43 ` Eric Biggers
2019-07-01 7:38 ` David Howells
2019-07-01 11:19 ` Al Viro
2019-07-01 16:45 ` Eric Biggers
2019-07-01 18:22 ` Al Viro
2019-07-01 19:20 ` Al Viro
2019-07-02 18:22 ` Eric Biggers
2019-07-09 19:40 ` Eric Biggers
2019-07-09 20:54 ` Al Viro
2019-07-10 3:23 ` 6 new syscalls without tests (was: [PATCH] vfs: move_mount: reject moving kernel internal mounts) Eric Biggers
2019-07-05 9:01 ` move_mount.2 David Howells
2019-06-29 20:39 ` general protection fault in do_move_mount (2) Eric Biggers
2019-07-01 14:59 ` Dmitry Vyukov
2019-07-01 15:18 ` Eric Biggers
2019-07-05 12:17 ` Dmitry Vyukov
2019-07-05 13:02 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190618140239.GA17978@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=arnd@arndb.de \
--cc=axboe@kernel.dk \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=christian@brauner.io \
--cc=dhowells@redhat.com \
--cc=geert@linux-m68k.org \
--cc=hare@suse.com \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=syzbot+6004acbaa1893ad013f0@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.