From: "Ubisectech Sirius" <bugreport@ubisectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@vger.kernel.org>,
"linux-kernel" <linux-kernel@vger.kernel.org>
Cc: "mic" <mic@digikod.net>
Subject: WARNING in current_check_refer_path
Date: Sun, 28 Apr 2024 10:47:02 +0800 [thread overview]
Message-ID: <c426821d-8380-46c4-a494-7008bbd7dd13.bugreport@ubisectech.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3043 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
loop3: detected capacity change from 0 to 1024
------------[ cut here ]------------
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 get_mode_access security/landlock/fs.c:598 [inline]
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 get_mode_access security/landlock/fs.c:578 [inline]
WARNING: CPU: 0 PID: 30368 at security/landlock/fs.c:598 current_check_refer_path+0x955/0xa60 security/landlock/fs.c:758
Modules linked in:
CPU: 0 PID: 30368 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:get_mode_access security/landlock/fs.c:598 [inline]
RIP: 0010:get_mode_access security/landlock/fs.c:578 [inline]
RIP: 0010:current_check_refer_path+0x955/0xa60 security/landlock/fs.c:758
Code: e9 76 fb ff ff 41 bc fe ff ff ff e9 6b fb ff ff e8 00 99 77 fd 90 0f 0b 90 41 bc f3 ff ff ff e9 57 fb ff ff e8 ec 98 77 fd 90 <0f> 0b 90 31 db e9 86 f9 ff ff bb 00 08 00 00 e9 7c f9 ff ff 41 ba
RSP: 0018:ffffc90001fb7ba0 EFLAGS: 00010212
RAX: 0000000000000bc5 RBX: ffff88805feeb7b0 RCX: ffffc90006e15000
RDX: 0000000000040000 RSI: ffffffff84125d64 RDI: 0000000000000003
RBP: ffff8880123c5608 R08: 0000000000000003 R09: 000000000000c000
R10: 000000000000f000 R11: 0000000000000000 R12: ffff88805d32fc00
R13: ffff8880123c5608 R14: 0000000000000000 R15: 0000000000000001
FS: 00007fd70c4d8640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c136000 CR3: 000000005b2a0000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
security_path_rename+0x124/0x230 security/security.c:1828
do_renameat2+0x9f6/0xd30 fs/namei.c:4983
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x81/0xa0 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fd70b6900ed
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd70c4d8028 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007fd70b7cbf80 RCX: 00007fd70b6900ed
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 00007fd70b6f14a6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd70b7cbf80 R15: 00007fd70c4b8000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 24750 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
intptr_t res = 0;
memcpy((void*)0x200000c0, "hfsplus\000", 8);
memcpy((void*)0x20000180, "./file2\000", 8);
memcpy((void*)0x200001c0,
"\x70\x61\x72\x74\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x31\x39\x62\x2c\x75\x6d\x61\x73\x6b\x3d\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
"\x30\x31\x2c\x70\x61\x72\x74\x3d\x30\x78\x30\x30\x30\x30\x30\x30\x30"
"\x30\x30\x30\x30\x30\x31\x30\x30\x31\x2c\x6e\x6f\x62\x61\x72\x72\x69"
"\x65\x72\x2c\x64\x65\x63\x6f\x6d\x70\x6f\x73\x65\x2c\x63\x72\x65\x61"
"\x74\x6f\x72\x3d\x1e\xeb\x39\x07\x2c\x67\x69\x64\x3d",
115);
sprintf((char*)0x20000233, "0x%016llx", (long long)0);
memcpy((void*)0x20000245, ",gid=", 5);
sprintf((char*)0x2000024a, "0x%016llx", (long long)0);
memcpy((void*)0x2000025c, ",nls=iso8859-3,uid=", 19);
sprintf((char*)0x2000026f, "0x%016llx", (long long)0);
memcpy((void*)0x20000281,
"\x2c\x63\x72\x65\x61\x74\x6f\x72\x3d\xaf\x2a\xfe\x27\x2c\x75\x6d\x61"
"\x73\x6b\x3d\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x30"
"\x30\x30\x30\x30\x30\x30\x30\x30\x31\x28\x00",
45);
memcpy(
(void*)0x20000d40,
"\x78\x9c\xec\xdd\xcb\x6f\x1c\x77\x1d\x00\xf0\xef\xcc\xae\xed\x5d\x23\x25"
"\x4e\x9b\xb4\x05\x55\xc2\x6a\x44\x41\x58\x24\x7e\xc8\x05\x73\x89\x41\x08"
"\xf9\x50\xa1\x0a\x0e\x9c\x57\x89\xd3\x58\xd9\xb8\x95\xed\x82\x1b\x21\x70"
"\x79\x5e\x7b\xe8\x1f\x50\x0e\xbe\x71\x42\xe2\x1e\x54\xce\x70\x41\x70\xb4"
"\x38\x55\x42\xf4\xc2\xc9\xe2\xb2\x68\x1e\xbb\xde\x78\x77\xed\xdd\x38\xf1"
"\xc6\xf0\xf9\x44\xb3\xf3\x9b\xf9\xbd\xbf\x3b\x33\xbb\xb3\x56\x34\x01\xfc"
"\xdf\x5a\x9b\x8b\xea\xa3\x48\x62\x6d\xee\xcd\xdd\x6c\xfb\x60\x7f\xa9\x79"
"\xb0\xbf\x34\x55\x66\x37\x23\x22\x4b\xa7\x11\xd5\x62\x15\xc9\x66\x44\xf2"
"\x49\xc4\x6a\x14\x4b\x7c\x3e\xdb\x59\x96\x4f\x06\xf5\xf3\xd1\xc6\xca\xf7"
"\xff\xf6\xef\x83\x4f\x8b\xad\x6a\xb9\xe4\xe5\xd3\xde\x7a\x3f\x6b\x45\xc4"
"\x97\x86\x9f\xc5\x5e\xb9\xc4\x6c\x44\x54\xca\x75\xaf\x89\xde\x5d\xb5\xd3"
"\xdb\xbb\x3d\xb0\xbd\xc2\x54\x57\xba\xff\xfc\x93\x4e\x4e\x16\xb0\xeb\xed"
"\xc0\xc1\xb8\xb5\x7a\xec\x8d\x52\x7d\xe0\xf9\x0e\x5c\x1c\x49\xf1\xb9\xd9"
"\x63\x26\x62\xba\xfc\x98\xcc\x3f\xe7\xca\xab\x43\x7a\xbe\xa3\x7b\xfa\x46"
"\xba\xca\x01\x00\x00\xc0\x98\xad\xfd\xeb\xda\xe2\x28\xe5\xeb\xe5\xfa\xf2"
"\x61\x1c\xc6\xee\x85\xbf\x8d\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x73"
"\x55\x3e\xff\x3f\x29\x97\xb4\x9d\x9e\x8d\xa4\xfd\xfc\xff\xc9\x72\x5f\x94"
"\xe9\x0b\xed\xd1\xb8\x07\x00\x00\x00\x00\x00\x00\x00\x00\x3d\x26\x7a\xf6"
"\x4c\xb5\x13\xb7\xfa\xd7\xf8\xe2\x61\x1c\xc6\x6e\x5c\x6a\x6f\xb7\x92\xfc"
"\x6f\xfe\xaf\xe5\x1b\x57\xf3\xd7\xcf\xc5\x7b\xb1\x1d\xeb\xb1\x15\x37\x62"
"\x37\x1a\xb1\x13\x3b\xb1\x15\x0b\x11\x31\xd3\xd5\xd0\xe4\x6e\x63\x67\x67"
"\x6b\x61\x88\x9a\x8b\x7d\x6b\x2e\x3e\x3e\xae\xca\x70\x13\xae\x0d\x57\x0c"
"\x00\x00\x00\x00\x00\x00\x00\xfe\xe7\xfd\x3c\xd6\x8e\xfe\xfe\x0f\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xcf\x83\x24\xa2\x52\xac\xf2\xe5\x6a"
"\x3b\x3d\x13\x69\x35\x22\x6a\x11\x31\x99\x95\xdb\x8b\xf8\x4b\x3b\x7d\x41"
"\x24\xfd\x76\x3e\x3a\xff\x71\x00\x00\x00\xc0\x99\xd4\x9e\xa0\xce\xe5\xc3"
"\x38\x8c\xdd\xb8\xd4\xde\x6e\x25\xf9\x3d\xff\x4b\xf9\xfd\x72\x2d\xde\x8b"
"\xcd\xd8\x89\x8d\xd8\x89\x66\xac\xc7\x9d\xf2\x1e\x3a\xbb\xeb\x4f\x0f\xf6"
"\x97\x9a\x07\xfb\x4b\x0f\xb2\xe5\xcc\x43\xcf\x5b\x8c\xe2\xb7\x87\xfe\x3d"
"\xbf\x92\x97\xa8\xc7\xdd\xd8\xc8\xf7\xdc\x88\xdb\xf9\x60\xee\x44\x9a\xd7"
"\xcc\xfc\x23\x22\x1e\xb4\xc7\xd4\x3b\xae\x0f\x3e\xcb\xda\xbe\x55\xf8\xf1"
"\x90\x23\xbb\x53\xae\xb3\xce\x3e\x6c\xff\x8a\x30\x75\xe6\x09\x3f\x05\x33"
"\x11\xd5\x34\x26\x3a\x11\x99\xcf\xc7\x56\x1c\x04\x57\xba\xa3\xd0\x1b\x89"
"\x6f\x7d\x36\xa8\xd1\xd5\x62\x55\x3d\xde\x53\x74\xf7\xb4\x10\x69\xe7\x97"
"\x9f\xab\x45\x0f\x59\xb2\x5f\x4f\xff\xe9\x8e\xf9\xad\x21\x67\x36\x5d\xae"
"\xb3\xf9\xfc\x7a\xd0\x2f\x37\x4f\x5b\xed\xa8\xd3\xbd\x81\x85\x3a\x91\x48"
"\x23\x8f\xc4\x62\xd7\xd1\xf7\xd2\xc9\x31\x8f\xf8\xf2\x1f\x7e\xf7\xe1\xbd"
"\xe6\xe6\xfd\x7b\x77\xb7\xe7\xce\x65\x4a\x67\x92\x9e\x9c\x7d\xfc\x98\x58"
"\xea\x8a\xc4\xcb\x43\x44\xe2\x87\xcf\x6d\x24\xaa\x27\x67\xf7\xc4\x65\x3e"
"\xdf\x79\xad\xb3\xbd\x16\xdf\x8d\x1f\xc4\x5c\xcc\xc6\x5b\xb1\x15\x1b\xf1"
"\xa3\x68\xc4\x4e\xac\x47\x52\xce\xb4\x51\x1e\xcf\xd9\xeb\xcc\xc9\x91\x5a"
"\x7d\x6c\xeb\xad\xd3\x46\x3e\x59\xbe\x2f\x95\x72\xa0\xa7\x8f\x69\x36\xbe"
"\x93\xa7\x1a\xf1\x5a\x5e\xf7\x52\x6c\x44\x12\xef\xc4\x9d\x58\x8f\x37\xf2"
"\x7f\x8b\xb1\x10\x5f\x8f\xe5\x58\x8e\x95\xae\x77\xf8\xda\xc0\x71\xe7\x73"
"\xcb\xaf\xb4\xe9\x68\x67\xfd\xf5\xaf\x94\x89\x7a\x44\xfc\xa6\x5c\x8f\x5b"
"\x71\x51\xc8\xe2\x7a\xa5\x2b\xae\xdd\xd7\xdc\x99\x3c\xaf\x7b\xcf\x51\x94"
"\x5e\x38\xf9\xdd\xfd\xa0\xe7\xda\x78\xfa\x94\xab\x5f\x28\x13\x59\x1f\xbf"
"\x38\xfd\x34\x3d\x47\xc7\x23\xb1\xd0\x15\x89\x17\x4f\x8e\xc4\x6f\x5b\xd9"
"\xeb\x76\x73\xf3\xfe\xd6\xbd\xc6\xbb\x7d\x3e\x5d\x5b\xc9\x44\xbe\xfe\xeb"
"\xf5\x88\x56\xab\xd8\xf7\x7a\x99\x97\x1d\x71\xbf\x3a\xfd\xeb\xcf\x1f\xcf"
"\x3a\xbf\x53\x74\x5d\xc7\xb2\xe3\xe5\x85\xa8\x95\x57\x92\x2b\x31\x51\x0c"
"\xad\xd2\xce\x7b\xb1\x73\x95\x79\x3c\x5e\x93\xe5\x5f\x5c\x8a\xbc\xf4\x58"
"\x5e\x2d\x3b\x9f\xd3\xa2\xa7\xe2\x4c\xfd\xde\xc0\x33\x75\xb2\xfc\x0e\xd7"
"\xdb\xd2\x62\x9e\xf7\x72\xdf\xbc\xa5\x3c\xef\x95\xae\xbc\xee\xef\x5b\x11"
"\xef\x44\xb3\xf3\x7d\x08\x80\xe7\xd8\xf4\x57\xa7\x27\xeb\xff\xac\xff\xb9"
"\xfe\x71\xfd\x97\xf5\x7b\xf5\x37\x6b\xdf\x9e\xfa\xc6\xd4\xab\x93\x31\xf1"
"\xa7\x89\x6f\x56\xe7\x2b\xaf\xa7\xaf\x26\xbf\x8f\x8f\xe3\xa7\x47\xf7\xff"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xc0\x93\xdb\x7e\xff\xe1\xfd\x46\xb3\xb9\xbe\xd5\x3f"
"\x91\x56\x06\x66\x0d\x48\x44\xeb\xe1\xfd\x46\xfb\x49\x3e\xc3\xd6\x8a\xed"
"\xa4\x7c\x92\xce\x48\x7d\x8d\x2b\xd1\x79\xe4\xcf\x73\x32\x9e\x67\x92\x48"
"\x7a\xf6\x64\x33\x7e\x3a\x5d\xb4\x1f\x22\x38\x5a\xad\xf9\xde\x23\x6a\x75"
"\x9c\x81\xfa\xfb\xa8\xb5\xa2\x36\xd4\x94\xa7\xcb\x44\xeb\x72\x11\xa5\x91"
"\xba\x98\x39\x7e\x64\x46\x0c\x28\x3c\x55\x04\xb3\x32\xe0\x3c\x2d\xdf\xa2"
"\x27\x79\xb8\x28\x70\x21\xdc\xdc\x79\xf0\xee\xcd\xed\xf7\x1f\x7e\x6d\xe3"
"\x41\xe3\xed\xf5\xb7\xd7\x37\x27\x96\x97\x57\xe6\x57\x96\xdf\x58\xba\x79"
"\x77\xa3\xb9\x3e\x5f\xbc\x8e\x7b\x94\xc0\xb3\x70\xf4\xbd\x1d\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\xb8\x28\xce\xe3\xff\x4b\x8c\x7b\x8e\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xc0\xc5\xb6\x36\x17\xd5\x47\x91\xc4\xc2\xfc\x8d\xf9\x6c\xfb\x60\x7f\xa9"
"\x99\x2d\xed\xf4\x51\xc9\x6a\x44\xa4\x69\x44\xf2\x93\x88\xe4\x93\x88\xd5"
"\x28\x96\x98\xe9\x6a\x2e\x19\xd4\xcf\x47\x1b\x2b\x95\x88\xf8\xf4\xa8\xad"
"\x6a\xbb\x7c\x7a\x42\xbd\xd6\xd4\x50\xb3\xd8\x2b\x97\x98\x8d\x88\x4a\xb9"
"\x3e\x83\xc7\xda\xbb\x7d\xe6\xf6\x92\xce\x0c\xb3\x80\x5d\x6f\x07\x0e\xc6"
"\xed\xbf\x01\x00\x00\xff\xff\x42\xb5\xed\xe7",
1739);
syz_mount_image(/*fs=*/0x200000c0, /*dir=*/0x20000180,
/*flags=MS_POSIXACL|MS_REC|MS_SYNCHRONOUS|MS_NOEXEC*/ 0x14018,
/*opts=*/0x200001c0, /*chdir=*/0xdc, /*size=*/0x6cb,
/*img=*/0x20000d40);
memcpy((void*)0x20000040, "./file1\000", 8);
memcpy((void*)0x20000080, "./file0\000", 8);
syscall(__NR_rename, /*old=*/0x20000040ul, /*new=*/0x20000080ul);
*(uint64_t*)0x200002c0 = 1;
*(uint64_t*)0x200002c8 = 0;
res = syscall(__NR_landlock_create_ruleset, /*attr=*/0x200002c0ul,
/*size=*/0x10ul, /*flags=*/0ul);
if (res != -1)
r[0] = res;
syscall(__NR_landlock_restrict_self, /*ruleset_fd=*/r[0], /*flags=*/0ul);
syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x5423, /*arg=*/0ul);
memcpy((void*)0x20000100, "./file0\000", 8);
memcpy((void*)0x20000140, "./file0\000", 8);
syscall(__NR_rename, /*old=*/0x20000100ul, /*new=*/0x20000140ul);
return 0;
}
next reply other threads:[~2024-04-28 2:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-28 2:47 Ubisectech Sirius [this message]
2024-04-29 9:05 ` WARNING in current_check_refer_path Mickaël Salaün
2024-04-29 9:16 ` 回复:WARNING " Ubisectech Sirius
2024-04-29 14:46 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c426821d-8380-46c4-a494-7008bbd7dd13.bugreport@ubisectech.com \
--to=bugreport@ubisectech.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.