[Linux kernel bug] BUG: unable to handle kernel NULL pointer dereference in stack_depot_save_flags
From: Sam Sun
Date: Tue May 21 2024 - 09:57:40 EST
Dear developers and maintainers,
We encountered a null pointer dereference bug while using our modified
syzkaller. It was tested against the upstream kernel (6.9). The kernel
is compiled by clang-14, kernel config is attached to this email.
Kernel crash log is listed below.
```
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:find_stack lib/stackdepot.c:553 [inline]
RIP: 0010:stack_depot_save_flags+0x1a0/0x850 lib/stackdepot.c:618
Code: 48 89 54 24 18 31 f6 4c 89 44 24 10 e8 69 be c7 ff 31 f6 4c 8b
44 24 10 48 8b 54 24 18 45 85 e4 75 62 4d 8b 3f 49 39 d7 74 5d <45> 39
77 10 75 f2 45 39 47 14 75 ec 31 c0 49 8b 4c c5 00 49 3b 4c
RSP: 0018:ffffc900001e7540 EFLAGS: 00010203
RAX: ffff8880bd200000 RBX: 0000000000000001 RCX: 00000000002086f0
RDX: ffff8880bd4086f0 RSI: 0000000000000000 RDI: 0000000080adfd56
RBP: 0000000000000010 R08: 0000000000000010 R09: ffffc900001e7510
R10: 0000000000000003 R11: ffffffff817b2e00 R12: 1ffff9200003ceb8
R13: ffffc900001e75e0 R14: 00000000fac2086f R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000000db34000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
save_stack+0xf7/0x1e0 mm/page_owner.c:157
__set_page_owner+0x89/0x560 mm/page_owner.c:325
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0x7d2/0x850 mm/page_alloc.c:3317
__alloc_pages+0x25e/0x580 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x6b/0x1a0 mm/slub.c:2190
allocate_slab+0x5d/0x200 mm/slub.c:2353
new_slab mm/slub.c:2406 [inline]
___slab_alloc+0xa95/0xf20 mm/slub.c:3592
__slab_alloc mm/slub.c:3682 [inline]
__slab_alloc_node mm/slub.c:3735 [inline]
slab_alloc_node mm/slub.c:3908 [inline]
kmem_cache_alloc_node+0x245/0x390 mm/slub.c:3961
__alloc_skb+0x19b/0x3f0 net/core/skbuff.c:656
alloc_skb include/linux/skbuff.h:1308 [inline]
nlmsg_new include/net/netlink.h:1015 [inline]
inet6_prefix_notify net/ipv6/addrconf.c:6229 [inline]
addrconf_prefix_rcv+0x912/0x1660 net/ipv6/addrconf.c:2914
ndisc_router_discovery+0x17f8/0x38e0 net/ipv6/ndisc.c:1566
icmpv6_rcv+0x1068/0x18f0 net/ipv6/icmp.c:979
ip6_protocol_deliver_rcu+0x1064/0x1590 net/ipv6/ip6_input.c:438
ip6_input_finish+0x17d/0x2c0 net/ipv6/ip6_input.c:483
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input net/ipv6/ip6_input.c:492 [inline]
ip6_mc_input+0x9b7/0xc00 net/ipv6/ip6_input.c:586
ip6_sublist_rcv_finish net/ipv6/ip6_input.c:88 [inline]
ip6_list_rcv_finish net/ipv6/ip6_input.c:146 [inline]
ip6_sublist_rcv+0xcb3/0xd20 net/ipv6/ip6_input.c:320
ipv6_list_rcv+0x431/0x480 net/ipv6/ip6_input.c:355
__netif_receive_skb_list_ptype net/core/dev.c:5667 [inline]
__netif_receive_skb_list_core+0x76a/0x9c0 net/core/dev.c:5715
__netif_receive_skb_list+0x42d/0x4d0 net/core/dev.c:5767
netif_receive_skb_list_internal+0x5e7/0x910 net/core/dev.c:5859
gro_normal_list include/net/gro.h:515 [inline]
napi_complete_done+0x30a/0x800 net/core/dev.c:6202
e1000_clean+0xf5d/0x3bc0 drivers/net/ethernet/intel/e1000/e1000_main.c:3809
__napi_poll+0xca/0x480 net/core/dev.c:6721
napi_poll net/core/dev.c:6790 [inline]
net_rx_action+0x7cb/0x1000 net/core/dev.c:6906
handle_softirqs+0x274/0x730 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xd7/0x1a0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x20 kernel/softirq.c:649
common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0x13/0x20 arch/x86/kernel/process.c:743
Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 76 ff ff ff cc cc
cc cc f3 0f 1e fa 66 90 0f 00 2d 13 07 39 00 f3 0f 1e fa fb f4 <fa> c3
66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa e9 d7 ff ff ff
RSP: 0018:ffffc9000017fdc8 EFLAGS: 000002c6
RAX: 9f03dcce11ef6a00 RBX: ffffffff8166d8ff RCX: 00000000000b05d1
RDX: 0000000000000001 RSI: ffffffff8b6c8be0 RDI: ffffffff8bce04a0
RBP: ffffc9000017ff20 R08: ffff8880be437d0b R09: 1ffff11017c86fa1
R10: dffffc0000000000 R11: ffffed1017c86fa2 R12: 1ffff9200002ffd2
R13: 1ffff1100c15b000 R14: 0000000000000001 R15: dffffc0000000000
default_idle_call+0x74/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x20f/0x580 kernel/sched/idle.c:332
cpu_startup_entry+0x41/0x60 kernel/sched/idle.c:430
start_secondary+0x100/0x100 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147
</TASK>
Modules linked in:
CR2: 0000000000000010
---[ end trace 0000000000000000 ]---
RIP: 0010:find_stack lib/stackdepot.c:553 [inline]
RIP: 0010:stack_depot_save_flags+0x1a0/0x850 lib/stackdepot.c:618
Code: 48 89 54 24 18 31 f6 4c 89 44 24 10 e8 69 be c7 ff 31 f6 4c 8b
44 24 10 48 8b 54 24 18 45 85 e4 75 62 4d 8b 3f 49 39 d7 74 5d <45> 39
77 10 75 f2 45 39 47 14 75 ec 31 c0 49 8b 4c c5 00 49 3b 4c
RSP: 0018:ffffc900001e7540 EFLAGS: 00010203
RAX: ffff8880bd200000 RBX: 0000000000000001 RCX: 00000000002086f0
RDX: ffff8880bd4086f0 RSI: 0000000000000000 RDI: 0000000080adfd56
RBP: 0000000000000010 R08: 0000000000000010 R09: ffffc900001e7510
R10: 0000000000000003 R11: ffffffff817b2e00 R12: 1ffff9200003ceb8
R13: ffffc900001e75e0 R14: 00000000fac2086f R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000000db34000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 48 89 54 24 18 mov %rdx,0x18(%rsp)
5: 31 f6 xor %esi,%esi
7: 4c 89 44 24 10 mov %r8,0x10(%rsp)
c: e8 69 be c7 ff callq 0xffc7be7a
11: 31 f6 xor %esi,%esi
13: 4c 8b 44 24 10 mov 0x10(%rsp),%r8
18: 48 8b 54 24 18 mov 0x18(%rsp),%rdx
1d: 45 85 e4 test %r12d,%r12d
20: 75 62 jne 0x84
22: 4d 8b 3f mov (%r15),%r15
25: 49 39 d7 cmp %rdx,%r15
28: 74 5d je 0x87
* 2a: 45 39 77 10 cmp %r14d,0x10(%r15) <-- trapping
instruction
2e: 75 f2 jne 0x22
30: 45 39 47 14 cmp %r8d,0x14(%r15)
34: 75 ec jne 0x22
36: 31 c0 xor %eax,%eax
38: 49 8b 4c c5 00 mov 0x0(%r13,%rax,8),%rcx
3d: 49 rex.WB
3e: 3b .byte 0x3b
3f: 4c rex.WR
```
The syz repro shows that it only consist of open to /dev/sg and an
ioctl to that device: (For how to execute syz repro, please refer to
introduction of syzkaller:
https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md)
```
r0 = syz_open_dev$sg(&(0x7f0000004f00), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1,
&(0x7f0000000040)=ANY=[@ANYBLOB="0000000007000000850a455584e48b565869e5b0ce4925"])
```
The C repro is listed below:
```
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
(uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void setup_sysctl()
{
char mypid[32];
snprintf(mypid, sizeof(mypid), "%d", getpid());
struct {
const char* name;
const char* data;
} files[] = {
{"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
{"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
{"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
{"/proc/sys/net/core/bpf_jit_harden", "0"},
{"/proc/sys/kernel/kptr_restrict", "0"},
{"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
{"/proc/sys/fs/mount-max", "100"},
{"/proc/sys/vm/oom_dump_tasks", "0"},
{"/proc/sys/debug/exception-trace", "0"},
{"/proc/sys/kernel/printk", "7 4 1 3"},
{"/proc/sys/kernel/keys/gc_delay", "1"},
{"/proc/sys/vm/oom_kill_allocating_task", "1"},
{"/proc/sys/kernel/ctrl-alt-del", "0"},
{"/proc/sys/kernel/cad_pid", mypid},
};
for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
if (!write_file(files[i].name, files[i].data))
printf("write to %s failed: %s\n", files[i].name, strerror(errno));
}
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[1] = {0xffffffffffffffff};
void execute_one(void)
{
intptr_t res = 0;
memcpy((void*)0x20004f00, "/dev/sg#\000", 9);
res = -1;
res = syz_open_dev(/*dev=*/0x20004f00, /*id=*/0, /*flags=*/0);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000040,
"\x00\x00\x00\x00\x07\x00\x00\x00\x85\x0a\x45\x55\x84\xe4\x8b\x56\x58"
"\x69\xe5\xb0\xce\x49\x25",
23);
syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/1, /*arg=*/0x20000040ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
setup_sysctl();
loop();
return 0;
}
```
We tested this C repro on the latest commit of the upstream kernel. It
still crashed but at a different location. Here is another bug that
crashes elsewhere but may have the same root cause:
```
BUG: Bad rss-counter state mm:ffff8880668dc280 type:MM_ANONPAGES val:2
BUG: non-zero pgtables_bytes on freeing mm: 4096
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8096 at include/linux/mmap_lock.h:71
mmap_assert_write_locked include/linux/mmap_lock.h:71 [inline]
WARNING: CPU: 1 PID: 8096 at include/linux/mmap_lock.h:71
__is_vma_write_locked include/linux/mm.h:708 [inline]
WARNING: CPU: 1 PID: 8096 at include/linux/mmap_lock.h:71
vma_start_write include/linux/mm.h:727 [inline]
WARNING: CPU: 1 PID: 8096 at include/linux/mmap_lock.h:71
dup_mmap+0xf44/0x1a30 kernel/fork.c:671
Modules linked in:
CPU: 1 PID: 8096 Comm: syz-executor375 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:mmap_assert_write_locked include/linux/mmap_lock.h:71 [inline]
RIP: 0010:__is_vma_write_locked include/linux/mm.h:708 [inline]
RIP: 0010:vma_start_write include/linux/mm.h:727 [inline]
RIP: 0010:dup_mmap+0xf44/0x1a30 kernel/fork.c:671
Code: 89 f7 48 c7 c6 ff ff ff ff e8 e8 9d cf 09 48 85 c0 0f 84 e0 00
00 00 48 89 c3 e8 27 76 3b 00 e9 d5 f7 ff ff e8 1d 76 3b 00 90 <0f> 0b
90 e9 3d f8 ff ff 48 c7 c1 6c 98 4b 8f 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90002a8f8c0 EFLAGS: 00010293
RAX: ffffffff815305b3 RBX: 0000000000000000 RCX: ffff88801b580000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002a8fa28 R08: ffffffff8152fde5 R09: ffffffff8b227880
R10: 0000000000000004 R11: ffff88801b580000 R12: ffff88806bf89c10
R13: 1ffff1100d7f1382 R14: 0000000000000000 R15: dffffc0000000000
FS: 000055558d7ad880(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000048 CR3: 0000000068130000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
dup_mm kernel/fork.c:1688 [inline]
copy_mm+0x143/0x430 kernel/fork.c:1737
copy_process+0x1810/0x3d30 kernel/fork.c:2390
kernel_clone+0x228/0x6b0 kernel/fork.c:2797
__do_sys_clone kernel/fork.c:2940 [inline]
__se_sys_clone kernel/fork.c:2924 [inline]
__x64_sys_clone+0x26b/0x2e0 kernel/fork.c:2924
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f5a28557e7f
Code: ed 0f 85 64 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d
91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d
00 f0 ff ff 0f 87 f5 00 00 00 41 89 c5 85 c0 0f 85 fc 00 00
RSP: 002b:00007ffd62c1f6c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000001fa4 RCX: 00007f5a28557e7f
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000000 R08: 0000000000000000 R09: 000055558d7ad880
R10: 000055558d7adb50 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd62c1f700 R14: 0000000000000002 R15: 00007ffd62c1f720
</TASK>
```
The C repro is listed below:
```
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void use_temporary_dir(void)
{
char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
exit(1);
if (chmod(tmpdir, 0777))
exit(1);
if (chdir(tmpdir))
exit(1);
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
(uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
static void remove_dir(const char* dir)
{
int iter = 0;
DIR* dp = 0;
retry:
while (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
}
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
exit(1);
}
exit(1);
}
struct dirent* ep = 0;
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
while (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW) == 0) {
}
struct stat st;
if (lstat(filename, &st))
exit(1);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
int i;
for (i = 0;; i++) {
if (unlink(filename) == 0)
break;
if (errno == EPERM) {
int fd = open(filename, O_RDONLY);
if (fd != -1) {
long flags = 0;
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
}
close(fd);
continue;
}
}
if (errno == EROFS) {
break;
}
if (errno != EBUSY || i > 100)
exit(1);
if (umount2(filename, MNT_DETACH | UMOUNT_NOFOLLOW))
exit(1);
}
}
closedir(dp);
for (int i = 0;; i++) {
if (rmdir(dir) == 0)
break;
if (i < 100) {
if (errno == EPERM) {
int fd = open(dir, O_RDONLY);
if (fd != -1) {
long flags = 0;
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
}
close(fd);
continue;
}
}
if (errno == EROFS) {
break;
}
if (errno == EBUSY) {
if (umount2(dir, MNT_DETACH | UMOUNT_NOFOLLOW))
exit(1);
continue;
}
if (errno == ENOTEMPTY) {
if (iter < 100) {
iter++;
goto retry;
}
}
}
exit(1);
}
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
if (symlink("/dev/binderfs", "./binderfs")) {
}
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
char cwdbuf[32];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
exit(1);
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
if (chdir(cwdbuf))
exit(1);
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
remove_dir(cwdbuf);
}
}
uint64_t r[1] = {0xffffffffffffffff};
void execute_one(void)
{
intptr_t res = 0;
syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0c0583b, /*arg=*/0ul);
memcpy((void*)0x20004f00, "/dev/sg#\000", 9);
res = -1;
res = syz_open_dev(/*dev=*/0x20004f00, /*id=*/0, /*flags=*/0);
if (res != -1)
r[0] = res;
memcpy((void*)0x20000040,
"\x00\x00\x00\x00\x07\x00\x00\x00\x85\x0a\x45\x55\x84\xe4\x8b\x56\x58"
"\x69\xe5\xb0\xce\x49\x25",
23);
syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/1, /*arg=*/0x20000040ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
use_temporary_dir();
loop();
return 0;
}
```
If you have any questions, please contact us.
Reported by Yue Sun <samsun1006219@xxxxxxxxx>
Reported by xingwei lee <xrivendell7@xxxxxxxxx>
Best Regards,
Yue
Attachment:
config
Description: Binary data