Re: Linux kernel: FS_IOC_FSSETXATTR will lead to EXT4-fs shut down

[Xiami <pengyu.tao () yooli com>]

On Tue, Aug 28, 2018 at 08:27:50AM +0000, zhrzhang(张洪睿) wrote:
> Hello：
>         when I fuzz，I found the kernel will always no output from machine, and error FS_IOC_FSSETXATTR contribute to 
> this.
>
>         the syzlog is as below:
>
> r0 = creat(&(0x7f0000000140)='./file0\x00', 0x0)
> ioctl$FS_IOC_FSSETXATTR(r0, 0x8004587d, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x8})

Your ioctl command 0x8004587d is exactly EXT4_IOC_SHUTDOWN defined in fs/ext4/ext4.h

>         the poc will show like this:
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> uint64_t r[1] = {0xffffffffffffffff};
>
> int main(void)
> {
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> long res = 0;
> memcpy((void*)0x20000140, "./file0", 8);
> res = syscall(__NR_creat, 0x20000140, 0);
> if (res != -1)
> r[0] = res;
> *(uint32_t*)0x20000080 = 0;
> *(uint32_t*)0x20000084 = 0;
> *(uint32_t*)0x20000088 = 0;
> *(uint32_t*)0x2000008c = 8;
> *(uint32_t*)0x20000090 = 0;
> *(uint64_t*)0x20000098 = 0;
> syscall(__NR_ioctl, r[0], 0x8004587d, 0x20000080);
> return 0;
> }
> ________________________________
> zhrzhang(张洪睿)