bcachefs
BUG: unable to handle page fault for address in lookup_bdev
Solution
The following uses of strndup_user
should check its return value for an error pointer (as https://github.com/koverstreet/bcachefs/blob/master/fs/bcachefs/chardev.c#L47 already does) rather than for a null value:
- https://github.com/koverstreet/bcachefs/blob/master/fs/bcachefs/chardev.c#L181
- https://github.com/koverstreet/bcachefs/blob/master/fs/bcachefs/chardev.c#L181
Reproducer
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
/* Resource table filled in by main(): slot 0 holds the fd returned by openat().
 * It starts as all-ones (-1 as a signed fd) so the later ioctl() is issued on an
 * invalid descriptor if the open fails. */
uint64_t r[1] = { UINT64_MAX };
/*
 * syzkaller reproducer for the lookup_bdev page fault reported above.
 * Every step is a raw syscall on buffers at fixed virtual addresses, so the
 * sequence does not depend on libc; return values are ignored on purpose
 * except for openat(). Per the "Solution" section, the kernel-side handler
 * copies the string built below with strndup_user() and tests the result
 * against NULL instead of an error pointer, so an ERR_PTR value reaches
 * lookup_bdev(). This program only triggers that defect; it does not need
 * any privilege beyond the ability to create a file and issue the ioctl.
 */
int main(void)
{
/* Three fixed anonymous mappings (0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS):
 * a PROT_NONE (0) guard page, a 16 MiB read/write/exec (7) scratch region
 * that holds every buffer used below, and a trailing PROT_NONE guard page.
 * Anonymous pages start zero-filled; the ioctl argument below relies on that. */
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
/* NUL-terminated path "./file0" (8 bytes including the terminator). */
memcpy((void*)0x200002c0, "./file0\000", 8);
/* openat(AT_FDCWD, "./file0", O_CREAT|O_APPEND, 0): 0xffffffffffffff9c is
 * -100 (AT_FDCWD) and 0x440 is O_CREAT|O_APPEND on x86-64. The file is
 * created relative to the cwd, which must lie on a bcachefs mount for the
 * ioctl below to reach the bcachefs handler. */
res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x200002c0ul, 0x440ul, 0ul);
/* Only a successful open updates r[0]; otherwise it keeps its -1 sentinel. */
if (res != -1)
r[0] = res;
/* Build the 16-byte ioctl argument at 0x20000780: two zero u32 fields followed
 * by "./file0" copied WITHOUT its NUL (7 bytes). The string is terminated only
 * by the zero-filled page behind it, which is the untrusted user string the
 * kernel later passes to strndup_user(). */
*(uint32_t*)0x20000780 = 0;
*(uint32_t*)0x20000784 = 0;
memcpy((void*)0x20000788, "./file0", 7);
/* 0x4010bc06 decodes as _IOW(0xbc, 6, <16-byte struct>): direction write,
 * size 0x10, type 0xbc, nr 6. Its return value is not checked because the
 * fault happens inside the kernel; a fixed kernel is expected to return an
 * error for this request instead. The fd is intentionally never closed. */
syscall(__NR_ioctl, r[0], 0x4010bc06, 0x20000780ul);
return 0;
}