Dmitry Vyukov
unread,Sep 29, 2022, 7:10:33 AM9/29/22Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Tetsuo Handa, Miklos Szeredi, linux-...@vger.kernel.org, syzbot, syzkall...@googlegroups.com, Aleksandr Nogikh
On Thu, 29 Sept 2022 at 12:25, Tetsuo Handa
<
penguin...@i-love.sakura.ne.jp> wrote:
>
> This is not a kernel bug but a fuzzer's bug.
>
> Looking at
https://syzkaller.appspot.com/text?tag=ReproC&x=155622df080000 ,
> this reproducer is reading data from /dev/vcs to [0x20001dc0,0x20003DE0) range,
> and passing subset of this range [0x20002300,0x20003300) as "const void *data"
> argument of mount() syscall which is interpreted as a string.
>
> That is, this problem happens when console screen buffer by chance contained
> kernel messages which the kernel has printk()ed upon boot.
>
> (I defer "#syz invalid" because we need to somehow fix this problem on the fuzzer side.)
Oh, I see, I missed the read from /dev/vcs. Thanks for looking into it.
Thinking of possible solutions I think the easiest thing is to
stricten matching of the reboot message, e.g. require it to start from
the beginning of the line, don't have anything at the end, etc. The
real message should not be subject to any "corruptions".
+Aleksandr, please take care of this.
Not sure if there should be a policy on printing user-provided strings
to dmesg in general or not. Unpriv fs types like tmpfs/fuse
effectively allow the injection of arbitrary messages into dmesg w/o
the permission.