panic: sandbox escaping file name "../file0"


syzbot

Nov 24, 2018, 11:41:04 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 97aa0691961a In unp_internalize() check the length more ca..
git tree: https://github.com/openbsd/src.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13fd3905400000
dashboard link: https://syzkaller.appspot.com/bug?extid=d9c61993721f4e6389f8
compiler:

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d9c619...@syzkaller.appspotmail.com

panic: sandbox escaping file name "../file0"

goroutine 16 [running]:
github.com/google/syzkaller/prog.(*randGen).filename(0xc000759260, 0xc000544ac0, 0xbf4ec0, 0x498aee, 0xc000656780)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:161 +0x2ac
github.com/google/syzkaller/prog.(*BufferType).generate(0xbf4ec0, 0xc000759260, 0xc000544ac0, 0xc000079500, 0x1a5889a35249a32, 0xc0008ef960, 0x4f0c53, 0xc00092fce0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:646 +0x4fc
github.com/google/syzkaller/prog.(*randGen).generateArgImpl(0xc000759260, 0xc000544ac0, 0x8fd600, 0xbf4ec0, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:581 +0x1b6
github.com/google/syzkaller/prog.(*randGen).generateArg(0xc000759260, 0xc000544ac0, 0x8fd600, 0xbf4ec0, 0xaaaaaaaaaaaaaaaa, 0x38, 0x7437b2, 0x87a299, 0x3)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:530 +0x52
github.com/google/syzkaller/prog.(*PtrType).generate(0xbd1b40, 0xc000759260, 0xc000544ac0, 0x40b7ff, 0xc0007594a0, 0x20, 0x20, 0x8115a0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:729 +0x84
github.com/google/syzkaller/prog.(*randGen).generateArgImpl(0xc000759260, 0xc000544ac0, 0x8fda60, 0xbd1b40, 0xc0008efb00, 0x0, 0x0, 0x0, 0x0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:581 +0x1b6
github.com/google/syzkaller/prog.(*randGen).generateArg(0xc000759260, 0xc000544ac0, 0x8fda60, 0xbd1b40, 0x2, 0x2, 0x0, 0x203000, 0xc0008efc60)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:530 +0x52
github.com/google/syzkaller/prog.(*randGen).generateArgs(0xc000759260, 0xc000544ac0, 0xbc6840, 0x2, 0x2, 0x14276daeea19286e, 0xc0008efd28, 0x72beae, 0x7f3580, 0xc00092f110, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:518 +0x11d
github.com/google/syzkaller/prog.(*randGen).generateParticularCall(0xc000759260, 0xc000544ac0, 0xbdd420, 0x6d, 0xc000544ac0, 0xc00090ac60)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:462 +0xd1
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000759260, 0xc000544ac0, 0xc00043f4c0, 0xc000544ac0, 0xc0008efdc0, 0x7311e7)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:454 +0xa4
github.com/google/syzkaller/prog.(*mutator).insertCall(0xc0008efe48, 0x14)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:118 +0xcb
github.com/google/syzkaller/prog.(*Prog).Mutate(0xc00043f4c0, 0x8f8660, 0xc00092fce0, 0x1e, 0xc0006b8680, 0xc000790000, 0x8f6, 0x900)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/mutation.go:32 +0x299
main.(*Proc).smashInput(0xc0006b86c0, 0xc000a8cb40)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:196 +0x103
main.(*Proc).loop(0xc0006b86c0)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:82 +0x177
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2


OpenBSD/amd64 (worker.syzkaller) (tty00)

login: set $lines = 0
Password:
Login incorrect
login: trace
Password:
Login incorrect
login: show proc
Password:
Login incorrect


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

Greg Steuck

Nov 24, 2018, 12:01:02 PM
to syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
Looks like Go and OpenBSD both using "panic" confuses the crash detector in syzkaller. If I understand correctly, the bug is in syzkaller itself:


Dmitry Vyukov

Nov 25, 2018, 2:36:57 AM
to Greg Steuck, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
On Sat, Nov 24, 2018 at 6:00 PM, Greg Steuck <gr...@nest.cx> wrote:
> Looks like Go and OpenBSD both using "panic" confuses the crash detector in
> syzkaller. If I understand correctly, the bug is in syzkaller itself:
> https://github.com/google/syzkaller/blob/master/prog/rand.go#L161


Yes. We treat "panic: .*" as kernel bug:
https://github.com/google/syzkaller/blob/master/pkg/report/openbsd.go#L83
The question is how we distinguish them?

It's actually good that we caught it, because it's probably something
to fix. But on linux they fall into "lost connection" bucket which
nobody looks at usually.
But ideally they fall into a separate bug bucket:
https://github.com/google/syzkaller/issues/318
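As an added illustration of how the two kinds of "panic:" line could be told apart (this is not code from syzkaller or from anyone in this thread): a Go runtime panic is followed by a "goroutine N [state]:" header and a traceback whose frames end in "file.go:NN +0xHEX", while a kernel panic is not. The classifier below applies that rule to combined console output; the sample console text is constructed from the report above plus a made-up kernel panic line.

```go
package main

import (
	"regexp"
	"strings"
)

// Panic is one "panic:" console line; IsGo is set when a Go runtime "goroutine
// N [state]:" header follows it, and Frame is then the trace's first "file.go:NN".
type Panic struct {
	Line, Frame string
	IsGo        bool
}

var panicRe = regexp.MustCompile(`^panic: `)
var goroutineRe = regexp.MustCompile(`^goroutine \d+ \[[^\]]+\]:$`)
var frameRe = regexp.MustCompile(`(?m)(\S+\.go:\d+) \+0x[0-9a-f]+$`)

// Constructed sample: the report's Go panic (trimmed) plus a made-up kernel panic line.
const sampleConsole = `panic: sandbox escaping file name "../file0"

goroutine 16 [running]:
github.com/google/syzkaller/prog.(*randGen).filename(0xc000759260,
	/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:161 +0x2ac

panic: kernel diagnostic assertion "constructed" failed`

// ClassifyPanics labels every "panic:" line in combined kernel+syz-fuzzer console
// output; the report has a blank line before the goroutine header, hence lookahead 3.
func ClassifyPanics(output string) []Panic {
	lines := strings.Split(output, "\n")
	var res []Panic
	for i, l := range lines {
		if !panicRe.MatchString(l) {
			continue
		}
		p := Panic{Line: l}
		for j := i + 1; j < len(lines) && j <= i+3 && !p.IsGo; j++ {
			if goroutineRe.MatchString(lines[j]) {
				p.IsGo = true
				// First frame of the trace tells the developer where syz-fuzzer died.
				if m := frameRe.FindStringSubmatch(strings.Join(lines[j+1:], "\n")); m != nil {
					p.Frame = m[1]
				}
			}
		}
		res = append(res, p)
	}
	return res
}
```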

Greg Steuck

Nov 25, 2018, 3:11:27 AM
to Dmitry Vyukov, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
On Sat, Nov 24, 2018 at 11:36 PM Dmitry Vyukov <dvy...@google.com> wrote:
> On Sat, Nov 24, 2018 at 6:00 PM, Greg Steuck <gr...@nest.cx> wrote:
> > Looks like Go and OpenBSD both using "panic" confuses the crash detector in
> > syzkaller. If I understand correctly, the bug is in syzkaller itself:
> > https://github.com/google/syzkaller/blob/master/prog/rand.go#L161
>
> Yes. We treat "panic: .*" as kernel bug:
> https://github.com/google/syzkaller/blob/master/pkg/report/openbsd.go#L83
> The question is how we distinguish them?

Easy, I'll just munge the Go errors before they are dumped to the console. Somewhere here:
 

Dmitry Vyukov

Nov 25, 2018, 3:13:42 AM
to Greg Steuck, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
Not that simple :)
syz-ci starts syz-manager, which starts a VM, which starts syz-fuzzer,
which panics.

Greg Steuck

Nov 25, 2018, 3:16:31 AM
to Dmitry Vyukov, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
Yeah, not that easy, but the basic idea should still hold. We just need to post-process the output of syz-fuzzer inside the VM.

Greg Steuck

Nov 25, 2018, 4:50:19 PM
to Dmitry Vyukov, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
I seem to have found a workaround for this particular panic (https://github.com/google/syzkaller/pull/826/files). Maybe we should not make syz-fuzzer panics easy to ignore and keep them in our face?

Dmitry Vyukov

Nov 26, 2018, 4:15:37 AM
to Greg Steuck, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
Nobody wanted to ignore them, just make them distinguishable. And in
case of other OSes, detecting them in the first place.

Greg Steuck

Nov 26, 2018, 11:47:43 AM
to Dmitry Vyukov, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
I don't really understand the problem though. How does the panic message of syz-fuzzer even get to the console? Do you not start syz-fuzzer from an ssh session? Its stdout/stderr would then be different from the console connection where the kernel is blabbing.

Thanks
Greg

Dmitry Vyukov

Nov 27, 2018, 7:10:57 AM
to Greg Steuck, syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
syzkaller scans for crashes combined kernel+fuzzer output:
https://syzkaller.appspot.com/x/log.txt?x=13fd3905400000

black...@gmail.com

Dec 8, 2018, 9:58:51 PM
to syzkaller-openbsd-bugs

syzbot

Dec 8, 2018, 9:58:53 PM
to black...@gmail.com, black...@gmail.com, syzkaller-o...@googlegroups.com
> #syz invalid

Can't find the corresponding bug.

Greg Steuck

Dec 8, 2018, 10:02:45 PM
to syzbot+d9c619...@syzkaller.appspotmail.com, syzkaller-o...@googlegroups.com
#syz invalid