shankarapailoor
Jun 5, 2018, 12:53:54 AM
to da...@davemloft.net, linux-...@vger.kernel.org, syzk...@googlegroups.com, net...@vger.kernel.org
Hi,
I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the
following crash:
https://pastebin.com/ixX3RB9j
Syzkaller isolated the cause of the bug to the following program:
socketpair$unix(0x1, 0x1, 0x0,
&(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
getresuid(&(0x7f0000000080)=<r2=>0x0, &(0x7f00000000c0), &(0x7f0000000700))
r3 = getegid()
fchownat(r0, &(0x7f0000000040)='\x00', r2, r3, 0x1000)
dup3(r1, r0, 0x80000)
The problematic area appears to be here:
static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
{
	int err = simple_setattr(dentry, iattr);

	if (!err && (iattr->ia_valid & ATTR_UID)) {
		struct socket *sock = SOCKET_I(d_inode(dentry));

		sock->sk->sk_uid = iattr->ia_uid; // KASAN GPF
	}
	return err;
}
If dup3 is called concurrently with fchownat, can sock->sk be NULL?
--
Regards,
Shankara Pailoor
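As an added illustration that is not part of the report, a userspace C model of the suspected ordering (setattr, release clearing sock->sk, setattr again) and of the defensive pattern of checking sock->sk under the same lock the release path takes. The struct layout, the lock, and the -ENOENT return are assumptions of this model, not the kernel's code or its actual fix.

```c
/* Userspace model of the race in the report (assumption-laden, not kernel
 * code): close_sock() plays sock_close() -> __sock_release() clearing
 * sock->sk, and setattr_sock() plays sockfs_setattr(). Both take the same
 * lock, and the NULL check happens under it, so a release cannot slip in
 * between the check and the store. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

struct sock { unsigned int sk_uid; };

struct socket {
	struct sock *sk;
	pthread_mutex_t inode_lock;	/* stands in for inode_lock(inode) */
};

/* Plays sock_close(): clears sock->sk only while holding the lock. */
void close_sock(struct socket *sock)
{
	pthread_mutex_lock(&sock->inode_lock);
	sock->sk = NULL;
	pthread_mutex_unlock(&sock->inode_lock);
}

/* Plays sockfs_setattr(): the unguarded original dereferences sock->sk
 * unconditionally; here it is checked under the lock and an already
 * released socket yields an error instead of a NULL dereference. */
int setattr_sock(struct socket *sock, unsigned int new_uid)
{
	int err = 0;

	pthread_mutex_lock(&sock->inode_lock);
	if (sock->sk)
		sock->sk->sk_uid = new_uid;
	else
		err = -ENOENT;	/* socket already released (assumed code) */
	pthread_mutex_unlock(&sock->inode_lock);
	return err;
}

/* Plays out the report's ordering: chown, close, chown again. */
int demo(void)
{
	struct sock sk = { .sk_uid = 0 };
	struct socket sock = { .sk = &sk, .inode_lock = PTHREAD_MUTEX_INITIALIZER };
	int first = setattr_sock(&sock, 1000);	/* 0: uid updated to 1000 */

	close_sock(&sock);
	int second = setattr_sock(&sock, 1000);	/* -ENOENT, no NULL deref */
	printf("first=%d second=%d uid=%u\n", first, second, sk.sk_uid);
	return second;
}
```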