sys/linux: sanitize mount() #4143
base: master
If an ext* superblock has a "panic on error" bit set, we may end up with a kernel crash unless it was prohibited via mount options. For syz_mount_image(), we do ensure that mount options prevent this from happening. Perform similar sanitization also for plain mount() calls.
9b29a86 to 4fdba27
if hadRemount {
	opts = "errors=remount-ro," + opts
} else {
	opts = "errors=continue," + opts
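Review bot: prepending the forced errors= mode leaves any errors= entry that is already in opts later in the string, and ext4 applies the last occurrence of a repeated option, so an existing errors=panic would still take effect. Strip existing errors= entries from opts (or replace them in place) before prepending, so that the forced mode is the only one present.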
We do it here: https://github.com/google/syzkaller/blob/master/executor/common_linux.h#L3044-L3056 because the fuzzer generally can't guarantee the contents of data in memory (it can overlap with other arguments, or be overwritten by concurrent syscall args/results).
Yes, we do sanitize `syz_mount_image`, but not `mount` directly, which we also have in the descriptions.
We need to refactor the whole call neutralization. It's easy to patch integer values, but to deal with strings/arrays, we need to (re-)allocate memory if the new string size is bigger than the old one. To perform that, we need a pointer to

Also (since we are there anyway), now that we do not sanitize file images, we do not need a distinction between

@a-nogikh can we close it?

No, we still have the problem.
Context: https://lore.kernel.org/all/000000000000530e0d060312199e@google.com/T/
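The sanitization the PR describes, as an added example (not syzkaller's own code): it rewrites a mount option string so that an ext* superblock's "panic on error" bit cannot take effect. It goes slightly beyond the snippet under review by first dropping every errors= entry the caller supplied, so that a later errors=panic cannot override the forced mode; the function name and the choice to keep a caller-requested errors=remount-ro are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// sanitizeMountOpts forces a non-panicking errors= mode onto an ext* mount
// option string. Any errors= entries already present are removed so the
// forced mode is the only one the kernel sees; if the caller asked for
// errors=remount-ro, that mode is kept, otherwise errors=continue is used.
// Added example, not syzkaller's code; sanitizeMountOpts is an assumed name.
func sanitizeMountOpts(opts string) string {
	hadRemount := false
	kept := make([]string, 0)
	for _, opt := range strings.Split(opts, ",") {
		if opt == "" {
			continue // skip empty tokens from "" or trailing commas
		}
		if strings.HasPrefix(opt, "errors=") {
			if opt == "errors=remount-ro" {
				hadRemount = true
			}
			continue // drop errors=panic, errors=continue and duplicates
		}
		kept = append(kept, opt)
	}
	mode := "errors=continue"
	if hadRemount {
		mode = "errors=remount-ro"
	}
	return strings.Join(append([]string{mode}, kept...), ",")
}

func main() {
	// Constructed sample inputs, including the case where the caller
	// explicitly asked for errors=panic.
	samples := []string{
		"",
		"errors=panic",
		"noacl,errors=remount-ro,nodelalloc",
		"errors=continue,errors=panic",
	}
	for _, in := range samples {
		fmt.Printf("%q -> %q\n", in, sanitizeMountOpts(in))
	}
}
```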