Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow
From: Chen Feng
Date: Fri Oct 27 2017 - 23:22:51 EST
Hi Ted,
On 2017/10/26 23:04, Theodore Ts'o wrote:
> On Thu, Oct 26, 2017 at 04:25:15PM +0800, Chen Feng wrote:
>>
>>
>> On 2017/10/25 16:49, Theodore Ts'o wrote:
>>> Other people who have sent me fuzzer test reproducers are able to
>>> reproduce syzkaller logs into a simple C program. Can you explain to
>>> me what the heck:
>>>
>>>> r3 = syz_open_dev$urandom(&(0x7f000000a000)="2f6465762f7572616e646f6d00", 0x0, 0x0)
>>>
>>> means?
>>
>> Take a look at this:
>>
>> https://github.com/google/syzkaller/blob/master/sys/linux/random.txt
>
> Sorry, this *still* looks like gobbledygook.
>
> What ioctls are you executing, and with what arguments?
>
> *Please*, give me a C program I can compile.
I checked the ioctl. What's the purpose of the RNDADDTOENTCNT ioctl for userspace?
We need to check the user input in credit_entropy_bits_safe.
+ if (INT_MAX - nbits < r->entropy_total)
+ return -EINVAL;
+
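Review bot: the check reads r->entropy_total and the hunk shows no synchronization around that read, while the addition it guards happens later; with the 100 threads the reproducer below runs concurrently, two callers can both pass `INT_MAX - nbits < r->entropy_total` before either has added, and the second addition still overflows. Returning -EINVAL here also makes an identical request succeed or fail depending on how much has already been credited, which callers cannot predict; clamping nbits to a bound derived from the pool size before adding (so one call can never add more than the pool holds) removes both the race window and the state-dependent error. A one-line comment stating which overflow this guards against would also help the next reader.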
The test code below:

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <linux/random.h>	/* RNDADDTOENTCNT */

/* Each thread opens the device and asks the kernel to credit INT_MAX bits.
 * The argument pointer is unused. */
void *random_ioctl_test(void *args)
{
	int fd = -1;
	int ret = -1;
	int test_arg = 0x7fffffff;	/* INT_MAX, as in the syzkaller log */

	/* absolute path; the relative "dev/urandom" only works from "/" */
	fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0) {
		printf("open /dev/urandom failed!\n");
		return NULL;
	}
	/* RNDADDTOENTCNT == 0x40045201; needs CAP_SYS_ADMIN */
	ret = ioctl(fd, RNDADDTOENTCNT, &test_arg);
	printf("random_ioctl ret=%d\n", ret);
	close(fd);
	return NULL;
}

int main(int argc, char *argv[])
{
	int ret, i;
	pthread_t thread[100];

	for (i = 0; i < 100; i++) {
		ret = pthread_create(&thread[i], NULL, random_ioctl_test, &i);
		if (ret) {
			printf("create thread %d fail with ret=%d\n", i, ret);
			return -1;
		}
	}
	for (i = 0; i < 100; i++) {
		pthread_join(thread[i], NULL);
	}
	return 0;
}
>
> -Ted
>
> .
>
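A user-space model of two ways to make that credit path overflow-safe, added here as an illustration and not taken from the kernel's random.c or from the posted patch: the rejecting check quoted above, and a clamp-and-saturate alternative that bounds a single request by the pool size. struct model_pool, MODEL_EINVAL, the 128-word pool and the would_wrap helper are constructed stand-ins, not kernel identifiers.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_EINVAL 22	/* stand-in for the kernel's EINVAL */

/* Hypothetical stand-in for the entropy_store fields discussed in the
 * thread: pool size in 32-bit words and the running credit counter. */
struct model_pool {
	int pool_words;
	int entropy_total;
};

/* Signed overflow is undefined behaviour in C, so the unchecked kernel
 * addition cannot be run directly. This computes the same two's-complement
 * result with unsigned arithmetic and reports whether it would go negative
 * (conversion back to int is implementation-defined; gcc and clang wrap). */
static bool would_wrap(int total, int nbits)
{
	unsigned int sum = (unsigned int)total + (unsigned int)nbits;
	return (int)sum < 0;
}

/* Variant 1: the rejecting check from the patch, modelled in user space.
 * Returns 0 on success, -MODEL_EINVAL if the credit would pass INT_MAX. */
static int credit_checked(struct model_pool *r, int nbits)
{
	if (nbits < 0)
		return -MODEL_EINVAL;
	if (INT_MAX - nbits < r->entropy_total)
		return -MODEL_EINVAL;
	r->entropy_total += nbits;
	return 0;
}

/* Variant 2: clamp the request to what the pool can hold (pool_words * 32
 * bits) and saturate instead of rejecting, so an oversized request from
 * userspace can never move the counter by more than one pool's worth. */
static int credit_clamped(struct model_pool *r, int nbits)
{
	const int nbits_max = r->pool_words * 32;

	if (nbits < 0)
		return -MODEL_EINVAL;
	if (nbits > nbits_max)
		nbits = nbits_max;
	if (INT_MAX - nbits < r->entropy_total)
		r->entropy_total = INT_MAX;
	else
		r->entropy_total += nbits;
	return 0;
}

/* Replay the reproducer's request (0x7fffffff) `calls` times against a
 * fresh 4096-bit pool and report whether the counter stayed non-negative. */
static bool stress(int (*credit)(struct model_pool *, int), int calls,
		   int *final_total)
{
	struct model_pool r = { .pool_words = 128, .entropy_total = 0 };
	int i;

	for (i = 0; i < calls; i++)
		credit(&r, 0x7fffffff);
	*final_total = r.entropy_total;
	return r.entropy_total >= 0;
}

int main(void)
{
	int total;

	printf("unchecked add of 1 to INT_MAX would wrap: %d\n",
	       would_wrap(INT_MAX, 1));
	printf("checked: sane=%d total=%d\n",
	       stress(credit_checked, 100, &total), total);
	printf("clamped: sane=%d total=%d\n",
	       stress(credit_clamped, 100, &total), total);
	return 0;
}
```

Both variants keep the counter non-negative under the reproducer's input, but they fail differently: the rejecting check lets the very first INT_MAX request through and then refuses every later one, so the outcome of a given call depends on prior history, whereas the clamp grows the total by at most 4096 per call regardless of what userspace asks for.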