OpenBSD System Call Fuzzer - Triforce

2016-10-31 Thread Tim Newsham
testing system calls and other system features with the fuzzer. We'd be happy to answer any questions that come up. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: [Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-08-01 Thread Tim Newsham
ode. Not sure if somebody is doing an errata for -stable > > for this. > > > > CVSROOT: /cvs > > Module name: src > > Changes by: t...@cvs.openbsd.org 2016/07/29 14:44:40 > > > > Modified files: > > sys/uvm: uvm_map.c

[Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-07-28 Thread Tim Newsham
en("/tmp/mapfile", O_RDWR|O_CREAT, 0666); xperror(fd == -1, "/tmp/mapfile"); write(fd, "testing\n", 8); pg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); xperror(pg == MAP_FAILED, "mmap"); p = mmap(pg+

Re: mmap crash

2016-07-26 Thread Tim Newsham
ut not on a 256M, 512M or 1024M VM. I only get crashes and dmesg output when running as root. Testing done on amd64 using 5.9-stable from yesterday. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: mmap crash

2016-07-26 Thread Tim Newsham
, which includes the fixes for the earlier reported mmap issues. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

mmap crash

2016-07-26 Thread Tim Newsham
;); return 1; } return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: [Bug 63] Any user can panic the kernel with the sysctl call.

2016-07-25 Thread Tim Newsham
> > I made the same change in my tree. So OK claudio@ > Thank you both for the quick turnaround. Do you know if there will be an errata for this? We want to post this to oss-sec, but will wait until an errata is published if one is planned. -- Tim Newsham | www.thenewsh.com

[Bug 63] Any user can panic the kernel with the sysctl call.

2016-07-22 Thread Tim Newsham
size_t sz = sizeof buf; int x; x = sysctl(name, 3, buf, &sz, 0, 0); if(x == -1) perror("sysctl"); printf("no crash!\n"); return 0; } Tim Newsham Distinguished Security Engineer, Security Consulting NCC Group Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D 3DF0

Re: read(2) on directories

2016-07-12 Thread Tim Newsham
SError: [Errno 21] Is a directory > > - todd > > -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Unmounting with MNT_DOOMED flag can lead to a kernel panic

2016-07-12 Thread Tim Newsham
x = unmount("/mnt", MNT_DOOMED); xperror(fd == -1, "unmount"); printf("no crash!\n"); return 0; } -- Tim Newsham Distinguished Security Engineer, Security Consulting NCC Group Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D 3DF0

[Bug49] Tmpfs mount with bad args can lead to a panic

2016-07-11 Thread Tim Newsham
Here's a bug related to tmpfs mounts. Forwarded Message Subject: [Bug49] Tmpfs mount with bad args can lead to a panic Date: Mon, 11 Jul 2016 10:07:33 -1000 From: Tim Newsham To: dera...@openbsd.org, Jesse Hertz Hi Theo, here's a low-severity

Re: __syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
th the extra padding arg added). -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: __syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
s. > That did the trick.. thank you. > Philip Guenther > chrisC: glad to be of assistance. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: __syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
CALL mmap(0,0x1,0x3,0x1002,-1,0) -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

__syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
4096); p2 = __syscall(197, 0x10, 4*4096, 7, MAP_ANON, -1, 0); printf("p 0x%llx\n", p2); return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Tim Newsham
gv[i]; x = mknod(fn, S_IFBLK | 0666, -1); if(x == -1) perror(fn); } printf("nothing happened!\n"); return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com