System call fuzzing continued.

Work is ongoing on the system call fuzzer I wrote about last month. Since I initially talked about it, it’s found a few more bugs.

CVE-2010-4256: Pipe fcntl local denial of service.
The inode struct in the kernel contains this union:

union {
struct pipe_inode_info *i_pipe;
struct block_device *i_bdev;
struct cdev *i_cdev;
};

A missing “is this a pipe” check in pipe_fcntl allowed a user to perform pipe fcntl operations on inodes that were not pipes (i.e. block or character devices), so the union member was read as a pipe_inode_info when it actually pointed at something else. Things blew up pretty quickly.

CVE-2010-4347: Incorrect sysfs permissions
One of the things the fuzzer does is to pass random file descriptors to syscalls that expect them. At first, it generated a few itself on startup by creating a bunch of files. I changed this to open any files that were readable/writable from sysfs, procfs and /dev. It prints out what it managed to open on startup. I immediately noticed something that stood out like a sore thumb.
/sys/kernel/debug/acpi/custom_method was world writable. As this file allows a user to upload new ACPI tables to the kernel, this is a fairly obvious local root. Thankfully debugfs isn’t mounted by default on most systems.
This discovery prompted a further investigation into S_IWUGO users in the kernel, which led to a slew of fixes (mostly in the staging tree). A patch is also pending to checkpatch.pl to warn about any new additions, as exporting a file from the kernel with this mode is nearly always a bad idea.
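The startup check the fuzzer did (open everything it can under sysfs, procfs and /dev and print what succeeded) is worth having as a standalone audit. The following is an added example, not Trinity’s own code: it walks a tree with nftw(3), flags regular files whose mode has the other-write bit set, and builds a small constructed directory resembling the debugfs layout so it can be run offline. Point it at /sys/kernel/debug, /sys, /proc or /dev to use it for real.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_HITS 256
static char hits[MAX_HITS][PATH_MAX];   /* nftw has no user-data pointer */
static int nhits;

/* The dangerous case for a kernel-exported file: anyone may write it.
 * (S_IWUGO in the kernel is S_IWUSR|S_IWGRP|S_IWOTH; the bit that matters
 * for an unprivileged user is S_IWOTH.) */
int is_world_writable(mode_t mode)
{
    return (mode & S_IWOTH) != 0;
}

static int visit(const char *path, const struct stat *sb, int type, struct FTW *ftw)
{
    (void)ftw;
    if (type != FTW_F)                 /* only regular files; FTW_PHYS keeps us off symlinks */
        return 0;
    if (is_world_writable(sb->st_mode) && nhits < MAX_HITS)
        snprintf(hits[nhits++], PATH_MAX, "%s", path);
    return 0;
}

/* Walk root without following symlinks; returns the number of hits or -1. */
int scan_world_writable(const char *root)
{
    nhits = 0;
    if (nftw(root, visit, 16, FTW_PHYS) != 0)
        return -1;
    return nhits;
}

const char *scan_hit(int i)
{
    return (i >= 0 && i < nhits) ? hits[i] : NULL;
}

/* Constructed sample tree (hypothetical paths, not real sysfs): one 0666
 * file modelled on the custom_method finding, one read-only file. */
int build_demo_tree(char *root, size_t len)
{
    char tmpl[] = "/tmp/sysfs-audit-XXXXXX";
    char p[PATH_MAX];
    int fd;

    if (!mkdtemp(tmpl))
        return -1;
    snprintf(root, len, "%s", tmpl);

    snprintf(p, sizeof p, "%s/acpi", root);
    if (mkdir(p, 0755) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/acpi/custom_method", root);
    if ((fd = open(p, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    chmod(p, 0666);                    /* the mistake being hunted for */
    snprintf(p, sizeof p, "%s/acpi/version", root);
    if ((fd = open(p, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    chmod(p, 0444);
    return 0;
}

int main(int argc, char **argv)
{
    char root[PATH_MAX];
    if (argc > 1)
        snprintf(root, sizeof root, "%s", argv[1]);
    else if (build_demo_tree(root, sizeof root) != 0)
        return 1;
    int n = scan_world_writable(root);
    for (int i = 0; i < n; i++)
        printf("world-writable: %s\n", scan_hit(i));
    printf("%d hit(s) under %s\n", n, root);
    return n < 0;
}
```

On a live system the interesting output is anything under /sys or /sys/kernel/debug, since those files are created by kernel code and a world-writable mode there is a kernel-side decision rather than a local configuration slip; /dev entries are governed by udev rules and need to be read with that in mind.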

There’s still a lot more work to do, mostly annotating each and every system call.
An annotated syscall looks like this. It’s time consuming to read through every syscall and add every possible argument, so right now there are only a dozen or so (out of ~300) fully annotated syscalls. I expect more kernel bugs to be found as coverage increases.

After LWN picked up on my last post, I got a number of interesting mails, some offering more suggestions for improvements. One interesting mail I got was from Tavis Ormandy at Google, who has been working on a similar tool. We’ve taken some different design decisions, which means that the two tools may pick up on different bugs, so I don’t think either is really a replacement for the other. I’ve definitely found it inspirational to read through a ‘competing’ tool though. Worth checking out if you found my fuzzer interesting at all.

Finally, I changed the name of the project. There were a number of other syscall fuzzers out there all called ‘scrashme’. To differentiate, mine is now named ‘Trinity’. (The cloning information in the original post has been updated.) I chose the name after rat-holing on Wikipedia for several hours, reading about nuclear tests. I always liked the Oppenheimer quote “Now I am become Death, the destroyer of worlds”. For a project that intentionally attempts to destroy, it seemed fitting.

Now, back to annotating...