On Tue, Oct 16, 2018 at 04:02:07PM +0200, Dmitry Vyukov wrote: > I am not sure how exactly this should be classified. To significant > degree these "$FOO" discriminations are informational and only really > affect the data format passed in. The problem is that putting something which is simply and plainly *wrong* is going to be actively misleading. You *have* to know what ioctl you are trying to be trying to execute because some of them require input data structures that you have to fill in, or that it requires a file descriptor as opposed to an integer or a pointer to a struct. I assume you're not just picking ioctl numbers purely at random, right? So I assume you had a table that said, this ioctl, 0x6611 takes a file descriptor, and has thus-and-so-a-name. If that name is wrong, I'd say it's pretty clearly a bug, right? (I'll again gently point out that a tiny amount of work in making syzkaller a tiny bit more developer toil would make it much more effective, since all of this extra developer toil --- now I know I can't even trust the $FOO discriminators to be right --- makes syzkaller less scalable by pursuading developers that it's not worthwhile to pay attention...) > > The patch I referenced in my previous e-mail protects against > > additional scenarios where someone might be trying to punch a whole > > into a file that is being swapped into the bootloader ioctl. This > > particular ioctl isn't yet being used by anyone, so it had some other > > issues as well, such as not interacting well with inline_data-enabled > > file systems --- not that any bootloader would be small enough that it > > would fit in an inline_data inode, but we're basically proofing the > > code against a malicious (or buggy) root-privileged program... such as > > syzbot. :-) > > ... or paving the way to opening all of this to non-root users. Why > not if not bugs? ;) The intent behind this particular ioctl is used to install a boot loader. It will *never* be opened to non-root users. It doesn't even make sense to make it available to pseudo-containers-root users. :-) - Ted
