From d1185f71a0ae0131a1dc76c72c8a176ee8045835 Mon Sep 17 00:00:00 2001
From: Florent Revest
Date: Mon, 2 Jun 2025 18:31:11 +0200
Subject: executor: linux: fix syz_open_dev virtual file names range
We noticed that syzkaller left some files with fairly unusual file names under /dev. Eg:
---------- 1 root root 0 May 30 14:42 vcs-
---------- 1 root root 0 May 30 14:48 vcs.
---------- 1 root root 136317631 May 30 14:42 vcs'
---------- 1 root root 0 May 30 14:48 vcs(
---------- 1 root root 0 May 30 14:43 vcs)
---------- 1 root root 0 May 30 14:43 vcs*
---------- 1 root root 136317633 May 30 14:46 vcs+
Funnily enough the characters after "vcs" are always within the '0'-10 to '0' ASCII range. We noticed that the syz_open_dev logic uses a modulo 10 on a signed number (the volatile long a1 argument) and in C the modulo of a negative number stays negative, so the result of this operation is in the '0'-10 to '0'+10 range. This is in turn casted to a char which is also signed and doesn't fix the glitch. By casting a1 to an unsigned long first, this keeps the result of the modulo operation signed and therefore the virtual file name suffix a number.
---
executor/common_linux.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'executor/common_linux.h')
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 8d99c2f93..3b1411098 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -2413,13 +2413,14 @@ static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
 return open(buf, O_RDWR, 0);
 } else {
 // syz_open_dev(dev ptr[in, string["/dev/foo"]], id intptr, flags flags[open_flags]) fd
+ unsigned long nb = a1;
 char buf[1024];
 char* hash;
 strncpy(buf, (char*)a0, sizeof(buf) - 1);
 buf[sizeof(buf) - 1] = 0;
 while ((hash = strchr(buf, '#'))) {
- *hash = '0' + (char)(a1 % 10); // 10 devices should be enough for everyone.
- a1 /= 10;
+ *hash = '0' + (char)(nb % 10); // 10 devices should be enough for everyone.
+ nb /= 10;
 }
 return open(buf, a2, 0);
 }
-- cgit mrf-deployment
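Review bot: The new `unsigned long nb = a1;` at the top of the else branch has no comment saying why the copy exists, so a later cleanup could fold it back into `a1 % 10` and reintroduce non-digit suffixes. I would add `// a1 is signed; take an unsigned copy so that nb % 10 is always in 0..9 and '#' becomes a digit.` above the declaration, and spell the conversion as `unsigned long nb = (unsigned long)a1;` so it is visibly intentional. The stray entries under /dev were presumably regular files created because the fuzzed a2 flags can include O_CREAT; this hunk corrects the name only, and `open(buf, a2, 0)` can presumably still create a file when the digit-suffixed node does not exist. syz_open_dev begins before the hunk and its other branches are not visible here.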