OpenBSD System Call Fuzzer - Triforce

2016-10-31 Thread Tim Newsham
system features with the fuzzer. We'd be happy to answer any questions that come up. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: [Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-08-01 Thread Tim Newsham
> > Modified files: > > sys/uvm: uvm_map.c > > > > Log message: > > add a check that the arguments to isavail don't overflow. > > callers should probably check too, but checking here won't hurt. > > possible panic reported by tim newsham. > &

[Bug 64] Any user can trigger a panic in mmap with an overlapping mapping

2016-07-28 Thread Tim Newsham
/tmp/mapfile", O_RDWR|O_CREAT, 0666); xperror(fd == -1, "/tmp/mapfile"); write(fd, "testing\n", 8); pg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); xperror(pg == MAP_FAILED, "mmap"); p = mmap(pg+4096, 0xff

Re: mmap crash

2016-07-26 Thread Tim Newsham
1024M VM. I only get crashes and dmesg output when running as root. Testing done on amd64 using 5.9-stable from yesterday. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: mmap crash

2016-07-26 Thread Tim Newsham
which includes the fixes for the earlier reported mmap issues. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

mmap crash

2016-07-26 Thread Tim Newsham
return 1; } return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: [Bug 63] Any user can panic the kernel with the sysctl call.

2016-07-25 Thread Tim Newsham
> > I made the same change in my tree. So OK claudio@ > Thank you both for the quick turnaround. Do you know if there will be an errata for this? We want to post this to oss-sec, but will wait until an errata is published if one is planned. -- Tim Newsham | www.thenewsh.com

[Bug 63] Any user can panic the kernel with the sysctl call.

2016-07-22 Thread Tim Newsham
buf; int x; x = sysctl(name, 3, buf, , 0, 0); if(x == -1) perror("sysctl"); printf("no crash!\n"); return 0; } Tim Newsham Distinguished Security Engineer, Security Consulting NCC Group Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D 3DF0

Re: read(2) on directories

2016-07-12 Thread Tim Newsham
: File "", line 1, in OSError: [Errno 21] Is a directory > > - todd > > -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Unmounting with MNT_DOOMED flag can lead to a kernel panic

2016-07-12 Thread Tim Newsham
/mnt", MNT_DOOMED); xperror(fd == -1, "unmount"); printf("no crash!\n"); return 0; } -- Tim Newsham Distinguished Security Engineer, Security Consulting NCC Group Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9 F96C 8EFE CB2F 402D 3DF0

[Bug49] Tmpfs mount with bad args can lead to a panic

2016-07-11 Thread Tim Newsham
Here's a bug related to tmpfs mounts. Forwarded Message Subject:[Bug49] Tmpfs mount with bad args can lead to a panic Date: Mon, 11 Jul 2016 10:07:33 -1000 From: Tim Newsham <tim.newsham@nccgroup.trust> To: dera...@openbsd.org, Jesse Hertz <Je

Re: __syscall dropping 6th arg on amd64

2016-07-08 Thread Tim Newsham
e extra padding arg added). -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: __syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
in the full > 64bits. > That did the trick.. thank you. > Philip Guenther > chrisC: glad to be of assistance. -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Re: __syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
s straight call: 1947 a.outCALL mmap(0,0x1,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0) -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

__syscall dropping 6th arg on amd64

2016-07-07 Thread Tim Newsham
*)0x10, 4*4096, 7, MAP_ANON, -1, 0); printf("p %p\n", p); munmap(p, 4*4096); p2 = __syscall(197, 0x10, 4*4096, 7, MAP_ANON, -1, 0); printf("p 0x%llx\n", p2); return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Tim Newsham
gv[i]; x = mknod(fn, S_IFBLK | 0666, -1); if(x == -1) perror(fn); } printf("nothing happened!\n"); return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com