@FlorentRevest
Collaborator

No description provided.

We noticed that syzkaller left some files with fairly unusual file names
under /dev. E.g.:

----------   1 root    root             0 May 30 14:42 vcs-
----------   1 root    root             0 May 30 14:48 vcs.
----------   1 root    root     136317631 May 30 14:42 vcs'
----------   1 root    root             0 May 30 14:48 vcs(
----------   1 root    root             0 May 30 14:43 vcs)
----------   1 root    root             0 May 30 14:43 vcs*
----------   1 root    root     136317633 May 30 14:46 vcs+

Funnily enough the characters after "vcs" are always within the '0'-10
to '0' ASCII range. We noticed that the syz_open_dev logic uses a modulo
10 on a signed number (the volatile long a1 argument) and in C the
modulo of a negative number stays negative, so the result of this
operation is in the '0'-10 to '0'+10 range. This is in turn cast to a
char which is also signed and doesn't fix the glitch.

By casting a1 to an unsigned long first, this keeps the result of the
modulo operation signed and therefore the virtual file name suffix a
number.

The logic in that branch of the code relies on replacing # characters
with numbers. There's a comment in the code which shows a clarifying
example but it misses the # which I found mildly confusing.
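
The signed-remainder behaviour described in the commit messages above, as an added example that is not part of the pull request or of syzkaller's code. `fill_hashes` and `vcs_suffix` are hypothetical helpers, and the `/dev/vcs#` template and ids are constructed; nothing is opened or created on disk.

```c
#include <stdio.h>
#include <string.h>

// Hypothetical helper: replace each '#' in buf with a character derived
// from id, least significant decimal digit first.
// fixed == 0: signed arithmetic (the behaviour described as the bug).
// fixed != 0: id is converted to unsigned long first (the described fix).
static void fill_hashes(char* buf, long id, int fixed)
{
	unsigned long uid = (unsigned long)id;
	char* hash;
	while ((hash = strchr(buf, '#'))) {
		if (fixed) {
			*hash = '0' + (char)(uid % 10); // remainder is always 0..9
			uid /= 10;
		} else {
			*hash = '0' + (char)(id % 10); // remainder is -9..0 for negative id
			id /= 10;
		}
	}
}

// Returns the character substituted into a constructed "/dev/vcs#" template.
static char vcs_suffix(long id, int fixed)
{
	char buf[32] = "/dev/vcs#";
	fill_hashes(buf, id, fixed);
	return buf[strlen(buf) - 1];
}

int main(void)
{
	long ids[] = {7, -3, -2, -9}; // constructed sample ids
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("id=%ld  signed: vcs%c  unsigned: vcs%c\n", ids[i],
		       vcs_suffix(ids[i], 0), vcs_suffix(ids[i], 1));
	return 0;
}
```

With signed arithmetic, the ids -3, -2 and -9 give the suffixes `-`, `.` and `'` seen in the listing; with the unsigned conversion every suffix is a decimal digit.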
@tarasmadan tarasmadan added this pull request to the merge queue Jun 4, 2025
Merged via the queue into google:master with commit e565f08 Jun 4, 2025
17 checks passed