what happens when you activity post
What if every web page had a little something like this embedded in it?
That’s an actual style. It should be the only one visible on this page. If there’s anything else visible, it’s not coming from me.
panic: bad dir
There’s a few possible causes for this, but inspection revealed that the most likely case might be a directory entry missing the nul terminator. The timing certainly seemed suspicious. Could there be an off by one?
memset(newdirp->d_name + (cnp->cn_namelen & ~(DIR_ROUNDUP-1)), 0, DIR_ROUNDUP);
Actually no. syzkaller had found a way to create filesystem corruption through one of the “expected” damage paths, but the test case was a little obfuscated. More study revealed it was calling mknod to create a new device that happened to be equal to
/dev/sd0c and opening it, and then calling pwrite to write some garbage to a random spot.
mknod("banana", 0777, 0x0402); open("banana") pwrite(3, "oops", 4, 0x9000);
Further complicating the matter was that syzkaller didn’t know that pwrite is one of the magic syscalls that takes a padding argument before off_t. This didn’t affect the test, per se, but makes it harder to interpret because syzkaller calls things directly. (The actual syscall in use was the iovec variant, pwritev.)
syscall(SYS_pwritev, r, 0x200002c0, 1, 0);
If you read the man page for pwritev that looks correct. But inspecting
src/sys/kern/syscalls.master reveals that the fourth argument is actually a pad argument, and the offset is the fifth argument. So the call above was writing to an offset that was not zero.
Not the first fuzzer to encounter this oddity. More details here.
In the end, it was just coincidence that syzkaller found a new way to corrupt its filesystem a few days after a filesystem commit.
Finally, figured out what seems to be the problem. The iphone introduces its own viewport meta tag, to define the screen dimensions, and control whether the user can zoom or not. A lot of sites abuse this to the point of unusability, so I very determinedly stayed clear. But without a viewport tag, safari is really dumb.
Without a viewport setting safari picks some defaults and renders the page to fit. They seem fine to me. The problem is that after leaving a page and coming back, safari has forgotten what size it picked, picks again, and then has to reflow all the page content. Even though it has picked exactly the same dimensions as the previous render. With the result that it forgets its scroll position and resets to the top of the page. Sigh. At least that’s what I’ve determined is going on.
So I finally broke down and added a viewport tag to the header. This required futzing with the CSS some more because now it rendered to a much smaller virtual canvas, but generally solvable.
Anyway, this frustrated me for a long time, I couldn’t find any useful information about it, and now it seems to work.