authorMarco Vanotti <mvanotti@google.com>2019-09-11 13:29:09 -0700
committerMarco Vanotti <mvanotti@users.noreply.github.com>2019-09-12 21:17:27 -0300
commit40fa42bc2721bd9f0f3ca4546fedea692a4a4ffd (patch)
tree3e90d7a4aaca4a269926ea86814c22fb074a1095
parent0b7672eeaf94842c617283c09e26672f2b942078 (diff)
executor/fuchsia: close vmo handle in syz_mmap.
This commit fixes a handle leak in syz_mmap. The bug was pointed out by mdempsky during a code review. The `syz_mmap` function creates a VMO and maps it to a VMAR in the address specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar, the handle to the vmo can be closed without problems. The new code makes sure that `zx_handle_close(vmo_handle)` gets called before the `syz_mmap` function returns.
-rw-r--r--executor/common_fuchsia.h7
-rw-r--r--pkg/csource/generated.go5
2 files changed, 12 insertions, 0 deletions
diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
index 892cd853d..646173eba 100644
--- a/executor/common_fuchsia.h
+++ b/executor/common_fuchsia.h
@@ -185,12 +185,19 @@ long syz_mmap(size_t addr, size_t size)
status = zx_vmo_replace_as_executable(vmo, ZX_HANDLE_INVALID, &vmo);
if (status != ZX_OK) {
debug("zx_vmo_replace_as_executable failed with: %d\n", status);
+ // Don't need to zx_handle_close(vmo) because
+ // zx_vmo_replace_as_executable already invalidates it.
return status;
}
uintptr_t mapped_addr;
status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE,
addr - info.base, vmo, 0, size,
&mapped_addr);
+
+ zx_status_t close_vmo_status = zx_handle_close(vmo);
+ if (close_vmo_status != ZX_OK) {
+ debug("zx_handle_close(vmo) failed with: %d\n", close_vmo_status);
+ }
return status;
}
#endif
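Review bot: The comment added in the `zx_vmo_replace_as_executable` failure branch says the call "already invalidates" the handle, but it does not say that this holds on the failure path, which is the only case this branch covers. I would word it as `// zx_vmo_replace_as_executable invalidates the source handle even when it fails, so vmo must not be closed again here.` so a later reader does not add a second close on an already-invalid handle. `syz_mmap` starts above this hunk, so any early return between the VMO creation and this point is not visible here; if one exists, it would need the same `zx_handle_close(vmo)` to fully fix the leak. The identical close block in `pkg/csource/generated.go` is the generated copy and needs no separate change.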
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 908fff1db..9e9847ce8 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -957,6 +957,11 @@ long syz_mmap(size_t addr, size_t size)
status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE,
addr - info.base, vmo, 0, size,
&mapped_addr);
+
+ zx_status_t close_vmo_status = zx_handle_close(vmo);
+ if (close_vmo_status != ZX_OK) {
+ debug("zx_handle_close(vmo) failed with: %d\n", close_vmo_status);
+ }
return status;
}
#endif