diff options
| author | Alexander Potapenko <glider@google.com> | 2024-02-27 18:41:07 +0100 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2024-03-05 12:52:22 +0000 |
| commit | a22c04686defba80427d67cd388d6b77a1aa67d0 (patch) | |
| tree | 92fea32ed1730d85e26a531f53e5e0b4fba74e77 | |
| parent | 18c4803efdcc256364c4dcfd9eca5176e277844f (diff) | |
executor: temporarily disable IORING_SETUP_CQE32 and IORING_SETUP_SQE128
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect
assumptions about the ring buffer size, causing the kernel to write
outside of the mapped memory, smashing whatever follows it.
This is a hotfix for https://github.com/google/syzkaller/issues/4531
that will stop the ci-upstream-gce-arm64 from generating random
coverage.
| -rw-r--r-- | executor/common_linux.h | 6 | ||||
| -rw-r--r-- | pkg/csource/generated.go | 4 |
2 files changed, 8 insertions, 2 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h index 6b96d8cea..85e19cf84 100644 --- a/executor/common_linux.h +++ b/executor/common_linux.h @@ -1935,6 +1935,8 @@ struct io_uring_params { #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL +#define IORING_SETUP_SQE128 (1U << 10) +#define IORING_SETUP_CQE32 (1U << 11) #include <sys/mman.h> #include <unistd.h> @@ -1950,7 +1952,9 @@ static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; - + // Temporarily disable IORING_SETUP_CQE32 and IORING_SETUP_SQE128 that may change SIZEOF_IO_URING_CQE and SIZEOF_IO_URING_SQE. + // Tracking bug: https://github.com/google/syzkaller/issues/4531. + setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); // Compute the ring sizes diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go index d27286693..7c01243ce 100644 --- a/pkg/csource/generated.go +++ b/pkg/csource/generated.go @@ -4451,6 +4451,8 @@ struct io_uring_params { #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL +#define IORING_SETUP_SQE128 (1U << 10) +#define IORING_SETUP_CQE32 (1U << 11) #include <sys/mman.h> #include <unistd.h> @@ -4460,7 +4462,7 @@ static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; - + setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32 sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32); uint32 cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; |