diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2018-05-14 11:17:24 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-05-14 11:17:24 +0200 |
| commit | aa5027ae05e6a8daf11c67b192178fa84aa39354 (patch) | |
| tree | b7a9c04ee2b8bef0b2770d537395454d716d0fc3 | |
| parent | 9fb3ae4dfd75706d58488fdc13f10fd7e9a8839c (diff) | |
executor: randomize output region addr
Fuzzer manages to corrupt output region and write random coverage again and again.
Randomize output region addr to make it harder.
| -rw-r--r-- | executor/executor_linux.cc | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/executor/executor_linux.cc b/executor/executor_linux.cc index d9177bce7..d9e84a66a 100644 --- a/executor/executor_linux.cc +++ b/executor/executor_linux.cc @@ -36,9 +36,6 @@ const unsigned long KCOV_TRACE_CMP = 1; const int kInFd = 3; const int kOutFd = 4; -// The address chosen must also work on 32-bit kernels with 1GB user address space. -void* const kOutputDataAddr = (void*)0x1b2bc20000ull; - uint32* output_data; uint32* output_pos; @@ -58,10 +55,13 @@ int main(int argc, char** argv) // The output region is the only thing in executor process for which consistency matters. // If it is corrupted ipc package will fail to parse its contents and panic. // But fuzzer constantly invents new ways of how to currupt the region, - // so we map the region at a (hopefully) hard to guess address surrounded by unmapped pages. - output_data = (uint32*)mmap(kOutputDataAddr, kMaxOutput, + // so we map the region at a (hopefully) hard to guess address with random offset, + // surrounded by unmapped pages. + // The address chosen must also work on 32-bit kernels with 1GB user address space. + void* preferred = (void*)(0x1b2bc20000ull + (1 << 20) * (getpid() % 128)); + output_data = (uint32*)mmap(preferred, kMaxOutput, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, kOutFd, 0); - if (output_data != kOutputDataAddr) + if (output_data != preferred) fail("mmap of output file failed"); if (mmap((void*)SYZ_DATA_OFFSET, SYZ_NUM_PAGES * SYZ_PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != (void*)SYZ_DATA_OFFSET) @@ -212,7 +212,7 @@ bool kcov_comparison_t::ignore() const // This can be a pointer (assuming 64-bit kernel). // First of all, we want avert fuzzer from our output region. // Without this fuzzer manages to discover and corrupt it. - uint64 out_start = (uint64)kOutputDataAddr; + uint64 out_start = (uint64)output_data; uint64 out_end = out_start + kMaxOutput; if (arg1 >= out_start && arg1 <= out_end) return true; |