diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2017-01-25 11:01:30 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-01-25 11:01:30 +0100 |
| commit | f810d0844478c385985e2d0fe0a6a603a7b1c8bd (patch) | |
| tree | 6f1c5ff716e3e22d1f3cda7d681d349fd7f659fb /csource | |
| parent | 40723a067e2216f643485b732f90202b38b59e4b (diff) | |
executor: protect against memory corruptions better
Fuzzer has figured out how to corrupt input/output shmem regions
abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative
text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as readable only, we don't write to it.
3. Add address sanity check to segv_handler, if we see that we are writing
into executable data, it's better to crash instantly.
Diffstat (limited to 'csource')
| -rw-r--r-- | csource/common.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/csource/common.go b/csource/common.go index 48d645cc6..da5c7c91e 100644 --- a/csource/common.go +++ b/csource/common.go @@ -116,8 +116,14 @@ __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* uctx) { - if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED)) + uintptr_t addr = (uintptr_t)info->si_addr; + const uintptr_t prog_start = 1<<20; + const uintptr_t prog_end = 100<<20; + if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { + debug("SIGSEGV on %p, skipping\n", addr); _longjmp(segv_env, 1); + } + debug("SIGSEGV on %p, exiting\n", addr); doexit(sig); for (;;) { } @@ -711,7 +717,7 @@ static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uin (void)text_count; int text_type = 0; const void* text = 0; - int text_size = 0; + uintptr_t text_size = 0; NONFAILING(text_type = text_array_ptr[0].typ); NONFAILING(text = text_array_ptr[0].text); NONFAILING(text_size = text_array_ptr[0].size); |