executor: protect against memory corruptions better

Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
author: Dmitry Vyukov <dvyukov@google.com> 2017-01-25 11:01:30 +0100
committer: Dmitry Vyukov <dvyukov@google.com> 2017-01-25 11:01:30 +0100
commit: f810d0844478c385985e2d0fe0a6a603a7b1c8bd (patch)
tree: 6f1c5ff716e3e22d1f3cda7d681d349fd7f659fb /executor/common_kvm_amd64.h
parent: 40723a067e2216f643485b732f90202b38b59e4b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/executor/common_kvm_amd64.h b/executor/common_kvm_amd64.h
index 558026d5c..f5d061bb1 100644
--- a/executor/common_kvm_amd64.h
+++ b/executor/common_kvm_amd64.h
@@ -287,7 +287,7 @@ static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uin
 	(void)text_count; // fuzzer can spoof count and we need just 1 text, so ignore text_count
 	int text_type = 0;
 	const void* text = 0;
-	int text_size = 0;
+	uintptr_t text_size = 0;
 	NONFAILING(text_type = text_array_ptr[0].typ);
 	NONFAILING(text = text_array_ptr[0].text);
 	NONFAILING(text_size = text_array_ptr[0].size);
author	Dmitry Vyukov <dvyukov@google.com>	2017-01-25 11:01:30 +0100
committer	Dmitry Vyukov <dvyukov@google.com>	2017-01-25 11:01:30 +0100
commit	f810d0844478c385985e2d0fe0a6a603a7b1c8bd (patch)
tree	6f1c5ff716e3e22d1f3cda7d681d349fd7f659fb /executor/common_kvm_amd64.h
parent	40723a067e2216f643485b732f90202b38b59e4b (diff)