executor: introduce __addrspace_guest

Apply __addrspace_guest to every guest function and use a C++ template
to statically validate that host functions are not passed to
executor_fn_guest_addr().
This only works in Clang builds of syz-executor, because GCC does not
support address spaces, and C reproducers cannot use templates.

The static check allows us to drop the dynamic checks in DEFINE_GUEST_FN_TO_GPA_FN().
While at it, replace DEFINE_GUEST_FN_TO_GPA_FN() with explicit declarations of
host_fn_guest_addr() and guest_fn_guest_addr().

1 files changed, 7 insertions, 1 deletions

diff --git a/executor/common_kvm_syzos.h b/executor/common_kvm_syzos.h
index a635d517b..be530319e 100644
--- a/executor/common_kvm_syzos.h
+++ b/executor/common_kvm_syzos.h
@@ -12,8 +12,11 @@
 // TODO(glider): once syz-env-old migrates to GCC>11 we can just use
 // __attribute__((no_stack_protector)).
 #if defined(__clang__)
+
 // Clang supports the no_stack_protector attribute.
 #define __no_stack_protector __attribute__((no_stack_protector))
+#define __addrspace_guest __attribute__((address_space(10)))
+
 #elif defined(__GNUC__)
 // The no_stack_protector attribute was introduced in GCC 11.1.
 #if __GNUC__ > 11
@@ -22,12 +25,15 @@
 // Fallback to the optimize attribute for older GCC versions.
 #define __no_stack_protector __attribute__((__optimize__("-fno-stack-protector")))
 #endif
+#define __addrspace_guest
+
 #else
 #define __no_stack_protector
+#define __addrspace_guest
 #endif
 
 // Host will map the code in this section into the guest address space.
-#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector
+#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
 
 // Start/end of the guest section.
 extern char *__start_guest, *__stop_guest;