executor: protect against memory corruptions better

Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
author: Dmitry Vyukov <dvyukov@google.com> 2017-01-25 11:01:30 +0100
committer: Dmitry Vyukov <dvyukov@google.com> 2017-01-25 11:01:30 +0100
commit: f810d0844478c385985e2d0fe0a6a603a7b1c8bd (patch)
tree: 6f1c5ff716e3e22d1f3cda7d681d349fd7f659fb /executor/executor.cc
parent: 40723a067e2216f643485b732f90202b38b59e4b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/executor/executor.cc b/executor/executor.cc
index 9ef2248be..03999559a 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -139,7 +139,7 @@ int main(int argc, char** argv)
 	}
 
 	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
-	if (mmap(&input_data[0], kMaxInput, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED, kInFd, 0) != &input_data[0])
+	if (mmap(&input_data[0], kMaxInput, PROT_READ, MAP_PRIVATE | MAP_FIXED, kInFd, 0) != &input_data[0])
 		fail("mmap of input file failed");
 	if (mmap(&output_data[0], kMaxOutput, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, kOutFd, 0) != &output_data[0])
 		fail("mmap of output file failed");
author	Dmitry Vyukov <dvyukov@google.com>	2017-01-25 11:01:30 +0100
committer	Dmitry Vyukov <dvyukov@google.com>	2017-01-25 11:01:30 +0100
commit	f810d0844478c385985e2d0fe0a6a603a7b1c8bd (patch)
tree	6f1c5ff716e3e22d1f3cda7d681d349fd7f659fb /executor/executor.cc
parent	40723a067e2216f643485b732f90202b38b59e4b (diff)