authorAleksandr Nogikh <nogikh@google.com>2022-01-19 17:38:24 +0000
committerAleksandr Nogikh <wp32pw@gmail.com>2022-01-21 11:28:49 +0100
commit214351e168def9426c79e1f65a93ddb112cee906 (patch)
tree7bd960ca4a7dd2cf5d720d7f3159385ba0eb3fc1 /executor/executor_linux.h
parentab3d9f17d3b73b74f89b4ea3bd951e09ab4149a8 (diff)
executor: fail on SEGV during clone()
As was found out in #2921, fork bombs are still possible in Linux-based instances. One of the possible reasons is described below. An invalid stack can be passed to the clone() call, thus causing it to stumble on an invalid memory access right when returning from the clone() call. This is in turn caught by the NONFAILING() macro and the control actually jumps over it and eventually both the child and the parent continue executing the same code. Prevent it by handling SIGSEGV and SIGBUS differently during the clone process. Co-authored-by: Andrei Vagin <avagin@google.com>
Diffstat (limited to 'executor/executor_linux.h')
-rw-r--r--executor/executor_linux.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/executor/executor_linux.h b/executor/executor_linux.h
index 8666d929b..3f422f6f2 100644
--- a/executor/executor_linux.h
+++ b/executor/executor_linux.h
@@ -224,6 +224,17 @@ NORETURN void doexit(int status)
}
}
+// If we need to kill just a single thread (e.g. after cloning), exit_group is not
+// the right choice - it will kill all threads, which might eventually lead to
+// unnecessary SYZFAIL errors.
+NORETURN void doexit_thread(int status)
+{
+ volatile unsigned i;
+ syscall(__NR_exit, status);
+ for (i = 0;; i++) {
+ }
+}
+
#define SYZ_HAVE_FEATURES 1
static feature_t features[] = {
{"leak", setup_leak},
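Review bot: The header comment on `doexit_thread` says when to prefer it over `doexit`, but not why the body spins on a `volatile` counter after `syscall(__NR_exit, status)`; with the function marked NORETURN a reader may take the loop for dead code. Suggest a comment above the loop: `// __NR_exit must not return; the volatile counter keeps this fallback loop from being optimized away (same pattern as doexit).` The commit message ties this helper to the clone()/SIGSEGV path, so it would also help to state the expected calling context in the header comment, e.g. `// Meant for the child side after clone() when the parent must keep running; a SIGSEGV handler can only reach this on an invalid clone stack if it runs on an alternate signal stack.` — that last part is an inference, since the call sites and the signal-handler setup are outside this hunk.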