path: root/executor/executor_test.h
author: Greg Steuck <gnezdo@google.com> 2019-01-12 13:20:22 -0800
committer: Dmitry Vyukov <dvyukov@google.com> 2019-01-14 09:48:45 +0100
commit: 77c702cf1a02ef4bb695e9daa9339afb3cbd5d89
tree: aeedbb9480a51758ff791b9c584b1fc278d34c8c /executor/executor_test.h
parent: c3f3344c78d6f69e1494297262c453f8ed10a844
sys/openbsd: avoid /dev/fd node creation
Prevents corpus explosion with corrupted coverage data.

The two parallel runs of:
`doas ./syz-execprog -cover -coverfile /tmp/{fixed,unfixed} r.syz`
show markedly different coverage pictures:

unfixed:
```
2019/01/12 13:55:38 parsed 1 programs
2019/01/12 13:55:38 executed programs: 0
2019/01/12 13:55:38 call #0: signal 821, coverage 2438
2019/01/12 13:55:38 call #1: signal 243, coverage 1363
2019/01/12 13:55:38 call #2: signal 502, coverage 1993
2019/01/12 13:55:38 call #3: signal 15, coverage 44
2019/01/12 13:55:38 call #4: signal 335, coverage 8196
```

fixed:
```
2019/01/12 13:51:57 parsed 1 programs
2019/01/12 13:51:57 executed programs: 0
2019/01/12 13:51:57 call #0: signal 837, coverage 2491
2019/01/12 13:51:57 call #1: signal 241, coverage 1341
2019/01/12 13:51:57 call #2: signal 27, coverage 61
2019/01/12 13:51:57 call #3: signal 13, coverage 44
2019/01/12 13:51:57 call #4: signal 39, coverage 299
```

The contents of `r.syz` are:
```
mknod(&(0x7f0000000180)='./file0\x00', 0x2006, 0x10000016e8)
r0 = open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0, 0x0)
writev(0xffffffffffffffff, &(0x7f0000002480)=[{&(0x7f0000001480)="<junk>", 0x573}], 0x1)
lstat(&(0x7f0000000240)='./file0\x00', &(0x7f0000000000))
```

So, it's the final lstat which was getting that extra coverage. In particular, the end of unfixed.4 has some 4734 values 0xffffffff00000000.
Diffstat (limited to 'executor/executor_test.h')
0 files changed, 0 insertions, 0 deletions