executor: introduce syz_pidfd_open()

This kernel interface provides access to fds of other processes, which is readily abused by the fuzzer to mangle parent syz-executor fds. Pid=1 is the parent syz-executor process when PID namespace is created. Sanitize it in the new syz_pidfd_open() pseudo-syscall. We could not patch the argument in sys/linux/init.go because the first argument is a resource.
author: Aleksandr Nogikh <nogikh@google.com> 2023-12-18 11:58:39 +0100
committer: Aleksandr Nogikh <nogikh@google.com> 2023-12-19 00:16:19 +0000
commit: 3ad490ea48468e50fe91f6f6b2ca4cbc74d924bf (patch)
tree: d6960156ac4fcbeb908fbbbba79c8716d8e47172 /executor
parent: 924661f4beda6a647079237cc843df44626fc44b (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 2f10ae3d6..85f9b966a 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -5655,3 +5655,21 @@ static void setup_swap()
 }
 
 #endif
+
+#if SYZ_EXECUTOR || __NR_syz_pidfd_open
+#include <sys/syscall.h>
+
+// TODO: long-term we should improve our sandboxing rules since there are also
+// many other opportunities for a fuzzer process to access what it shouldn't.
+// Here we only shut down one of the recently discovered ways.
+static long syz_pidfd_open(volatile long pid, volatile long flags)
+{
+	if (pid == 1) {
+		// Under a PID namespace, pid=1 is the parent process.
+		// We don't want a forked child to mangle parent syz-executor's fds.
+		pid = 0;
+	}
+	return syscall(__NR_pidfd_open, pid, flags);
+}
+
+#endif
author	Aleksandr Nogikh <nogikh@google.com>	2023-12-18 11:58:39 +0100
committer	Aleksandr Nogikh <nogikh@google.com>	2023-12-19 00:16:19 +0000
commit	3ad490ea48468e50fe91f6f6b2ca4cbc74d924bf (patch)
tree	d6960156ac4fcbeb908fbbbba79c8716d8e47172 /executor
parent	924661f4beda6a647079237cc843df44626fc44b (diff)