authorEthan Graham <ethangraham@google.com>2025-09-18 14:13:45 +0000
committerAleksandr Nogikh <nogikh@google.com>2025-09-22 09:11:54 +0000
commit0ac7291ca51f87df8022da0f66178546e855701a (patch)
tree9f0f40794061c15b5cfae099bfbd9cc65c649d76 /executor
parent00c475bd12fe0219cd0564fc64272452b40d372c (diff)
prog: fix syz_kfuzztest_run allocation strategy
Previously, the generated KFuzzTest programs were reusing the address of the top-level input struct. A problem could arise when the encoded blob is large and overflows into another allocated region - this certainly happens in the case where the input struct points to some large char buffer, for example. While this wasn't directly a problem, it could lead to racy behavior when running KFuzzTest targets concurrently. To fix this, we now introduce an additional buffer parameter into syz_kfuzztest_run that is as big as the maximum accepted input size in the KFuzzTest kernel code. When this buffer is allocated, we ensure that we have some allocated space in the program that can hold the entire encoded input. This works in practice, but has not been tested with concurrent KFuzzTest executions yet.
Diffstat (limited to 'executor')
-rw-r--r--executor/common_linux.h8
1 files changed, 4 insertions, 4 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 76325ff6d..5d477a16a 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -5865,15 +5865,15 @@ static long syz_pidfd_open(volatile long pid, volatile long flags)
#include <unistd.h>
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data,
- volatile long input_data_size)
+ volatile long input_data_size, volatile long buffer)
{
const char* test_name = (const char*)test_name_ptr;
if (!test_name) {
debug("syz_kfuzztest_run: test name was NULL\n");
return -1;
}
- if (!input_data || input_data_size == 0) {
- debug("syz_kfuzztest_run: input data was NULL\n");
+ if (!buffer) {
+ debug("syz_kfuzztest_run: buffer was NULL\n");
return -1;
}
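Review bot: The new guard only tests `buffer` and drops the old `input_data_size == 0` rejection, so a zero or negative `input_data_size` now reaches `write(fd, (void*)buffer, (size_t)input_data_size)` in the next hunk, where the cast turns a negative long into a huge length that walks past the buffer. Keeping the size check next to the new one, `if (!buffer || input_data_size <= 0) {` with `debug("syz_kfuzztest_run: buffer was NULL or size invalid\n");`, restores the previous behaviour for empty input. The `buffer` argument carries no length of its own, so the function cannot confirm that `input_data_size` fits in it; the description says the caller sizes it to the kernel's maximum accepted input, which is worth stating in a comment above the signature. `input_data` remains a parameter but is no longer referenced in the visible lines; if the code between the two hunks does not use it either, it is dead. The body of syz_kfuzztest_run continues past this hunk.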
@@ -5890,7 +5890,7 @@ static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_d
return -1;
}
- ssize_t bytes_written = write(fd, (void*)input_data, (size_t)input_data_size);
+ ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
if (bytes_written != input_data_size) {
debug("syz_kfuzztest_run: failed to write to %s, reason: %s\n", buf, strerror(errno));
close(fd);