| author | Hrutvik Kanabar <hrutvik@google.com> | 2022-09-07 09:12:47 +0000 |
|---|---|---|
| committer | Aleksandr Nogikh <wp32pw@gmail.com> | 2022-09-13 17:27:56 +0200 |
| commit | 988628d10c15f7387c830d883a12a4b6f0fac901 (patch) | |
| tree | 11176befa1704fed71186c057df89bf9ac524bc5 /executor | |
| parent | df924ba40c5a88541acf63d6aa4ae561619a9745 (diff) | |
sys/linux, tools/syz-imagegen: allow `syz_mount_image` to change directory
Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be followed by the corresponding change of directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_linux.h | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index d7e3726a3..4c525760a 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -2860,13 +2860,13 @@ error_clear_loop:
 #include <string.h>
 #include <sys/mount.h>
-// syz_mount_image(fs ptr[in, string[disk_filesystems]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]]) fd_dir
+// syz_mount_image(fs ptr[in, string[disk_filesystems]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]], chdir bool8) fd_dir
 // fs_image_segment {
 // data ptr[in, array[int8]]
 // size len[data, intptr]
 // offset intptr
 // }
-static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
+static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg, volatile long change_dir)
 {
 struct fs_image_segment* segs = (struct fs_image_segment*)segments;
 int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
@@ -2920,6 +2920,14 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns
 if (res == -1) {
 debug("syz_mount_image > open error: %d\n", errno);
 err = errno;
+ goto error_clear_loop;
+ }
+ if (change_dir) {
+ res = chdir(target);
+ if (res == -1) {
+ debug("syz_mount_image > chdir error: %d\n", errno);
+ err = errno;
+ }
 }
 error_clear_loop:
|
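Review bot: In the second hunk, `res = chdir(target);` overwrites the value that the preceding `open error` check was guarding, so if `res` holds the directory descriptor opened just above (the open is outside the hunk, but the check strongly suggests it), a successful chdir turns the function's `fd_dir` return into 0 and leaks the real descriptor, while a failed chdir returns -1 and also leaks it. Keep the chdir result out of `res`, and close the descriptor on the failure path so the caller still sees -1 with errno, as the hunk intends. The comment at the top of the first hunk documents the new `chdir bool8` argument, but the parameter would also deserve a one-line note that the cwd change persists for the calling process after the call returns; `syz_mount_image` begins and ends outside these hunks.
```c
	if (change_dir && chdir(target) == -1) {
		debug("syz_mount_image > chdir error: %d\n", errno);
		err = errno;
		close(res); /* do not leak the directory fd when reporting failure */
		res = -1;
	}
	/* … unchanged: error_clear_loop cleanup … */
```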
