| author | Alexander Potapenko <glider@google.com> | 2025-05-12 16:03:45 +0200 |
|---|---|---|
| committer | Alexander Potapenko <glider@google.com> | 2025-05-12 15:38:13 +0000 |
| commit | f6671af7193a6d6860e38e17e108afb5934568dc (patch) | |
| tree | 1cd78eea64fb18d97302e52b5d498360104a6b44 /executor | |
| parent | 77908e5f2ae80bee6d434bca762a25a0a5fc6a83 (diff) | |
executor: arm64: syzos: prevent jump table emission
When compiling SYZOS into the executor binary, the compiler often
attempts to emit a jump table, putting it into the data section
of the executor. SYZOS is unable to access that data and crashes.
Use primes multiplied by 10 to defeat the compiler's heuristics
for jump table emission.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_kvm_arm64_syzos.h | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/executor/common_kvm_arm64_syzos.h b/executor/common_kvm_arm64_syzos.h
index 63b571cb3..70074bfbf 100644
--- a/executor/common_kvm_arm64_syzos.h
+++ b/executor/common_kvm_arm64_syzos.h
@@ -18,17 +18,21 @@
 // Start/end of the guest section.
 extern char *__start_guest, *__stop_guest;
+// Compilers will eagerly try to transform the switch statement in guest_main()
+// into a jump table, unless the cases are sparse enough.
+// We use prime numbers multiplied by 10 to prevent this behavior.
+// Remember these constants must match those in sys/linux/dev_kvm_arm64.txt.
 typedef enum {
- SYZOS_API_UEXIT,
- SYZOS_API_CODE,
- SYZOS_API_MSR,
- SYZOS_API_SMC,
- SYZOS_API_HVC,
- SYZOS_API_IRQ_SETUP,
- SYZOS_API_MEMWRITE,
- SYZOS_API_ITS_SETUP,
- SYZOS_API_ITS_SEND_CMD,
- SYZOS_API_MRS,
+ SYZOS_API_UEXIT = 0,
+ SYZOS_API_CODE = 10,
+ SYZOS_API_MSR = 20,
+ SYZOS_API_SMC = 30,
+ SYZOS_API_HVC = 50,
+ SYZOS_API_IRQ_SETUP = 70,
+ SYZOS_API_MEMWRITE = 110,
+ SYZOS_API_ITS_SETUP = 130,
+ SYZOS_API_ITS_SEND_CMD = 170,
+ SYZOS_API_MRS = 190,
 SYZOS_API_STOP, // Must be the last one
 } syzos_api_id; |
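Review bot: The sparse enum values make a jump table less likely but do not rule one out, because the decision is a compiler heuristic that is not pinned anywhere in the build: if I recall Clang's defaults correctly, its switch lowering can still emit a table for a sub-range of as few as four cases once that sub-range is dense enough, and `SYZOS_API_UEXIT`..`SYZOS_API_SMC` at 0/10/20/30 is roughly 13% dense, so a compiler upgrade or one new API id could quietly reintroduce a data-section reference the guest cannot read. The robust fix is to have the build enforce the property, `-fno-jump-tables` on the executor's compile flags (accepted by both GCC and Clang), keeping the sparse constants as a second layer; where a file-wide flag is not possible, GCC also honours `__attribute__((optimize("no-jump-tables")))` on guest_main(), though Clang ignores that attribute. The added comment is also slightly inaccurate, since 0 and 10 are not primes times ten and `SYZOS_API_STOP` silently becomes 191; `// Sparse, non-contiguous ids (mostly 10*prime); keep new entries well apart and update sys/linux/dev_kvm_arm64.txt.` would state the actual rule. guest_main() and the descriptions file the comment refers to are outside this hunk, so whether the switch has a default case for ids that fall into the gaps cannot be checked here.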
