| field | value | date |
|---|---|---|
| author | Aleksandr Nogikh <nogikh@google.com> | 2022-01-12 14:40:51 +0000 |
| committer | Aleksandr Nogikh <wp32pw@gmail.com> | 2022-01-13 17:03:14 +0100 |
| commit | d6f3385b1a3f2fba8e14d6794bece1dcdd9e479e (patch) | |
| tree | c3163643d321b913450df84f41731b71d5874243 /sys/linux/test | |
| parent | 6baa7baec59a790c452b0b1c97447475eb6c1afe (diff) | |
all: add syz_clone() and syz_clone3() pseudo calls
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way as
to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
Diffstat (limited to 'sys/linux/test')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | sys/linux/test/landlock_ptrace | 7 |
| -rw-r--r-- | sys/linux/test/syz_clone | 1 |
| -rw-r--r-- | sys/linux/test/syz_clone3 | 3 |
3 files changed, 6 insertions, 5 deletions
diff --git a/sys/linux/test/landlock_ptrace b/sys/linux/test/landlock_ptrace index e3037386d..ad63f3e5c 100644 --- a/sys/linux/test/landlock_ptrace +++ b/sys/linux/test/landlock_ptrace @@ -1,13 +1,10 @@ # Creates independent Landlock hierarchies and try different tracer/tracee # schemas (without scheduling control). -# -# fork() is not available for the following architectures: -# requires: -arch=arm64 -arch=riscv64 capset(&AUTO={0x20080522, 0x0}, &AUTO={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) prctl$PR_SET_NO_NEW_PRIVS(0x26, 0x1) -r0 = fork() +r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) # PTRACE_ATTACH and PTRACE_DETACH @@ -17,7 +14,7 @@ ptrace(0x11, r0) r1 = landlock_create_ruleset(&AUTO={0x100}, AUTO, 0x0) landlock_restrict_self(r1, 0x0) -r2 = fork() +r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r0) ptrace(0x11, r0) diff --git a/sys/linux/test/syz_clone b/sys/linux/test/syz_clone new file mode 100644 index 000000000..23022429c --- /dev/null +++ b/sys/linux/test/syz_clone @@ -0,0 +1 @@ +syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) diff --git a/sys/linux/test/syz_clone3 b/sys/linux/test/syz_clone3 new file mode 100644 index 000000000..5539d7f86 --- /dev/null +++ b/sys/linux/test/syz_clone3 @@ -0,0 +1,3 @@ +# requires: arch=amd64 + +syz_clone3(&AUTO={0x11, 0x0, 0x0, 0x0, {0x11}, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0}}, AUTO) |
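Review bot: in the first landlock_ptrace hunk, the deleted `# fork() is not available for the following architectures:` / `# requires: -arch=arm64 -arch=riscv64` lines were the only record of why the test was restricted, and the replacement `r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)` now runs on those architectures with a bare magic number; please keep a one-line comment stating that the restriction was lifted because syz_clone no longer depends on fork(), and that 0x11 is the exit signal (SIGCHLD) so the call is a plain fork-equivalent.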
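Review bot: the new sys/linux/test/syz_clone file carries no `# requires:` header or comment at all, so it exercises `syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)` on every architecture, including the arm64 and riscv64 targets the landlock_ptrace test used to exclude; if running everywhere is the intent, a leading comment saying so (and what outcome the test checks for) would make that explicit, matching the header style of landlock_ptrace.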
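Review bot: the new sys/linux/test/syz_clone3 file is gated with `# requires: arch=amd64` but gives no reason, while the commit message says syz_clone3 falls back to fork on kernels without clone3, so the gate looks unnecessary or needs a comment explaining what it guards. In the same file, 0x11 appears both as the first struct field and inside the nested `{0x11}` with every other field zero; a comment naming which clone_args fields those two literals populate would make the test readable without consulting the syscall description.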
