| author | Dmitry Vyukov <dvyukov@google.com> | 2024-04-25 14:00:41 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2024-04-29 14:53:56 +0000 |
| commit | 88ec97282e185df0bdc0d760bcd5f0a2e4891362 (patch) | |
| tree | 95b6a8de04d1edcddd7526df75328c5da8c664df /sys/linux | |
| parent | 337657e0d5b5c120b163c09fbcfc49ae5897cb39 (diff) | |
pkg/host: explicitly disable syz_execute_func
Disable the syscall in descriptions rather than in the code.
This makes it more visible for users that it's disabled,
and makes it less special (will not need to move this logic to host).
Also change the condition in syz-sysgen to be more precise,
otherwise syz_execute_func becomes an unused function.
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/sys.txt | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt index 57af33efe..7b03e851e 100644 --- a/sys/linux/sys.txt +++ b/sys/linux/sys.txt @@ -93,7 +93,21 @@ type padto64[T] { type signalno int32[0:65] type signalnoptr intptr[0:65] -syz_execute_func(text ptr[in, text[target]]) +# syz_execute_func caused multiple problems: +# 1. First it lead to corpus explosion. The program used existing values in registers +# to pollute output area. We tried to zero registers (though, not reliably). +# 2. It lead to explosion again. The exact mechanics are unknown, here is one sample: +# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4 +# 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44 +# 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464 +# 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100") +# 3. The code can also execute syscalls (and it is know to), but it's not subject to +# target.SanitizeCall. As the result it can do things that programs are not supposed to do. +# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable +# to syz_execute_func based on corpus contents. Mechanics are also not known. +# It also did not cause finding of any new bugs (at least not that I know of). +# So it's disabled on all OSes until we figure out how to resolve all these problems. +syz_execute_func(text ptr[in, text[target]]) (disabled) # Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653 openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd |
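Review bot: the new comment block above `syz_execute_func(...) (disabled)` has a few wording slips worth fixing before it lands, since this file is what users read to learn why the call is off: "First it lead to corpus explosion" and "It lead to explosion again" should read "led to", "it is know to" should be "it is known to", and "did not cause finding of any new bugs" reads better as "did not lead to finding any new bugs". Point 3 is the important one for readers (the function can issue syscalls that bypass `target.SanitizeCall`, so a program can do things fuzzing programs are not supposed to do); consider moving it to the top of the list or stating it in the first line, ahead of the corpus-explosion history, so the safety rationale is not buried under the sample bytes. Separately, the comment says the call is "disabled on all OSes", but this view is limited to `sys/linux` and the commit message also mentions a syz-sysgen change that is not in this diffstat; it is worth confirming in review that the freebsd and other OS description files get the same `(disabled)` marker in this change, otherwise the comment overstates what the descriptions actually enforce.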
