author: Aleksandr Nogikh <nogikh@google.com> 2022-01-12 14:40:51 +0000
committer: Aleksandr Nogikh <wp32pw@gmail.com> 2022-01-13 17:03:14 +0100
commit: d6f3385b1a3f2fba8e14d6794bece1dcdd9e479e (patch)
tree: c3163643d321b913450df84f41731b71d5874243 /sys/targets
parent: 6baa7baec59a790c452b0b1c97447475eb6c1afe (diff)
all: add syz_clone() and syz_clone3() pseudo calls
As was pointed out in #2921, the current approach of limiting the number of pids per process does not work on all Linux-based kernels. We could just treat fork, clone and clone3 in a special way (e.g. exit on a zero return). However, in that case we also need to sanitize the arguments for clone and clone3 - if CLONE_VM is passed and stack is 0, the forked child processes (threads) will become nearly unidentifiable and will corrupt syz-executor's memory. While we could sanitize clone's arguments, we cannot do so for clone3 - nothing can guarantee that they will not be changed concurrently. Instead of calling those syscalls directly, introduce a special pseudo syscall syz_clone3. It copies and sanitizes the arguments and then executes clone3 (or fork, if we're on an older kernel) in such a way so as to prevent fork bombs from happening. Also introduce syz_clone() to still be able to fuzz it on older systems.
Diffstat (limited to 'sys/targets')
-rw-r--r-- sys/targets/targets.go | 8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/targets/targets.go b/sys/targets/targets.go
index a975ad27a..7255f7963 100644
--- a/sys/targets/targets.go
+++ b/sys/targets/targets.go
@@ -458,9 +458,11 @@ var oses = map[string]osCommon{
ExecutorUsesForkServer: true,
KernelObject: "vmlinux",
PseudoSyscallDeps: map[string][]string{
- "syz_read_part_table": []string{"memfd_create"},
- "syz_mount_image": []string{"memfd_create"},
- "syz_io_uring_setup": []string{"io_uring_setup"},
+ "syz_read_part_table": {"memfd_create"},
+ "syz_mount_image": {"memfd_create"},
+ "syz_io_uring_setup": {"io_uring_setup"},
+ "syz_clone3": {"clone3", "exit"},
+ "syz_clone": {"clone", "exit"},
},
cflags: []string{"-static-pie"},
},
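Review bot: the new `"syz_clone3": {"clone3", "exit"}` entry declares clone3 as a hard dependency, yet the commit message says syz_clone3 falls back to fork on older kernels that lack clone3; if PseudoSyscallDeps gates whether a pseudo call is offered at all, this entry disables syz_clone3 on exactly the kernels where that fallback is meant to apply. Either list the fallback syscall (fork) alongside clone3, or add a comment on the entry stating that the dependency is intentional and that clone3-less kernels are expected to use syz_clone instead, so the next reader does not have to reconcile the map with the message. Separately, rewriting the three existing entries from `[]string{...}` to `{...}` is an unrelated cleanup folded into a functional change; it is fine as Go style, but it would keep the diff focused if split into its own commit.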