Diffstat (limited to 'sys/linux/sys.txt')
-rw-r--r--sys/linux/sys.txt16
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 57af33efe..7b03e851e 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -93,7 +93,21 @@ type padto64[T] {
type signalno int32[0:65]
type signalnoptr intptr[0:65]
-syz_execute_func(text ptr[in, text[target]])
+# syz_execute_func caused multiple problems:
+# 1. First it lead to corpus explosion. The program used existing values in registers
+# to pollute output area. We tried to zero registers (though, not reliably).
+# 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
+# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
+# 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
+# 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
+# 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
+# 3. The code can also execute syscalls (and it is know to), but it's not subject to
+# target.SanitizeCall. As the result it can do things that programs are not supposed to do.
+# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
+# to syz_execute_func based on corpus contents. Mechanics are also not known.
+# It also did not cause finding of any new bugs (at least not that I know of).
+# So it's disabled on all OSes until we figure out how to resolve all these problems.
+syz_execute_func(text ptr[in, text[target]]) (disabled)
# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd