From f4e53c1037f48d9bf1790df955b0cc7028a7008e Mon Sep 17 00:00:00 2001
From: Marco Vanotti <mvanotti@google.com>
Date: Fri, 30 Aug 2019 08:30:37 -0700
Subject: executor/fuchsia: don't crash on syz_mmap failure.

syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs, however, it is also used to setup the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).

The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.

[0]:
https://github.com/google/syzkaller/blob/a60cb4cd840ce786236a00480e8bb1025e0c5fef/executor/executor_fuchsia.h#L15
---
 executor/common_fuchsia.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'executor/common_fuchsia.h')

diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
index 5099100d0..892cd853d 100644
--- a/executor/common_fuchsia.h
+++ b/executor/common_fuchsia.h
@@ -172,8 +172,10 @@ long syz_mmap(size_t addr, size_t size)
 	zx_handle_t root = zx_vmar_root_self();
 	zx_info_vmar_t info;
 	zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0);
-	if (status != ZX_OK)
-		fail("zx_object_get_info(ZX_INFO_VMAR) failed: %d", status);
+	if (status != ZX_OK) {
+		debug("zx_object_get_info(ZX_INFO_VMAR) failed: %d", status);
+		return status;
+	}
 	zx_handle_t vmo;
 	status = zx_vmo_create(size, 0, &vmo);
 	if (status != ZX_OK) {
@@ -181,8 +183,10 @@ long syz_mmap(size_t addr, size_t size)
 		return status;
 	}
 	status = zx_vmo_replace_as_executable(vmo, ZX_HANDLE_INVALID, &vmo);
-	if (status != ZX_OK)
+	if (status != ZX_OK) {
+		debug("zx_vmo_replace_as_executable failed with: %d\n", status);
 		return status;
+	}
 	uintptr_t mapped_addr;
 	status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE,
 			     addr - info.base, vmo, 0, size,
-- 
cgit mrf-deployment