From f810d0844478c385985e2d0fe0a6a603a7b1c8bd Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Wed, 25 Jan 2017 11:01:30 +0100
Subject: executor: protect against memory corruptions better

Fuzzer has figured out how to corrupt input/output shmem regions
abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative
text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as readable only, we don't write to it.
3. Add address sanity check to segv_handler, if we see that we are writing
   into executable data, it's better to crash instantly.
---
 executor/common_kvm_amd64.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'executor/common_kvm_amd64.h')

diff --git a/executor/common_kvm_amd64.h b/executor/common_kvm_amd64.h
index 558026d5c..f5d061bb1 100644
--- a/executor/common_kvm_amd64.h
+++ b/executor/common_kvm_amd64.h
@@ -287,7 +287,7 @@ static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uin
 	(void)text_count; // fuzzer can spoof count and we need just 1 text, so ignore text_count
 	int text_type = 0;
 	const void* text = 0;
-	int text_size = 0;
+	uintptr_t text_size = 0;
 	NONFAILING(text_type = text_array_ptr[0].typ);
 	NONFAILING(text = text_array_ptr[0].text);
 	NONFAILING(text_size = text_array_ptr[0].size);
-- 
cgit mrf-deployment