From 81b7a40ac5bab47ffe0b732c66522cfc922df3ad Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 2 Apr 2024 12:08:29 +0200
Subject: executor: ignore ENOENT for socket calls

Don't treat ENOENT from socket call as fatal. Fuzzer manages to make all socket calls for a particular protocol fail using NLBL_MGMT_C_REMOVE netlink function.
---
 executor/common_linux.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'executor/common_linux.h')
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 85e19cf84..eea0fd2cf 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3328,6 +3328,13 @@ static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, i
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ // ENOENT can be returned if smack lsm is used. Smack tried to aplly netlbl to created sockets,
+ // but the fuzzer can manage to remove netlbl entry for SOCK_STREAM/IPPROTO_TCP using
+ // NLBL_MGMT_C_REMOVE, which is unfortunately global (not part of net namespace). In this state
+ // creation of such sockets will fail all the time in all processes (so in some sense the machine
+ // is indeed broken), but ignoring the error is still probably the best option given we allow
+ // the fuzzer to invoke NLBL_MGMT_C_REMOVE in the first place.
+ case ENOENT:
 return;
 }
 failmsg("iptable checkpoint: socket(SOCK_STREAM, IPPROTO_TCP) failed", "family=%d", family);
@@ -3381,6 +3388,7 @@ static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int fa
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ case ENOENT:
 return;
 }
 failmsg("iptable: socket(SOCK_STREAM, IPPROTO_TCP) failed", "family=%d", family);
@@ -3427,6 +3435,7 @@ static void checkpoint_arptables(void)
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ case ENOENT:
 return;
 }
 fail("arptable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) failed");
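Review bot: The rationale for tolerating ENOENT is written only above the first `case ENOENT:` in checkpoint_iptables, and it contains a typo (`aplly` should be `apply`). The five later additions in reset_iptables, checkpoint_arptables, reset_arptables, checkpoint_ebtables and reset_ebtables are bare, so a reader landing on any of them sees an unexplained errno next to two "not supported" codes. A one-line pointer at each of those sites, such as `// ENOENT: netlbl entry removed via NLBL_MGMT_C_REMOVE, see checkpoint_iptables.`, would keep the reason attached to the code. The enclosing function bodies start and end outside the hunks.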
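Review bot: Returning silently on ENOENT in reset_iptables means netfilter state left by an earlier program is not restored and nothing in the output records that; the same holds for the reset_arptables and reset_ebtables hunks. EAFNOSUPPORT and ENOPROTOOPT read as "this kernel lacks the protocol", whereas the commit's own comment describes ENOENT as a state the fuzzer induces at runtime and that affects all processes, so later crashes may depend on tables that were never reset and be harder to reproduce. Consider giving ENOENT its own arm that leaves a trace, for example `case ENOENT: debug("iptable: socket failed with ENOENT, skipping reset\n"); return;`, assuming the executor's debug() helper is usable at this point. Whether the reset_* functions cope with a checkpoint that was skipped for the same reason is not visible here, since the function bodies continue outside the hunks.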
@@ -3477,6 +3486,7 @@ static void reset_arptables()
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ case ENOENT:
 return;
 }
 fail("arptable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
@@ -3570,6 +3580,7 @@ static void checkpoint_ebtables(void)
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ case ENOENT:
 return;
 }
 fail("ebtable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
@@ -3611,6 +3622,7 @@ static void reset_ebtables()
 switch (errno) {
 case EAFNOSUPPORT:
 case ENOPROTOOPT:
+ case ENOENT:
 return;
 }
 fail("ebtable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
-- cgit mrf-deployment