From a22c04686defba80427d67cd388d6b77a1aa67d0 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Tue, 27 Feb 2024 18:41:07 +0100
Subject: executor: temporarily disable IORING_SETUP_CQE32 and IORING_SETUP_SQE128

IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for https://github.com/google/syzkaller/issues/4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
---
 executor/common_linux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'executor/common_linux.h')

diff --git a/executor/common_linux.h b/executor/common_linux.h
index 6b96d8cea..85e19cf84 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1935,6 +1935,8 @@ struct io_uring_params {
 #define IORING_OFF_SQ_RING 0
 #define IORING_OFF_SQES 0x10000000ULL
+#define IORING_SETUP_SQE128 (1U << 10)
+#define IORING_SETUP_CQE32 (1U << 11)
 #include
 #include
@@ -1950,7 +1952,9 @@ static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long
 struct io_uring_params* setup_params = (struct io_uring_params*)a1;
 void** ring_ptr_out = (void**)a2;
 void** sqes_ptr_out = (void**)a3;
-
+ // Temporarily disable IORING_SETUP_CQE32 and IORING_SETUP_SQE128 that may change SIZEOF_IO_URING_CQE and SIZEOF_IO_URING_SQE.
+ // Tracking bug: https://github.com/google/syzkaller/issues/4531.
+ setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
 uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);

 // Compute the ring sizes
-- 
cgit mrf-deployment
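Review bot: The new `setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);` dereferences the fuzzer-supplied `a1` pointer inside the executor, whereas before this change the pointer was only handed to the kernel, which answers a NULL or unmapped `params` with -EFAULT instead of faulting the executor process. Guarding the write, `if (setup_params) setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);`, keeps the old failure mode for a bad pointer while still stripping the two flags on the normal path. Whether the generator ever emits a NULL here, and whether the executor survives a SIGSEGV in a pseudo-syscall, is not visible from this hunk, so treat this as a hedge rather than a known crash. Since the flags are cleared silently, the comment could also state that the stripped flags are not reported back to the program, which matters when reproducers are read against the kernel's actual setup. The body of syz_io_uring_setup continues past the end of the hunk.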