From d34966d146f584d390b49f213d1fccd59548dc6d Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Tue, 18 Feb 2025 15:12:31 +0000
Subject: executor: fix cover_protect() on FreeBSD

During machine checks, syzkaller will execute calls with coverage disabled, in which case per-thread coverage structures are zeroed out. write_output() will temporarily map the coverage data as writeable via CoverAccessScope, whether or not cover is enabled. In effect, write_output() may trigger a call mprotect(0, kCoverSize, PROT_RW). On FreeBSD, mprotect() silently ignores unmapped regions, so this does not result in an error. In fact, kCoverSize is now large enough that this ends up removing the eXecute bit from part of syz-executor's text region. Make CoverAccessScope a no-op if coverage is not enabled. Modify BSD cover_protect() and cover_unprotect() to fail if invoked when coverage is disabled.
---
 executor/executor.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'executor/executor.cc')

diff --git a/executor/executor.cc b/executor/executor.cc
index 7a0c115b8..a262bff83 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -521,11 +521,13 @@ public:
 		if (used_)
 			fail("recursion in CoverAccessScope");
 		used_ = true;
-		cover_unprotect(cov_);
+		if (flag_coverage)
+			cover_unprotect(cov_);
 	}
 	~CoverAccessScope()
 	{
-		cover_protect(cov_);
+		if (flag_coverage)
+			cover_protect(cov_);
 		used_ = false;
 	}
-- cgit mrf-deployment
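Review bot: The new `if (flag_coverage)` guards in the constructor and in `~CoverAccessScope()` remove the bad `mprotect()` call but leave the invariant they protect undocumented, and the destructor assumes `flag_coverage` still holds the value it had at construction, so a later reader may see an unconditional-looking protect/unprotect pair and "simplify" the guard away. I would add a comment above the first guard, `// With coverage disabled the per-thread cover struct is zeroed; mprotect() on it targets address 0, which FreeBSD accepts silently and which stripped PROT_EXEC from our own text (see commit message).`, and, if `flag_coverage` can change during the process lifetime, record the decision in a member at construction and test that member in the destructor instead of re-reading the global. The commit message also says the BSD `cover_protect()`/`cover_unprotect()` now fail when coverage is disabled, but that change is not in this hunk (the view is limited to executor.cc), so from this file alone the no-op here is the only guard and should be treated as such rather than as belt-and-braces. The constructor's signature and the rest of the class lie outside the hunk.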