From f810d0844478c385985e2d0fe0a6a603a7b1c8bd Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Wed, 25 Jan 2017 11:01:30 +0100
Subject: executor: protect against memory corruptions better

Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as readable only, we don't write to it.
3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
---
 executor/executor.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'executor/executor.cc')

diff --git a/executor/executor.cc b/executor/executor.cc
index 9ef2248be..03999559a 100644
--- a/executor/executor.cc
+++ b/executor/executor.cc
@@ -139,7 +139,7 @@ int main(int argc, char** argv)
 	}
 	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
-	if (mmap(&input_data[0], kMaxInput, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED, kInFd, 0) != &input_data[0])
+	if (mmap(&input_data[0], kMaxInput, PROT_READ, MAP_PRIVATE | MAP_FIXED, kInFd, 0) != &input_data[0])
 		fail("mmap of input file failed");
 	if (mmap(&output_data[0], kMaxOutput, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, kOutFd, 0) != &output_data[0])
 		fail("mmap of output file failed");
-- 
cgit mrf-deployment
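Review bot: The added line drops PROT_WRITE from the input mapping without a comment, so the next maintainer who needs to scribble on input_data may simply put it back and silently re-open the corruption path this commit closes; a one-line why-comment above the mmap would pin the intent, e.g. `// Input is mapped read-only on purpose: a stray write from a buggy syscall argument must fault instead of corrupting the program.` The same reasoning applies to the output mapping on the following context line, which necessarily stays writable, so it is worth stating that output_data is the only shmem region the executor is expected to write. With the input region now read-only, any write into it raises SIGSEGV, and the commit message says segv_handler gains an address check; that handler is not in this hunk, so whether a fault inside input_data is treated as fatal rather than recoverable cannot be confirmed here and should be verified. The enclosing main() starts before and continues after this hunk.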