From aa5027ae05e6a8daf11c67b192178fa84aa39354 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Mon, 14 May 2018 11:17:24 +0200 Subject: executor: randomize output region addr Fuzzer manages to corrupt output region and write random coverage again and again. Randomize output region addr to make it harder. --- executor/executor_linux.cc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'executor/executor_linux.cc') diff --git a/executor/executor_linux.cc b/executor/executor_linux.cc index d9177bce7..d9e84a66a 100644 --- a/executor/executor_linux.cc +++ b/executor/executor_linux.cc @@ -36,9 +36,6 @@ const unsigned long KCOV_TRACE_CMP = 1; const int kInFd = 3; const int kOutFd = 4; -// The address chosen must also work on 32-bit kernels with 1GB user address space. -void* const kOutputDataAddr = (void*)0x1b2bc20000ull; - uint32* output_data; uint32* output_pos; @@ -58,10 +55,13 @@ int main(int argc, char** argv) // The output region is the only thing in executor process for which consistency matters. // If it is corrupted ipc package will fail to parse its contents and panic. // But fuzzer constantly invents new ways of how to currupt the region, - // so we map the region at a (hopefully) hard to guess address surrounded by unmapped pages. - output_data = (uint32*)mmap(kOutputDataAddr, kMaxOutput, + // so we map the region at a (hopefully) hard to guess address with random offset, + // surrounded by unmapped pages. + // The address chosen must also work on 32-bit kernels with 1GB user address space. + void* preferred = (void*)(0x1b2bc20000ull + (1 << 20) * (getpid() % 128)); + output_data = (uint32*)mmap(preferred, kMaxOutput, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, kOutFd, 0); - if (output_data != kOutputDataAddr) + if (output_data != preferred) fail("mmap of output file failed"); if (mmap((void*)SYZ_DATA_OFFSET, SYZ_NUM_PAGES * SYZ_PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != (void*)SYZ_DATA_OFFSET) @@ -212,7 +212,7 @@ bool kcov_comparison_t::ignore() const // This can be a pointer (assuming 64-bit kernel). // First of all, we want avert fuzzer from our output region. // Without this fuzzer manages to discover and corrupt it. - uint64 out_start = (uint64)kOutputDataAddr; + uint64 out_start = (uint64)output_data; uint64 out_end = out_start + kMaxOutput; if (arg1 >= out_start && arg1 <= out_end) return true; -- cgit mrf-deployment