From 365fba2440cee3aed74c774867a1f43e3e2f7aac Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Sat, 18 Apr 2020 14:43:29 +0200 Subject: executor: surround the data mapping with PROT_NONE pages Surround the main data mapping with PROT_NONE pages to make virtual address layout more consistent across different configurations (static/non-static build) and C repros. One observed case before: executor had a mapping above the data mapping (output region), while C repros did not have that mapping above, as the result in one case VMA had next link, while in the other it didn't and it caused a bug to not reproduce with the C repro. The bug that reproduces only with the mapping above: https://lkml.org/lkml/2020/4/17/819 --- executor/executor_linux.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'executor/executor_linux.h') diff --git a/executor/executor_linux.h b/executor/executor_linux.h index 33f4e377a..47804f4f4 100644 --- a/executor/executor_linux.h +++ b/executor/executor_linux.h @@ -59,12 +59,21 @@ static inline __u64 kcov_remote_handle(__u64 subsys, __u64 inst) static bool detect_kernel_bitness(); -static void os_init(int argc, char** argv, void* data, size_t data_size) +static void os_init(int argc, char** argv, char* data, size_t data_size) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); is_kernel_64_bit = detect_kernel_bitness(); + // Surround the main data mapping with PROT_NONE pages to make virtual address layout more consistent + // across different configurations (static/non-static build) and C repros. + // One observed case before: executor had a mapping above the data mapping (output region), + // while C repros did not have that mapping above, as the result in one case VMA had next link, + // while in the other it didn't and it caused a bug to not reproduce with the C repro. + if (mmap(data - SYZ_PAGE_SIZE, SYZ_PAGE_SIZE, PROT_NONE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data - SYZ_PAGE_SIZE) + fail("mmap of left data PROT_NONE page failed"); if (mmap(data, data_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) fail("mmap of data segment failed"); + if (mmap(data + data_size, SYZ_PAGE_SIZE, PROT_NONE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data + data_size) + fail("mmap of right data PROT_NONE page failed"); } static __thread cover_t* current_cover; -- cgit mrf-deployment