From f6671af7193a6d6860e38e17e108afb5934568dc Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Mon, 12 May 2025 16:03:45 +0200
Subject: executor: arm64: syzos: prevent jump table emission

When compiling SYZOS into the executor binary, the compiler often attempts to emit a jump table, putting it into the data section of the executor. SYZOS is unable to access that data and crashes.

Use primes multiplied by 10 to defeat the compiler's heuristics for jump table emission.
---
 executor/common_kvm_arm64_syzos.h | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

(limited to 'executor')

diff --git a/executor/common_kvm_arm64_syzos.h b/executor/common_kvm_arm64_syzos.h
index 63b571cb3..70074bfbf 100644
--- a/executor/common_kvm_arm64_syzos.h
+++ b/executor/common_kvm_arm64_syzos.h
@@ -18,17 +18,21 @@
 // Start/end of the guest section.
 extern char *__start_guest, *__stop_guest;
 
+// Compilers will eagerly try to transform the switch statement in guest_main()
+// into a jump table, unless the cases are sparse enough.
+// We use prime numbers multiplied by 10 to prevent this behavior.
+// Remember these constants must match those in sys/linux/dev_kvm_arm64.txt.
 typedef enum {
-	SYZOS_API_UEXIT,
-	SYZOS_API_CODE,
-	SYZOS_API_MSR,
-	SYZOS_API_SMC,
-	SYZOS_API_HVC,
-	SYZOS_API_IRQ_SETUP,
-	SYZOS_API_MEMWRITE,
-	SYZOS_API_ITS_SETUP,
-	SYZOS_API_ITS_SEND_CMD,
-	SYZOS_API_MRS,
+	SYZOS_API_UEXIT = 0,
+	SYZOS_API_CODE = 10,
+	SYZOS_API_MSR = 20,
+	SYZOS_API_SMC = 30,
+	SYZOS_API_HVC = 50,
+	SYZOS_API_IRQ_SETUP = 70,
+	SYZOS_API_MEMWRITE = 110,
+	SYZOS_API_ITS_SETUP = 130,
+	SYZOS_API_ITS_SEND_CMD = 170,
+	SYZOS_API_MRS = 190,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
-- 
cgit mrf-deployment
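Review bot: `SYZOS_API_STOP` is the only enumerator still left implicit, so it lands on 191, which breaks the "primes multiplied by 10" scheme the new comment describes and silently changes value whenever a case is inserted before it; since the comment says these constants must match sys/linux/dev_kvm_arm64.txt, pin it explicitly to whatever that file uses, e.g. `SYZOS_API_STOP = 230, // Must be the last one; keep in sync with dev_kvm_arm64.txt` (value to be confirmed against the .txt, which is not visible here). The sparse-values trick only works while each compiler's jump-table density heuristic stays above this spread; GCC and clang use different thresholds and `-Os` lowers them, so the fix is heuristic-dependent rather than guaranteed, and the comment should say so, e.g. `// NOTE: this relies on compiler heuristics; -fno-jump-tables (or __attribute__((optimize("no-jump-tables"))) on guest code) is the deterministic fix.` Since the id is read from fuzzer-controlled guest memory, it is also worth stating in the comment that the `switch` in guest_main() must keep a `default:` branch so the newly created gaps between values are rejected rather than falling through. guest_main() itself is outside this hunk.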