From d6f3385b1a3f2fba8e14d6794bece1dcdd9e479e Mon Sep 17 00:00:00 2001 From: Aleksandr Nogikh Date: Wed, 12 Jan 2022 14:40:51 +0000 Subject: all: add syz_clone() and syz_clone3() pseudo calls As was pointed out in #2921, the current approach of limiting the number of pids per process does not work on all Linux-based kernels. We could just treat fork, clone and clone3 in a special way (e.g. exit on a zero return). However, in that case we also need to sanitize the arguments for clone and clone3 - if CLONE_VM is passed and stack is 0, the forked child processes (threads) will become nearly unindentifiable and will corrupt syz-executor's memory. While we could sanitize clone's arguments, we cannot do so for clone3 - nothing can guarantee that they will not be changed concurrently. Instead of calling those syscalls directly, introduce a special pseudo syscall syz_clone3. It copies and sanitizes the arguments and then executes clone3 (or fork, if we're on an older kernel) in such a way so as to prevent fork bombs from happening. Also introduce syz_clone() to still be able to fuzz it on older systems. --- pkg/csource/csource.go | 1 + 1 file changed, 1 insertion(+) (limited to 'pkg/csource/csource.go') diff --git a/pkg/csource/csource.go b/pkg/csource/csource.go index 1ba433f45..9c820a2e8 100644 --- a/pkg/csource/csource.go +++ b/pkg/csource/csource.go @@ -116,6 +116,7 @@ func (ctx *context) generateSource() ([]byte, error) { timeouts := ctx.sysTarget.Timeouts(ctx.opts.Slowdown) replacements["PROGRAM_TIMEOUT_MS"] = fmt.Sprint(int(timeouts.Program / time.Millisecond)) timeoutExpr := fmt.Sprint(int(timeouts.Syscall / time.Millisecond)) + replacements["BASE_CALL_TIMEOUT_MS"] = timeoutExpr for i, call := range ctx.p.Calls { if timeout := call.Meta.Attrs.Timeout; timeout != 0 { timeoutExpr += fmt.Sprintf(" + (call == %v ? %v : 0)", i, timeout*uint64(timeouts.Scale)) -- cgit mrf-deployment