From c3e9afb345d6b479ca401f18ceba6f7ae43e45ab Mon Sep 17 00:00:00 2001 From: Marco Vanotti Date: Wed, 4 Mar 2020 18:34:01 -0800 Subject: executor/fuchsia: Don't map memory as executable. Fuchsia has strict controls over who can map memory as executable. Refactoring syz-executor to be able to do that involves a non trivial amount of work: it needs to run as a fuchsia component and replace stdin for some other mechanism to communicate with syz-fuzzer (probably a fidl service and a thin client that proxies stdin/stdout to syz-fuzzer via ssh). Mapping memory as executable doesn't seem to be used or needed in syz-executor at all. After talking with Dmitry, he mentioned that it was used in a deprecated feature: `syz_execute_func` which would execute random code. It also allows more scenarios during fuzzing. For now, I'm removing that option to allow syzkaller continue fuzzing. This change also refactors all of the error messages adding a string representation of the `zx_status_t` in error logs. --- pkg/csource/generated.go | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) (limited to 'pkg/csource/generated.go') diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go index 25f16d58f..6f81981a3 100644 --- a/pkg/csource/generated.go +++ b/pkg/csource/generated.go @@ -1944,6 +1944,7 @@ static int do_sandbox_setuid(void) #include #include #include +#include #include #if SYZ_EXECUTOR || __NR_get_root_resource @@ -1975,7 +1976,7 @@ static zx_status_t update_exception_thread_regs(zx_handle_t exception) zx_handle_t thread; zx_status_t status = zx_exception_get_thread(exception, &thread); if (status != ZX_OK) { - debug("zx_exception_get_thread failed: %d\n", status); + debug("zx_exception_get_thread failed: %s (%d)\n", zx_status_get_string(status), status); return status; } @@ -1983,8 +1984,8 @@ static zx_status_t update_exception_thread_regs(zx_handle_t exception) status = zx_thread_read_state(thread, ZX_THREAD_STATE_GENERAL_REGS, ®s, sizeof(regs)); if (status != ZX_OK) { - debug("zx_thread_read_state failed: %d (%d)\n", - (int)sizeof(regs), status); + debug("zx_thread_read_state failed: %d %s (%d)\n", + (int)sizeof(regs), zx_status_get_string(status), status); } else { #if GOARCH_amd64 regs.rip = (uint64)(void*)&segv_handler; @@ -1995,7 +1996,7 @@ static zx_status_t update_exception_thread_regs(zx_handle_t exception) #endif status = zx_thread_write_state(thread, ZX_THREAD_STATE_GENERAL_REGS, ®s, sizeof(regs)); if (status != ZX_OK) { - debug("zx_thread_write_state failed: %d\n", status); + debug("zx_thread_write_state failed: %s (%d)\n", zx_status_get_string(status), status); } } @@ -2009,7 +2010,7 @@ static void* ex_handler(void* arg) for (int i = 0; i < 10000; i++) { zx_status_t status = zx_object_wait_one(exception_channel, ZX_CHANNEL_READABLE, ZX_TIME_INFINITE, NULL); if (status != ZX_OK) { - debug("zx_object_wait_one failed: %d\n", status); + debug("zx_object_wait_one failed: %s (%d)\n", zx_status_get_string(status), status); continue; } @@ -2017,20 +2018,20 @@ static void* ex_handler(void* arg) zx_handle_t exception; status = zx_channel_read(exception_channel, 0, &info, &exception, sizeof(info), 1, NULL, NULL); if (status != ZX_OK) { - debug("zx_channel_read failed: %d\n", status); + debug("zx_channel_read failed: %s (%d)\n", zx_status_get_string(status), status); continue; } debug("got exception: type=%d tid=%llu\n", info.type, (unsigned long long)(info.tid)); status = update_exception_thread_regs(exception); if (status != ZX_OK) { - debug("failed to update exception thread registers: %d\n", status); + debug("failed to update exception thread registers: %s (%d)\n", zx_status_get_string(status), status); } uint32 state = ZX_EXCEPTION_STATE_HANDLED; status = zx_object_set_property(exception, ZX_PROP_EXCEPTION_STATE, &state, sizeof(state)); if (status != ZX_OK) { - debug("zx_object_set_property(ZX_PROP_EXCEPTION_STATE) failed: %d\n", status); + debug("zx_object_set_property(ZX_PROP_EXCEPTION_STATE) failed: %s (%d)\n", zx_status_get_string(status), status); } zx_handle_close(exception); } @@ -2043,7 +2044,7 @@ static void install_segv_handler(void) zx_status_t status; zx_handle_t exception_channel; if ((status = zx_task_create_exception_channel(zx_process_self(), 0, &exception_channel)) != ZX_OK) - fail("zx_task_create_exception_channel failed: %d", status); + fail("zx_task_create_exception_channel failed: %s (%d)", zx_status_get_string(status), status); pthread_t th; if (pthread_create(&th, 0, ex_handler, (void*)(long)exception_channel)) fail("pthread_create failed"); @@ -2113,28 +2114,24 @@ long syz_mmap(size_t addr, size_t size) zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { - debug("zx_object_get_info(ZX_INFO_VMAR) failed: %d", status); + debug("zx_object_get_info(ZX_INFO_VMAR) failed: %s (%d)", zx_status_get_string(status), status); return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { - debug("zx_vmo_create failed with: %d\n", status); - return status; - } - status = zx_vmo_replace_as_executable(vmo, ZX_HANDLE_INVALID, &vmo); - if (status != ZX_OK) { - debug("zx_vmo_replace_as_executable failed with: %d\n", status); + debug("zx_vmo_create failed: %s (%d)\n", zx_status_get_string(status), status); return status; } + uintptr_t mapped_addr; - status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE, + status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { - debug("zx_handle_close(vmo) failed with: %d\n", close_vmo_status); + debug("zx_handle_close(vmo) failed with: %s (%d)\n", zx_status_get_string(close_vmo_status), close_vmo_status); } return status; } -- cgit mrf-deployment