From 3ad490ea48468e50fe91f6f6b2ca4cbc74d924bf Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Mon, 18 Dec 2023 11:58:39 +0100
Subject: executor: introduce syz_pidfd_open()

This kernel interface provides access to fds of other processes, which is readily abused by the fuzzer to mangle parent syz-executor fds. Pid=1 is the parent syz-executor process when PID namespace is created. Sanitize it in the new syz_pidfd_open() pseudo-syscall. We could not patch the argument in sys/linux/init.go because the first argument is a resource.
---
pkg/csource/generated.go | 12 ++++++++++++
pkg/host/syscalls_linux.go | 1 +
2 files changed, 13 insertions(+)
(limited to 'pkg')
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 4c3fae47c..e65b95095 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -11823,6 +11823,18 @@ static void setup_swap()
 #endif
+#if SYZ_EXECUTOR || __NR_syz_pidfd_open
+#include
+static long syz_pidfd_open(volatile long pid, volatile long flags)
+{
+ if (pid == 1) {
+ pid = 0;
+ }
+ return syscall(__NR_pidfd_open, pid, flags);
+}
+
+#endif
+
 #elif GOOS_test
 #include
diff --git a/pkg/host/syscalls_linux.go b/pkg/host/syscalls_linux.go
index b1bcbfb8b..d59fe491b 100644
--- a/pkg/host/syscalls_linux.go
+++ b/pkg/host/syscalls_linux.go
@@ -327,6 +327,7 @@ var syzkallSupport = map[string]func(*prog.Syscall, *prog.Target, string) (bool,
 "syz_clone3": alwaysSupported,
 "syz_pkey_set": isSyzPkeySetSupported,
 "syz_socket_connect_nvme_tcp": isSyzSocketConnectNvmeTCPSupported,
+ "syz_pidfd_open": alwaysSupported,
 }
 func isSupportedSyzkall(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
--
cgit mrf-deployment
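Review bot: The `if (pid == 1) { pid = 0; }` branch in syz_pidfd_open() does not say why 0 is the safe replacement: pidfd_open() rejects pid <= 0 with EINVAL, so the call fails closed rather than being redirected, but a reader may take 0 for "the calling process" as some other pid-taking syscalls treat it. A comment on that branch would pin the intent, e.g. `/* pid 1 is the parent syz-executor in our PID namespace; 0 makes pidfd_open() fail with EINVAL instead of handing out a pidfd to the parent */`. The commit message notes this holds only when a PID namespace is created; without one the parent has some other pid and this check does not cover it, which is worth stating in the same comment. The header name on the new `#include` line is not visible in this rendering, so I cannot confirm it brings in what `syscall()` and `__NR_pidfd_open` need. Since this file is generated, the comment belongs in the executor source it is produced from.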
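Review bot: `"syz_pidfd_open": alwaysSupported` reports the pseudo-syscall as supported regardless of whether the running kernel has pidfd_open() (added in Linux 5.3), so on older kernels every generated call fails with ENOSYS instead of being filtered out when the program is built. That matches how `syz_clone3` is registered two lines above, so it is presumably the accepted convention for thin wrappers; if so, a short comment saying the underlying syscall's availability is left to runtime would spare the next reader the question. Otherwise tying the entry to the support status of the plain `pidfd_open` syscall would keep the generator from emitting calls that can never succeed.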