From ce441f065b6eebb166bb006dfd28ea0c6b730384 Mon Sep 17 00:00:00 2001
From: Anton Lindqvist <anton@basename.se>
Date: Thu, 3 Sep 2020 22:18:31 +0200
Subject: executor: improve opendir(3) error handling

While investigating an OpenBSD reproducer[1][2] I discovered the
following:

* All threads are stuck on the last `sleep(1000000)` syscall in main(),
  hence no output for the test machine.

* Each executor process created in loop() performs one iteration but
  exits abnormally during the call to remove_dir().

* Calling remove_dir() will eventually invoke itself recursively since
  one of the executed syscall is `mkdir("./file0", 0)` meaning that it
  will try to remove the directory created by execute_one(). However,
  `opendir(3)` fails with `EACCES` due to the permissions passed to
  `mkdir(2)` is zero.

Instead of exiting, trying to remove the problematic directory in a best
effort manner makes the reproducer continue executing the generated
syscalls. This work around might be considered to narrow. Another option
would be to replace the `sleep(1000000)` with `waitpid(-1, NULL, 0)`
until ECHILD is hit.

[1] https://syzkaller.appspot.com/bug?id=6f7ce2a0536580a94f65f44e478732ec505e88af
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=10fd1a71900000
---
 pkg/csource/generated.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'pkg')

diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 84ef284a9..65abca7e7 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -179,6 +179,7 @@ static void use_temporary_dir(void)
 #if GOOS_akaros || GOOS_netbsd || GOOS_freebsd || GOOS_openbsd || GOOS_test
 #if (SYZ_EXECUTOR || SYZ_REPEAT) && SYZ_EXECUTOR_USES_FORK_SERVER && (SYZ_EXECUTOR || SYZ_USE_TMP_DIR)
 #include <dirent.h>
+#include <errno.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -187,8 +188,14 @@ static void use_temporary_dir(void)
 static void remove_dir(const char* dir)
 {
 	DIR* dp = opendir(dir);
-	if (dp == NULL)
+	if (dp == NULL) {
+		if (errno == EACCES) {
+			if (rmdir(dir))
+				exitf("rmdir(%s) failed", dir);
+			return;
+		}
 		exitf("opendir(%s) failed", dir);
+	}
 	struct dirent* ep = 0;
 	while ((ep = readdir(dp))) {
 		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
-- 
cgit mrf-deployment