From 1808de66ce1b8db0fc76b5b6398e3386ca2e7ad6 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 28 Nov 2017 16:25:45 +0100
Subject: prog: repair arrays/buffers with incorrect size in Deserialize For string[N] we successfully deserialize a string of any length. Similarly for a fixed-size array[T, N] we successfully deserialize an array of any size. Such programs later crash in foreachSubargOffset because static size Type.Size() does not match what we've calculated iterating over fields. The crash happens only in SerializeForExec in syz-fuzzer, which is especially bad. Fix this from both sides: 1. Validate sizes of arrays/buffers in Validate. 2. Repair incorrect sizes in Deserialize.
---
 prog/encoding_test.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'prog/encoding_test.go')
diff --git a/prog/encoding_test.go b/prog/encoding_test.go
index 8b7b84a2d..20753bfdc 100644
--- a/prog/encoding_test.go
+++ b/prog/encoding_test.go
@@ -109,9 +109,18 @@ func TestDeserialize(t *testing.T) {
 "syz_test$struct(&(0x7f0000000000)=0x0)",
 regexp.MustCompile(`bad const type.*`),
 },
+ {
+ `syz_test$regression1(&(0x7f0000000000)=[{"000000"}, {"0000000000"}])`,
+ nil,
+ },
+ {
+ `syz_test$regression2(&(0x7f0000000000)=[0x1, 0x2, 0x3, 0x4, 0x5, 0x6])`,
+ nil,
+ },
 }
+ buf := make([]byte, ExecBufferSize)
 for _, test := range tests {
- _, err := target.Deserialize([]byte(test.data))
+ p, err := target.Deserialize([]byte(test.data))
 if err != nil {
 if test.err == nil {
 t.Fatalf("deserialization failed with\n%s\ndata:\n%s\n", err, test.data)
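Review bot: The two new table entries, `syz_test$regression1` and `syz_test$regression2`, have no comment saying which malformed input each one pins down, so a later reader cannot tell them apart from ordinary positive cases. Going by the commit message they presumably cover a string[N] of the wrong length and a fixed-size array with the wrong element count; a one-line comment above each entry, such as `// wrong-length string[N]: Deserialize must repair the size, not reject the program`, would record that. Both entries expect a nil error, so the table only establishes that repair does not fail; it does not check that the repaired program actually has the declared static size, which is the property the size validation described in the commit message is meant to enforce. TestDeserialize begins before this hunk and continues after it.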
@@ -119,8 +128,12 @@ func TestDeserialize(t *testing.T) {
 if !test.err.MatchString(err.Error()) {
 t.Fatalf("deserialization failed with\n%s\nwhich doesn't match\n%s\ndata:\n%s\n", err, test.err, test.data)
 }
- } else if test.err != nil {
- t.Fatalf("deserialization should have failed with:\n%s\ndata:\n%s\n", test.err, test.data)
+ } else {
+ if test.err != nil {
+ t.Fatalf("deserialization should have failed with:\n%s\ndata:\n%s\n",
+ test.err, test.data)
+ }
+ p.SerializeForExec(buf, 0)
 }
 }
 }
-- cgit mrf-deployment
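Review bot: The added `p.SerializeForExec(buf, 0)` call discards whatever the method returns, so the test only catches the panic described in the commit message and would miss a repaired program that serializes with an error. If the method reports failures through a return value (its signature is not visible here), check it: `if err := p.SerializeForExec(buf, 0); err != nil { t.Fatalf("SerializeForExec failed with\n%s\ndata:\n%s\n", err, test.data) }`. Otherwise a comment such as `// must not panic on programs repaired by Deserialize` would make the intent of the bare call explicit. The enclosing TestDeserialize starts outside this hunk.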