sys, executor: incorrect handling of syz_io_uring_setup() #4531
Assignees
Labels
Comments
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Feb 27, 2024
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for google#4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Feb 27, 2024
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for google#4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Feb 27, 2024
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for google#4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Feb 27, 2024
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for google#4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
github-merge-queue bot
pushed a commit
that referenced
this issue
Mar 5, 2024
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for #4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Apr 4, 2024
Because the executor may place other mappings next to the buffer used by kcov, occasional out-of-bound writes to them may corrupt the coverage, creating garbage PCs (see google#4531). To prevent those, map two extra pages for the kcov buffer, and protect them, so that OOB writes cause a segfault. Fixes google#4532
ramosian-glider
added a commit
to ramosian-glider/syzkaller
that referenced
this issue
Apr 4, 2024
Because the executor may place other mappings next to the buffer used by kcov, occasional out-of-bound writes to them may corrupt the coverage, creating garbage PCs (see google#4531). To prevent those, map two extra pages for the kcov buffer, and protect them, so that OOB writes cause a segfault. Fixes google#4532
github-merge-queue bot
pushed a commit
that referenced
this issue
Apr 4, 2024
Because the executor may place other mappings next to the buffer used by kcov, occasional out-of-bound writes to them may corrupt the coverage, creating garbage PCs (see #4531). To prevent those, map two extra pages for the kcov buffer, and protect them, so that OOB writes cause a segfault. Fixes #4532
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following program:
consistently smashes the kcov mapping for me on ARM64 QEMU.
This happens under the following conditions:
syzkaller/executor/common_linux.h
Line 1943 in d367cbe
IORING_SETUP_CQE32and/orIORING_SETUP_SQE128are passed toio_uring_setup(), leading to incorrect calculation of the ring buffer size.The described problem leads to ci-upstream-gce-arm64 generating tens of thousands of invalid kcov signals, boosting some random programs that happen to set up the uring.
The text was updated successfully, but these errors were encountered: