sys, executor: incorrect handling of syz_io_uring_setup() #4531
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue on Feb 27, 2024:
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for google#4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
github-merge-queue bot pushed a commit that referenced this issue on Mar 5, 2024:
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect assumptions about the ring buffer size, causing the kernel to write outside of the mapped memory, smashing whatever follows it. This is a hotfix for #4531 that will stop the ci-upstream-gce-arm64 from generating random coverage.
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue on Apr 4, 2024:
Because the executor may place other mappings next to the buffer used by kcov, occasional out-of-bound writes to them may corrupt the coverage, creating garbage PCs (see google#4531). To prevent those, map two extra pages for the kcov buffer, and protect them, so that OOB writes cause a segfault. Fixes google#4532
github-merge-queue bot pushed a commit that referenced this issue on Apr 4, 2024:
Because the executor may place other mappings next to the buffer used by kcov, occasional out-of-bound writes to them may corrupt the coverage, creating garbage PCs (see #4531). To prevent those, map two extra pages for the kcov buffer, and protect them, so that OOB writes cause a segfault. Fixes #4532
The following program:
consistently smashes the kcov mapping for me on ARM64 QEMU.
This happens under the following conditions:
syzkaller/executor/common_linux.h, line 1943 in d367cbe

IORING_SETUP_CQE32 and/or IORING_SETUP_SQE128 are passed to io_uring_setup(), leading to incorrect calculation of the ring buffer size.

The described problem leads to ci-upstream-gce-arm64 generating tens of thousands of invalid kcov signals, boosting some random programs that happen to set up the uring.
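As an added example that is not part of this issue and not syzkaller's executor code, the C program below shows the two points the report and the later commits make: the ring mappings must be sized with IORING_SETUP_SQE128 and IORING_SETUP_CQE32 taken into account (the calculation follows the one liburing performs: the CQE array doubles in width under CQE32, the SQE array under SQE128), and a buffer that other mappings may follow, such as the kcov area, can be given PROT_NONE guard pages so that an overrun faults instead of silently corrupting its neighbour. The flag values and entry sizes are the io_uring UAPI constants; the `ex_` struct and function names and the sample offsets in `main()` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* io_uring UAPI setup-flag values, hard-coded so the example compiles
 * without <linux/io_uring.h>. */
#define EX_IORING_SETUP_SQE128 (1U << 10)
#define EX_IORING_SETUP_CQE32  (1U << 11)

/* Base entry sizes from the UAPI: a plain SQE is 64 bytes, a plain CQE 16. */
#define EX_SQE_SIZE 64u
#define EX_CQE_SIZE 16u

/* The subset of struct io_uring_params the size calculation needs (assumed
 * layout for the example); the kernel fills these in on io_uring_setup(). */
struct ex_ring_params {
    uint32_t flags;        /* IORING_SETUP_* flags passed by the caller */
    uint32_t sq_entries;   /* SQ size actually chosen by the kernel */
    uint32_t cq_entries;   /* CQ size actually chosen by the kernel */
    uint32_t sq_off_array; /* sq_off.array: offset of the SQ index array */
    uint32_t cq_off_cqes;  /* cq_off.cqes: offset of the CQE array */
};

struct ex_ring_sizes {
    size_t sq_ring; /* bytes to mmap at IORING_OFF_SQ_RING */
    size_t cq_ring; /* bytes to mmap at IORING_OFF_CQ_RING */
    size_t sqes;    /* bytes to mmap at IORING_OFF_SQES */
};

/* Compute the three mapping sizes with the flags honoured. Ignoring the flags
 * yields CQE/SQE arrays half as large as the kernel will actually write. */
struct ex_ring_sizes ex_ring_mapping_sizes(const struct ex_ring_params *p)
{
    size_t cqe_size = EX_CQE_SIZE;
    size_t sqe_size = EX_SQE_SIZE;
    struct ex_ring_sizes s;

    if (p->flags & EX_IORING_SETUP_CQE32)
        cqe_size *= 2;
    if (p->flags & EX_IORING_SETUP_SQE128)
        sqe_size *= 2;

    s.sq_ring = p->sq_off_array + (size_t)p->sq_entries * sizeof(uint32_t);
    s.cq_ring = p->cq_off_cqes + (size_t)p->cq_entries * cqe_size;
    s.sqes = (size_t)p->sq_entries * sqe_size;
    return s;
}

/* How many CQ-ring bytes a caller that ignores both flags would fail to map:
 * this is the span the kernel ends up writing past the end of the mapping. */
size_t ex_cq_ring_shortfall(const struct ex_ring_params *p)
{
    struct ex_ring_params naive = *p;
    naive.flags &= ~(EX_IORING_SETUP_CQE32 | EX_IORING_SETUP_SQE128);
    return ex_ring_mapping_sizes(p).cq_ring -
           ex_ring_mapping_sizes(&naive).cq_ring;
}

/* Map `bytes` (rounded up to whole pages) followed by two PROT_NONE guard
 * pages, in the spirit of the kcov hardening commit: a stray write that runs
 * past the buffer now raises SIGSEGV instead of corrupting the next mapping. */
void *ex_map_with_guard_pages(size_t bytes)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t usable = (bytes + page - 1) / page * page;
    size_t total = usable + 2 * page;
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + usable, 2 * page, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    return base;
}

int main(void)
{
    /* Constructed parameters: both flags set, offsets chosen for illustration. */
    struct ex_ring_params p = {
        .flags = EX_IORING_SETUP_SQE128 | EX_IORING_SETUP_CQE32,
        .sq_entries = 32, .cq_entries = 64,
        .sq_off_array = 320, .cq_off_cqes = 320,
    };
    struct ex_ring_sizes s = ex_ring_mapping_sizes(&p);
    printf("sq_ring=%zu cq_ring=%zu sqes=%zu cq shortfall if flags ignored=%zu\n",
           s.sq_ring, s.cq_ring, s.sqes, ex_cq_ring_shortfall(&p));
    void *buf = ex_map_with_guard_pages(64 * 1024);
    printf("guarded buffer %s\n", buf ? "mapped" : "failed");
    return buf ? 0 : 1;
}
```

With the constructed parameters the CQ ring needs 2368 bytes rather than the 1344 a flag-blind calculation produces, so the last 1024 bytes of completions land beyond a mapping sized the naive way; the guard pages turn that kind of overrun into an immediate fault, which is the behaviour the kcov fix relies on.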