reactos/syzkaller
1
0
Fork 0
mirror of https://github.com/reactos/syzkaller.git synced 2024-11-27 05:10:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
769c9b7a94
syzkaller/executor/executor_fuchsia.h
Marco Vanotti c3e9afb345 executor/fuchsia: Don't map memory as executable. 
Fuchsia has strict controls over who can map memory as executable.
Refactoring syz-executor to be able to do that involves a non trivial
amount of work: it needs to run as a fuchsia component and replace stdin
for some other mechanism to communicate with syz-fuzzer (probably a fidl
service and a thin client that proxies stdin/stdout to syz-fuzzer via
ssh).

Mapping memory as executable doesn't seem to be used or needed in
syz-executor at all. After talking with Dmitry, he mentioned that it was
used in a deprecated feature: `syz_execute_func` which would execute
random code. It also allows more scenarios during fuzzing.

For now, I'm removing that option to allow syzkaller continue fuzzing.

This change also refactors all of the error messages adding a string
representation of the `zx_status_t` in error logs.
2020-06-05 16:46:48 -03:00

43 lines
1.4 KiB
C
Raw Blame History

// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <zircon/status.h>
#include <zircon/syscalls.h>
#include "nocover.h"
static void os_init(int argc, char** argv, void* data, size_t data_size)
{
zx_status_t status = syz_mmap((size_t)data, data_size);
if (status != ZX_OK)
fail("mmap of data segment failed: %s (%d)", zx_status_get_string(status), status);
}
static intptr_t execute_syscall(const call_t* c, intptr_t a[kMaxArgs])
{
intptr_t res = c->call(a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8]);
if (strncmp(c->name, "zx_", 3) == 0) {
// Convert zircon error convention to the libc convention that executor expects.
// The following calls return arbitrary integers instead of error codes.
if (res == ZX_OK ||
!strcmp(c->name, "zx_debuglog_read") ||
!strcmp(c->name, "zx_clock_get") ||
!strcmp(c->name, "zx_clock_get_monotonic") ||
!strcmp(c->name, "zx_deadline_after") ||
!strcmp(c->name, "zx_ticks_get"))
return 0;
errno = (-res) & 0x7f;
return -1;
}
// We cast libc functions to signature returning intptr_t,
// as the result int -1 is returned as 0x00000000ffffffff rather than full -1.
if (res == 0xffffffff)
res = (intptr_t)-1;
return res;
}
Reference in New Issue View Git Blame Copy Permalink