Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

arm64: executor: support data relocations in SyzOS #5565

Open
ramosian-glider opened this issue Dec 3, 2024 · 0 comments
Open

arm64: executor: support data relocations in SyzOS #5565

ramosian-glider opened this issue Dec 3, 2024 · 0 comments
Assignees
@ramosian-glider
Labels
bug

Comments

@ramosian-glider
Copy link
Member

Right now SyzOS code cannot reference global variables from .data or .bss, it also gets broken if the compiler decides to play some clever tricks like creating a jump table or memcpy()ing a struct initializer from .rodata.

Because we cannot possibly make the compiler emit the guest-relevant data into a separate section, fixing this problem will require mapping all data sections into the guest address space, and fixing all the relocations. Alternatively, we can try to keep SyzOS relocation-free by scanning the code for ADRP instructions and reporting errors.
@ramosian-glider ramosian-glider self-assigned this Dec 3, 2024
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 3, 2024
@ramosian-glider
executor: arm64: detect data relocations in SyzOS
62300cc 
Detect and report ADRP instructions in the linked binaries to avoid
crashes inside SyzOS.

See google#5565 for more context.
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 3, 2024
@ramosian-glider
sys/targets: arm64: compile with -fno-jump-tables
4594620 
Prevent the compiler from generating jump tables that may kick in
at random places and break SyzOS execution
(google#5565)
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: detect data relocations in SyzOS
253ba3f 
Detect and report ADRP instructions in the linked binaries to avoid
crashes inside SyzOS.

See google#5565 for more context.
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: rewrite guest_handle_its_send_cmd() without a switch
596c73e 
Prevent the compiler from generating a jump table by replacing a switch
with a series of if statements.
This is ugly, but lets us work around crashes caused by google#5565
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: detect data relocations in SyzOS
6550493 
Detect and report ADRP instructions in the linked binaries to avoid
crashes inside SyzOS.

See google#5565 for more context.
ramosian-glider added a commit to ramosian-glider/syzkaller that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: rewrite guest_handle_its_send_cmd() without a switch
67663ef 
Prevent the compiler from generating a jump table by replacing a switch
with a series of if statements.
This is ugly, but lets us work around crashes caused by google#5565
github-merge-queue bot pushed a commit that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: detect data relocations in SyzOS
1eac590 
Detect and report ADRP instructions in the linked binaries to avoid
crashes inside SyzOS.

See #5565 for more context.
github-merge-queue bot pushed a commit that referenced this issue Dec 5, 2024
@ramosian-glider
executor: arm64: rewrite guest_handle_its_send_cmd() without a switch
dc321da 
Prevent the compiler from generating a jump table by replacing a switch
with a series of if statements.
This is ugly, but lets us work around crashes caused by #5565
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ramosian-glider ramosian-glider

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ramosian-glider