Re: [Question] fuzz: double-fetches in a memory region map session
From: Qiuhao Li
Subject: Re: [Question] fuzz: double-fetches in a memory region map session
Date: Sat, 14 Aug 2021 10:57:55 +0800
User-agent: Evolution 3.40.0-1
On Fri, 2021-08-13 at 06:50 -0400, Alexander Bulekov wrote:
> >
> > My question is about address_space_map() -- How do we emulate double-fetch
> > bugs in the same map/unmap session? For example:
> >
>
> Hi Qiuhao,
> Right now we don't. One strategy would be to use mprotect. When the code
> fetches data the first time, we get a SEGV, where we unprotect the page,
> write a pattern, and enable single-stepping. Then, after the
> single-step, re-protect the page, and disable single-step.
>
Brilliant! I can always get a lot of inspiration from you :)
> On OSS-Fuzz, we disabled double-fetch detection, for now, as we did not
> want reproducers for normal-bugs to inadvertently contain
> double-fetches. To make the double-fetch detection useful for
> developers, we probably need to limit the double fetch capability to
> only fill the DMA regions twice, rather than 10 or 20 times. Then, in
> the report, we could give the call-stacks (from the SEGV handler, or
> dma_read hook) of the exact locations in the code that read from the
> same address twice.
Got it, this is indeed the most practical solution. I will try to
detect double-fetch bugs via pattern-based analysis [1]. But it may be
hard to write PoCs to convince and help developers fix bugs, and we
can't identify those bugs caused by the compiler [2] or preprocessor.
[1] https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-pengfei
[2] https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html
Thanks,
Qiuhao Li
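The mprotect strategy quoted above (fault on the first touch, unprotect and refill, single-step one instruction, re-protect), as an added stand-alone example that is not QEMU's or the fuzzer's code: it assumes x86_64 Linux with glibc and sets the EFLAGS trap flag through the signal ucontext for the single step; the toy device model, the one-page "guest RAM" and the 0x10*N fill pattern are constructed for the demo.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#define X86_TF      0x100u  /* EFLAGS trap flag: trap after the next instruction */
#define REG_EFL_IDX 17      /* index of EFLAGS in uc_mcontext.gregs[] on x86_64 glibc (assumed) */
static uint8_t *g_dma;      /* constructed "guest RAM": one page, PROT_NONE between fetches */
static size_t g_pgsz;
static int g_fetches;       /* fetches the device model made in this map session */
/* First touch of the protected page: unprotect, write a fresh pattern, single-step. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    if ((uintptr_t)si->si_addr - (uintptr_t)g_dma >= g_pgsz) _exit(2); /* real crash, not ours */
    mprotect(g_dma, g_pgsz, PROT_READ | PROT_WRITE);
    memset(g_dma, 0x10 * ++g_fetches, g_pgsz);     /* fetch N sees pattern 0x10*N */
    uc->uc_mcontext.gregs[REG_EFL_IDX] |= X86_TF;  /* re-run the faulting load, then trap */
}
/* After the single-stepped load: re-protect so the next fetch faults again. */
static void on_trap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    mprotect(g_dma, g_pgsz, PROT_NONE);
    uc->uc_mcontext.gregs[REG_EFL_IDX] &= ~(greg_t)X86_TF;
}
/* Toy device model with a double fetch: validates desc[0], then re-reads it. */
static int device_process(volatile uint8_t *desc)
{
    uint8_t len = desc[0];                         /* fetch 1: checked */
    if (len > 64) return -1;
    return desc[0];                                /* fetch 2: used (TOCTOU window) */
}
int fetch_count(void) { return g_fetches; }
/* One map/unmap session. Returns the length the device model actually used. */
int run_session(void)
{
    struct sigaction sa = { .sa_flags = SA_SIGINFO };
    g_pgsz = (size_t)sysconf(_SC_PAGESIZE);
    g_dma = mmap(NULL, g_pgsz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_dma == MAP_FAILED) return -1;
    sa.sa_sigaction = on_segv; sigaction(SIGSEGV, &sa, NULL);
    sa.sa_sigaction = on_trap; sigaction(SIGTRAP, &sa, NULL);
    g_fetches = 0;
    int used = device_process(g_dma);              /* checked 0x10, used 0x20 */
    munmap(g_dma, g_pgsz);                         /* unmap ends the session */
    return used;
}
/* Exit status 0 when the checked and used values differ, i.e. a double fetch was observed. */
int main(void) { return run_session() == 0x20 && fetch_count() == 2 ? 0 : 1; }
```

Because the second fetch lands on a freshly re-protected page, the fill pattern differs per fetch and the mismatch between the checked and used length is visible to the harness; the SEGV handler also refuses to swallow faults outside the DMA page, so ordinary crashes still surface as crashes.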