On Fri, 2021-08-13 at 06:50 -0400, Alexander Bulekov wrote:
> > > My question is about address_space_map() -- How do we emulate
> > > double-fetch bugs in the same map/unmap session? For example:
> > >
>
> Hi Qiuhao,
> Right now we don't. One strategy would be to use mprotect. When the
> code fetches data the first time, we get a SEGV, where we unprotect
> the page, write a pattern, and enable single-stepping. Then, after the
> single-step, re-protect the page, and disable single-step.
>

Brilliant! I can always get a lot of inspiration from you :)

> On OSS-Fuzz, we disabled double-fetch detection, for now, as we did not
> want reproducers for normal bugs to inadvertently contain
> double-fetches. To make the double-fetch detection useful for
> developers, we probably need to limit the double fetch capability to
> only fill the DMA regions twice, rather than 10 or 20 times. Then, in
> the report, we could give the call-stacks (from the SEGV handler, or
> dma_read hook) of the exact locations in the code that read from the
> same address twice.

Got it, this is indeed the most practical solution. I will try to detect
double-fetch bugs via pattern-based analysis [1]. But it may be hard to
write PoCs to convince and help developers fix bugs, and we can't identify
those bugs caused by the compiler [2] or preprocessor.

[1] https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-pengfei
[2] https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html

Thanks,
Qiuhao Li
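The dma_read-hook report Alexander sketches above, as an added example that is not from this thread or from QEMU: it takes a constructed log of hook records tagged with their address_space_map()/unmap() session (the line format and the frame names are assumptions) and lists every pair of reads in one session that touch the same bytes, with both call stacks, so a developer can see the two fetch sites side by side.

```python
import re
from collections import defaultdict

# Constructed log format (not QEMU's own): one line per dma_read hook call,
# tagged with the map/unmap session it happened in. Frame names are made up.
LINE_RE = re.compile(
    r"dma_read session=(\d+) addr=0x([0-9a-f]+) len=(\d+) stack=(\S+)")

SAMPLE_LOG = """\
dma_read session=1 addr=0x1000 len=4 stack=dev_read_header<dma_memory_read
dma_read session=1 addr=0x1004 len=4 stack=dev_read_header<dma_memory_read
dma_read session=1 addr=0x1000 len=2 stack=dev_check_len<dma_memory_read
dma_read session=2 addr=0x1000 len=4 stack=dev_read_header<dma_memory_read
dma_read session=2 addr=0x2000 len=8 stack=dev_read_body<dma_memory_read
dma_read session=2 addr=0x2004 len=8 stack=dev_read_body<dma_memory_read
"""

def parse_log(text):
    """Yield (session, addr, length, stack) for each dma_read line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), int(m[2], 16), int(m[3]), m[4]

def find_double_fetches(records):
    """One finding per pair of reads in the same session whose byte ranges
    overlap: (session, first_byte, last_byte, earlier_stack, later_stack).
    Reads in different sessions never pair up: after unmap the guest may
    legitimately rewrite the region before the device maps it again."""
    by_session = defaultdict(list)
    for session, addr, length, stack in records:
        by_session[session].append((addr, length, stack))
    findings = []
    for session, reads in sorted(by_session.items()):
        for i, (a1, l1, s1) in enumerate(reads):
            for a2, l2, s2 in reads[i + 1:]:
                lo, hi = max(a1, a2), min(a1 + l1, a2 + l2) - 1
                if lo <= hi:                      # ranges share at least one byte
                    findings.append((session, lo, hi, s1, s2))
    return findings

def report(text):
    findings = find_double_fetches(parse_log(text))
    for session, lo, hi, s1, s2 in findings:
        print(f"session {session}: bytes 0x{lo:x}-0x{hi:x} fetched twice\n"
              f"  first:  {s1}\n  second: {s2}")
    return findings

if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the sample, session 1 reports the 2-byte re-read of the header at 0x1000 and session 2 the 4-byte overlap of the two body reads; the read of 0x1000 in session 2 is not paired with session 1 because the region was unmapped in between.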