executor/fuchsia: close vmo handle in syz_mmap.

This commit fixes a handle leak in syz_mmap. The bug was pointed out by mdempsky during a code review. The `syz_mmap` function creates a VMO and maps it to a VMAR in the address specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar, the handle to the vmo can be closed without problems. The new code makes sure that `zx_handle_close(vmo_handle)` gets called before the `syz_mmap` function returns.
google · Sep 13, 2019 · 40fa42b · 40fa42b
1 parent 0b7672e
commit 40fa42b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
@@ -185,12 +185,19 @@ long syz_mmap(size_t addr, size_t size)
 	status = zx_vmo_replace_as_executable(vmo, ZX_HANDLE_INVALID, &vmo);
 	if (status != ZX_OK) {
 		debug("zx_vmo_replace_as_executable failed with: %d\n", status);
+		// Don't need to zx_handle_close(vmo) because
+		// zx_vmo_replace_as_executable already invalidates it.
 		return status;
 	}
 	uintptr_t mapped_addr;
 	status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE,
 			     addr - info.base, vmo, 0, size,
 			     &mapped_addr);
+
+	zx_status_t close_vmo_status = zx_handle_close(vmo);
+	if (close_vmo_status != ZX_OK) {
+		debug("zx_handle_close(vmo) failed with: %d\n", close_vmo_status);
+	}
 	return status;
 }
 #endif

diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
@@ -957,6 +957,11 @@ long syz_mmap(size_t addr, size_t size)
 	status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE | ZX_VM_FLAG_PERM_EXECUTE,
 			     addr - info.base, vmo, 0, size,
 			     &mapped_addr);
+
+	zx_status_t close_vmo_status = zx_handle_close(vmo);
+	if (close_vmo_status != ZX_OK) {
+		debug("zx_handle_close(vmo) failed with: %d\n", close_vmo_status);
+	}
 	return status;
 }
 #endif