zero out stack, etc

Author: nia-e

src/shims/trace/child.rs

@@ -179,6 +179,10 @@ pub unsafe fn init_sv() -> Result<(), SvInitError> {
     // SAFETY: Calling sysconf(_SC_PAGESIZE) is always safe and cannot error.
     let page_size = unsafe { libc::sysconf(libc::_SC_PAGESIZE) }.try_into().unwrap();
 
+    // Set up the pagesize used in the memory protection functions.
+    // SAFETY: sysconf(_SC_PAGESIZE) is always safe and doesn't error
+    super::parent::PAGE_SIZE.store(page_size, std::sync::atomic::Ordering::Relaxed);
+
     unsafe {
         // TODO: Maybe use clone3() instead for better signalling of when the child exits?
         // SAFETY: Caller upholds that only one thread exists.
@@ -200,8 +204,7 @@ pub unsafe fn init_sv() -> Result<(), SvInitError> {
                     match ptrace::seize(child, options) {
                         // Ptrace works :D
                         Ok(_) => {
-                            let code = sv_loop(listener, child, event_tx, confirm_tx, page_size)
-                                .unwrap_err();
+                            let code = sv_loop(listener, child, event_tx, confirm_tx).unwrap_err();
                             // If a return code of 0 is not explicitly given, assume something went
                             // wrong and return 1.
                             std::process::exit(code.unwrap_or(1))
@@ -228,12 +231,6 @@ pub unsafe fn init_sv() -> Result<(), SvInitError> {
                 // SAFETY: prctl PR_SET_PDEATHSIG is always safe to call.
                 let ret = libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM);
                 assert_eq!(ret, 0);
-                // Set up the pagesize used in the memory protection functions.
-                // SAFETY: sysconf(_SC_PAGESIZE) is always safe and doesn't error
-                super::parent::PAGE_SIZE.store(
-                    libc::sysconf(libc::_SC_PAGESIZE).try_into().unwrap(),
-                    std::sync::atomic::Ordering::Relaxed,
-                );
                 // First make sure the parent succeeded with ptracing us!
                 signal::raise(signal::SIGSTOP).unwrap();
                 // If we're the child process, save the supervisor info.

src/shims/trace/parent.rs

@@ -238,8 +238,10 @@ pub fn sv_loop(
     init_pid: unistd::Pid,
     event_tx: ipc::IpcSender<MemEvents>,
     confirm_tx: ipc::IpcSender<Confirmation>,
-    page_size: usize,
 ) -> Result<!, Option<i32>> {
+    let page_size = PAGE_SIZE.load(std::sync::atomic::Ordering::Relaxed);
+    assert_ne!(page_size, 0);
+
     // Things that we return to the child process.
     let mut acc_events = Vec::new();
 
@@ -289,6 +291,7 @@ pub fn sv_loop(
                 event_tx.send(MemEvents { acc_events }).unwrap();
                 // And reset our values.
                 acc_events = Vec::new();
+                ch_pages = Vec::new();
                 ch_stack = None;
 
                 // No need to monitor syscalls anymore, they'd just be ignored.
@@ -550,6 +553,12 @@ fn handle_segfault(
         // - Parse executed code to estimate size & type of access
         // - Reprotect the memory
         // - Continue
+
+        // Zero out the stack
+        for a in (ch_stack..ch_stack.strict_add(FAKE_STACK_SIZE)).step_by(ARCH_WORD_SIZE) {
+            ptrace::write(pid, std::ptr::with_exposed_provenance_mut(a), 0).unwrap();
+        }
+
         let stack_ptr = ch_stack.strict_add(FAKE_STACK_SIZE / 2);
         let regs_bak = ptrace::getregs(pid).unwrap();
         let mut new_regs = regs_bak;
@@ -591,6 +600,11 @@ fn handle_segfault(
         // Also, don't let it continue with unprotected memory if something errors!
         let _ = wait::waitid(wait::Id::Pid(pid), WAIT_FLAGS).map_err(|_| ExecError::Died(None))?;
 
+        // Zero it out again to be safe
+        for a in (ch_stack..ch_stack.strict_add(FAKE_STACK_SIZE)).step_by(ARCH_WORD_SIZE) {
+            ptrace::write(pid, std::ptr::with_exposed_provenance_mut(a), 0).unwrap();
+        }
+
         // Save registers and grab the bytes that were executed. This would
         // be really nasty if it was a jump or similar but those thankfully
         // won't do memory accesses and so can't trigger this!