// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// Conservative resource-related analysis of programs.
// The analysis figures out what file descriptors are [potentially] opened
// at a particular point in program, what pages are [potentially] mapped,
// what files were already referenced in calls, etc.
package prog
import (
"fmt"
)
// state accumulates what the analysis has observed in a program so far:
// file names, produced resources, string values and the memory that pointer
// arguments refer to.
type state struct {
	// target is the target the analyzed program belongs to.
	target *Target
	// ct is the choice table handed to newState; this file only stores it.
	ct *ChoiceTable
	// files is the set of file names seen in BufferFilename arguments.
	files map[string]bool
	// resources maps a resource description name to the result args of
	// that resource type recorded so far.
	resources map[string][]*ResultArg
	// strings is the set of values seen in BufferString arguments.
	strings map[string]bool
	// ma tracks the ranges noted for pointer arguments with VmaSize == 0.
	ma *memAlloc
	// va tracks the page ranges noted for pointer arguments with VmaSize != 0.
	va *vmaAlloc
}
// analyze builds the analysis state of program p as seen from call c.
//
// Every call of p is visited, including c and the calls after it, so files,
// strings and memory usage are collected for the whole program. Resources are
// the exception: only calls that precede c contribute them. If c is not one
// of p.Calls (for example nil), resources of all calls are collected.
func analyze(ct *ChoiceTable, p *Prog, c *Call) *state {
	st := newState(p.Target, ct)
	beforeC := true
	for _, call := range p.Calls {
		// The flag drops to false at c and stays false for the rest of the program.
		beforeC = beforeC && call != c
		st.analyzeImpl(call, beforeC)
	}
	return st
}
// newState returns an empty analysis state for target.
//
// All maps start empty. The memory allocator is created with
// target.NumPages*target.PageSize and the VMA allocator with target.NumPages.
// target must not be nil, its fields are read here.
func newState(target *Target, ct *ChoiceTable) *state {
	memSize := target.NumPages * target.PageSize
	return &state{
		target:    target,
		ct:        ct,
		files:     make(map[string]bool),
		resources: make(map[string][]*ResultArg),
		strings:   make(map[string]bool),
		ma:        newMemAlloc(memSize),
		va:        newVmaAlloc(target.NumPages),
	}
}
// analyze folds call c into the state, recording its resources as well as
// its files, strings and memory usage.
func (s *state) analyze(c *Call) {
	const withResources = true
	s.analyzeImpl(c, withResources)
}
// analyzeImpl visits every argument of c (via ForeachArg) and records in s:
//   - the memory behind non-null pointer arguments (pages in s.va when
//     VmaSize is set, otherwise address and pointee size in s.ma);
//   - when resources is true, resource arguments whose direction is not DirIn;
//   - non-empty buffers whose direction is not DirOut, as strings or file names.
//
// The single-value type assertions below panic if an argument's dynamic type
// does not match its declared type (e.g. a ResourceType arg that is not a
// *ResultArg).
func (s *state) analyzeImpl(c *Call, resources bool) {
	visit := func(arg Arg, _ *ArgCtx) {
		if ptr, isPtr := arg.(*PointerArg); isPtr && !ptr.IsNull() {
			if ptr.VmaSize != 0 {
				// VMA pointers are tracked in pages, not bytes.
				s.va.noteAlloc(ptr.Address/s.target.PageSize, ptr.VmaSize/s.target.PageSize)
			} else {
				s.ma.noteAlloc(ptr.Address, ptr.Res.Size())
			}
		}

		switch typ := arg.Type().(type) {
		case *ResourceType:
			res := arg.(*ResultArg)
			if !resources || typ.Dir() == DirIn {
				return
			}
			name := typ.Desc.Name
			s.resources[name] = append(s.resources[name], res)
			// TODO: negative PIDs and add them as well (that's process groups).
		case *BufferType:
			buf := arg.(*DataArg)
			if typ.Dir() == DirOut || len(buf.Data()) == 0 {
				return
			}
			val := string(buf.Data())
			// Strip trailing zero padding, keeping at most one terminating NUL.
			end := len(val)
			for end >= 2 && val[end-1] == 0 && val[end-2] == 0 {
				end--
			}
			val = val[:end]

			if typ.Kind == BufferString {
				s.strings[val] = true
				return
			}
			if typ.Kind != BufferFilename {
				return
			}
			if len(val) < 3 {
				// Too short to be one of our files, probably one of specialFiles.
				return
			}
			// File names are stored without the terminating NUL.
			if last := len(val) - 1; val[last] == 0 {
				val = val[:last]
			}
			s.files[val] = true
		}
	}
	ForeachArg(c, visit)
}
// ArgCtx describes where an argument sits while ForeachArg/ForeachSubArg
// walk an argument tree. The callback receives a pointer to it and may set
// Stop to prune the walk.
type ArgCtx struct {
	// Parent is GroupArg.Inner (for structs) or Call.Args containing this arg.
	Parent *[]Arg
	// Base is the pointer to the base of the heap object containing this arg.
	Base *PointerArg
	// Offset is the offset of this arg from the base.
	Offset uint64
	// Stop, if set by the callback, prevents subargs of this arg from being visited.
	Stop bool
}
// ForeachSubArg calls f for arg and for every argument nested inside it.
// The walk starts from a zero ArgCtx, so Parent and Base are nil for arg itself.
func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx)) {
	var root ArgCtx
	foreachArgImpl(arg, root, f)
}
// ForeachArg calls f for every argument of call c, nested arguments included.
//
// The return value c.Ret, when present, is visited first with an empty
// context. The arguments in c.Args follow in order, each with Parent pointing
// at c.Args.
func ForeachArg(c *Call, f func(Arg, *ArgCtx)) {
	if c.Ret != nil {
		foreachArgImpl(c.Ret, ArgCtx{}, f)
	}
	// The context is passed by value, so every top-level argument starts
	// from the same fresh copy.
	argCtx := ArgCtx{Parent: &c.Args}
	for _, top := range c.Args {
		foreachArgImpl(top, argCtx, f)
	}
}
// foreachArgImpl calls f on arg and then recurses into the arguments nested
// in it: the members of a GroupArg, the pointee of a PointerArg and the
// selected option of a UnionArg.
//
// ctx is received by value. f gets a pointer to this level's copy, so what f
// changes is inherited by the children of arg but is not visible to arg's
// parent or siblings. Recursion is skipped when f sets ctx.Stop.
//
// It panics when the summed size of a group's members disagrees with the
// size the group reports: the sum must equal it, or may be smaller when the
// group's type is varlen.
func foreachArgImpl(arg Arg, ctx ArgCtx, f func(Arg, *ArgCtx)) {
	f(arg, &ctx)
	if ctx.Stop {
		return
	}
	switch a := arg.(type) {
	case *UnionArg:
		foreachArgImpl(a.Option, ctx, f)
	case *PointerArg:
		if a.Res == nil {
			return
		}
		// The pointee starts a new object: offsets are counted from this pointer.
		ctx.Base, ctx.Offset = a, 0
		foreachArgImpl(a.Res, ctx, f)
	case *GroupArg:
		// Only struct groups become the Parent of their members.
		if _, isStruct := a.Type().(*StructType); isStruct {
			ctx.Parent = &a.Inner
		}
		var totalSize uint64
		for _, inner := range a.Inner {
			foreachArgImpl(inner, ctx, f)
			// Members whose type reports BitfieldMiddle do not advance the offset.
			if inner.Type().BitfieldMiddle() {
				continue
			}
			sz := inner.Size()
			ctx.Offset += sz
			totalSize += sz
		}
		claimedSize := a.Size()
		varlen := a.Type().Varlen()
		sizeOK := totalSize == claimedSize || (varlen && totalSize < claimedSize)
		if !sizeOK {
			panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %#v type %#v",
				totalSize, claimedSize, a, a.Type()))
		}
	}
}
// RequiredFeatures scans every argument of every call in p and reports
// whether the program contains bitfield constants (bitmasks) and whether it
// contains checksum-typed arguments (csums).
func RequiredFeatures(p *Prog) (bitmasks, csums bool) {
	inspect := func(arg Arg, _ *ArgCtx) {
		// A constant counts as a bitfield if its type has a non-zero
		// bitfield offset or length.
		if konst, isConst := arg.(*ConstArg); isConst &&
			(konst.Type().BitfieldOffset() != 0 || konst.Type().BitfieldLength() != 0) {
			bitmasks = true
		}
		if _, isCsum := arg.Type().(*CsumType); isCsum {
			csums = true
		}
	}
	for _, call := range p.Calls {
		ForeachArg(call, inspect)
	}
	return bitmasks, csums
}
// CallInfo is the per-call execution result consumed by Prog.FallbackSignal.
type CallInfo struct {
	// Executed tells whether the call ran; FallbackSignal skips calls that did not.
	Executed bool
	// Errno is the call's error number; FallbackSignal treats 0 as success.
	Errno int
	// Signal is the list of signal values; FallbackSignal appends to it.
	Signal []uint32
}
// Kinds of fallback signal. The kind is stored in the two lowest bits of an
// encoded signal value.
const (
	fallbackSignalErrno = iota
	fallbackSignalCtor
	fallbackSignalFlags
)

// fallbackCallMask bounds the call ID that fits into an encoded signal (14 bits).
const fallbackCallMask = 0x3fff
// FallbackSignal appends synthetic signal values to info[i].Signal for every
// executed call i of p:
//   - always one value encoding the call ID and errno;
//   - for successful calls, one value per top-level resource argument whose
//     producer is a known earlier (or the same) successful call;
//   - for successful calls, one value summarising the top-level arguments
//     (special resource values, flags, zero lengths, null pointers), emitted
//     only when that summary is non-zero.
//
// info is indexed by call position and must hold at least len(p.Calls)
// entries, a shorter slice makes the indexing panic. encodeFallbackSignal
// keeps only the low 16 bits of its last argument, so for calls with many
// top-level arguments the bits of the earliest arguments are shifted out of
// the emitted summary.
func (p *Prog) FallbackSignal(info []CallInfo) {
	ctors := make(map[*ResultArg]*Call)
	for idx, call := range p.Calls {
		ci := &info[idx]
		if !ci.Executed {
			continue
		}
		callID := call.Meta.ID
		ci.Signal = append(ci.Signal, encodeFallbackSignal(fallbackSignalErrno, callID, ci.Errno))
		if ci.Errno != 0 {
			continue
		}
		// Remember this call as the constructor of every result arg it contains.
		ForeachArg(call, func(arg Arg, _ *ArgCtx) {
			res, isRes := arg.(*ResultArg)
			if !isRes {
				return
			}
			ctors[res] = call
		})
		// Specifically look only at top-level arguments,
		// deeper arguments can produce too much false signal.
		bits := 0
		for _, top := range call.Args {
			switch a := top.(type) {
			case *PointerArg:
				bits <<= 1
				if a.IsNull() {
					bits |= 1
				}
			case *ResultArg:
				bits <<= 1
				if a.Res == nil {
					// No producer: note whether the literal value differs from
					// the first special value of the resource type. This
					// panics if the type is not a *ResourceType or has no
					// special values.
					if a.Val != a.Type().(*ResourceType).SpecialValues()[0] {
						bits |= 1
					}
				} else if ctor := ctors[a.Res]; ctor != nil {
					ci.Signal = append(ci.Signal,
						encodeFallbackSignal(fallbackSignalCtor, callID, ctor.Meta.ID))
				}
			case *ConstArg:
				const width = 3
				bits <<= width
				switch typ := a.Type().(type) {
				case *LenType:
					// Lengths take one extra bit on top of the width already reserved.
					bits <<= 1
					if a.Val == 0 {
						bits |= 1
					}
				case *FlagsType:
					if !typ.BitMask {
						// Enumeration: store the index of the first matching value, modulo 2^width.
						for pos, v := range typ.Vals {
							if a.Val == v {
								bits |= pos % (1 << width)
								break
							}
						}
					} else {
						// Bit mask: fold every set flag into one of width bits.
						for pos, v := range typ.Vals {
							if a.Val&v != 0 {
								bits ^= 1 << (uint(pos) % width)
							}
						}
					}
				}
			}
		}
		if bits != 0 {
			ci.Signal = append(ci.Signal,
				encodeFallbackSignal(fallbackSignalFlags, callID, bits))
		}
	}
}
// DecodeFallbackSignal extracts the call ID and errno from a fallback signal
// value. Only errno signals carry an errno; for constructor and flags signals
// the returned errno is 0. It panics on a signal whose kind is none of the
// three defined kinds.
func DecodeFallbackSignal(s uint32) (callID, errno int) {
	kind, call, extra := decodeFallbackSignal(s)
	if kind == fallbackSignalErrno {
		return call, extra
	}
	if kind == fallbackSignalCtor || kind == fallbackSignalFlags {
		return call, 0
	}
	panic(fmt.Sprintf("bad fallback signal type %v", kind))
}
// encodeFallbackSignal packs a fallback signal into 32 bits:
// bits 0-1 hold typ, bits 2-15 hold id and bits 16-31 hold aux.
//
// It panics if typ does not fit into 2 bits or id does not fit into
// fallbackCallMask. aux is not range-checked: only its low 16 bits survive
// the shift, higher bits are silently dropped.
func encodeFallbackSignal(typ, id, aux int) uint32 {
	switch {
	case typ&^3 != 0:
		panic(fmt.Sprintf("bad fallback signal type %v", typ))
	case id&^fallbackCallMask != 0:
		panic(fmt.Sprintf("bad call id in fallback signal %v", id))
	}
	typeBits := uint32(typ)
	idBits := uint32(id&fallbackCallMask) << 2
	auxBits := uint32(aux) << 16
	return typeBits | idBits | auxBits
}
// decodeFallbackSignal splits a packed signal into its parts: typ from bits
// 0-1, id from the 14 bits above them and aux from the upper 16 bits.
// It performs no validation of the kind.
func decodeFallbackSignal(s uint32) (typ, id, aux int) {
	typ = int(s & 3)
	id = int((s >> 2) & fallbackCallMask)
	aux = int(s >> 16)
	return typ, id, aux
}