2015-10-12 08:16:57 +00:00
|
|
|
// Copyright 2015 syzkaller project authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
// Conservative resource-related analysis of programs.
|
|
|
|
|
// The analysis figures out what files descriptors are [potentially] opened
|
|
|
|
|
// at a particular point in program, what pages are [potentially] mapped,
|
|
|
|
|
// what files were already referenced in calls, etc.
|
|
|
|
|
|
|
|
|
|
package prog
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/google/syzkaller/sys"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
maxPages = 4 << 10
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type state struct {
|
2015-10-14 14:55:09 +00:00
|
|
|
ct *ChoiceTable
|
|
|
|
|
files map[string]bool
|
2016-08-27 16:27:50 +00:00
|
|
|
resources map[string][]*Arg
|
2015-10-14 14:55:09 +00:00
|
|
|
strings map[string]bool
|
|
|
|
|
pages [maxPages]bool
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// analyze analyzes the program p up to but not including call c.
|
2015-10-14 14:55:09 +00:00
|
|
|
func analyze(ct *ChoiceTable, p *Prog, c *Call) *state {
|
|
|
|
|
s := newState(ct)
|
2015-10-12 08:16:57 +00:00
|
|
|
for _, c1 := range p.Calls {
|
|
|
|
|
if c1 == c {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
s.analyze(c1)
|
|
|
|
|
}
|
|
|
|
|
return s
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-14 14:55:09 +00:00
|
|
|
func newState(ct *ChoiceTable) *state {
|
2015-10-12 08:16:57 +00:00
|
|
|
s := &state{
|
2015-10-14 14:55:09 +00:00
|
|
|
ct: ct,
|
|
|
|
|
files: make(map[string]bool),
|
2016-08-27 16:27:50 +00:00
|
|
|
resources: make(map[string][]*Arg),
|
2015-10-14 14:55:09 +00:00
|
|
|
strings: make(map[string]bool),
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
return s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *state) analyze(c *Call) {
|
|
|
|
|
foreachArgArray(&c.Args, c.Ret, func(arg, base *Arg, _ *[]*Arg) {
|
|
|
|
|
switch typ := arg.Type.(type) {
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.ResourceType:
|
2016-10-19 12:41:46 +00:00
|
|
|
if arg.Type.Dir() != sys.DirIn {
|
2016-08-27 16:27:50 +00:00
|
|
|
s.resources[typ.Desc.Name] = append(s.resources[typ.Desc.Name], arg)
|
|
|
|
|
// TODO: negative PIDs and add them as well (that's process groups).
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.BufferType:
|
2016-10-29 21:55:35 +00:00
|
|
|
if arg.Type.Dir() != sys.DirOut && arg.Kind == ArgData && len(arg.Data) != 0 {
|
|
|
|
|
switch typ.Kind {
|
|
|
|
|
case sys.BufferString:
|
|
|
|
|
s.strings[string(arg.Data)] = true
|
|
|
|
|
case sys.BufferFilename:
|
|
|
|
|
s.files[string(arg.Data)] = true
|
|
|
|
|
}
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
switch c.Meta.Name {
|
|
|
|
|
case "mmap":
|
|
|
|
|
// Filter out only very wrong arguments.
|
|
|
|
|
length := c.Args[1]
|
|
|
|
|
if length.AddrPage == 0 && length.AddrOffset == 0 {
|
|
|
|
|
break
|
|
|
|
|
}
|
2016-08-26 05:09:25 +00:00
|
|
|
if flags, fd := c.Args[4], c.Args[3]; flags.Val&sys.MAP_ANONYMOUS == 0 && fd.Kind == ArgConst && fd.Val == sys.InvalidFD {
|
2015-10-12 08:16:57 +00:00
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
s.addressable(c.Args[0], length, true)
|
|
|
|
|
case "munmap":
|
|
|
|
|
s.addressable(c.Args[0], c.Args[1], false)
|
|
|
|
|
case "mremap":
|
|
|
|
|
s.addressable(c.Args[4], c.Args[2], true)
|
2015-10-13 15:06:01 +00:00
|
|
|
case "io_submit":
|
|
|
|
|
if arr := c.Args[2].Res; arr != nil {
|
|
|
|
|
for _, ptr := range arr.Inner {
|
|
|
|
|
if ptr.Kind == ArgPointer {
|
|
|
|
|
if ptr.Res != nil && ptr.Res.Type.Name() == "iocb" {
|
2016-08-27 16:27:50 +00:00
|
|
|
s.resources["iocbptr"] = append(s.resources["iocbptr"], ptr)
|
2015-10-13 15:06:01 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *state) addressable(addr, size *Arg, ok bool) {
|
|
|
|
|
if addr.Kind != ArgPointer || size.Kind != ArgPageSize {
|
|
|
|
|
panic("mmap/munmap/mremap args are not pages")
|
|
|
|
|
}
|
|
|
|
|
n := size.AddrPage
|
|
|
|
|
if size.AddrOffset != 0 {
|
|
|
|
|
n++
|
|
|
|
|
}
|
|
|
|
|
if addr.AddrPage+n > uintptr(len(s.pages)) {
|
2016-10-11 12:24:25 +00:00
|
|
|
panic(fmt.Sprintf("address is out of bounds: page=%v len=%v (%v, %v) bound=%v, addr: %+v, size: %+v",
|
|
|
|
|
addr.AddrPage, n, size.AddrPage, size.AddrOffset, len(s.pages), addr, size))
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
for i := uintptr(0); i < n; i++ {
|
|
|
|
|
s.pages[addr.AddrPage+i] = ok
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-31 14:24:08 +00:00
|
|
|
func foreachSubargImpl(arg *Arg, parent *[]*Arg, f func(arg, base *Arg, parent *[]*Arg)) {
|
2015-10-12 08:16:57 +00:00
|
|
|
var rec func(arg, base *Arg, parent *[]*Arg)
|
|
|
|
|
rec = func(arg, base *Arg, parent *[]*Arg) {
|
|
|
|
|
f(arg, base, parent)
|
|
|
|
|
for _, arg1 := range arg.Inner {
|
|
|
|
|
parent1 := parent
|
2016-09-03 10:36:49 +00:00
|
|
|
if _, ok := arg.Type.(*sys.StructType); ok {
|
2015-10-12 08:16:57 +00:00
|
|
|
parent1 = &arg.Inner
|
|
|
|
|
}
|
|
|
|
|
rec(arg1, base, parent1)
|
|
|
|
|
}
|
|
|
|
|
if arg.Kind == ArgPointer && arg.Res != nil {
|
|
|
|
|
rec(arg.Res, arg, parent)
|
|
|
|
|
}
|
2015-12-29 14:00:57 +00:00
|
|
|
if arg.Kind == ArgUnion {
|
|
|
|
|
rec(arg.Option, base, parent)
|
|
|
|
|
}
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
2015-12-31 14:24:08 +00:00
|
|
|
rec(arg, nil, parent)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func foreachSubarg(arg *Arg, f func(arg, base *Arg, parent *[]*Arg)) {
|
|
|
|
|
foreachSubargImpl(arg, nil, f)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func foreachArgArray(args *[]*Arg, ret *Arg, f func(arg, base *Arg, parent *[]*Arg)) {
|
2015-10-12 08:16:57 +00:00
|
|
|
for _, arg := range *args {
|
2015-12-31 14:24:08 +00:00
|
|
|
foreachSubargImpl(arg, args, f)
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
if ret != nil {
|
2015-12-31 14:24:08 +00:00
|
|
|
foreachSubargImpl(ret, nil, f)
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func foreachArg(c *Call, f func(arg, base *Arg, parent *[]*Arg)) {
|
|
|
|
|
foreachArgArray(&c.Args, nil, f)
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-25 15:18:05 +00:00
|
|
|
func foreachSubargOffset(arg *Arg, f func(arg *Arg, offset uintptr)) {
|
|
|
|
|
var rec func(*Arg, uintptr) uintptr
|
|
|
|
|
rec = func(arg1 *Arg, offset uintptr) uintptr {
|
|
|
|
|
switch arg1.Kind {
|
|
|
|
|
case ArgGroup:
|
2017-04-27 18:31:00 +00:00
|
|
|
f(arg1, offset)
|
2017-01-25 15:18:05 +00:00
|
|
|
var totalSize uintptr
|
|
|
|
|
for _, arg2 := range arg1.Inner {
|
|
|
|
|
size := rec(arg2, offset)
|
|
|
|
|
if arg2.Type.BitfieldLength() == 0 || arg2.Type.BitfieldLast() {
|
|
|
|
|
offset += size
|
|
|
|
|
totalSize += size
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if totalSize > arg1.Size() {
|
|
|
|
|
panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %+v", totalSize, arg1.Size(), arg1))
|
|
|
|
|
}
|
|
|
|
|
case ArgUnion:
|
2017-04-27 18:31:00 +00:00
|
|
|
f(arg1, offset)
|
2017-01-25 15:18:05 +00:00
|
|
|
size := rec(arg1.Option, offset)
|
|
|
|
|
offset += size
|
|
|
|
|
if size > arg1.Size() {
|
|
|
|
|
panic(fmt.Sprintf("bad union arg size %v, should be <= %v for arg %+v with type %+v", size, arg1.Size(), arg1, arg1.Type))
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
f(arg1, offset)
|
|
|
|
|
}
|
|
|
|
|
return arg1.Size()
|
|
|
|
|
}
|
|
|
|
|
rec(arg, 0)
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-12 08:16:57 +00:00
|
|
|
func sanitizeCall(c *Call) {
|
2015-10-16 16:16:10 +00:00
|
|
|
switch c.Meta.CallName {
|
2015-10-12 08:16:57 +00:00
|
|
|
case "mmap":
|
|
|
|
|
// Add MAP_FIXED flag, otherwise it produces non-deterministic results.
|
|
|
|
|
addr := c.Args[0]
|
|
|
|
|
if addr.Kind != ArgPointer {
|
|
|
|
|
panic("mmap address is not ArgPointer")
|
|
|
|
|
}
|
|
|
|
|
length := c.Args[1]
|
|
|
|
|
if length.Kind != ArgPageSize {
|
|
|
|
|
panic("mmap length is not ArgPageSize")
|
|
|
|
|
}
|
|
|
|
|
flags := c.Args[3]
|
|
|
|
|
if flags.Kind != ArgConst {
|
|
|
|
|
panic("mmap flag arg is not const")
|
|
|
|
|
}
|
2016-08-26 05:09:25 +00:00
|
|
|
flags.Val |= sys.MAP_FIXED
|
2015-10-12 08:16:57 +00:00
|
|
|
case "mremap":
|
|
|
|
|
// Add MREMAP_FIXED flag, otherwise it produces non-deterministic results.
|
|
|
|
|
flags := c.Args[3]
|
|
|
|
|
if flags.Kind != ArgConst {
|
|
|
|
|
panic("mremap flag arg is not const")
|
|
|
|
|
}
|
2016-08-26 05:09:25 +00:00
|
|
|
if flags.Val&sys.MREMAP_MAYMOVE != 0 {
|
|
|
|
|
flags.Val |= sys.MREMAP_FIXED
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
2016-11-18 09:24:13 +00:00
|
|
|
case "mknod", "mknodat":
|
2016-08-22 01:07:55 +00:00
|
|
|
mode := c.Args[1]
|
2017-02-14 10:56:41 +00:00
|
|
|
dev := c.Args[2]
|
2016-11-18 09:24:13 +00:00
|
|
|
if c.Meta.CallName == "mknodat" {
|
|
|
|
|
mode = c.Args[2]
|
2017-02-14 10:56:41 +00:00
|
|
|
dev = c.Args[3]
|
2016-11-18 09:24:13 +00:00
|
|
|
}
|
2017-02-14 10:56:41 +00:00
|
|
|
if mode.Kind != ArgConst || dev.Kind != ArgConst {
|
2016-08-22 01:07:55 +00:00
|
|
|
panic("mknod mode is not const")
|
|
|
|
|
}
|
|
|
|
|
// Char and block devices read/write io ports, kernel memory and do other nasty things.
|
|
|
|
|
// TODO: not required if executor drops privileges.
|
2017-02-14 10:56:41 +00:00
|
|
|
switch mode.Val & (sys.S_IFREG | sys.S_IFCHR | sys.S_IFBLK | sys.S_IFIFO | sys.S_IFSOCK) {
|
|
|
|
|
case sys.S_IFREG, sys.S_IFIFO, sys.S_IFSOCK:
|
|
|
|
|
case sys.S_IFBLK:
|
|
|
|
|
if dev.Val>>8 == 7 {
|
|
|
|
|
break // loop
|
|
|
|
|
}
|
|
|
|
|
mode.Val &^= sys.S_IFBLK
|
|
|
|
|
mode.Val |= sys.S_IFREG
|
|
|
|
|
case sys.S_IFCHR:
|
|
|
|
|
mode.Val &^= sys.S_IFCHR
|
|
|
|
|
mode.Val |= sys.S_IFREG
|
2016-08-22 01:07:55 +00:00
|
|
|
}
|
2015-10-12 08:16:57 +00:00
|
|
|
case "syslog":
|
|
|
|
|
cmd := c.Args[0]
|
|
|
|
|
// These disable console output, but we need it.
|
2016-08-26 05:09:25 +00:00
|
|
|
if cmd.Val == sys.SYSLOG_ACTION_CONSOLE_OFF || cmd.Val == sys.SYSLOG_ACTION_CONSOLE_ON {
|
|
|
|
|
cmd.Val = sys.SYSLOG_ACTION_SIZE_UNREAD
|
2015-10-12 08:16:57 +00:00
|
|
|
}
|
2016-08-22 01:07:55 +00:00
|
|
|
case "ioctl":
|
|
|
|
|
cmd := c.Args[1]
|
|
|
|
|
// Freeze kills machine. Though, it is an interesting functions,
|
|
|
|
|
// so we need to test it somehow.
|
|
|
|
|
// TODO: not required if executor drops privileges.
|
2016-08-26 05:09:25 +00:00
|
|
|
if uint32(cmd.Val) == sys.FIFREEZE {
|
|
|
|
|
cmd.Val = sys.FITHAW
|
2016-08-22 01:07:55 +00:00
|
|
|
}
|
2015-10-20 10:09:56 +00:00
|
|
|
case "ptrace":
|
|
|
|
|
// PTRACE_TRACEME leads to unkillable processes, see:
|
|
|
|
|
// https://groups.google.com/forum/#!topic/syzkaller/uGzwvhlCXAw
|
2016-08-26 05:09:25 +00:00
|
|
|
if c.Args[0].Val == sys.PTRACE_TRACEME {
|
2015-10-20 10:09:56 +00:00
|
|
|
c.Args[0].Val = ^uintptr(0)
|
|
|
|
|
}
|
2015-10-12 08:16:57 +00:00
|
|
|
case "exit", "exit_group":
|
|
|
|
|
code := c.Args[0]
|
|
|
|
|
// These codes are reserved by executor.
|
|
|
|
|
if code.Val%128 == 67 || code.Val%128 == 68 {
|
|
|
|
|
code.Val = 1
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-05-18 14:08:43 +00:00
|
|
|
|
|
|
|
|
func RequiresBitmasks(p *Prog) bool {
|
|
|
|
|
result := false
|
|
|
|
|
for _, c := range p.Calls {
|
|
|
|
|
foreachArg(c, func(arg, _ *Arg, _ *[]*Arg) {
|
|
|
|
|
if arg.Kind == ArgConst {
|
|
|
|
|
if arg.Type.BitfieldOffset() != 0 || arg.Type.BitfieldLength() != 0 {
|
|
|
|
|
result = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
return result
|
|
|
|
|
}
|
2017-05-29 16:22:55 +00:00
|
|
|
|
|
|
|
|
func RequiresChecksums(p *Prog) bool {
|
|
|
|
|
result := false
|
|
|
|
|
for _, c := range p.Calls {
|
|
|
|
|
foreachArg(c, func(arg, _ *Arg, _ *[]*Arg) {
|
|
|
|
|
if _, ok := arg.Type.(*sys.CsumType); ok {
|
|
|
|
|
result = true
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
return result
|
|
|
|
|
}
|
