syzkaller/host/host.go

// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

package host

import (
	"bytes"
	"io/ioutil"
	"os"
	"strconv"
	"strings"
	"syscall"

	"github.com/google/syzkaller/sys"
)

// DetectSupportedSyscalls returns list on supported syscalls on host.
func DetectSupportedSyscalls() (map[*sys.Call]bool, error) {
	// There are 3 possible strategies:
	// 1. Executes all syscalls with presumably invalid arguments and check for ENOSYS.
	//    But not all syscalls are safe to execute. For example, pause will hang,
	//    while setpgrp will push the process into own process group.
	// 2. Check presence of /sys/kernel/debug/tracing/events/syscalls/sys_enter_* files.
	//    This requires root and CONFIG_FTRACE_SYSCALLS. Also it lies for some syscalls.
	//    For example, on x86_64 it says that sendfile is not present (only sendfile64).
	// 3. Check sys_syscallname in /proc/kallsyms.
	//    Requires CONFIG_KALLSYMS. Seems to be the most reliable. That's what we use here.

	kallsyms, _ := ioutil.ReadFile("/proc/kallsyms")
	supported := make(map[*sys.Call]bool)
	for _, c := range sys.Calls {
		if isSupported(kallsyms, c) {
			supported[c] = true
		}
	}
	return supported, nil
}

func isSupported(kallsyms []byte, c *sys.Call) bool {
	if c.NR == -1 {
		return false // don't even have a syscall number
	}
	if strings.HasPrefix(c.CallName, "syz_") {
		return isSupportedSyzkall(c)
	}
	if strings.HasPrefix(c.Name, "socket$") {
		return isSupportedSocket(c)
	}
	if strings.HasPrefix(c.Name, "open$") {
		return isSupportedOpen(c)
	}
	if strings.HasPrefix(c.Name, "openat$") {
		return isSupportedOpenAt(c)
	}
	if len(kallsyms) == 0 {
		return true
	}
	return bytes.Index(kallsyms, []byte(" T sys_"+c.CallName+"\n")) != -1
}

func isSupportedSyzkall(c *sys.Call) bool {
	switch c.CallName {
	case "syz_test":
		return false
	case "syz_open_dev":
		fname, ok := extractStringConst(c.Args[0])
		if !ok {
			panic("first open arg is not a pointer to string const")
		}
		if syscall.Getuid() != 0 {
			return false
		}
		var check func(dev string) bool
		check = func(dev string) bool {
			if !strings.Contains(dev, "#") {
				_, err := os.Stat(dev)
				return err == nil
			}
			for i := 0; i < 10; i++ {
				if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
					return true
				}
			}
			return false
		}
		return check(fname)
	case "syz_open_pts":
		return true
	case "syz_fuse_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil
	case "syz_fuseblk_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil && syscall.Getuid() == 0
	case "syz_emit_ethernet":
		_, err := os.Stat("/dev/net/tun")
		return err == nil && syscall.Getuid() == 0
	default:
		panic("unknown syzkall: " + c.Name)
	}
}

func isSupportedSocket(c *sys.Call) bool {
	af, ok := c.Args[0].(*sys.ConstType)
	if !ok {
		println(c.Name)
		panic("socket family is not const")
	}
	fd, err := syscall.Socket(int(af.Val), 0, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	return err != syscall.ENOSYS && err != syscall.EAFNOSUPPORT
}

func isSupportedOpen(c *sys.Call) bool {
	fname, ok := extractStringConst(c.Args[0])
	if !ok {
		return true
	}
	fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	return err == nil
}

func isSupportedOpenAt(c *sys.Call) bool {
	fname, ok := extractStringConst(c.Args[1])
	if !ok {
		return true
	}
	fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)
	if fd != -1 {
		syscall.Close(fd)
	}
	return err == nil
}

func extractStringConst(typ sys.Type) (string, bool) {
	ptr, ok := typ.(*sys.PtrType)
	if !ok {
		panic("first open arg is not a pointer to string const")
	}
	str, ok := ptr.Type.(*sys.BufferType)
	if !ok || str.Kind != sys.BufferString || len(str.Values) != 1 {
		return "", false
	}
	v := str.Values[0]
	v = v[:len(v)-1] // string terminating \x00
	return v, true
}
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`// Copyright 2015 syzkaller project authors. All rights reserved.`
			`// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.`

			`package host`

			`import (`
			`"bytes"`
			`"io/ioutil"`
			`"os"`
sys: open a bunch of new devices 2016-01-25 18:08:17 +00:00			`"strconv"`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`"strings"`
			`"syscall"`

			`"github.com/google/syzkaller/sys"`
			`)`

			`// DetectSupportedSyscalls returns list on supported syscalls on host.`
			`func DetectSupportedSyscalls() (map[*sys.Call]bool, error) {`
			`// There are 3 possible strategies:`
			`// 1. Executes all syscalls with presumably invalid arguments and check for ENOSYS.`
			`// But not all syscalls are safe to execute. For example, pause will hang,`
			`// while setpgrp will push the process into own process group.`
			`// 2. Check presence of /sys/kernel/debug/tracing/events/syscalls/sys_enter_* files.`
			`// This requires root and CONFIG_FTRACE_SYSCALLS. Also it lies for some syscalls.`
			`// For example, on x86_64 it says that sendfile is not present (only sendfile64).`
			`// 3. Check sys_syscallname in /proc/kallsyms.`
			`// Requires CONFIG_KALLSYMS. Seems to be the most reliable. That's what we use here.`

host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`kallsyms, _ := ioutil.ReadFile("/proc/kallsyms")`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`supported := make(map[*sys.Call]bool)`
			`for _, c := range sys.Calls {`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if isSupported(kallsyms, c) {`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`supported[c] = true`
			`}`
			`}`
			`return supported, nil`
			`}`

			`func isSupported(kallsyms []byte, c *sys.Call) bool {`
			`if c.NR == -1 {`
			`return false // don't even have a syscall number`
			`}`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if strings.HasPrefix(c.CallName, "syz_") {`
host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`return isSupportedSyzkall(c)`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`}`
			`if strings.HasPrefix(c.Name, "socket$") {`
host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`return isSupportedSocket(c)`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`}`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if strings.HasPrefix(c.Name, "open$") {`
host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`return isSupportedOpen(c)`
			`}`
sys: replace syz_open_dev with openat In lots of cases we don't need the special syz_open_dev call, openat will do just fine. Standard syscalls are preferrable, so use them. 2017-01-05 14:13:12 +00:00			`if strings.HasPrefix(c.Name, "openat$") {`
			`return isSupportedOpenAt(c)`
			`}`
host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`if len(kallsyms) == 0 {`
			`return true`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`}`
			`return bytes.Index(kallsyms, []byte(" T sys_"+c.CallName+"\n")) != -1`
			`}`

host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`func isSupportedSyzkall(c *sys.Call) bool {`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`switch c.CallName {`
sys, prog: add tests for description parsing and serialization Add sys/test.txt file with description of syscalls for tests. These descriptions can be used to ensure that we can parse everything we clain we can parse. Use these descriptions to write several tests for exec serialization (one test shows that alignment handling is currently incorrect). These test descriptions can also be used to write e.g. mutation tests. Update #78 2016-09-28 18:06:42 +00:00			`case "syz_test":`
			`return false`
sys: introduce a generic syz_open_dev helper syscall 2016-01-13 17:57:12 +00:00			`case "syz_open_dev":`
sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00			`fname, ok := extractStringConst(c.Args[0])`
sys: introduce a generic syz_open_dev helper syscall 2016-01-13 17:57:12 +00:00			`if !ok {`
			`panic("first open arg is not a pointer to string const")`
			`}`
			`if syscall.Getuid() != 0 {`
			`return false`
			`}`
sys: open a bunch of new devices 2016-01-25 18:08:17 +00:00			`var check func(dev string) bool`
			`check = func(dev string) bool {`
			`if !strings.Contains(dev, "#") {`
			`_, err := os.Stat(dev)`
			`return err == nil`
			`}`
			`for i := 0; i < 10; i++ {`
			`if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`
sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00			`return check(fname)`
sys: introduce a generic syz_open_dev helper syscall 2016-01-13 17:57:12 +00:00			`case "syz_open_pts":`
			`return true`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`case "syz_fuse_mount":`
			`_, err := os.Stat("/dev/fuse")`
			`return err == nil`
			`case "syz_fuseblk_mount":`
			`_, err := os.Stat("/dev/fuse")`
			`return err == nil && syscall.Getuid() == 0`
executor: emit ethernet traffic 2016-10-04 14:12:12 +00:00			`case "syz_emit_ethernet":`
			`_, err := os.Stat("/dev/net/tun")`
			`return err == nil && syscall.Getuid() == 0`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`default:`
sys: introduce a generic syz_open_dev helper syscall 2016-01-13 17:57:12 +00:00			`panic("unknown syzkall: " + c.Name)`
host: detect unsupported syscalls Also detect transitively unsupported syscalls, that is, syscalls for which all syscalls that can create input arguments are disabled. 2015-12-27 11:20:00 +00:00			`}`
			`}`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00
host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`func isSupportedSocket(c *sys.Call) bool {`
sys: always use pointers to types Currently we store most types by value in sys.Type. This is somewhat counter-intuitive for C++ programmers, because one can't easily update the type object. Store pointers to type objects for all types. It also makes it easier to update types, e.g. adding paddings. 2016-10-19 14:20:37 +00:00			`af, ok := c.Args[0].(*sys.ConstType)`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if !ok {`
			`println(c.Name)`
			`panic("socket family is not const")`
			`}`
			`fd, err := syscall.Socket(int(af.Val), 0, 0)`
			`if fd != -1 {`
			`syscall.Close(fd)`
			`}`
			`return err != syscall.ENOSYS && err != syscall.EAFNOSUPPORT`
			`}`

host: detect at least some unsupported syscalls if kallsyms is not available We know how to detect availability of at least some syscalls without kallsyms. Do it. 2016-08-14 01:15:38 +00:00			`func isSupportedOpen(c *sys.Call) bool {`
sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00			`fname, ok := extractStringConst(c.Args[0])`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if !ok {`
			`return true`
			`}`
sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00			`fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)`
host: detect more unsupported syscalls 2015-12-28 09:45:30 +00:00			`if fd != -1 {`
			`syscall.Close(fd)`
			`}`
			`return err == nil`
			`}`
sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00
sys: replace syz_open_dev with openat In lots of cases we don't need the special syz_open_dev call, openat will do just fine. Standard syscalls are preferrable, so use them. 2017-01-05 14:13:12 +00:00			`func isSupportedOpenAt(c *sys.Call) bool {`
			`fname, ok := extractStringConst(c.Args[1])`
			`if !ok {`
			`return true`
			`}`
			`fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)`
			`if fd != -1 {`
			`syscall.Close(fd)`
			`}`
			`return err == nil`
			`}`

sys: add string flags Allow to define string flags in txt descriptions. E.g.: filesystem = "ext2", "ext3", "ext4" and then use it in string type: ptr[in, string[filesystem]] 2016-10-31 21:15:13 +00:00			`func extractStringConst(typ sys.Type) (string, bool) {`
			`ptr, ok := typ.(*sys.PtrType)`
			`if !ok {`
			`panic("first open arg is not a pointer to string const")`
			`}`
			`str, ok := ptr.Type.(*sys.BufferType)`
			`if !ok \|\| str.Kind != sys.BufferString \|\| len(str.Values) != 1 {`
			`return "", false`
			`}`
			`v := str.Values[0]`
			`v = v[:len(v)-1] // string terminating \x00`
			`return v, true`
			`}`