reactos/syzkaller
1
0
Fork 0
mirror of https://github.com/reactos/syzkaller.git synced 2025-02-14 16:38:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #108 from xairy/fix-align

Browse Source 
Fix alignment and padding
This commit is contained in:
Andrey Konovalov 2017-01-18 19:37:40 +01:00 committed by GitHub
commit 43383bd973
9 changed files with 282 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
prog/encodingexec.go
View File

@ -38,47 +38,45 @@ func (p *Prog) SerializeForExec(pid int) []byte {
w := &execContext{args: make(map[*Arg]*argInfo)}
for _, c := range p.Calls {
// Calculate arg offsets within structs.
foreachArg(c, func(arg, base *Arg, _ *[]*Arg) {
if base == nil || arg.Kind == ArgGroup || arg.Kind == ArgUnion {
return
}
if w.args[base] == nil {
w.args[base] = &argInfo{}
}
w.args[arg] = &argInfo{Offset: w.args[base].CurSize}
if arg.Type.BitfieldLength() == 0 || arg.Type.BitfieldLast() {
w.args[base].CurSize += arg.Size()
}
})
// Generate copyin instructions that fill in data into pointer arguments.
foreachArg(c, func(arg, _ *Arg, _ *[]*Arg) {
if arg.Kind == ArgPointer && arg.Res != nil {
var rec func(*Arg)
rec = func(arg1 *Arg) {
var rec func(*Arg, uintptr) uintptr
rec = func(arg1 *Arg, offset uintptr) uintptr {
w.args[arg1] = &argInfo{Offset: offset}
if arg1.Kind == ArgGroup {
var totalSize uintptr
for _, arg2 := range arg1.Inner {
rec(arg2)
size := rec(arg2, offset)
if arg2.Type.BitfieldLength() == 0 || arg2.Type.BitfieldLast() {
offset += size
totalSize += size
}
}
return
if totalSize > arg1.Size() {
panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %+v", totalSize, arg1.Size(), arg1))
}
return arg1.Size()
}
if arg1.Kind == ArgUnion {
rec(arg1.Option)
return
size := rec(arg1.Option, offset)
offset += size
if size > arg1.Size() {
panic(fmt.Sprintf("bad union arg size %v, should be <= %v for %+v", size, arg1.Size(), arg1))
}
return arg1.Size()
}
if sys.IsPad(arg1.Type) {
return
}
if arg1.Kind == ArgData && len(arg1.Data) == 0 {
return
}
if arg1.Type.Dir() != sys.DirOut {
if !sys.IsPad(arg1.Type) &&
!(arg1.Kind == ArgData && len(arg1.Data) == 0) &&
arg1.Type.Dir() != sys.DirOut {
w.write(ExecInstrCopyin)
w.write(physicalAddr(arg) + w.args[arg1].Offset)
w.write(physicalAddr(arg) + offset)
w.writeArg(arg1, pid)
instrSeq++
}
return arg1.Size()
}
rec(arg.Res)
rec(arg.Res, 0)
}
})
// Generate the call itself.
@ -136,9 +134,8 @@ type execContext struct {
}
type argInfo struct {
Offset uintptr // from base pointer
CurSize uintptr
Idx uintptr // instruction index
Offset uintptr // from base pointer
Idx uintptr // instruction index
}
func (w *execContext) write(v uintptr) {

76
prog/encodingexec_test.go
View File

@ -90,6 +90,49 @@ func TestSerializeForExec(t *testing.T) {
instrEOF,
},
},
{
"syz_test$align2(&(0x7f0000000000)={0x42, {[0x43]}, {[0x44]}})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0,
instrCopyin, dataOffset + 1, argConst, 2, 0x43, 0, 0,
instrCopyin, dataOffset + 4, argConst, 2, 0x44, 0, 0,
callID("syz_test$align2"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$align3(&(0x7f0000000000)={0x42, {0x43}, {0x44}})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0,
instrCopyin, dataOffset + 1, argConst, 1, 0x43, 0, 0,
instrCopyin, dataOffset + 4, argConst, 1, 0x44, 0, 0,
callID("syz_test$align3"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$align4(&(0x7f0000000000)={{0x42, 0x43}, 0x44})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0,
instrCopyin, dataOffset + 1, argConst, 2, 0x43, 0, 0,
instrCopyin, dataOffset + 4, argConst, 1, 0x44, 0, 0,
callID("syz_test$align4"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$align5(&(0x7f0000000000)={{0x42, []}, {0x43, [0x44, 0x45, 0x46]}, 0x47})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 8, 0x42, 0, 0,
instrCopyin, dataOffset + 8, argConst, 8, 0x43, 0, 0,
instrCopyin, dataOffset + 16, argConst, 2, 0x44, 0, 0,
instrCopyin, dataOffset + 18, argConst, 2, 0x45, 0, 0,
instrCopyin, dataOffset + 20, argConst, 2, 0x46, 0, 0,
instrCopyin, dataOffset + 24, argConst, 1, 0x47, 0, 0,
callID("syz_test$align5"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$union0(&(0x7f0000000000)={0x1, @f2=0x2})",
[]uint64{
@ -99,6 +142,24 @@ func TestSerializeForExec(t *testing.T) {
instrEOF,
},
},
{
"syz_test$union1(&(0x7f0000000000)={@f1=0x42, 0x43})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 0,
instrCopyin, dataOffset + 8, argConst, 1, 0x43, 0, 0,
callID("syz_test$union1"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$union2(&(0x7f0000000000)={@f1=0x42, 0x43})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 0,
instrCopyin, dataOffset + 4, argConst, 1, 0x43, 0, 0,
callID("syz_test$union2"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$array0(&(0x7f0000000000)={0x1, [@f0=0x2, @f1=0x3], 0x4})",
[]uint64{
@ -152,7 +213,7 @@ func TestSerializeForExec(t *testing.T) {
},
},
{
"syz_test$bf(&(0x7f0000000000)={0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42})",
"syz_test$bf0(&(0x7f0000000000)={0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 2, 0x42, 0, 10,
instrCopyin, dataOffset + 8, argConst, 8, 0x42, 0, 0,
@ -162,7 +223,18 @@ func TestSerializeForExec(t *testing.T) {
instrCopyin, dataOffset + 24, argConst, 2, 0x42, 0, 11,
instrCopyin, dataOffset + 26, argConst, 2, 0x4200, 0, 11,
instrCopyin, dataOffset + 28, argConst, 1, 0x42, 0, 0,
callID("syz_test$bf"), 1, argConst, ptrSize, dataOffset, 0, 0,
callID("syz_test$bf0"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},
{
"syz_test$bf1(&(0x7f0000000000)={{0x42, 0x42, 0x42}, 0x42})",
[]uint64{
instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 10,
instrCopyin, dataOffset + 0, argConst, 4, 0x42, 10, 10,
instrCopyin, dataOffset + 0, argConst, 4, 0x42, 20, 10,
instrCopyin, dataOffset + 4, argConst, 1, 0x42, 0, 0,
callID("syz_test$bf1"), 1, argConst, ptrSize, dataOffset, 0, 0,
instrEOF,
},
},

11
prog/mutation.go
View File

@ -5,6 +5,7 @@ package prog
import (
"fmt"
"math"
"math/rand"
"unsafe"
@ -88,7 +89,7 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Pro
panic(fmt.Sprintf("bad arg kind for BufferType: %v", arg.Kind))
}
minLen := int(0)
maxLen := ^int(0)
maxLen := math.MaxInt32
if a.Kind == sys.BufferBlobRange {
minLen = int(a.RangeBegin)
maxLen = int(a.RangeEnd)
@ -96,7 +97,13 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Pro
arg.Data = mutateData(r, data, minLen, maxLen)
case sys.BufferString:
if r.bin() {
arg.Data = mutateData(r, append([]byte{}, arg.Data...), int(0), ^int(0))
minLen := int(0)
maxLen := math.MaxInt32
if a.Length != 0 {
minLen = int(a.Length)
maxLen = int(a.Length)
}
arg.Data = mutateData(r, append([]byte{}, arg.Data...), minLen, maxLen)
} else {
arg.Data = r.randString(s, a.Values, a.Dir())
}

18
prog/prog.go
View File

@ -112,11 +112,25 @@ func (a *Arg) Size() uintptr {
case *sys.StructType:
var size uintptr
for _, fld := range a.Inner {
size += fld.Size()
if fld.Type.BitfieldLength() == 0 || fld.Type.BitfieldLast() {
size += fld.Size()
}
}
align := typ.Align()
if size%align != 0 {
if typ.Varlen {
size += align - size%align
} else {
panic(fmt.Sprintf("struct %+v with type %+v has static size %v, which isn't aligned to %v", a, typ, size, align))
}
}
return size
case *sys.UnionType:
return a.Option.Size()
if !typ.Varlen {
return typ.Size()
} else {
return a.Option.Size()
}
case *sys.ArrayType:
var size uintptr
for _, in := range a.Inner {

7
prog/validation.go
View File

@ -97,6 +97,13 @@ func (c *Call) validate(ctx *validCtx) error {
if arg.Val >= uintptr(typ1.ValuesPerProc) {
return fmt.Errorf("syscall %v: per proc arg '%v' has bad value '%v'", c.Meta.Name, typ.Name(), arg.Val)
}
case *sys.BufferType:
switch typ1.Kind {
case sys.BufferString:
if typ1.Length != 0 && len(arg.Data) != int(typ1.Length) {
return fmt.Errorf("syscall %v: string arg '%v' has size %v, which should be %v", c.Meta.Name, len(arg.Data), typ1.Length)
}
}
}
switch arg.Kind {
case ArgConst:

43
sys/align.go
View File

@ -22,6 +22,7 @@ func initAlign() {
rec(f)
}
markBitfields(t1)
markVarlen(t1)
addAlignment(t1)
}
case *UnionType:
@ -76,13 +77,38 @@ func markBitfields(t *StructType) {
}
}
func markVarlen(t *StructType) {
for i, f := range t.Fields {
if at, ok := f.(*StructType); ok && at.Varlen {
t.Varlen = true
}
if at, ok := f.(*UnionType); ok && at.Varlen {
t.Varlen = true
}
if at, ok := f.(*ArrayType); ok && (at.Kind == ArrayRandLen || (at.Kind == ArrayRangeLen && at.RangeBegin != at.RangeEnd)) {
t.Varlen = true
}
if at, ok := f.(*BufferType); ok && (at.Kind == BufferBlobRand || (at.Kind == BufferBlobRange && at.RangeBegin != at.RangeEnd)) {
t.Varlen = true
}
if !t.packed && t.Varlen && i != len(t.Fields)-1 {
panic(fmt.Sprintf("variable length field %+v in the middle of a struct %+v", f, t))
}
}
}
func addAlignment(t *StructType) {
if t.packed {
// If a struct is packed, statically sized and has explicitly set alignment, add a padding.
if !t.Varlen && t.align != 0 && t.Size()%t.align != 0 {
pad := t.align - t.Size()%t.align
t.Fields = append(t.Fields, makePad(pad))
}
return
}
var fields []Type
var off, align uintptr
varLen := false
var off uintptr
align := t.align
for i, f := range t.Fields {
a := f.Align()
if align < a {
@ -97,21 +123,12 @@ func addAlignment(t *StructType) {
}
}
fields = append(fields, f)
if at, ok := f.(*ArrayType); ok && (at.Kind == ArrayRandLen || (at.Kind == ArrayRangeLen && at.RangeBegin != at.RangeEnd)) {
varLen = true
}
if at, ok := f.(*BufferType); ok && (at.Kind == BufferBlobRand || (at.Kind == BufferBlobRange && at.RangeBegin != at.RangeEnd)) {
varLen = true
}
if varLen && i != len(t.Fields)-1 {
panic("embed array in middle of a struct")
}
if (f.BitfieldLength() == 0 || f.BitfieldLast()) && !varLen {
if (f.BitfieldLength() == 0 || f.BitfieldLast()) && !t.Varlen {
// Increase offset if the current field is not a bitfield or it's the last bitfield in a set.
off += f.Size()
}
}
if align != 0 && off%align != 0 && !varLen {
if align != 0 && off%align != 0 && !t.Varlen {
pad := align - off%align
off += pad
fields = append(fields, makePad(pad))

13
sys/decl.go
View File

@ -222,6 +222,7 @@ type BufferType struct {
Text TextKind // for BufferText
SubKind string
Values []string // possible values for BufferString kind
Length uintptr // max string length for BufferString kind
}
func (t *BufferType) Size() uintptr {
@ -292,6 +293,7 @@ func (t *PtrType) Align() uintptr {
type StructType struct {
TypeCommon
Fields []Type
Varlen bool
padded bool
packed bool
align uintptr
@ -303,7 +305,9 @@ func (t *StructType) Size() uintptr {
}
var size uintptr
for _, f := range t.Fields {
size += f.Size()
if f.BitfieldLength() == 0 || f.BitfieldLast() {
size += f.Size()
}
}
return size
}
@ -312,6 +316,9 @@ func (t *StructType) Align() uintptr {
if t.align != 0 {
return t.align // overrided by user attribute
}
if t.packed {
return 1
}
var align uintptr
for _, f := range t.Fields {
if a1 := f.Align(); align < a1 {
@ -324,11 +331,11 @@ func (t *StructType) Align() uintptr {
type UnionType struct {
TypeCommon
Options []Type
varlen bool
Varlen bool
}
func (t *UnionType) Size() uintptr {
if t.varlen {
if t.Varlen {
panic("union size is not statically known")
}
size := t.Options[0].Size()

122
sys/test.txt
View File

@ -6,16 +6,23 @@
syz_test()
# Integer types.
syz_test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64)
# Opt arguments
syz_test$opt0(a0 intptr[opt])
syz_test$opt1(a0 ptr[in, intptr, opt])
syz_test$opt2(a0 vma[opt])
# Struct alignment.
# Alignment and padding
syz_test$align0(a0 ptr[in, syz_align0])
syz_test$align1(a0 ptr[in, syz_align1])
syz_test$align2(a0 ptr[in, syz_align2])
syz_test$align3(a0 ptr[in, syz_align3])
syz_test$align4(a0 ptr[in, syz_align4])
syz_test$align5(a0 ptr[in, syz_align5])
syz_align0 {
f0 int16
@ -33,22 +40,93 @@ syz_align1 {
f4 int64
} [packed]
# Unions.
syz_align2_packed {
f0 array[int16, 1]
} [packed]
syz_test$union0(a0 ptr[in, syz_union_struct])
syz_union_struct {
f int64
u syz_union0
syz_align2_not_packed {
f0 array[int16, 1]
}
syz_align2 {
f0 int8
f1 syz_align2_packed
f2 syz_align2_not_packed
}
syz_align3_noalign {
f0 int8
}
syz_align3_align4 {
f0 int8
} [align_4]
syz_align3 {
f0 int8
f1 syz_align3_noalign
f2 syz_align3_align4
}
syz_align4_internal {
f0 int8
f1 int16
} [packed, align_4]
syz_align4 {
f0 syz_align4_internal
f1 int8
}
syz_align5_internal {
f0 int64
f1 array[int16, 0:3]
}
syz_align5 {
f0 syz_align5_internal
f1 syz_align5_internal
f2 int8
} [packed]
# Unions
syz_test$union0(a0 ptr[in, syz_union0_struct])
syz_test$union1(a0 ptr[in, syz_union1_struct])
syz_test$union2(a0 ptr[in, syz_union2_struct])
syz_union0 [
f0 int64
f1 array[int64, 10]
f2 int8
]
# Arrays.
syz_union0_struct {
f int64
u syz_union0
}
syz_union1 [
f0 int64
f1 int32
]
syz_union1_struct {
f0 syz_union1
f1 int8
} [packed]
syz_union2 [
f0 int64
f1 int32
] [varlen]
syz_union2_struct {
f0 syz_union2
f1 int8
} [packed]
# Arrays
syz_test$array0(a0 ptr[in, syz_array_struct])
syz_test$array1(a0 ptr[in, syz_array_trailing])
@ -77,7 +155,7 @@ syz_array_blob {
f2 int16
}
# Length.
# Length
syz_test$length0(a0 ptr[in, syz_length_int_struct])
syz_test$length1(a0 ptr[in, syz_length_const_struct])
@ -178,7 +256,7 @@ syz_length_bytesize_struct {
f5 bytesize8[f0, int8]
}
# Big endian.
# Big endian
syz_test$end0(a0 ptr[in, syz_end_int_struct])
syz_test$end1(a0 ptr[in, syz_end_var_struct])
@ -199,18 +277,18 @@ syz_end_var_struct {
f2 flags[syz_end_flags, int64be]
} [packed]
# Vma type.
# Vma type
syz_test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2])
# Text type.
# Text type
syz_test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0])
syz_test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0])
syz_test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0])
syz_test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0])
# Regression tests.
# Regression tests
syz_test$regression0(a0 ptr[inout, syz_regression0_struct])
@ -218,11 +296,11 @@ syz_regression0_struct {
f0 buffer[out]
}
# Bitfields.
# Bitfields
syz_bf_flags = 0, 1, 2
syz_bf_struct {
syz_bf_struct0 {
f0 flags[syz_bf_flags, int16:10]
f1 int64
f2 const[0x42, int16:5]
@ -233,4 +311,16 @@ syz_bf_struct {
f7 int8
}
syz_test$bf(a0 ptr[in, syz_bf_struct])
syz_bf_struct1_internal {
f0 int32:10
f1 int32:10
f2 int32:10
}
syz_bf_struct1 {
f0 syz_bf_struct1_internal
f1 int8
}
syz_test$bf0(a0 ptr[in, syz_bf_struct0])
syz_test$bf1(a0 ptr[in, syz_bf_struct1])

6
sysgen/sysgen.go
View File

@ -275,7 +275,7 @@ func generateStructEntry(str Struct, key structKey, out io.Writer) {
}
varlen := ""
if str.Varlen {
varlen = ", varlen: true"
varlen = ", Varlen: true"
}
align := ""
if str.Align != 0 {
@ -433,8 +433,8 @@ func generateArg(
for i, s := range vals {
vals[i] = s + "\x00"
}
var size uint64
if len(a) >= 2 {
var size uint64
if v, ok := consts[a[1]]; ok {
size = v
} else {
@ -454,7 +454,7 @@ func generateArg(
vals[i] = s
}
}
fmt.Fprintf(out, "&BufferType{%v, Kind: BufferString, SubKind: %q, Values: %#v}", common(), subkind, vals)
fmt.Fprintf(out, "&BufferType{%v, Kind: BufferString, SubKind: %q, Values: %#v, Length: %v}", common(), subkind, vals, size)
case "salg_type":
if want := 0; len(a) != want {
failf("wrong number of arguments for %v arg %v, want %v, got %v", typ, name, want, len(a))