sys/openbsd: add missing padding arguments

Due to missing padding arguments, stack garbage could end up being used as actual arguments. More reading for the curious[1]. While here, add missing descriptions for pread and pwrite. [1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
2025-03-01 08:05:38 +00:00 · 2019-05-11 20:38:41 +02:00 · 2019-05-11 20:38:41 +02:00 · 5f302c04a2
commit 5f302c04a2
parent 45065351dd
6 changed files with 34 additions and 7 deletions
--- a/executor/defs.h
+++ b/executor/defs.h
@ -130,7 +130,7 @@

 #if GOARCH_amd64
 #define GOARCH "amd64"
-#define SYZ_REVISION "216c98ad3498631ce9d36fbfa6fa8f98d1f2c5cb"
+#define SYZ_REVISION "1b6671ad8d712ebbd04cdedcec2c7d0d224996b9"
 #define SYZ_EXECUTOR_USES_FORK_SERVER 1
 #define SYZ_EXECUTOR_USES_SHMEM 1
 #define SYZ_PAGE_SIZE 4096
--- a/executor/syscalls.h
+++ b/executor/syscalls.h
@ -15278,7 +15278,9 @@ const call_t syscalls[] = {
    {"pipe2", 101},
    {"pledge", 108},
    {"poll", 252},
+    {"pread", 173},
    {"preadv", 267},
+    {"pwrite", 174},
    {"pwritev", 268},
    {"read", 3},
    {"readlink", 58},
--- a/sys/openbsd/fs.txt
+++ b/sys/openbsd/fs.txt
@ -20,11 +20,13 @@ openat(fd fd_dir, file ptr[in, filename], flags flags[open_flags], mode flags[op
 close(fd fd)
 read(fd fd, buf buffer[out], count len[buf])
 readv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec])
-preadv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], off fileoff)
+pread(fd fd, buf buffer[in], nbyte len[buf], pad const[0], off fileoff)
+preadv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], pad const[0], off fileoff)
 write(fd fd, buf buffer[in], count len[buf])
 writev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec])
-pwritev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off fileoff)
-lseek(fd fd, offset fileoff, whence flags[seek_whence])
+pwrite(fd fd, buf buffer[in], nbyte len[buf], pad const[0], off fileoff)
+pwritev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], pad const[0], off fileoff)
+lseek(fd fd, pad const[0], offset fileoff, whence flags[seek_whence])
 dup(oldfd fd) fd
 dup2(oldfd fd, newfd fd) fd
 pipe2(pipefd ptr[out, pipefd], flags flags[pipe_flags])
--- a/sys/openbsd/fs_amd64.const
+++ b/sys/openbsd/fs_amd64.const
@ -28,7 +28,9 @@ SYS_lseek = 199
 SYS_open = 5
 SYS_openat = 321
 SYS_pipe2 = 101
+SYS_pread = 173
 SYS_preadv = 267
+SYS_pwrite = 174
 SYS_pwritev = 268
 SYS_read = 3
 SYS_readv = 120
--- a/sys/openbsd/gen/amd64.go
+++ b/sys/openbsd/gen/amd64.go
@ -916,6 +916,7 @@ var syscalls_amd64 = []*Syscall{
 	}},
 	{NR: 201, Name: "ftruncate", CallName: "ftruncate", Args: []Type{
 		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "len", TypeSize: 8}}},
 	}},
 	{NR: 99, Name: "getdents", CallName: "getdents", Args: []Type{
@ -1624,6 +1625,7 @@ var syscalls_amd64 = []*Syscall{
 	}},
 	{NR: 199, Name: "lseek", CallName: "lseek", Args: []Type{
 		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fileoff", FldName: "offset", TypeSize: 8}}, Kind: 1},
 		&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "seek_whence", FldName: "whence", TypeSize: 8}}, Vals: []uint64{0, 1, 2}, BitMask: true},
 	}},
@ -1833,16 +1835,32 @@ var syscalls_amd64 = []*Syscall{
 		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "nfds", TypeSize: 8}}, Buf: "fds"},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "timeout", TypeSize: 4}}},
 	}},
+	{NR: 173, Name: "pread", CallName: "pread", Args: []Type{
+		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "buf", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "array", IsVarlen: true}}},
+		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "nbyte", TypeSize: 8}}, Buf: "buf"},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
+		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fileoff", FldName: "off", TypeSize: 8}}, Kind: 1},
+	}},
 	{NR: 267, Name: "preadv", CallName: "preadv", Args: []Type{
 		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
 		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "vec", TypeSize: 8}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "iovec_out"}}}},
 		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "vlen", TypeSize: 8}}, Buf: "vec"},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
+		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fileoff", FldName: "off", TypeSize: 8}}, Kind: 1},
+	}},
+	{NR: 174, Name: "pwrite", CallName: "pwrite", Args: []Type{
+		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "buf", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "array", IsVarlen: true}}},
+		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "nbyte", TypeSize: 8}}, Buf: "buf"},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fileoff", FldName: "off", TypeSize: 8}}, Kind: 1},
 	}},
 	{NR: 268, Name: "pwritev", CallName: "pwritev", Args: []Type{
 		&ResourceType{TypeCommon: TypeCommon{TypeName: "fd", FldName: "fd", TypeSize: 4}},
 		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "vec", TypeSize: 8}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "iovec_in"}}}},
 		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "vlen", TypeSize: 8}}, Buf: "vec"},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fileoff", FldName: "off", TypeSize: 8}}, Kind: 1},
 	}},
 	{NR: 3, Name: "read", CallName: "read", Args: []Type{
@ -2251,6 +2269,7 @@ var syscalls_amd64 = []*Syscall{
 	{Name: "syz_open_pts", CallName: "syz_open_pts", Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_tty", FldName: "ret", TypeSize: 4, ArgDir: 1}}},
 	{NR: 200, Name: "truncate", CallName: "truncate", Args: []Type{
 		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "file", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
+		&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "pad", TypeSize: 8}}},
 		&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "len", TypeSize: 8}}},
 	}},
 	{NR: 10, Name: "unlink", CallName: "unlink", Args: []Type{
@ -2626,7 +2645,9 @@ var consts_amd64 = []ConstValue{
 	{Name: "SYS_pipe2", Value: 101},
 	{Name: "SYS_pledge", Value: 108},
 	{Name: "SYS_poll", Value: 252},
+	{Name: "SYS_pread", Value: 173},
 	{Name: "SYS_preadv", Value: 267},
+	{Name: "SYS_pwrite", Value: 174},
 	{Name: "SYS_pwritev", Value: 268},
 	{Name: "SYS_read", Value: 3},
 	{Name: "SYS_readlink", Value: 58},
@ -2853,4 +2874,4 @@ var consts_amd64 = []ConstValue{
 	{Name: "__MAP_NOREPLACE", Value: 2048},
 }

-const revision_amd64 = "216c98ad3498631ce9d36fbfa6fa8f98d1f2c5cb"
+const revision_amd64 = "1b6671ad8d712ebbd04cdedcec2c7d0d224996b9"
--- a/sys/openbsd/sys.txt
+++ b/sys/openbsd/sys.txt
@ -92,8 +92,8 @@ renameat(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename
 mkdir(path ptr[in, filename], mode flags[open_mode])
 mkdirat(fd fd_dir, path ptr[in, filename], mode flags[open_mode])
 rmdir(path ptr[in, filename])
-truncate(file ptr[in, filename], len intptr)
-ftruncate(fd fd, len intptr)
+truncate(file ptr[in, filename], pad const[0], len intptr)
+ftruncate(fd fd, pad const[0], len intptr)
 flock(fd fd, op flags[flock_op])
 fsync(fd fd)
 # fdatasync(fd fd)