From 6ce17935cb99fa11aaa2f2d1889261da6b298013 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Mon, 15 Oct 2018 18:53:00 +0200 Subject: [PATCH] sys/linux: prohibit FAN_OPEN_PERM and FAN_ACCESS_PERM FAN_OPEN_PERM and FAN_ACCESS_PERM require the program to reply to open requests. If that does not happen, the program will hang in an unkillable state forever. See the following bug for details: https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ --- executor/defs.h | 10 +-- executor/syscalls.h | 1 + sys/linux/aio_arm.const | 2 +- sys/linux/gen/386.go | 8 +- sys/linux/gen/amd64.go | 8 +- sys/linux/gen/arm.go | 15 +++- sys/linux/gen/arm64.go | 6 +- sys/linux/gen/ppc64le.go | 6 +- sys/linux/init.go | 13 +++- sys/linux/init_test.go | 153 +++++++++++++++++++++++++++++++++++++++ sys/linux/sys.txt | 8 +- 11 files changed, 202 insertions(+), 28 deletions(-) create mode 100644 sys/linux/init_test.go diff --git a/executor/defs.h b/executor/defs.h index 26996a0a..cdd8519e 100644 --- a/executor/defs.h +++ b/executor/defs.h @@ -60,7 +60,7 @@ #if GOARCH_386 #define GOARCH "386" -#define SYZ_REVISION "642a145ebbc67e85c1215435c6b534d306e9817c" +#define SYZ_REVISION "7d1cc6599aafad3c0b0ee7e24d0ea18a1310f4f6" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -70,7 +70,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "4bf7088eb1e77eb4525156890f346c4c426308df" +#define SYZ_REVISION "ef47a3e33a5764e82cb1ccb694fd34a5311053b4" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -80,7 +80,7 @@ #if GOARCH_arm #define GOARCH "arm" -#define SYZ_REVISION "87d9b5b947c05cd6232361b1c5ed052568f6d8ed" +#define SYZ_REVISION "15223c241125b3b97cca255736128daf2364eb5f" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 
@@ -90,7 +90,7 @@ #if GOARCH_arm64 #define GOARCH "arm64" -#define SYZ_REVISION "4c268588881cd3c4d4195b7ec7fb71c90732ef6c" +#define SYZ_REVISION "788811e4e0b7f2906517c1b548e5d719bb4eb681" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -100,7 +100,7 @@ #if GOARCH_ppc64le #define GOARCH "ppc64le" -#define SYZ_REVISION "cdf0eb7c11ca182ba6df6598c596f4da9c7a489c" +#define SYZ_REVISION "3fa983482ac8a3d065ca2cd99d5fd18b973d0b9f" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 diff --git a/executor/syscalls.h b/executor/syscalls.h index cda0b0ab..a949540b 100644 --- a/executor/syscalls.h +++ b/executor/syscalls.h @@ -6200,6 +6200,7 @@ const call_t syscalls[] = { {"io_cancel", 247}, {"io_destroy", 244}, {"io_getevents", 245}, + {"io_pgetevents", 399}, {"io_setup", 243}, {"io_submit", 246}, {"ioctl", 54}, diff --git a/sys/linux/aio_arm.const b/sys/linux/aio_arm.const index 1bca789d..f8c43277 100644 --- a/sys/linux/aio_arm.const +++ b/sys/linux/aio_arm.const @@ -12,6 +12,6 @@ IOCB_FLAG_RESFD = 1 __NR_io_cancel = 247 __NR_io_destroy = 244 __NR_io_getevents = 245 -# __NR_io_pgetevents is not set +__NR_io_pgetevents = 399 __NR_io_setup = 243 __NR_io_submit = 246 diff --git a/sys/linux/gen/386.go b/sys/linux/gen/386.go index 8084c6c7..e8483d03 100644 --- a/sys/linux/gen/386.go +++ b/sys/linux/gen/386.go 
@@ -22781,7 +22781,7 @@ var syscalls_386 = []*Syscall{ &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "seconds", TypeSize: 4}}}, }}, {NR: 384, Name: "arch_prctl", CallName: "arch_prctl", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 4}}, Vals: []uint64{4098, 4099, 4097, 4100}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 4}}, Vals: []uint64{4099, 4097, 4100}}, &PtrType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "addr", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{IsVarlen: true}}}, }}, {NR: 361, Name: "bind", CallName: "bind", Args: []Type{ @@ -23291,7 +23291,7 @@ var syscalls_386 = []*Syscall{ {NR: 339, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{ &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}}, &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 4}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true}, - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true}, &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}}, }}, 
@@ -30592,7 +30592,7 @@ var syscalls_386 = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 4}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, }}, {NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{16904, 8, 16903, 16, 17}}, &ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}}, }}, {NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{ @@ -41321,4 +41321,4 @@ var consts_386 = []ConstValue{ {Name: "bpf_insn_load_imm_dw", Value: 24}, } -const revision_386 = "642a145ebbc67e85c1215435c6b534d306e9817c" +const revision_386 = "7d1cc6599aafad3c0b0ee7e24d0ea18a1310f4f6" diff --git a/sys/linux/gen/amd64.go b/sys/linux/gen/amd64.go index 5118406f..121e128e 100644 --- a/sys/linux/gen/amd64.go +++ b/sys/linux/gen/amd64.go @@ -23231,7 +23231,7 @@ var syscalls_amd64 = []*Syscall{ &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "seconds", TypeSize: 8}}}, }}, {NR: 158, Name: "arch_prctl", CallName: "arch_prctl", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 8}}, Vals: []uint64{4098, 4099, 4097, 4100}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 8}}, Vals: []uint64{4099, 4097, 4100}}, &PtrType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "addr", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{IsVarlen: true}}}, }}, {NR: 49, Name: "bind", CallName: "bind", Args: []Type{ 
@@ -23741,7 +23741,7 @@ var syscalls_amd64 = []*Syscall{ {NR: 301, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{ &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}}, &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true}, - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true}, &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}}, }}, @@ -31112,7 +31112,7 @@ var syscalls_amd64 = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, }}, {NR: 101, Name: "ptrace", CallName: "ptrace", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}}, &ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}}, }}, {NR: 101, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{ 
@@ -42015,4 +42015,4 @@ var consts_amd64 = []ConstValue{ {Name: "bpf_insn_load_imm_dw", Value: 24}, } -const revision_amd64 = "4bf7088eb1e77eb4525156890f346c4c426308df" +const revision_amd64 = "ef47a3e33a5764e82cb1ccb694fd34a5311053b4" diff --git a/sys/linux/gen/arm.go b/sys/linux/gen/arm.go index a0c4f896..c455f58d 100644 --- a/sys/linux/gen/arm.go +++ b/sys/linux/gen/arm.go @@ -23193,7 +23193,7 @@ var syscalls_arm = []*Syscall{ {NR: 368, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{ &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}}, &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 4}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true}, - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true}, &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}}, }}, 
@@ -24958,6 +24958,14 @@ var syscalls_arm = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "events", TypeSize: 4}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", ArgDir: 1, IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "io_event", Dir: 1}}}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "timeout", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "timespec"}}}, }}, + {NR: 399, Name: "io_pgetevents", CallName: "io_pgetevents", Args: []Type{ + &ResourceType{TypeCommon: TypeCommon{TypeName: "io_ctx", FldName: "ctx", TypeSize: 4}}, + &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "min_nr", TypeSize: 4}}}, + &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "nr", TypeSize: 4}}, Buf: "events"}, + &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "events", TypeSize: 4}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", ArgDir: 1, IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "io_event", Dir: 1}}}}, + &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "timeout", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "timespec"}}}, + &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "usig", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, + }}, {NR: 243, Name: "io_setup", CallName: "io_setup", Args: []Type{ &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "n", TypeSize: 4}}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "ctx", TypeSize: 4}, Type: &ResourceType{TypeCommon: TypeCommon{TypeName: "io_ctx", TypeSize: 4, ArgDir: 1}}}, 
@@ -30380,7 +30388,7 @@ var syscalls_arm = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 4}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, }}, {NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{16904, 8, 16903, 16, 17}}, &ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}}, }}, {NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{ @@ -40986,6 +40994,7 @@ var consts_arm = []ConstValue{ {Name: "__NR_io_cancel", Value: 247}, {Name: "__NR_io_destroy", Value: 244}, {Name: "__NR_io_getevents", Value: 245}, + {Name: "__NR_io_pgetevents", Value: 399}, {Name: "__NR_io_setup", Value: 243}, {Name: "__NR_io_submit", Value: 246}, {Name: "__NR_ioctl", Value: 54}, @@ -41187,4 +41196,4 @@ var consts_arm = []ConstValue{ {Name: "bpf_insn_load_imm_dw", Value: 24}, } -const revision_arm = "87d9b5b947c05cd6232361b1c5ed052568f6d8ed" +const revision_arm = "15223c241125b3b97cca255736128daf2364eb5f" diff --git a/sys/linux/gen/arm64.go b/sys/linux/gen/arm64.go index 2b14c8fe..2761f261 100644 --- a/sys/linux/gen/arm64.go +++ b/sys/linux/gen/arm64.go 
@@ -23497,7 +23497,7 @@ var syscalls_arm64 = []*Syscall{ {NR: 263, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{ &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}}, &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true}, - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true}, &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}}, }}, @@ -30662,7 +30662,7 @@ var syscalls_arm64 = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, }}, {NR: 117, Name: "ptrace", CallName: "ptrace", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}}, &ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}}, }}, {NR: 117, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{ 
@@ -41409,4 +41409,4 @@ var consts_arm64 = []ConstValue{ {Name: "bpf_insn_load_imm_dw", Value: 24}, } -const revision_arm64 = "4c268588881cd3c4d4195b7ec7fb71c90732ef6c" +const revision_arm64 = "788811e4e0b7f2906517c1b548e5d719bb4eb681" diff --git a/sys/linux/gen/ppc64le.go b/sys/linux/gen/ppc64le.go index 49d6a9c1..d2f04250 100644 --- a/sys/linux/gen/ppc64le.go +++ b/sys/linux/gen/ppc64le.go @@ -22540,7 +22540,7 @@ var syscalls_ppc64le = []*Syscall{ {NR: 324, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{ &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}}, &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true}, - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true}, &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}}, &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}}, }}, 
@@ -29153,7 +29153,7 @@ var syscalls_ppc64le = []*Syscall{ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}}, }}, {NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{ - &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}}, &ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}}, }}, {NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{ @@ -38765,4 +38765,4 @@ var consts_ppc64le = []ConstValue{ {Name: "bpf_insn_load_imm_dw", Value: 24}, } -const revision_ppc64le = "cdf0eb7c11ca182ba6df6598c596f4da9c7a489c" +const revision_ppc64le = "3fa983482ac8a3d065ca2cd99d5fd18b973d0b9f" diff --git a/sys/linux/init.go b/sys/linux/init.go index d4ab7da7..f545abdf 100644 --- a/sys/linux/init.go +++ b/sys/linux/init.go @@ -21,6 +21,8 @@ func InitTarget(target *prog.Target) { FITHAW: target.ConstMap["FITHAW"], EXT4_IOC_SHUTDOWN: target.ConstMap["EXT4_IOC_SHUTDOWN"], EXT4_IOC_MIGRATE: target.ConstMap["EXT4_IOC_MIGRATE"], + FAN_OPEN_PERM: target.ConstMap["FAN_OPEN_PERM"], + FAN_ACCESS_PERM: target.ConstMap["FAN_ACCESS_PERM"], PTRACE_TRACEME: target.ConstMap["PTRACE_TRACEME"], CLOCK_REALTIME: target.ConstMap["CLOCK_REALTIME"], ARCH_SET_FS: target.ConstMap["ARCH_SET_FS"], @@ -95,6 +97,8 @@ type arch struct { FITHAW uint64 EXT4_IOC_SHUTDOWN uint64 EXT4_IOC_MIGRATE uint64 + FAN_OPEN_PERM uint64 + FAN_ACCESS_PERM uint64 PTRACE_TRACEME uint64 CLOCK_REALTIME uint64 ARCH_SET_FS uint64 
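Review bot: In the InitTarget hunk the new `FAN_OPEN_PERM` and `FAN_ACCESS_PERM` entries are plain map indexes into `target.ConstMap`, so on any target whose const files lack one of the names the field is silently 0 and the later `mask.Val &^= arch.FAN_OPEN_PERM | arch.FAN_ACCESS_PERM` becomes a no-op instead of a startup failure. The `_ =` line added to sys.txt keeps the names extracted, but only the amd64 test would notice a per-arch gap. Consider a small lookup helper that panics when the name is absent (`v, ok := target.ConstMap[name]; if !ok { panic("missing const " + name) }`) and use it for these fields; the pre-existing fields in the same literal (PTRACE_TRACEME, ARCH_SET_FS, ...) have the same weakness. InitTarget's composite literal starts before and ends after this hunk.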
@@ -128,11 +132,18 @@ func (arch *arch) sanitizeCall(c *prog.Call) {
 if uint64(uint32(cmd.Val)) == arch.EXT4_IOC_SHUTDOWN {
 cmd.Val = arch.EXT4_IOC_MIGRATE
 }
+ case "fanotify_mark":
+ // FAN_OPEN_PERM and FAN_ACCESS_PERM require the program to reply to open requests.
+ // If that does not happen, the program will hang in an unkillable state forever.
+ // See the following bug for details:
+ // https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ
+ mask := c.Args[2].(*prog.ConstArg)
+ mask.Val &^= arch.FAN_OPEN_PERM | arch.FAN_ACCESS_PERM
 case "ptrace":
 req := c.Args[0].(*prog.ConstArg)
 // PTRACE_TRACEME leads to unkillable processes, see:
 // https://groups.google.com/forum/#!topic/syzkaller/uGzwvhlCXAw
- if req.Val == arch.PTRACE_TRACEME {
+ if uint64(uint32(req.Val)) == arch.PTRACE_TRACEME {
 req.Val = ^uint64(0)
 }
 case "arch_prctl":
diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go
new file mode 100644
index 00000000..090fa779
--- /dev/null
+++ b/sys/linux/init_test.go
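Review bot: The `ptrace` guard now compares `uint64(uint32(req.Val))` with `PTRACE_TRACEME`, mirroring the `ioctl` case just above it, but nothing says why: as far as I can tell the kernel takes the ptrace request as a full `long` on 64-bit targets, so a value such as `0xf000000000` (the new test row) would be rejected by the kernel rather than hang, and the truncation deliberately over-approximates to cover 32-bit targets. A one-line comment would stop the next reader from "fixing" it back, e.g. `// Compare only the low 32 bits (as for ioctl cmd): over-sanitizing is harmless, missing TRACEME on 32-bit targets is not.` The new `fanotify_mark` case reads well; both it and the ptrace case rely on an unchecked `*prog.ConstArg` assertion, which is consistent with the existing cases. `sanitizeCall` begins before and continues after this hunk.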
@@ -0,0 +1,153 @@
+// Copyright 2018 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package linux_test
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/google/syzkaller/prog"
+ _ "github.com/google/syzkaller/sys/linux/gen"
+)
+
+func TestSanitize(t *testing.T) {
+ target, err := prog.GetTarget("linux", "amd64")
+ if err != nil {
+ t.Fatal(err)
+ }
+ tests := []struct {
+ input string
+ output string
+ }{
+ {
+ `syslog(0x10000000006, 0x0, 0x0)`,
+ `syslog(0x9, 0x0, 0x0)`,
+ },
+ {
+ `syslog(0x10000000007, 0x0, 0x0)`,
+ `syslog(0x9, 0x0, 0x0)`,
+ },
+ {
+ `syslog(0x1, 0x0, 0x0)`,
+ `syslog(0x1, 0x0, 0x0)`,
+ },
+
+ {
+ `ptrace(0xf000000000, 0x0)`,
+ `ptrace(0xffffffffffffffff, 0x0)`,
+ },
+ {
+ `ptrace$peek(0x0)`,
+ `ptrace$peek(0xffffffffffffffff, 0x0, &(0x7f0000000000))`,
+ },
+ {
+ `ptrace(0x1)`,
+ `ptrace(0x1, 0x0)`,
+ },
+ {
+ `arch_prctl(0xf00000001002, 0x0)`,
+ `arch_prctl(0x1001, 0x0)`,
+ },
+ {
+ `arch_prctl(0x1003, 0x0)`,
+ `arch_prctl(0x1003, 0x0)`,
+ },
+ {
+ `ioctl(0x0, 0x200000c0045877, 0x0)`,
+ `ioctl(0x0, 0xc0045878, 0x0)`,
+ },
+ {
+ `ioctl$int_in(0x0, 0x2000008004587d, 0x0)`,
+ `ioctl$int_in(0x0, 0x6609, 0x0)`,
+ },
+ {
+ `fanotify_mark(0x1, 0x2, 0x407fe029, 0x3, 0x0)`,
+ `fanotify_mark(0x1, 0x2, 0x407ce029, 0x3, 0x0)`,
+ },
+ {
+ `fanotify_mark(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffcffff, 0xffffffffffffffff, 0x0)`,
+ `fanotify_mark(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffcffff, 0xffffffffffffffff, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0xffffffffffffffff, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x27, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x27, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1a, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x1a, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1f, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x1f, 0x0, 0x0)`,
+ },
+ {
+ `mmap(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)`,
+ `mmap(0x0, 0x0, 0x0, 0x10, 0x0, 0x0)`,
+ },
+ {
+ `mremap(0x0, 0x0, 0x0, 0xcc, 0x0)`,
+ `mremap(0x0, 0x0, 0x0, 0xcc, 0x0)`,
+ },
+ {
+ `mremap(0x0, 0x0, 0x0, 0xcd, 0x0)`,
+ `mremap(0x0, 0x0, 0x0, 0xcf, 0x0)`,
+ },
+ {
+ `
+mknod(0x0, 0x1000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0xc000, 0x0)
+mknod(0x0, 0x2000, 0x0)
+mknod(0x0, 0x6000, 0x0)
+mknod(0x0, 0x6000, 0x700)
+`,
+ `
+mknod(0x0, 0x1000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0xc000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0x6000, 0x700)
+`,
+ },
+ {
+ `
+exit(0x3)
+exit(0x43)
+exit(0xc3)
+exit(0xc4)
+exit_group(0x5a)
+exit_group(0x44)
+exit_group(0x444)
+`,
+ `
+exit(0x3)
+exit(0x1)
+exit(0x1)
+exit(0x1)
+exit_group(0x5a)
+exit_group(0x1)
+exit_group(0x1)
+`,
+ },
+ }
+ for i, test := range tests {
+ t.Run(fmt.Sprint(i), func(t *testing.T) {
+ p, err := target.Deserialize([]byte(test.input))
+ if err != nil {
+ t.Fatal(err)
+ }
+ got := strings.TrimSpace(string(p.Serialize()))
+ want := strings.TrimSpace(test.output)
+ if got != want {
+ t.Fatalf("input:\n%v\ngot:\n%v\nwant:\n%s", test.input, got, want)
+ }
+ })
+ }
+}
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 371667fc..8b45e3d0 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
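Review bot: `TestSanitize` runs only against `prog.GetTarget("linux", "amd64")`, while the sanitizer reads per-arch `ConstMap` values and the generated tables give `fanotify_mask` a 4-byte size on 386 and arm, so a missing or mis-sized constant on a 32-bit target would not be caught here. The ioctl and arch_prctl expectations are arch-specific, but the `fanotify_mark` and `ptrace` rows are not and could be run in a second loop over each linux target. The row `0x407fe029 -> 0x407ce029` relies on the reader knowing that `FAN_OPEN_PERM|FAN_ACCESS_PERM` is `0x30000` (65536 and 131072 in the generated tables); a short comment on that entry, `// clears FAN_OPEN_PERM|FAN_ACCESS_PERM (0x30000)`, would make the expectation self-explaining. The test also assumes that Deserialize invokes the sanitizer, which this patch does not show.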
@@ -880,7 +880,7 @@ prctl_endian = PR_ENDIAN_BIG, PR_ENDIAN_LITTLE, PR_ENDIAN_PPC_LITTLE
 prctl_fpexc = PR_FP_EXC_SW_ENABLE, PR_FP_EXC_DIV, PR_FP_EXC_OVF, PR_FP_EXC_UND, PR_FP_EXC_RES, PR_FP_EXC_INV, PR_FP_EXC_DISABLED, PR_FP_EXC_NONRECOV, PR_FP_EXC_ASYNC, PR_FP_EXC_PRECISE
 prctl_seccomp_mode = SECCOMP_MODE_DISABLED, SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
 prctl_mm_option = PR_SET_MM_START_CODE, PR_SET_MM_END_CODE, PR_SET_MM_START_DATA, PR_SET_MM_END_DATA, PR_SET_MM_START_STACK, PR_SET_MM_START_BRK, PR_SET_MM_BRK
-arch_prctl_code = ARCH_SET_FS, ARCH_GET_FS, ARCH_SET_GS, ARCH_GET_GS
+arch_prctl_code = ARCH_GET_FS, ARCH_SET_GS, ARCH_GET_GS
 epoll_flags = EPOLL_CLOEXEC
 epoll_ev = POLLIN, POLLOUT, POLLRDHUP, POLLPRI, POLLERR, POLLHUP, EPOLLET, EPOLLONESHOT, EPOLLEXCLUSIVE, EPOLLWAKEUP
 pollfd_events = POLLIN, POLLPRI, POLLOUT, POLLERR, POLLHUP, POLLNVAL, POLLRDNORM, POLLRDBAND, POLLWRNORM, POLLWRBAND, POLLMSG, POLLREMOVE, POLLRDHUP, POLLFREE, POLL_BUSY_LOOP
@@ -905,7 +905,7 @@ inotify_mask = IN_ACCESS, IN_ATTRIB, IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_CREATE
 fanotify_flags = FAN_CLASS_PRE_CONTENT, FAN_CLASS_CONTENT, FAN_CLASS_NOTIF, FAN_CLOEXEC, FAN_NONBLOCK, FAN_UNLIMITED_QUEUE, FAN_UNLIMITED_MARKS, FAN_ENABLE_AUDIT
 fanotify_events = O_RDONLY, O_WRONLY, O_RDWR, O_LARGEFILE, O_CLOEXEC, O_APPEND, O_DSYNC, O_NOATIME, O_NONBLOCK, O_SYNC
 fanotify_mark = FAN_MARK_ADD, FAN_MARK_REMOVE, FAN_MARK_FLUSH, FAN_MARK_DONT_FOLLOW, FAN_MARK_ONLYDIR, FAN_MARK_MOUNT, FAN_MARK_IGNORED_MASK, FAN_MARK_IGNORED_SURV_MODIFY
-fanotify_mask = FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE, FAN_OPEN, FAN_OPEN_PERM, FAN_ACCESS_PERM, FAN_ONDIR, FAN_EVENT_ON_CHILD
+fanotify_mask = FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE, FAN_OPEN, FAN_ONDIR, FAN_EVENT_ON_CHILD
 faccessat_flags = 0x100, 0x200, 0x400, 0x800, 0x1000
 futex_op = FUTEX_WAIT, FUTEX_WAIT_BITSET, FUTEX_WAKE, FUTEX_REQUEUE, FUTEX_CMP_REQUEUE
 sync_file_flags = SYNC_FILE_RANGE_WAIT_BEFORE, SYNC_FILE_RANGE_WRITE, SYNC_FILE_RANGE_WAIT_AFTER
@@ -931,7 +931,7 @@ sched_attr_flags = 0
 sched_attr_flags2 = 0, SCHED_FLAG_RESET_ON_FORK
 sched_attr_size = 48
 mempolicy_flags = 0, MPOL_F_MEMS_ALLOWED, MPOL_F_ADDR, MPOL_F_NODE
-ptrace_req = PTRACE_TRACEME, PTRACE_LISTEN, PTRACE_KILL, PTRACE_INTERRUPT, PTRACE_ATTACH, PTRACE_DETACH
+ptrace_req = PTRACE_LISTEN, PTRACE_KILL, PTRACE_INTERRUPT, PTRACE_ATTACH, PTRACE_DETACH
 ptrace_req_peek = PTRACE_PEEKTEXT, PTRACE_PEEKDATA
 ptrace_req_poke = PTRACE_POKETEXT, PTRACE_POKEDATA
 ptrace_req_getregs = PTRACE_GETREGS, PTRACE_GETFPREGS
@@ -958,7 +958,7 @@ fiemap_extent_flags = FIEMAP_EXTENT_LAST, FIEMAP_EXTENT_UNKNOWN, FIEMAP_EXTENT_D
 getrandom_flags = GRND_NONBLOCK, GRND_RANDOM
 clone_flags = CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_PTRACE, CLONE_VFORK, CLONE_PARENT, CLONE_THREAD, CLONE_NEWNS, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID, CLONE_UNTRACED, CLONE_CHILD_SETTID, CLONE_NEWCGROUP, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET, CLONE_IO
-_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, __NR_mmap2
+_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, FAN_OPEN_PERM, FAN_ACCESS_PERM, PTRACE_TRACEME, ARCH_SET_FS, __NR_mmap2
 # Not yet implemented syscalls
 #define __NR_umask 95
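Review bot: The `_ =` list now carries FAN_OPEN_PERM, FAN_ACCESS_PERM, PTRACE_TRACEME and ARCH_SET_FS purely so that they stay in the extracted const tables for `sys/linux/init.go`, but nothing on the line says so; a later cleanup that drops "unused" names from this list would make the corresponding `target.ConstMap` lookups yield 0 and silently disable the sanitizer. Suggest a comment above the line, e.g. `# Constants below are not used by any description but are looked up from sys/linux/init.go (sanitizeCall); keep them in sync.` The same caveat applies to the pre-existing KCOV/FIFREEZE entries, which are presumably referenced from the executor.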