From 85c573157db1baae51178263fe3289c8329e6dc2 Mon Sep 17 00:00:00 2001
From: Anton Lindqvist
Date: Tue, 21 May 2019 23:17:22 +0200
Subject: [PATCH] pkg/csource: add ability to annotate syscalls using comments in C reproducers

Providing additional info, especially regarding syscall arguments, in reproducers can be helpful. An example is device numbers passed to mknod(2). This commit introduces an optional annotate function on a per target basis.

Example for the OpenBSD target:

$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
  syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
  syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
  syscall(SYS_getpid);
  return 0;
}
---
 pkg/csource/csource.go |  7 ++++++-
 prog/target.go         |  6 ++++++
 sys/openbsd/init.go    | 16 ++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/pkg/csource/csource.go b/pkg/csource/csource.go
index c8513286..75b5a5e0 100644
--- a/pkg/csource/csource.go
+++ b/pkg/csource/csource.go
@@ -239,7 +239,12 @@ func (ctx *context) emitCall(w *bytes.Buffer, call prog.ExecCall, ci int, haveCo
 		}
 		fmt.Fprintf(w, "0")
 	}
-	fmt.Fprintf(w, ");\n")
+	fmt.Fprintf(w, ");")
+	comment := ctx.target.AnnotateCall(call)
+	if len(comment) != 0 {
+		fmt.Fprintf(w, " /* %s */", comment)
+	}
+	fmt.Fprintf(w, "\n")
 	if trace {
 		cast := ""
 		if !native && !strings.HasPrefix(callName, "syz_") {
diff --git a/prog/target.go b/prog/target.go
index b64af002..da9b3255 100644
--- a/prog/target.go
+++ b/prog/target.go
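Review bot: The annotation is interpolated verbatim into a C block comment by the new `fmt.Fprintf(w, " /* %s */", comment)` line, so any target whose AnnotateCall ever returns text containing `*/` would close the comment early and inject source into the reproducer, which is a program people compile and run. The OpenBSD implementation in this commit only formats integers, so this is not reachable today, but nothing at the call site enforces that contract for future targets. Since `strings` is already in scope here, a cheap guard is `if len(comment) != 0 && !strings.Contains(comment, "*/") {`, dropping a malformed annotation rather than emitting it. emitCall starts before this hunk and continues past it.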
@@ -31,6 +31,11 @@ type Target struct {
 	// SanitizeCall neutralizes harmful calls.
 	SanitizeCall func(c *Call)
 
+	// AnnotateCall annotates a syscall invocation in C reproducers.
+	// The returned string will be placed inside a comment except for the
+	// empty string which will omit the comment.
+	AnnotateCall func(c ExecCall) string
+
 	// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
 	// Map key is struct/union name for which custom generation/mutation is required.
 	// Map value is custom generation/mutation function that will be called
@@ -106,6 +111,7 @@ func AllTargets() []*Target {
 
 func (target *Target) lazyInit() {
 	target.SanitizeCall = func(c *Call) {}
+	target.AnnotateCall = func(c ExecCall) string { return "" }
 	target.initTarget()
 	target.initArch(target)
 	target.ConstMap = nil // currently used only by initArch
diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go
index bce74fba..c42fe049 100644
--- a/sys/openbsd/init.go
+++ b/sys/openbsd/init.go
@@ -4,6 +4,8 @@ package openbsd
 
 import (
+	"fmt"
+
 	"github.com/google/syzkaller/prog"
 	"github.com/google/syzkaller/sys/targets"
 )
@@ -17,6 +19,7 @@ func InitTarget(target *prog.Target) {
 
 	target.MakeMmap = targets.MakePosixMmap(target)
 	target.SanitizeCall = arch.SanitizeCall
+	target.AnnotateCall = arch.annotateCall
 }
 
 type arch struct {
@@ -107,3 +110,16 @@ func (arch *arch) SanitizeCall(c *prog.Call) {
 		arch.unix.SanitizeCall(c)
 	}
 }
+
+func (arch *arch) annotateCall(c prog.ExecCall) string {
+	devArg := 2
+	switch c.Meta.Name {
+	case "mknodat":
+		devArg = 3
+		fallthrough
+	case "mknod":
+		dev := c.Args[devArg].(prog.ExecArgConst).Value
+		return fmt.Sprintf("major = %v, minor = %v", devmajor(dev), devminor(dev))
+	}
+	return ""
+}
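Review bot: The new AnnotateCall doc comment says the returned string is placed inside a comment but does not state what an implementation must avoid for that to be safe: text containing `*/` or a newline would break, or worse alter, the generated C reproducer. Because this field is the contract every target implements, the constraint belongs here rather than in one caller. I would extend the comment with `// The string is emitted verbatim inside a C block comment, so it must not contain "*/" or newlines.` The Target struct continues outside this hunk.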
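Review bot: In annotateCall, `c.Args[devArg].(prog.ExecArgConst)` is an unchecked type assertion on an unchecked index, so a mknod/mknodat call whose dev argument is represented by any other ExecArg implementation, or that arrives with fewer arguments than expected, panics the whole reproducer generation instead of merely omitting a comment that is purely informational. The annotation should degrade to the empty string in both cases, as sketched below. Separately, the switch matches `c.Meta.Name`; if the OpenBSD descriptions declare specialized variants of these calls (the `name$variant` form), they would not be annotated, and matching on `c.Meta.CallName` instead would presumably cover them — worth confirming against the Syscall definition in prog.
```go
	case "mknod":
		// Informational only: never let an unexpected arg shape panic generation.
		if devArg >= len(c.Args) {
			return ""
		}
		arg, ok := c.Args[devArg].(prog.ExecArgConst)
		if !ok {
			return ""
		}
		return fmt.Sprintf("major = %v, minor = %v", devmajor(arg.Value), devminor(arg.Value))
	// … unchanged: closing of switch and final return "" …
```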