pkg/csource: add ability to annotate syscalls using comments in C reproducers

Providing additional info, especially regarding syscall arguments, in reproducers can be helpful. An example is device numbers passed to mknod(2). This commit introduces an optional annotate function on a per target basis. Example for the OpenBSD target: $ cat prog.in mknod(0x0, 0x0, 0x4503) getpid() $ syz-prog2c -prog prog.in int main(void) { syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0); syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */ syscall(SYS_getpid); return 0; }
2024-11-27 05:10:43 +00:00 · 2019-05-21 23:17:22 +02:00 · 2019-05-21 23:17:22 +02:00 · 85c573157d
commit 85c573157d
parent 0dadcd9d91
3 changed files with 28 additions and 1 deletions
--- a/pkg/csource/csource.go
+++ b/pkg/csource/csource.go
@ -239,7 +239,12 @@ func (ctx *context) emitCall(w *bytes.Buffer, call prog.ExecCall, ci int, haveCo
 		}
 		fmt.Fprintf(w, "0")
 	}
-	fmt.Fprintf(w, ");\n")
+	fmt.Fprintf(w, ");")
+	comment := ctx.target.AnnotateCall(call)
+	if len(comment) != 0 {
+		fmt.Fprintf(w, " /* %s */", comment)
+	}
+	fmt.Fprintf(w, "\n")
 	if trace {
 		cast := ""
 		if !native && !strings.HasPrefix(callName, "syz_") {
--- a/prog/target.go
+++ b/prog/target.go
@ -31,6 +31,11 @@ type Target struct {
 	// SanitizeCall neutralizes harmful calls.
 	SanitizeCall func(c *Call)

+	// AnnotateCall annotates a syscall invocation in C reproducers.
+	// The returned string will be placed inside a comment except for the
+	// empty string which will omit the comment.
+	AnnotateCall func(c ExecCall) string
+
 	// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
 	// Map key is struct/union name for which custom generation/mutation is required.
 	// Map value is custom generation/mutation function that will be called
@ -106,6 +111,7 @@ func AllTargets() []*Target {

 func (target *Target) lazyInit() {
 	target.SanitizeCall = func(c *Call) {}
+	target.AnnotateCall = func(c ExecCall) string { return "" }
 	target.initTarget()
 	target.initArch(target)
 	target.ConstMap = nil // currently used only by initArch
--- a/sys/openbsd/init.go
+++ b/sys/openbsd/init.go
@ -4,6 +4,8 @@
 package openbsd

 import (
+	"fmt"
+
 	"github.com/google/syzkaller/prog"
 	"github.com/google/syzkaller/sys/targets"
 )
@ -17,6 +19,7 @@ func InitTarget(target *prog.Target) {

 	target.MakeMmap = targets.MakePosixMmap(target)
 	target.SanitizeCall = arch.SanitizeCall
+	target.AnnotateCall = arch.annotateCall
 }

 type arch struct {
@ -107,3 +110,16 @@ func (arch *arch) SanitizeCall(c *prog.Call) {
 		arch.unix.SanitizeCall(c)
 	}
 }
+
+func (arch *arch) annotateCall(c prog.ExecCall) string {
+	devArg := 2
+	switch c.Meta.Name {
+	case "mknodat":
+		devArg = 3
+		fallthrough
+	case "mknod":
+		dev := c.Args[devArg].(prog.ExecArgConst).Value
+		return fmt.Sprintf("major = %v, minor = %v", devmajor(dev), devminor(dev))
+	}
+	return ""
+}