mirror of
https://github.com/reactos/syzkaller.git
synced 2024-11-30 23:00:29 +00:00
11fa8bb3de
Caught by existing tests, just happens very infrequently.
211 lines
5.8 KiB
Go
211 lines
5.8 KiB
Go
// Copyright 2017 syzkaller project authors. All rights reserved.
|
|
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
package prog
|
|
|
|
import (
|
|
"fmt"
|
|
"math/rand"
|
|
"sort"
|
|
"sync"
|
|
)
|
|
|
|
// Target describes target OS/arch pair.
|
|
type Target struct {
|
|
OS string
|
|
Arch string
|
|
Revision string // unique hash representing revision of the descriptions
|
|
PtrSize uint64
|
|
PageSize uint64
|
|
DataOffset uint64
|
|
|
|
Syscalls []*Syscall
|
|
Resources []*ResourceDesc
|
|
Structs []*KeyedStruct
|
|
Consts []ConstValue
|
|
|
|
// Syscall used by MakeMmap.
|
|
// It has some special meaning because there are usually too many of them.
|
|
MmapSyscall *Syscall
|
|
|
|
// MakeMmap creates call that maps [start, start+npages) page range.
|
|
MakeMmap func(start, npages uint64) *Call
|
|
|
|
// AnalyzeMmap analyzes the call c regarding mapping/unmapping memory.
|
|
// If it maps/unmaps any memory returns [start, start+npages) range,
|
|
// otherwise returns npages = 0.
|
|
AnalyzeMmap func(c *Call) (start, npages uint64, mapped bool)
|
|
|
|
// SanitizeCall neutralizes harmful calls.
|
|
SanitizeCall func(c *Call)
|
|
|
|
// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
|
|
// Map key is struct/union name for which custom generation/mutation is required.
|
|
// Map value is custom generation/mutation function that will be called
|
|
// for the corresponding type. g is helper object that allows generate random numbers,
|
|
// allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union
|
|
// for mutation, or nil for generation. The function returns a new value of the struct/union,
|
|
// and optionally any calls that need to be inserted before the arg reference.
|
|
SpecialTypes map[string]func(g *Gen, typ Type, old Arg) (Arg, []*Call)
|
|
|
|
// Special strings that can matter for the target.
|
|
// Used as fallback when string type does not have own dictionary.
|
|
StringDictionary []string
|
|
|
|
// Filled by prog package:
|
|
init sync.Once
|
|
initArch func(target *Target)
|
|
SyscallMap map[string]*Syscall
|
|
ConstMap map[string]uint64
|
|
resourceMap map[string]*ResourceDesc
|
|
// Maps resource name to a list of calls that can create the resource.
|
|
resourceCtors map[string][]*Syscall
|
|
}
|
|
|
|
var targets = make(map[string]*Target)
|
|
|
|
func RegisterTarget(target *Target, initArch func(target *Target)) {
|
|
key := target.OS + "/" + target.Arch
|
|
if targets[key] != nil {
|
|
panic(fmt.Sprintf("duplicate target %v", key))
|
|
}
|
|
target.initArch = initArch
|
|
targets[key] = target
|
|
}
|
|
|
|
func GetTarget(OS, arch string) (*Target, error) {
|
|
key := OS + "/" + arch
|
|
target := targets[key]
|
|
if target == nil {
|
|
var supported []string
|
|
for _, t := range targets {
|
|
supported = append(supported, fmt.Sprintf("%v/%v", t.OS, t.Arch))
|
|
}
|
|
sort.Strings(supported)
|
|
return nil, fmt.Errorf("unknown target: %v (supported: %v)", key, supported)
|
|
}
|
|
target.init.Do(target.lazyInit)
|
|
return target, nil
|
|
}
|
|
|
|
func AllTargets() []*Target {
|
|
var res []*Target
|
|
for _, target := range targets {
|
|
target.init.Do(target.lazyInit)
|
|
res = append(res, target)
|
|
}
|
|
sort.Slice(res, func(i, j int) bool {
|
|
if res[i].OS != res[j].OS {
|
|
return res[i].OS < res[j].OS
|
|
}
|
|
return res[i].Arch < res[j].Arch
|
|
})
|
|
return res
|
|
}
|
|
|
|
func (target *Target) lazyInit() {
|
|
target.SanitizeCall = func(c *Call) {}
|
|
target.initTarget()
|
|
target.initArch(target)
|
|
target.ConstMap = nil // currently used only by initArch
|
|
}
|
|
|
|
func (target *Target) initTarget() {
|
|
target.ConstMap = make(map[string]uint64)
|
|
for _, c := range target.Consts {
|
|
target.ConstMap[c.Name] = c.Value
|
|
}
|
|
|
|
target.resourceMap = make(map[string]*ResourceDesc)
|
|
for _, res := range target.Resources {
|
|
target.resourceMap[res.Name] = res
|
|
}
|
|
|
|
keyedStructs := make(map[StructKey]*StructDesc)
|
|
for _, desc := range target.Structs {
|
|
keyedStructs[desc.Key] = desc.Desc
|
|
}
|
|
target.Structs = nil
|
|
|
|
target.SyscallMap = make(map[string]*Syscall)
|
|
for _, c := range target.Syscalls {
|
|
target.SyscallMap[c.Name] = c
|
|
ForeachType(c, func(t0 Type) {
|
|
switch t := t0.(type) {
|
|
case *ResourceType:
|
|
t.Desc = target.resourceMap[t.TypeName]
|
|
if t.Desc == nil {
|
|
panic("no resource desc")
|
|
}
|
|
case *StructType:
|
|
t.StructDesc = keyedStructs[t.Key]
|
|
if t.StructDesc == nil {
|
|
panic("no struct desc")
|
|
}
|
|
case *UnionType:
|
|
t.StructDesc = keyedStructs[t.Key]
|
|
if t.StructDesc == nil {
|
|
panic("no union desc")
|
|
}
|
|
}
|
|
})
|
|
}
|
|
|
|
target.resourceCtors = make(map[string][]*Syscall)
|
|
for _, res := range target.Resources {
|
|
target.resourceCtors[res.Name] = target.calcResourceCtors(res.Kind, false)
|
|
}
|
|
}
|
|
|
|
type Gen struct {
|
|
r *randGen
|
|
s *state
|
|
}
|
|
|
|
func (g *Gen) Rand() *rand.Rand {
|
|
return g.r.Rand
|
|
}
|
|
|
|
func (g *Gen) NOutOf(n, outOf int) bool {
|
|
return g.r.nOutOf(n, outOf)
|
|
}
|
|
|
|
func (g *Gen) Alloc(ptrType Type, data Arg) (Arg, []*Call) {
|
|
return g.r.addr(g.s, ptrType, data.Size(), data)
|
|
}
|
|
|
|
func (g *Gen) GenerateArg(typ Type, pcalls *[]*Call) Arg {
|
|
return g.generateArg(typ, pcalls, false)
|
|
}
|
|
|
|
func (g *Gen) GenerateSpecialArg(typ Type, pcalls *[]*Call) Arg {
|
|
return g.generateArg(typ, pcalls, true)
|
|
}
|
|
|
|
func (g *Gen) generateArg(typ Type, pcalls *[]*Call, ignoreSpecial bool) Arg {
|
|
arg, calls := g.r.generateArgImpl(g.s, typ, ignoreSpecial)
|
|
*pcalls = append(*pcalls, calls...)
|
|
g.r.target.assignSizesArray([]Arg{arg})
|
|
return arg
|
|
}
|
|
|
|
func (g *Gen) MutateArg(arg0 Arg) (calls []*Call) {
|
|
updateSizes := true
|
|
for stop := false; !stop; stop = g.r.oneOf(3) {
|
|
args, bases, parents := g.r.target.mutationSubargs(arg0)
|
|
if len(args) == 0 {
|
|
// TODO(dvyukov): probably need to return this condition
|
|
// and updateSizes to caller so that Mutate can act accordingly.
|
|
return
|
|
}
|
|
idx := g.r.Intn(len(args))
|
|
arg, base, parent := args[idx], bases[idx], parents[idx]
|
|
newCalls, ok := g.r.target.mutateArg(g.r, g.s, arg, base, parent, &updateSizes)
|
|
if !ok {
|
|
continue
|
|
}
|
|
calls = append(calls, newCalls...)
|
|
}
|
|
return calls
|
|
}
|