mirror of
https://github.com/reactos/syzkaller.git
synced 2024-11-24 11:59:58 +00:00
40957b8193
Otherwise C repros print infinite stream of the same leaks again and again.
2765 lines
81 KiB
C
2765 lines
81 KiB
C
// Copyright 2016 syzkaller project authors. All rights reserved.
|
||
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
||
|
||
// This file is shared between executor and csource package.
|
||
|
||
#include <stdlib.h>
|
||
#include <sys/syscall.h>
|
||
#include <sys/types.h>
|
||
#include <unistd.h>
|
||
|
||
#if SYZ_EXECUTOR
|
||
const int kExtraCoverSize = 256 << 10;
|
||
struct cover_t;
|
||
static void cover_reset(cover_t* cov);
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_THREADED
|
||
#include <linux/futex.h>
|
||
#include <pthread.h>
|
||
|
||
typedef struct {
|
||
int state;
|
||
} event_t;
|
||
|
||
static void event_init(event_t* ev)
|
||
{
|
||
ev->state = 0;
|
||
}
|
||
|
||
static void event_reset(event_t* ev)
|
||
{
|
||
ev->state = 0;
|
||
}
|
||
|
||
static void event_set(event_t* ev)
|
||
{
|
||
if (ev->state)
|
||
fail("event already set");
|
||
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
|
||
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
|
||
}
|
||
|
||
static void event_wait(event_t* ev)
|
||
{
|
||
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
|
||
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
|
||
}
|
||
|
||
static int event_isset(event_t* ev)
|
||
{
|
||
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
|
||
}
|
||
|
||
static int event_timedwait(event_t* ev, uint64 timeout)
|
||
{
|
||
uint64 start = current_time_ms();
|
||
uint64 now = start;
|
||
for (;;) {
|
||
uint64 remain = timeout - (now - start);
|
||
struct timespec ts;
|
||
ts.tv_sec = remain / 1000;
|
||
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
|
||
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
|
||
if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
|
||
return 1;
|
||
now = current_time_ms();
|
||
if (now - start > timeout)
|
||
return 0;
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT || SYZ_TUN_ENABLE || SYZ_FAULT_INJECTION || SYZ_SANDBOX_NONE || \
|
||
SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP || \
|
||
SYZ_FAULT_INJECTION || SYZ_ENABLE_LEAK || SYZ_ENABLE_BINFMT_MISC
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <stdarg.h>
|
||
#include <stdbool.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static bool write_file(const char* file, const char* what, ...)
|
||
{
|
||
char buf[1024];
|
||
va_list args;
|
||
va_start(args, what);
|
||
vsnprintf(buf, sizeof(buf), what, args);
|
||
va_end(args);
|
||
buf[sizeof(buf) - 1] = 0;
|
||
int len = strlen(buf);
|
||
|
||
int fd = open(file, O_WRONLY | O_CLOEXEC);
|
||
if (fd == -1)
|
||
return false;
|
||
if (write(fd, buf, len) != len) {
|
||
int err = errno;
|
||
close(fd);
|
||
debug("write(%s) failed: %d\n", file, err);
|
||
errno = err;
|
||
return false;
|
||
}
|
||
close(fd);
|
||
return true;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV || SYZ_TUN_ENABLE
|
||
#include <arpa/inet.h>
|
||
#include <net/if.h>
|
||
#include <netinet/in.h>
|
||
#include <string.h>
|
||
#include <sys/socket.h>
|
||
#include <sys/types.h>
|
||
|
||
#include <linux/if_addr.h>
|
||
#include <linux/if_link.h>
|
||
#include <linux/in6.h>
|
||
#include <linux/neighbour.h>
|
||
#include <linux/net.h>
|
||
#include <linux/netlink.h>
|
||
#include <linux/rtnetlink.h>
|
||
#include <linux/veth.h>
|
||
|
||
static struct {
|
||
char* pos;
|
||
int nesting;
|
||
struct nlattr* nested[8];
|
||
char buf[1024];
|
||
} nlmsg;
|
||
|
||
static void netlink_init(int typ, int flags, const void* data, int size)
|
||
{
|
||
memset(&nlmsg, 0, sizeof(nlmsg));
|
||
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
|
||
hdr->nlmsg_type = typ;
|
||
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
|
||
memcpy(hdr + 1, data, size);
|
||
nlmsg.pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
|
||
}
|
||
|
||
static void netlink_attr(int typ, const void* data, int size)
|
||
{
|
||
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
|
||
attr->nla_len = sizeof(*attr) + size;
|
||
attr->nla_type = typ;
|
||
memcpy(attr + 1, data, size);
|
||
nlmsg.pos += NLMSG_ALIGN(attr->nla_len);
|
||
}
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
static void netlink_nest(int typ)
|
||
{
|
||
struct nlattr* attr = (struct nlattr*)nlmsg.pos;
|
||
attr->nla_type = typ;
|
||
nlmsg.pos += sizeof(*attr);
|
||
nlmsg.nested[nlmsg.nesting++] = attr;
|
||
}
|
||
|
||
static void netlink_done(void)
|
||
{
|
||
struct nlattr* attr = nlmsg.nested[--nlmsg.nesting];
|
||
attr->nla_len = nlmsg.pos - (char*)attr;
|
||
}
|
||
#endif
|
||
|
||
static int netlink_send(int sock)
|
||
{
|
||
if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
|
||
fail("nlmsg overflow/bad nesting");
|
||
struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
|
||
hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
|
||
struct sockaddr_nl addr;
|
||
memset(&addr, 0, sizeof(addr));
|
||
addr.nl_family = AF_NETLINK;
|
||
unsigned n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
|
||
if (n != hdr->nlmsg_len)
|
||
fail("short netlink write: %d/%d", n, hdr->nlmsg_len);
|
||
n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
|
||
if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
|
||
fail("short netlink read: %d", n);
|
||
if (hdr->nlmsg_type != NLMSG_ERROR)
|
||
fail("short netlink ack: %d", hdr->nlmsg_type);
|
||
return -((struct nlmsgerr*)(hdr + 1))->error;
|
||
}
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
static void netlink_add_device_impl(const char* type, const char* name)
|
||
{
|
||
struct ifinfomsg hdr;
|
||
memset(&hdr, 0, sizeof(hdr));
|
||
netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
|
||
if (name)
|
||
netlink_attr(IFLA_IFNAME, name, strlen(name));
|
||
netlink_nest(IFLA_LINKINFO);
|
||
netlink_attr(IFLA_INFO_KIND, type, strlen(type));
|
||
}
|
||
|
||
static void netlink_add_device(int sock, const char* type, const char* name)
|
||
{
|
||
netlink_add_device_impl(type, name);
|
||
netlink_done();
|
||
int err = netlink_send(sock);
|
||
debug("netlink: adding device %s type %s: %s\n", name, type, strerror(err));
|
||
(void)err;
|
||
}
|
||
|
||
static void netlink_add_veth(int sock, const char* name, const char* peer)
|
||
{
|
||
netlink_add_device_impl("veth", name);
|
||
netlink_nest(IFLA_INFO_DATA);
|
||
netlink_nest(VETH_INFO_PEER);
|
||
nlmsg.pos += sizeof(struct ifinfomsg);
|
||
netlink_attr(IFLA_IFNAME, peer, strlen(peer));
|
||
netlink_done();
|
||
netlink_done();
|
||
netlink_done();
|
||
int err = netlink_send(sock);
|
||
debug("netlink: adding device %s type veth peer %s: %s\n", name, peer, strerror(err));
|
||
(void)err;
|
||
}
|
||
|
||
static void netlink_add_hsr(int sock, const char* name, const char* slave1, const char* slave2)
|
||
{
|
||
netlink_add_device_impl("hsr", name);
|
||
netlink_nest(IFLA_INFO_DATA);
|
||
int ifindex1 = if_nametoindex(slave1);
|
||
netlink_attr(IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1));
|
||
int ifindex2 = if_nametoindex(slave2);
|
||
netlink_attr(IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2));
|
||
netlink_done();
|
||
netlink_done();
|
||
int err = netlink_send(sock);
|
||
debug("netlink: adding device %s type hsr slave1 %s slave2 %s: %s\n",
|
||
name, slave1, slave2, strerror(err));
|
||
(void)err;
|
||
}
|
||
#endif
|
||
|
||
static void netlink_device_change(int sock, const char* name, bool up,
|
||
const char* master, const void* mac, int macsize)
|
||
{
|
||
struct ifinfomsg hdr;
|
||
memset(&hdr, 0, sizeof(hdr));
|
||
if (up)
|
||
hdr.ifi_flags = hdr.ifi_change = IFF_UP;
|
||
netlink_init(RTM_NEWLINK, 0, &hdr, sizeof(hdr));
|
||
netlink_attr(IFLA_IFNAME, name, strlen(name));
|
||
if (master) {
|
||
int ifindex = if_nametoindex(master);
|
||
netlink_attr(IFLA_MASTER, &ifindex, sizeof(ifindex));
|
||
}
|
||
if (macsize)
|
||
netlink_attr(IFLA_ADDRESS, mac, macsize);
|
||
int err = netlink_send(sock);
|
||
debug("netlink: device %s up master %s: %s\n", name, master, strerror(err));
|
||
(void)err;
|
||
}
|
||
|
||
static int netlink_add_addr(int sock, const char* dev, const void* addr, int addrsize)
|
||
{
|
||
struct ifaddrmsg hdr;
|
||
memset(&hdr, 0, sizeof(hdr));
|
||
hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
|
||
hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
|
||
hdr.ifa_scope = RT_SCOPE_UNIVERSE;
|
||
hdr.ifa_index = if_nametoindex(dev);
|
||
netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
|
||
netlink_attr(IFA_LOCAL, addr, addrsize);
|
||
netlink_attr(IFA_ADDRESS, addr, addrsize);
|
||
return netlink_send(sock);
|
||
}
|
||
|
||
static void netlink_add_addr4(int sock, const char* dev, const char* addr)
|
||
{
|
||
struct in_addr in_addr;
|
||
inet_pton(AF_INET, addr, &in_addr);
|
||
int err = netlink_add_addr(sock, dev, &in_addr, sizeof(in_addr));
|
||
debug("netlink: add addr %s dev %s: %s\n", addr, dev, strerror(err));
|
||
(void)err;
|
||
}
|
||
|
||
static void netlink_add_addr6(int sock, const char* dev, const char* addr)
|
||
{
|
||
struct in6_addr in6_addr;
|
||
inet_pton(AF_INET6, addr, &in6_addr);
|
||
int err = netlink_add_addr(sock, dev, &in6_addr, sizeof(in6_addr));
|
||
debug("netlink: add addr %s dev %s: %s\n", addr, dev, strerror(err));
|
||
(void)err;
|
||
}
|
||
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
static void netlink_add_neigh(int sock, const char* name,
|
||
const void* addr, int addrsize, const void* mac, int macsize)
|
||
{
|
||
struct ndmsg hdr;
|
||
memset(&hdr, 0, sizeof(hdr));
|
||
hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
|
||
hdr.ndm_ifindex = if_nametoindex(name);
|
||
hdr.ndm_state = NUD_PERMANENT;
|
||
netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
|
||
netlink_attr(NDA_DST, addr, addrsize);
|
||
netlink_attr(NDA_LLADDR, mac, macsize);
|
||
int err = netlink_send(sock);
|
||
debug("netlink: add neigh %s addr %d lladdr %d: %s\n",
|
||
name, addrsize, macsize, strerror(err));
|
||
(void)err;
|
||
}
|
||
#endif
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
#include <arpa/inet.h>
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <net/if.h>
|
||
#include <net/if_arp.h>
|
||
#include <stdarg.h>
|
||
#include <stdbool.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
|
||
#include <linux/if_ether.h>
|
||
#include <linux/if_tun.h>
|
||
#include <linux/ip.h>
|
||
#include <linux/tcp.h>
|
||
|
||
static int tunfd = -1;
|
||
static int tun_frags_enabled;
|
||
|
||
// We just need this to be large enough to hold headers that we parse (ethernet/ip/tcp).
|
||
// Rest of the packet (if any) will be silently truncated which is fine.
|
||
#define SYZ_TUN_MAX_PACKET_SIZE 1000
|
||
|
||
#define TUN_IFACE "syz_tun"
|
||
|
||
#define LOCAL_MAC 0xaaaaaaaaaaaa
|
||
#define REMOTE_MAC 0xaaaaaaaaaabb
|
||
|
||
#define LOCAL_IPV4 "172.20.20.170"
|
||
#define REMOTE_IPV4 "172.20.20.187"
|
||
|
||
#define LOCAL_IPV6 "fe80::aa"
|
||
#define REMOTE_IPV6 "fe80::bb"
|
||
|
||
#ifndef IFF_NAPI
|
||
#define IFF_NAPI 0x0010
|
||
#endif
|
||
#ifndef IFF_NAPI_FRAGS
|
||
#define IFF_NAPI_FRAGS 0x0020
|
||
#endif
|
||
|
||
static void initialize_tun(void)
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_tun)
|
||
return;
|
||
#endif
|
||
tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
|
||
if (tunfd == -1) {
|
||
#if SYZ_EXECUTOR
|
||
fail("tun: can't open /dev/net/tun");
|
||
#else
|
||
printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
|
||
printf("otherwise fuzzing or reproducing might not work as intended\n");
|
||
return;
|
||
#endif
|
||
}
|
||
// Remap tun onto higher fd number to hide it from fuzzer and to keep
|
||
// fd numbers stable regardless of whether tun is opened or not (also see kMaxFd).
|
||
const int kTunFd = 240;
|
||
if (dup2(tunfd, kTunFd) < 0)
|
||
fail("dup2(tunfd, kTunFd) failed");
|
||
close(tunfd);
|
||
tunfd = kTunFd;
|
||
|
||
struct ifreq ifr;
|
||
memset(&ifr, 0, sizeof(ifr));
|
||
strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
|
||
ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
|
||
if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
|
||
// IFF_NAPI_FRAGS requires root, so try without it.
|
||
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
|
||
if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0)
|
||
fail("tun: ioctl(TUNSETIFF) failed");
|
||
}
|
||
// If IFF_NAPI_FRAGS is not supported it will be silently dropped,
|
||
// so query the effective flags.
|
||
if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0)
|
||
fail("tun: ioctl(TUNGETIFF) failed");
|
||
tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0;
|
||
debug("tun_frags_enabled=%d\n", tun_frags_enabled);
|
||
|
||
// Disable IPv6 DAD, otherwise the address remains unusable until DAD completes.
|
||
// Don't panic because this is an optional config.
|
||
char sysctl[64];
|
||
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
|
||
write_file(sysctl, "0");
|
||
// Disable IPv6 router solicitation to prevent IPv6 spam.
|
||
// Don't panic because this is an optional config.
|
||
sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
|
||
write_file(sysctl, "0");
|
||
// There seems to be no way to disable IPv6 MTD to prevent more IPv6 spam.
|
||
|
||
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
|
||
if (sock == -1)
|
||
fail("socket(AF_NETLINK) failed");
|
||
|
||
netlink_add_addr4(sock, TUN_IFACE, LOCAL_IPV4);
|
||
netlink_add_addr6(sock, TUN_IFACE, LOCAL_IPV6);
|
||
uint64 macaddr = REMOTE_MAC;
|
||
struct in_addr in_addr;
|
||
inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
|
||
netlink_add_neigh(sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN);
|
||
struct in6_addr in6_addr;
|
||
inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
|
||
netlink_add_neigh(sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN);
|
||
macaddr = LOCAL_MAC;
|
||
netlink_device_change(sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN);
|
||
close(sock);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
#include <arpa/inet.h>
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <net/if.h>
|
||
#include <net/if_arp.h>
|
||
#include <stdarg.h>
|
||
#include <stdbool.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/uio.h>
|
||
|
||
#include <linux/if_ether.h>
|
||
#include <linux/if_tun.h>
|
||
#include <linux/ip.h>
|
||
#include <linux/tcp.h>
|
||
|
||
// Addresses are chosen to be in the same subnet as tun addresses.
|
||
#define DEV_IPV4 "172.20.20.%d"
|
||
#define DEV_IPV6 "fe80::%02x"
|
||
#define DEV_MAC 0x00aaaaaaaaaa
|
||
|
||
// We test in a separate namespace, which does not have any network devices initially (even lo).
|
||
// Create/up as many as we can.
|
||
static void initialize_netdevices(void)
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_net_dev)
|
||
return;
|
||
#endif
|
||
// TODO: add the following devices:
|
||
// - vlan
|
||
// - vxlan
|
||
// - macvlan
|
||
// - ipvlan
|
||
// - macsec
|
||
// - ipip
|
||
// - lowpan
|
||
// - ipoib
|
||
// - geneve
|
||
// - vrf
|
||
// - rmnet
|
||
// - openvswitch
|
||
// Naive attempts to add devices of these types fail with various errors.
|
||
// Also init namespace contains the following devices (which presumably can't be
|
||
// created in non-init namespace), can we use them somehow?
|
||
// - ifb0/1
|
||
// - wpan0/1
|
||
// - hwsim0
|
||
// - teql0
|
||
// - eql
|
||
char netdevsim[16];
|
||
sprintf(netdevsim, "netdevsim%d", (int)procid);
|
||
struct {
|
||
const char* type;
|
||
const char* dev;
|
||
} devtypes[] = {
|
||
// Note: ip6erspan device can't be added if ip6gretap exists in the same namespace.
|
||
{"ip6gretap", "ip6gretap0"},
|
||
{"bridge", "bridge0"},
|
||
{"vcan", "vcan0"},
|
||
{"bond", "bond0"},
|
||
{"team", "team0"},
|
||
{"dummy", "dummy0"},
|
||
{"nlmon", "nlmon0"},
|
||
{"caif", "caif0"},
|
||
{"batadv", "batadv0"},
|
||
// Note: adding device vxcan0 fails.
|
||
{"vxcan", "vxcan1"},
|
||
// Note: netdevsim devices can't have the same name even in different namespaces.
|
||
{"netdevsim", netdevsim},
|
||
// This adds connected veth0 and veth1 devices.
|
||
{"veth", 0},
|
||
};
|
||
const char* devmasters[] = {"bridge", "bond", "team"};
|
||
// If you extend this array, also update netdev_addr_id in vnet.txt.
|
||
struct {
|
||
const char* name;
|
||
int macsize;
|
||
bool noipv6;
|
||
} devices[] = {
|
||
{"lo", ETH_ALEN},
|
||
{"sit0", 0},
|
||
{"bridge0", ETH_ALEN},
|
||
{"vcan0", 0, true},
|
||
{"tunl0", 0},
|
||
{"gre0", 0},
|
||
{"gretap0", ETH_ALEN},
|
||
{"ip_vti0", 0},
|
||
{"ip6_vti0", 0},
|
||
{"ip6tnl0", 0},
|
||
{"ip6gre0", 0},
|
||
{"ip6gretap0", ETH_ALEN},
|
||
{"erspan0", ETH_ALEN},
|
||
{"bond0", ETH_ALEN},
|
||
{"veth0", ETH_ALEN},
|
||
{"veth1", ETH_ALEN},
|
||
{"team0", ETH_ALEN},
|
||
{"veth0_to_bridge", ETH_ALEN},
|
||
{"veth1_to_bridge", ETH_ALEN},
|
||
{"veth0_to_bond", ETH_ALEN},
|
||
{"veth1_to_bond", ETH_ALEN},
|
||
{"veth0_to_team", ETH_ALEN},
|
||
{"veth1_to_team", ETH_ALEN},
|
||
{"veth0_to_hsr", ETH_ALEN},
|
||
{"veth1_to_hsr", ETH_ALEN},
|
||
{"hsr0", 0},
|
||
{"dummy0", ETH_ALEN},
|
||
{"nlmon0", 0},
|
||
{"vxcan1", 0, true},
|
||
{"caif0", ETH_ALEN}, // TODO: up'ing caif fails with ENODEV
|
||
{"batadv0", ETH_ALEN},
|
||
{netdevsim, ETH_ALEN},
|
||
};
|
||
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
|
||
if (sock == -1)
|
||
fail("socket(AF_NETLINK) failed");
|
||
unsigned i;
|
||
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
|
||
netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
|
||
// This creates connected bridge/bond/team_slave devices of type veth,
|
||
// and makes them slaves of bridge/bond/team devices, respectively.
|
||
// Note: slave devices don't need MAC/IP addresses, only master devices.
|
||
// veth0_to_* is not slave devices, which still need ip addresses.
|
||
for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
|
||
char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
|
||
sprintf(slave0, "%s_slave_0", devmasters[i]);
|
||
sprintf(veth0, "veth0_to_%s", devmasters[i]);
|
||
netlink_add_veth(sock, slave0, veth0);
|
||
sprintf(slave1, "%s_slave_1", devmasters[i]);
|
||
sprintf(veth1, "veth1_to_%s", devmasters[i]);
|
||
netlink_add_veth(sock, slave1, veth1);
|
||
sprintf(master, "%s0", devmasters[i]);
|
||
netlink_device_change(sock, slave0, false, master, 0, 0);
|
||
netlink_device_change(sock, slave1, false, master, 0, 0);
|
||
}
|
||
// bond/team_slave_* will set up automatically when set their master.
|
||
// But bridge_slave_* need to set up manually.
|
||
netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
|
||
netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
|
||
|
||
// Setup hsr device (slightly different from what we do for devmasters).
|
||
netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
|
||
netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
|
||
netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
|
||
netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
|
||
netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
|
||
|
||
for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
|
||
// Assign some unique address to devices. Some devices won't up without this.
|
||
// Shift addresses by 10 because 0 subnet address can mean special things.
|
||
char addr[32];
|
||
sprintf(addr, DEV_IPV4, i + 10);
|
||
netlink_add_addr4(sock, devices[i].name, addr);
|
||
if (!devices[i].noipv6) {
|
||
sprintf(addr, DEV_IPV6, i + 10);
|
||
netlink_add_addr6(sock, devices[i].name, addr);
|
||
}
|
||
uint64 macaddr = DEV_MAC + ((i + 10ull) << 40);
|
||
netlink_device_change(sock, devices[i].name, true, 0, &macaddr, devices[i].macsize);
|
||
}
|
||
close(sock);
|
||
}
|
||
|
||
// Same as initialize_netdevices, but called in init net namespace.
|
||
static void initialize_netdevices_init(void)
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_net_dev)
|
||
return;
|
||
#endif
|
||
int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
|
||
if (sock == -1)
|
||
fail("socket(AF_NETLINK) failed");
|
||
struct {
|
||
const char* type;
|
||
int macsize;
|
||
bool noipv6;
|
||
bool noup;
|
||
} devtypes[] = {
|
||
// NETROM device, see net/netrom/{af_netrom,nr_dev}.c
|
||
{"nr", 7, true},
|
||
// ROSE device, see net/rose/{af_rose,rose_dev}.c
|
||
// We don't up it yet because it crashes kernel right away:
|
||
// https://groups.google.com/d/msg/syzkaller/v-4B3zoBC-4/02SCKEzJBwAJ
|
||
{"rose", 5, true, true},
|
||
};
|
||
unsigned i;
|
||
for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) {
|
||
char dev[32], addr[32];
|
||
sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
|
||
// Note: syscall descriptions know these addresses.
|
||
sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
|
||
netlink_add_addr4(sock, dev, addr);
|
||
if (!devtypes[i].noipv6) {
|
||
sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1);
|
||
netlink_add_addr6(sock, dev, addr);
|
||
}
|
||
int macsize = devtypes[i].macsize;
|
||
uint64 macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) +
|
||
(procid << (8 * (macsize - 1)));
|
||
netlink_device_change(sock, dev, !devtypes[i].noup, 0, &macaddr, macsize);
|
||
}
|
||
close(sock);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE && (__NR_syz_extract_tcp_res || SYZ_REPEAT)
|
||
#include <errno.h>
|
||
|
||
static int read_tun(char* data, int size)
|
||
{
|
||
if (tunfd < 0)
|
||
return -1;
|
||
|
||
int rv = read(tunfd, data, size);
|
||
if (rv < 0) {
|
||
if (errno == EAGAIN)
|
||
return -1;
|
||
// Tun sometimes returns this, unclear if it's a kernel bug or not.
|
||
if (errno == EBADFD)
|
||
return -1;
|
||
fail("tun: read failed with %d", rv);
|
||
}
|
||
return rv;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_emit_ethernet && SYZ_TUN_ENABLE
|
||
#include <stdbool.h>
|
||
#include <sys/uio.h>
|
||
|
||
#define MAX_FRAGS 4
|
||
struct vnet_fragmentation {
|
||
uint32 full;
|
||
uint32 count;
|
||
uint32 frags[MAX_FRAGS];
|
||
};
|
||
|
||
static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2)
|
||
{
|
||
// syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt])
|
||
// vnet_fragmentation {
|
||
// full int32[0:1]
|
||
// count int32[1:4]
|
||
// frags array[int32[0:4096], 4]
|
||
// }
|
||
if (tunfd < 0)
|
||
return (uintptr_t)-1;
|
||
|
||
uint32 length = a0;
|
||
char* data = (char*)a1;
|
||
debug_dump_data(data, length);
|
||
|
||
struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2;
|
||
struct iovec vecs[MAX_FRAGS + 1];
|
||
uint32 nfrags = 0;
|
||
if (!tun_frags_enabled || frags == NULL) {
|
||
vecs[nfrags].iov_base = data;
|
||
vecs[nfrags].iov_len = length;
|
||
nfrags++;
|
||
} else {
|
||
bool full = true;
|
||
uint32 i, count = 0;
|
||
NONFAILING(full = frags->full);
|
||
NONFAILING(count = frags->count);
|
||
if (count > MAX_FRAGS)
|
||
count = MAX_FRAGS;
|
||
for (i = 0; i < count && length != 0; i++) {
|
||
uint32 size = 0;
|
||
NONFAILING(size = frags->frags[i]);
|
||
if (size > length)
|
||
size = length;
|
||
vecs[nfrags].iov_base = data;
|
||
vecs[nfrags].iov_len = size;
|
||
nfrags++;
|
||
data += size;
|
||
length -= size;
|
||
}
|
||
if (length != 0 && (full || nfrags == 0)) {
|
||
vecs[nfrags].iov_base = data;
|
||
vecs[nfrags].iov_len = length;
|
||
nfrags++;
|
||
}
|
||
}
|
||
return writev(tunfd, vecs, nfrags);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT && SYZ_TUN_ENABLE
|
||
static void flush_tun()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_tun)
|
||
return;
|
||
#endif
|
||
char data[SYZ_TUN_MAX_PACKET_SIZE];
|
||
while (read_tun(&data[0], sizeof(data)) != -1) {
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_extract_tcp_res && SYZ_TUN_ENABLE
|
||
#ifndef __ANDROID__
|
||
// Can't include <linux/ipv6.h>, since it causes
|
||
// conflicts due to some structs redefinition.
|
||
struct ipv6hdr {
|
||
__u8 priority : 4,
|
||
version : 4;
|
||
__u8 flow_lbl[3];
|
||
|
||
__be16 payload_len;
|
||
__u8 nexthdr;
|
||
__u8 hop_limit;
|
||
|
||
struct in6_addr saddr;
|
||
struct in6_addr daddr;
|
||
};
|
||
#endif
|
||
|
||
struct tcp_resources {
|
||
uint32 seq;
|
||
uint32 ack;
|
||
};
|
||
|
||
static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
|
||
{
|
||
// syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)
|
||
|
||
if (tunfd < 0)
|
||
return (uintptr_t)-1;
|
||
|
||
char data[SYZ_TUN_MAX_PACKET_SIZE];
|
||
int rv = read_tun(&data[0], sizeof(data));
|
||
if (rv == -1)
|
||
return (uintptr_t)-1;
|
||
size_t length = rv;
|
||
debug_dump_data(data, length);
|
||
|
||
struct tcphdr* tcphdr;
|
||
|
||
if (length < sizeof(struct ethhdr))
|
||
return (uintptr_t)-1;
|
||
struct ethhdr* ethhdr = (struct ethhdr*)&data[0];
|
||
|
||
if (ethhdr->h_proto == htons(ETH_P_IP)) {
|
||
if (length < sizeof(struct ethhdr) + sizeof(struct iphdr))
|
||
return (uintptr_t)-1;
|
||
struct iphdr* iphdr = (struct iphdr*)&data[sizeof(struct ethhdr)];
|
||
if (iphdr->protocol != IPPROTO_TCP)
|
||
return (uintptr_t)-1;
|
||
if (length < sizeof(struct ethhdr) + iphdr->ihl * 4 + sizeof(struct tcphdr))
|
||
return (uintptr_t)-1;
|
||
tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + iphdr->ihl * 4];
|
||
} else {
|
||
if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr))
|
||
return (uintptr_t)-1;
|
||
struct ipv6hdr* ipv6hdr = (struct ipv6hdr*)&data[sizeof(struct ethhdr)];
|
||
// TODO: parse and skip extension headers.
|
||
if (ipv6hdr->nexthdr != IPPROTO_TCP)
|
||
return (uintptr_t)-1;
|
||
if (length < sizeof(struct ethhdr) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr))
|
||
return (uintptr_t)-1;
|
||
tcphdr = (struct tcphdr*)&data[sizeof(struct ethhdr) + sizeof(struct ipv6hdr)];
|
||
}
|
||
|
||
struct tcp_resources* res = (struct tcp_resources*)a0;
|
||
NONFAILING(res->seq = htonl((ntohl(tcphdr->seq) + (uint32)a1)));
|
||
NONFAILING(res->ack = htonl((ntohl(tcphdr->ack_seq) + (uint32)a2)));
|
||
|
||
debug("extracted seq: %08x\n", res->seq);
|
||
debug("extracted ack: %08x\n", res->ack);
|
||
|
||
return 0;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_usb_connect
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <linux/usb/ch9.h>
|
||
#include <stdarg.h>
|
||
#include <stdbool.h>
|
||
#include <stddef.h>
|
||
#include <stdio.h>
|
||
#include <sys/mount.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
#include "common_usb.h"
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_open_dev
|
||
#include <fcntl.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
|
||
{
|
||
if (a0 == 0xc || a0 == 0xb) {
|
||
// syz_open_dev$char(dev const[0xc], major intptr, minor intptr) fd
|
||
// syz_open_dev$block(dev const[0xb], major intptr, minor intptr) fd
|
||
char buf[128];
|
||
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8)a1, (uint8)a2);
|
||
return open(buf, O_RDWR, 0);
|
||
} else {
|
||
// syz_open_dev(dev strconst, id intptr, flags flags[open_flags]) fd
|
||
char buf[1024];
|
||
char* hash;
|
||
NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1));
|
||
buf[sizeof(buf) - 1] = 0;
|
||
while ((hash = strchr(buf, '#'))) {
|
||
*hash = '0' + (char)(a1 % 10); // 10 devices should be enough for everyone.
|
||
a1 /= 10;
|
||
}
|
||
return open(buf, a2, 0);
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_open_procfs
|
||
#include <fcntl.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static long syz_open_procfs(volatile long a0, volatile long a1)
|
||
{
|
||
// syz_open_procfs(pid pid, file ptr[in, string[procfs_file]]) fd
|
||
|
||
char buf[128];
|
||
memset(buf, 0, sizeof(buf));
|
||
if (a0 == 0) {
|
||
NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1));
|
||
} else if (a0 == -1) {
|
||
NONFAILING(snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1));
|
||
} else {
|
||
NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1));
|
||
}
|
||
int fd = open(buf, O_RDWR);
|
||
if (fd == -1)
|
||
fd = open(buf, O_RDONLY);
|
||
return fd;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_open_pts
|
||
#include <fcntl.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static long syz_open_pts(volatile long a0, volatile long a1)
|
||
{
|
||
// syz_openpts(fd fd[tty], flags flags[open_flags]) fd[tty]
|
||
int ptyno = 0;
|
||
if (ioctl(a0, TIOCGPTN, &ptyno))
|
||
return -1;
|
||
char buf[128];
|
||
sprintf(buf, "/dev/pts/%d", ptyno);
|
||
return open(buf, a1, 0);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_init_net_socket
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
|
||
#include <fcntl.h>
|
||
#include <sched.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
#include <unistd.h>
|
||
|
||
const int kInitNetNsFd = 239; // see kMaxFd
|
||
// syz_init_net_socket opens a socket in init net namespace.
|
||
// Used for families that can only be created in init net namespace.
|
||
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
|
||
{
|
||
int netns = open("/proc/self/ns/net", O_RDONLY);
|
||
if (netns == -1)
|
||
return netns;
|
||
if (setns(kInitNetNsFd, 0))
|
||
return -1;
|
||
int sock = syscall(__NR_socket, domain, type, proto);
|
||
int err = errno;
|
||
if (setns(netns, 0))
|
||
fail("setns(netns) failed");
|
||
close(netns);
|
||
errno = err;
|
||
return sock;
|
||
}
|
||
#else
|
||
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
|
||
{
|
||
return syscall(__NR_socket, domain, type, proto);
|
||
}
|
||
#endif
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_genetlink_get_family_id
|
||
#include <errno.h>
|
||
#include <linux/genetlink.h>
|
||
#include <linux/netlink.h>
|
||
#include <sys/socket.h>
|
||
#include <sys/types.h>
|
||
|
||
static long syz_genetlink_get_family_id(volatile long name)
|
||
{
|
||
char buf[512] = {0};
|
||
struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
|
||
struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr);
|
||
struct nlattr* attr = (struct nlattr*)(genlhdr + 1);
|
||
hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ;
|
||
hdr->nlmsg_type = GENL_ID_CTRL;
|
||
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
|
||
genlhdr->cmd = CTRL_CMD_GETFAMILY;
|
||
attr->nla_type = CTRL_ATTR_FAMILY_NAME;
|
||
attr->nla_len = sizeof(*attr) + GENL_NAMSIZ;
|
||
NONFAILING(strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ));
|
||
struct iovec iov = {hdr, hdr->nlmsg_len};
|
||
struct sockaddr_nl addr = {0};
|
||
addr.nl_family = AF_NETLINK;
|
||
debug("syz_genetlink_get_family_id(%s)\n", (char*)(attr + 1));
|
||
int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
|
||
if (fd == -1) {
|
||
debug("syz_genetlink_get_family_id: socket failed: %d\n", errno);
|
||
return -1;
|
||
}
|
||
struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0};
|
||
if (sendmsg(fd, &msg, 0) == -1) {
|
||
debug("syz_genetlink_get_family_id: sendmsg failed: %d\n", errno);
|
||
close(fd);
|
||
return -1;
|
||
}
|
||
ssize_t n = recv(fd, buf, sizeof(buf), 0);
|
||
close(fd);
|
||
if (n <= 0) {
|
||
debug("syz_genetlink_get_family_id: recv failed: %d\n", errno);
|
||
return -1;
|
||
}
|
||
if (hdr->nlmsg_type != GENL_ID_CTRL) {
|
||
debug("syz_genetlink_get_family_id: wrong reply type: %d\n", hdr->nlmsg_type);
|
||
return -1;
|
||
}
|
||
for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
|
||
if (attr->nla_type == CTRL_ATTR_FAMILY_ID)
|
||
return *(uint16*)(attr + 1);
|
||
}
|
||
debug("syz_genetlink_get_family_id: no CTRL_ATTR_FAMILY_ID attr\n");
|
||
return -1;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_mount_image || __NR_syz_read_part_table
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <linux/loop.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
struct fs_image_segment {
|
||
void* data;
|
||
uintptr_t size;
|
||
uintptr_t offset;
|
||
};
|
||
|
||
#define IMAGE_MAX_SEGMENTS 4096
|
||
#define IMAGE_MAX_SIZE (129 << 20)
|
||
|
||
#if GOARCH_386
|
||
#define SYZ_memfd_create 356
|
||
#elif GOARCH_amd64
|
||
#define SYZ_memfd_create 319
|
||
#elif GOARCH_arm
|
||
#define SYZ_memfd_create 385
|
||
#elif GOARCH_arm64
|
||
#define SYZ_memfd_create 279
|
||
#elif GOARCH_ppc64le
|
||
#define SYZ_memfd_create 360
|
||
#endif
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_read_part_table
|
||
// syz_read_part_table(size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]])
|
||
static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
|
||
{
|
||
char loopname[64], linkname[64];
|
||
int loopfd, err = 0, res = -1;
|
||
unsigned long i, j;
|
||
// See the comment in syz_mount_image.
|
||
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
|
||
|
||
if (nsegs > IMAGE_MAX_SEGMENTS)
|
||
nsegs = IMAGE_MAX_SEGMENTS;
|
||
for (i = 0; i < nsegs; i++) {
|
||
if (segs[i].size > IMAGE_MAX_SIZE)
|
||
segs[i].size = IMAGE_MAX_SIZE;
|
||
segs[i].offset %= IMAGE_MAX_SIZE;
|
||
if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
|
||
segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
|
||
if (size < segs[i].offset + segs[i].offset)
|
||
size = segs[i].offset + segs[i].offset;
|
||
}
|
||
if (size > IMAGE_MAX_SIZE)
|
||
size = IMAGE_MAX_SIZE;
|
||
int memfd = syscall(SYZ_memfd_create, "syz_read_part_table", 0);
|
||
if (memfd == -1) {
|
||
err = errno;
|
||
goto error;
|
||
}
|
||
if (ftruncate(memfd, size)) {
|
||
err = errno;
|
||
goto error_close_memfd;
|
||
}
|
||
for (i = 0; i < nsegs; i++) {
|
||
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
|
||
debug("syz_read_part_table: pwrite[%u] failed: %d\n", (int)i, errno);
|
||
}
|
||
}
|
||
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
|
||
loopfd = open(loopname, O_RDWR);
|
||
if (loopfd == -1) {
|
||
err = errno;
|
||
goto error_close_memfd;
|
||
}
|
||
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
|
||
if (errno != EBUSY) {
|
||
err = errno;
|
||
goto error_close_loop;
|
||
}
|
||
ioctl(loopfd, LOOP_CLR_FD, 0);
|
||
usleep(1000);
|
||
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
|
||
err = errno;
|
||
goto error_close_loop;
|
||
}
|
||
}
|
||
struct loop_info64 info;
|
||
if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
|
||
err = errno;
|
||
goto error_clear_loop;
|
||
}
|
||
#if SYZ_EXECUTOR
|
||
cover_reset(0);
|
||
#endif
|
||
info.lo_flags |= LO_FLAGS_PARTSCAN;
|
||
if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
|
||
err = errno;
|
||
goto error_clear_loop;
|
||
}
|
||
res = 0;
|
||
// If we managed to parse some partitions, symlink them into our work dir.
|
||
for (i = 1, j = 0; i < 8; i++) {
|
||
snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
|
||
struct stat statbuf;
|
||
if (stat(loopname, &statbuf) == 0) {
|
||
snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
|
||
if (symlink(loopname, linkname)) {
|
||
debug("syz_read_part_table: symlink(%s, %s) failed: %d\n", loopname, linkname, errno);
|
||
}
|
||
}
|
||
}
|
||
error_clear_loop:
|
||
ioctl(loopfd, LOOP_CLR_FD, 0);
|
||
error_close_loop:
|
||
close(loopfd);
|
||
error_close_memfd:
|
||
close(memfd);
|
||
error:
|
||
errno = err;
|
||
return res;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_mount_image
|
||
#include <string.h>
|
||
#include <sys/mount.h>
|
||
|
||
//syz_mount_image(fs ptr[in, string[disk_filesystems]], dir ptr[in, filename], size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]], flags flags[mount_flags], opts ptr[in, fs_options[vfat_options]])
|
||
//fs_image_segment {
|
||
// data ptr[in, array[int8]]
|
||
// size len[data, intptr]
|
||
// offset intptr
|
||
//}
|
||
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
|
||
{
|
||
char loopname[64], fs[32], opts[256];
|
||
int loopfd, err = 0, res = -1;
|
||
unsigned long i;
|
||
// Strictly saying we ought to do a nonfailing copyout of segments into a local var.
|
||
// But some filesystems have large number of segments (2000+),
|
||
// we can't allocate that much on stack and allocating elsewhere is problematic,
|
||
// so we just use the memory allocated by fuzzer.
|
||
struct fs_image_segment* segs = (struct fs_image_segment*)segments;
|
||
|
||
if (nsegs > IMAGE_MAX_SEGMENTS)
|
||
nsegs = IMAGE_MAX_SEGMENTS;
|
||
for (i = 0; i < nsegs; i++) {
|
||
if (segs[i].size > IMAGE_MAX_SIZE)
|
||
segs[i].size = IMAGE_MAX_SIZE;
|
||
segs[i].offset %= IMAGE_MAX_SIZE;
|
||
if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
|
||
segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
|
||
if (size < segs[i].offset + segs[i].offset)
|
||
size = segs[i].offset + segs[i].offset;
|
||
}
|
||
if (size > IMAGE_MAX_SIZE)
|
||
size = IMAGE_MAX_SIZE;
|
||
int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0);
|
||
if (memfd == -1) {
|
||
err = errno;
|
||
goto error;
|
||
}
|
||
if (ftruncate(memfd, size)) {
|
||
err = errno;
|
||
goto error_close_memfd;
|
||
}
|
||
for (i = 0; i < nsegs; i++) {
|
||
if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
|
||
debug("syz_mount_image: pwrite[%u] failed: %d\n", (int)i, errno);
|
||
}
|
||
}
|
||
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
|
||
loopfd = open(loopname, O_RDWR);
|
||
if (loopfd == -1) {
|
||
err = errno;
|
||
goto error_close_memfd;
|
||
}
|
||
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
|
||
if (errno != EBUSY) {
|
||
err = errno;
|
||
goto error_close_loop;
|
||
}
|
||
ioctl(loopfd, LOOP_CLR_FD, 0);
|
||
usleep(1000);
|
||
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
|
||
err = errno;
|
||
goto error_close_loop;
|
||
}
|
||
}
|
||
mkdir((char*)dir, 0777);
|
||
memset(fs, 0, sizeof(fs));
|
||
NONFAILING(strncpy(fs, (char*)fsarg, sizeof(fs) - 1));
|
||
memset(opts, 0, sizeof(opts));
|
||
// Leave some space for the additional options we append below.
|
||
NONFAILING(strncpy(opts, (char*)optsarg, sizeof(opts) - 32));
|
||
if (strcmp(fs, "iso9660") == 0) {
|
||
flags |= MS_RDONLY;
|
||
} else if (strncmp(fs, "ext", 3) == 0) {
|
||
// For ext2/3/4 we have to have errors=continue because the image
|
||
// can contain errors=panic flag and can legally crash kernel.
|
||
if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
|
||
strcat(opts, ",errors=continue");
|
||
} else if (strcmp(fs, "xfs") == 0) {
|
||
// For xfs we need nouuid because xfs has a global uuids table
|
||
// and if two parallel executors mounts fs with the same uuid, second mount fails.
|
||
strcat(opts, ",nouuid");
|
||
}
|
||
debug("syz_mount_image: size=%llu segs=%llu loop='%s' dir='%s' fs='%s' flags=%llu opts='%s'\n", (uint64)size, (uint64)nsegs, loopname, (char*)dir, fs, (uint64)flags, opts);
|
||
#if SYZ_EXECUTOR
|
||
cover_reset(0);
|
||
#endif
|
||
if (mount(loopname, (char*)dir, fs, flags, opts)) {
|
||
err = errno;
|
||
goto error_clear_loop;
|
||
}
|
||
res = 0;
|
||
error_clear_loop:
|
||
ioctl(loopfd, LOOP_CLR_FD, 0);
|
||
error_close_loop:
|
||
close(loopfd);
|
||
error_close_memfd:
|
||
close(memfd);
|
||
error:
|
||
errno = err;
|
||
return res;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <linux/kvm.h>
|
||
#include <stdarg.h>
|
||
#include <stddef.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
|
||
#if GOARCH_amd64
|
||
#include "common_kvm_amd64.h"
|
||
#elif GOARCH_arm64
|
||
#include "common_kvm_arm64.h"
|
||
#else
|
||
static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
|
||
{
|
||
return 0;
|
||
}
|
||
#endif
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_RESET_NET_NAMESPACE
|
||
#include <errno.h>
|
||
#include <net/if.h>
|
||
#include <netinet/in.h>
|
||
#include <string.h>
|
||
#include <sys/socket.h>
|
||
|
||
#include <linux/net.h>
|
||
|
||
// checkpoint/reset_net_namespace partially resets net namespace to initial state
|
||
// after each test. Currently it resets only ipv4 netfilter state.
|
||
// Ideally, we just create a new net namespace for each test,
|
||
// however it's too slow (1-1.5 seconds per namespace, not parallelizable).
|
||
|
||
// Linux headers do not compile for C++, so we have to define the structs manualy.
|
||
#define XT_TABLE_SIZE 1536
|
||
#define XT_MAX_ENTRIES 10
|
||
|
||
struct xt_counters {
|
||
uint64 pcnt, bcnt;
|
||
};
|
||
|
||
struct ipt_getinfo {
|
||
char name[32];
|
||
unsigned int valid_hooks;
|
||
unsigned int hook_entry[5];
|
||
unsigned int underflow[5];
|
||
unsigned int num_entries;
|
||
unsigned int size;
|
||
};
|
||
|
||
struct ipt_get_entries {
|
||
char name[32];
|
||
unsigned int size;
|
||
void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
|
||
};
|
||
|
||
struct ipt_replace {
|
||
char name[32];
|
||
unsigned int valid_hooks;
|
||
unsigned int num_entries;
|
||
unsigned int size;
|
||
unsigned int hook_entry[5];
|
||
unsigned int underflow[5];
|
||
unsigned int num_counters;
|
||
struct xt_counters* counters;
|
||
char entrytable[XT_TABLE_SIZE];
|
||
};
|
||
|
||
struct ipt_table_desc {
|
||
const char* name;
|
||
struct ipt_getinfo info;
|
||
struct ipt_replace replace;
|
||
};
|
||
|
||
static struct ipt_table_desc ipv4_tables[] = {
|
||
{.name = "filter"},
|
||
{.name = "nat"},
|
||
{.name = "mangle"},
|
||
{.name = "raw"},
|
||
{.name = "security"},
|
||
};
|
||
|
||
static struct ipt_table_desc ipv6_tables[] = {
|
||
{.name = "filter"},
|
||
{.name = "nat"},
|
||
{.name = "mangle"},
|
||
{.name = "raw"},
|
||
{.name = "security"},
|
||
};
|
||
|
||
#define IPT_BASE_CTL 64
|
||
#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
|
||
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
|
||
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
|
||
|
||
struct arpt_getinfo {
|
||
char name[32];
|
||
unsigned int valid_hooks;
|
||
unsigned int hook_entry[3];
|
||
unsigned int underflow[3];
|
||
unsigned int num_entries;
|
||
unsigned int size;
|
||
};
|
||
|
||
struct arpt_get_entries {
|
||
char name[32];
|
||
unsigned int size;
|
||
void* entrytable[XT_TABLE_SIZE / sizeof(void*)];
|
||
};
|
||
|
||
struct arpt_replace {
|
||
char name[32];
|
||
unsigned int valid_hooks;
|
||
unsigned int num_entries;
|
||
unsigned int size;
|
||
unsigned int hook_entry[3];
|
||
unsigned int underflow[3];
|
||
unsigned int num_counters;
|
||
struct xt_counters* counters;
|
||
char entrytable[XT_TABLE_SIZE];
|
||
};
|
||
|
||
struct arpt_table_desc {
|
||
const char* name;
|
||
struct arpt_getinfo info;
|
||
struct arpt_replace replace;
|
||
};
|
||
|
||
static struct arpt_table_desc arpt_tables[] = {
|
||
{.name = "filter"},
|
||
};
|
||
|
||
#define ARPT_BASE_CTL 96
|
||
#define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL)
|
||
#define ARPT_SO_GET_INFO (ARPT_BASE_CTL)
|
||
#define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1)
|
||
|
||
static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
|
||
{
|
||
struct ipt_get_entries entries;
|
||
socklen_t optlen;
|
||
int fd, i;
|
||
|
||
fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("iptable checkpoint %d: socket failed", family);
|
||
}
|
||
for (i = 0; i < num_tables; i++) {
|
||
struct ipt_table_desc* table = &tables[i];
|
||
strcpy(table->info.name, table->name);
|
||
strcpy(table->replace.name, table->name);
|
||
optlen = sizeof(table->info);
|
||
if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) {
|
||
switch (errno) {
|
||
case EPERM:
|
||
case ENOENT:
|
||
case ENOPROTOOPT:
|
||
continue;
|
||
}
|
||
fail("iptable checkpoint %s/%d: getsockopt(IPT_SO_GET_INFO)", table->name, family);
|
||
}
|
||
debug("iptable checkpoint %s/%d: checkpoint entries=%d hooks=%x size=%d\n",
|
||
table->name, family, table->info.num_entries,
|
||
table->info.valid_hooks, table->info.size);
|
||
if (table->info.size > sizeof(table->replace.entrytable))
|
||
fail("iptable checkpoint %s/%d: table size is too large: %u",
|
||
table->name, family, table->info.size);
|
||
if (table->info.num_entries > XT_MAX_ENTRIES)
|
||
fail("iptable checkpoint %s/%d: too many counters: %u",
|
||
table->name, family, table->info.num_entries);
|
||
memset(&entries, 0, sizeof(entries));
|
||
strcpy(entries.name, table->name);
|
||
entries.size = table->info.size;
|
||
optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
|
||
if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
|
||
fail("iptable checkpoint %s/%d: getsockopt(IPT_SO_GET_ENTRIES)",
|
||
table->name, family);
|
||
table->replace.valid_hooks = table->info.valid_hooks;
|
||
table->replace.num_entries = table->info.num_entries;
|
||
table->replace.size = table->info.size;
|
||
memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
|
||
memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
|
||
memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level)
|
||
{
|
||
struct xt_counters counters[XT_MAX_ENTRIES];
|
||
struct ipt_get_entries entries;
|
||
struct ipt_getinfo info;
|
||
socklen_t optlen;
|
||
int fd, i;
|
||
|
||
fd = socket(family, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("iptable %d: socket failed", family);
|
||
}
|
||
for (i = 0; i < num_tables; i++) {
|
||
struct ipt_table_desc* table = &tables[i];
|
||
if (table->info.valid_hooks == 0)
|
||
continue;
|
||
memset(&info, 0, sizeof(info));
|
||
strcpy(info.name, table->name);
|
||
optlen = sizeof(info);
|
||
if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen))
|
||
fail("iptable %s/%d: getsockopt(IPT_SO_GET_INFO)", table->name, family);
|
||
if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
|
||
memset(&entries, 0, sizeof(entries));
|
||
strcpy(entries.name, table->name);
|
||
entries.size = table->info.size;
|
||
optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
|
||
if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen))
|
||
fail("iptable %s/%d: getsockopt(IPT_SO_GET_ENTRIES)", table->name, family);
|
||
if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
|
||
continue;
|
||
}
|
||
debug("iptable %s/%d: resetting\n", table->name, family);
|
||
table->replace.num_counters = info.num_entries;
|
||
table->replace.counters = counters;
|
||
optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
|
||
if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen))
|
||
fail("iptable %s/%d: setsockopt(IPT_SO_SET_REPLACE)", table->name, family);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
static void checkpoint_arptables(void)
|
||
{
|
||
struct arpt_get_entries entries;
|
||
socklen_t optlen;
|
||
unsigned i;
|
||
int fd;
|
||
|
||
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("arptable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
|
||
}
|
||
for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
|
||
struct arpt_table_desc* table = &arpt_tables[i];
|
||
strcpy(table->info.name, table->name);
|
||
strcpy(table->replace.name, table->name);
|
||
optlen = sizeof(table->info);
|
||
if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) {
|
||
switch (errno) {
|
||
case EPERM:
|
||
case ENOENT:
|
||
case ENOPROTOOPT:
|
||
continue;
|
||
}
|
||
fail("arptable checkpoint %s: getsockopt(ARPT_SO_GET_INFO)", table->name);
|
||
}
|
||
debug("arptable checkpoint %s: entries=%d hooks=%x size=%d\n",
|
||
table->name, table->info.num_entries, table->info.valid_hooks, table->info.size);
|
||
if (table->info.size > sizeof(table->replace.entrytable))
|
||
fail("arptable checkpoint %s: table size is too large: %u",
|
||
table->name, table->info.size);
|
||
if (table->info.num_entries > XT_MAX_ENTRIES)
|
||
fail("arptable checkpoint %s: too many counters: %u",
|
||
table->name, table->info.num_entries);
|
||
memset(&entries, 0, sizeof(entries));
|
||
strcpy(entries.name, table->name);
|
||
entries.size = table->info.size;
|
||
optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size;
|
||
if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
|
||
fail("arptable checkpoint %s: getsockopt(ARPT_SO_GET_ENTRIES)", table->name);
|
||
table->replace.valid_hooks = table->info.valid_hooks;
|
||
table->replace.num_entries = table->info.num_entries;
|
||
table->replace.size = table->info.size;
|
||
memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry));
|
||
memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow));
|
||
memcpy(table->replace.entrytable, entries.entrytable, table->info.size);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
static void reset_arptables()
|
||
{
|
||
struct xt_counters counters[XT_MAX_ENTRIES];
|
||
struct arpt_get_entries entries;
|
||
struct arpt_getinfo info;
|
||
socklen_t optlen;
|
||
unsigned i;
|
||
int fd;
|
||
|
||
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("arptable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
|
||
}
|
||
for (i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) {
|
||
struct arpt_table_desc* table = &arpt_tables[i];
|
||
if (table->info.valid_hooks == 0)
|
||
continue;
|
||
memset(&info, 0, sizeof(info));
|
||
strcpy(info.name, table->name);
|
||
optlen = sizeof(info);
|
||
if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen))
|
||
fail("arptable %s:getsockopt(ARPT_SO_GET_INFO)", table->name);
|
||
if (memcmp(&table->info, &info, sizeof(table->info)) == 0) {
|
||
memset(&entries, 0, sizeof(entries));
|
||
strcpy(entries.name, table->name);
|
||
entries.size = table->info.size;
|
||
optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size;
|
||
if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen))
|
||
fail("arptable %s: getsockopt(ARPT_SO_GET_ENTRIES)", table->name);
|
||
if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0)
|
||
continue;
|
||
debug("arptable %s: data changed\n", table->name);
|
||
} else {
|
||
debug("arptable %s: header changed\n", table->name);
|
||
}
|
||
debug("arptable %s: resetting\n", table->name);
|
||
table->replace.num_counters = info.num_entries;
|
||
table->replace.counters = counters;
|
||
optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size;
|
||
if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen))
|
||
fail("arptable %s: setsockopt(ARPT_SO_SET_REPLACE)", table->name);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
// ebtables.h is broken too:
|
||
// ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
|
||
// ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’
|
||
|
||
#define NF_BR_NUMHOOKS 6
|
||
#define EBT_TABLE_MAXNAMELEN 32
|
||
#define EBT_CHAIN_MAXNAMELEN 32
|
||
#define EBT_BASE_CTL 128
|
||
#define EBT_SO_SET_ENTRIES (EBT_BASE_CTL)
|
||
#define EBT_SO_GET_INFO (EBT_BASE_CTL)
|
||
#define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1)
|
||
#define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1)
|
||
#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1)
|
||
|
||
struct ebt_replace {
|
||
char name[EBT_TABLE_MAXNAMELEN];
|
||
unsigned int valid_hooks;
|
||
unsigned int nentries;
|
||
unsigned int entries_size;
|
||
struct ebt_entries* hook_entry[NF_BR_NUMHOOKS];
|
||
unsigned int num_counters;
|
||
struct ebt_counter* counters;
|
||
char* entries;
|
||
};
|
||
|
||
struct ebt_entries {
|
||
unsigned int distinguisher;
|
||
char name[EBT_CHAIN_MAXNAMELEN];
|
||
unsigned int counter_offset;
|
||
int policy;
|
||
unsigned int nentries;
|
||
char data[0] __attribute__((aligned(__alignof__(struct ebt_replace))));
|
||
};
|
||
|
||
struct ebt_table_desc {
|
||
const char* name;
|
||
struct ebt_replace replace;
|
||
char entrytable[XT_TABLE_SIZE];
|
||
};
|
||
|
||
static struct ebt_table_desc ebt_tables[] = {
|
||
{.name = "filter"},
|
||
{.name = "nat"},
|
||
{.name = "broute"},
|
||
};
|
||
|
||
static void checkpoint_ebtables(void)
|
||
{
|
||
socklen_t optlen;
|
||
unsigned i;
|
||
int fd;
|
||
|
||
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("ebtable checkpoint: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
|
||
}
|
||
for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
|
||
struct ebt_table_desc* table = &ebt_tables[i];
|
||
strcpy(table->replace.name, table->name);
|
||
optlen = sizeof(table->replace);
|
||
if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, &optlen)) {
|
||
switch (errno) {
|
||
case EPERM:
|
||
case ENOENT:
|
||
case ENOPROTOOPT:
|
||
continue;
|
||
}
|
||
fail("ebtable checkpoint %s: getsockopt(EBT_SO_GET_INIT_INFO)", table->name);
|
||
}
|
||
debug("ebtable checkpoint %s: entries=%d hooks=%x size=%d\n",
|
||
table->name, table->replace.nentries, table->replace.valid_hooks,
|
||
table->replace.entries_size);
|
||
if (table->replace.entries_size > sizeof(table->entrytable))
|
||
fail("ebtable checkpoint %s: table size is too large: %u",
|
||
table->name, table->replace.entries_size);
|
||
table->replace.num_counters = 0;
|
||
table->replace.entries = table->entrytable;
|
||
optlen = sizeof(table->replace) + table->replace.entries_size;
|
||
if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, &optlen))
|
||
fail("ebtable checkpoint %s: getsockopt(EBT_SO_GET_INIT_ENTRIES)", table->name);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
static void reset_ebtables()
|
||
{
|
||
struct ebt_replace replace;
|
||
char entrytable[XT_TABLE_SIZE];
|
||
socklen_t optlen;
|
||
unsigned i, j, h;
|
||
int fd;
|
||
|
||
fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||
if (fd == -1) {
|
||
switch (errno) {
|
||
case EAFNOSUPPORT:
|
||
case ENOPROTOOPT:
|
||
return;
|
||
}
|
||
fail("ebtable: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)");
|
||
}
|
||
for (i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) {
|
||
struct ebt_table_desc* table = &ebt_tables[i];
|
||
if (table->replace.valid_hooks == 0)
|
||
continue;
|
||
memset(&replace, 0, sizeof(replace));
|
||
strcpy(replace.name, table->name);
|
||
optlen = sizeof(replace);
|
||
if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen))
|
||
fail("ebtable %s: getsockopt(EBT_SO_GET_INFO)", table->name);
|
||
replace.num_counters = 0;
|
||
table->replace.entries = 0;
|
||
for (h = 0; h < NF_BR_NUMHOOKS; h++)
|
||
table->replace.hook_entry[h] = 0;
|
||
if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) {
|
||
memset(&entrytable, 0, sizeof(entrytable));
|
||
replace.entries = entrytable;
|
||
optlen = sizeof(replace) + replace.entries_size;
|
||
if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen))
|
||
fail("ebtable %s: getsockopt(EBT_SO_GET_ENTRIES)", table->name);
|
||
if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0)
|
||
continue;
|
||
}
|
||
debug("ebtable %s: resetting\n", table->name);
|
||
// Kernel does not seem to return actual entry points (wat?).
|
||
for (j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) {
|
||
if (table->replace.valid_hooks & (1 << h)) {
|
||
table->replace.hook_entry[h] = (struct ebt_entries*)table->entrytable + j;
|
||
j++;
|
||
}
|
||
}
|
||
table->replace.entries = table->entrytable;
|
||
optlen = sizeof(table->replace) + table->replace.entries_size;
|
||
if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen))
|
||
fail("ebtable %s: setsockopt(EBT_SO_SET_ENTRIES)", table->name);
|
||
}
|
||
close(fd);
|
||
}
|
||
|
||
static void checkpoint_net_namespace(void)
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_net_reset)
|
||
return;
|
||
if (flag_sandbox == sandbox_setuid)
|
||
return;
|
||
#endif
|
||
checkpoint_ebtables();
|
||
checkpoint_arptables();
|
||
checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
|
||
checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
|
||
}
|
||
|
||
static void reset_net_namespace(void)
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_net_reset)
|
||
return;
|
||
if (flag_sandbox == sandbox_setuid)
|
||
return;
|
||
#endif
|
||
reset_ebtables();
|
||
reset_arptables();
|
||
reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP);
|
||
reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || (SYZ_ENABLE_CGROUPS && (SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP))
|
||
#include <fcntl.h>
|
||
#include <sys/mount.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static void setup_cgroups()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_cgroups)
|
||
return;
|
||
#endif
|
||
if (mkdir("/syzcgroup", 0777)) {
|
||
debug("mkdir(/syzcgroup) failed: %d\n", errno);
|
||
}
|
||
if (mkdir("/syzcgroup/unified", 0777)) {
|
||
debug("mkdir(/syzcgroup/unified) failed: %d\n", errno);
|
||
}
|
||
if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) {
|
||
debug("mount(cgroup2) failed: %d\n", errno);
|
||
}
|
||
if (chmod("/syzcgroup/unified", 0777)) {
|
||
debug("chmod(/syzcgroup/unified) failed: %d\n", errno);
|
||
}
|
||
write_file("/syzcgroup/unified/cgroup.subtree_control", "+cpu +memory +io +pids +rdma");
|
||
if (mkdir("/syzcgroup/cpu", 0777)) {
|
||
debug("mkdir(/syzcgroup/cpu) failed: %d\n", errno);
|
||
}
|
||
if (mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,perf_event,hugetlb")) {
|
||
debug("mount(cgroup cpu) failed: %d\n", errno);
|
||
}
|
||
write_file("/syzcgroup/cpu/cgroup.clone_children", "1");
|
||
if (chmod("/syzcgroup/cpu", 0777)) {
|
||
debug("chmod(/syzcgroup/cpu) failed: %d\n", errno);
|
||
}
|
||
if (mkdir("/syzcgroup/net", 0777)) {
|
||
debug("mkdir(/syzcgroup/net) failed: %d\n", errno);
|
||
}
|
||
if (mount("none", "/syzcgroup/net", "cgroup", 0, "net_cls,net_prio,devices,freezer")) {
|
||
debug("mount(cgroup net) failed: %d\n", errno);
|
||
}
|
||
if (chmod("/syzcgroup/net", 0777)) {
|
||
debug("chmod(/syzcgroup/net) failed: %d\n", errno);
|
||
}
|
||
}
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT
|
||
static void setup_cgroups_loop()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_cgroups)
|
||
return;
|
||
#endif
|
||
int pid = getpid();
|
||
char file[128];
|
||
char cgroupdir[64];
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
|
||
if (mkdir(cgroupdir, 0777)) {
|
||
debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
// Restrict number of pids per test process to prevent fork bombs.
|
||
// We have up to 16 threads + main process + loop.
|
||
// 32 pids should be enough for everyone.
|
||
snprintf(file, sizeof(file), "%s/pids.max", cgroupdir);
|
||
write_file(file, "32");
|
||
// Restrict memory consumption.
|
||
// We have some syscalls that inherently consume lots of memory,
|
||
// e.g. mounting some filesystem images requires at least 128MB
|
||
// image in memory. We restrict RLIMIT_AS to 200MB. Here we gradually
|
||
// increase low/high/max limits to make things more interesting.
|
||
// Also this takes into account KASAN quarantine size.
|
||
// If the limit is lower than KASAN quarantine size, then it can happen
|
||
// so that we kill the process, but all of its memory is in quarantine
|
||
// and is still accounted against memcg. As the result memcg won't
|
||
// allow to allocate any memory in the parent and in the new test process.
|
||
// The current limit of 300MB supports up to 9.6GB RAM (quarantine is 1/32).
|
||
snprintf(file, sizeof(file), "%s/memory.low", cgroupdir);
|
||
write_file(file, "%d", 298 << 20);
|
||
snprintf(file, sizeof(file), "%s/memory.high", cgroupdir);
|
||
write_file(file, "%d", 299 << 20);
|
||
snprintf(file, sizeof(file), "%s/memory.max", cgroupdir);
|
||
write_file(file, "%d", 300 << 20);
|
||
// Setup some v1 groups to make things more interesting.
|
||
snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
|
||
write_file(file, "%d", pid);
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
|
||
if (mkdir(cgroupdir, 0777)) {
|
||
debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
|
||
write_file(file, "%d", pid);
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
|
||
if (mkdir(cgroupdir, 0777)) {
|
||
debug("mkdir(%s) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir);
|
||
write_file(file, "%d", pid);
|
||
}
|
||
|
||
static void setup_cgroups_test()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_cgroups)
|
||
return;
|
||
#endif
|
||
char cgroupdir[64];
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid);
|
||
if (symlink(cgroupdir, "./cgroup")) {
|
||
debug("symlink(%s, ./cgroup) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid);
|
||
if (symlink(cgroupdir, "./cgroup.cpu")) {
|
||
debug("symlink(%s, ./cgroup.cpu) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid);
|
||
if (symlink(cgroupdir, "./cgroup.net")) {
|
||
debug("symlink(%s, ./cgroup.net) failed: %d\n", cgroupdir, errno);
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_NAMESPACE
|
||
void initialize_cgroups()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_cgroups)
|
||
return;
|
||
#endif
|
||
if (mkdir("./syz-tmp/newroot/syzcgroup", 0700))
|
||
fail("mkdir failed");
|
||
if (mkdir("./syz-tmp/newroot/syzcgroup/unified", 0700))
|
||
fail("mkdir failed");
|
||
if (mkdir("./syz-tmp/newroot/syzcgroup/cpu", 0700))
|
||
fail("mkdir failed");
|
||
if (mkdir("./syz-tmp/newroot/syzcgroup/net", 0700))
|
||
fail("mkdir failed");
|
||
unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
|
||
if (mount("/syzcgroup/unified", "./syz-tmp/newroot/syzcgroup/unified", NULL, bind_mount_flags, NULL)) {
|
||
debug("mount(cgroup2, MS_BIND) failed: %d\n", errno);
|
||
}
|
||
if (mount("/syzcgroup/cpu", "./syz-tmp/newroot/syzcgroup/cpu", NULL, bind_mount_flags, NULL)) {
|
||
debug("mount(cgroup/cpu, MS_BIND) failed: %d\n", errno);
|
||
}
|
||
if (mount("/syzcgroup/net", "./syz-tmp/newroot/syzcgroup/net", NULL, bind_mount_flags, NULL)) {
|
||
debug("mount(cgroup/net, MS_BIND) failed: %d\n", errno);
|
||
}
|
||
}
|
||
#endif
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE || SYZ_SANDBOX_SETUID || SYZ_SANDBOX_NAMESPACE || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
|
||
#include <errno.h>
|
||
#include <sys/mount.h>
|
||
|
||
static void setup_common()
|
||
{
|
||
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
|
||
debug("mount(fusectl) failed: %d\n", errno);
|
||
}
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_CGROUPS
|
||
setup_cgroups();
|
||
#endif
|
||
}
|
||
|
||
#include <sched.h>
|
||
#include <sys/prctl.h>
|
||
#include <sys/resource.h>
|
||
#include <sys/time.h>
|
||
#include <sys/wait.h>
|
||
|
||
static void loop();
|
||
|
||
static void sandbox_common()
|
||
{
|
||
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
|
||
setpgrp();
|
||
setsid();
|
||
|
||
#if SYZ_EXECUTOR || __NR_syz_init_net_socket
|
||
int netns = open("/proc/self/ns/net", O_RDONLY);
|
||
if (netns == -1)
|
||
fail("open(/proc/self/ns/net) failed");
|
||
if (dup2(netns, kInitNetNsFd) < 0)
|
||
fail("dup2(netns, kInitNetNsFd) failed");
|
||
close(netns);
|
||
#endif
|
||
|
||
struct rlimit rlim;
|
||
#if SYZ_EXECUTOR
|
||
rlim.rlim_cur = rlim.rlim_max = (200 << 20) +
|
||
(kMaxThreads * kCoverSize + kExtraCoverSize) * sizeof(void*);
|
||
#else
|
||
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
|
||
#endif
|
||
setrlimit(RLIMIT_AS, &rlim);
|
||
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
|
||
setrlimit(RLIMIT_MEMLOCK, &rlim);
|
||
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
|
||
setrlimit(RLIMIT_FSIZE, &rlim);
|
||
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
|
||
setrlimit(RLIMIT_STACK, &rlim);
|
||
rlim.rlim_cur = rlim.rlim_max = 0;
|
||
setrlimit(RLIMIT_CORE, &rlim);
|
||
rlim.rlim_cur = rlim.rlim_max = 256; // see kMaxFd
|
||
setrlimit(RLIMIT_NOFILE, &rlim);
|
||
|
||
// CLONE_NEWNS/NEWCGROUP cause EINVAL on some systems,
|
||
// so we do them separately of clone in do_sandbox_namespace.
|
||
if (unshare(CLONE_NEWNS)) {
|
||
debug("unshare(CLONE_NEWNS): %d\n", errno);
|
||
}
|
||
if (unshare(CLONE_NEWIPC)) {
|
||
debug("unshare(CLONE_NEWIPC): %d\n", errno);
|
||
}
|
||
if (unshare(0x02000000)) {
|
||
debug("unshare(CLONE_NEWCGROUP): %d\n", errno);
|
||
}
|
||
if (unshare(CLONE_NEWUTS)) {
|
||
debug("unshare(CLONE_NEWUTS): %d\n", errno);
|
||
}
|
||
if (unshare(CLONE_SYSVSEM)) {
|
||
debug("unshare(CLONE_SYSVSEM): %d\n", errno);
|
||
}
|
||
// These sysctl's restrict ipc resource usage (by default it's possible
|
||
// to eat all system memory by creating e.g. lots of large sem sets).
|
||
// These sysctl's are per-namespace, so we need to set them inside
|
||
// of the test ipc namespace (after CLONE_NEWIPC).
|
||
typedef struct {
|
||
const char* name;
|
||
const char* value;
|
||
} sysctl_t;
|
||
static const sysctl_t sysctls[] = {
|
||
{"/proc/sys/kernel/shmmax", "16777216"},
|
||
{"/proc/sys/kernel/shmall", "536870912"},
|
||
{"/proc/sys/kernel/shmmni", "1024"},
|
||
{"/proc/sys/kernel/msgmax", "8192"},
|
||
{"/proc/sys/kernel/msgmni", "1024"},
|
||
{"/proc/sys/kernel/msgmnb", "1024"},
|
||
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
|
||
};
|
||
unsigned i;
|
||
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
|
||
write_file(sysctls[i].name, sysctls[i].value);
|
||
}
|
||
|
||
int wait_for_loop(int pid)
|
||
{
|
||
if (pid < 0)
|
||
fail("sandbox fork failed");
|
||
debug("spawned loop pid %d\n", pid);
|
||
int status = 0;
|
||
while (waitpid(-1, &status, __WALL) != pid) {
|
||
}
|
||
return WEXITSTATUS(status);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_NONE
|
||
#include <sched.h>
|
||
#include <sys/types.h>
|
||
|
||
static int do_sandbox_none(void)
|
||
{
|
||
// CLONE_NEWPID takes effect for the first child of the current process,
|
||
// so we do it before fork to make the loop "init" process of the namespace.
|
||
// We ought to do fail here, but sandbox=none is used in pkg/ipc tests
|
||
// and they are usually run under non-root.
|
||
// Also since debug is stripped by pkg/csource, we need to do {}
|
||
// even though we generally don't do {} around single statements.
|
||
if (unshare(CLONE_NEWPID)) {
|
||
debug("unshare(CLONE_NEWPID): %d\n", errno);
|
||
}
|
||
int pid = fork();
|
||
if (pid != 0)
|
||
return wait_for_loop(pid);
|
||
|
||
setup_common();
|
||
sandbox_common();
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices_init();
|
||
#endif
|
||
if (unshare(CLONE_NEWNET)) {
|
||
debug("unshare(CLONE_NEWNET): %d\n", errno);
|
||
}
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
initialize_tun();
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices();
|
||
#endif
|
||
loop();
|
||
doexit(1);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_SETUID
|
||
#include <grp.h>
|
||
#include <sched.h>
|
||
#include <sys/prctl.h>
|
||
|
||
#define SYZ_HAVE_SANDBOX_SETUID 1
|
||
static int do_sandbox_setuid(void)
|
||
{
|
||
if (unshare(CLONE_NEWPID)) {
|
||
debug("unshare(CLONE_NEWPID): %d\n", errno);
|
||
}
|
||
int pid = fork();
|
||
if (pid != 0)
|
||
return wait_for_loop(pid);
|
||
|
||
setup_common();
|
||
sandbox_common();
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices_init();
|
||
#endif
|
||
if (unshare(CLONE_NEWNET)) {
|
||
debug("unshare(CLONE_NEWNET): %d\n", errno);
|
||
}
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
initialize_tun();
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices();
|
||
#endif
|
||
|
||
const int nobody = 65534;
|
||
if (setgroups(0, NULL))
|
||
fail("failed to setgroups");
|
||
if (syscall(SYS_setresgid, nobody, nobody, nobody))
|
||
fail("failed to setresgid");
|
||
if (syscall(SYS_setresuid, nobody, nobody, nobody))
|
||
fail("failed to setresuid");
|
||
|
||
// This is required to open /proc/self/* files.
|
||
// Otherwise they are owned by root and we can't open them after setuid.
|
||
// See task_dump_owner function in kernel.
|
||
prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
|
||
|
||
loop();
|
||
doexit(1);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_NAMESPACE
|
||
#include <linux/capability.h>
|
||
#include <sched.h>
|
||
#include <sys/mman.h>
|
||
#include <sys/mount.h>
|
||
|
||
static int real_uid;
|
||
static int real_gid;
|
||
__attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20];
|
||
|
||
static int namespace_sandbox_proc(void* arg)
|
||
{
|
||
sandbox_common();
|
||
|
||
// /proc/self/setgroups is not present on some systems, ignore error.
|
||
write_file("/proc/self/setgroups", "deny");
|
||
if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid))
|
||
fail("write of /proc/self/uid_map failed");
|
||
if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid))
|
||
fail("write of /proc/self/gid_map failed");
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices_init();
|
||
#endif
|
||
// CLONE_NEWNET must always happen before tun setup,
|
||
// because we want the tun device in the test namespace.
|
||
if (unshare(CLONE_NEWNET))
|
||
fail("unshare(CLONE_NEWNET)");
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
// We setup tun here as it needs to be in the test net namespace,
|
||
// which in turn needs to be in the test user namespace.
|
||
// However, IFF_NAPI_FRAGS will fail as we are not root already.
|
||
// TODO: we should create tun in the init net namespace and use setns
|
||
// to move it to the target namespace.
|
||
initialize_tun();
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
initialize_netdevices();
|
||
#endif
|
||
|
||
if (mkdir("./syz-tmp", 0777))
|
||
fail("mkdir(syz-tmp) failed");
|
||
if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
|
||
fail("mount(tmpfs) failed");
|
||
if (mkdir("./syz-tmp/newroot", 0777))
|
||
fail("mkdir failed");
|
||
if (mkdir("./syz-tmp/newroot/dev", 0700))
|
||
fail("mkdir failed");
|
||
unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
|
||
if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
|
||
fail("mount(dev) failed");
|
||
if (mkdir("./syz-tmp/newroot/proc", 0700))
|
||
fail("mkdir failed");
|
||
if (mount(NULL, "./syz-tmp/newroot/proc", "proc", 0, NULL))
|
||
fail("mount(proc) failed");
|
||
if (mkdir("./syz-tmp/newroot/selinux", 0700))
|
||
fail("mkdir failed");
|
||
// selinux mount used to be at /selinux, but then moved to /sys/fs/selinux.
|
||
const char* selinux_path = "./syz-tmp/newroot/selinux";
|
||
if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
|
||
if (errno != ENOENT)
|
||
fail("mount(/selinux) failed");
|
||
if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
|
||
fail("mount(/sys/fs/selinux) failed");
|
||
}
|
||
if (mkdir("./syz-tmp/newroot/sys", 0700))
|
||
fail("mkdir failed");
|
||
if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
|
||
fail("mount(sysfs) failed");
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_CGROUPS
|
||
initialize_cgroups();
|
||
#endif
|
||
if (mkdir("./syz-tmp/pivot", 0777))
|
||
fail("mkdir failed");
|
||
if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
|
||
debug("pivot_root failed\n");
|
||
if (chdir("./syz-tmp"))
|
||
fail("chdir failed");
|
||
} else {
|
||
debug("pivot_root OK\n");
|
||
if (chdir("/"))
|
||
fail("chdir failed");
|
||
if (umount2("./pivot", MNT_DETACH))
|
||
fail("umount failed");
|
||
}
|
||
if (chroot("./newroot"))
|
||
fail("chroot failed");
|
||
if (chdir("/"))
|
||
fail("chdir failed");
|
||
|
||
// Drop CAP_SYS_PTRACE so that test processes can't attach to parent processes.
|
||
// Previously it lead to hangs because the loop process stopped due to SIGSTOP.
|
||
// Note that a process can always ptrace its direct children, which is enough
|
||
// for testing purposes.
|
||
struct __user_cap_header_struct cap_hdr = {};
|
||
struct __user_cap_data_struct cap_data[2] = {};
|
||
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
|
||
cap_hdr.pid = getpid();
|
||
if (syscall(SYS_capget, &cap_hdr, &cap_data))
|
||
fail("capget failed");
|
||
cap_data[0].effective &= ~(1 << CAP_SYS_PTRACE);
|
||
cap_data[0].permitted &= ~(1 << CAP_SYS_PTRACE);
|
||
cap_data[0].inheritable &= ~(1 << CAP_SYS_PTRACE);
|
||
if (syscall(SYS_capset, &cap_hdr, &cap_data))
|
||
fail("capset failed");
|
||
|
||
loop();
|
||
doexit(1);
|
||
}
|
||
|
||
#define SYZ_HAVE_SANDBOX_NAMESPACE 1
|
||
static int do_sandbox_namespace(void)
|
||
{
|
||
int pid;
|
||
|
||
setup_common();
|
||
real_uid = getuid();
|
||
real_gid = getgid();
|
||
mprotect(sandbox_stack, 4096, PROT_NONE); // to catch stack underflows
|
||
pid = clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64],
|
||
CLONE_NEWUSER | CLONE_NEWPID, 0);
|
||
return wait_for_loop(pid);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_SANDBOX_ANDROID_UNTRUSTED_APP
|
||
#include <fcntl.h> // open(2)
|
||
#include <grp.h> // setgroups
|
||
#include <sys/xattr.h> // setxattr, getxattr
|
||
|
||
#define AID_NET_BT_ADMIN 3001
|
||
#define AID_NET_BT 3002
|
||
#define AID_INET 3003
|
||
#define AID_EVERYBODY 9997
|
||
#define AID_APP 10000
|
||
|
||
#define UNTRUSTED_APP_UID AID_APP + 999
|
||
#define UNTRUSTED_APP_GID AID_APP + 999
|
||
|
||
const char* SELINUX_CONTEXT_UNTRUSTED_APP = "u:r:untrusted_app:s0:c512,c768";
|
||
const char* SELINUX_LABEL_APP_DATA_FILE = "u:object_r:app_data_file:s0:c512,c768";
|
||
const char* SELINUX_CONTEXT_FILE = "/proc/thread-self/attr/current";
|
||
const char* SELINUX_XATTR_NAME = "security.selinux";
|
||
|
||
const gid_t UNTRUSTED_APP_GROUPS[] = {UNTRUSTED_APP_GID, AID_NET_BT_ADMIN, AID_NET_BT, AID_INET, AID_EVERYBODY};
|
||
const size_t UNTRUSTED_APP_NUM_GROUPS = sizeof(UNTRUSTED_APP_GROUPS) / sizeof(UNTRUSTED_APP_GROUPS[0]);
|
||
|
||
// Similar to libselinux getcon(3), but:
|
||
// - No library dependency
|
||
// - No dynamic memory allocation
|
||
// - Uses fail() instead of returning an error code
|
||
static void syz_getcon(char* context, size_t context_size)
|
||
{
|
||
int fd = open(SELINUX_CONTEXT_FILE, O_RDONLY);
|
||
|
||
if (fd < 0)
|
||
fail("getcon: Couldn't open %s", SELINUX_CONTEXT_FILE);
|
||
|
||
ssize_t nread = read(fd, context, context_size);
|
||
|
||
close(fd);
|
||
|
||
if (nread <= 0)
|
||
fail("getcon: Failed to read from %s", SELINUX_CONTEXT_FILE);
|
||
|
||
// The contents of the context file MAY end with a newline
|
||
// and MAY not have a null terminator. Handle this here.
|
||
if (context[nread - 1] == '\n')
|
||
context[nread - 1] = '\0';
|
||
}
|
||
|
||
// Similar to libselinux setcon(3), but:
|
||
// - No library dependency
|
||
// - No dynamic memory allocation
|
||
// - Uses fail() instead of returning an error code
|
||
static void syz_setcon(const char* context)
|
||
{
|
||
char new_context[512];
|
||
|
||
// Attempt to write the new context
|
||
int fd = open(SELINUX_CONTEXT_FILE, O_WRONLY);
|
||
|
||
if (fd < 0)
|
||
fail("setcon: Could not open %s", SELINUX_CONTEXT_FILE);
|
||
|
||
ssize_t bytes_written = write(fd, context, strlen(context));
|
||
|
||
// N.B.: We cannot reuse this file descriptor, since the target SELinux context
|
||
// may not be able to read from it.
|
||
close(fd);
|
||
|
||
if (bytes_written != (ssize_t)strlen(context))
|
||
fail("setcon: Could not write entire context. Wrote %zi, expected %zu", bytes_written, strlen(context));
|
||
|
||
// Validate the transition by checking the context
|
||
syz_getcon(new_context, sizeof(new_context));
|
||
|
||
if (strcmp(context, new_context) != 0)
|
||
fail("setcon: Failed to change to %s, context is %s", context, new_context);
|
||
}
|
||
|
||
// Similar to libselinux getfilecon(3), but:
|
||
// - No library dependency
|
||
// - No dynamic memory allocation
|
||
// - Uses fail() instead of returning an error code
|
||
static int syz_getfilecon(const char* path, char* context, size_t context_size)
|
||
{
|
||
int length = getxattr(path, SELINUX_XATTR_NAME, context, context_size);
|
||
|
||
if (length == -1)
|
||
fail("getfilecon: getxattr failed");
|
||
|
||
return length;
|
||
}
|
||
|
||
// Similar to libselinux setfilecon(3), but:
|
||
// - No library dependency
|
||
// - No dynamic memory allocation
|
||
// - Uses fail() instead of returning an error code
|
||
static void syz_setfilecon(const char* path, const char* context)
|
||
{
|
||
char new_context[512];
|
||
|
||
if (setxattr(path, SELINUX_XATTR_NAME, context, strlen(context) + 1, 0) != 0)
|
||
fail("setfilecon: setxattr failed");
|
||
|
||
if (syz_getfilecon(path, new_context, sizeof(new_context)) <= 0)
|
||
fail("setfilecon: getfilecon failed");
|
||
|
||
if (strcmp(context, new_context) != 0)
|
||
fail("setfilecon: could not set context to %s, currently %s", context, new_context);
|
||
}
|
||
|
||
#define SYZ_HAVE_SANDBOX_ANDROID_UNTRUSTED_APP 1
|
||
static int do_sandbox_android_untrusted_app(void)
|
||
{
|
||
setup_common();
|
||
sandbox_common();
|
||
|
||
if (chown(".", UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
|
||
fail("chmod failed");
|
||
|
||
if (setgroups(UNTRUSTED_APP_NUM_GROUPS, UNTRUSTED_APP_GROUPS) != 0)
|
||
fail("setgroups failed");
|
||
|
||
if (setresgid(UNTRUSTED_APP_GID, UNTRUSTED_APP_GID, UNTRUSTED_APP_GID) != 0)
|
||
fail("setresgid failed");
|
||
|
||
if (setresuid(UNTRUSTED_APP_UID, UNTRUSTED_APP_UID, UNTRUSTED_APP_UID) != 0)
|
||
fail("setresuid failed");
|
||
|
||
syz_setfilecon(".", SELINUX_LABEL_APP_DATA_FILE);
|
||
syz_setcon(SELINUX_CONTEXT_UNTRUSTED_APP);
|
||
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
initialize_tun();
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_NETDEV
|
||
// Note: sandbox_android_untrusted_app does not unshare net namespace.
|
||
initialize_netdevices_init();
|
||
initialize_netdevices();
|
||
#endif
|
||
|
||
loop();
|
||
doexit(1);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT && SYZ_USE_TMP_DIR
|
||
#include <dirent.h>
|
||
#include <errno.h>
|
||
#include <string.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/mount.h>
|
||
|
||
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
|
||
|
||
// One does not simply remove a directory.
|
||
// There can be mounts, so we need to try to umount.
|
||
// Moreover, a mount can be mounted several times, so we need to try to umount in a loop.
|
||
// Moreover, after umount a dir can become non-empty again, so we need another loop.
|
||
// Moreover, a mount can be re-mounted as read-only and then we will fail to make a dir empty.
|
||
static void remove_dir(const char* dir)
|
||
{
|
||
DIR* dp;
|
||
struct dirent* ep;
|
||
int iter = 0;
|
||
retry:
|
||
while (umount2(dir, MNT_DETACH) == 0) {
|
||
debug("umount(%s)\n", dir);
|
||
}
|
||
dp = opendir(dir);
|
||
if (dp == NULL) {
|
||
if (errno == EMFILE) {
|
||
// This happens when the test process casts prlimit(NOFILE) on us.
|
||
// Ideally we somehow prevent test processes from messing with parent processes.
|
||
// But full sandboxing is expensive, so let's ignore this error for now.
|
||
exitf("opendir(%s) failed due to NOFILE, exiting", dir);
|
||
}
|
||
exitf("opendir(%s) failed", dir);
|
||
}
|
||
while ((ep = readdir(dp))) {
|
||
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
|
||
continue;
|
||
char filename[FILENAME_MAX];
|
||
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
|
||
// If it's 9p mount with broken transport, lstat will fail.
|
||
// So try to umount first.
|
||
while (umount2(filename, MNT_DETACH) == 0) {
|
||
debug("umount(%s)\n", filename);
|
||
}
|
||
struct stat st;
|
||
if (lstat(filename, &st))
|
||
exitf("lstat(%s) failed", filename);
|
||
if (S_ISDIR(st.st_mode)) {
|
||
remove_dir(filename);
|
||
continue;
|
||
}
|
||
int i;
|
||
for (i = 0;; i++) {
|
||
if (unlink(filename) == 0)
|
||
break;
|
||
if (errno == EPERM) {
|
||
// Try to reset FS_XFLAG_IMMUTABLE.
|
||
int fd = open(filename, O_RDONLY);
|
||
if (fd != -1) {
|
||
long flags = 0;
|
||
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
|
||
debug("reset FS_XFLAG_IMMUTABLE\n");
|
||
close(fd);
|
||
continue;
|
||
}
|
||
}
|
||
if (errno == EROFS) {
|
||
debug("ignoring EROFS\n");
|
||
break;
|
||
}
|
||
if (errno != EBUSY || i > 100)
|
||
exitf("unlink(%s) failed", filename);
|
||
debug("umount(%s)\n", filename);
|
||
if (umount2(filename, MNT_DETACH))
|
||
exitf("umount(%s) failed", filename);
|
||
}
|
||
}
|
||
closedir(dp);
|
||
int i;
|
||
for (i = 0;; i++) {
|
||
if (rmdir(dir) == 0)
|
||
break;
|
||
if (i < 100) {
|
||
if (errno == EPERM) {
|
||
// Try to reset FS_XFLAG_IMMUTABLE.
|
||
int fd = open(dir, O_RDONLY);
|
||
if (fd != -1) {
|
||
long flags = 0;
|
||
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
|
||
debug("reset FS_XFLAG_IMMUTABLE\n");
|
||
close(fd);
|
||
continue;
|
||
}
|
||
}
|
||
if (errno == EROFS) {
|
||
debug("ignoring EROFS\n");
|
||
break;
|
||
}
|
||
if (errno == EBUSY) {
|
||
debug("umount(%s)\n", dir);
|
||
if (umount2(dir, MNT_DETACH))
|
||
exitf("umount(%s) failed", dir);
|
||
continue;
|
||
}
|
||
if (errno == ENOTEMPTY) {
|
||
if (iter < 100) {
|
||
iter++;
|
||
goto retry;
|
||
}
|
||
}
|
||
}
|
||
exitf("rmdir(%s) failed", dir);
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION
|
||
#include <fcntl.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static int inject_fault(int nth)
|
||
{
|
||
int fd;
|
||
fd = open("/proc/thread-self/fail-nth", O_RDWR);
|
||
// We treat errors here as temporal/non-critical because we see
|
||
// occasional ENOENT/EACCES errors returned. It seems that fuzzer
|
||
// somehow gets its hands to it.
|
||
if (fd == -1)
|
||
exitf("failed to open /proc/thread-self/fail-nth");
|
||
char buf[16];
|
||
sprintf(buf, "%d", nth + 1);
|
||
if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
|
||
exitf("failed to write /proc/thread-self/fail-nth");
|
||
return fd;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR
|
||
static int fault_injected(int fail_fd)
|
||
{
|
||
char buf[16];
|
||
int n = read(fail_fd, buf, sizeof(buf) - 1);
|
||
if (n <= 0)
|
||
exitf("failed to read /proc/thread-self/fail-nth");
|
||
int res = n == 2 && buf[0] == '0' && buf[1] == '\n';
|
||
buf[0] = '0';
|
||
if (write(fail_fd, buf, 1) != 1)
|
||
exitf("failed to write /proc/thread-self/fail-nth");
|
||
close(fail_fd);
|
||
return res;
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT
|
||
#include <dirent.h>
|
||
#include <errno.h>
|
||
#include <fcntl.h>
|
||
#include <signal.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
#include <sys/wait.h>
|
||
|
||
static void kill_and_wait(int pid, int* status)
|
||
{
|
||
kill(-pid, SIGKILL);
|
||
kill(pid, SIGKILL);
|
||
int i;
|
||
// First, give it up to 100 ms to surrender.
|
||
for (i = 0; i < 100; i++) {
|
||
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
|
||
return;
|
||
usleep(1000);
|
||
}
|
||
// Now, try to abort fuse connections as they cause deadlocks,
|
||
// see Documentation/filesystems/fuse.txt for details.
|
||
// There is no good way to figure out the right connections
|
||
// provided that the process could use unshare(CLONE_NEWNS),
|
||
// so we abort all.
|
||
debug("kill is not working\n");
|
||
DIR* dir = opendir("/sys/fs/fuse/connections");
|
||
if (dir) {
|
||
for (;;) {
|
||
struct dirent* ent = readdir(dir);
|
||
if (!ent)
|
||
break;
|
||
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
|
||
continue;
|
||
char abort[300];
|
||
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
|
||
int fd = open(abort, O_WRONLY);
|
||
if (fd == -1) {
|
||
debug("failed to open %s: %d\n", abort, errno);
|
||
continue;
|
||
}
|
||
debug("aborting fuse conn %s\n", ent->d_name);
|
||
if (write(fd, abort, 1) < 0) {
|
||
debug("failed to abort: %d\n", errno);
|
||
}
|
||
close(fd);
|
||
}
|
||
closedir(dir);
|
||
} else {
|
||
debug("failed to open /sys/fs/fuse/connections: %d\n", errno);
|
||
}
|
||
// Now, just wait, no other options.
|
||
while (waitpid(-1, status, __WALL) != pid) {
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT && (SYZ_ENABLE_CGROUPS || SYZ_RESET_NET_NAMESPACE)
|
||
#include <fcntl.h>
|
||
#include <sys/ioctl.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
#include <unistd.h>
|
||
|
||
#define SYZ_HAVE_SETUP_LOOP 1
|
||
static void setup_loop()
|
||
{
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_CGROUPS
|
||
setup_cgroups_loop();
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_RESET_NET_NAMESPACE
|
||
checkpoint_net_namespace();
|
||
#endif
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT && (SYZ_RESET_NET_NAMESPACE || __NR_syz_mount_image || __NR_syz_read_part_table)
|
||
#define SYZ_HAVE_RESET_LOOP 1
|
||
static void reset_loop()
|
||
{
|
||
#if SYZ_EXECUTOR || __NR_syz_mount_image || __NR_syz_read_part_table
|
||
char buf[64];
|
||
snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
|
||
int loopfd = open(buf, O_RDWR);
|
||
if (loopfd != -1) {
|
||
ioctl(loopfd, LOOP_CLR_FD, 0);
|
||
close(loopfd);
|
||
}
|
||
#endif
|
||
#if SYZ_EXECUTOR || SYZ_RESET_NET_NAMESPACE
|
||
reset_net_namespace();
|
||
#endif
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_REPEAT
|
||
#include <sys/prctl.h>
|
||
|
||
#define SYZ_HAVE_SETUP_TEST 1
|
||
static void setup_test()
|
||
{
|
||
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
|
||
setpgrp();
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_CGROUPS
|
||
setup_cgroups_test();
|
||
#endif
|
||
// It's the leaf test process we want to be always killed first.
|
||
write_file("/proc/self/oom_score_adj", "1000");
|
||
#if SYZ_EXECUTOR || SYZ_TUN_ENABLE
|
||
// Read all remaining packets from tun to better
|
||
// isolate consequently executing programs.
|
||
flush_tun();
|
||
#endif
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_CLOSE_FDS
|
||
#define SYZ_HAVE_CLOSE_FDS 1
|
||
static void close_fds()
|
||
{
|
||
#if SYZ_EXECUTOR
|
||
if (!flag_enable_close_fds)
|
||
return;
|
||
#endif
|
||
// Keeping a 9p transport pipe open will hang the proccess dead,
|
||
// so close all opened file descriptors.
|
||
// Also close all USB emulation descriptors to trigger exit from USB
|
||
// event loop to collect coverage.
|
||
int fd;
|
||
for (fd = 3; fd < 30; fd++)
|
||
close(fd);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_FAULT_INJECTION
|
||
#include <errno.h>
|
||
|
||
static void setup_fault()
|
||
{
|
||
static struct {
|
||
const char* file;
|
||
const char* val;
|
||
bool fatal;
|
||
} files[] = {
|
||
{"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
|
||
// These are enabled by separate configs (e.g. CONFIG_FAIL_FUTEX)
|
||
// and we did not check all of them in host.checkFaultInjection, so we ignore errors.
|
||
{"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
|
||
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
|
||
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
|
||
{"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
|
||
};
|
||
unsigned i;
|
||
for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
|
||
if (!write_file(files[i].file, files[i].val)) {
|
||
debug("failed to write %s: %d\n", files[i].file, errno);
|
||
if (files[i].fatal)
|
||
fail("failed to write %s", files[i].file);
|
||
}
|
||
}
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_LEAK
|
||
#include <fcntl.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"
|
||
|
||
static void setup_leak()
|
||
{
|
||
// Flush boot leaks.
|
||
if (!write_file(KMEMLEAK_FILE, "scan"))
|
||
fail("failed to write %s", KMEMLEAK_FILE);
|
||
sleep(5); // account for MSECS_MIN_AGE
|
||
if (!write_file(KMEMLEAK_FILE, "scan"))
|
||
fail("failed to write %s", KMEMLEAK_FILE);
|
||
if (!write_file(KMEMLEAK_FILE, "clear"))
|
||
fail("failed to write %s", KMEMLEAK_FILE);
|
||
}
|
||
|
||
#define SYZ_HAVE_LEAK_CHECK 1
|
||
#if SYZ_EXECUTOR
|
||
static void check_leaks(char** frames, int nframes)
|
||
#else
|
||
static void check_leaks(void)
|
||
#endif
|
||
{
|
||
int fd = open(KMEMLEAK_FILE, O_RDWR);
|
||
if (fd == -1)
|
||
fail("failed to open(\"%s\")", KMEMLEAK_FILE);
|
||
// KMEMLEAK has false positives. To mitigate most of them, it checksums
|
||
// potentially leaked objects, and reports them only on the next scan
|
||
// iff the checksum does not change. Because of that we do the following
|
||
// intricate dance:
|
||
// Scan, sleep, scan again. At this point we can get some leaks.
|
||
// If there are leaks, we sleep and scan again, this can remove
|
||
// false leaks. Then, read kmemleak again. If we get leaks now, then
|
||
// hopefully these are true positives during the previous testing cycle.
|
||
uint64 start = current_time_ms();
|
||
if (write(fd, "scan", 4) != 4)
|
||
fail("failed to write(%s, \"scan\")", KMEMLEAK_FILE);
|
||
sleep(1);
|
||
// Account for MSECS_MIN_AGE
|
||
// (1 second less because scanning will take at least a second).
|
||
while (current_time_ms() - start < 4 * 1000)
|
||
sleep(1);
|
||
if (write(fd, "scan", 4) != 4)
|
||
fail("failed to write(%s, \"scan\")", KMEMLEAK_FILE);
|
||
static char buf[128 << 10];
|
||
ssize_t n = read(fd, buf, sizeof(buf) - 1);
|
||
if (n < 0)
|
||
fail("failed to read(%s)", KMEMLEAK_FILE);
|
||
int nleaks = 0;
|
||
if (n != 0) {
|
||
sleep(1);
|
||
if (write(fd, "scan", 4) != 4)
|
||
fail("failed to write(%s, \"scan\")", KMEMLEAK_FILE);
|
||
if (lseek(fd, 0, SEEK_SET) < 0)
|
||
fail("failed to lseek(%s)", KMEMLEAK_FILE);
|
||
n = read(fd, buf, sizeof(buf) - 1);
|
||
if (n < 0)
|
||
fail("failed to read(%s)", KMEMLEAK_FILE);
|
||
buf[n] = 0;
|
||
char* pos = buf;
|
||
char* end = buf + n;
|
||
while (pos < end) {
|
||
char* next = strstr(pos + 1, "unreferenced object");
|
||
if (!next)
|
||
next = end;
|
||
char prev = *next;
|
||
*next = 0;
|
||
#if SYZ_EXECUTOR
|
||
int f;
|
||
for (f = 0; f < nframes; f++) {
|
||
if (strstr(pos, frames[f]))
|
||
break;
|
||
}
|
||
if (f != nframes) {
|
||
*next = prev;
|
||
pos = next;
|
||
continue;
|
||
}
|
||
#endif
|
||
// BUG in output should be recognized by manager.
|
||
fprintf(stderr, "BUG: memory leak\n%s\n", pos);
|
||
*next = prev;
|
||
pos = next;
|
||
nleaks++;
|
||
}
|
||
}
|
||
if (write(fd, "clear", 5) != 5)
|
||
fail("failed to write(%s, \"clear\")", KMEMLEAK_FILE);
|
||
close(fd);
|
||
if (nleaks)
|
||
doexit(1);
|
||
}
|
||
#endif
|
||
|
||
#if SYZ_EXECUTOR || SYZ_ENABLE_BINFMT_MISC
|
||
#include <fcntl.h>
|
||
#include <sys/mount.h>
|
||
#include <sys/stat.h>
|
||
#include <sys/types.h>
|
||
|
||
static void setup_binfmt_misc()
|
||
{
|
||
if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
|
||
debug("mount(binfmt_misc) failed: %d\n", errno);
|
||
}
|
||
write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
|
||
write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC");
|
||
}
|
||
#endif
|