prog: prevent sandbox escaping files from entering s.files

3 files changed, 28 insertions, 2 deletions

diff --git a/prog/analysis.go b/prog/analysis.go
index c26e14014..f03f828b9 100644
--- a/prog/analysis.go
+++ b/prog/analysis.go
@@ -83,7 +83,7 @@ func (s *state) analyzeImpl(c *Call, resources bool) {
 				case BufferString:
 					s.strings[val] = true
 				case BufferFilename:
-					if len(val) < 3 {
+					if len(val) < 3 || escapingFilename(val) {
 						// This is not our file, probalby one of specialFiles.
 						return
 					}
diff --git a/prog/rand.go b/prog/rand.go
index 2e028d230..b479d1e8c 100644
--- a/prog/rand.go
+++ b/prog/rand.go
@@ -158,7 +158,7 @@ func (r *randGen) filename(s *state, typ *BufferType) string {
 		panic(fmt.Sprintf("zero-terminated filename: %q", fn))
 	}
 	if escapingFilename(fn) {
-		panic(fmt.Sprintf("sandbox escaping file name %q", fn))
+		panic(fmt.Sprintf("sandbox escaping file name %q, s.files are %v", fn, s.files))
 	}
 	if !typ.Varlen() {
 		size := typ.Size()
diff --git a/prog/rand_test.go b/prog/rand_test.go
new file mode 100644
index 000000000..1771a0052
--- /dev/null
+++ b/prog/rand_test.go
@@ -0,0 +1,26 @@
+// Copyright 2018 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package prog
+
+import (
+	"math/rand"
+	"testing"
+)
+
+func TestNotEscaping(t *testing.T) {
+	r := newRand(nil, rand.NewSource(0))
+	s := &state{
+		files: map[string]bool{"./file0": true},
+	}
+	bound := 1000000
+	if testing.Short() {
+		bound = 1000
+	}
+	for i := 0; i < bound; i++ {
+		fn := r.filenameImpl(s)
+		if escapingFilename(fn) {
+			t.Errorf("sandbox escaping file name %q", fn)
+		}
+	}
+}