diff options
| author | Andrey Konovalov <andreyknvl@gmail.com> | 2017-01-18 19:37:40 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-01-18 19:37:40 +0100 |
| commit | 43383bd973203b4b70b2c4b4fa46f84dc003f560 (patch) | |
| tree | b2f244143ce9ecc11d20d47735e5044f4f4ef9e1 | |
| parent | 1ac75f06add54089e4910ecb6a97198336155c63 (diff) | |
| parent | a370347640ba8b56360a092746dd6133a392792d (diff) | |
Merge pull request #108 from xairy/fix-align
Fix alignment and padding
| -rw-r--r-- | prog/encodingexec.go | 57 | ||||
| -rw-r--r-- | prog/encodingexec_test.go | 76 | ||||
| -rw-r--r-- | prog/mutation.go | 11 | ||||
| -rw-r--r-- | prog/prog.go | 18 | ||||
| -rw-r--r-- | prog/validation.go | 7 | ||||
| -rw-r--r-- | sys/align.go | 43 | ||||
| -rw-r--r-- | sys/decl.go | 13 | ||||
| -rw-r--r-- | sys/test.txt | 120 | ||||
| -rw-r--r-- | sysgen/sysgen.go | 6 |
9 files changed, 281 insertions, 70 deletions
diff --git a/prog/encodingexec.go b/prog/encodingexec.go index 57ff32eab..6dc8c88d2 100644 --- a/prog/encodingexec.go +++ b/prog/encodingexec.go @@ -38,47 +38,45 @@ func (p *Prog) SerializeForExec(pid int) []byte { w := &execContext{args: make(map[*Arg]*argInfo)} for _, c := range p.Calls { // Calculate arg offsets within structs. - foreachArg(c, func(arg, base *Arg, _ *[]*Arg) { - if base == nil || arg.Kind == ArgGroup || arg.Kind == ArgUnion { - return - } - if w.args[base] == nil { - w.args[base] = &argInfo{} - } - w.args[arg] = &argInfo{Offset: w.args[base].CurSize} - if arg.Type.BitfieldLength() == 0 || arg.Type.BitfieldLast() { - w.args[base].CurSize += arg.Size() - } - }) // Generate copyin instructions that fill in data into pointer arguments. foreachArg(c, func(arg, _ *Arg, _ *[]*Arg) { if arg.Kind == ArgPointer && arg.Res != nil { - var rec func(*Arg) - rec = func(arg1 *Arg) { + var rec func(*Arg, uintptr) uintptr + rec = func(arg1 *Arg, offset uintptr) uintptr { + w.args[arg1] = &argInfo{Offset: offset} if arg1.Kind == ArgGroup { + var totalSize uintptr for _, arg2 := range arg1.Inner { - rec(arg2) + size := rec(arg2, offset) + if arg2.Type.BitfieldLength() == 0 || arg2.Type.BitfieldLast() { + offset += size + totalSize += size + } + } + if totalSize > arg1.Size() { + panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %+v", totalSize, arg1.Size(), arg1)) } - return + return arg1.Size() } if arg1.Kind == ArgUnion { - rec(arg1.Option) - return - } - if sys.IsPad(arg1.Type) { - return - } - if arg1.Kind == ArgData && len(arg1.Data) == 0 { - return + size := rec(arg1.Option, offset) + offset += size + if size > arg1.Size() { + panic(fmt.Sprintf("bad union arg size %v, should be <= %v for %+v", size, arg1.Size(), arg1)) + } + return arg1.Size() } - if arg1.Type.Dir() != sys.DirOut { + if !sys.IsPad(arg1.Type) && + !(arg1.Kind == ArgData && len(arg1.Data) == 0) && + arg1.Type.Dir() != sys.DirOut { w.write(ExecInstrCopyin) - w.write(physicalAddr(arg) + w.args[arg1].Offset) + w.write(physicalAddr(arg) + offset) w.writeArg(arg1, pid) instrSeq++ } + return arg1.Size() } - rec(arg.Res) + rec(arg.Res, 0) } }) // Generate the call itself. @@ -136,9 +134,8 @@ type execContext struct { } type argInfo struct { - Offset uintptr // from base pointer - CurSize uintptr - Idx uintptr // instruction index + Offset uintptr // from base pointer + Idx uintptr // instruction index } func (w *execContext) write(v uintptr) { diff --git a/prog/encodingexec_test.go b/prog/encodingexec_test.go index 25960b338..5ff80b698 100644 --- a/prog/encodingexec_test.go +++ b/prog/encodingexec_test.go @@ -91,6 +91,49 @@ func TestSerializeForExec(t *testing.T) { }, }, { + "syz_test$align2(&(0x7f0000000000)={0x42, {[0x43]}, {[0x44]}})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0, + instrCopyin, dataOffset + 1, argConst, 2, 0x43, 0, 0, + instrCopyin, dataOffset + 4, argConst, 2, 0x44, 0, 0, + callID("syz_test$align2"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { + "syz_test$align3(&(0x7f0000000000)={0x42, {0x43}, {0x44}})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0, + instrCopyin, dataOffset + 1, argConst, 1, 0x43, 0, 0, + instrCopyin, dataOffset + 4, argConst, 1, 0x44, 0, 0, + callID("syz_test$align3"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { + "syz_test$align4(&(0x7f0000000000)={{0x42, 0x43}, 0x44})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 1, 0x42, 0, 0, + instrCopyin, dataOffset + 1, argConst, 2, 0x43, 0, 0, + instrCopyin, dataOffset + 4, argConst, 1, 0x44, 0, 0, + callID("syz_test$align4"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { + "syz_test$align5(&(0x7f0000000000)={{0x42, []}, {0x43, [0x44, 0x45, 0x46]}, 0x47})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 8, 0x42, 0, 0, + instrCopyin, dataOffset + 8, argConst, 8, 0x43, 0, 0, + instrCopyin, dataOffset + 16, argConst, 2, 0x44, 0, 0, + instrCopyin, dataOffset + 18, argConst, 2, 0x45, 0, 0, + instrCopyin, dataOffset + 20, argConst, 2, 0x46, 0, 0, + instrCopyin, dataOffset + 24, argConst, 1, 0x47, 0, 0, + callID("syz_test$align5"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { "syz_test$union0(&(0x7f0000000000)={0x1, @f2=0x2})", []uint64{ instrCopyin, dataOffset + 0, argConst, 8, 1, 0, 0, @@ -100,6 +143,24 @@ func TestSerializeForExec(t *testing.T) { }, }, { + "syz_test$union1(&(0x7f0000000000)={@f1=0x42, 0x43})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 0, + instrCopyin, dataOffset + 8, argConst, 1, 0x43, 0, 0, + callID("syz_test$union1"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { + "syz_test$union2(&(0x7f0000000000)={@f1=0x42, 0x43})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 0, + instrCopyin, dataOffset + 4, argConst, 1, 0x43, 0, 0, + callID("syz_test$union2"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { "syz_test$array0(&(0x7f0000000000)={0x1, [@f0=0x2, @f1=0x3], 0x4})", []uint64{ instrCopyin, dataOffset + 0, argConst, 1, 1, 0, 0, @@ -152,7 +213,7 @@ func TestSerializeForExec(t *testing.T) { }, }, { - "syz_test$bf(&(0x7f0000000000)={0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42})", + "syz_test$bf0(&(0x7f0000000000)={0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42})", []uint64{ instrCopyin, dataOffset + 0, argConst, 2, 0x42, 0, 10, instrCopyin, dataOffset + 8, argConst, 8, 0x42, 0, 0, @@ -162,7 +223,18 @@ func TestSerializeForExec(t *testing.T) { instrCopyin, dataOffset + 24, argConst, 2, 0x42, 0, 11, instrCopyin, dataOffset + 26, argConst, 2, 0x4200, 0, 11, instrCopyin, dataOffset + 28, argConst, 1, 0x42, 0, 0, - callID("syz_test$bf"), 1, argConst, ptrSize, dataOffset, 0, 0, + callID("syz_test$bf0"), 1, argConst, ptrSize, dataOffset, 0, 0, + instrEOF, + }, + }, + { + "syz_test$bf1(&(0x7f0000000000)={{0x42, 0x42, 0x42}, 0x42})", + []uint64{ + instrCopyin, dataOffset + 0, argConst, 4, 0x42, 0, 10, + instrCopyin, dataOffset + 0, argConst, 4, 0x42, 10, 10, + instrCopyin, dataOffset + 0, argConst, 4, 0x42, 20, 10, + instrCopyin, dataOffset + 4, argConst, 1, 0x42, 0, 0, + callID("syz_test$bf1"), 1, argConst, ptrSize, dataOffset, 0, 0, instrEOF, }, }, diff --git a/prog/mutation.go b/prog/mutation.go index 9a48bcf98..eacce8033 100644 --- a/prog/mutation.go +++ b/prog/mutation.go @@ -5,6 +5,7 @@ package prog import ( "fmt" + "math" "math/rand" "unsafe" @@ -88,7 +89,7 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Pro panic(fmt.Sprintf("bad arg kind for BufferType: %v", arg.Kind)) } minLen := int(0) - maxLen := ^int(0) + maxLen := math.MaxInt32 if a.Kind == sys.BufferBlobRange { minLen = int(a.RangeBegin) maxLen = int(a.RangeEnd) @@ -96,7 +97,13 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Pro arg.Data = mutateData(r, data, minLen, maxLen) case sys.BufferString: if r.bin() { - arg.Data = mutateData(r, append([]byte{}, arg.Data...), int(0), ^int(0)) + minLen := int(0) + maxLen := math.MaxInt32 + if a.Length != 0 { + minLen = int(a.Length) + maxLen = int(a.Length) + } + arg.Data = mutateData(r, append([]byte{}, arg.Data...), minLen, maxLen) } else { arg.Data = r.randString(s, a.Values, a.Dir()) } diff --git a/prog/prog.go b/prog/prog.go index cdc2dfe3c..cc45b1352 100644 --- a/prog/prog.go +++ b/prog/prog.go @@ -112,11 +112,25 @@ func (a *Arg) Size() uintptr { case *sys.StructType: var size uintptr for _, fld := range a.Inner { - size += fld.Size() + if fld.Type.BitfieldLength() == 0 || fld.Type.BitfieldLast() { + size += fld.Size() + } + } + align := typ.Align() + if size%align != 0 { + if typ.Varlen { + size += align - size%align + } else { + panic(fmt.Sprintf("struct %+v with type %+v has static size %v, which isn't aligned to %v", a, typ, size, align)) + } } return size case *sys.UnionType: - return a.Option.Size() + if !typ.Varlen { + return typ.Size() + } else { + return a.Option.Size() + } case *sys.ArrayType: var size uintptr for _, in := range a.Inner { diff --git a/prog/validation.go b/prog/validation.go index b2d539282..75d8e95a4 100644 --- a/prog/validation.go +++ b/prog/validation.go @@ -97,6 +97,13 @@ func (c *Call) validate(ctx *validCtx) error { if arg.Val >= uintptr(typ1.ValuesPerProc) { return fmt.Errorf("syscall %v: per proc arg '%v' has bad value '%v'", c.Meta.Name, typ.Name(), arg.Val) } + case *sys.BufferType: + switch typ1.Kind { + case sys.BufferString: + if typ1.Length != 0 && len(arg.Data) != int(typ1.Length) { + return fmt.Errorf("syscall %v: string arg '%v' has size %v, which should be %v", c.Meta.Name, len(arg.Data), typ1.Length) + } + } } switch arg.Kind { case ArgConst: diff --git a/sys/align.go b/sys/align.go index 8b9e1a3c2..3c672b83e 100644 --- a/sys/align.go +++ b/sys/align.go @@ -22,6 +22,7 @@ func initAlign() { rec(f) } markBitfields(t1) + markVarlen(t1) addAlignment(t1) } case *UnionType: @@ -76,13 +77,38 @@ func markBitfields(t *StructType) { } } +func markVarlen(t *StructType) { + for i, f := range t.Fields { + if at, ok := f.(*StructType); ok && at.Varlen { + t.Varlen = true + } + if at, ok := f.(*UnionType); ok && at.Varlen { + t.Varlen = true + } + if at, ok := f.(*ArrayType); ok && (at.Kind == ArrayRandLen || (at.Kind == ArrayRangeLen && at.RangeBegin != at.RangeEnd)) { + t.Varlen = true + } + if at, ok := f.(*BufferType); ok && (at.Kind == BufferBlobRand || (at.Kind == BufferBlobRange && at.RangeBegin != at.RangeEnd)) { + t.Varlen = true + } + if !t.packed && t.Varlen && i != len(t.Fields)-1 { + panic(fmt.Sprintf("variable length field %+v in the middle of a struct %+v", f, t)) + } + } +} + func addAlignment(t *StructType) { if t.packed { + // If a struct is packed, statically sized and has explicitly set alignment, add a padding. + if !t.Varlen && t.align != 0 && t.Size()%t.align != 0 { + pad := t.align - t.Size()%t.align + t.Fields = append(t.Fields, makePad(pad)) + } return } var fields []Type - var off, align uintptr - varLen := false + var off uintptr + align := t.align for i, f := range t.Fields { a := f.Align() if align < a { @@ -97,21 +123,12 @@ func addAlignment(t *StructType) { } } fields = append(fields, f) - if at, ok := f.(*ArrayType); ok && (at.Kind == ArrayRandLen || (at.Kind == ArrayRangeLen && at.RangeBegin != at.RangeEnd)) { - varLen = true - } - if at, ok := f.(*BufferType); ok && (at.Kind == BufferBlobRand || (at.Kind == BufferBlobRange && at.RangeBegin != at.RangeEnd)) { - varLen = true - } - if varLen && i != len(t.Fields)-1 { - panic("embed array in middle of a struct") - } - if (f.BitfieldLength() == 0 || f.BitfieldLast()) && !varLen { + if (f.BitfieldLength() == 0 || f.BitfieldLast()) && !t.Varlen { // Increase offset if the current field is not a bitfield or it's the last bitfield in a set. off += f.Size() } } - if align != 0 && off%align != 0 && !varLen { + if align != 0 && off%align != 0 && !t.Varlen { pad := align - off%align off += pad fields = append(fields, makePad(pad)) diff --git a/sys/decl.go b/sys/decl.go index 9c7887f99..08df93dd2 100644 --- a/sys/decl.go +++ b/sys/decl.go @@ -222,6 +222,7 @@ type BufferType struct { Text TextKind // for BufferText SubKind string Values []string // possible values for BufferString kind + Length uintptr // max string length for BufferString kind } func (t *BufferType) Size() uintptr { @@ -292,6 +293,7 @@ func (t *PtrType) Align() uintptr { type StructType struct { TypeCommon Fields []Type + Varlen bool padded bool packed bool align uintptr @@ -303,7 +305,9 @@ func (t *StructType) Size() uintptr { } var size uintptr for _, f := range t.Fields { - size += f.Size() + if f.BitfieldLength() == 0 || f.BitfieldLast() { + size += f.Size() + } } return size } @@ -312,6 +316,9 @@ func (t *StructType) Align() uintptr { if t.align != 0 { return t.align // overrided by user attribute } + if t.packed { + return 1 + } var align uintptr for _, f := range t.Fields { if a1 := f.Align(); align < a1 { @@ -324,11 +331,11 @@ func (t *StructType) Align() uintptr { type UnionType struct { TypeCommon Options []Type - varlen bool + Varlen bool } func (t *UnionType) Size() uintptr { - if t.varlen { + if t.Varlen { panic("union size is not statically known") } size := t.Options[0].Size() diff --git a/sys/test.txt b/sys/test.txt index aa9ea1ab0..68ca85db8 100644 --- a/sys/test.txt +++ b/sys/test.txt @@ -6,16 +6,23 @@ syz_test() # Integer types. + syz_test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64) # Opt arguments + syz_test$opt0(a0 intptr[opt]) syz_test$opt1(a0 ptr[in, intptr, opt]) syz_test$opt2(a0 vma[opt]) -# Struct alignment. +# Alignment and padding + syz_test$align0(a0 ptr[in, syz_align0]) syz_test$align1(a0 ptr[in, syz_align1]) +syz_test$align2(a0 ptr[in, syz_align2]) +syz_test$align3(a0 ptr[in, syz_align3]) +syz_test$align4(a0 ptr[in, syz_align4]) +syz_test$align5(a0 ptr[in, syz_align5]) syz_align0 { f0 int16 @@ -33,22 +40,93 @@ syz_align1 { f4 int64 } [packed] -# Unions. +syz_align2_packed { + f0 array[int16, 1] +} [packed] -syz_test$union0(a0 ptr[in, syz_union_struct]) +syz_align2_not_packed { + f0 array[int16, 1] +} -syz_union_struct { - f int64 - u syz_union0 +syz_align2 { + f0 int8 + f1 syz_align2_packed + f2 syz_align2_not_packed +} + +syz_align3_noalign { + f0 int8 +} + +syz_align3_align4 { + f0 int8 +} [align_4] + +syz_align3 { + f0 int8 + f1 syz_align3_noalign + f2 syz_align3_align4 +} + +syz_align4_internal { + f0 int8 + f1 int16 +} [packed, align_4] + +syz_align4 { + f0 syz_align4_internal + f1 int8 +} + +syz_align5_internal { + f0 int64 + f1 array[int16, 0:3] } +syz_align5 { + f0 syz_align5_internal + f1 syz_align5_internal + f2 int8 +} [packed] + +# Unions + +syz_test$union0(a0 ptr[in, syz_union0_struct]) +syz_test$union1(a0 ptr[in, syz_union1_struct]) +syz_test$union2(a0 ptr[in, syz_union2_struct]) + syz_union0 [ f0 int64 f1 array[int64, 10] f2 int8 ] -# Arrays. +syz_union0_struct { + f int64 + u syz_union0 +} + +syz_union1 [ + f0 int64 + f1 int32 +] + +syz_union1_struct { + f0 syz_union1 + f1 int8 +} [packed] + +syz_union2 [ + f0 int64 + f1 int32 +] [varlen] + +syz_union2_struct { + f0 syz_union2 + f1 int8 +} [packed] + +# Arrays syz_test$array0(a0 ptr[in, syz_array_struct]) syz_test$array1(a0 ptr[in, syz_array_trailing]) @@ -77,7 +155,7 @@ syz_array_blob { f2 int16 } -# Length. +# Length syz_test$length0(a0 ptr[in, syz_length_int_struct]) syz_test$length1(a0 ptr[in, syz_length_const_struct]) @@ -178,7 +256,7 @@ syz_length_bytesize_struct { f5 bytesize8[f0, int8] } -# Big endian. +# Big endian syz_test$end0(a0 ptr[in, syz_end_int_struct]) syz_test$end1(a0 ptr[in, syz_end_var_struct]) @@ -199,18 +277,18 @@ syz_end_var_struct { f2 flags[syz_end_flags, int64be] } [packed] -# Vma type. +# Vma type syz_test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2]) -# Text type. +# Text type syz_test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0]) syz_test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0]) syz_test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0]) syz_test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0]) -# Regression tests. +# Regression tests syz_test$regression0(a0 ptr[inout, syz_regression0_struct]) @@ -218,11 +296,11 @@ syz_regression0_struct { f0 buffer[out] } -# Bitfields. +# Bitfields syz_bf_flags = 0, 1, 2 -syz_bf_struct { +syz_bf_struct0 { f0 flags[syz_bf_flags, int16:10] f1 int64 f2 const[0x42, int16:5] @@ -233,4 +311,16 @@ syz_bf_struct { f7 int8 } -syz_test$bf(a0 ptr[in, syz_bf_struct]) +syz_bf_struct1_internal { + f0 int32:10 + f1 int32:10 + f2 int32:10 +} + +syz_bf_struct1 { + f0 syz_bf_struct1_internal + f1 int8 +} + +syz_test$bf0(a0 ptr[in, syz_bf_struct0]) +syz_test$bf1(a0 ptr[in, syz_bf_struct1]) diff --git a/sysgen/sysgen.go b/sysgen/sysgen.go index 583be5a40..c71936c01 100644 --- a/sysgen/sysgen.go +++ b/sysgen/sysgen.go @@ -275,7 +275,7 @@ func generateStructEntry(str Struct, key structKey, out io.Writer) { } varlen := "" if str.Varlen { - varlen = ", varlen: true" + varlen = ", Varlen: true" } align := "" if str.Align != 0 { @@ -433,8 +433,8 @@ func generateArg( for i, s := range vals { vals[i] = s + "\x00" } + var size uint64 if len(a) >= 2 { - var size uint64 if v, ok := consts[a[1]]; ok { size = v } else { @@ -454,7 +454,7 @@ func generateArg( vals[i] = s } } - fmt.Fprintf(out, "&BufferType{%v, Kind: BufferString, SubKind: %q, Values: %#v}", common(), subkind, vals) + fmt.Fprintf(out, "&BufferType{%v, Kind: BufferString, SubKind: %q, Values: %#v, Length: %v}", common(), subkind, vals, size) case "salg_type": if want := 0; len(a) != want { failf("wrong number of arguments for %v arg %v, want %v, got %v", typ, name, want, len(a)) |