diff options
| author | Anton Lindqvist <anton@basename.se> | 2019-05-21 23:17:22 +0200 |
|---|---|---|
| committer | Anton Lindqvist <anton@basename.se> | 2019-05-24 22:33:56 +0200 |
| commit | 85c573157db1baae51178263fe3289c8329e6dc2 (patch) | |
| tree | 367d8e88c9713fbdff93b4042a3b4fe5c5f5a3de | |
| parent | 0dadcd9d912d7faab1cd5fc0dfad21ff95ff86a8 (diff) | |
pkg/csource: add ability to annotate syscalls using comments in C reproducers
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
| -rw-r--r-- | pkg/csource/csource.go | 7 | ||||
| -rw-r--r-- | prog/target.go | 6 | ||||
| -rw-r--r-- | sys/openbsd/init.go | 16 |
3 files changed, 28 insertions, 1 deletions
diff --git a/pkg/csource/csource.go b/pkg/csource/csource.go index c8513286f..75b5a5e02 100644 --- a/pkg/csource/csource.go +++ b/pkg/csource/csource.go @@ -239,7 +239,12 @@ func (ctx *context) emitCall(w *bytes.Buffer, call prog.ExecCall, ci int, haveCo } fmt.Fprintf(w, "0") } - fmt.Fprintf(w, ");\n") + fmt.Fprintf(w, ");") + comment := ctx.target.AnnotateCall(call) + if len(comment) != 0 { + fmt.Fprintf(w, " /* %s */", comment) + } + fmt.Fprintf(w, "\n") if trace { cast := "" if !native && !strings.HasPrefix(callName, "syz_") { diff --git a/prog/target.go b/prog/target.go index b64af0027..da9b3255c 100644 --- a/prog/target.go +++ b/prog/target.go @@ -31,6 +31,11 @@ type Target struct { // SanitizeCall neutralizes harmful calls. SanitizeCall func(c *Call) + // AnnotateCall annotates a syscall invocation in C reproducers. + // The returned string will be placed inside a comment except for the + // empty string which will omit the comment. + AnnotateCall func(c ExecCall) string + // SpecialTypes allows target to do custom generation/mutation for some struct's and union's. // Map key is struct/union name for which custom generation/mutation is required. // Map value is custom generation/mutation function that will be called @@ -106,6 +111,7 @@ func AllTargets() []*Target { func (target *Target) lazyInit() { target.SanitizeCall = func(c *Call) {} + target.AnnotateCall = func(c ExecCall) string { return "" } target.initTarget() target.initArch(target) target.ConstMap = nil // currently used only by initArch diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go index bce74fbac..c42fe0497 100644 --- a/sys/openbsd/init.go +++ b/sys/openbsd/init.go @@ -4,6 +4,8 @@ package openbsd import ( + "fmt" + "github.com/google/syzkaller/prog" "github.com/google/syzkaller/sys/targets" ) @@ -17,6 +19,7 @@ func InitTarget(target *prog.Target) { target.MakeMmap = targets.MakePosixMmap(target) target.SanitizeCall = arch.SanitizeCall + target.AnnotateCall = arch.annotateCall } type arch struct { @@ -107,3 +110,16 @@ func (arch *arch) SanitizeCall(c *prog.Call) { arch.unix.SanitizeCall(c) } } + +func (arch *arch) annotateCall(c prog.ExecCall) string { + devArg := 2 + switch c.Meta.Name { + case "mknodat": + devArg = 3 + fallthrough + case "mknod": + dev := c.Args[devArg].(prog.ExecArgConst).Value + return fmt.Sprintf("major = %v, minor = %v", devmajor(dev), devminor(dev)) + } + return "" +} |