authorDmitry Vyukov <dvyukov@google.com>2024-04-25 14:00:41 +0200
committerDmitry Vyukov <dvyukov@google.com>2024-04-29 14:53:56 +0000
commit88ec97282e185df0bdc0d760bcd5f0a2e4891362 (patch)
tree95b6a8de04d1edcddd7526df75328c5da8c664df
parent337657e0d5b5c120b163c09fbcfc49ae5897cb39 (diff)
pkg/host: explicitly disable syz_execute_func
Disable the syscall in descriptions rather than in the code. This makes it more visible for users that it's disabled, and makes it less special (will not need to move this logic to host). Also change the condition in syz-sysgen to be more precise, otherwise syz_execute_func becomes an unused function.
-rw-r--r--pkg/host/syscalls.go17
-rw-r--r--sys/darwin/sys.txt2
-rw-r--r--sys/freebsd/sys.txt2
-rw-r--r--sys/fuchsia/sys.txt2
-rw-r--r--sys/linux/sys.txt16
-rw-r--r--sys/netbsd/sys.txt2
-rw-r--r--sys/openbsd/sys.txt2
-rw-r--r--sys/syz-sysgen/sysgen.go7
-rw-r--r--sys/test/test.txt2
9 files changed, 26 insertions, 26 deletions
diff --git a/pkg/host/syscalls.go b/pkg/host/syscalls.go
index fd8acc4d1..cd49ded51 100644
--- a/pkg/host/syscalls.go
+++ b/pkg/host/syscalls.go
@@ -35,23 +35,6 @@ func DetectSupportedSyscalls(target *prog.Target, sandbox string, enabled map[*p
case !enabled[c]:
ok = false
reason = "not in set of enabled calls"
- case c.CallName == "syz_execute_func":
- // syz_execute_func caused multiple problems:
- // 1. First it lead to corpus explosion. The program used existing values in registers
- // to pollute output area. We tried to zero registers (though, not reliably).
- // 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
- // syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
- // 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
- // 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
- // 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
- // 3. The code can also execute syscalls (and it is know to), but it's not subject to
- // target.SanitizeCall. As the result it can do things that programs are not supposed to do.
- // 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
- // to syz_execute_func based on corpus contents. Mechanics are also not known.
- // It also did not cause finding of any new bugs (at least not that I know of).
- // Let's disable it for now until we figure out how to resolve all these problems.
- ok = false
- reason = "always disabled for now"
default:
ok, reason = isSupported(c, target, sandbox)
}
diff --git a/sys/darwin/sys.txt b/sys/darwin/sys.txt
index 88d218b73..44c5aa6b4 100644
--- a/sys/darwin/sys.txt
+++ b/sys/darwin/sys.txt
@@ -17,7 +17,7 @@ include <time.h>
include <signal.h>
include <sys/wait.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
poll(fds ptr[in, array[pollfd]], nfds len[fds], timeout int32)
select(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timeval])
diff --git a/sys/freebsd/sys.txt b/sys/freebsd/sys.txt
index 3b53a4985..8738250a3 100644
--- a/sys/freebsd/sys.txt
+++ b/sys/freebsd/sys.txt
@@ -24,7 +24,7 @@ include <sys/specialfd.h>
type signo int32[0:SIGRTMAX]
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
sf_hdtr {
headers ptr[in, array[iovec_in]]
diff --git a/sys/fuchsia/sys.txt b/sys/fuchsia/sys.txt
index d2f11af27..6cdb4af8f 100644
--- a/sys/fuchsia/sys.txt
+++ b/sys/fuchsia/sys.txt
@@ -6,7 +6,7 @@
include <zircon/syscalls.h>
include <ddk/driver.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
# Provided by sysroot (include/ddk/driver.h)
resource zx_root_resource[zx_handle]
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 57af33efe..7b03e851e 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -93,7 +93,21 @@ type padto64[T] {
type signalno int32[0:65]
type signalnoptr intptr[0:65]
-syz_execute_func(text ptr[in, text[target]])
+# syz_execute_func caused multiple problems:
+# 1. First it lead to corpus explosion. The program used existing values in registers
+# to pollute output area. We tried to zero registers (though, not reliably).
+# 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
+# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
+# 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
+# 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
+# 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
+# 3. The code can also execute syscalls (and it is know to), but it's not subject to
+# target.SanitizeCall. As the result it can do things that programs are not supposed to do.
+# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
+# to syz_execute_func based on corpus contents. Mechanics are also not known.
+# It also did not cause finding of any new bugs (at least not that I know of).
+# So it's disabled on all OSes until we figure out how to resolve all these problems.
+syz_execute_func(text ptr[in, text[target]]) (disabled)
# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd
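Review bot: The rationale comment moved into the descriptions at the `# syz_execute_func caused multiple problems:` block carries over two wording slips from the old Go comment: `it lead to` should be `it led to` (points 1 and 2) and `it is know to` should be `it is known to` (point 3). This block is now the only place the reasoning lives, including point 3 about the call executing syscalls outside target.SanitizeCall, while the darwin, freebsd, fuchsia, netbsd, openbsd and test hunks only add `(disabled)`; a one-line pointer in each of those, such as `# Disabled everywhere, see sys/linux/sys.txt for the reasons.`, would keep the rationale discoverable from every file that carries the attribute.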
diff --git a/sys/netbsd/sys.txt b/sys/netbsd/sys.txt
index 502b792e2..709ec4c29 100644
--- a/sys/netbsd/sys.txt
+++ b/sys/netbsd/sys.txt
@@ -24,7 +24,7 @@ include <sys/module.h>
include <sys/swap.h>
include <sys/ras.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
pipe(pipefd ptr[out, pipefd])
diff --git a/sys/openbsd/sys.txt b/sys/openbsd/sys.txt
index 0752c7449..819270fbc 100644
--- a/sys/openbsd/sys.txt
+++ b/sys/openbsd/sys.txt
@@ -17,7 +17,7 @@ include <time.h>
include <signal.h>
include <sys/wait.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
pipe(pipefd ptr[out, pipefd])
diff --git a/sys/syz-sysgen/sysgen.go b/sys/syz-sysgen/sysgen.go
index 313cb60d8..b1ed731bb 100644
--- a/sys/syz-sysgen/sysgen.go
+++ b/sys/syz-sysgen/sysgen.go
@@ -12,6 +12,7 @@ import (
"path/filepath"
"reflect"
"sort"
+ "strings"
"sync"
"text/template"
@@ -342,8 +343,10 @@ func newSyscallData(target *targets.Target, sc *prog.Syscall, attrs []uint64) Sy
Name: sc.Name,
CallName: callName,
NR: int32(sc.NR),
- NeedCall: (!target.HasCallNumber(sc.CallName) || patchCallName) && !sc.Attrs.Disabled,
- Attrs: attrs,
+ NeedCall: (!target.HasCallNumber(sc.CallName) || patchCallName) &&
+ // These are declared in the compiler for internal purposes.
+ !strings.HasPrefix(sc.Name, "syz_builtin"),
+ Attrs: attrs,
}
}
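Review bot: The new `NeedCall:` condition drops the `!sc.Attrs.Disabled` term, so a call marked `(disabled)` in the descriptions still has its executor implementation generated; the commit message says this is intended for syz_execute_func, but the same now holds for any other disabled call with a C body, and nothing in the hunk records that, so a short comment above the field would help: `// Disabled calls still get their implementation compiled in so it is not an unused function; the (disabled) attribute alone keeps them out of generated programs.` (the second clause is my reading of the commit message, worth confirming). The `"syz_builtin"` literal is a naming contract with the compiler; a named constant, e.g. `const builtinPrefix = "syz_builtin"` placed next to the compiler's definition or mirroring it, would keep the two from drifting silently. Putting the `// These are declared in the compiler ...` comment inside the boolean expression is unusual style; moving it above the `NeedCall:` line keeps the expression on one readable unit. newSyscallData starts before this hunk.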
diff --git a/sys/test/test.txt b/sys/test/test.txt
index a973904a3..b08b9bcf8 100644
--- a/sys/test/test.txt
+++ b/sys/test/test.txt
@@ -3,7 +3,7 @@
# Syscalls used in syzkaller tests.
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
test()