authorAnton Lindqvist <anton@basename.se>2020-03-04 16:46:46 +0100
committerDmitry Vyukov <dvyukov@google.com>2020-03-05 09:14:28 +0100
commitb655d91b8cb3b60be16c940d7bf4b192c2624a7b (patch)
tree106c7619ff6e501845f4da6538458170c74cd000
parent576fb9bc341530127b33f5c588a305f085f39a4f (diff)
sys/openbsd: prevent killing the ssh VM connection
This is one of the root causes of the 'no output from test machine' panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will cause state associated with ongoing connections to be purged; effectively killing the ssh connection to the VM. Including net/pfvar.h is necessary in order to make use of the DIOCKILLSTATES define.
-rw-r--r--executor/defs.h2
-rw-r--r--executor/syscalls.h1
-rw-r--r--sys/openbsd/dev_pf.txt17
-rw-r--r--sys/openbsd/dev_pf_amd64.const4
-rw-r--r--sys/openbsd/gen/amd64.go10
-rw-r--r--sys/openbsd/init.go22
-rw-r--r--sys/openbsd/init_test.go4
7 files changed, 52 insertions, 8 deletions
diff --git a/executor/defs.h b/executor/defs.h
index ecd476951..c9130082b 100644
--- a/executor/defs.h
+++ b/executor/defs.h
@@ -150,7 +150,7 @@
#if GOARCH_amd64
#define GOARCH "amd64"
-#define SYZ_REVISION "361f7adfaff69eb683f0c63eb1cb1a0d4fdd1ca5"
+#define SYZ_REVISION "6c58885985007c08bbc08a61d5fcdf22ae662d55"
#define SYZ_EXECUTOR_USES_FORK_SERVER 1
#define SYZ_EXECUTOR_USES_SHMEM 1
#define SYZ_PAGE_SIZE 4096
diff --git a/executor/syscalls.h b/executor/syscalls.h
index ada3902d4..410c1d816 100644
--- a/executor/syscalls.h
+++ b/executor/syscalls.h
@@ -22281,6 +22281,7 @@ const call_t syscalls[] = {
{"openat$klog", 321},
{"openat$null", 321},
{"openat$pci", 321},
+ {"openat$pf", 321},
{"openat$speaker", 321},
{"openat$tty", 321},
{"openat$vmm", 321},
diff --git a/sys/openbsd/dev_pf.txt b/sys/openbsd/dev_pf.txt
new file mode 100644
index 000000000..4dfd44aec
--- /dev/null
+++ b/sys/openbsd/dev_pf.txt
@@ -0,0 +1,17 @@
+# Copyright 2020 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <sys/types.h>
+include <sys/time.h>
+include <sys/fcntl.h>
+include <sys/ioctl.h>
+include <net/if.h>
+
+include <net/pfvar.h>
+
+# This ioctl is restricted in SanitizeCall(), see init.go.
+_ = DIOCKILLSTATES
+
+resource fd_pf[fd]
+
+openat$pf(fd const[AT_FDCWD], file ptr[in, string["/dev/pf"]], flags flags[open_flags], mode const[0]) fd_pf
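Review bot: The comment above `_ = DIOCKILLSTATES` says the ioctl is restricted but not why, so the reason is only discoverable in init.go. I would state it here, e.g. `# DIOCKILLSTATES purges pf state for live connections, including the ssh session to the VM; SanitizeCall() in init.go rewrites it to 0.` Only this one request is neutralised. net/pfvar.h defines other requests that clear state or alter the ruleset (DIOCCLRSTATES for one), and if descriptions for those are later added against `fd_pf`, the same loss of the management connection seems likely unless they are sanitized too.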
diff --git a/sys/openbsd/dev_pf_amd64.const b/sys/openbsd/dev_pf_amd64.const
new file mode 100644
index 000000000..f5a32c62a
--- /dev/null
+++ b/sys/openbsd/dev_pf_amd64.const
@@ -0,0 +1,4 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+DIOCKILLSTATES = 3235922985
+SYS_openat = 321
diff --git a/sys/openbsd/gen/amd64.go b/sys/openbsd/gen/amd64.go
index 75e89ee19..d329555d2 100644
--- a/sys/openbsd/gen/amd64.go
+++ b/sys/openbsd/gen/amd64.go
@@ -19,6 +19,7 @@ var resources_amd64 = []*ResourceDesc{
{Name: "fd_klog", Kind: []string{"fd", "fd_klog"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
{Name: "fd_kqueue", Kind: []string{"fd", "fd_kqueue"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
{Name: "fd_pci", Kind: []string{"fd", "fd_pci"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
+ {Name: "fd_pf", Kind: []string{"fd", "fd_pf"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
{Name: "fd_speaker", Kind: []string{"fd", "fd_speaker"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
{Name: "fd_tty", Kind: []string{"fd", "fd_tty"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
{Name: "fd_vmm", Kind: []string{"fd", "fd_vmm"}, Values: []uint64{18446744073709551615, 18446744073709551516}},
@@ -1897,6 +1898,12 @@ var syscalls_amd64 = []*Syscall{
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "open_flags", FldName: "flags", TypeSize: 8}}, Vals: []uint64{0, 1, 2, 8, 16, 32, 64, 128, 128, 128, 256, 512, 1024, 2048, 32768, 65536, 131072}},
&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "mode", TypeSize: 8}}},
}, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_pci", FldName: "ret", TypeSize: 4, ArgDir: 1}}},
+ {NR: 321, Name: "openat$pf", CallName: "openat", Args: []Type{
+ &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "fd", TypeSize: 8}}, Val: 18446744073709551516},
+ &PtrType{TypeCommon{TypeName: "ptr", FldName: "file", TypeSize: 8}, &BufferType{TypeCommon: TypeCommon{TypeName: "string", TypeSize: 8}, Kind: 2, Values: []string{"/dev/pf\x00"}}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "open_flags", FldName: "flags", TypeSize: 8}}, Vals: []uint64{0, 1, 2, 8, 16, 32, 64, 128, 128, 128, 256, 512, 1024, 2048, 32768, 65536, 131072}},
+ &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "mode", TypeSize: 8}}},
+ }, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_pf", FldName: "ret", TypeSize: 4, ArgDir: 1}}},
{NR: 321, Name: "openat$speaker", CallName: "openat", Args: []Type{
&ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "fd", TypeSize: 8}}, Val: 18446744073709551516},
&PtrType{TypeCommon{TypeName: "ptr", FldName: "file", TypeSize: 8}, &BufferType{TypeCommon: TypeCommon{TypeName: "string", TypeSize: 13}, Kind: 2, Values: []string{"/dev/speaker\x00"}}},
@@ -2491,6 +2498,7 @@ var consts_amd64 = []ConstValue{
{"CLOCK_PROCESS_CPUTIME_ID", 2},
{Name: "CLOCK_REALTIME"},
{"CLOCK_THREAD_CPUTIME_ID", 4},
+ {"DIOCKILLSTATES", 3235922985},
{"DIOCMAP", 3222299767},
{"DM_OPENBLCK", 2},
{"DM_OPENPART", 1},
@@ -3050,4 +3058,4 @@ var consts_amd64 = []ConstValue{
{"__MAP_NOREPLACE", 2048},
}
-const revision_amd64 = "361f7adfaff69eb683f0c63eb1cb1a0d4fdd1ca5"
+const revision_amd64 = "6c58885985007c08bbc08a61d5fcdf22ae662d55"
diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go
index 404536dfa..e7c5d08f6 100644
--- a/sys/openbsd/init.go
+++ b/sys/openbsd/init.go
@@ -13,9 +13,10 @@ import (
func InitTarget(target *prog.Target) {
arch := &arch{
- unix: targets.MakeUnixSanitizer(target),
- S_IFMT: target.GetConst("S_IFMT"),
- S_IFCHR: target.GetConst("S_IFCHR"),
+ unix: targets.MakeUnixSanitizer(target),
+ DIOCKILLSTATES: target.GetConst("DIOCKILLSTATES"),
+ S_IFMT: target.GetConst("S_IFMT"),
+ S_IFCHR: target.GetConst("S_IFCHR"),
}
target.MakeMmap = targets.MakePosixMmap(target)
@@ -24,9 +25,10 @@ func InitTarget(target *prog.Target) {
}
type arch struct {
- unix *targets.UnixSanitizer
- S_IFMT uint64
- S_IFCHR uint64
+ unix *targets.UnixSanitizer
+ DIOCKILLSTATES uint64
+ S_IFMT uint64
+ S_IFCHR uint64
}
const (
@@ -91,6 +93,14 @@ func (arch *arch) SanitizeCall(c *prog.Call) {
for _, f := range badflags {
flags.Val &= ^f
}
+ case "ioctl":
+ // Performing the following ioctl on a /dev/pf file descriptor
+ // causes the ssh VM connection to die. For now, just rewire it
+ // to an invalid command.
+ request := c.Args[1].(*prog.ConstArg)
+ if request.Val == arch.DIOCKILLSTATES {
+ request.Val = 0
+ }
case "mknodat":
argStart = 2
fallthrough
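Review bot: The assertion `c.Args[1].(*prog.ConstArg)` in the new `ioctl` case is unchecked, so SanitizeCall would panic on any ioctl whose request argument is not a ConstArg. Whether any OpenBSD description produces such a call is not visible here, but the comma-ok form removes the risk: `if request, ok := c.Args[1].(*prog.ConstArg); ok && request.Val == arch.DIOCKILLSTATES { request.Val = 0 }`. The comment could also say that the match is on the request value alone, whatever descriptor it is issued on, since that is what keeps the guard effective when the fd is not a tracked `fd_pf`. SanitizeCall's body starts and ends outside the hunk.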
diff --git a/sys/openbsd/init_test.go b/sys/openbsd/init_test.go
index fa6ffcb94..39e93a688 100644
--- a/sys/openbsd/init_test.go
+++ b/sys/openbsd/init_test.go
@@ -30,6 +30,10 @@ func TestSanitizeCall(t *testing.T) {
`fchflags(0x0, 0x0)`,
},
{
+ `ioctl$BIOCSDIRFILT(0x0, 0xc0e04429, 0x0)`,
+ `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`,
+ },
+ {
// major=22, minor=232
`mknodat(0x0, 0x0, 0x0, 0x16e8)`,
`mknodat(0x0, 0x0, 0x0, 0x202)`,
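Review bot: The new table entry needs a comment saying what `0xc0e04429` is, as the mknodat entry below it does for its device number. The value equals DIOCKILLSTATES (3235922985 in dev_pf_amd64.const), while the call name `ioctl$BIOCSDIRFILT` is unrelated to pf and is presumably just a carrier that parses. Something like `// 0xc0e04429 is DIOCKILLSTATES; the ioctl variant is only a carrier` would do. A second entry with a different request value would additionally pin that other ioctls pass through unchanged. The test table starts and ends outside the hunk.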