| author | Dmitry Vyukov <dvyukov@google.com> | 2019-12-03 16:56:13 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2019-12-03 18:48:14 +0100 |
| commit | dfe2e9d84a64066fd15913c7cd02d1853adf3942 (patch) | |
| tree | 73a986f1ed2b0a184126fd4c4cc7d45d6dc40672 /sys/linux/init.go | |
| parent | 799e6ffbbe35cd75b780d3dcbbeb7d13ebe1fb24 (diff) | |
sys/linux: enforce arguments of all syz_open_dev calls
Opening random devices can lead to havoc.
Enforce device major/minor.
Diffstat (limited to 'sys/linux/init.go')
| -rw-r--r-- | sys/linux/init.go | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/sys/linux/init.go b/sys/linux/init.go
index 94565a9d3..64df47a3f 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -74,6 +74,7 @@ func InitTarget(target *prog.Target) {
 "vboxnet0", "vboxnet1", "vmnet0", "vmnet1", "GPL",
 }
 switch target.Arch {
+
 case "amd64":
 target.SpecialPointers = []uint64{
 0xffffffff81000000, // kernel text
@@ -203,15 +204,30 @@ func (arch *arch) sanitizeCall(c *prog.Call) {
 }
 case "syz_open_procfs":
 arch.sanitizeSyzOpenProcfs(c)
+ case "syz_open_dev":
+ enforceIntArg(c.Args[0])
+ enforceIntArg(c.Args[1])
+ enforceIntArg(c.Args[2])
 }
 switch c.Meta.Name {
 case "setsockopt$EBT_SO_SET_ENTRIES":
 arch.sanitizeEbtables(c)
- case "syz_open_dev$char_usb":
- // Don't allow opening various char and block devices.
- c.Args[0].(*prog.ConstArg).Val = 0xc
- c.Args[1].(*prog.ConstArg).Val = arch.USB_MAJOR
+ }
+}
+
+func enforceIntArg(a prog.Arg) {
+ arg, ok := a.(*prog.ConstArg)
+ if !ok {
+ return
+ }
+ switch typ := arg.Type().(type) {
+ case *prog.ConstType:
+ arg.Val = typ.Val
+ case *prog.IntType:
+ if typ.Kind == prog.IntRange && (arg.Val < typ.RangeBegin || arg.Val > typ.RangeEnd) {
+ arg.Val = typ.RangeBegin
+ }
 }
 }
|
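Review bot: `enforceIntArg` fails open: it returns silently when the argument is not a `*prog.ConstArg`, and for `*prog.IntType` it corrects only the `prog.IntRange` kind, so a `syz_open_dev` variant whose major/minor is described as a plain int or any other type keeps whatever value it was given. Since the stated goal is to stop random devices from being opened, the function should carry a doc comment naming exactly what it pins, e.g. `// enforceIntArg resets a const or ranged int argument to its declared value; any other argument kind is left unchanged.`, and the new `case "syz_open_dev":` should keep a one-line reason like the removed `// Don't allow opening various char and block devices.`. The range check compares `arg.Val` directly with `typ.RangeBegin` and `typ.RangeEnd`; if those fields are unsigned and a description ever uses a negative lower bound, in-range values would presumably be reset as well, which is worth confirming. The body of `sanitizeCall` begins outside the hunk.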
