authorDmitry Vyukov <dvyukov@google.com>2018-10-15 18:53:00 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-10-15 18:53:00 +0200
commit6ce17935cb99fa11aaa2f2d1889261da6b298013 (patch)
tree958c8cc613630710c0d1b83517230e85f1e65525 /sys/linux
parentcaf12900683e434dcd16bdac59b909f13fb09099 (diff)
sys/linux: prohibit FAN_OPEN_PERM and FAN_ACCESS_PERM
FAN_OPEN_PERM and FAN_ACCESS_PERM require the program to reply to open requests. If that does not happen, the program will hang in an unkillable state forever. See the following bug for details: https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/aio_arm.const2
-rw-r--r--sys/linux/gen/386.go8
-rw-r--r--sys/linux/gen/amd64.go8
-rw-r--r--sys/linux/gen/arm.go15
-rw-r--r--sys/linux/gen/arm64.go6
-rw-r--r--sys/linux/gen/ppc64le.go6
-rw-r--r--sys/linux/init.go13
-rw-r--r--sys/linux/init_test.go153
-rw-r--r--sys/linux/sys.txt8
9 files changed, 196 insertions, 23 deletions
diff --git a/sys/linux/aio_arm.const b/sys/linux/aio_arm.const
index 1bca789d0..f8c432778 100644
--- a/sys/linux/aio_arm.const
+++ b/sys/linux/aio_arm.const
@@ -12,6 +12,6 @@ IOCB_FLAG_RESFD = 1
__NR_io_cancel = 247
__NR_io_destroy = 244
__NR_io_getevents = 245
-# __NR_io_pgetevents is not set
+__NR_io_pgetevents = 399
__NR_io_setup = 243
__NR_io_submit = 246
diff --git a/sys/linux/gen/386.go b/sys/linux/gen/386.go
index 8084c6c79..e8483d03d 100644
--- a/sys/linux/gen/386.go
+++ b/sys/linux/gen/386.go
@@ -22781,7 +22781,7 @@ var syscalls_386 = []*Syscall{
&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "seconds", TypeSize: 4}}},
}},
{NR: 384, Name: "arch_prctl", CallName: "arch_prctl", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 4}}, Vals: []uint64{4098, 4099, 4097, 4100}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 4}}, Vals: []uint64{4099, 4097, 4100}},
&PtrType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "addr", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{IsVarlen: true}}},
}},
{NR: 361, Name: "bind", CallName: "bind", Args: []Type{
@@ -23291,7 +23291,7 @@ var syscalls_386 = []*Syscall{
{NR: 339, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}},
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 4}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true},
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true},
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
}},
@@ -30592,7 +30592,7 @@ var syscalls_386 = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 4}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
}},
{NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{16904, 8, 16903, 16, 17}},
&ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}},
}},
{NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{
@@ -41321,4 +41321,4 @@ var consts_386 = []ConstValue{
{Name: "bpf_insn_load_imm_dw", Value: 24},
}
-const revision_386 = "642a145ebbc67e85c1215435c6b534d306e9817c"
+const revision_386 = "7d1cc6599aafad3c0b0ee7e24d0ea18a1310f4f6"
diff --git a/sys/linux/gen/amd64.go b/sys/linux/gen/amd64.go
index 5118406fa..121e128e1 100644
--- a/sys/linux/gen/amd64.go
+++ b/sys/linux/gen/amd64.go
@@ -23231,7 +23231,7 @@ var syscalls_amd64 = []*Syscall{
&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "seconds", TypeSize: 8}}},
}},
{NR: 158, Name: "arch_prctl", CallName: "arch_prctl", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 8}}, Vals: []uint64{4098, 4099, 4097, 4100}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "arch_prctl_code", FldName: "code", TypeSize: 8}}, Vals: []uint64{4099, 4097, 4100}},
&PtrType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "addr", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{IsVarlen: true}}},
}},
{NR: 49, Name: "bind", CallName: "bind", Args: []Type{
@@ -23741,7 +23741,7 @@ var syscalls_amd64 = []*Syscall{
{NR: 301, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}},
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true},
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true},
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
}},
@@ -31112,7 +31112,7 @@ var syscalls_amd64 = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
}},
{NR: 101, Name: "ptrace", CallName: "ptrace", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}},
&ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}},
}},
{NR: 101, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{
@@ -42015,4 +42015,4 @@ var consts_amd64 = []ConstValue{
{Name: "bpf_insn_load_imm_dw", Value: 24},
}
-const revision_amd64 = "4bf7088eb1e77eb4525156890f346c4c426308df"
+const revision_amd64 = "ef47a3e33a5764e82cb1ccb694fd34a5311053b4"
diff --git a/sys/linux/gen/arm.go b/sys/linux/gen/arm.go
index a0c4f8969..c455f58d2 100644
--- a/sys/linux/gen/arm.go
+++ b/sys/linux/gen/arm.go
@@ -23193,7 +23193,7 @@ var syscalls_arm = []*Syscall{
{NR: 368, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}},
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 4}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true},
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 4}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true},
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 4}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
}},
@@ -24958,6 +24958,14 @@ var syscalls_arm = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "events", TypeSize: 4}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", ArgDir: 1, IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "io_event", Dir: 1}}}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "timeout", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "timespec"}}},
}},
+ {NR: 399, Name: "io_pgetevents", CallName: "io_pgetevents", Args: []Type{
+ &ResourceType{TypeCommon: TypeCommon{TypeName: "io_ctx", FldName: "ctx", TypeSize: 4}},
+ &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "min_nr", TypeSize: 4}}},
+ &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "nr", TypeSize: 4}}, Buf: "events"},
+ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "events", TypeSize: 4}, Type: &ArrayType{TypeCommon: TypeCommon{TypeName: "array", ArgDir: 1, IsVarlen: true}, Type: &StructType{Key: StructKey{Name: "io_event", Dir: 1}}}},
+ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "timeout", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "timespec"}}},
+ &PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "usig", TypeSize: 4, IsOptional: true}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
+ }},
{NR: 243, Name: "io_setup", CallName: "io_setup", Args: []Type{
&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "n", TypeSize: 4}}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "ctx", TypeSize: 4}, Type: &ResourceType{TypeCommon: TypeCommon{TypeName: "io_ctx", TypeSize: 4, ArgDir: 1}}},
@@ -30380,7 +30388,7 @@ var syscalls_arm = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 4}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
}},
{NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 4}}, Vals: []uint64{16904, 8, 16903, 16, 17}},
&ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}},
}},
{NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{
@@ -40986,6 +40994,7 @@ var consts_arm = []ConstValue{
{Name: "__NR_io_cancel", Value: 247},
{Name: "__NR_io_destroy", Value: 244},
{Name: "__NR_io_getevents", Value: 245},
+ {Name: "__NR_io_pgetevents", Value: 399},
{Name: "__NR_io_setup", Value: 243},
{Name: "__NR_io_submit", Value: 246},
{Name: "__NR_ioctl", Value: 54},
@@ -41187,4 +41196,4 @@ var consts_arm = []ConstValue{
{Name: "bpf_insn_load_imm_dw", Value: 24},
}
-const revision_arm = "87d9b5b947c05cd6232361b1c5ed052568f6d8ed"
+const revision_arm = "15223c241125b3b97cca255736128daf2364eb5f"
diff --git a/sys/linux/gen/arm64.go b/sys/linux/gen/arm64.go
index 2b14c8fe6..2761f2613 100644
--- a/sys/linux/gen/arm64.go
+++ b/sys/linux/gen/arm64.go
@@ -23497,7 +23497,7 @@ var syscalls_arm64 = []*Syscall{
{NR: 263, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}},
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true},
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true},
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
}},
@@ -30662,7 +30662,7 @@ var syscalls_arm64 = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
}},
{NR: 117, Name: "ptrace", CallName: "ptrace", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}},
&ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}},
}},
{NR: 117, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{
@@ -41409,4 +41409,4 @@ var consts_arm64 = []ConstValue{
{Name: "bpf_insn_load_imm_dw", Value: 24},
}
-const revision_arm64 = "4c268588881cd3c4d4195b7ec7fb71c90732ef6c"
+const revision_arm64 = "788811e4e0b7f2906517c1b548e5d719bb4eb681"
diff --git a/sys/linux/gen/ppc64le.go b/sys/linux/gen/ppc64le.go
index 49d6a9c1b..d2f042500 100644
--- a/sys/linux/gen/ppc64le.go
+++ b/sys/linux/gen/ppc64le.go
@@ -22540,7 +22540,7 @@ var syscalls_ppc64le = []*Syscall{
{NR: 324, Name: "fanotify_mark", CallName: "fanotify_mark", Args: []Type{
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_fanotify", FldName: "fd", TypeSize: 4}},
&FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mark", FldName: "flags", TypeSize: 8}}, Vals: []uint64{1, 2, 128, 4, 8, 16, 32, 64}, BitMask: true},
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 65536, 131072, 1073741824, 134217728}, BitMask: true},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "fanotify_mask", FldName: "mask", TypeSize: 8}}, Vals: []uint64{1, 2, 8, 16, 32, 1073741824, 134217728}, BitMask: true},
&ResourceType{TypeCommon: TypeCommon{TypeName: "fd_dir", FldName: "fddir", TypeSize: 4}},
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "path", TypeSize: 8}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "filename", IsVarlen: true}, Kind: 3}},
}},
@@ -29153,7 +29153,7 @@ var syscalls_ppc64le = []*Syscall{
&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "sig", TypeSize: 8}, Type: &StructType{Key: StructKey{Name: "sigset_size"}}},
}},
{NR: 26, Name: "ptrace", CallName: "ptrace", Args: []Type{
- &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{0, 16904, 8, 16903, 16, 17}},
+ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "ptrace_req", FldName: "req", TypeSize: 8}}, Vals: []uint64{16904, 8, 16903, 16, 17}},
&ResourceType{TypeCommon: TypeCommon{TypeName: "pid", FldName: "pid", TypeSize: 4}},
}},
{NR: 26, Name: "ptrace$PTRACE_SECCOMP_GET_FILTER", CallName: "ptrace", Args: []Type{
@@ -38765,4 +38765,4 @@ var consts_ppc64le = []ConstValue{
{Name: "bpf_insn_load_imm_dw", Value: 24},
}
-const revision_ppc64le = "cdf0eb7c11ca182ba6df6598c596f4da9c7a489c"
+const revision_ppc64le = "3fa983482ac8a3d065ca2cd99d5fd18b973d0b9f"
diff --git a/sys/linux/init.go b/sys/linux/init.go
index d4ab7da70..f545abdf4 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -21,6 +21,8 @@ func InitTarget(target *prog.Target) {
FITHAW: target.ConstMap["FITHAW"],
EXT4_IOC_SHUTDOWN: target.ConstMap["EXT4_IOC_SHUTDOWN"],
EXT4_IOC_MIGRATE: target.ConstMap["EXT4_IOC_MIGRATE"],
+ FAN_OPEN_PERM: target.ConstMap["FAN_OPEN_PERM"],
+ FAN_ACCESS_PERM: target.ConstMap["FAN_ACCESS_PERM"],
PTRACE_TRACEME: target.ConstMap["PTRACE_TRACEME"],
CLOCK_REALTIME: target.ConstMap["CLOCK_REALTIME"],
ARCH_SET_FS: target.ConstMap["ARCH_SET_FS"],
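Review bot: The two new entries read `target.ConstMap["FAN_OPEN_PERM"]` and `target.ConstMap["FAN_ACCESS_PERM"]` without checking that the key exists, and if ConstMap is a plain Go map a missing key yields 0. In that case the `&^=` in sanitizeCall would clear nothing, and the protection against the unkillable hang would disappear silently. Consider failing loudly at init when either constant is absent, e.g. `if _, ok := target.ConstMap["FAN_OPEN_PERM"]; !ok { panic("FAN_OPEN_PERM is not defined") }`, assuming both constants are expected on every supported arch. InitTarget starts and ends outside this hunk, so an existing check elsewhere cannot be ruled out.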
@@ -95,6 +97,8 @@ type arch struct {
FITHAW uint64
EXT4_IOC_SHUTDOWN uint64
EXT4_IOC_MIGRATE uint64
+ FAN_OPEN_PERM uint64
+ FAN_ACCESS_PERM uint64
PTRACE_TRACEME uint64
CLOCK_REALTIME uint64
ARCH_SET_FS uint64
@@ -128,11 +132,18 @@ func (arch *arch) sanitizeCall(c *prog.Call) {
if uint64(uint32(cmd.Val)) == arch.EXT4_IOC_SHUTDOWN {
cmd.Val = arch.EXT4_IOC_MIGRATE
}
+ case "fanotify_mark":
+ // FAN_OPEN_PERM and FAN_ACCESS_PERM require the program to reply to open requests.
+ // If that does not happen, the program will hang in an unkillable state forever.
+ // See the following bug for details:
+ // https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ
+ mask := c.Args[2].(*prog.ConstArg)
+ mask.Val &^= arch.FAN_OPEN_PERM | arch.FAN_ACCESS_PERM
case "ptrace":
req := c.Args[0].(*prog.ConstArg)
// PTRACE_TRACEME leads to unkillable processes, see:
// https://groups.google.com/forum/#!topic/syzkaller/uGzwvhlCXAw
- if req.Val == arch.PTRACE_TRACEME {
+ if uint64(uint32(req.Val)) == arch.PTRACE_TRACEME {
req.Val = ^uint64(0)
}
case "arch_prctl":
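Review bot: The changed comparison `uint64(uint32(req.Val)) == arch.PTRACE_TRACEME` has no comment saying why only the low 32 bits are compared, and the existing comment above it still describes just the unkillable-process problem. A short why-comment would help, for example `// Compare the low 32 bits only, values such as 0xf000000000 must be caught too.`; the reason for the truncation is not visible in this hunk, so the author should confirm the wording. In the new fanotify_mark case, `c.Args[2].(*prog.ConstArg)` is an unchecked assertion like the ptrace one below it, which is consistent with the surrounding code but will panic if the mask is ever described as something other than a constant argument. sanitizeCall starts and ends outside the hunk.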
diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go
new file mode 100644
index 000000000..090fa7790
--- /dev/null
+++ b/sys/linux/init_test.go
@@ -0,0 +1,153 @@
+// Copyright 2018 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package linux_test
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+
+ "github.com/google/syzkaller/prog"
+ _ "github.com/google/syzkaller/sys/linux/gen"
+)
+
+func TestSanitize(t *testing.T) {
+ target, err := prog.GetTarget("linux", "amd64")
+ if err != nil {
+ t.Fatal(err)
+ }
+ tests := []struct {
+ input string
+ output string
+ }{
+ {
+ `syslog(0x10000000006, 0x0, 0x0)`,
+ `syslog(0x9, 0x0, 0x0)`,
+ },
+ {
+ `syslog(0x10000000007, 0x0, 0x0)`,
+ `syslog(0x9, 0x0, 0x0)`,
+ },
+ {
+ `syslog(0x1, 0x0, 0x0)`,
+ `syslog(0x1, 0x0, 0x0)`,
+ },
+
+ {
+ `ptrace(0xf000000000, 0x0)`,
+ `ptrace(0xffffffffffffffff, 0x0)`,
+ },
+ {
+ `ptrace$peek(0x0)`,
+ `ptrace$peek(0xffffffffffffffff, 0x0, &(0x7f0000000000))`,
+ },
+ {
+ `ptrace(0x1)`,
+ `ptrace(0x1, 0x0)`,
+ },
+ {
+ `arch_prctl(0xf00000001002, 0x0)`,
+ `arch_prctl(0x1001, 0x0)`,
+ },
+ {
+ `arch_prctl(0x1003, 0x0)`,
+ `arch_prctl(0x1003, 0x0)`,
+ },
+ {
+ `ioctl(0x0, 0x200000c0045877, 0x0)`,
+ `ioctl(0x0, 0xc0045878, 0x0)`,
+ },
+ {
+ `ioctl$int_in(0x0, 0x2000008004587d, 0x0)`,
+ `ioctl$int_in(0x0, 0x6609, 0x0)`,
+ },
+ {
+ `fanotify_mark(0x1, 0x2, 0x407fe029, 0x3, 0x0)`,
+ `fanotify_mark(0x1, 0x2, 0x407ce029, 0x3, 0x0)`,
+ },
+ {
+ `fanotify_mark(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffcffff, 0xffffffffffffffff, 0x0)`,
+ `fanotify_mark(0xffffffffffffffff, 0xffffffffffffffff, 0xfffffffffffcffff, 0xffffffffffffffff, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0xffffffffffffffff, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x27, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x27, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1a, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x1a, 0x0, 0x0)`,
+ },
+ {
+ `syz_init_net_socket$bt_hci(0x1f, 0x0, 0x0)`,
+ `syz_init_net_socket$bt_hci(0x1f, 0x0, 0x0)`,
+ },
+ {
+ `mmap(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)`,
+ `mmap(0x0, 0x0, 0x0, 0x10, 0x0, 0x0)`,
+ },
+ {
+ `mremap(0x0, 0x0, 0x0, 0xcc, 0x0)`,
+ `mremap(0x0, 0x0, 0x0, 0xcc, 0x0)`,
+ },
+ {
+ `mremap(0x0, 0x0, 0x0, 0xcd, 0x0)`,
+ `mremap(0x0, 0x0, 0x0, 0xcf, 0x0)`,
+ },
+ {
+ `
+mknod(0x0, 0x1000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0xc000, 0x0)
+mknod(0x0, 0x2000, 0x0)
+mknod(0x0, 0x6000, 0x0)
+mknod(0x0, 0x6000, 0x700)
+`,
+ `
+mknod(0x0, 0x1000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0xc000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0x8000, 0x0)
+mknod(0x0, 0x6000, 0x700)
+`,
+ },
+ {
+ `
+exit(0x3)
+exit(0x43)
+exit(0xc3)
+exit(0xc4)
+exit_group(0x5a)
+exit_group(0x44)
+exit_group(0x444)
+`,
+ `
+exit(0x3)
+exit(0x1)
+exit(0x1)
+exit(0x1)
+exit_group(0x5a)
+exit_group(0x1)
+exit_group(0x1)
+`,
+ },
+ }
+ for i, test := range tests {
+ t.Run(fmt.Sprint(i), func(t *testing.T) {
+ p, err := target.Deserialize([]byte(test.input))
+ if err != nil {
+ t.Fatal(err)
+ }
+ got := strings.TrimSpace(string(p.Serialize()))
+ want := strings.TrimSpace(test.output)
+ if got != want {
+ t.Fatalf("input:\n%v\ngot:\n%v\nwant:\n%s", test.input, got, want)
+ }
+ })
+ }
+}
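Review bot: TestSanitize only loads `prog.GetTarget("linux", "amd64")`, so the new fanotify_mark and ptrace sanitization is never exercised on the 32-bit targets, where the generated descriptions in this commit give the mask and request a TypeSize of 4. Adding at least the two fanotify_mark cases and the `ptrace(0xf000000000, 0x0)` case for a second target such as 386 or arm would cover that; the expected serialized values would need to be confirmed per arch. The subtests are also named by index via `fmt.Sprint(i)`, which makes a failure harder to map back to a case once entries are inserted, so a `name` field in the table would be more stable.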
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 371667fc7..8b45e3d0b 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -880,7 +880,7 @@ prctl_endian = PR_ENDIAN_BIG, PR_ENDIAN_LITTLE, PR_ENDIAN_PPC_LITTLE
prctl_fpexc = PR_FP_EXC_SW_ENABLE, PR_FP_EXC_DIV, PR_FP_EXC_OVF, PR_FP_EXC_UND, PR_FP_EXC_RES, PR_FP_EXC_INV, PR_FP_EXC_DISABLED, PR_FP_EXC_NONRECOV, PR_FP_EXC_ASYNC, PR_FP_EXC_PRECISE
prctl_seccomp_mode = SECCOMP_MODE_DISABLED, SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
prctl_mm_option = PR_SET_MM_START_CODE, PR_SET_MM_END_CODE, PR_SET_MM_START_DATA, PR_SET_MM_END_DATA, PR_SET_MM_START_STACK, PR_SET_MM_START_BRK, PR_SET_MM_BRK
-arch_prctl_code = ARCH_SET_FS, ARCH_GET_FS, ARCH_SET_GS, ARCH_GET_GS
+arch_prctl_code = ARCH_GET_FS, ARCH_SET_GS, ARCH_GET_GS
epoll_flags = EPOLL_CLOEXEC
epoll_ev = POLLIN, POLLOUT, POLLRDHUP, POLLPRI, POLLERR, POLLHUP, EPOLLET, EPOLLONESHOT, EPOLLEXCLUSIVE, EPOLLWAKEUP
pollfd_events = POLLIN, POLLPRI, POLLOUT, POLLERR, POLLHUP, POLLNVAL, POLLRDNORM, POLLRDBAND, POLLWRNORM, POLLWRBAND, POLLMSG, POLLREMOVE, POLLRDHUP, POLLFREE, POLL_BUSY_LOOP
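Review bot: `arch_prctl_code` loses ARCH_SET_FS here and `ptrace_req` loses PTRACE_TRACEME in the hunk at -931, but the commit description only mentions FAN_OPEN_PERM and FAN_ACCESS_PERM (removed from `fanotify_mask` in the hunk at -905). None of the three trimmed flag sets has a comment in sys.txt, so a later editor could re-add the values without knowing that sanitizeCall in init.go treats them as hazardous. A comment above each set would record the intent, e.g. `# PTRACE_TRACEME is intentionally omitted, see sanitizeCall in init.go.`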
@@ -905,7 +905,7 @@ inotify_mask = IN_ACCESS, IN_ATTRIB, IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_CREATE
fanotify_flags = FAN_CLASS_PRE_CONTENT, FAN_CLASS_CONTENT, FAN_CLASS_NOTIF, FAN_CLOEXEC, FAN_NONBLOCK, FAN_UNLIMITED_QUEUE, FAN_UNLIMITED_MARKS, FAN_ENABLE_AUDIT
fanotify_events = O_RDONLY, O_WRONLY, O_RDWR, O_LARGEFILE, O_CLOEXEC, O_APPEND, O_DSYNC, O_NOATIME, O_NONBLOCK, O_SYNC
fanotify_mark = FAN_MARK_ADD, FAN_MARK_REMOVE, FAN_MARK_FLUSH, FAN_MARK_DONT_FOLLOW, FAN_MARK_ONLYDIR, FAN_MARK_MOUNT, FAN_MARK_IGNORED_MASK, FAN_MARK_IGNORED_SURV_MODIFY
-fanotify_mask = FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE, FAN_OPEN, FAN_OPEN_PERM, FAN_ACCESS_PERM, FAN_ONDIR, FAN_EVENT_ON_CHILD
+fanotify_mask = FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE, FAN_OPEN, FAN_ONDIR, FAN_EVENT_ON_CHILD
faccessat_flags = 0x100, 0x200, 0x400, 0x800, 0x1000
futex_op = FUTEX_WAIT, FUTEX_WAIT_BITSET, FUTEX_WAKE, FUTEX_REQUEUE, FUTEX_CMP_REQUEUE
sync_file_flags = SYNC_FILE_RANGE_WAIT_BEFORE, SYNC_FILE_RANGE_WRITE, SYNC_FILE_RANGE_WAIT_AFTER
@@ -931,7 +931,7 @@ sched_attr_flags = 0
sched_attr_flags2 = 0, SCHED_FLAG_RESET_ON_FORK
sched_attr_size = 48
mempolicy_flags = 0, MPOL_F_MEMS_ALLOWED, MPOL_F_ADDR, MPOL_F_NODE
-ptrace_req = PTRACE_TRACEME, PTRACE_LISTEN, PTRACE_KILL, PTRACE_INTERRUPT, PTRACE_ATTACH, PTRACE_DETACH
+ptrace_req = PTRACE_LISTEN, PTRACE_KILL, PTRACE_INTERRUPT, PTRACE_ATTACH, PTRACE_DETACH
ptrace_req_peek = PTRACE_PEEKTEXT, PTRACE_PEEKDATA
ptrace_req_poke = PTRACE_POKETEXT, PTRACE_POKEDATA
ptrace_req_getregs = PTRACE_GETREGS, PTRACE_GETFPREGS
@@ -958,7 +958,7 @@ fiemap_extent_flags = FIEMAP_EXTENT_LAST, FIEMAP_EXTENT_UNKNOWN, FIEMAP_EXTENT_D
getrandom_flags = GRND_NONBLOCK, GRND_RANDOM
clone_flags = CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_PTRACE, CLONE_VFORK, CLONE_PARENT, CLONE_THREAD, CLONE_NEWNS, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID, CLONE_UNTRACED, CLONE_CHILD_SETTID, CLONE_NEWCGROUP, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET, CLONE_IO
-_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, __NR_mmap2
+_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, FAN_OPEN_PERM, FAN_ACCESS_PERM, PTRACE_TRACEME, ARCH_SET_FS, __NR_mmap2
# Not yet implemented syscalls
#define __NR_umask 95