diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2019-12-03 16:56:13 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2019-12-03 18:48:14 +0100 |
| commit | dfe2e9d84a64066fd15913c7cd02d1853adf3942 (patch) | |
| tree | 73a986f1ed2b0a184126fd4c4cc7d45d6dc40672 /sys/linux | |
| parent | 799e6ffbbe35cd75b780d3dcbbeb7d13ebe1fb24 (diff) | |
sys/linux: enforce arguments of all syz_open_dev calls
Opening random devices can lead to havoc.
Enforce device major/minor.
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/init.go | 24 | ||||
| -rw-r--r-- | sys/linux/init_test.go | 13 |
2 files changed, 33 insertions, 4 deletions
diff --git a/sys/linux/init.go b/sys/linux/init.go index 94565a9d3..64df47a3f 100644 --- a/sys/linux/init.go +++ b/sys/linux/init.go @@ -74,6 +74,7 @@ func InitTarget(target *prog.Target) { "vboxnet0", "vboxnet1", "vmnet0", "vmnet1", "GPL", } switch target.Arch { + case "amd64": target.SpecialPointers = []uint64{ 0xffffffff81000000, // kernel text @@ -203,15 +204,30 @@ func (arch *arch) sanitizeCall(c *prog.Call) { } case "syz_open_procfs": arch.sanitizeSyzOpenProcfs(c) + case "syz_open_dev": + enforceIntArg(c.Args[0]) + enforceIntArg(c.Args[1]) + enforceIntArg(c.Args[2]) } switch c.Meta.Name { case "setsockopt$EBT_SO_SET_ENTRIES": arch.sanitizeEbtables(c) - case "syz_open_dev$char_usb": - // Don't allow opening various char and block devices. - c.Args[0].(*prog.ConstArg).Val = 0xc - c.Args[1].(*prog.ConstArg).Val = arch.USB_MAJOR + } +} + +func enforceIntArg(a prog.Arg) { + arg, ok := a.(*prog.ConstArg) + if !ok { + return + } + switch typ := arg.Type().(type) { + case *prog.ConstType: + arg.Val = typ.Val + case *prog.IntType: + if typ.Kind == prog.IntRange && (arg.Val < typ.RangeBegin || arg.Val > typ.RangeEnd) { + arg.Val = typ.RangeBegin + } } } diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go index 7e4753115..4358bef35 100644 --- a/sys/linux/init_test.go +++ b/sys/linux/init_test.go @@ -152,6 +152,19 @@ syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') `, }, + + { + ` +syz_open_dev$tty1(0xc, 0x4, 0x4) +syz_open_dev$tty1(0xb, 0x2, 0x4) +syz_open_dev$tty1(0xc, 0x4, 0x5) +`, + ` +syz_open_dev$tty1(0xc, 0x4, 0x4) +syz_open_dev$tty1(0xc, 0x4, 0x4) +syz_open_dev$tty1(0xc, 0x4, 0x1) + `, + }, } for i, test := range tests { t.Run(fmt.Sprint(i), func(t *testing.T) { |