| author | Dmitry Vyukov <dvyukov@google.com> | 2018-08-30 14:17:47 -0700 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-08-30 21:45:03 -0700 |
| commit | e8dd2c6713522707b3b89884eb95601cdf9bc9be (patch) | |
| tree | 9df12a938af90c06794ec9f60920d59330766ed1 /sys/linux | |
| parent | 6ba5fe3e62880ddf8aeec68ab44eabaa8bc148b8 (diff) | |
prog: add concept of "special pointers"
Currently we only generate either valid user-space pointers or NULL.
Extend NULL to a set of special pointers that we will use in programs.
All targets now contain 3 special values:
- NULL
- 0xfffffffffffffff (invalid kernel pointer)
- 0x999999999999999 (non-canonical address)
Each target can add additional special pointers on top of this.
Also generate NULL/special pointers for non-opt ptr's.
This restriction was always too restrictive. We may want to generate
them with very low probability, but we do want to generate them.
Also change pointers to NULL/special during mutation
(but still not in the opposite direction).
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/init.go | 38 | ||||
| -rw-r--r-- | sys/linux/init_iptables.go | 12 |
2 files changed, 31 insertions, 19 deletions
diff --git a/sys/linux/init.go b/sys/linux/init.go
index 035ffee2f..1400ce182 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -10,16 +10,6 @@ import (
 "github.com/google/syzkaller/sys/targets"
 )
-/*
-func init() {
- prog.RegisterTarget(gen.Target_amd64, initTarget)
- prog.RegisterTarget(gen.Target_386, initTarget)
- prog.RegisterTarget(gen.Target_arm64, initTarget)
- prog.RegisterTarget(gen.Target_arm, initTarget)
- prog.RegisterTarget(gen.Target_ppc64le, initTarget)
-}
-*/
-
 func InitTarget(target *prog.Target) {
 arch := &arch{
 unix: targets.MakeUnixSanitizer(target),
@@ -54,7 +44,26 @@ func InitTarget(target *prog.Target) {
 "arpt_replace": arch.generateArptables,
 "ebt_replace": arch.generateEbtables,
 }
- target.StringDictionary = stringDictionary
+ // TODO(dvyukov): get rid of this, this must be in descriptions.
+ target.StringDictionary = []string{
+ "user", "keyring", "trusted", "system", "security", "selinux",
+ "posix_acl_access", "mime_type", "md5sum", "nodev", "self",
+ "bdev", "proc", "cgroup", "cpuset",
+ "lo", "eth0", "eth1", "em0", "em1", "wlan0", "wlan1", "ppp0", "ppp1",
+ "vboxnet0", "vboxnet1", "vmnet0", "vmnet1", "GPL",
+ }
+ switch target.Arch {
+ case "amd64":
+ target.SpecialPointers = []uint64{
+ 0xffffffff81000000, // kernel text
+ }
+ case "386":
+ case "arm64":
+ case "arm":
+ case "ppc64le":
+ default:
+ panic("unknown arch")
+ }
 if target.Arch == runtime.GOARCH {
 KCOV_INIT_TRACE = uintptr(target.ConstMap["KCOV_INIT_TRACE"])
@@ -70,13 +79,6 @@ var (
 KCOV_ENABLE uintptr
 KCOV_DISABLE uintptr
 KCOV_TRACE_CMP uintptr
-
- // TODO(dvyukov): get rid of this, this must be in descriptions.
- stringDictionary = []string{"user", "keyring", "trusted", "system", "security", "selinux",
- "posix_acl_access", "mime_type", "md5sum", "nodev", "self",
- "bdev", "proc", "cgroup", "cpuset",
- "lo", "eth0", "eth1", "em0", "em1", "wlan0", "wlan1", "ppp0", "ppp1",
- "vboxnet0", "vboxnet1", "vmnet0", "vmnet1", "GPL"}
 )
 type arch struct {
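Review bot: The `default: panic("unknown arch")` arm of the new `switch target.Arch` drops the value that triggered it, so a failure on a newly added architecture gives no hint which one; `panic("unknown arch: " + target.Arch)` would. The four empty arms (`386`, `arm64`, `arm`, `ppc64le`) read as unfinished, and a one-line comment such as `// no arch-specific special pointers yet` would mark them as intentional. The `// kernel text` comment on `0xffffffff81000000` could also state that this is a fixed address, which presumably only lands in kernel text when the image is not relocated (KASLR off). InitTarget's body starts and ends outside the hunk.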
diff --git a/sys/linux/init_iptables.go b/sys/linux/init_iptables.go
index 231bcfb77..2a49bffe4 100644
--- a/sys/linux/init_iptables.go
+++ b/sys/linux/init_iptables.go
@@ -126,6 +126,9 @@ func (arch *arch) generateEbtables(g *prog.Gen, typ prog.Type, old prog.Arg) (
 }
 tableArg := arg.(*prog.UnionArg).Option.(*prog.GroupArg)
 entriesPtr := tableArg.Inner[entriesField].(*prog.PointerArg)
+ if entriesPtr.Res == nil {
+ return
+ }
 entriesArray := entriesPtr.Res.(*prog.GroupArg)
 offsets := make([]uint64, len(entriesArray.Inner))
 var pos, totalEntries uint64
@@ -165,8 +168,15 @@ func (arch *arch) sanitizeEbtables(c *prog.Call) {
 // This is very hacky... just as netfilter interfaces.
 // setsockopt's len argument must be equal to size of ebt_replace + entries size.
 lenArg := c.Args[4].(*prog.ConstArg)
- tableArg := c.Args[3].(*prog.PointerArg).Res.(*prog.UnionArg).Option.(*prog.GroupArg)
+ tablePtr := c.Args[3].(*prog.PointerArg).Res
+ if tablePtr == nil {
+ return
+ }
+ tableArg := tablePtr.(*prog.UnionArg).Option.(*prog.GroupArg)
 entriesField := len(tableArg.Inner) - 1
 entriesArg := tableArg.Inner[entriesField].(*prog.PointerArg).Res
+ if entriesArg == nil {
+ return
+ }
 lenArg.Val = tableArg.Size() + entriesArg.Size()
 } |
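Review bot: The new nil checks on `Res` (here on `entriesPtr.Res`, and on `tablePtr` and `entriesArg` in the sanitizeEbtables hunk) carry no comment saying when `Res` can be nil, which a reader of this file alone cannot tell; a line such as `// NULL/special pointer: there is no pointee to fix up` above each would tie them to the special-pointers change, assuming that is the case they guard. In this hunk the bare `return` also relies on named results declared in the signature, which continues outside the hunk, so what the caller receives on this path is not visible here. Spelling the returned values out would make the early exit easier to audit.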
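Review bot: When `entriesArg == nil` in sanitizeEbtables the function returns before `lenArg.Val` is assigned, so the length keeps its generated value even though the table itself is present. If the rule in the comment above (len equals size of ebt_replace plus entries size) is meant to hold for a NULL entries pointer too, that branch could set `lenArg.Val = tableArg.Size()` before returning; whether leaving it unsanitized is intended is not visible from the hunk. Separately, `tablePtr` holds `.Res`, the pointee rather than the pointer, so a name like `tableRes` would match what the nil check actually tests.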
