| author | Shankara Pailoor <shankarapailoor@gmail.com> | 2018-12-28 06:05:56 -0800 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-12-28 15:18:24 +0100 |
| commit | e33ad0f1875349ef73a89aad2473594de21ad9c0 (patch) | |
| tree | ec93487ee366eb93f13e35dace9ad63f67d33901 /tools | |
| parent | 6a33670d2ffa859bd7180727ef641f425cc95120 (diff) | |
tools/syz-trace2syz: only add null-byte for prog.BufferFilename
trace2syz used to always add a null byte to strings.
This was incorrect: the extra byte was also appended to data buffers, so the generated program wrote null bytes into files and changed the length and contents that system calls such as ioctl FS_IOC_ENABLE_VERITY observe.
We now only add the byte for filenames.
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/syz-trace2syz/parser/lex.go | 1 | ||||
| -rw-r--r-- | tools/syz-trace2syz/parser/straceLex.rl | 1 | ||||
| -rw-r--r-- | tools/syz-trace2syz/proggen/proggen.go | 5 | ||||
| -rw-r--r-- | tools/syz-trace2syz/proggen/proggen_test.go | 8 |
4 files changed, 9 insertions, 6 deletions
diff --git a/tools/syz-trace2syz/parser/lex.go b/tools/syz-trace2syz/parser/lex.go
index c5a83df64..12df80674 100644
--- a/tools/syz-trace2syz/parser/lex.go
+++ b/tools/syz-trace2syz/parser/lex.go
@@ -5804,6 +5804,5 @@ func ParseString(s string) string {
 log.Logf(2, "failed to decode string: %s, with error: %s", s, err.Error())
 decoded = []byte(strippedStr)
 }
- decoded = append(decoded, '\x00')
 return string(decoded)
 }
diff --git a/tools/syz-trace2syz/parser/straceLex.rl b/tools/syz-trace2syz/parser/straceLex.rl
index 9d5d4eaf5..d52446301 100644
--- a/tools/syz-trace2syz/parser/straceLex.rl
+++ b/tools/syz-trace2syz/parser/straceLex.rl
@@ -127,6 +127,5 @@ func ParseString(s string) string{
 log.Logf(2, "failed to decode string: %s, with error: %s", s, err.Error())
 decoded = []byte(strippedStr)
 }
- decoded = append(decoded, '\x00')
 return string(decoded)
 }
diff --git a/tools/syz-trace2syz/proggen/proggen.go b/tools/syz-trace2syz/proggen/proggen.go
index c1bdd501d..5d68d8fab 100644
--- a/tools/syz-trace2syz/proggen/proggen.go
+++ b/tools/syz-trace2syz/proggen/proggen.go
@@ -287,6 +287,11 @@ func (ctx *context) genBuffer(syzType *prog.BufferType, traceType parser.IrType)
 default:
 log.Fatalf("unsupported type for buffer: %#v", traceType)
 }
+ // strace always drops the null byte for strings but we only need to add it back for filenames
+ switch syzType.Kind {
+ case prog.BufferFilename:
+ bufVal = append(bufVal, '\x00')
+ }
 if !syzType.Varlen() {
 size := syzType.Size()
 for uint64(len(bufVal)) < size {
diff --git a/tools/syz-trace2syz/proggen/proggen_test.go b/tools/syz-trace2syz/proggen/proggen_test.go
index 71f3a2add..fbdc93f5f 100644
--- a/tools/syz-trace2syz/proggen/proggen_test.go
+++ b/tools/syz-trace2syz/proggen/proggen_test.go
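Review bot: The single-case `switch syzType.Kind` that appends the terminator in genBuffer is an `if` in disguise; `if syzType.Kind == prog.BufferFilename { bufVal = append(bufVal, '\x00') }` states the condition directly and reads better. Filenames are presumably not the only buffer kind that the kernel reads as a C string: if prog.BufferType also distinguishes zero-terminated `string` from `stringnoz` (a NoZ-style flag), zero-terminated BufferString values now lose their terminator here and the executed program would read past the buffer into whatever follows, so that case is worth confirming against prog.BufferType before relying on this. The append also happens before the fixed-size branch, so a filename that already fills a non-varlen buffer grows to `size + 1`; the visible loop only pads values that are too short, and whatever handles an over-long value is outside this hunk. The comment could say why data buffers must stay byte-exact, e.g. `// strace prints C strings without their NUL; the kernel needs it on path arguments, but data buffers (write(), ioctl payloads) must keep their traced length.` genBuffer starts before and ends after this hunk.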
@@ -24,14 +24,14 @@ open("file", 66) = 3
 write(3, "somedata", 8) = 8
 `, `
 r0 = open(&(0x7f0000000000)='file\x00', 0x42, 0x0)
-write(r0, &(0x7f0000000040)='somedata\x00', 0x9)
+write(r0, &(0x7f0000000040)='somedata', 0x8)
 `,
 }, {`
 pipe([5,6]) = 0
 write(6, "\xff\xff\xfe\xff", 4) = 4
 `, `
 pipe(&(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
-write(r0, &(0x7f0000000040)="fffffeff00", 0x5)
+write(r0, &(0x7f0000000040)="fffffeff", 0x4)
 `,
 }, {`
 pipe({0x0, 0x1}) = 0
@@ -51,13 +51,13 @@ getsockopt$inet_sctp6_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, &(0x7f0
 inotify_init() = 2
 open("tmp", 66) = 3
 inotify_add_watch(3, "\x2e", 0xfff) = 3
-write(3, "temp", 5) = 5
+write(3, "temp", 4) = 4
 inotify_rm_watch(2, 3) = 0
 `, `
 r0 = inotify_init()
 r1 = open(&(0x7f0000000000)='tmp\x00', 0x42, 0x0)
 r2 = inotify_add_watch(r1, &(0x7f0000000040)='.\x00', 0xfff)
-write(r1, &(0x7f0000000080)='temp\x00', 0x5)
+write(r1, &(0x7f0000000080)='temp', 0x4)
 inotify_rm_watch(r0, r2)
 `,
 }, {` |
