| -rw-r--r-- | executor/common.h | 2 | ||||
| -rw-r--r-- | executor/common_bsd.h | 4 | ||||
| -rw-r--r-- | executor/common_fuchsia.h | 2 | ||||
| -rw-r--r-- | executor/common_kvm_amd64.h | 2 | ||||
| -rw-r--r-- | executor/common_kvm_arm64.h | 2 | ||||
| -rw-r--r-- | executor/common_linux.h | 22 | ||||
| -rw-r--r-- | executor/common_test.h | 10 | ||||
| -rw-r--r-- | pkg/csource/csource_test.go | 13 | ||||
| -rw-r--r-- | pkg/csource/generated.go | 44 |
9 files changed, 56 insertions, 45 deletions
diff --git a/executor/common.h b/executor/common.h
index 1d4d1883c..9531d4a3e 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -381,7 +381,7 @@ static uint16 csum_inet_digest(struct csum_inet* csum)
 #if SYZ_EXECUTOR || __NR_syz_execute_func // syz_execute_func(text ptr[in, text[taget]])
-static long syz_execute_func(long text)
+static long syz_execute_func(volatile long text)
 {
 ((void (*)(void))(text))();
 return 0;
diff --git a/executor/common_bsd.h b/executor/common_bsd.h
index 40c9d14fb..be9481563 100644
--- a/executor/common_bsd.h
+++ b/executor/common_bsd.h
@@ -161,7 +161,7 @@ static void initialize_tun(int tun_id)
 #include <stdbool.h>
 #include <sys/uio.h>
-static long syz_emit_ethernet(long a0, long a1)
+static long syz_emit_ethernet(volatile long a0, volatile long a1)
 { // syz_emit_ethernet(len len[packet], packet ptr[in, array[int8]])
 if (tunfd < 0)
@@ -216,7 +216,7 @@ struct tcp_resources { // pkg/csource hoistIncludes.
 #include <netinet/if_ether.h>
-static long syz_extract_tcp_res(long a0, long a1, long a2)
+static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
 { // syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)
diff --git a/executor/common_fuchsia.h b/executor/common_fuchsia.h
index 3dbbaff7c..9749f668b 100644
--- a/executor/common_fuchsia.h
+++ b/executor/common_fuchsia.h
@@ -220,7 +220,7 @@ static long syz_job_default(void)
 #endif
 #if SYZ_EXECUTOR || __NR_syz_future_time
-static long syz_future_time(long when)
+static long syz_future_time(volatile long when)
 {
 zx_time_t delta_ms;
 switch (when) {
diff --git a/executor/common_kvm_amd64.h b/executor/common_kvm_amd64.h
index 9eb70f71f..db9ab73d4 100644
--- a/executor/common_kvm_amd64.h
+++ b/executor/common_kvm_amd64.h
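Review bot: The `volatile` added to the syz_execute_func parameter in executor/common.h carries no comment saying why it is there, so the qualifier is easy to mistake for noise and strip in a later cleanup. The only hint on the page is the comment in pkg/csource/csource_test.go about NULL-argument warnings in ".constprop" clones, so presumably the intent is to stop the compiler from specialising the pseudo-syscalls on constant arguments. I would state that once next to the first signature, e.g. `// Args are volatile so the compiler cannot constant-propagate them into syz_ bodies (see csource_test.go).` The same applies to the signatures changed in common_bsd.h, common_fuchsia.h, common_linux.h and common_test.h. The function bodies continue outside the hunks.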
@@ -269,7 +269,7 @@ struct kvm_opt {
 #define KVM_SETUP_VM (1 << 6) // syz_kvm_setup_cpu(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text, 1]], ntext len[text], flags flags[kvm_setup_flags], opts ptr[in, array[kvm_setup_opt, 0:2]], nopt len[opts])
-static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7)
+static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
 {
 const int vmfd = a0;
 const int cpufd = a1;
diff --git a/executor/common_kvm_arm64.h b/executor/common_kvm_arm64.h
index 868c2fe65..4b536929f 100644
--- a/executor/common_kvm_arm64.h
+++ b/executor/common_kvm_arm64.h
@@ -17,7 +17,7 @@ struct kvm_opt {
 }; // syz_kvm_setup_cpu(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text, 1]], ntext len[text], flags flags[kvm_setup_flags], opts ptr[in, array[kvm_setup_opt, 0:2]], nopt len[opts])
-static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7)
+static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
 {
 const int vmfd = a0;
 const int cpufd = a1;
diff --git a/executor/common_linux.h b/executor/common_linux.h
index 0e185553c..b84955577 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -660,7 +660,7 @@ struct vnet_fragmentation {
 uint32 frags[MAX_FRAGS];
 };
-static long syz_emit_ethernet(long a0, long a1, long a2)
+static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2)
 { // syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt]) // vnet_fragmentation {
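Review bot: In common_kvm_amd64.h and common_kvm_arm64.h the syz_kvm_setup_cpu signature moves a0–a7 and the return type from `uintptr_t` to `long`, so these two hunks change signedness as well as adding `volatile`. The body continues outside the hunk. The signature comment lists a2 as an address and a4/a7 as lengths, so any comparison, loop bound or pointer cast on them there now starts from a signed value, and a fuzzer-supplied argument with the top bit set becomes negative. Converting once at the top, next to the visible `const int vmfd = a0;` lines, keeps the previous unsigned arithmetic, e.g. `const uintptr_t ntext = (uintptr_t)a4;` (the local name is a placeholder, since the body's own locals are not shown).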
@@ -746,7 +746,7 @@ struct tcp_resources {
 uint32 ack;
 };
-static long syz_extract_tcp_res(long a0, long a1, long a2)
+static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2)
 { // syz_extract_tcp_res(res ptr[out, tcp_resources], seq_inc int32, ack_inc int32)
@@ -804,7 +804,7 @@ static long syz_extract_tcp_res(long a0, long a1, long a2)
 #include <sys/stat.h>
 #include <sys/types.h>
-static long syz_open_dev(long a0, long a1, long a2)
+static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
 {
 if (a0 == 0xc || a0 == 0xb) { // syz_open_dev$char(dev const[0xc], major intptr, minor intptr) fd
@@ -833,7 +833,7 @@ static long syz_open_dev(long a0, long a1, long a2)
 #include <sys/stat.h>
 #include <sys/types.h>
-static long syz_open_procfs(long a0, long a1)
+static long syz_open_procfs(volatile long a0, volatile long a1)
 { // syz_open_procfs(pid pid, file ptr[in, string[procfs_file]]) fd
@@ -859,7 +859,7 @@ static long syz_open_procfs(long a0, long a1)
 #include <sys/stat.h>
 #include <sys/types.h>
-static long syz_open_pts(long a0, long a1)
+static long syz_open_pts(volatile long a0, volatile long a1)
 { // syz_openpts(fd fd[tty], flags flags[open_flags]) fd[tty]
 int ptyno = 0;
@@ -882,7 +882,7 @@ static long syz_open_pts(long a0, long a1)
 const int kInitNetNsFd = 239; // see kMaxFd // syz_init_net_socket opens a socket in init net namespace. // Used for families that can only be created in init net namespace.
-static long syz_init_net_socket(long domain, long type, long proto)
+static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
 {
 int netns = open("/proc/self/ns/net", O_RDONLY);
 if (netns == -1)
@@ -898,7 +898,7 @@ static long syz_init_net_socket(long domain, long type, long proto)
 return sock;
 }
 #else
-static long syz_init_net_socket(long domain, long type, long proto)
+static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
 {
 return syscall(__NR_socket, domain, type, proto);
 }
@@ -912,7 +912,7 @@ static long syz_init_net_socket(long domain, long type, long proto)
 #include <sys/socket.h>
 #include <sys/types.h>
-static long syz_genetlink_get_family_id(long name)
+static long syz_genetlink_get_family_id(volatile long name)
 {
 char buf[512] = {0};
 struct nlmsghdr* hdr = (struct nlmsghdr*)buf;
@@ -991,7 +991,7 @@ struct fs_image_segment {
 #if SYZ_EXECUTOR || __NR_syz_read_part_table // syz_read_part_table(size intptr, nsegs len[segments], segments ptr[in, array[fs_image_segment]])
-static long syz_read_part_table(unsigned long size, unsigned long nsegs, long segments)
+static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments)
 {
 char loopname[64], linkname[64];
 int loopfd, err = 0, res = -1;
@@ -1091,7 +1091,7 @@ error: // size len[data, intptr] // offset intptr //}
-static long syz_mount_image(long fsarg, long dir, unsigned long size, unsigned long nsegs, long segments, long flags, long optsarg)
+static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
 {
 char loopname[64], fs[32], opts[256];
 int loopfd, err = 0, res = -1;
@@ -1200,7 +1200,7 @@ error:
 #elif GOARCH_arm64
 #include "common_kvm_arm64.h"
 #else
-static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4, long a5, long a6, long a7)
+static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
 {
 return 0;
 }
diff --git a/executor/common_test.h b/executor/common_test.h
index 826d2c8d8..428ea2ce1 100644
--- a/executor/common_test.h
+++ b/executor/common_test.h
@@ -10,7 +10,7 @@
 #include <sys/mman.h> // syz_mmap(addr vma, len len[addr])
-static long syz_mmap(long a0, long a1)
+static long syz_mmap(volatile long a0, volatile long a1)
 {
 return (long)mmap((void*)a0, a1, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
 }
@@ -20,7 +20,7 @@ static long syz_mmap(long a0, long a1)
 #include <errno.h> // syz_errno(v int32)
-static long syz_errno(long v)
+static long syz_errno(volatile long v)
 {
 errno = v;
 return v == 0 ? 0 : -1;
@@ -29,7 +29,7 @@ static long syz_errno(long v)
 #if SYZ_EXECUTOR || __NR_syz_exit // syz_exit(status int32)
-static long syz_exit(long status)
+static long syz_exit(volatile long status)
 {
 _exit(status);
 return 0;
@@ -41,7 +41,7 @@ static long syz_exit(long status)
 #include <string.h> // syz_compare(want ptr[in, string], want_len len[want], got ptr[in, compare_data], got_len len[got])
-static long syz_compare(long want, long want_len, long got, long got_len)
+static long syz_compare(volatile long want, volatile long want_len, volatile long got, volatile long got_len)
 {
 if (want_len != got_len) {
 debug("syz_compare: want_len=%lu got_len=%lu\n", want_len, got_len);
@@ -65,7 +65,7 @@ static long syz_compare(long want, long want_len, long got, long got_len)
 #include <stdarg.h> // syz_compare_int$4(n const[2], v0 intptr, v1 intptr, v2 intptr, v3 intptr)
-static long syz_compare_int(long n, ...)
+static long syz_compare_int(volatile long n, ...)
 {
 va_list args;
 va_start(args, n);
diff --git a/pkg/csource/csource_test.go b/pkg/csource/csource_test.go
index ce2db21c0..773ff2ed8 100644
--- a/pkg/csource/csource_test.go
+++ b/pkg/csource/csource_test.go
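Review bot: In syz_compare_int (executor/common_test.h) the parameter handed to `va_start(args, n)` is now declared `volatile long`, and C11 7.16.1.4 leaves the behaviour undefined when that parameter's declared type is not compatible with its promoted type; on a strict reading a qualified `long` is not compatible with plain `long`. GCC and Clang accept this in practice, so it is a portability and warning-hygiene point rather than an observed failure. Since `n` is a count rather than a pointer, this one signature could stay as `static long syz_compare_int(long n, ...)`. The function body continues outside the hunk.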
@@ -67,9 +67,16 @@ func testTarget(t *testing.T, target *prog.Target, full bool) {
 rs := rand.NewSource(seed)
 t.Logf("seed=%v", seed)
 p := target.Generate(rs, 10, nil)
- p.Calls = append(p.Calls, target.GenerateAllSyzProg(rs).Calls...)
+ // Turns out that fully minimized program can trigger new interesting warnings,
+ // e.g. about NULL arguments for functions that require non-NULL arguments in syz_ functions.
+ // We could append both AllSyzProg as-is and a minimized version of it,
+ // but this makes the NULL argument warnings go away (they showed up in ".constprop" versions).
+ // Testing 2 programs takes too long since we have lots of options permutations and OS/arch.
+ // So we use the as-is in short tests and minimized version in full tests.
+ syzProg := target.GenerateAllSyzProg(rs)
 var opts []Options
 if !full || testing.Short() {
+ p.Calls = append(p.Calls, syzProg.Calls...)
 opts = allOptionsSingle(target.OS)
 // This is the main configuration used by executor,
 // so we want to test it as well.
@@ -83,6 +90,10 @@ func testTarget(t *testing.T, target *prog.Target, full bool) {
 UseTmpDir: true,
 })
 } else {
+ minimized, _ := prog.Minimize(syzProg, -1, false, func(p *prog.Prog, call int) bool {
+ return len(p.Calls) == len(syzProg.Calls)
+ })
+ p.Calls = append(p.Calls, minimized.Calls...)
 opts = allOptionsPermutations(target.OS)
 }
 for opti, opts := range opts {
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index e58ce06c6..a41a64a62 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -362,7 +362,7 @@ static uint16 csum_inet_digest(struct csum_inet* csum) #endif #if SYZ_EXECUTOR || __NR_syz_execute_func -static long syz_execute_func(long text) +static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0;
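Review bot: In pkg/csource/csource_test.go the callback passed to `prog.Minimize` names its parameter `p`, which shadows the outer `p := target.Generate(rs, 10, nil)` that the very next added line appends to, and the predicate's intent is not stated. It accepts a candidate only when its call count equals that of `syzProg`, so presumably no syz_ call is dropped and only arguments are simplified; the second result of `Minimize` is discarded with `_`. Renaming and commenting would make that readable: `func(cand *prog.Prog, call int) bool {` with `// Keep every call; let Minimize simplify arguments only.` above `return len(cand.Calls) == len(syzProg.Calls)`. testTarget starts and ends outside the hunk.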
@@ -548,7 +548,7 @@ static void initialize_tun(int tun_id) #include <stdbool.h> #include <sys/uio.h> -static long syz_emit_ethernet(long a0, long a1) +static long syz_emit_ethernet(volatile long a0, volatile long a1) { if (tunfd < 0) return (uintptr_t)-1; @@ -599,7 +599,7 @@ struct tcp_resources { #include <netinet/tcp.h> #include <netinet/if_ether.h> -static long syz_extract_tcp_res(long a0, long a1, long a2) +static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) @@ -957,7 +957,7 @@ static long syz_job_default(void) #endif #if SYZ_EXECUTOR || __NR_syz_future_time -static long syz_future_time(long when) +static long syz_future_time(volatile long when) { zx_time_t delta_ms; switch (when) { @@ -1579,7 +1579,7 @@ struct vnet_fragmentation { uint32 frags[MAX_FRAGS]; }; -static long syz_emit_ethernet(long a0, long a1, long a2) +static long syz_emit_ethernet(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) return (uintptr_t)-1; @@ -1657,7 +1657,7 @@ struct tcp_resources { uint32 ack; }; -static long syz_extract_tcp_res(long a0, long a1, long a2) +static long syz_extract_tcp_res(volatile long a0, volatile long a1, volatile long a2) { if (tunfd < 0) @@ -1713,7 +1713,7 @@ static long syz_extract_tcp_res(long a0, long a1, long a2) #include <sys/stat.h> #include <sys/types.h> -static long syz_open_dev(long a0, long a1, long a2) +static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; @@ -1739,7 +1739,7 @@ static long syz_open_dev(long a0, long a1, long a2) #include <sys/stat.h> #include <sys/types.h> -static long syz_open_procfs(long a0, long a1) +static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; 
@@ -1764,7 +1764,7 @@ static long syz_open_procfs(long a0, long a1) #include <sys/stat.h> #include <sys/types.h> -static long syz_open_pts(long a0, long a1) +static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) @@ -1784,7 +1784,7 @@ static long syz_open_pts(long a0, long a1) #include <unistd.h> const int kInitNetNsFd = 239; -static long syz_init_net_socket(long domain, long type, long proto) +static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) @@ -1800,7 +1800,7 @@ static long syz_init_net_socket(long domain, long type, long proto) return sock; } #else -static long syz_init_net_socket(long domain, long type, long proto) +static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { return syscall(__NR_socket, domain, type, proto); } @@ -1814,7 +1814,7 @@ static long syz_init_net_socket(long domain, long type, long proto) #include <sys/socket.h> #include <sys/types.h> -static long syz_genetlink_get_family_id(long name) +static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; @@ -1892,7 +1892,7 @@ struct fs_image_segment { #endif #if SYZ_EXECUTOR || __NR_syz_read_part_table -static long syz_read_part_table(unsigned long size, unsigned long nsegs, long segments) +static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; 
@@ -1983,7 +1983,7 @@ error: #if SYZ_EXECUTOR || __NR_syz_mount_image #include <string.h> #include <sys/mount.h> -static long syz_mount_image(long fsarg, long dir, unsigned long size, unsigned long nsegs, long segments, long flags, long optsarg) +static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; @@ -2411,7 +2411,7 @@ struct kvm_opt { #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) -static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7) +static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; @@ -2961,7 +2961,7 @@ struct kvm_opt { uint64 typ; uint64 val; }; -static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7) +static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; @@ -3028,7 +3028,7 @@ static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uin } #else -static long syz_kvm_setup_cpu(long a0, long a1, long a2, long a3, long a4, long a5, long a6, long a7) +static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { return 0; } 
@@ -4341,7 +4341,7 @@ static void reset_test() #if SYZ_EXECUTOR || __NR_syz_mmap #include <sys/mman.h> -static long syz_mmap(long a0, long a1) +static long syz_mmap(volatile long a0, volatile long a1) { return (long)mmap((void*)a0, a1, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0); } @@ -4349,7 +4349,7 @@ static long syz_mmap(long a0, long a1) #if SYZ_EXECUTOR || __NR_syz_errno #include <errno.h> -static long syz_errno(long v) +static long syz_errno(volatile long v) { errno = v; return v == 0 ? 0 : -1; @@ -4357,7 +4357,7 @@ static long syz_errno(long v) #endif #if SYZ_EXECUTOR || __NR_syz_exit -static long syz_exit(long status) +static long syz_exit(volatile long status) { _exit(status); return 0; @@ -4367,7 +4367,7 @@ static long syz_exit(long status) #if SYZ_EXECUTOR || __NR_syz_compare #include <errno.h> #include <string.h> -static long syz_compare(long want, long want_len, long got, long got_len) +static long syz_compare(volatile long want, volatile long want_len, volatile long got, volatile long got_len) { if (want_len != got_len) { debug("syz_compare: want_len=%lu got_len=%lu\n", want_len, got_len); @@ -4389,7 +4389,7 @@ static long syz_compare(long want, long want_len, long got, long got_len) #if SYZ_EXECUTOR || __NR_syz_compare_int #include <errno.h> #include <stdarg.h> -static long syz_compare_int(long n, ...) +static long syz_compare_int(volatile long n, ...) { va_list args; va_start(args, n); |
