-rw-r--r--pkg/host/syscalls.go17
-rw-r--r--sys/darwin/sys.txt2
-rw-r--r--sys/freebsd/sys.txt2
-rw-r--r--sys/fuchsia/sys.txt2
-rw-r--r--sys/linux/sys.txt16
-rw-r--r--sys/netbsd/sys.txt2
-rw-r--r--sys/openbsd/sys.txt2
-rw-r--r--sys/syz-sysgen/sysgen.go7
-rw-r--r--sys/test/test.txt2
9 files changed, 26 insertions, 26 deletions
diff --git a/pkg/host/syscalls.go b/pkg/host/syscalls.go
index fd8acc4d1..cd49ded51 100644
--- a/pkg/host/syscalls.go
+++ b/pkg/host/syscalls.go
@@ -35,23 +35,6 @@ func DetectSupportedSyscalls(target *prog.Target, sandbox string, enabled map[*p
case !enabled[c]:
ok = false
reason = "not in set of enabled calls"
- case c.CallName == "syz_execute_func":
- // syz_execute_func caused multiple problems:
- // 1. First it lead to corpus explosion. The program used existing values in registers
- // to pollute output area. We tried to zero registers (though, not reliably).
- // 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
- // syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
- // 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
- // 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
- // 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
- // 3. The code can also execute syscalls (and it is know to), but it's not subject to
- // target.SanitizeCall. As the result it can do things that programs are not supposed to do.
- // 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
- // to syz_execute_func based on corpus contents. Mechanics are also not known.
- // It also did not cause finding of any new bugs (at least not that I know of).
- // Let's disable it for now until we figure out how to resolve all these problems.
- ok = false
- reason = "always disabled for now"
default:
ok, reason = isSupported(c, target, sandbox)
}
diff --git a/sys/darwin/sys.txt b/sys/darwin/sys.txt
index 88d218b73..44c5aa6b4 100644
--- a/sys/darwin/sys.txt
+++ b/sys/darwin/sys.txt
@@ -17,7 +17,7 @@ include <time.h>
include <signal.h>
include <sys/wait.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
poll(fds ptr[in, array[pollfd]], nfds len[fds], timeout int32)
select(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timeval])
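Review bot: The `(disabled)` attribute added to the syz_execute_func line is now the only thing gating this call on darwin, since the explicit special case in pkg/host/syscalls.go is removed in the same commit, yet the rationale is recorded only in sys/linux/sys.txt and a reader of this file has no pointer to it. A one-line comment above the declaration, `# Disabled on all OSes, see sys/linux/sys.txt for the reasons.`, would close that gap. Whether the attribute is actually honored when the enabled call set is computed (isSupported or its callers) is not visible in this diff and is worth confirming before merging, because the removed check was the runtime backstop. The same applies to the freebsd, fuchsia, netbsd, openbsd and test hunks.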
diff --git a/sys/freebsd/sys.txt b/sys/freebsd/sys.txt
index 3b53a4985..8738250a3 100644
--- a/sys/freebsd/sys.txt
+++ b/sys/freebsd/sys.txt
@@ -24,7 +24,7 @@ include <sys/specialfd.h>
type signo int32[0:SIGRTMAX]
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
sf_hdtr {
headers ptr[in, array[iovec_in]]
diff --git a/sys/fuchsia/sys.txt b/sys/fuchsia/sys.txt
index d2f11af27..6cdb4af8f 100644
--- a/sys/fuchsia/sys.txt
+++ b/sys/fuchsia/sys.txt
@@ -6,7 +6,7 @@
include <zircon/syscalls.h>
include <ddk/driver.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
# Provided by sysroot (include/ddk/driver.h)
resource zx_root_resource[zx_handle]
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 57af33efe..7b03e851e 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -93,7 +93,21 @@ type padto64[T] {
type signalno int32[0:65]
type signalnoptr intptr[0:65]
-syz_execute_func(text ptr[in, text[target]])
+# syz_execute_func caused multiple problems:
+# 1. First it lead to corpus explosion. The program used existing values in registers
+# to pollute output area. We tried to zero registers (though, not reliably).
+# 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
+# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
+# 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
+# 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
+# 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
+# 3. The code can also execute syscalls (and it is know to), but it's not subject to
+# target.SanitizeCall. As the result it can do things that programs are not supposed to do.
+# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
+# to syz_execute_func based on corpus contents. Mechanics are also not known.
+# It also did not cause finding of any new bugs (at least not that I know of).
+# So it's disabled on all OSes until we figure out how to resolve all these problems.
+syz_execute_func(text ptr[in, text[target]]) (disabled)
# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd
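Review bot: The new comment block above syz_execute_func carries wording slips that now live in the canonical description file: `lead to` should read `led to` in items 1 and 2, and `it is know to` should read `it is known to` in item 3. Since the other OS description files only mark the call `(disabled)`, this comment is the one place the rationale is recorded, so it is worth getting the text right.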
diff --git a/sys/netbsd/sys.txt b/sys/netbsd/sys.txt
index 502b792e2..709ec4c29 100644
--- a/sys/netbsd/sys.txt
+++ b/sys/netbsd/sys.txt
@@ -24,7 +24,7 @@ include <sys/module.h>
include <sys/swap.h>
include <sys/ras.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
pipe(pipefd ptr[out, pipefd])
diff --git a/sys/openbsd/sys.txt b/sys/openbsd/sys.txt
index 0752c7449..819270fbc 100644
--- a/sys/openbsd/sys.txt
+++ b/sys/openbsd/sys.txt
@@ -17,7 +17,7 @@ include <time.h>
include <signal.h>
include <sys/wait.h>
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
pipe(pipefd ptr[out, pipefd])
diff --git a/sys/syz-sysgen/sysgen.go b/sys/syz-sysgen/sysgen.go
index 313cb60d8..b1ed731bb 100644
--- a/sys/syz-sysgen/sysgen.go
+++ b/sys/syz-sysgen/sysgen.go
@@ -12,6 +12,7 @@ import (
"path/filepath"
"reflect"
"sort"
+ "strings"
"sync"
"text/template"
@@ -342,8 +343,10 @@ func newSyscallData(target *targets.Target, sc *prog.Syscall, attrs []uint64) Sy
Name: sc.Name,
CallName: callName,
NR: int32(sc.NR),
- NeedCall: (!target.HasCallNumber(sc.CallName) || patchCallName) && !sc.Attrs.Disabled,
- Attrs: attrs,
+ NeedCall: (!target.HasCallNumber(sc.CallName) || patchCallName) &&
+ // These are declared in the compiler for internal purposes.
+ !strings.HasPrefix(sc.Name, "syz_builtin"),
+ Attrs: attrs,
}
}
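Review bot: Dropping `!sc.Attrs.Disabled` from the NeedCall expression means every call carrying the `(disabled)` attribute, not only syz_execute_func, now gets an executor entry generated, but the new comment explains only the syz_builtin exclusion and says nothing about why disabled calls are no longer excluded. A short why-comment on the field would save the next reader from re-deriving it, e.g. `// Disabled calls still get an executor entry; presumably they are filtered out at runtime when the enabled call set is computed (see pkg/host) — confirm.` The start of newSyscallData lies outside the hunk (only its signature is visible in the hunk header), so I cannot tell from here whether anything earlier in the function already depends on Attrs.Disabled.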
diff --git a/sys/test/test.txt b/sys/test/test.txt
index a973904a3..b08b9bcf8 100644
--- a/sys/test/test.txt
+++ b/sys/test/test.txt
@@ -3,7 +3,7 @@
# Syscalls used in syzkaller tests.
-syz_execute_func(text ptr[in, text[target]])
+syz_execute_func(text ptr[in, text[target]]) (disabled)
test()