From 1172db0ccf077bbfef7ddd176ced61c7140cb698 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Tue, 1 Aug 2017 18:30:20 +0200
Subject: prog: fix encoding for exec of result args

ResultArg might have const value. Also add a test.
---
 executor/syscalls.h | 6 ++++++
 prog/encodingexec.go | 18 +++++++++++++-----
 prog/encodingexec_test.go | 7 +++++++
 sys/sys_amd64.go | 3 +++
 sys/sys_arm64.go | 3 +++
 sys/sys_ppc64le.go | 3 +++
 sys/test.txt | 7 +++++++
 7 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/executor/syscalls.h b/executor/syscalls.h
index 535926cc6..aaee4cf35 100644
--- a/executor/syscalls.h
+++ b/executor/syscalls.h
@@ -1468,6 +1468,8 @@ static call_t syscalls[] = {
 {"syz_test$recur1", 1000001},
 {"syz_test$recur2", 1000001},
 {"syz_test$regression0", 1000001},
+ {"syz_test$res0", 1000001},
+ {"syz_test$res1", 1000001},
 {"syz_test$struct", 1000001},
 {"syz_test$text_x86_16", 1000001},
 {"syz_test$text_x86_32", 1000001},
@@ -2980,6 +2982,8 @@ static call_t syscalls[] = {
 {"syz_test$recur1", 1000001},
 {"syz_test$recur2", 1000001},
 {"syz_test$regression0", 1000001},
+ {"syz_test$res0", 1000001},
+ {"syz_test$res1", 1000001},
 {"syz_test$struct", 1000001},
 {"syz_test$text_x86_16", 1000001},
 {"syz_test$text_x86_32", 1000001},
@@ -4492,6 +4496,8 @@ static call_t syscalls[] = {
 {"syz_test$recur1", 1000001},
 {"syz_test$recur2", 1000001},
 {"syz_test$regression0", 1000001},
+ {"syz_test$res0", 1000001},
+ {"syz_test$res1", 1000001},
 {"syz_test$struct", 1000001},
 {"syz_test$text_x86_16", 1000001},
 {"syz_test$text_x86_32", 1000001},
diff --git a/prog/encodingexec.go b/prog/encodingexec.go
index ba2efcd37..403b09f88 100644
--- a/prog/encodingexec.go
+++ b/prog/encodingexec.go
@@ -253,11 +253,19 @@ func (w *execContext) writeArg(arg Arg, pid int, csumMap map[Arg]CsumInfo) {
 w.write(a.Type().BitfieldOffset())
 w.write(a.Type().BitfieldLength())
 case *ResultArg:
- w.write(ExecArgResult)
- w.write(a.Size())
- w.write(w.args[a.Res].Idx)
- w.write(a.OpDiv)
- w.write(a.OpAdd)
+ if a.Res == nil {
+ w.write(ExecArgConst)
+ w.write(a.Size())
+ w.write(a.Val)
+ w.write(0) // bit field offset
+ w.write(0) // bit field length
+ } else {
+ w.write(ExecArgResult)
+ w.write(a.Size())
+ w.write(w.args[a.Res].Idx)
+ w.write(a.OpDiv)
+ w.write(a.OpAdd)
+ }
 case *PointerArg:
 w.write(ExecArgConst)
 w.write(a.Size())
diff --git a/prog/encodingexec_test.go b/prog/encodingexec_test.go
index b7a6b9463..2d96a47e0 100644
--- a/prog/encodingexec_test.go
+++ b/prog/encodingexec_test.go
@@ -250,6 +250,13 @@ func TestSerializeForExec(t *testing.T) {
 instrEOF,
 },
 },
+ {
+ "syz_test$res1(0xffff)",
+ []uint64{
+ callID("syz_test$res1"), 1, argConst, 4, 0xffff, 0, 0,
+ instrEOF,
+ },
+ },
 }
 buf := make([]byte, ExecBufferSize)
diff --git a/sys/sys_amd64.go b/sys/sys_amd64.go
index 8ae510019..7c45588f9 100644
--- a/sys/sys_amd64.go
+++ b/sys/sys_amd64.go
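Review bot: In the `else` branch of the `*ResultArg` case, `w.args[a.Res].Idx` is still read without checking that `a.Res` is actually registered in `w.args`. If `w.args` is a map (its declaration is outside this hunk), a non-nil `a.Res` that was never recorded yields a zero `Idx`, so the executor would be pointed at result slot 0 with no error, which looks like the same kind of silent mis-encoding the new `a.Res == nil` branch is meant to remove. I would look the entry up with `info, ok := w.args[a.Res]` and fail loudly when `!ok` before writing `info.Idx`. A short comment on the nil branch, such as `// no producing call: encode the resource's literal value as a constant`, would also explain why the two bit-field words are zero. `writeArg` starts and ends outside the hunk.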
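Review bot: The new table entry in `TestSerializeForExec` covers only the constant path (`a.Res == nil`); nothing in this hunk exercises the `ExecArgResult` path, and `syz_test$res0`, which the commit adds as a producer of `syz_res`, is not used by any case here. A second entry whose program is `r0 = syz_test$res0()` followed by `syz_test$res1(r0)`, with the expected words pinned, would guard both branches of the changed `*ResultArg` case against regressions. The test function continues outside the hunk.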
@@ -85,6 +85,7 @@ var resourceArray = []*ResourceDesc{ &ResourceDesc{Name: "sock_udp", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in", "sock_udp"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_udp6", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in6", "sock_udp6"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_unix", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_unix"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, + &ResourceDesc{Name: "syz_res", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"syz_res"}, Values: []uintptr{0xffff}}, &ResourceDesc{Name: "tcp_seq_num", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"tcp_seq_num"}, Values: []uintptr{0x42424242}}, &ResourceDesc{Name: "te_session_id", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"te_session_id"}, Values: []uintptr{0}}, &ResourceDesc{Name: "time_nsec", 
Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"time_nsec"}, Values: []uintptr{0}}, 
@@ -22936,6 +22937,8 @@ var Calls = []*Call{ &Call{Name: "syz_test$recur1", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_1", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$recur2", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_2", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$regression0", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_regression0_struct", "", DirInOut})}}, NR: 1000001}, + &Call{Name: "syz_test$res0", CallName: "syz_test", Native: false, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "ret", ArgDir: DirOut, IsOptional: false}, Desc: resource("syz_res")}, Args: []Type{}, NR: 1000001}, + &Call{Name: "syz_test$res1", CallName: "syz_test", Native: false, Args: []Type{&ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Desc: resource("syz_res")}}, NR: 1000001}, &Call{Name: "syz_test$struct", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_struct0", "", DirIn})}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_16", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_16}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: 
false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_32", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_32}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001}, diff --git a/sys/sys_arm64.go b/sys/sys_arm64.go index 08d6d18f4..a293fcfed 100644 --- a/sys/sys_arm64.go +++ b/sys/sys_arm64.go 
@@ -85,6 +85,7 @@ var resourceArray = []*ResourceDesc{ &ResourceDesc{Name: "sock_udp", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in", "sock_udp"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_udp6", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in6", "sock_udp6"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_unix", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_unix"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, + &ResourceDesc{Name: "syz_res", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"syz_res"}, Values: []uintptr{0xffff}}, &ResourceDesc{Name: "tcp_seq_num", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"tcp_seq_num"}, Values: []uintptr{0x42424242}}, &ResourceDesc{Name: "te_session_id", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"te_session_id"}, Values: []uintptr{0}}, &ResourceDesc{Name: "time_nsec", 
Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"time_nsec"}, Values: []uintptr{0}}, 
@@ -22936,6 +22937,8 @@ var Calls = []*Call{ &Call{Name: "syz_test$recur1", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_1", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$recur2", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_2", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$regression0", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_regression0_struct", "", DirInOut})}}, NR: 1000001}, + &Call{Name: "syz_test$res0", CallName: "syz_test", Native: false, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "ret", ArgDir: DirOut, IsOptional: false}, Desc: resource("syz_res")}, Args: []Type{}, NR: 1000001}, + &Call{Name: "syz_test$res1", CallName: "syz_test", Native: false, Args: []Type{&ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Desc: resource("syz_res")}}, NR: 1000001}, &Call{Name: "syz_test$struct", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_struct0", "", DirIn})}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_16", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_16}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: 
false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_32", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_32}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001}, diff --git a/sys/sys_ppc64le.go b/sys/sys_ppc64le.go index cf33cd926..f1664a27f 100644 --- a/sys/sys_ppc64le.go +++ b/sys/sys_ppc64le.go 
@@ -85,6 +85,7 @@ var resourceArray = []*ResourceDesc{ &ResourceDesc{Name: "sock_udp", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in", "sock_udp"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_udp6", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_in6", "sock_udp6"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, &ResourceDesc{Name: "sock_unix", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"fd", "sock", "sock_unix"}, Values: []uintptr{0xffffffffffffffff, 18446744073709551516}}, + &ResourceDesc{Name: "syz_res", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"syz_res"}, Values: []uintptr{0xffff}}, &ResourceDesc{Name: "tcp_seq_num", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"tcp_seq_num"}, Values: []uintptr{0x42424242}}, &ResourceDesc{Name: "te_session_id", Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "int32", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 4, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"te_session_id"}, Values: []uintptr{0}}, &ResourceDesc{Name: "time_nsec", 
Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "resource-type", ArgDir: DirInOut, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}}, Kind: []string{"time_nsec"}, Values: []uintptr{0}}, 
@@ -22936,6 +22937,8 @@ var Calls = []*Call{ &Call{Name: "syz_test$recur1", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_1", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$recur2", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_2", "", DirInOut})}}, NR: 1000001}, &Call{Name: "syz_test$regression0", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_regression0_struct", "", DirInOut})}}, NR: 1000001}, + &Call{Name: "syz_test$res0", CallName: "syz_test", Native: false, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "ret", ArgDir: DirOut, IsOptional: false}, Desc: resource("syz_res")}, Args: []Type{}, NR: 1000001}, + &Call{Name: "syz_test$res1", CallName: "syz_test", Native: false, Args: []Type{&ResourceType{TypeCommon: TypeCommon{TypeName: "syz_res", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Desc: resource("syz_res")}}, NR: 1000001}, &Call{Name: "syz_test$struct", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_struct0", "", DirIn})}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_16", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_16}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: 
false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001}, &Call{Name: "syz_test$text_x86_32", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_32}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001},
diff --git a/sys/test.txt b/sys/test.txt
index af664e4d6..b0d1a7f79 100644
--- a/sys/test.txt
+++ b/sys/test.txt
@@ -507,3 +507,10 @@ syz_recur_2 {
 syz_test$recur0(a0 ptr[inout, syz_recur_0])
 syz_test$recur1(a0 ptr[inout, syz_recur_1])
 syz_test$recur2(a0 ptr[inout, syz_recur_2])
+
+# Resources.
+
+resource syz_res[int32]: 0xffff
+
+syz_test$res0() syz_res
+syz_test$res1(a0 syz_res)
-- cgit mrf-deployment