From 90fd6503136121e9494761a460898e83bc0b6b3e Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Sun, 18 Feb 2018 16:38:45 +0100
Subject: prog: fix PhysicalAddr for NULL addresses

Turns out we never produced NULL pointers because what's meant to be NULL pointer was actually encoded as pointer to beginning of the data region.
---
 prog/encodingexec.go      | 17 ++++++++---------
 prog/encodingexec_test.go |  9 +++++++++
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/prog/encodingexec.go b/prog/encodingexec.go
index b5573f60f..ae885d3b1 100644
--- a/prog/encodingexec.go
+++ b/prog/encodingexec.go
@@ -193,16 +193,15 @@ func (p *Prog) SerializeForExec(buffer []byte) (int, error) {
 	return len(buffer) - len(w.buf), nil
 }
 
-func (target *Target) PhysicalAddr(arg Arg) uint64 {
-	a, ok := arg.(*PointerArg)
-	if !ok {
-		panic("physicalAddr: bad arg kind")
+func (target *Target) PhysicalAddr(arg *PointerArg) uint64 {
+	if arg.Res == nil && arg.PagesNum == 0 {
+		return 0
 	}
-	addr := a.PageIndex*target.PageSize + target.DataOffset
-	if a.PageOffset >= 0 {
-		addr += uint64(a.PageOffset)
+	addr := arg.PageIndex*target.PageSize + target.DataOffset
+	if arg.PageOffset >= 0 {
+		addr += uint64(arg.PageOffset)
 	} else {
-		addr += target.PageSize - uint64(-a.PageOffset)
+		addr += target.PageSize - uint64(-arg.PageOffset)
 	}
 	return addr
 }
@@ -256,7 +255,7 @@ func (w *execContext) writeArg(arg Arg) {
 			w.write(a.OpAdd)
 		}
 	case *PointerArg:
-		w.writeConstArg(a.Size(), w.target.PhysicalAddr(arg), 0, 0, 0, false)
+		w.writeConstArg(a.Size(), w.target.PhysicalAddr(a), 0, 0, 0, false)
 	case *DataArg:
 		data := a.Data()
 		w.write(execArgData)
diff --git a/prog/encodingexec_test.go b/prog/encodingexec_test.go
index 06265fa76..92c36cad4 100644
--- a/prog/encodingexec_test.go
+++ b/prog/encodingexec_test.go
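Review bot: PhysicalAddr is exported but the rewritten signature carries no doc comment, and the guard `arg.Res == nil && arg.PagesNum == 0` is the only place that spells out what a NULL pointer looks like, so a comment should state the contract next to it: `// PhysicalAddr returns the executor address for a pointer arg; a pointer with no referent and no reserved pages is NULL and encodes as 0.` The else branch `addr += target.PageSize - uint64(-arg.PageOffset)` still wraps silently if -arg.PageOffset ever exceeds PageSize; if callers guarantee the offset stays within one page, a comment stating that invariant would make the unsigned subtraction obviously safe, otherwise a bounds check belongs there. With the parameter now typed *PointerArg, a nil argument faults on the first field access instead of reaching the old explicit panic, which is probably acceptable but changes the failure mode. The hunk's leading context is the tail of SerializeForExec, whose body starts outside the hunk.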
@@ -381,6 +381,15 @@ func TestSerializeForExec(t *testing.T) {
 		},
 		nil,
 	},
+	{
+		// NULL pointer must be encoded os 0.
+		"syz_test$opt1(0x0)",
+		[]uint64{
+			callID("syz_test$opt1"), ExecNoCopyout, 1, execArgConst, 8, 0,
+			execInstrEOF,
+		},
+		nil,
+	},
 }
 
 buf := make([]byte, ExecBufferSize)
-- 
cgit mrf-deployment
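Review bot: The comment on the added table entry, `// NULL pointer must be encoded os 0.`, has a typo and should read `// NULL pointer must be encoded as 0.` Since the fix changes what a zero-page pointer serializes to, a neighbouring case that pins a non-NULL pointer into the data region to DataOffset rather than 0 would guard the other side of the regression; if such a case already exists earlier in this table, which lies outside the hunk, that is covered. The table sits inside TestSerializeForExec, whose body starts outside the hunk.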