From eada53b810e964b4a71c20ab023020f281855fe9 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Fri, 7 Dec 2018 12:48:59 +0100
Subject: tools/syz-trace2syz/proggen: fix vma allocation

There are 2 bugs: 1. We always allocate 1 page, even if use more. 2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL. The added test currently panics with "unaligned vma address".
---
 prog/target.go | 6 ++++++
 tools/syz-trace2syz/proggen/proggen.go | 2 +-
 tools/syz-trace2syz/proggen/proggen_test.go | 10 ++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/prog/target.go b/prog/target.go
index f99c45c5b..56fbb860d 100644
--- a/prog/target.go
+++ b/prog/target.go
@@ -264,6 +264,12 @@ func (pg *ProgGen) Allocate(size uint64) uint64 {
 return pg.ma.alloc(nil, size)
 }
 
+func (pg *ProgGen) AllocateVMA(npages uint64) uint64 {
+ psize := pg.target.PageSize
+ addr := pg.ma.alloc(nil, (npages+1)*psize)
+ return (addr + psize - 1) & ^(psize - 1)
+}
+
 func (pg *ProgGen) Finalize() (*Prog, error) {
 if err := pg.p.validate(); err != nil {
 return nil, err
diff --git a/tools/syz-trace2syz/proggen/proggen.go b/tools/syz-trace2syz/proggen/proggen.go
index 967167fe9..a1394d057 100644
--- a/tools/syz-trace2syz/proggen/proggen.go
+++ b/tools/syz-trace2syz/proggen/proggen.go
@@ -167,7 +167,7 @@ func genVma(syzType *prog.VmaType, _ parser.IrType, ctx *Context) prog.Arg {
 if syzType.RangeBegin != 0 || syzType.RangeEnd != 0 {
 npages = syzType.RangeEnd
 }
- return prog.MakeVmaPointerArg(syzType, ctx.pg.Allocate(ctx.Target.PageSize), npages)
+ return prog.MakeVmaPointerArg(syzType, ctx.pg.AllocateVMA(npages), npages)
 }
 
 func genArray(syzType *prog.ArrayType, traceType parser.IrType, ctx *Context) prog.Arg {
diff --git a/tools/syz-trace2syz/proggen/proggen_test.go b/tools/syz-trace2syz/proggen/proggen_test.go
index 1e7a5f3a6..8f56de2d5 100644
--- a/tools/syz-trace2syz/proggen/proggen_test.go
+++ b/tools/syz-trace2syz/proggen/proggen_test.go
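Review bot: AllocateVMA in prog/target.go is a new exported method with no doc comment, and the two things it relies on are not written down: the extra page in `(npages+1)*psize` exists only to absorb the round-up, and the mask `& ^(psize - 1)` is correct only when PageSize is a power of two. I would add above it `// AllocateVMA reserves npages pages and returns a page-aligned address; one spare page absorbs the round-up, and PageSize must be a power of two.` The product is also unchecked uint64 arithmetic. The genVma call site in proggen.go passes syzType.RangeEnd, which looks like it comes from the type description rather than from the trace. If a very large value can ever reach here, the size wraps and the returned range would be larger than what was reserved, so a bound check on npages may be worth adding.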
@@ -62,6 +62,16 @@ func TestParseTraceBasic(t *testing.T) {
 }
 }
 
+func TestParseVMA(t *testing.T) {
+ test := `pipe({0x0, 0x1}) = 0
+ shmget(0x0, 0x1, 0x2, 0x3) = 0`
+ p := parseSingleTrace(t, test)
+ expectedSeq := "pipe-shmget"
+ if p.String() != expectedSeq {
+ t.Fatalf("expected: %s != %s", expectedSeq, p.String())
+ }
+}
+
 func TestParseTraceInnerResource(t *testing.T) {
 test := `pipe([5,6]) = 0
 write(6, "\xff\xff\xfe\xff", 4) = 4`
-- 
cgit mrf-deployment
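Review bot: TestParseVMA asserts only the call sequence `"pipe-shmget"`, so it guards the alignment fix indirectly, through the "unaligned vma address" panic the commit message mentions, which presumably fires inside parseSingleTrace (not visible in this hunk). Nothing in the test says why this trace exercises a vma, and the first bug from the description (one page reserved regardless of npages) is not checked at all. I would add `// Regression test: converting this trace used to panic with "unaligned vma address".` above the function. If the helper exposes the generated arguments, an assertion that the vma address is a multiple of the page size would pin the behaviour directly.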