From f9ccea26eb0de391a874cfe56a414e573a81e9b2 Mon Sep 17 00:00:00 2001
From: Shankara Pailoor
Date: Tue, 8 Jan 2019 08:14:19 -0800
Subject: tools/syz-trace2syz/proggen: convert strace byte arrays to int args

strace decodes certain arguments like sockaddr_in.sin_port or sin_addr as hex strings under -Xraw. This is because the arguments are in network byte order. This patch supports converting those hex strings to int args if the size of the string is 1, 2, 4, or 8.
---
 tools/syz-trace2syz/proggen/proggen.go | 24 ++++++++++++++++++--
 tools/syz-trace2syz/proggen/proggen_test.go | 35 +++++++++++++++++++++++------
 2 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/tools/syz-trace2syz/proggen/proggen.go b/tools/syz-trace2syz/proggen/proggen.go
index 6c484b29c..027befcef 100644
--- a/tools/syz-trace2syz/proggen/proggen.go
+++ b/tools/syz-trace2syz/proggen/proggen.go
@@ -333,8 +333,28 @@ func (ctx *context) genConst(syzType prog.Type, traceType parser.IrType) prog.Ar
 }
 return ctx.genConst(syzType, a.Elems[0])
 case *parser.BufferType:
- // The call almost certainly returned an errno
- return syzType.DefaultArg()
+ // strace decodes some arguments as hex strings because those values are network ordered
+ // e.g. sin_port or sin_addr fields of sockaddr_in.
+ // network order is big endian byte order so if the len of byte array is 1, 2, 4, or 8 then
+ // it is a good chance that we are decoding one of those fields. If it isn't, then most likely
+ // we have an error i.e. a sockaddr_un struct passed to a connect call with an inet file descriptor
+ var val uint64
+ switch len(a.Val) {
+ case 8:
+ val = uint64(binary.BigEndian.Uint64([]byte(a.Val)))
+ case 4:
+ // int
+ val = uint64(binary.BigEndian.Uint32([]byte(a.Val)))
+ case 2:
+ // short
+ val = uint64(binary.BigEndian.Uint16([]byte(a.Val)))
+ case 1:
+ val = uint64(a.Val[0])
+ default:
+ // The call almost certainly returned an errno
+ return syzType.DefaultArg()
+ }
+ return prog.MakeConstArg(syzType, val)
 default:
 log.Fatalf("unsupported type for const: %#v", traceType)
 }
diff --git a/tools/syz-trace2syz/proggen/proggen_test.go b/tools/syz-trace2syz/proggen/proggen_test.go
index 2d40e928d..a0fd8520d 100644
--- a/tools/syz-trace2syz/proggen/proggen_test.go
+++ b/tools/syz-trace2syz/proggen/proggen_test.go
@@ -155,13 +155,6 @@ connect(3, {sa_family=2, sin_port=17812, sin_addr=0x0}, 16) = 0
 `, `
 r0 = socket$inet_tcp(0x2, 0x1, 0x0)
 connect$inet(r0, &(0x7f0000000000)={0x2, 0x4594}, 0x10)
-`,
- }, {`
-socket(2, 1, 0) = 3
-connect(3, {sa_family=2, sin_port=17812, sin_addr=0x7f000001}, 16) = 0
-`, `
-r0 = socket$inet_tcp(0x2, 0x1, 0x0)
-connect$inet(r0, &(0x7f0000000000)={0x2, 0x4594, @rand_addr=0x7f000001}, 0x10)
 `,
 }, {`
 open("\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 0) = 3
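Review bot: The new `*parser.BufferType` case in genConst (proggen.go) picks the integer width from `len(a.Val)` alone and never compares it with the width of `syzType`, so a hex string wider than the target field is decoded and handed to `prog.MakeConstArg` unchecked. The added 8-byte `sin_addr` test depends on exactly this for a 4-byte field; whether a value with non-zero high-order bytes is truncated or rejected downstream is not visible here. Consider falling back when the buffer is wider than the field, `if uint64(len(a.Val)) > syzType.Size() { return syzType.DefaultArg() }` (the 8-byte test expectation would change with it), or at least a comment stating that excess high-order bytes are deliberately ignored. The `uint64(...)` conversion around `binary.BigEndian.Uint64` is also redundant. genConst starts and ends outside this hunk.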
@@ -169,6 +162,34 @@ fsetxattr(3, "\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x73\x65\x6c\x69\x6e\x75\x78",
 `, `
 r0 = open(&(0x7f0000000000)='/dev/snd/seq\x00', 0x0, 0x0)
 fsetxattr(r0, &(0x7f0000000040)=@known='security.selinux\x00', &(0x7f0000000080)='sys\x00', 0x4, 0x0)
+`,
+ }, {`
+socket(0x2, 0x1, 0) = 3
+connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x7f\x00\x00\x01"}, 16) = -1
+`, `
+r0 = socket$inet_tcp(0x2, 0x1, 0x0)
+connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90, @rand_addr=0x7f000001}, 0x10)
+`,
+ }, {`
+socket(0x2, 0x1, 0) = 3
+connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00\x00\x00\x00\x7f\x00\x00\x01"}, 16) = -1
+`, `
+r0 = socket$inet_tcp(0x2, 0x1, 0x0)
+connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90, @rand_addr=0x7f000001}, 0x10)
+`,
+ }, {`
+socket(0x2, 0x1, 0) = 3
+connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00"}, 16) = -1
+`, `
+r0 = socket$inet_tcp(0x2, 0x1, 0x0)
+connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90}, 0x10)
+`,
+ }, {`
+socket(0x2, 0x1, 0) = 3
+connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00"}, 16) = -1
+`, `
+r0 = socket$inet_tcp(0x2, 0x1, 0x0)
+connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90}, 0x10)
 `,
 },
 }
-- 
cgit mrf-deployment
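Review bot: The last two cases added to proggen_test.go are byte-for-byte identical (both use `sin_addr="\x00"`), so the second one adds no coverage. Nothing in this hunk exercises the `default:` branch of the new length switch, i.e. a hex string whose length is not 1, 2, 4 or 8. Replacing the duplicate with such an input, for example a constructed three-byte value like `sin_addr="\x7f\x00\x01"`, would pin the fallback to `syzType.DefaultArg()`; the expected program text for that case should be taken from the generator rather than assumed.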