From eb97aa06109e7b258c888b3c364533de17ec33ee Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Fri, 29 Sep 2017 09:41:10 +0200 Subject: executor: support fragmentation in syz_emit_ethernet A recent linux commit "tun: enable napi_gro_frags() for TUN/TAP driver" added support for fragmentation when emitting packets via tun. Support this feature in syz_emit_ethernet. --- executor/common_linux.h | 98 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 79 insertions(+), 19 deletions(-) (limited to 'executor/common_linux.h') diff --git a/executor/common_linux.h b/executor/common_linux.h index 3ad7d374f..e61a42902 100644 --- a/executor/common_linux.h +++ b/executor/common_linux.h @@ -263,6 +263,7 @@ static void execute_command(const char* format, ...) } static int tunfd = -1; +static int tun_frags_enabled; // We just need this to be large enough to hold headers that we parse (ethernet/ip/tcp). // Rest of the packet (if any) will be silently truncated which is fine. @@ -281,6 +282,13 @@ static int tunfd = -1; #define LOCAL_IPV6 "fe80::%02hxaa" #define REMOTE_IPV6 "fe80::%02hxbb" +#ifndef IFF_NAPI +#define IFF_NAPI 0x0010 +#endif +#ifndef IFF_NAPI_FRAGS +#define IFF_NAPI_FRAGS 0x0020 +#endif + static void initialize_tun(uint64_t pid) { if (pid >= MAX_PIDS) @@ -297,9 +305,19 @@ static void initialize_tun(uint64_t pid) struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, iface, IFNAMSIZ); - ifr.ifr_flags = IFF_TAP | IFF_NO_PI; - if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) - fail("tun: ioctl(TUNSETIFF) failed"); + ifr.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS; + if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { + // IFF_NAPI_FRAGS requires root, so try without it. + ifr.ifr_flags = IFF_TAP | IFF_NO_PI; + if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) + fail("tun: ioctl(TUNSETIFF) failed"); + } + // If IFF_NAPI_FRAGS is not supported it will be silently dropped, + // so query the effective flags. + if (ioctl(tunfd, TUNGETIFF, (void*)&ifr) < 0) + fail("tun: ioctl(TUNGETIFF) failed"); + tun_frags_enabled = (ifr.ifr_flags & IFF_NAPI_FRAGS) != 0; + debug("tun_frags_enabled=%d\n", tun_frags_enabled); char local_mac[ADDR_MAX_LEN]; snprintf_check(local_mac, sizeof(local_mac), LOCAL_MAC, id); @@ -345,7 +363,10 @@ static int read_tun(char* data, int size) if (rv < 0) { if (errno == EAGAIN) return -1; - fail("tun: read failed with %d, errno: %d", rv, errno); + // Tun sometimes returns this, unclear if it's a kernel bug or not. + if (errno == EBADFD) + return -1; + fail("tun: read failed with %d", rv); } return rv; } @@ -366,17 +387,60 @@ static void debug_dump_data(const char* data, int length) #endif #if defined(SYZ_EXECUTOR) || (defined(__NR_syz_emit_ethernet) && defined(SYZ_TUN_ENABLE)) -static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1) -{ - // syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet]) +#define MAX_FRAGS 4 +struct vnet_fragmentation { + uint32_t full; + uint32_t count; + uint32_t frags[MAX_FRAGS]; +}; +static uintptr_t syz_emit_ethernet(uintptr_t a0, uintptr_t a1, uintptr_t a2) +{ + // syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt]) + // vnet_fragmentation { + // full int32[0:1] + // count len[frags, int32] + // frags array[int32[0:4096], 1:4] + // } if (tunfd < 0) return (uintptr_t)-1; - int64_t length = a0; + uint32_t length = a0; char* data = (char*)a1; debug_dump_data(data, length); - return write(tunfd, data, length); + + struct vnet_fragmentation* frags = (struct vnet_fragmentation*)a2; + struct iovec vecs[MAX_FRAGS + 1]; + uint32_t nfrags = 0; + if (!tun_frags_enabled || frags == NULL) { + vecs[nfrags].iov_base = data; + vecs[nfrags].iov_len = length; + nfrags++; + } else { + bool full = true; + uint32_t i, count = 0; + NONFAILING(full = frags->full); + NONFAILING(count = frags->count); + if (count > MAX_FRAGS) + count = MAX_FRAGS; + for (i = 0; i < count && length != 0; i++) { + uint32_t size = 0; + NONFAILING(size = frags->frags[i]); + if (size > length) + size = length; + vecs[nfrags].iov_base = data; + vecs[nfrags].iov_len = size; + nfrags++; + data += size; + length -= size; + } + if (length != 0 && (full || nfrags == 0)) { + vecs[nfrags].iov_base = data; + vecs[nfrags].iov_len = length; + nfrags++; + } + } + return writev(tunfd, vecs, nfrags); } #endif @@ -685,8 +749,6 @@ static bool write_file(const char* file, const char* what, ...) #if defined(SYZ_EXECUTOR) || defined(SYZ_SANDBOX_NAMESPACE) static int real_uid; static int real_gid; -static int epid; -static bool etun; __attribute__((aligned(64 << 10))) static char sandbox_stack[1 << 20]; static int namespace_sandbox_proc(void* arg) @@ -700,12 +762,6 @@ static int namespace_sandbox_proc(void* arg) if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) fail("write of /proc/self/gid_map failed"); -#if defined(SYZ_EXECUTOR) || defined(SYZ_TUN_ENABLE) - // For sandbox namespace we setup tun after initializing uid mapping, - // otherwise ip commands fail. - setup_tun(epid, etun); -#endif - if (mkdir("./syz-tmp", 0777)) fail("mkdir(syz-tmp) failed"); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) @@ -759,10 +815,14 @@ static int namespace_sandbox_proc(void* arg) static int do_sandbox_namespace(int executor_pid, bool enable_tun) { +#if defined(SYZ_EXECUTOR) || defined(SYZ_TUN_ENABLE) + // For sandbox namespace we setup tun before dropping privs, + // because IFF_NAPI_FRAGS requires root. + setup_tun(executor_pid, enable_tun); +#endif + real_uid = getuid(); real_gid = getgid(); - epid = executor_pid; - etun = enable_tun; mprotect(sandbox_stack, 4096, PROT_NONE); // to catch stack underflows return clone(namespace_sandbox_proc, &sandbox_stack[sizeof(sandbox_stack) - 64], CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNET, NULL); -- cgit mrf-deployment