From a4718693a3d9fcabb02299b2ec07c19d8208c539 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Thu, 30 Aug 2018 21:10:38 -0700
Subject: sys/linux: add syz_execute_func

The function executes random code.

Update #310
---
 executor/common.h | 9 +++++++++
 executor/common_linux.h | 6 +++---
 executor/defs.h | 32 ++++++++++++++++----------------
 executor/executor_akaros.h | 2 +-
 executor/executor_bsd.h | 2 +-
 executor/executor_linux.h | 2 +-
 executor/syscalls.h | 16 ++++++++++++++++
 7 files changed, 47 insertions(+), 22 deletions(-)

(limited to 'executor')

diff --git a/executor/common.h b/executor/common.h
index 5dbb7f7b9..15b279956 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -364,6 +364,15 @@ static uint16 csum_inet_digest(struct csum_inet* csum)
 }
 #endif
 
+#if SYZ_EXECUTOR || __NR_syz_execute_func
+// syz_execute_func(text ptr[in, text[taget]])
+static long syz_execute_func(long text)
+{
+ ((void (*)(void))(text))();
+ return 0;
+}
+#endif
+
 #if GOOS_akaros
 #include "common_akaros.h"
 #elif GOOS_freebsd || GOOS_netbsd || GOOS_openbsd
diff --git a/executor/common_linux.h b/executor/common_linux.h
index b59633273..40b06f9fe 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -36,13 +36,13 @@ static void event_set(event_t* ev)
 if (ev->state)
 fail("event already set");
 __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
- syscall(SYS_futex, &ev->state, FUTEX_WAKE);
+ syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG);
 }
 
 static void event_wait(event_t* ev)
 {
 while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
- syscall(SYS_futex, &ev->state, FUTEX_WAIT, 0, 0);
+ syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
 }
 
 static int event_isset(event_t* ev)
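Review bot: The comment above the new `syz_execute_func` misspells the syzlang type, `text[taget]` for `text[target]`, and it is the only documentation the function gets. The body casts `text` straight from `long` to a function pointer and calls it, so the contract a reader needs is that `text` points at valid machine code inside a mapping that is executable (the `PROT_EXEC` added to the data segment in the executor_akaros.h, executor_bsd.h and executor_linux.h hunks is presumably what makes that true) and that the code returns normally; a fault inside the snippet would take down the executor process rather than surface as a failed call. I would replace the one-liner with `// syz_execute_func(text ptr[in, text[target]])` followed by `// Jumps to fuzzer-generated machine code at text inside this process; text must point into the executable data mapping and the code must return. Always returns 0.`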
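Review bot: `FUTEX_PRIVATE_FLAG` is only correct if every `event_t` lives in memory private to this process, because a private futex is keyed on the calling process's address space and a waiter in another process sharing the page would no longer be woken. The hunk does not show where `event_t` objects are placed, so I raise this as a question rather than a defect; the same flag is added to `event_wait` here and to `event_timedwait` in the following hunk. I would record the assumption once, on `event_set` or next to the type, e.g. `// event_t must live in process-private memory: the futex calls below use FUTEX_PRIVATE_FLAG.`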
@@ -59,7 +59,7 @@ static int event_timedwait(event_t* ev, uint64 timeout) struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; - syscall(SYS_futex, &ev->state, FUTEX_WAIT, 0, &ts); + syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); diff --git a/executor/defs.h b/executor/defs.h index 07558cdcf..3a6edd3af 100644 --- a/executor/defs.h +++ b/executor/defs.h @@ -5,7 +5,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "44785e2dac3e0f922841ab905a8c4e7838585083" +#define SYZ_REVISION "f9824f5b26bc0ee36bc1e6debd6e8a8d6eee33ab" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 4096 @@ -20,7 +20,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "89eac40a68a14ffc0af9fc9b181147236b82d00b" +#define SYZ_REVISION "06d50288c46275b56218cab0097fcb71a7f0f80e" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -35,7 +35,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "2a5cb64c987696cb8bdf1d6d9561c04993cf3299" +#define SYZ_REVISION "ee62749ce0e69fd29de1864a220e909a18613438" #define SYZ_EXECUTOR_USES_FORK_SERVER 0 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 4096 @@ -45,7 +45,7 @@ #if GOARCH_arm64 #define GOARCH "arm64" -#define SYZ_REVISION "974ef513ae535d2b92308edd342169a59b596cd4" +#define SYZ_REVISION "80d5b2ce01d8c9deca31efaa1a61da313eaa44e6" #define SYZ_EXECUTOR_USES_FORK_SERVER 0 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 4096 @@ -60,7 +60,7 @@ #if GOARCH_386 #define GOARCH "386" -#define SYZ_REVISION "73c32691841967fea34cade58340298a0a6e34a3" +#define SYZ_REVISION "cf409e12bbb8bef7899f39295b0b6d69d318af8d" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 
@@ -70,7 +70,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "26712f7e003ed8690f47cf5edb70bd3eb94766c1" +#define SYZ_REVISION "3efd822501eed7b0536ca7f8ba2b7720b9f6bab3" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -80,7 +80,7 @@ #if GOARCH_arm #define GOARCH "arm" -#define SYZ_REVISION "f155a0335de7dec3226189d25e230ba9889ff0ef" +#define SYZ_REVISION "d64ccba4ff5f75614cce9e04b971a39e735578b2" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -90,7 +90,7 @@ #if GOARCH_arm64 #define GOARCH "arm64" -#define SYZ_REVISION "1fd22f27ba905dec42b576344dd6c58c011de140" +#define SYZ_REVISION "33b760e03637540176d75bef5357cc5b147afabe" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -100,7 +100,7 @@ #if GOARCH_ppc64le #define GOARCH "ppc64le" -#define SYZ_REVISION "cfee5c1892c53b104910906c54ef416def23581b" +#define SYZ_REVISION "17f888e873bc99a49d971c80b87ddad7d8291e82" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -115,7 +115,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "c05720ceb16e651f6ae9addd1f5be83497d861e3" +#define SYZ_REVISION "741d8f94955b7b371dee88f03db02ab85d5a9384" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -130,7 +130,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "f1bde02bbb60bf849ed61dda9a552900891199ef" +#define SYZ_REVISION "b7a0cb1d6df43d07bd4ab11d2c4b1a2e1c046ac1" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 
@@ -145,7 +145,7 @@ #if GOARCH_32_fork_shmem #define GOARCH "32_fork_shmem" -#define SYZ_REVISION "d09983a8bb4f2ccd0e303191862d170b5b636bd8" +#define SYZ_REVISION "4225c1e93671306efa6a41958a6d553aed7e8cf7" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 4096 @@ -155,7 +155,7 @@ #if GOARCH_32_shmem #define GOARCH "32_shmem" -#define SYZ_REVISION "8d0f255b4d310c70d0e7d65ac8e5c6c3032a9e14" +#define SYZ_REVISION "ae161a1d8e44b101412b6f8d8fdde3a6ce553e55" #define SYZ_EXECUTOR_USES_FORK_SERVER 0 #define SYZ_EXECUTOR_USES_SHMEM 1 #define SYZ_PAGE_SIZE 8192 @@ -165,7 +165,7 @@ #if GOARCH_64 #define GOARCH "64" -#define SYZ_REVISION "3a71e90e1d9f2ae8b0cbfa9e76a429a74ca2ce90" +#define SYZ_REVISION "6ffded136a7c445ee912402759cc9f71c3add37a" #define SYZ_EXECUTOR_USES_FORK_SERVER 0 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 4096 @@ -175,7 +175,7 @@ #if GOARCH_64_fork #define GOARCH "64_fork" -#define SYZ_REVISION "39c2288dd1c825ce7a587f946cfc91e0e453cf5e" +#define SYZ_REVISION "ef850b63cd75f943301e586db069812cc63ac259" #define SYZ_EXECUTOR_USES_FORK_SERVER 1 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 8192 @@ -190,7 +190,7 @@ #if GOARCH_amd64 #define GOARCH "amd64" -#define SYZ_REVISION "f2b48fb82a68b0cb24b2ab9638add66deb9542dd" +#define SYZ_REVISION "7f58e6832b5d8674b8a77505e6eb0fa213781c23" #define SYZ_EXECUTOR_USES_FORK_SERVER 0 #define SYZ_EXECUTOR_USES_SHMEM 0 #define SYZ_PAGE_SIZE 4096 diff --git a/executor/executor_akaros.h b/executor/executor_akaros.h index 566781c2e..e60e7cfc6 100644 --- a/executor/executor_akaros.h +++ b/executor/executor_akaros.h 
@@ -13,7 +13,7 @@ static void os_init(int argc, char** argv, void* data, size_t data_size) { program_name = argv[0]; if (argc == 2 && strcmp(argv[1], "child") == 0) { - if (mmap(data, data_size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) + if (mmap(data, data_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) fail("mmap of data segment failed"); child(); } diff --git a/executor/executor_bsd.h b/executor/executor_bsd.h index 565a0bb3d..5bb192d8c 100644 --- a/executor/executor_bsd.h +++ b/executor/executor_bsd.h @@ -17,7 +17,7 @@ static void os_init(int argc, char** argv, void* data, size_t data_size) { - if (mmap(data, data_size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) + if (mmap(data, data_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) fail("mmap of data segment failed"); // Some minimal sandboxing. diff --git a/executor/executor_linux.h b/executor/executor_linux.h index 2eab98560..c7af48144 100644 --- a/executor/executor_linux.h +++ b/executor/executor_linux.h @@ -25,7 +25,7 @@ static void os_init(int argc, char** argv, void* data, size_t data_size) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); is_kernel_64_bit = detect_kernel_bitness(); - if (mmap(data, data_size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) + if (mmap(data, data_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data) fail("mmap of data segment failed"); } diff --git a/executor/syscalls.h b/executor/syscalls.h index b86f53c87..44d46ea59 100644 --- a/executor/syscalls.h +++ b/executor/syscalls.h @@ -201,6 +201,7 @@ const call_t syscalls[] = { {"send_event", 39}, {"stat", 105}, {"symlink", 114}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"tap_fds", 126}, {"tcgetattr", 141}, {"umask", 109}, 
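Review bot: The data segment is now mapped `PROT_READ | PROT_WRITE | PROT_EXEC` unconditionally in every `os_init`, here and in the executor_bsd.h and executor_linux.h hunks that follow, including runs that never invoke `syz_execute_func`. A permanently writable-and-executable region turns any memory-safety bug elsewhere in the executor from a data corruption into code execution and gives up W^X for the process; the narrower option would be to map read-write and only make the segment executable when the call is enabled, though I cannot tell from the hunk whether that is known at startup. At minimum the mmap deserves a why-comment, e.g. `// PROT_EXEC: syz_execute_func runs fuzzer-supplied code placed in this segment.`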
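Review bot: On OpenBSD the new `mmap(data, data_size, PROT_READ | PROT_WRITE | PROT_EXEC, ...)` in executor_bsd.h will be refused: OpenBSD enforces W^X and rejects a mapping that is writable and executable at once unless the binary is marked `wxneeded` and its filesystem is mounted `wxallowed`, so `os_init` would abort in `fail("mmap of data segment failed")` before anything runs. This file presumably also serves openbsd, since the common.h hunk groups `GOOS_freebsd || GOOS_netbsd || GOOS_openbsd` together, so the executable bit should stay off there; `syz_execute_func` would then fault on that target, which is a per-call failure rather than a startup failure. `os_init` continues past the end of this hunk.
```c
static void os_init(int argc, char** argv, void* data, size_t data_size)
{
#if GOOS_openbsd
	// OpenBSD enforces W^X: a mapping that is both writable and executable is refused by default.
	int prot = PROT_READ | PROT_WRITE;
#else
	int prot = PROT_READ | PROT_WRITE | PROT_EXEC;
#endif
	if (mmap(data, data_size, prot, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0) != data)
	// … unchanged: fail() on error and the sandboxing that follows …
```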
@@ -471,6 +472,7 @@ const call_t syscalls[] = { {"symlink", 57}, {"symlinkat", 502}, {"sync", 36}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"truncate", 479}, {"unlink", 10}, {"unlinkat", 503}, @@ -542,6 +544,7 @@ const call_t syscalls[] = { {"symlink", 0, (syscall_t)symlink}, {"symlinkat", 0, (syscall_t)symlinkat}, {"sync", 0, (syscall_t)sync}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_future_time", 0, (syscall_t)syz_future_time}, {"syz_job_default", 0, (syscall_t)syz_job_default}, {"syz_mmap", 0, (syscall_t)syz_mmap}, @@ -789,6 +792,7 @@ const call_t syscalls[] = { {"symlink", 0, (syscall_t)symlink}, {"symlinkat", 0, (syscall_t)symlinkat}, {"sync", 0, (syscall_t)sync}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_future_time", 0, (syscall_t)syz_future_time}, {"syz_job_default", 0, (syscall_t)syz_job_default}, {"syz_mmap", 0, (syscall_t)syz_mmap}, @@ -2932,6 +2936,7 @@ const call_t syscalls[] = { {"sysinfo", 116}, {"syslog", 103}, {"syz_emit_ethernet", 0, (syscall_t)syz_emit_ethernet}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_extract_tcp_res", 0, (syscall_t)syz_extract_tcp_res}, {"syz_extract_tcp_res$synack", 0, (syscall_t)syz_extract_tcp_res}, {"syz_genetlink_get_family_id$fou", 0, (syscall_t)syz_genetlink_get_family_id}, @@ -5152,6 +5157,7 @@ const call_t syscalls[] = { {"sysinfo", 99}, {"syslog", 103}, {"syz_emit_ethernet", 0, (syscall_t)syz_emit_ethernet}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_extract_tcp_res", 0, (syscall_t)syz_extract_tcp_res}, {"syz_extract_tcp_res$synack", 0, (syscall_t)syz_extract_tcp_res}, {"syz_genetlink_get_family_id$fou", 0, (syscall_t)syz_genetlink_get_family_id}, 
@@ -7330,6 +7336,7 @@ const call_t syscalls[] = { {"sysinfo", 116}, {"syslog", 103}, {"syz_emit_ethernet", 0, (syscall_t)syz_emit_ethernet}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_extract_tcp_res", 0, (syscall_t)syz_extract_tcp_res}, {"syz_extract_tcp_res$synack", 0, (syscall_t)syz_extract_tcp_res}, {"syz_genetlink_get_family_id$fou", 0, (syscall_t)syz_genetlink_get_family_id}, @@ -9483,6 +9490,7 @@ const call_t syscalls[] = { {"sysinfo", 179}, {"syslog", 116}, {"syz_emit_ethernet", 0, (syscall_t)syz_emit_ethernet}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_extract_tcp_res", 0, (syscall_t)syz_extract_tcp_res}, {"syz_extract_tcp_res$synack", 0, (syscall_t)syz_extract_tcp_res}, {"syz_genetlink_get_family_id$fou", 0, (syscall_t)syz_genetlink_get_family_id}, @@ -11513,6 +11521,7 @@ const call_t syscalls[] = { {"sysinfo", 116}, {"syslog", 103}, {"syz_emit_ethernet", 0, (syscall_t)syz_emit_ethernet}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_extract_tcp_res", 0, (syscall_t)syz_extract_tcp_res}, {"syz_extract_tcp_res$synack", 0, (syscall_t)syz_extract_tcp_res}, {"syz_genetlink_get_family_id$fou", 0, (syscall_t)syz_genetlink_get_family_id}, @@ -11920,6 +11929,7 @@ const call_t syscalls[] = { {"symlink", 57}, {"symlinkat", 470}, {"sync", 36}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"truncate", 200}, {"unlink", 10}, {"unlinkat", 471}, @@ -12152,6 +12162,7 @@ const call_t syscalls[] = { {"symlink", 57}, {"symlinkat", 324}, {"sync", 36}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_open_pts", 0, (syscall_t)syz_open_pts}, {"truncate", 200}, {"unlink", 10}, @@ -12174,6 +12185,7 @@ const call_t syscalls[] = { const call_t syscalls[] = { {"syz_compare", 0, (syscall_t)syz_compare}, {"syz_errno", 0, (syscall_t)syz_errno}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_mmap", 0, (syscall_t)syz_mmap}, }; 
@@ -12183,6 +12195,7 @@ const call_t syscalls[] = { const call_t syscalls[] = { {"syz_compare", 0, (syscall_t)syz_compare}, {"syz_errno", 0, (syscall_t)syz_errno}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_mmap", 0, (syscall_t)syz_mmap}, }; @@ -12214,6 +12227,7 @@ const call_t syscalls[] = { {"serialize1", 0}, {"syz_compare", 0, (syscall_t)syz_compare}, {"syz_errno", 0, (syscall_t)syz_errno}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_mmap", 0, (syscall_t)syz_mmap}, {"test", 0}, {"test$align0", 0}, @@ -12310,6 +12324,7 @@ const call_t syscalls[] = { const call_t syscalls[] = { {"syz_compare", 0, (syscall_t)syz_compare}, {"syz_errno", 0, (syscall_t)syz_errno}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"syz_mmap", 0, (syscall_t)syz_mmap}, }; @@ -15215,6 +15230,7 @@ const call_t syscalls[] = { {"setsockopt", 0, (syscall_t)setsockopt}, {"sndPlaySoundA", 0, (syscall_t)sndPlaySoundA}, {"socket", 0, (syscall_t)socket}, + {"syz_execute_func", 0, (syscall_t)syz_execute_func}, {"timeBeginPeriod", 0, (syscall_t)timeBeginPeriod}, {"timeEndPeriod", 0, (syscall_t)timeEndPeriod}, {"timeGetDevCaps", 0, (syscall_t)timeGetDevCaps}, -- cgit mrf-deployment