From 988628d10c15f7387c830d883a12a4b6f0fac901 Mon Sep 17 00:00:00 2001
From: Hrutvik Kanabar
Date: Wed, 7 Sep 2022 09:12:47 +0000
Subject: sys/linux, tools/syz-imagegen: allow `syz_mount_image` to change directory

Add a boolean argument to the `syz_mount_image` pseudo-syscall. When this is true, `syz_mount_image` will change directory to the mountpoint after mounting the image passed. Experimentation suggests that to reproduce many non-`ext4` filesystem bugs, it is sufficient to mount the filesystem within an `ext4`-based VM and then change directory to the mountpoint before executing code. This change aims to increase the probability that a mount operation will be succeeded by the corresponding change in directory, and so increase the probability of finding non-`ext4` bugs. We also have to update the `syz-imagegen` tool. Now it generates seed `syz_mount_image` calls with change of directory enabled. The previous behaviour (i.e. no change of directory) will be recovered by use of existing corpuses and fuzzing the change-of-directory argument. The next commit will regenerate all `syz_mount_image` seeds.
---
 pkg/csource/generated.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'pkg/csource')
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index e8f34b576..86a4b91d8 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -6285,7 +6285,7 @@ error_clear_loop:
 #include
 #include
 #include
-static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg)
+static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg, volatile long change_dir)
 {
 struct fs_image_segment* segs = (struct fs_image_segment*)segments;
 int res = -1, err = 0, loopfd = -1, memfd = -1, need_loop_device = !!segs;
@@ -6332,6 +6332,14 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns
 if (res == -1) {
 debug("syz_mount_image > open error: %d\n", errno);
 err = errno;
+ goto error_clear_loop;
+ }
+ if (change_dir) {
+ res = chdir(target);
+ if (res == -1) {
+ debug("syz_mount_image > chdir error: %d\n", errno);
+ err = errno;
+ }
 }
 error_clear_loop:
--
cgit mrf-deployment
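Review bot: In the second hunk, `res = chdir(target);` overwrites the value the preceding `open` call left in `res` (the `open error` branch just above shows that is where it came from), so on a successful chdir the function falls through to `error_clear_loop:` with `res == 0` rather than the opened descriptor, and on either outcome that descriptor is never closed. Keep chdir's result out of `res`, e.g. `if (chdir(target) == -1) {` with the existing `debug`/`err = errno;` body, or explicitly `close(res); res = -1;` when the directory change fails so the caller gets a consistent error result. The return path after `error_clear_loop:` is outside the hunk, so whether `res` is the value handed back to the caller should be confirmed there; `syz_mount_image`'s body starts and ends outside this hunk.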