From cb704a294c54aed90281c016a6dc0c40ae295601 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Tue, 10 Dec 2019 16:04:18 +0100 Subject: executor: fix syz_mount_image 1. It always crashed in cover_reset when coverage is disabled. 2. Use NONFAILING when accessing image segments. 3. Give it additional 100 ms as it may be slow. 4. Add a test for syz_mount_image. --- pkg/csource/csource.go | 1 + pkg/csource/generated.go | 44 ++++++++++++++++++-------------------------- 2 files changed, 19 insertions(+), 26 deletions(-) (limited to 'pkg/csource') diff --git a/pkg/csource/csource.go b/pkg/csource/csource.go index 32fa2b3d1..b81bf6b4f 100644 --- a/pkg/csource/csource.go +++ b/pkg/csource/csource.go @@ -81,6 +81,7 @@ func Write(p *prog.Prog, opts Options) ([]byte, error) { "syz_usb_ep_read": 300, "syz_usb_disconnect": 300, "syz_open_dev$hiddev": 50, + "syz_mount_image": 100, } timeoutExpr := "45" for i, call := range p.Calls { diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go index 778a9f4d3..dd6a99d16 100644 --- a/pkg/csource/generated.go +++ b/pkg/csource/generated.go @@ -3385,14 +3385,10 @@ struct fs_image_segment { #elif GOARCH_ppc64le #define sys_memfd_create 360 #endif -#endif -#if SYZ_EXECUTOR || __NR_syz_read_part_table -static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) +static unsigned long fs_image_segment_check(unsigned long size, unsigned long nsegs, long segments) { - char loopname[64], linkname[64]; - int loopfd, err = 0, res = -1; - unsigned long i, j; + unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) @@ -3408,6 +3404,17 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; + return size; +} +#endif + +#if SYZ_EXECUTOR || __NR_syz_read_part_table +static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) +{ + char loopname[64], linkname[64]; + int loopfd, err = 0, res = -1; + unsigned long i, j; + NONFAILING(size = fs_image_segment_check(size, nsegs, segments)); int memfd = syscall(sys_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; @@ -3418,9 +3425,8 @@ static long syz_read_part_table(volatile unsigned long size, volatile unsigned l goto error_close_memfd; } for (i = 0; i < nsegs; i++) { - if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { - debug("syz_read_part_table: pwrite[%u] failed: %d\n", (int)i, errno); - } + struct fs_image_segment* segs = (struct fs_image_segment*)segments; + NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset)); } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); @@ -3484,21 +3490,8 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; - struct fs_image_segment* segs = (struct fs_image_segment*)segments; - if (nsegs > IMAGE_MAX_SEGMENTS) - nsegs = IMAGE_MAX_SEGMENTS; - for (i = 0; i < nsegs; i++) { - if (segs[i].size > IMAGE_MAX_SIZE) - segs[i].size = IMAGE_MAX_SIZE; - segs[i].offset %= IMAGE_MAX_SIZE; - if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) - segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; - if (size < segs[i].offset + segs[i].offset) - size = segs[i].offset + segs[i].offset; - } - if (size > IMAGE_MAX_SIZE) - size = IMAGE_MAX_SIZE; + NONFAILING(size = fs_image_segment_check(size, nsegs, segments)); int memfd = syscall(sys_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; @@ -3509,9 +3502,8 @@ static long syz_mount_image(volatile long fsarg, volatile long dir, volatile uns goto error_close_memfd; } for (i = 0; i < nsegs; i++) { - if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { - debug("syz_mount_image: pwrite[%u] failed: %d\n", (int)i, errno); - } + struct fs_image_segment* segs = (struct fs_image_segment*)segments; + NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset)); } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); -- cgit mrf-deployment