From a4d38b39a8e23244bea7a53e9d7a759474f85dae Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Mon, 4 May 2020 08:58:32 +0200
Subject: prog: support disabled attribute

Update #477
Update #502
---
 pkg/csource/csource_test.go |  4 +--
 pkg/host/syscalls.go        | 68 ++++++++++++++++++++++++---------------------
 pkg/mgrconfig/load.go       |  5 ++++
 3 files changed, 44 insertions(+), 33 deletions(-)

(limited to 'pkg')

diff --git a/pkg/csource/csource_test.go b/pkg/csource/csource_test.go
index 78145c8fa..32ff9da28 100644
--- a/pkg/csource/csource_test.go
+++ b/pkg/csource/csource_test.go
@@ -62,7 +62,7 @@ func testTarget(t *testing.T, target *prog.Target, full bool) {
 	}
 	rs := rand.NewSource(seed)
 	t.Logf("seed=%v", seed)
-	p := target.Generate(rs, 10, nil)
+	p := target.Generate(rs, 10, target.DefaultChoiceTable())
 	// Turns out that fully minimized program can trigger new interesting warnings,
 	// e.g. about NULL arguments for functions that require non-NULL arguments in syz_ functions.
 	// We could append both AllSyzProg as-is and a minimized version of it,
@@ -166,7 +166,7 @@ func TestSysTests(t *testing.T) {
 func TestExecutorMacros(t *testing.T) {
 	// Ensure that executor does not mis-spell any of the SYZ_* macros.
 	target, _ := prog.GetTarget("test", "64")
-	p := target.Generate(rand.NewSource(0), 1, nil)
+	p := target.Generate(rand.NewSource(0), 1, target.DefaultChoiceTable())
 	expected := commonDefines(p, Options{})
 	expected["SYZ_EXECUTOR"] = true
 	expected["SYZ_HAVE_SETUP_LOOP"] = true
diff --git a/pkg/host/syscalls.go b/pkg/host/syscalls.go
index 17ec0f25a..d63c7ceef 100644
--- a/pkg/host/syscalls.go
+++ b/pkg/host/syscalls.go
@@ -21,38 +21,44 @@ func DetectSupportedSyscalls(target *prog.Target, sandbox string) (
 		for _, c := range target.Syscalls {
 			supported[c] = true
 		}
-		return supported, unsupported, nil
-	}
-	for _, c := range target.Syscalls {
-		ok, reason := false, ""
-		switch c.CallName {
-		case "syz_execute_func":
-			// syz_execute_func caused multiple problems:
-			// 1. First it lead to corpus exploision. The program used existing values in registers
-			// to pollute output area. We tried to zero registers (though, not reliably).
-			// 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
-			// syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
-			//	430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
-			//	9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
-			//	660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
-			// 3. The code can also execute syscalls (and it is know to), but it's not subject to
-			// target.SanitizeCall. As the result it can do things that programs are not supposed to do.
-			// 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
-			// to syz_execute_func based on corpus contents. Mechanics are also not known.
-			// It also did not cause finding of any new bugs (at least not that I know of).
-			// Let's disable it for now until we figure out how to resolve all these problems.
-			ok = false
-			reason = "always disabled for now"
-		default:
-			ok, reason = isSupported(c, target, sandbox)
-		}
-		if ok {
-			supported[c] = true
-		} else {
-			if reason == "" {
-				reason = "unknown"
+	} else {
+		for _, c := range target.Syscalls {
+			ok, reason := false, ""
+			switch c.CallName {
+			case "syz_execute_func":
+				// syz_execute_func caused multiple problems:
+				// 1. First it lead to corpus exploision. The program used existing values in registers
+				// to pollute output area. We tried to zero registers (though, not reliably).
+				// 2. It lead to explosion again. The exact mechanics are unknown, here is one sample:
+				// syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
+				//	430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
+				//	9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
+				//	660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
+				// 3. The code can also execute syscalls (and it is know to), but it's not subject to
+				// target.SanitizeCall. As the result it can do things that programs are not supposed to do.
+				// 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
+				// to syz_execute_func based on corpus contents. Mechanics are also not known.
+				// It also did not cause finding of any new bugs (at least not that I know of).
+				// Let's disable it for now until we figure out how to resolve all these problems.
+				ok = false
+				reason = "always disabled for now"
+			default:
+				ok, reason = isSupported(c, target, sandbox)
 			}
-			unsupported[c] = reason
+			if ok {
+				supported[c] = true
+			} else {
+				if reason == "" {
+					reason = "unknown"
+				}
+				unsupported[c] = reason
+			}
+		}
+	}
+	for c := range supported {
+		if c.Attrs.Disabled {
+			delete(supported, c)
+			unsupported[c] = "has disabled attribute in descriptions"
 		}
 	}
 	return supported, unsupported, nil
diff --git a/pkg/mgrconfig/load.go b/pkg/mgrconfig/load.go
index 4e4136362..c17f7cd15 100644
--- a/pkg/mgrconfig/load.go
+++ b/pkg/mgrconfig/load.go
@@ -216,6 +216,11 @@ func ParseEnabledSyscalls(target *prog.Target, enabled, disabled []string) ([]in
 			syscalls[call.ID] = true
 		}
 	}
+	for call := range syscalls {
+		if target.Syscalls[call].Attrs.Disabled {
+			delete(syscalls, call)
+		}
+	}
 	for _, c := range disabled {
 		n := 0
 		for _, call := range target.Syscalls {
-- 
cgit mrf-deployment