From 6892001bbc38e19c6f06cf9e78390962b007bc4f Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 16 Nov 2015 19:14:05 +0100
Subject: add tty-related ioctl's
---
 prog/analysis.go | 38 +++++++++++++++------------
 prog/consts.go | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 prog/mutation.go | 4 +--
 prog/prio.go | 2 +-
 prog/prog.go | 2 ++
 prog/rand.go | 4 ++-
 6 files changed, 108 insertions(+), 20 deletions(-)
(limited to 'prog')
diff --git a/prog/analysis.go b/prog/analysis.go
index e1d106d10..ed295ee9a 100644
--- a/prog/analysis.go
+++ b/prog/analysis.go
@@ -230,28 +230,34 @@ func sanitizeCall(c *Call) {
 if flags.Val&MREMAP_MAYMOVE != 0 {
 flags.Val |= MREMAP_FIXED
 }
- case "mknod":
- mode := c.Args[1]
- if mode.Kind != ArgConst {
- panic("mknod mode is not const")
- }
- // Char and block devices read/write io ports, kernel memory and do other nasty things.
- if mode.Val != S_IFREG && mode.Val != S_IFIFO && mode.Val != S_IFSOCK {
- mode.Val = S_IFIFO
- }
+ // not required if executor drops privileges
+ /*
+ case "mknod":
+ mode := c.Args[1]
+ if mode.Kind != ArgConst {
+ panic("mknod mode is not const")
+ }
+ // Char and block devices read/write io ports, kernel memory and do other nasty things.
+ if mode.Val != S_IFREG && mode.Val != S_IFIFO && mode.Val != S_IFSOCK {
+ mode.Val = S_IFIFO
+ }
+ */
 case "syslog":
 cmd := c.Args[0]
 // These disable console output, but we need it.
 if cmd.Val == SYSLOG_ACTION_CONSOLE_OFF || cmd.Val == SYSLOG_ACTION_CONSOLE_ON {
 cmd.Val = SYSLOG_ACTION_SIZE_UNREAD
 }
- case "ioctl":
- cmd := c.Args[1]
- // Freeze kills machine. Though, it is an interesting functions,
- // so we need to test it somehow (TODO).
- if uint32(cmd.Val) == uint32(FIFREEZE) {
- cmd.Val = FITHAW
- }
+ // not required if executor drops privileges
+ /*
+ case "ioctl":
+ cmd := c.Args[1]
+ // Freeze kills machine. Though, it is an interesting functions,
+ // so we need to test it somehow (TODO).
+ if uint32(cmd.Val) == uint32(FIFREEZE) {
+ cmd.Val = FITHAW
+ }
+ */
 case "ptrace":
 // PTRACE_TRACEME leads to unkillable processes, see:
 // https://groups.google.com/forum/#!topic/syzkaller/uGzwvhlCXAw
diff --git a/prog/consts.go b/prog/consts.go
index 9df6be072..ab99a5e5f 100644
--- a/prog/consts.go
+++ b/prog/consts.go
@@ -123,6 +123,7 @@ const (
 FIOCLEX = 21585
 FIONBIO = 21537
 FIONCLEX = 21584
+ FIONREAD = 21531
 FIOQSIZE = 21600
 FITHAW = 3221510264
 FS_IOC_FIEMAP = 3223348747
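Review bot: The mknod and ioctl sanitizers are turned into `/* … */` blocks on the strength of `// not required if executor drops privileges`, but nothing in sanitizeCall verifies that the executor actually drops privileges, so a run launched with privileges silently loses the FIFREEZE→FITHAW and S_IFIFO rewrites that the original comments justify ("Freeze kills machine"). Either delete the two blocks outright (git keeps the history) or leave them live behind an explicit condition, with a comment that points at where the privilege drop happens, e.g. `// Executor runs unprivileged (see executor setup); re-enable these rewrites if that changes.`. This deserves attention here because the consts.go hunk at `@@ -843,12 +883,50 @@` adds TIOCCONS and TIOCSTI, which redirect console output and inject terminal input, and the syslog case kept just above exists precisely because the fuzzer needs its console — the ioctl case is the natural place to neutralize those if the privilege assumption ever fails. sanitizeCall begins before and ends after this hunk.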
@@ -167,6 +168,12 @@ const (
 GETPID = 11
 GETVAL = 12
 GETZCNT = 15
+ GIO_CMAP = 19312
+ GIO_FONT = 19296
+ GIO_FONTX = 19307
+ GIO_SCRNMAP = 19264
+ GIO_UNIMAP = 19302
+ GIO_UNISCRNMAP = 19305
 IN_ACCESS = 1
 IN_ATTRIB = 4
 IN_CLOEXEC = 524288
@@ -288,6 +295,7 @@ const (
 KCMP_SIGHAND = 4
 KCMP_SYSVSEM = 6
 KCMP_VM = 1
+ KDADDIO = 19252
 KDBUS_ATTACH_ANY = 18446744073709551615
 KDBUS_ATTACH_AUDIT = 4096
 KDBUS_ATTACH_AUXGROUPS = 8
@@ -389,6 +397,27 @@ const (
 KDBUS_RECV_RETURN_DROPPED_MSGS = 2
 KDBUS_RECV_RETURN_INCOMPLETE_FDS = 1
 KDBUS_SEND_SYNC_REPLY = 1
+ KDDELIO = 19253
+ KDDISABIO = 19255
+ KDENABIO = 19254
+ KDGETKEYCODE = 19276
+ KDGETLED = 19249
+ KDGETMODE = 19259
+ KDGKBDIACR = 19274
+ KDGKBENT = 19270
+ KDGKBLED = 19300
+ KDGKBMETA = 19298
+ KDGKBMODE = 19268
+ KDGKBSENT = 19272
+ KDGKBTYPE = 19251
+ KDSETKEYCODE = 19277
+ KDSETLED = 19250
+ KDSETMODE = 19258
+ KDSIGACCEPT = 19278
+ KDSKBLED = 19301
+ KDSKBMETA = 19299
+ KDSKBMODE = 19269
+ KDSKBSENT = 19273
 KEXEC_ARCH_386 = 196608
 KEXEC_ARCH_ARM = 2621440
 KEXEC_ARCH_IA_64 = 3276800
@@ -441,6 +470,7 @@ const (
 KEY_SPEC_THREAD_KEYRING = 18446744073709551615
 KEY_SPEC_USER_KEYRING = 18446744073709551612
 KEY_SPEC_USER_SESSION_KEYRING = 18446744073709551611
+ KIOCSOUND = 19247
 LOCK_EX = 2
 LOCK_NB = 4
 LOCK_SH = 1
@@ -565,6 +595,13 @@ const (
 O_SYNC = 1052672
 O_TRUNC = 512
 O_WRONLY = 1
+ PIO_FONT = 19297
+ PIO_FONTRESET = 19309
+ PIO_FONTX = 19308
+ PIO_SCRNMAP = 19265
+ PIO_UNIMAP = 19303
+ PIO_UNIMAPCLR = 19304
+ PIO_UNISCRNMAP = 19306
 POSIX_FADV_DONTNEED = 4
 POSIX_FADV_NOREUSE = 5
 POSIX_FADV_NORMAL = 0
@@ -831,6 +868,9 @@ const (
 S_IXGRP = 8
 S_IXOTH = 1
 S_IXUSR = 64
+ TCFLSH = 21515
+ TCGETA = 21509
+ TCGETS = 21505
 TCP_CORK = 3
 TCP_DEFER_ACCEPT = 9
 TCP_INFO = 11
@@ -843,12 +883,50 @@ const (
 TCP_QUICKACK = 12
 TCP_SYNCNT = 7
 TCP_WINDOW_CLAMP = 10
+ TCSBRK = 21513
+ TCSBRKP = 21541
+ TCSETS = 21506
+ TCSETSF = 21508
+ TCXONC = 21514
 TFD_CLOEXEC = 524288
 TFD_NONBLOCK = 2048
 TFD_TIMER_ABSTIME = 1
 TIMER_ABSTIME = 1
+ TIOCCBRK = 21544
+ TIOCCONS = 21533
+ TIOCEXCL = 21516
+ TIOCGETD = 21540
+ TIOCGLCKTRMIOS = 21590
+ TIOCGPGRP = 21519
+ TIOCGSOFTCAR = 21529
+ TIOCGWINSZ = 21523
+ TIOCLINUX = 21532
+ TIOCMBIC = 21527
+ TIOCMGET = 21525
+ TIOCMSET = 21528
+ TIOCNOTTY = 21538
+ TIOCNXCL = 21517
+ TIOCOUTQ = 21521
+ TIOCPKT = 21536
+ TIOCSBRK = 21543
+ TIOCSCTTY = 21518
+ TIOCSETD = 21539
+ TIOCSLCKTRMIOS = 21591
+ TIOCSSOFTCAR = 21530
+ TIOCSTI = 21522
+ TIOCSWINSZ = 21524
 UDP_CORK = 1
 UMOUNT_NOFOLLOW = 8
+ VT_ACTIVATE = 22022
+ VT_DISALLOCATE = 22024
+ VT_GETMODE = 22017
+ VT_GETSTATE = 22019
+ VT_OPENQRY = 22016
+ VT_RELDISP = 22021
+ VT_RESIZE = 22025
+ VT_RESIZEX = 22026
+ VT_SETMODE = 22018
+ VT_WAITACTIVE = 22023
 WCONTINUED = 8
 WEXITED = 4
 WHOLE_SECONDS = 33554432
diff --git a/prog/mutation.go b/prog/mutation.go
index 2e7f76fd6..db471a4c6 100644
--- a/prog/mutation.go
+++ b/prog/mutation.go
@@ -152,7 +152,7 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable) {
 }
 case sys.LenType:
 panic("bad arg returned by mutationArgs: LenType")
- case sys.ConstType:
+ case sys.ConstType, sys.StrConstType:
 panic("bad arg returned by mutationArgs: ConstType")
 default:
 panic(fmt.Sprintf("bad arg returned by mutationArgs: %#v, type=%#v", *arg, arg.Type))
@@ -306,7 +306,7 @@ func mutationArgs(c *Call) (args, bases []*Arg, parents []*[]*Arg) {
 case sys.LenType:
 // Size is updated when the size-of arg change.
 return
- case sys.ConstType:
+ case sys.ConstType, sys.StrConstType:
 // Well, this is const.
 return
 }
diff --git a/prog/prio.go b/prog/prio.go
index 3f30bf594..8374fd54d 100644
--- a/prog/prio.go
+++ b/prog/prio.go
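Review bot: In the Mutate hunk (`@@ -152,7 +152,7 @@`) the panic on the line after the new `case sys.ConstType, sys.StrConstType:` still reads `"bad arg returned by mutationArgs: ConstType"`, so a StrConstType arg that reaches this switch is reported under the wrong type name, which will mislead whoever debugs that panic. Report the actual type instead of a hard-coded name, matching the default branch two lines below: `panic(fmt.Sprintf("bad arg returned by mutationArgs: %#v", arg.Type))`. The second hunk (`@@ -306,7 +306,7 @@`) only returns, so it has no such stale text. Both Mutate and mutationArgs begin before their hunks and continue after them.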
@@ -209,7 +209,7 @@ func foreachArgType(meta *sys.Call, f func(sys.Type, ArgDir)) { } case sys.ResourceType, sys.FileoffType, sys.BufferType, sys.VmaType, sys.LenType, sys.FlagsType, sys.ConstType, - sys.IntType, sys.FilenameType: + sys.StrConstType, sys.IntType, sys.FilenameType: default: panic("unknown type") } diff --git a/prog/prog.go b/prog/prog.go index 615951918..80d58b949 100644 --- a/prog/prog.go +++ b/prog/prog.go @@ -63,6 +63,8 @@ func (a *Arg) Size(typ sys.Type) uintptr { return typ1.TypeSize case sys.ConstType: return typ1.TypeSize + case sys.StrConstType: + return ptrSize case sys.FileoffType: return typ1.TypeSize case sys.ResourceType: diff --git a/prog/rand.go b/prog/rand.go index 9cb88b8b6..8509ef5cc 100644 --- a/prog/rand.go +++ b/prog/rand.go @@ -603,7 +603,7 @@ func (r *randGen) generateArg(s *state, typ sys.Type, dir ArgDir, sizes map[stri // in subsequent calls. For the same reason we do generate pointer/array/struct // output arguments (their elements can be referenced in subsequent calls). switch typ.(type) { - case sys.IntType, sys.FlagsType, sys.ConstType, sys.FileoffType, sys.ResourceType: + case sys.IntType, sys.FlagsType, sys.ConstType, sys.StrConstType, sys.FileoffType, sys.ResourceType: return constArg(0), nil, nil } } @@ -692,6 +692,8 @@ func (r *randGen) generateArg(s *state, typ sys.Type, dir ArgDir, sizes map[stri return constArg(r.flags(a.Vals)), nil, nil case sys.ConstType: return constArg(a.Val), nil, nil + case sys.StrConstType: + return dataArg([]byte(a.Val)), constArg(uintptr(len(a.Val))), nil case sys.IntType: v := r.randInt() switch a.Kind { -- cgit mrf-deployment
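Review bot: In rand.go the output-direction path (`@@ -603,7 +603,7 @@`) turns a StrConstType arg into `constArg(0)`, while the normal path (`@@ -692,6 +692,8 @@`) produces `dataArg([]byte(a.Val))` plus a length `constArg`, and prog.go's Size reports `ptrSize` for the same type — three different views of how a string constant is laid out in a call, with no comment reconciling them. If the intent is that the value is passed by pointer to its bytes and a zero pointer is acceptable for output args, say so on the new output case, e.g. `// StrConstType is passed by pointer; output args get a NULL pointer like the other scalar types.`; if not, the output case should presumably return the dataArg pair as well. It is also worth confirming whether `a.Val` must be NUL-terminated before it reaches the kernel, since `[]byte(a.Val)` adds no terminator. generateArg begins before and ends after both rand.go hunks.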