From 71db69869e82cce9af00f8660c6e867936b19212 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 4 May 2020 09:21:34 +0200
Subject: sys/linux: mark some ioctls as disabled

Mark ioctls we disable in init.go as disabled.

Update #477
Update #502
---
 sys/linux/bpf_386.const | 2 +-
 sys/linux/bpf_amd64.const | 2 +-
 sys/linux/bpf_arm.const | 2 +-
 sys/linux/bpf_arm64.const | 2 +-
 sys/linux/bpf_mips64le.const | 2 +-
 sys/linux/bpf_ppc64le.const | 2 +-
 sys/linux/dev_ptmx.txt | 11 ++++++++++-
 sys/linux/fs_ext4.txt | 11 +++++++++--
 sys/linux/init.go | 4 +---
 sys/linux/init_test.go | 4 ----
 sys/linux/prctl_386.const | 2 +-
 sys/linux/prctl_amd64.const | 2 +-
 sys/linux/prctl_arm.const | 2 +-
 sys/linux/prctl_arm64.const | 2 +-
 sys/linux/prctl_mips64le.const | 2 +-
 sys/linux/prctl_ppc64le.const | 2 +-
 sys/linux/sys.txt | 15 +++++++++++----
 sys/linux/sys_386.const | 1 -
 sys/linux/sys_amd64.const | 1 -
 sys/linux/sys_arm.const | 1 -
 sys/linux/sys_arm64.const | 1 -
 sys/linux/sys_mips64le.const | 1 -
 sys/linux/sys_ppc64le.const | 1 -
 23 files changed, 43 insertions(+), 32 deletions(-)

(limited to 'sys/linux')

diff --git a/sys/linux/bpf_386.const b/sys/linux/bpf_386.const
index 00a92d0b8..13a70ca0e 100644
--- a/sys/linux/bpf_386.const
+++ b/sys/linux/bpf_386.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 357
 bpf_call_code = 133
diff --git a/sys/linux/bpf_amd64.const b/sys/linux/bpf_amd64.const
index b539fc0cb..1aac3b5d3 100644
--- a/sys/linux/bpf_amd64.const
+++ b/sys/linux/bpf_amd64.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 321
 bpf_call_code = 133
diff --git a/sys/linux/bpf_arm.const b/sys/linux/bpf_arm.const
index 1f1e1465a..aaeb5db2f 100644
--- a/sys/linux/bpf_arm.const
+++ b/sys/linux/bpf_arm.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 386
 bpf_call_code = 133
diff --git a/sys/linux/bpf_arm64.const b/sys/linux/bpf_arm64.const
index d3f42ac85..5b12719a4 100644
--- a/sys/linux/bpf_arm64.const
+++ b/sys/linux/bpf_arm64.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 280
 bpf_call_code = 133
diff --git a/sys/linux/bpf_mips64le.const b/sys/linux/bpf_mips64le.const
index b8f3a7c8a..95f68f9c2 100644
--- a/sys/linux/bpf_mips64le.const
+++ b/sys/linux/bpf_mips64le.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 5315
 bpf_call_code = 133
diff --git a/sys/linux/bpf_ppc64le.const b/sys/linux/bpf_ppc64le.const
index 1633606c4..f3a381788 100644
--- a/sys/linux/bpf_ppc64le.const
+++ b/sys/linux/bpf_ppc64le.const
@@ -217,7 +217,7 @@ BTF_KIND_VOLATILE = 9
 BTF_MAGIC = 60319
 BTF_VERSION = 1
 MAX_BPF_REG = 11
-__BPF_FUNC_MAX_ID = 125
+__BPF_FUNC_MAX_ID = 126
 __MAX_BPF_REG = 11
 __NR_bpf = 361
 bpf_call_code = 133
diff --git a/sys/linux/dev_ptmx.txt b/sys/linux/dev_ptmx.txt
index 31277fe38..a03b24c58 100644
--- a/sys/linux/dev_ptmx.txt
+++ b/sys/linux/dev_ptmx.txt
@@ -136,8 +136,17 @@ ioctl$TIOCL_GETKMSGREDIRECT(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[T
 ioctl$TIOCL_SCROLLCONSOLE(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, tioctl_scroll_console])
 ioctl$TIOCL_BLANKSCREEN(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_BLANKSCREEN, int8]])
 
+# TIOCSSERIAL can do nasty things under root, like causing writes to random memory
+# pretty much like /dev/mem, but this is also working as intended.
+# For details see:
+# https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ
+# https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e
+# TODO: TIOCSSERIAL does some other things that are not dangerous
+# and would be nice to test, if/when we can neutralize based on sandbox value
+# we could prohibit it only under sandbox=none.
+ioctl$TIOCSSERIAL(fd fd, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct]) (disabled)
+
 ioctl$TIOCGSERIAL(fd fd_tty, cmd const[TIOCGSERIAL], arg ptr[out, serial_struct])
-ioctl$TIOCSSERIAL(fd fd_tty, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct])
 ioctl$TCGETS2(fd fd_tty, cmd const[TCGETS2], arg ptr[out, termios2])
 ioctl$TCSETS2(fd fd_tty, cmd const[TCSETS2], arg ptr[in, termios2])
 ioctl$TCSETSF2(fd fd_tty, cmd const[TCSETSF2], arg ptr[in, termios2])
diff --git a/sys/linux/fs_ext4.txt b/sys/linux/fs_ext4.txt
index 20dc4dbf2..56d702bb9 100644
--- a/sys/linux/fs_ext4.txt
+++ b/sys/linux/fs_ext4.txt
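Review bot: The re-added `ioctl$TIOCSSERIAL` description loosens its fd resource from `fd_tty` to a generic `fd`, which makes it less useful on the day the TODO above it is resolved and the call is re-enabled under a non-none sandbox; keeping the original resource costs nothing while the call is `(disabled)`: `ioctl$TIOCSSERIAL(fd fd_tty, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct]) (disabled)`. This commit also drops the init_test.go case that checked the TIOCSSERIAL→TIOCGSERIAL rewrite, so the `(disabled)` attribute appears to be the only remaining guard. If programs from an older corpus or a hand-written reproducer that contain this call are still accepted by the parser, they would now run the real TIOCSSERIAL instead of the neutralized one, which is worth confirming before relying on the attribute alone.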
@@ -16,8 +16,15 @@ ioctl$EXT4_IOC_PRECACHE_EXTENTS(fd fd, cmd const[EXT4_IOC_PRECACHE_EXTENTS])
 
 ext4_inode_flags = EXT4_SECRM_FL, EXT4_UNRM_FL, EXT4_COMPR_FL, EXT4_SYNC_FL, EXT4_IMMUTABLE_FL, EXT4_APPEND_FL, EXT4_NODUMP_FL, EXT4_NOATIME_FL, EXT4_PROJINHERIT_FL, EXT4_JOURNAL_DATA_FL, EXT4_NOTAIL_FL, EXT4_DIRSYNC_FL, EXT4_TOPDIR_FL, EXT4_EXTENTS_FL
 
-# See comments in init.go.
-_ = EXT4_IOC_SHUTDOWN, EXT4_IOC_RESIZE_FS
+# EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
+# Fortunately, the value does not conflict with any other ioctl commands for now.
+ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (disabled)
+
+# EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size)
+# and then creation of new temp dirs for tests will fail.
+# TODO: not necessary for sandbox=namespace as it tests in a tmpfs
+# and/or if we mount tmpfs for sandbox=none (#971).
+ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (disabled)
 
 ext4_new_group_input {
 	group	int32
diff --git a/sys/linux/init.go b/sys/linux/init.go
index 65faad183..f4f000cfa 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -24,7 +24,6 @@ func InitTarget(target *prog.Target) {
 		FIFREEZE: target.GetConst("FIFREEZE"),
 		FITHAW: target.GetConst("FITHAW"),
 		SNAPSHOT_FREEZE: target.GetConst("SNAPSHOT_FREEZE"),
-		SNAPSHOT_UNFREEZE: target.GetConst("SNAPSHOT_UNFREEZE"),
 		EXT4_IOC_SHUTDOWN: target.GetConst("EXT4_IOC_SHUTDOWN"),
 		EXT4_IOC_RESIZE_FS: target.GetConst("EXT4_IOC_RESIZE_FS"),
 		EXT4_IOC_MIGRATE: target.GetConst("EXT4_IOC_MIGRATE"),
@@ -132,7 +131,6 @@ type arch struct {
 	FIFREEZE uint64
 	FITHAW uint64
 	SNAPSHOT_FREEZE uint64
-	SNAPSHOT_UNFREEZE uint64
 	EXT4_IOC_SHUTDOWN uint64
 	EXT4_IOC_RESIZE_FS uint64
 	EXT4_IOC_MIGRATE uint64
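Review bot: Both new `(disabled)` descriptions in fs_ext4.txt drop the ioctl argument: `ioctl$EXT4_IOC_SHUTDOWN` has no `arg` although the kernel reads a 32-bit flags word through the user pointer (`_IOR('X', 125, __u32)`), and `ioctl$EXT4_IOC_RESIZE_FS` has none although it reads a 64-bit block count (`_IOW('f', 16, __u64)`). As written they are placeholders for the constants, so re-enabling them later (the TODO on RESIZE_FS anticipates exactly that for sandbox=namespace) would presumably only ever exercise the EFAULT path; suggest `ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN], arg ptr[in, int32]) (disabled)` and `ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS], arg ptr[in, int64]) (disabled)`. The sentence "the value does not conflict with any other ioctl commands" was written for the cmd-value match in init.go's neutralizeIoctl and reads out of place in a description that is disabled by attribute; it could be dropped or rephrased here.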
@@ -252,7 +250,7 @@ func (arch *arch) neutralizeIoctl(c *prog.Call) {
 		cmd.Val = arch.FITHAW
 	case arch.SNAPSHOT_FREEZE:
 		// SNAPSHOT_FREEZE freezes all processes and leaves the machine dead.
-		cmd.Val = arch.SNAPSHOT_UNFREEZE
+		cmd.Val = arch.FITHAW
 	case arch.EXT4_IOC_SHUTDOWN:
 		// EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
 		// Fortunately, the value does not conflict with any other ioctl commands for now.
diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go
index ba6dd9462..df0622ba3 100644
--- a/sys/linux/init_test.go
+++ b/sys/linux/init_test.go
@@ -131,9 +131,5 @@ syz_open_dev$tty1(0xc, 0x4, 0x4)
 syz_open_dev$tty1(0xc, 0x4, 0x1)
 `,
 		},
-		{
-			In: `ioctl$TIOCSSERIAL(0x0, 0x541f, 0x0)`,
-			Out: `ioctl$TIOCSSERIAL(0x0, 0x541e, 0x0)`,
-		},
 	})
 }
diff --git a/sys/linux/prctl_386.const b/sys/linux/prctl_386.const
index 0b9c3ab97..10f85c882 100644
--- a/sys/linux/prctl_386.const
+++ b/sys/linux/prctl_386.const
@@ -8,7 +8,7 @@ ARCH_MAP_VDSO_X32 = 8193
 ARCH_SET_CPUID = 4114
 ARCH_SET_FS = 4098
 ARCH_SET_GS = 4097
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_amd64.const b/sys/linux/prctl_amd64.const
index d2c014e56..768de6c29 100644
--- a/sys/linux/prctl_amd64.const
+++ b/sys/linux/prctl_amd64.const
@@ -8,7 +8,7 @@ ARCH_MAP_VDSO_X32 = 8193
 ARCH_SET_CPUID = 4114
 ARCH_SET_FS = 4098
 ARCH_SET_GS = 4097
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_arm.const b/sys/linux/prctl_arm.const
index 11f16c599..1b9433aa4 100644
--- a/sys/linux/prctl_arm.const
+++ b/sys/linux/prctl_arm.const
@@ -8,7 +8,7 @@
 # ARCH_SET_CPUID is not set
 # ARCH_SET_FS is not set
 # ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_arm64.const b/sys/linux/prctl_arm64.const
index 4444c6eb7..ff36679fd 100644
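Review bot: The new `cmd.Val = arch.FITHAW` substitute for SNAPSHOT_FREEZE is not explained: the comment above it still only says why SNAPSHOT_FREEZE is dangerous, and FITHAW is the same value the preceding case (which appears to be FIFREEZE) rewrites to, so a reader has to guess why a filesystem-thaw command is a safe stand-in on a /dev/snapshot fd (presumably it just fails with ENOTTY there — confirm). Suggest extending the comment: `// Rewrite to FITHAW, as the FIFREEZE case does: it is expected to be harmless on any fd and, unlike the removed SNAPSHOT_UNFREEZE, needs no extra constant.` The init_test.go hunk in this commit removes the only visible neutralizeIoctl table entry but adds none pinning the new SNAPSHOT_FREEZE→FITHAW rewrite, so the changed mapping is untested. The FIFREEZE case and the rest of neutralizeIoctl lie outside this hunk.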
--- a/sys/linux/prctl_arm64.const
+++ b/sys/linux/prctl_arm64.const
@@ -8,7 +8,7 @@
 # ARCH_SET_CPUID is not set
 # ARCH_SET_FS is not set
 # ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_mips64le.const b/sys/linux/prctl_mips64le.const
index 2a4998828..6f837a503 100644
--- a/sys/linux/prctl_mips64le.const
+++ b/sys/linux/prctl_mips64le.const
@@ -8,7 +8,7 @@
 # ARCH_SET_CPUID is not set
 # ARCH_SET_FS is not set
 # ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/prctl_ppc64le.const b/sys/linux/prctl_ppc64le.const
index 1ab70e56a..127d8e4aa 100644
--- a/sys/linux/prctl_ppc64le.const
+++ b/sys/linux/prctl_ppc64le.const
@@ -8,7 +8,7 @@
 # ARCH_SET_CPUID is not set
 # ARCH_SET_FS is not set
 # ARCH_SET_GS is not set
-CAP_LAST_CAP = 37
+CAP_LAST_CAP = 38
 PR_CAPBSET_DROP = 24
 PR_CAPBSET_READ = 23
 PR_CAP_AMBIENT = 47
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index b4e470608..78604b717 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -182,10 +182,16 @@ restart_syscall()
 
 # Almighty!
 ioctl(fd fd, cmd int32, arg buffer[in])
-ioctl$void(fd fd, cmd flags[ioctl_void])
 ioctl$int_in(fd fd, cmd flags[ioctl_int_in], v ptr[in, int64])
 ioctl$int_out(fd fd, cmd flags[ioctl_int_out], v ptr[out, intptr])
 
+ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
+ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
+ioctl$FITHAW(fd fd, cmd const[FITHAW])
+
+# FIFREEZE is disabled because it can easily kill the machine.
+ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (disabled)
+
 fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
 fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
 fcntl$setflags(fd fd, cmd const[F_SETFD], flags flags[fcntl_flags])
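Review bot: The comment on the new `ioctl$FIFREEZE` description says it "can easily kill the machine" but not how, which is what someone deciding whether `(disabled)` can be lifted under another sandbox needs: FIFREEZE suspends writes on the filesystem behind the fd until a FITHAW arrives, so issued on the root fs it wedges the executor and everything else that writes. Suggest `# FIFREEZE freezes the filesystem behind fd (blocks all writes until FITHAW); on the root fs that hangs the executor, so it is disabled.` Since `ioctl$FITHAW` is now a separate description, a one-line note that FITHAW is also the command init.go's neutralizeIoctl appears to rewrite FIFREEZE to would keep the two in sync if either is renamed; that rewrite lives outside this hunk.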
@@ -534,7 +540,9 @@ openat$nvme_fabrics(fd const[AT_FDCWD], file ptr[in, string["/dev/nvme-fabrics"]
 
 openat$bsg(fd const[AT_FDCWD], file ptr[in, string["/dev/bsg"]], flags flags[open_flags], mode const[0]) fd
 openat$snapshot(fd const[AT_FDCWD], file ptr[in, string["/dev/snapshot"]], flags flags[open_flags], mode const[0]) fd
-_ = SNAPSHOT_FREEZE, SNAPSHOT_UNFREEZE
+
+# SNAPSHOT_FREEZE is disabled because it can easily kill the machine.
+ioctl$SNAPSHOT_FREEZE(fd fd, cmd const[SNAPSHOT_FREEZE]) (disabled)
 
 pipefd {
 	rfd	fd
@@ -957,7 +965,6 @@ flock_type = F_RDLCK, F_WRLCK, F_UNLCK
 f_owner_type = F_OWNER_TID, F_OWNER_PID, F_OWNER_PGRP
 fcntl_notify = DN_MULTISHOT, DN_ACCESS, DN_MODIFY, DN_CREATE, DN_DELETE, DN_RENAME, DN_ATTRIB
 seal_types = F_SEAL_SEAL, F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE
-ioctl_void = FIOCLEX, FIONCLEX, FITHAW
 ioctl_int_in = FIONBIO, FIOASYNC
 ioctl_int_out = FIOQSIZE, FIGETBSZ
 fcntl_rw_hint = RWF_WRITE_LIFE_NOT_SET, RWH_WRITE_LIFE_NONE, RWH_WRITE_LIFE_SHORT, RWH_WRITE_LIFE_MEDIUM, RWH_WRITE_LIFE_LONG, RWH_WRITE_LIFE_EXTREME
@@ -973,7 +980,7 @@ _ = STA_PLL, STA_PPSFREQ, STA_PPSTIME, STA_FLL, STA_INS, STA_DEL, STA_UNSYNC, ST
 _ = ADJ_OFFSET, ADJ_FREQUENCY, ADJ_MAXERROR, ADJ_ESTERROR, ADJ_STATUS, ADJ_TIMECONST, ADJ_TAI, ADJ_SETOFFSET, ADJ_MICRO, ADJ_NANO, ADJ_TICK, ADJ_OFFSET_SINGLESHOT
 
 # misc
-_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, FIFREEZE, PTRACE_TRACEME, SYSLOG_ACTION_CONSOLE_ON, SYSLOG_ACTION_CONSOLE_OFF, SYSLOG_ACTION_CONSOLE_LEVEL, SYSLOG_ACTION_CLEAR, __NR_mmap2
+_ = KCOV_INIT_TRACE, KCOV_ENABLE, KCOV_DISABLE, KCOV_TRACE_PC, KCOV_TRACE_CMP, PTRACE_TRACEME, SYSLOG_ACTION_CONSOLE_ON, SYSLOG_ACTION_CONSOLE_OFF, SYSLOG_ACTION_CONSOLE_LEVEL, SYSLOG_ACTION_CLEAR, __NR_mmap2
 
 # Hardcode KCOV_REMOTE_ENABLE value for amd64 until new kcov patches reach mainline.
 define KCOV_REMOTE_ENABLE 1075340134
diff --git a/sys/linux/sys_386.const b/sys/linux/sys_386.const
index ccb7508c2..e0428f856 100644
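Review bot: The new comment `# SNAPSHOT_FREEZE is disabled because it can easily kill the machine.` copies the FIFREEZE wording and loses the more precise reason init.go gives in this same commit ("freezes all processes and leaves the machine dead"); suggest `# SNAPSHOT_FREEZE freezes all user processes, including the executor, and leaves the machine dead, so it is disabled.` The description is also declared on a bare `fd` although the command is meant for `/dev/snapshot`; that is consistent with `openat$snapshot` just above returning a plain `fd`, but a dedicated resource for both would let the call be targeted at the right fd if it is ever re-enabled.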
--- a/sys/linux/sys_386.const
+++ b/sys/linux/sys_386.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
 SIG_SETMASK = 2
 SIG_UNBLOCK = 1
 SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_amd64.const b/sys/linux/sys_amd64.const
index 3b43c4ecd..6951cfaf1 100644
--- a/sys/linux/sys_amd64.const
+++ b/sys/linux/sys_amd64.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
 SIG_SETMASK = 2
 SIG_UNBLOCK = 1
 SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_arm.const b/sys/linux/sys_arm.const
index 531698582..dc2aaf204 100644
--- a/sys/linux/sys_arm.const
+++ b/sys/linux/sys_arm.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
 SIG_SETMASK = 2
 SIG_UNBLOCK = 1
 SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_arm64.const b/sys/linux/sys_arm64.const
index 49a2f6928..5aff308b0 100644
--- a/sys/linux/sys_arm64.const
+++ b/sys/linux/sys_arm64.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
 SIG_SETMASK = 2
 SIG_UNBLOCK = 1
 SNAPSHOT_FREEZE = 13057
-SNAPSHOT_UNFREEZE = 13058
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_mips64le.const b/sys/linux/sys_mips64le.const
index e4c37f7f7..2fc44fcff 100644
--- a/sys/linux/sys_mips64le.const
+++ b/sys/linux/sys_mips64le.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 1
 SIG_SETMASK = 3
 SIG_UNBLOCK = 2
 SNAPSHOT_FREEZE = 536883969
-SNAPSHOT_UNFREEZE = 536883970
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
diff --git a/sys/linux/sys_ppc64le.const b/sys/linux/sys_ppc64le.const
index efddafe61..bc2c1ec9e 100644
--- a/sys/linux/sys_ppc64le.const
+++ b/sys/linux/sys_ppc64le.const
@@ -458,7 +458,6 @@ SIG_BLOCK = 0
 SIG_SETMASK = 2
 SIG_UNBLOCK = 1
 SNAPSHOT_FREEZE = 536883969
-SNAPSHOT_UNFREEZE = 536883970
 SPLICE_F_GIFT = 8
 SPLICE_F_MORE = 4
 SPLICE_F_MOVE = 1
-- 
cgit mrf-deployment