From cc1e9bc12dd23755159935e93858fcfee121d94e Mon Sep 17 00:00:00 2001 From: Anton Lindqvist Date: Mon, 29 Jun 2020 20:53:07 +0200 Subject: sys/openbsd: neutralize yet another pf ioctl command Disarms the latest reproducer[1] for the discovered "no output from test machine" panic. While here, tidy up and improve comments. [1] https://syzkaller.appspot.com/bug?id=4c3b1ac22d6d7f1d9ebcad5469a28cb4562debda --- sys/openbsd/dev_pf.txt | 3 ++- sys/openbsd/dev_pf_amd64.const | 1 + sys/openbsd/init.go | 10 ++++++---- sys/openbsd/init_test.go | 6 ++++++ 4 files changed, 15 insertions(+), 5 deletions(-) (limited to 'sys/openbsd') diff --git a/sys/openbsd/dev_pf.txt b/sys/openbsd/dev_pf.txt index 4dfd44aec..93ce99b06 100644 --- a/sys/openbsd/dev_pf.txt +++ b/sys/openbsd/dev_pf.txt @@ -9,7 +9,8 @@ include include -# This ioctl is restricted in SanitizeCall(), see init.go. +# The following ioctl commands are restricted in neutralize(), see init.go. +_ = DIOCCLRSTATES _ = DIOCKILLSTATES resource fd_pf[fd] diff --git a/sys/openbsd/dev_pf_amd64.const b/sys/openbsd/dev_pf_amd64.const index f5a32c62a..1a68d3d6e 100644 --- a/sys/openbsd/dev_pf_amd64.const +++ b/sys/openbsd/dev_pf_amd64.const @@ -1,4 +1,5 @@ # AUTOGENERATED FILE AT_FDCWD = 18446744073709551516 +DIOCCLRSTATES = 3235922962 DIOCKILLSTATES = 3235922985 SYS_openat = 321 diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go index 6948139aa..f24f06273 100644 --- a/sys/openbsd/init.go +++ b/sys/openbsd/init.go @@ -15,6 +15,7 @@ func InitTarget(target *prog.Target) { arch := &arch{ unix: targets.MakeUnixNeutralizer(target), DIOCKILLSTATES: target.GetConst("DIOCKILLSTATES"), + DIOCCLRSTATES: target.GetConst("DIOCCLRSTATES"), S_IFMT: target.GetConst("S_IFMT"), S_IFCHR: target.GetConst("S_IFCHR"), } @@ -26,6 +27,7 @@ func InitTarget(target *prog.Target) { type arch struct { unix *targets.UnixNeutralizer + DIOCCLRSTATES uint64 DIOCKILLSTATES uint64 S_IFMT uint64 S_IFCHR uint64 
@@ -94,11 +96,11 @@ func (arch *arch) neutralize(c *prog.Call) {
 flags.Val &= ^f
 }
 case "ioctl":
- // Performing the following ioctl on a /dev/pf file descriptor
- // causes the ssh VM connection to die. For now, just rewire it
- // to an invalid command.
+ // Performing the following ioctl commands on a /dev/pf file
+ // descriptor causes the ssh VM connection to die. For now, just
+ // rewire them to an invalid command.
 request := c.Args[1].(*prog.ConstArg)
- if request.Val == arch.DIOCKILLSTATES {
+ if request.Val == arch.DIOCCLRSTATES || request.Val == arch.DIOCKILLSTATES {
 request.Val = 0
 }
 case "mknodat":
diff --git a/sys/openbsd/init_test.go b/sys/openbsd/init_test.go
index 8ca641f16..c4ec0c0bb 100644
--- a/sys/openbsd/init_test.go
+++ b/sys/openbsd/init_test.go
@@ -20,10 +20,16 @@ func TestNeutralize(t *testing.T) {
 In: `fchflags(0x0, 0x60004)`,
 Out: `fchflags(0x0, 0x0)`,
 },
+ // Note, a random ioctl description used since only the command
+ // is of importance.
 {
 In: `ioctl$BIOCSDIRFILT(0x0, 0xc0e04429, 0x0)`,
 Out: `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`,
 },
+ {
+ In: `ioctl$BIOCSDIRFILT(0x0, 0xc0e04412, 0x0)`,
+ Out: `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`,
+ },
 {
 // major=22, minor=232
 In: `mknodat(0x0, 0x0, 0x0, 0x16e8)`,
-- cgit mrf-deployment
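Review bot: The condition in the `case "ioctl":` branch is now a hand-written `||` denylist, and the commit title ("yet another") suggests it will keep growing; `switch request.Val { case arch.DIOCCLRSTATES, arch.DIOCKILLSTATES: request.Val = 0 }` would make each further command a one-token addition and harder to get wrong. The comment also reads as if the rewrite were specific to /dev/pf descriptors, while the code matches on the command value for any ioctl call (the test in this commit relies on that by using an unrelated ioctl description); a line such as `// Matched by command value alone, regardless of the descriptor type.` would state the actual behaviour. The `c.Args[1].(*prog.ConstArg)` assertion is unchanged context, and neutralize's body starts and ends outside this hunk.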
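Review bot: The added table entry uses the bare literal `0xc0e04412`, and nothing in the test says which neutralized command it stands for. Going by dev_pf_amd64.const in this same commit, it is DIOCCLRSTATES (3235922962), and the existing `0xc0e04429` is DIOCKILLSTATES (3235922985). A one-line comment inside each case, in the style of the `// major=22, minor=232` note on the mknodat case, would tie the values back to the const file: `// DIOCKILLSTATES` on the first ioctl entry and `// DIOCCLRSTATES` on the new one. The test table starts and ends outside this hunk.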