From 94f1595a775beffc924ace61dbdaabfc57d65668 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@google.com>
Date: Wed, 19 Jul 2017 15:31:22 +0200
Subject: prog: allow recursion for optional pointers

When syzkaller generates arg that uses a few structs that reference each
other via pointers, it can go into infinite recursion and crash.

Fix this by forcing pointer args to be null when the depth of recursion
reaches 3 for some struct.
---
 sys/sys_amd64.go | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

(limited to 'sys/sys_amd64.go')

diff --git a/sys/sys_amd64.go b/sys/sys_amd64.go
index 88835de03..9f8013528 100644
--- a/sys/sys_amd64.go
+++ b/sys/sys_amd64.go
@@ -680,6 +680,10 @@ var structArray = []Type{
 	&StructType{TypeCommon: TypeCommon{TypeName: "syz_length_parent2_struct_inner_inner", IsOptional: false}},
 	&StructType{TypeCommon: TypeCommon{TypeName: "syz_length_parent_struct", IsOptional: false}},
 	&StructType{TypeCommon: TypeCommon{TypeName: "syz_length_vma_struct", IsOptional: false}},
+	&StructType{TypeCommon: TypeCommon{TypeName: "syz_recur_0", IsOptional: false}},
+	&StructType{TypeCommon: TypeCommon{TypeName: "syz_recur_1", IsOptional: false}},
+	&StructType{TypeCommon: TypeCommon{TypeName: "syz_recur_2", IsOptional: false}},
+	&StructType{TypeCommon: TypeCommon{TypeName: "syz_recur_2_0", IsOptional: false}},
 	&StructType{TypeCommon: TypeCommon{TypeName: "syz_regression0_struct", IsOptional: false}},
 	&UnionType{TypeCommon: TypeCommon{TypeName: "syz_union0", IsOptional: false}},
 	&StructType{TypeCommon: TypeCommon{TypeName: "syz_union0_struct", IsOptional: false}},
@@ -19100,6 +19104,69 @@ var structFields = []struct {
 		&VmaType{TypeCommon: TypeCommon{TypeName: "vma", FldName: "f0", ArgDir: DirOut, IsOptional: false}, RangeBegin: 0, RangeEnd: 0},
 		&LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "f1", ArgDir: DirOut, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "f0", ByteSize: 0},
 	}},
+	{structKey{"syz_recur_0", "", DirIn}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+	}},
+	{structKey{"syz_recur_0", "", DirInOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+	}},
+	{structKey{"syz_recur_0", "", DirOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+	}},
+	{structKey{"syz_recur_1", "", DirIn}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_1", "", DirInOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_1", "", DirOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2", "", DirIn}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a4", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a5", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2", "", DirInOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a4", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a5", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2", "", DirOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_1", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a4", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a5", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2_0", "", DirIn}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2_0", "", DirInOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+	}},
+	{structKey{"syz_recur_2_0", "", DirOut}, []Type{
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a1", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a2", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+		&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a3", ArgDir: DirIn, IsOptional: true}, Type: getStruct(structKey{"syz_recur_2_0", "", DirIn})},
+	}},
 	{structKey{"syz_regression0_struct", "", DirIn}, []Type{
 		&PtrType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "f0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "buffer", FldName: "f0", ArgDir: DirOut, IsOptional: false}, Kind: BufferBlobRand}},
 	}},
@@ -22833,6 +22900,9 @@ var Calls = []*Call{
 	&Call{Name: "syz_test$opt0", CallName: "syz_test", Native: false, Args: []Type{&IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}}}, NR: 1000001},
 	&Call{Name: "syz_test$opt1", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: true}, Type: &IntType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "intptr", FldName: "", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}}}}, NR: 1000001},
 	&Call{Name: "syz_test$opt2", CallName: "syz_test", Native: false, Args: []Type{&VmaType{TypeCommon: TypeCommon{TypeName: "vma", FldName: "a0", ArgDir: DirIn, IsOptional: true}, RangeBegin: 0, RangeEnd: 0}}, NR: 1000001},
+	&Call{Name: "syz_test$recur0", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_0", "", DirInOut})}}, NR: 1000001},
+	&Call{Name: "syz_test$recur1", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_1", "", DirInOut})}}, NR: 1000001},
+	&Call{Name: "syz_test$recur2", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_recur_2", "", DirInOut})}}, NR: 1000001},
 	&Call{Name: "syz_test$regression0", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: getStruct(structKey{"syz_regression0_struct", "", DirInOut})}}, NR: 1000001},
 	&Call{Name: "syz_test$text_x86_16", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_16}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001},
 	&Call{Name: "syz_test$text_x86_32", CallName: "syz_test", Native: false, Args: []Type{&PtrType{TypeCommon: TypeCommon{TypeName: "ptr", FldName: "a0", ArgDir: DirIn, IsOptional: false}, Type: &BufferType{TypeCommon: TypeCommon{TypeName: "text", FldName: "", ArgDir: DirIn, IsOptional: false}, Kind: BufferText, Text: Text_x86_32}}, &LenType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "len", FldName: "a1", ArgDir: DirIn, IsOptional: false}, TypeSize: 8, BigEndian: false, BitfieldLen: 0}, Buf: "a0", ByteSize: 0}}, NR: 1000001},
-- 
cgit mrf-deployment