From b655d91b8cb3b60be16c940d7bf4b192c2624a7b Mon Sep 17 00:00:00 2001
From: Anton Lindqvist
Date: Wed, 4 Mar 2020 16:46:46 +0100
Subject: sys/openbsd: prevent killing the ssh VM connection This is one of the root causes of the 'no output from test machine' panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will cause state associated with ongoing connections to be purged; effectively killing the ssh connection to the VM. Including net/pfvar.h is necessary in order to make use of the DIOCKILLSTATES define.
---
sys/openbsd/dev_pf.txt | 17 +++++++++++++++++
sys/openbsd/dev_pf_amd64.const | 4 ++++
sys/openbsd/gen/amd64.go | 10 +++++++++-
sys/openbsd/init.go | 22 ++++++++++++++++------
sys/openbsd/init_test.go | 4 ++++
5 files changed, 50 insertions(+), 7 deletions(-)
create mode 100644 sys/openbsd/dev_pf.txt
create mode 100644 sys/openbsd/dev_pf_amd64.const
(limited to 'sys')
diff --git a/sys/openbsd/dev_pf.txt b/sys/openbsd/dev_pf.txt
new file mode 100644
index 000000000..4dfd44aec
--- /dev/null
+++ b/sys/openbsd/dev_pf.txt
@@ -0,0 +1,17 @@
+# Copyright 2020 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include
+include
+include
+include
+include
+
+include
+
+# This ioctl is restricted in SanitizeCall(), see init.go.
+_ = DIOCKILLSTATES
+
+resource fd_pf[fd]
+
+openat$pf(fd const[AT_FDCWD], file ptr[in, string["/dev/pf"]], flags flags[open_flags], mode const[0]) fd_pf
diff --git a/sys/openbsd/dev_pf_amd64.const b/sys/openbsd/dev_pf_amd64.const
new file mode 100644
index 000000000..f5a32c62a
--- /dev/null
+++ b/sys/openbsd/dev_pf_amd64.const
@@ -0,0 +1,4 @@ +# AUTOGENERATED FILE +AT_FDCWD = 18446744073709551516 +DIOCKILLSTATES = 3235922985 +SYS_openat = 321
diff --git a/sys/openbsd/gen/amd64.go b/sys/openbsd/gen/amd64.go
index 75e89ee19..d329555d2 100644
--- a/sys/openbsd/gen/amd64.go
+++ b/sys/openbsd/gen/amd64.go
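Review bot: The comment above `_ = DIOCKILLSTATES` in sys/openbsd/dev_pf.txt says where the ioctl is restricted, but not why the constant is declared with no syscall using it, nor what the restriction protects. Since this file only describes `openat$pf`, the bare reference appears to exist so that the constant is extracted and `target.GetConst("DIOCKILLSTATES")` in init.go can resolve it. I would spell that out, e.g. `# Declared only so the constant is extracted for SanitizeCall() in init.go, which neutralizes this ioctl because it purges pf state and drops the ssh connection to the VM.`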
@@ -19,6 +19,7 @@ var resources_amd64 = []*ResourceDesc{ {Name: "fd_klog", Kind: []string{"fd", "fd_klog"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, {Name: "fd_kqueue", Kind: []string{"fd", "fd_kqueue"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, {Name: "fd_pci", Kind: []string{"fd", "fd_pci"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, + {Name: "fd_pf", Kind: []string{"fd", "fd_pf"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, {Name: "fd_speaker", Kind: []string{"fd", "fd_speaker"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, {Name: "fd_tty", Kind: []string{"fd", "fd_tty"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, {Name: "fd_vmm", Kind: []string{"fd", "fd_vmm"}, Values: []uint64{18446744073709551615, 18446744073709551516}}, 
@@ -1897,6 +1898,12 @@ var syscalls_amd64 = []*Syscall{ &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "open_flags", FldName: "flags", TypeSize: 8}}, Vals: []uint64{0, 1, 2, 8, 16, 32, 64, 128, 128, 128, 256, 512, 1024, 2048, 32768, 65536, 131072}}, &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "mode", TypeSize: 8}}}, }, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_pci", FldName: "ret", TypeSize: 4, ArgDir: 1}}}, + {NR: 321, Name: "openat$pf", CallName: "openat", Args: []Type{ + &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "fd", TypeSize: 8}}, Val: 18446744073709551516}, + &PtrType{TypeCommon{TypeName: "ptr", FldName: "file", TypeSize: 8}, &BufferType{TypeCommon: TypeCommon{TypeName: "string", TypeSize: 8}, Kind: 2, Values: []string{"/dev/pf\x00"}}}, + &FlagsType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "open_flags", FldName: "flags", TypeSize: 8}}, Vals: []uint64{0, 1, 2, 8, 16, 32, 64, 128, 128, 128, 256, 512, 1024, 2048, 32768, 65536, 131072}}, + &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "mode", TypeSize: 8}}}, + }, Ret: &ResourceType{TypeCommon: TypeCommon{TypeName: "fd_pf", FldName: "ret", TypeSize: 4, ArgDir: 1}}}, {NR: 321, Name: "openat$speaker", CallName: "openat", Args: []Type{ &ConstType{IntTypeCommon: IntTypeCommon{TypeCommon: TypeCommon{TypeName: "const", FldName: "fd", TypeSize: 8}}, Val: 18446744073709551516}, &PtrType{TypeCommon{TypeName: "ptr", FldName: "file", TypeSize: 8}, &BufferType{TypeCommon: TypeCommon{TypeName: "string", TypeSize: 13}, Kind: 2, Values: []string{"/dev/speaker\x00"}}}, @@ -2491,6 +2498,7 @@ var consts_amd64 = []ConstValue{ {"CLOCK_PROCESS_CPUTIME_ID", 2}, {Name: "CLOCK_REALTIME"}, {"CLOCK_THREAD_CPUTIME_ID", 4}, + {"DIOCKILLSTATES", 3235922985}, {"DIOCMAP", 3222299767}, {"DM_OPENBLCK", 2}, {"DM_OPENPART", 1}, 
@@ -3050,4 +3058,4 @@ var consts_amd64 = []ConstValue{ {"__MAP_NOREPLACE", 2048}, } -const revision_amd64 = "361f7adfaff69eb683f0c63eb1cb1a0d4fdd1ca5" +const revision_amd64 = "6c58885985007c08bbc08a61d5fcdf22ae662d55" diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go index 404536dfa..e7c5d08f6 100644 --- a/sys/openbsd/init.go +++ b/sys/openbsd/init.go @@ -13,9 +13,10 @@ import ( func InitTarget(target *prog.Target) { arch := &arch{ - unix: targets.MakeUnixSanitizer(target), - S_IFMT: target.GetConst("S_IFMT"), - S_IFCHR: target.GetConst("S_IFCHR"), + unix: targets.MakeUnixSanitizer(target), + DIOCKILLSTATES: target.GetConst("DIOCKILLSTATES"), + S_IFMT: target.GetConst("S_IFMT"), + S_IFCHR: target.GetConst("S_IFCHR"), } target.MakeMmap = targets.MakePosixMmap(target) @@ -24,9 +25,10 @@ func InitTarget(target *prog.Target) { } type arch struct { - unix *targets.UnixSanitizer - S_IFMT uint64 - S_IFCHR uint64 + unix *targets.UnixSanitizer + DIOCKILLSTATES uint64 + S_IFMT uint64 + S_IFCHR uint64 } const ( @@ -91,6 +93,14 @@ func (arch *arch) SanitizeCall(c *prog.Call) { for _, f := range badflags { flags.Val &= ^f } + case "ioctl": + // Performing the following ioctl on a /dev/pf file descriptor + // causes the ssh VM connection to die. For now, just rewire it + // to an invalid command. + request := c.Args[1].(*prog.ConstArg) + if request.Val == arch.DIOCKILLSTATES { + request.Val = 0 + } case "mknodat": argStart = 2 fallthrough diff --git a/sys/openbsd/init_test.go b/sys/openbsd/init_test.go index fa6ffcb94..39e93a688 100644 --- a/sys/openbsd/init_test.go +++ b/sys/openbsd/init_test.go @@ -29,6 +29,10 @@ func TestSanitizeCall(t *testing.T) { `fchflags(0x0, 0x60004)`, `fchflags(0x0, 0x0)`, }, + { + `ioctl$BIOCSDIRFILT(0x0, 0xc0e04429, 0x0)`, + `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`, + }, { // major=22, minor=232 `mknodat(0x0, 0x0, 0x0, 0x16e8)`, -- cgit mrf-deployment
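Review bot: In the new `case "ioctl":` branch of SanitizeCall, `c.Args[1].(*prog.ConstArg)` is an unchecked type assertion, so an ioctl description whose request argument is not generated as a constant would panic the fuzzer instead of being skipped; whether such a description exists for this target is not visible in the hunk. A comma-ok form keeps the guard without that risk: `if request, ok := c.Args[1].(*prog.ConstArg); ok && request.Val == arch.DIOCKILLSTATES { request.Val = 0 }`. The guard also covers only this one command; if other pf ioctls that flush state (DIOCCLRSTATES, for example) turn out to drop the management connection the same way, they would need the same treatment. SanitizeCall's body starts and continues outside the hunk.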
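Review bot: The test case added to TestSanitizeCall passes the literal `0xc0e04429` without saying what it is, and the `ioctl$BIOCSDIRFILT` name it is attached to gives no hint that pf is involved. The value equals the DIOCKILLSTATES constant (3235922985) that this commit adds to the const files. The neighbouring mknodat case documents its magic number with `// major=22, minor=232`, so I would add a matching line above the input: `// 0xc0e04429 is DIOCKILLSTATES.` The test table begins and continues outside the hunk.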