From 8aaf5d60aa0b3ddb05e117f52c0e30ec246b7aad Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Fri, 17 Jan 2025 10:39:49 +0100 Subject: tools/syz-declextract: support function scopes Extract info about function scopes formed by switch'es on function arguments. For example if we have: void foo(..., int cmd, ...) { ... switch (cmd) { case FOO: ... block 1 ... case BAR: ... block 2 ... } ... } We record that any data flow within block 1 is only relevant when foo's arg cmd has value FOO, similarly for block 2 and BAR. This allows to do 3 things: 1. Locate ioctl commands that are switched on within transitively called functions. 2. Infer return value for each ioctl command. 3. Infer argument type when it's not specified in _IO macro. This will also allow to infer other multiplexed syscalls. Descriptions generated on Linux commit c4b9570cfb63501.
---
 tools/syz-declextract/testdata/include/uapi/file_operations.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'tools/syz-declextract/testdata/include/uapi')
diff --git a/tools/syz-declextract/testdata/include/uapi/file_operations.h b/tools/syz-declextract/testdata/include/uapi/file_operations.h
index 6a2a8d259..f81d6886d 100644
--- a/tools/syz-declextract/testdata/include/uapi/file_operations.h
+++ b/tools/syz-declextract/testdata/include/uapi/file_operations.h
@@ -8,6 +8,10 @@
 #define FOO_IOCTL3 _IOR('c', 3, struct foo_ioctl_arg)
 #define FOO_IOCTL4 _IOW('c', 4, struct foo_ioctl_arg)
 #define FOO_IOCTL5 _IOWR('c', 5, struct foo_ioctl_arg)
+#define FOO_IOCTL6 _IO('c', 6)
+#define FOO_IOCTL7 _IO('c', 7)
+#define FOO_IOCTL8 _IO('c', 8)
+#define FOO_IOCTL9 _IO('c', 9)
 struct foo_ioctl_arg {
 int a, b;
-- cgit mrf-deployment
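Review bot: The four added `FOO_IOCTL6`..`FOO_IOCTL9` definitions have no comment saying why they use bare `_IO()` while the neighbouring commands encode `struct foo_ioctl_arg`. Going by the commit description they presumably exercise inference of the argument type and return value from the handler's `switch`, but the handler is not part of this page, so that cannot be confirmed here. A short comment above them would record the intent, e.g. `/* _IO() encodes no direction or size: the arg type for 6..9 must be inferred from the handler. */`. If each command covers a distinct case (transitively called function, return value, argument type), naming the case per line would make a regression in the generated descriptions easier to attribute.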