From 8aaf5d60aa0b3ddb05e117f52c0e30ec246b7aad Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Fri, 17 Jan 2025 10:39:49 +0100
Subject: tools/syz-declextract: support function scopes

Extract info about function scopes formed by switch'es on function arguments. For example if we have: void foo(..., int cmd, ...) { ... switch (cmd) { case FOO: ... block 1 ... case BAR: ... block 2 ... } ... } We record that any data flow within block 1 is only relevant when foo's arg cmd has value FOO, similarly for block 2 and BAR. This allows to do 3 things: 1. Locate ioctl commands that are switched on within transitively called functions. 2. Infer return value for each ioctl command. 3. Infer argument type when it's not specified in _IO macro. This will also allow to infer other multiplexed syscalls. Descriptions generated on Linux commit c4b9570cfb63501.
---
 tools/syz-declextract/testdata/include/fs.h | 7 ++++++-
 tools/syz-declextract/testdata/include/uapi/file_operations.h | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

(limited to 'tools/syz-declextract/testdata/include')

diff --git a/tools/syz-declextract/testdata/include/fs.h b/tools/syz-declextract/testdata/include/fs.h
index a5c838595..33782d1ee 100644
--- a/tools/syz-declextract/testdata/include/fs.h
+++ b/tools/syz-declextract/testdata/include/fs.h
@@ -7,6 +7,11 @@ struct file_operations {
 void (*write)(void);
 void (*read_iter)(void);
 void (*write_iter)(void);
- void (*unlocked_ioctl)(unsigned int);
+ void (*unlocked_ioctl)(void*, unsigned int, unsigned long);
 void (*mmap)(void);
 };
+
+int alloc_fd();
+void __fget_light(int fd);
+int from_kuid();
+
diff --git a/tools/syz-declextract/testdata/include/uapi/file_operations.h b/tools/syz-declextract/testdata/include/uapi/file_operations.h
index 6a2a8d259..f81d6886d 100644
--- a/tools/syz-declextract/testdata/include/uapi/file_operations.h
+++ b/tools/syz-declextract/testdata/include/uapi/file_operations.h
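Review bot: The added `int alloc_fd();` and `int from_kuid();` are unprototyped declarations — in C, empty parentheses mean "parameters unspecified", not "no parameters", so a declaration extractor sees no parameter list for these two, while the neighbouring `void __fget_light(int fd);` and the rewritten `unlocked_ioctl` member are fully prototyped. If the fixture is meant to model argument-less functions, `int alloc_fd(void);` and `int from_kuid(void);` say so explicitly and also pass `-Wstrict-prototypes`; if the unprototyped form is deliberate (to exercise that case in the extractor), a one-line comment such as `/* intentionally unprototyped: extractor must cope with no param list */` would stop the next editor from "fixing" it. The `struct file_operations` definition this hunk edits begins before the hunk's first context line.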
@@ -8,6 +8,10 @@
 #define FOO_IOCTL3 _IOR('c', 3, struct foo_ioctl_arg)
 #define FOO_IOCTL4 _IOW('c', 4, struct foo_ioctl_arg)
 #define FOO_IOCTL5 _IOWR('c', 5, struct foo_ioctl_arg)
+#define FOO_IOCTL6 _IO('c', 6)
+#define FOO_IOCTL7 _IO('c', 7)
+#define FOO_IOCTL8 _IO('c', 8)
+#define FOO_IOCTL9 _IO('c', 9)
 
 struct foo_ioctl_arg {
 int a, b;
--
cgit mrf-deployment