From 8aaf5d60aa0b3ddb05e117f52c0e30ec246b7aad Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Fri, 17 Jan 2025 10:39:49 +0100
Subject: tools/syz-declextract: support function scopes
Extract info about function scopes formed by switch'es on function arguments. For example if we have: void foo(..., int cmd, ...) { ... switch (cmd) { case FOO: ... block 1 ... case BAR: ... block 2 ... } ... } We record that any data flow within block 1 is only relevant when foo's arg cmd has value FOO, similarly for block 2 and BAR. This allows to do 3 things: 1. Locate ioctl commands that are switched on within transitively called functions. 2. Infer return value for each ioctl command. 3. Infer argument type when it's not specified in _IO macro. This will also allow to infer other multiplexed syscalls. Descriptions generated on Linux commit c4b9570cfb63501.
---
tools/syz-declextract/testdata/scopes.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 tools/syz-declextract/testdata/scopes.c
(limited to 'tools/syz-declextract/testdata/scopes.c')
diff --git a/tools/syz-declextract/testdata/scopes.c b/tools/syz-declextract/testdata/scopes.c
new file mode 100644
index 000000000..56c1638d1
--- /dev/null
+++ b/tools/syz-declextract/testdata/scopes.c
@@ -0,0 +1,30 @@
+// Copyright 2024 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+#include "include/fs.h"
+#include "include/syscall.h"
+#include "include/uapi/file_operations.h"
+
+SYSCALL_DEFINE1(scopes0, int x, long cmd, long aux) {
+ int tmp = 0;
+ __fget_light(aux);
+ switch (cmd) {
+ case FOO_IOCTL1:
+ __fget_light(x);
+ break;
+ case FOO_IOCTL2:
+ case FOO_IOCTL3:
+ tmp = alloc_fd();
+ return tmp;
+ case FOO_IOCTL4 ... FOO_IOCTL4 + 2:
+ tmp++;
+ break;
+ case 100 ... 102:
+ tmp++;
+ break;
+ default:
+ tmp = cmd;
+ break;
+ }
+ return tmp;
+}
-- cgit mrf-deployment
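Review bot: The new fixture carries no comment stating which extraction behaviours it is meant to exercise, so a later edit to one of the `switch (cmd)` arms can silently drop coverage; a header comment after the license lines such as `// Fixture for function-scope extraction: switch (cmd) on a syscall argument with a single label, a shared label group, an early return, case ranges and a default arm.` would pin that down. In the `default:` arm, `tmp = cmd;` assigns the `long` argument to the `int` local, a narrowing conversion; if that is intentional (e.g. to check how the extractor reports the return value), a one-line comment on that line saying so would keep a future `-Wconversion` cleanup from changing what the test exercises. The ranges `FOO_IOCTL4 ... FOO_IOCTL4 + 2` and `100 ... 102` are a GNU/Clang case-range extension, which is fine for a clang-tool fixture but worth naming in the same header comment so nobody tries to build the file with a strict-C compiler.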