1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package host
import (
"bytes"
"fmt"
"io/ioutil"
"runtime"
"strconv"
"strings"
"syscall"
"github.com/google/syzkaller/pkg/osutil"
"github.com/google/syzkaller/prog"
)
// DetectSupportedSyscalls returns list on supported syscalls on host.
func DetectSupportedSyscalls(target *prog.Target) (map[*prog.Syscall]bool, error) {
// There are 3 possible strategies:
// 1. Executes all syscalls with presumably invalid arguments and check for ENOprog.
// But not all syscalls are safe to execute. For example, pause will hang,
// while setpgrp will push the process into own process group.
// 2. Check presence of /sys/kernel/debug/tracing/events/syscalls/sys_enter_* files.
// This requires root and CONFIG_FTRACE_SYSCALLS. Also it lies for some syscalls.
// For example, on x86_64 it says that sendfile is not present (only sendfile64).
// 3. Check sys_syscallname in /proc/kallsyms.
// Requires CONFIG_KALLSYMS. Seems to be the most reliable. That's what we use here.
kallsyms, _ := ioutil.ReadFile("/proc/kallsyms")
supported := make(map[*prog.Syscall]bool)
for _, c := range target.Syscalls {
if isSupported(kallsyms, c) {
supported[c] = true
}
}
return supported, nil
}
func isSupported(kallsyms []byte, c *prog.Syscall) bool {
if strings.HasPrefix(c.CallName, "syz_") {
return isSupportedSyzkall(c)
}
if strings.HasPrefix(c.Name, "socket$") {
return isSupportedSocket(c)
}
if strings.HasPrefix(c.Name, "open$") {
return isSupportedOpen(c)
}
if strings.HasPrefix(c.Name, "openat$") {
return isSupportedOpenAt(c)
}
if len(kallsyms) == 0 {
return true
}
name := c.CallName
if newname := kallsymsMap[name]; newname != "" {
name = newname
}
return bytes.Index(kallsyms, []byte(" T sys_"+name+"\n")) != -1
}
// Some syscall names diverge in __NR_* consts and kallsyms.
// umount2 is renamed to umount in arch/x86/entry/syscalls/syscall_64.tbl.
// Where umount is renamed to oldumount is unclear.
var kallsymsMap = map[string]string{
"umount": "oldumount",
"umount2": "umount",
}
func isSupportedSyzkall(c *prog.Syscall) bool {
switch c.CallName {
case "syz_open_dev":
if _, ok := c.Args[0].(*prog.ConstType); ok {
// This is for syz_open_dev$char/block.
// They are currently commented out, but in case one enables them.
return true
}
fname, ok := extractStringConst(c.Args[0])
if !ok {
panic("first open arg is not a pointer to string const")
}
if syscall.Getuid() != 0 {
return false
}
var check func(dev string) bool
check = func(dev string) bool {
if !strings.Contains(dev, "#") {
return osutil.IsExist(dev)
}
for i := 0; i < 10; i++ {
if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
return true
}
}
return false
}
return check(fname)
case "syz_open_procfs":
return true
case "syz_open_pts":
return true
case "syz_fuse_mount":
return osutil.IsExist("/dev/fuse")
case "syz_fuseblk_mount":
return osutil.IsExist("/dev/fuse") && syscall.Getuid() == 0
case "syz_emit_ethernet", "syz_extract_tcp_res":
fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 0)
if err == nil {
syscall.Close(fd)
}
return err == nil && syscall.Getuid() == 0
case "syz_kvm_setup_cpu":
switch c.Name {
case "syz_kvm_setup_cpu$x86":
return runtime.GOARCH == "amd64" || runtime.GOARCH == "386"
case "syz_kvm_setup_cpu$arm64":
return runtime.GOARCH == "arm64"
}
}
panic("unknown syzkall: " + c.Name)
}
func isSupportedSocket(c *prog.Syscall) bool {
af, ok := c.Args[0].(*prog.ConstType)
if !ok {
println(c.Name)
panic("socket family is not const")
}
fd, err := syscall.Socket(int(af.Val), 0, 0)
if fd != -1 {
syscall.Close(fd)
}
return err != syscall.ENOSYS && err != syscall.EAFNOSUPPORT
}
func isSupportedOpen(c *prog.Syscall) bool {
fname, ok := extractStringConst(c.Args[0])
if !ok {
return true
}
fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)
if fd != -1 {
syscall.Close(fd)
}
return err == nil
}
func isSupportedOpenAt(c *prog.Syscall) bool {
fname, ok := extractStringConst(c.Args[1])
if !ok {
return true
}
fd, err := syscall.Open(fname, syscall.O_RDONLY, 0)
if fd != -1 {
syscall.Close(fd)
}
return err == nil
}
func extractStringConst(typ prog.Type) (string, bool) {
ptr, ok := typ.(*prog.PtrType)
if !ok {
panic("first open arg is not a pointer to string const")
}
str, ok := ptr.Type.(*prog.BufferType)
if !ok || str.Kind != prog.BufferString || len(str.Values) != 1 {
return "", false
}
v := str.Values[0]
v = v[:len(v)-1] // string terminating \x00
return v, true
}
func EnableFaultInjection() error {
if err := osutil.WriteFile("/sys/kernel/debug/failslab/ignore-gfp-wait", []byte("N")); err != nil {
return fmt.Errorf("failed to write /sys/kernel/debug/failslab/ignore-gfp-wait: %v", err)
}
if err := osutil.WriteFile("/sys/kernel/debug/fail_futex/ignore-private", []byte("N")); err != nil {
return fmt.Errorf("failed to write /sys/kernel/debug/fail_futex/ignore-private: %v", err)
}
return nil
}
|
