prog: fix PhysicalAddr for NULL addresses

Turns out we never produced NULL pointers because what's meant to be NULL pointer was actually encoded as pointer to beginning of the data region.
google · Feb 19, 2018 · 90fd650 · 90fd650
1 parent 6e89f94
commit 90fd650
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/prog/encodingexec.go b/prog/encodingexec.go
@@ -193,16 +193,15 @@ func (p *Prog) SerializeForExec(buffer []byte) (int, error) {
 	return len(buffer) - len(w.buf), nil
 }
 
-func (target *Target) PhysicalAddr(arg Arg) uint64 {
-	a, ok := arg.(*PointerArg)
-	if !ok {
-		panic("physicalAddr: bad arg kind")
+func (target *Target) PhysicalAddr(arg *PointerArg) uint64 {
+	if arg.Res == nil && arg.PagesNum == 0 {
+		return 0
 	}
-	addr := a.PageIndex*target.PageSize + target.DataOffset
-	if a.PageOffset >= 0 {
-		addr += uint64(a.PageOffset)
+	addr := arg.PageIndex*target.PageSize + target.DataOffset
+	if arg.PageOffset >= 0 {
+		addr += uint64(arg.PageOffset)
 	} else {
-		addr += target.PageSize - uint64(-a.PageOffset)
+		addr += target.PageSize - uint64(-arg.PageOffset)
 	}
 	return addr
 }
@@ -256,7 +255,7 @@ func (w *execContext) writeArg(arg Arg) {
 			w.write(a.OpAdd)
 		}
 	case *PointerArg:
-		w.writeConstArg(a.Size(), w.target.PhysicalAddr(arg), 0, 0, 0, false)
+		w.writeConstArg(a.Size(), w.target.PhysicalAddr(a), 0, 0, 0, false)
 	case *DataArg:
 		data := a.Data()
 		w.write(execArgData)

diff --git a/prog/encodingexec_test.go b/prog/encodingexec_test.go
@@ -381,6 +381,15 @@ func TestSerializeForExec(t *testing.T) {
 			},
 			nil,
 		},
+		{
+			// NULL pointer must be encoded os 0.
+			"syz_test$opt1(0x0)",
+			[]uint64{
+				callID("syz_test$opt1"), ExecNoCopyout, 1, execArgConst, 8, 0,
+				execInstrEOF,
+			},
+			nil,
+		},
 	}
 
 	buf := make([]byte, ExecBufferSize)