
tools/syz-trace2syz/proggen: convert strace byte arrays to int args

strace decodes certain arguments like sockaddr_in.sin_port or sin_addr
as hex strings under -Xraw. This is because the arguments are in network byte
order. This patch supports converting those hex strings to int args if the length
of the string is 1, 2, 4, or 8 bytes.
shankarapailoor authored and dvyukov committed Jan 8, 2019
1 parent 0108829 commit f9ccea26eb0de391a874cfe56a414e573a81e9b2
Showing with 50 additions and 9 deletions.
  1. +22 −2 tools/syz-trace2syz/proggen/proggen.go
  2. +28 −7 tools/syz-trace2syz/proggen/proggen_test.go
@@ -333,8 +333,28 @@ func (ctx *context) genConst(syzType prog.Type, traceType parser.IrType) prog.Ar
}
return ctx.genConst(syzType, a.Elems[0])
case *parser.BufferType:
// The call almost certainly returned an errno
return syzType.DefaultArg()
// strace decodes some arguments as hex strings because those values are network ordered
// e.g. sin_port or sin_addr fields of sockaddr_in.
// network order is big endian byte order so if the len of byte array is 1, 2, 4, or 8 then
// it is a good chance that we are decoding one of those fields. If it isn't, then most likely
// we have an error i.e. a sockaddr_un struct passed to a connect call with an inet file descriptor
var val uint64
switch len(a.Val) {
case 8:
val = uint64(binary.BigEndian.Uint64([]byte(a.Val)))
case 4:
// int
val = uint64(binary.BigEndian.Uint32([]byte(a.Val)))
case 2:
// short
val = uint64(binary.BigEndian.Uint16([]byte(a.Val)))
case 1:
val = uint64(a.Val[0])
default:
// The call almost certainly returned an errno
return syzType.DefaultArg()
}
return prog.MakeConstArg(syzType, val)
default:
log.Fatalf("unsupported type for const: %#v", traceType)
}
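Review bot: The new `*parser.BufferType` branch picks the integer width from `len(a.Val)` alone and never consults `syzType`, so any 1-, 2-, 4- or 8-byte string in the trace becomes a const even when the target field has a different size. The 8-byte `sin_addr` case in proggen_test.go expects `0x7f000001`, which suggests a wider value is simply narrowed to the field later; that looks deliberate but is not stated anywhere. I would either record it in the comment, e.g. `// len(a.Val) is not checked against syzType.Size(); a wider value is truncated to the field`, or reject the mismatch with `if uint64(len(a.Val)) > syzType.Size() { return syzType.DefaultArg() }` if truncation is not wanted. As a style point, the `uint64(...)` around `binary.BigEndian.Uint64(...)` is a redundant conversion. genConst starts and ends outside this hunk.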
@@ -155,20 +155,41 @@ connect(3, {sa_family=2, sin_port=17812, sin_addr=0x0}, 16) = 0
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x4594}, 0x10)
`,
}, {`
socket(2, 1, 0) = 3
connect(3, {sa_family=2, sin_port=17812, sin_addr=0x7f000001}, 16) = 0
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x4594, @rand_addr=0x7f000001}, 0x10)
`,
}, {`
open("\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 0) = 3
fsetxattr(3, "\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x73\x65\x6c\x69\x6e\x75\x78","\x73\x79\x73", 4, 0) = 0
`, `
r0 = open(&(0x7f0000000000)='/dev/snd/seq\x00', 0x0, 0x0)
fsetxattr(r0, &(0x7f0000000040)=@known='security.selinux\x00', &(0x7f0000000080)='sys\x00', 0x4, 0x0)
`,
}, {`
socket(0x2, 0x1, 0) = 3
connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x7f\x00\x00\x01"}, 16) = -1
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90, @rand_addr=0x7f000001}, 0x10)
`,
}, {`
socket(0x2, 0x1, 0) = 3
connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00\x00\x00\x00\x7f\x00\x00\x01"}, 16) = -1
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90, @rand_addr=0x7f000001}, 0x10)
`,
}, {`
socket(0x2, 0x1, 0) = 3
connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00"}, 16) = -1
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90}, 0x10)
`,
}, {`
socket(0x2, 0x1, 0) = 3
connect(3, {sa_family=0x2, sin_port="\x1f\x90", sin_addr="\x00"}, 16) = -1
`, `
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x1f90}, 0x10)
`,
},
}
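Review bot: The last two table entries (`sin_addr="\x00"` expecting `{0x2, 0x1f90}`) are identical, so the second one adds no coverage. Meanwhile none of the new cases reaches the `default:` arm of the length switch in genConst, since every hex string here is 1, 2, 4 or 8 bytes long. I would replace the duplicate with a `sin_addr` of unsupported length, for example three bytes, so the `syzType.DefaultArg()` fallback is pinned by a test. The test table begins outside this hunk.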
