Hello community, here is the log from the commit of package trinity for openSUSE:Factory checked in at 2016-10-20 23:09:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trinity (Old) and /work/SRC/openSUSE:Factory/.trinity.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trinity" Changes: -------- --- /work/SRC/openSUSE:Factory/trinity/trinity.changes 2016-10-10 16:21:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.trinity.new/trinity.changes 2016-10-20 23:10:16.000000000 +0200 @@ -1,0 +2,15 @@ +Wed Oct 19 19:40:23 UTC 2016 - [email protected] + +- Update to version 1.6+git.20161018: + * don't use rewind() on /proc/pid/stat + * Fix up segfaults when encountering null entries in syscall tables. + * fix segfault in setsockopt() when called with --disable-fds=sockets + * add the 'special' ring-id's for keyctl + * generate random numbers in the -1..-10 range + * change the random munging a little + * silence cppcheck + * mark pages as PROT_READ before we fault them with a read + * remove the 'do syscall in a subchild' code for now. + * allow '0' as a file mode + +------------------------------------------------------------------- Old: ---- trinity-1.6+git.20161005.tar.xz New: ---- trinity-1.6+git.20161018.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trinity.spec ++++++ --- /var/tmp/diff_new_pack.ltZxQe/_old 2016-10-20 23:10:17.000000000 +0200 +++ /var/tmp/diff_new_pack.ltZxQe/_new 2016-10-20 23:10:17.000000000 +0200 @@ -16,9 +16,9 @@ # -%define version_unconverted 1.6+git.20161005 +%define version_unconverted 1.6+git.20161018 Name: trinity -Version: 1.6+git.20161005 +Version: 1.6+git.20161018 Release: 0 Summary: A Linux System call fuzz tester License: GPL-2.0 ++++++ trinity-1.6+git.20161005.tar.xz -> trinity-1.6+git.20161018.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/childops/random-syscall.c new/trinity-1.6+git.20161018/childops/random-syscall.c --- old/trinity-1.6+git.20161005/childops/random-syscall.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/childops/random-syscall.c 2016-10-19 01:17:03.000000000 +0200 @@ -136,6 +136,7 @@ return TRUE; } +/* static bool do_syscall_in_child(struct syscallrecord *rec, struct childdata *child) { pid_t pid; @@ -170,6 +171,7 @@ return FALSE; } } +*/ bool random_syscall(struct childdata *child) { @@ -191,12 +193,13 @@ stash = zmalloc(sizeof(struct syscallrecord)); memcpy(stash, rec, sizeof(struct syscallrecord)); - - if (RAND_BOOL()) { +/* + if (ONE_IN(100)) { if (do_syscall_in_child(rec, child) == FALSE) goto fail; } else - do_syscall(rec); +*/ + do_syscall(rec); check_sanity(rec, stash); @@ -205,7 +208,7 @@ handle_syscall_ret(rec); ret = TRUE; -fail: +//fail: free(stash); return ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/fds/bpf.c new/trinity-1.6+git.20161018/fds/bpf.c --- old/trinity-1.6+git.20161005/fds/bpf.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/fds/bpf.c 2016-10-19 01:17:03.000000000 +0200 @@ -48,81 +48,50 @@ close(obj->bpf_map_fd); } +struct bpf_fd_types { + u32 map_type; + u32 key_size; + u32 value_size; + u32 max_entries; + u32 flags; + char name[32]; +}; + +static struct bpf_fd_types bpf_fds[] = { + { BPF_MAP_TYPE_HASH, sizeof(long long), sizeof(long long), 1024, 0, "hash" }, + { BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 256, 0, "array" }, + { BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), sizeof(int), 4, 0, "prog_array" }, + { BPF_MAP_TYPE_PERF_EVENT_ARRAY, sizeof(int), sizeof(u32), 32, 0, "perf event array" }, + { BPF_MAP_TYPE_PERCPU_HASH, sizeof(u32), sizeof(u64) * PERF_MAX_STACK_DEPTH, 10000, 0, "percpu hash" }, + { BPF_MAP_TYPE_PERCPU_ARRAY, sizeof(u32), sizeof(u64), 100, 0, "percpu array" }, + { BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), sizeof(u64), 100, 0, "stack trace" }, +}; + static int open_bpf_fds(void) { struct objhead *head; - int fd, key; - long long value = 0; - struct object *obj; struct rlimit r = {1 << 20, 1 << 20}; + unsigned int i; setrlimit(RLIMIT_MEMLOCK, &r); head = get_objhead(OBJ_GLOBAL, OBJ_FD_BPF_MAP); head->destroy = &bpf_destructor; - fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), sizeof(long long), 1024, 0); - if (fd < 0) - goto fail_hash; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf hash\n", fd); -fail_hash: - - fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(key), sizeof(value), 256, 0); - if (fd < 0) - goto fail_array; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf array\n", fd); -fail_array: - - fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), sizeof(int), 4, 0); - if (fd < 0) - goto fail_progarray; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf progarray\n", fd); -fail_progarray: - - fd = bpf_create_map(BPF_MAP_TYPE_PERF_EVENT_ARRAY, sizeof(int), sizeof(u32), 32, 0); - if (fd < 0) - goto fail_perf_event_array; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf perf event array\n", fd); -fail_perf_event_array: - - fd = bpf_create_map(BPF_MAP_TYPE_PERCPU_HASH, sizeof(u32), sizeof(u64) * PERF_MAX_STACK_DEPTH, 10000, 0); - if (fd < 0) - goto fail_percpu_hash; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf percpu hash\n", fd); -fail_percpu_hash: - - fd = bpf_create_map(BPF_MAP_TYPE_PERCPU_ARRAY, sizeof(u32), sizeof(u64), 100, 0); - if (fd < 0) - goto fail_percpu_array; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf percpu array\n", fd); -fail_percpu_array: - - fd = bpf_create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), sizeof(u64), 100, 0); - if (fd < 0) - goto fail_stacktrace; - obj = alloc_object(); - obj->bpf_map_fd = fd; - add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); - output(2, "fd[%d] = bpf stack trace\n", fd); -fail_stacktrace: + for (i = 0; i < ARRAY_SIZE(bpf_fds); i++) { + struct object *obj; + int fd; + + fd = bpf_create_map(bpf_fds[i].map_type, bpf_fds[i].key_size, bpf_fds[i].value_size, bpf_fds[i].max_entries, bpf_fds[i].flags); + + if (fd < 0) + continue; + + obj = alloc_object(); + obj->bpf_map_fd = fd; + add_object(obj, OBJ_GLOBAL, OBJ_FD_BPF_MAP); + output(2, "fd[%d] = bpf %s\n", fd, &bpf_fds[i].name); + } //FIXME: right now, returning FALSE means "abort everything", not // "skip this provider", so on -ENOSYS, we have to still register. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/fds/testfiles.c new/trinity-1.6+git.20161018/fds/testfiles.c --- old/trinity-1.6+git.20161005/fds/testfiles.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/fds/testfiles.c 2016-10-19 01:17:03.000000000 +0200 @@ -19,7 +19,8 @@ #include "testfile.h" #include "utils.h" -#define MAX_TESTFILE_FDS 4 +#define MAX_TESTFILES 4 +#define MAX_TESTFILE_FDS 20 static void testfile_destructor(struct object *obj) { @@ -60,12 +61,12 @@ static int open_testfile_fds(void) { char *filename; - unsigned int i = 1; + unsigned int i = 1, nr = 0; unsigned int fails = 0; filename = zmalloc(64); - while (i <= MAX_TESTFILE_FDS) { + while (nr < MAX_TESTFILE_FDS) { int fd; sprintf(filename, "trinity-testfile%u", i); @@ -79,6 +80,10 @@ add_object(obj, OBJ_GLOBAL, OBJ_FD_TESTFILE); i++; + if (i > MAX_TESTFILES) + i = 1; + nr++; + fails = 0; mmap_fd(fd, filename, page_size, PROT_READ|PROT_WRITE, OBJ_GLOBAL, OBJ_MMAP_TESTFILE); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/generate-args.c new/trinity-1.6+git.20161018/generate-args.c --- old/trinity-1.6+git.20161005/generate-args.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/generate-args.c 2016-10-19 01:17:03.000000000 +0200 @@ -229,7 +229,7 @@ for (i = 0; i < count; i++) { unsigned int j; - j = rnd() % 15; + j = rnd() % 16; switch (j) { case 0: op = S_IRWXU; break; case 1: op = S_IRUSR; break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/include/syscalls-x86_64.h new/trinity-1.6+git.20161018/include/syscalls-x86_64.h --- old/trinity-1.6+git.20161005/include/syscalls-x86_64.h 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/include/syscalls-x86_64.h 2016-10-19 01:17:03.000000000 +0200 @@ -340,4 +340,7 @@ { .entry = &syscall_copy_file_range }, { .entry = &syscall_preadv2 }, { .entry = &syscall_pwritev2 }, + { .entry = &syscall_pkey_mprotect }, + { .entry = &syscall_pkey_alloc }, + { .entry = &syscall_pkey_free }, }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/main.c new/trinity-1.6+git.20161018/main.c --- old/trinity-1.6+git.20161005/main.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/main.c 2016-10-19 01:17:03.000000000 +0200 @@ -237,7 +237,7 @@ if (getpid() != mainpid) BUG("get_pid_state can only be called from main!\n"); - rewind(child->pidstatfile); + fseek(child->pidstatfile, 0L, SEEK_SET); if (getline(&line, &n, child->pidstatfile) != -1) sscanf(line, "%d %s %c", &pid, procname, &state); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/mm/fault-read.c new/trinity-1.6+git.20161018/mm/fault-read.c --- old/trinity-1.6+git.20161005/mm/fault-read.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/mm/fault-read.c 2016-10-19 01:17:03.000000000 +0200 @@ -19,6 +19,7 @@ char buf[page_size]; p += offset; + mprotect((void *) p, page_size, PROT_READ); memcpy(buf, p, page_size); } @@ -31,8 +32,11 @@ nr = nr_pages(map); - for (i = 0; i < nr; i++) - memcpy(buf, p + (i * page_size), page_size); + for (i = 0; i < nr; i++) { + char *page = p + (i * page_size); + mprotect((void *) page, page_size, PROT_READ); + memcpy(buf, page, page_size); + } } static void read_every_other_page(struct map *map) @@ -45,8 +49,11 @@ first = RAND_BOOL(); - for (i = first; i < nr; i+=2) - memcpy(buf, p + (i * page_size), page_size); + for (i = first; i < nr; i+=2) { + char *page = p + (i * page_size); + mprotect((void *) page, page_size, PROT_READ); + memcpy(buf, page, page_size); + } } static void read_mapping_reverse(struct map *map) @@ -57,8 +64,11 @@ nr = nr_pages(map) - 1; - for (i = nr; i > 0; i--) - memcpy(buf, p + (i * page_size), page_size); + for (i = nr; i > 0; i--) { + char *page = p + (i * page_size); + mprotect((void *) page, page_size, PROT_READ); + memcpy(buf, page, page_size); + } } /* fault in a random set of map->size pages. (some may be faulted >once) */ @@ -70,8 +80,11 @@ nr = nr_pages(map); - for (i = 0; i < nr; i++) - memcpy(buf, p + ((rnd() % nr) * page_size), page_size); + for (i = 0; i < nr; i++) { + char *page = p + ((rnd() % nr) * page_size); + mprotect((void *) page, page_size, PROT_READ); + memcpy(buf, page, page_size); + } } /* Fault in the last page in a mapping */ @@ -79,8 +92,11 @@ { char *p = map->ptr; char buf[page_size]; + char *ptr; - memcpy(buf, p + (map->size - page_size), page_size); + ptr = p + (map->size - page_size); + mprotect((void *) ptr, page_size, PROT_READ); + memcpy(buf, ptr, page_size); } static const struct faultfn read_faultfns[] = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/mm/fault-write.c new/trinity-1.6+git.20161018/mm/fault-write.c --- old/trinity-1.6+git.20161005/mm/fault-write.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/mm/fault-write.c 2016-10-19 01:17:03.000000000 +0200 @@ -17,55 +17,66 @@ static void dirty_one_page(struct map *map) { char *p = map->ptr; + unsigned long offset = (rnd() % (map->size - 1)) & PAGE_MASK; - p[rnd() % (map->size - 1)] = rnd(); + mprotect((void *) (p + offset), page_size, PROT_READ|PROT_WRITE); + p[offset] = rnd(); } static void dirty_whole_mapping(struct map *map) { - char *p = map->ptr; unsigned int i, nr; nr = nr_pages(map); - for (i = 0; i < nr; i++) - p[i * page_size] = rnd(); + for (i = 0; i < nr; i++) { + char *p = map->ptr + (i * page_size); + mprotect((void *) p, page_size, PROT_READ|PROT_WRITE); + *p = rnd(); + } } static void dirty_every_other_page(struct map *map) { - char *p = map->ptr; unsigned int i, nr, first; nr = nr_pages(map); first = RAND_BOOL(); - for (i = first; i < nr; i+=2) - p[i * page_size] = rnd(); + for (i = first; i < nr; i+=2) { + char *p = map->ptr + (i * page_size); + mprotect((void *) p, page_size, PROT_READ|PROT_WRITE); + *p = rnd(); + } } static void dirty_mapping_reverse(struct map *map) { - char *p = map->ptr; unsigned int i, nr; nr = nr_pages(map) - 1; - for (i = nr; i > 0; i--) - p[i * page_size] = rnd(); + for (i = nr; i > 0; i--) { + char *p = map->ptr + (i * page_size); + mprotect((void *) p, page_size, PROT_READ|PROT_WRITE); + *p = rnd(); + } } /* dirty a random set of map->size pages. (some may be faulted >once) */ static void dirty_random_pages(struct map *map) { - char *p = map->ptr; unsigned int i, nr; nr = nr_pages(map); - for (i = 0; i < nr; i++) - p[(rnd() % nr) * page_size] = rnd(); + for (i = 0; i < nr; i++) { + off_t offset = (rnd() % nr) * page_size; + char *p = map->ptr + offset; + mprotect((void *) p, page_size, PROT_READ|PROT_WRITE); + *p = rnd(); + } } /* @@ -74,6 +85,7 @@ { char *p = map->ptr; + mprotect(map->ptr, page_size, PROT_READ|PROT_WRITE); generate_random_page(p); } @@ -84,6 +96,7 @@ { char *p = map->ptr + map->size - page_size; + mprotect((void *) p, page_size, PROT_READ|PROT_WRITE); memset((void *) p, 'A', page_size); } @@ -103,14 +116,11 @@ void random_map_writefn(struct map *map) { if (map->size == page_size) { - mprotect(map->ptr, page_size, PROT_READ|PROT_WRITE); write_faultfns_single[rnd() % ARRAY_SIZE(write_faultfns_single)].func(map); } else { if (RAND_BOOL()) { - mprotect(map->ptr, map->size, PROT_READ|PROT_WRITE); write_faultfns[rnd() % ARRAY_SIZE(write_faultfns)].func(map); } else { - mprotect(map->ptr, page_size, PROT_READ|PROT_WRITE); write_faultfns_single[rnd() % ARRAY_SIZE(write_faultfns_single)].func(map); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/net/bpf.c new/trinity-1.6+git.20161018/net/bpf.c --- old/trinity-1.6+git.20161005/net/bpf.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/net/bpf.c 2016-10-19 01:17:03.000000000 +0200 @@ -68,27 +68,30 @@ #define BPF_W 0x00 #define BPF_H 0x08 #define BPF_B 0x10 +#define BPF_DW 0x18 /* eBPF only, double word */ static const uint16_t bpf_size_vars[] = { - BPF_W, BPF_H, BPF_B, + BPF_W, BPF_H, BPF_B, BPF_DW, }; static const char *bpf_size_vars_name[] = { [BPF_W] = "w", [BPF_H] = "h", [BPF_B] = "b", + [BPF_DW] = "dw", }; #define BPF_MODE(code) ((code) & 0xe0) -#define BPF_IMM 0x00 +#define BPF_IMM 0x00 #define BPF_ABS 0x20 #define BPF_IND 0x40 #define BPF_MEM 0x60 -#define BPF_LEN 0x80 -#define BPF_MSH 0xa0 +#define BPF_LEN 0x80 /* classic BPF only, reserved in eBPF */ +#define BPF_MSH 0xa0 /* classic BPF only, reserved in eBPF */ +#define BPF_XADD 0xc0 /* eBPF only, exclusive add */ static const uint16_t bpf_mode_vars[] = { - BPF_IMM, BPF_ABS, BPF_IND, BPF_MEM, BPF_LEN, BPF_MSH, + BPF_IMM, BPF_ABS, BPF_IND, BPF_MEM, BPF_LEN, BPF_MSH, BPF_XADD, }; static const char *bpf_mode_vars_name[] = { @@ -98,6 +101,7 @@ [BPF_MEM] = "mem", [BPF_LEN] = "len", [BPF_MSH] = "msh", + [BPF_XADD] = "xadd", }; #define BPF_OP(code) ((code) & 0xf0) @@ -110,12 +114,15 @@ #define BPF_LSH 0x60 #define BPF_RSH 0x70 #define BPF_NEG 0x80 -#define BPF_MOD 0x90 +#define BPF_MOD 0x90 #define BPF_XOR 0xa0 +#define BPF_MOV 0xb0 /* eBPF only: mov reg to reg */ +#define BPF_ARSH 0xc0 /* eBPF only: sign extending shift right */ +#define BPF_END 0xd0 /* eBPF only: endianness conversion */ static const uint16_t bpf_alu_op_vars[] = { BPF_ADD, BPF_SUB, BPF_MUL, BPF_DIV, BPF_OR, BPF_AND, BPF_LSH, BPF_RSH, - BPF_NEG, BPF_MOD, BPF_XOR, + BPF_NEG, BPF_MOD, BPF_XOR, BPF_MOV, BPF_ARSH, BPF_END, }; static const char *bpf_alu_op_vars_name[] = { @@ -130,6 +137,9 @@ [BPF_NEG] = "neg", [BPF_MOD] = "mod", [BPF_XOR] = "xor", + [BPF_MOV] = "mov", + [BPF_ARSH] = "arsh", + [BPF_END] = "end" }; #define BPF_JA 0x00 @@ -137,9 +147,15 @@ #define BPF_JGT 0x20 #define BPF_JGE 0x30 #define BPF_JSET 0x40 +#define BPF_JNE 0x50 /* eBPF only: jump != */ +#define BPF_JSGT 0x60 /* eBPF only: signed '>' */ +#define BPF_JSGE 0x70 /* eBPF only: signed '>=' */ +#define BPF_CALL 0x80 /* eBPF only: function call */ +#define BPF_EXIT 0x90 /* eBPF only: function return */ static const uint16_t bpf_jmp_op_vars[] = { BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET, + BPF_JNE, BPF_JSGT, BPF_JSGE, BPF_CALL, BPF_EXIT, }; static const char *bpf_jmp_op_vars_name[] = { @@ -148,6 +164,11 @@ [BPF_JGT] = "jgt", [BPF_JGE] = "jge", [BPF_JSET] = "jset", + [BPF_JNE] = "jne", + [BPF_JSGT] = "jsgt", + [BPF_JSGE] = "jsge", + [BPF_CALL] = "call", + [BPF_EXIT] = "exit", }; #define BPF_SRC(code) ((code) & 0x08) @@ -824,7 +845,7 @@ bpf->filter[i].jf |= (uint8_t) rnd(); /* Not always fill out k */ - bpf->filter[i].k = ((ONE_IN(10)) ? 0 : (uint32_t) rnd()); + bpf->filter[i].k = ((ONE_IN(10)) ? 0 : (uint32_t) rand32()); /* Also try to jump into BPF extensions by chance */ if (BPF_CLASS(bpf->filter[i].code) == BPF_LD || diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/rand/random.c new/trinity-1.6+git.20161018/rand/random.c --- old/trinity-1.6+git.20161005/rand/random.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/rand/random.c 2016-10-19 01:17:03.000000000 +0200 @@ -86,7 +86,7 @@ { unsigned short r = 0, r2; - switch (rnd() % 5) { + switch (rnd() % 6) { case 0: r = RAND_BYTE(); break; @@ -99,27 +99,28 @@ case 4: r2 = rnd() & 0xff; r = r2 | r2 << 8; break; + case 5: return 0 - ((rnd() % 10) + 1); } /* Sometimes flip sign */ if (ONE_IN(25)) r = ~r + 1; - if (ONE_IN(4)) { + if (ONE_IN(25)) { int _div = 1 << RAND_RANGE(1, 4); /* 2,4,8 or 16 */ r /= _div; } - /* limit the size */ - switch (rnd() % 4) { - case 0: r &= 0xff; - break; - case 1: r &= 0xfff; - break; - case 2: r &= PAGE_MASK; - break; - case 3: // do nothing - break; + if (RAND_BOOL()) { + /* limit the size */ + switch (rnd() % 3) { + case 0: r &= 0xff; + break; + case 1: r &= 0xfff; + break; + case 2: r &= PAGE_MASK; + break; + } } return r; } @@ -131,13 +132,11 @@ { unsigned long r = 0; - switch (rnd() % 7) { + switch (rnd() % 8) { case 0: r = RAND_BYTE(); break; - case 1: r = rand16(); break; - case 2: r = rand_single_bit(32); break; case 3: r = randbits(32); @@ -148,6 +147,8 @@ break; case 6: return get_interesting_value(); + + case 7: return 0 - ((rnd() % 10) + 1); } /* Sometimes deduct it from INT_MAX */ @@ -159,23 +160,23 @@ r = ~r + 1; /* we might get lucky if something is counting ints/longs etc. */ - if (ONE_IN(4)) { + if (ONE_IN(25)) { int _div = 1 << RAND_RANGE(1, 4); /* 2,4,8 or 16 */ r /= _div; } - /* limit the size */ - switch (rnd() % 5) { - case 0: r &= 0xff; - break; - case 1: r &= 0xffff; - break; - case 2: r &= PAGE_MASK; - break; - case 3: r &= 0xffffff; - break; - case 4: // do nothing - break; + if (RAND_BOOL()) { + /* limit the size */ + switch (rnd() % 4) { + case 0: r &= 0xff; + break; + case 1: r &= 0xffff; + break; + case 2: r &= PAGE_MASK; + break; + case 3: r &= 0xffffff; + break; + } } return r; @@ -188,7 +189,7 @@ { u64 r = 0; - switch (rnd() % 8) { + switch (rnd() % 9) { /* 8-bit ranges */ case 0: r = RAND_BYTE(); @@ -214,6 +215,9 @@ /* Sometimes pick a not-so-random number. */ case 7: return get_interesting_value(); + + // small 64bit negative number. + case 8: return 0 - ((rnd() % 10) + 1); } /* limit the size */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/add_key.c new/trinity-1.6+git.20161018/syscalls/add_key.c --- old/trinity-1.6+git.20161005/syscalls/add_key.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/add_key.c 2016-10-19 01:17:03.000000000 +0200 @@ -8,6 +8,7 @@ * On success add_key() returns the serial number of the key it created or updated. * On error, the value -1 will be returned and errno will have been set to an appropriate error. */ +#include <linux/keyctl.h> #include "random.h" #include "sanitise.h" @@ -20,6 +21,17 @@ rec->a1 = (unsigned long) RAND_ARRAY(keytypes); } +static unsigned long addkey_ringids[] = { + KEY_SPEC_THREAD_KEYRING, + KEY_SPEC_PROCESS_KEYRING, + KEY_SPEC_SESSION_KEYRING, + KEY_SPEC_USER_KEYRING, + KEY_SPEC_USER_SESSION_KEYRING, + KEY_SPEC_GROUP_KEYRING, + KEY_SPEC_REQKEY_AUTH_KEY, + KEY_SPEC_REQUESTOR_KEYRING, +}; + struct syscallentry syscall_add_key = { .name = "add_key", .num_args = 5, @@ -32,6 +44,8 @@ .arg4name = "plen", .arg4type = ARG_LEN, .arg5name = "ringid", + .arg5type = ARG_OP, + .arg5list = ARGLIST(addkey_ringids), .rettype = RET_KEY_SERIAL_T, .sanitise = sanitise_add_key, }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/mprotect.c new/trinity-1.6+git.20161018/syscalls/mprotect.c --- old/trinity-1.6+git.20161005/syscalls/mprotect.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/mprotect.c 2016-10-19 01:17:03.000000000 +0200 @@ -45,3 +45,18 @@ .group = GROUP_VM, .post = post_mprotect, }; + +struct syscallentry syscall_pkey_mprotect = { + .name = "pkey_mprotect", + .num_args = 4, + .arg1name = "start", + .arg1type = ARG_MMAP, + .arg2name = "len", + .arg3name = "prot", + .arg3type = ARG_LIST, + .arg3list = ARGLIST(mprotect_prots), + .arg4name = "key", + .sanitise = sanitise_mprotect, + .group = GROUP_VM, + .post = post_mprotect, +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/pkey.c new/trinity-1.6+git.20161018/syscalls/pkey.c --- old/trinity-1.6+git.20161005/syscalls/pkey.c 1970-01-01 01:00:00.000000000 +0100 +++ new/trinity-1.6+git.20161018/syscalls/pkey.c 2016-10-19 01:17:03.000000000 +0200 @@ -0,0 +1,40 @@ +/* + * SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val) + */ + +#include "sanitise.h" +#include "syscall.h" +#include "trinity.h" +#include "utils.h" + +#define PKEY_DISABLE_ACCESS 0x1 +#define PKEY_DISABLE_WRITE 0x2 + +static unsigned long pkey_alloc_initvals[] = { + PKEY_DISABLE_ACCESS, + PKEY_DISABLE_WRITE, +}; + +static void sanitise_pkey_alloc(struct syscallrecord *rec) +{ + // no flags defined right now. + rec->a1 = 0; +} + +struct syscallentry syscall_pkey_alloc = { + .name = "pkey_alloc", + .num_args = 2, + .arg1name = "flags", + .arg2name = "init_val", + .arg2type = ARG_LIST, + .arg2list = ARGLIST(pkey_alloc_initvals), + .sanitise = sanitise_pkey_alloc, + .group = GROUP_VM, +}; + +struct syscallentry syscall_pkey_free = { + .name = "pkey_free", + .num_args = 1, + .arg1name = "key", + .group = GROUP_VM, +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/read.c new/trinity-1.6+git.20161018/syscalls/read.c --- old/trinity-1.6+git.20161005/syscalls/read.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/read.c 2016-10-19 01:17:03.000000000 +0200 @@ -15,7 +15,10 @@ static void sanitise_read(struct syscallrecord *rec) { rec->a2 = (unsigned long) get_non_null_address(); - rec->a3 = rnd() % page_size; + if (RAND_BOOL()) + rec->a3 = rnd() % page_size; + else + rec->a3 = page_size; } struct syscallentry syscall_read = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/send.c new/trinity-1.6+git.20161018/syscalls/send.c --- old/trinity-1.6+git.20161005/syscalls/send.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/send.c 2016-10-19 01:17:03.000000000 +0200 @@ -120,7 +120,7 @@ struct socketinfo *si = (struct socketinfo *) rec->a1; struct msghdr *msg; struct sockaddr *sa = NULL; - socklen_t salen; + socklen_t salen = 0; if (si == NULL) // handle --disable-fds=sockets goto skip_si; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/setsockopt.c new/trinity-1.6+git.20161018/syscalls/setsockopt.c --- old/trinity-1.6+git.20161005/syscalls/setsockopt.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/setsockopt.c 2016-10-19 01:17:03.000000000 +0200 @@ -191,10 +191,16 @@ struct socket_triplet *triplet = NULL; int fd; + si = (struct socketinfo *) rec->a1; + if (si == NULL) { + rec->a1 = get_random_fd(); + rec->a4 = (unsigned long) zmalloc(page_size); + return; + } + if (ONE_IN(1000)) { fd = get_random_fd(); } else { - si = (struct socketinfo *) rec->a1; fd = si->fd; triplet = &si->triplet; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/syscalls/syscalls.h new/trinity-1.6+git.20161018/syscalls/syscalls.h --- old/trinity-1.6+git.20161005/syscalls/syscalls.h 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/syscalls/syscalls.h 2016-10-19 01:17:03.000000000 +0200 @@ -382,5 +382,8 @@ extern struct syscallentry syscall_copy_file_range; extern struct syscallentry syscall_preadv2; extern struct syscallentry syscall_pwritev2; +extern struct syscallentry syscall_pkey_mprotect; +extern struct syscallentry syscall_pkey_alloc; +extern struct syscallentry syscall_pkey_free; unsigned int random_fcntl_setfl_flags(void); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20161005/tables.c new/trinity-1.6+git.20161018/tables.c --- old/trinity-1.6+git.20161005/tables.c 2016-10-05 20:09:56.000000000 +0200 +++ new/trinity-1.6+git.20161018/tables.c 2016-10-19 01:17:03.000000000 +0200 @@ -46,6 +46,8 @@ return; entry = table[call].entry; + if (entry == NULL) + return; if (entry->flags & AVOID_SYSCALL) output(0, "%s is marked as AVOID. Skipping\n", entry->name); @@ -62,6 +64,8 @@ return FALSE; entry = table[call].entry; + if (entry == NULL) + return FALSE; if (entry->flags & AVOID_SYSCALL) return FALSE;
