Hello community, here is the log from the commit of package trinity for openSUSE:Factory checked in at 2016-06-07 23:47:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trinity (Old) and /work/SRC/openSUSE:Factory/.trinity.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trinity" Changes: --------
--- /work/SRC/openSUSE:Factory/trinity/trinity.changes 2016-05-23 16:39:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.trinity.new/trinity.changes 2016-06-07 23:47:41.000000000 +0200
@@ -1,0 +2,15 @@
+Fri May 27 20:28:47 UTC 2016 - [email protected]
+
+- Update to version 1.6+git.20160526:
+ * for each random syscall, do one in an extra child too.
+ * compile fix.
+ * fix memory leak on child fork failure.
+ * check for potential failure to acquire testfile fd.
+ * fds/drm.c: Add forward declaration of struct.
+ * flesh out the bpf sanitiser a little.
+ * introduce object types for bpf maps & progs
+ * make the BPF_PROG_LOAD case look more sane
+ * bpf: only do bpf_gen_filter for BPF_PROG_TYPE_SOCKET_FILTER
+ * fix wrong variable name in childops wait
+
+-------------------------------------------------------------------
Old: ---- trinity-1.6+git.20160520.tar.xz New: ---- trinity-1.6+git.20160526.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trinity.spec ++++++
--- /var/tmp/diff_new_pack.FaYqDk/_old 2016-06-07 23:47:42.000000000 +0200
+++ /var/tmp/diff_new_pack.FaYqDk/_new 2016-06-07 23:47:42.000000000 +0200
@@ -16,10 +16,10 @@
 #
-%define version_unconverted 1.6+git.20160520
+%define version_unconverted 1.6+git.20160526
 Name: trinity
-Version: 1.6+git.20160520
+Version: 1.6+git.20160526
 Release: 0
 Summary: A Linux System call fuzz tester
 License: GPL-2.0
@@ -48,7 +48,7 @@
 %endif
 %if 0%{suse_version} >= 1330
 # builds for 32 bit architectures are failing on Tumbleweed
-Excludearch: %ix86 %arm
+ExcludeArch: %ix86 %arm
 %endif
 BuildRequires: make
 BuildRequires: xz
++++++ trinity-1.6+git.20160520.tar.xz -> trinity-1.6+git.20160526.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/child.c new/trinity-1.6+git.20160526/child.c
--- old/trinity-1.6+git.20160520/child.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/child.c 2016-05-27 22:28:47.000000000 +0200
@@ -55,12 +55,19 @@
 .likelyhood = 10,
 .type = CHILD_READ_ALL_FILES
 },
-*/ {
+ {
 .name = "thrash_pid_files",
 .func = thrash_pidfiles,
 .likelyhood = 50,
 .type = CHILD_THRASH_PID
 },
+ {
+ .name = "truncate_testfile",
+ .func = truncate_testfile,
+ .likelyhood = 10,
+ .type = CHILD_TRUNCATE_TESTFILE
+ },
+*/
 };
 static const struct child_funcs root_child_ops[] = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/childops/random-syscall.c new/trinity-1.6+git.20160526/childops/random-syscall.c
--- old/trinity-1.6+git.20160520/childops/random-syscall.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/childops/random-syscall.c 2016-05-27 22:28:47.000000000 +0200
@@ -6,6 +6,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
 #include "arch.h" // biarch
 #include "child.h"
@@ -137,6 +139,8 @@
 bool random_syscall(struct childdata *child)
 {
 struct syscallrecord *rec, *stash;
+ pid_t pid;
+ int ret = FALSE;
 rec = &child->syscall;
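Review bot: Moving `*/` from in front of the thrash_pid_files entry to after the new truncate_testfile entry leaves both entries inside the comment block, so this hunk silently disables the existing thrash_pid_files child op as well as parking the new one; the opening `/*` is above the hunk, so whether that was intended cannot be told from here. If only truncate_testfile is meant to stay dormant until its TODO is resolved, keep `*/` where it was and wrap just the new entry in its own `/* ... */` with a one-line reason. Until that block is re-enabled the new entry's `.likelyhood = 10` and the CHILD_TRUNCATE_TESTFILE value added in child.h are dead.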
@@ -153,7 +157,27 @@
 stash = zmalloc(sizeof(struct syscallrecord));
 memcpy(stash, rec, sizeof(struct syscallrecord));
- do_syscall(rec);
+ pid = fork();
+ if (pid == 0) {
+ // child
+ do_syscall(rec);
+ _exit(EXIT_SUCCESS);
+ } else if (pid > 0) {
+ // parent
+ int childret = 0;
+ int childstatus;
+ while (childret == 0) {
+ clock_gettime(CLOCK_MONOTONIC, &child->tp);
+ kill(pid, SIGKILL);
+ childret = waitpid(pid, &childstatus, WUNTRACED | WCONTINUED | WNOHANG);
+ if (childret == 0)
+ usleep(100);
+ }
+ do_syscall(rec);
+ } else {
+ // fork failed
+ goto fail;
+ }
 check_sanity(rec, stash);
@@ -161,7 +185,9 @@
 handle_syscall_ret(rec);
+ ret = TRUE;
+fail:
 free(stash);
- return TRUE;
+ return ret;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/childops/truncate-testfile.c new/trinity-1.6+git.20160526/childops/truncate-testfile.c
--- old/trinity-1.6+git.20160520/childops/truncate-testfile.c 1970-01-01 01:00:00.000000000 +0100
+++ new/trinity-1.6+git.20160526/childops/truncate-testfile.c 2016-05-27 22:28:47.000000000 +0200
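Review bot: The parent sends `kill(pid, SIGKILL)` on the first pass through the loop, immediately after `fork()` returns, so the child is usually killed before it reaches `do_syscall(rec)` and the "extra child" only issues the syscall when the scheduler happens to run it first. If the child is meant to get a real attempt, poll with WNOHANG for a bounded window and only then kill, as sketched below. Two smaller points: `waitpid` returning -1 (for example EINTR, which this signal-heavy process can expect) ends the loop without the child being reaped, so that case should retry, which needs `<errno.h>` that the include additions above do not cover, and `childstatus` is never inspected, so a one-line comment saying the status is deliberately ignored would help. random_syscall begins before this hunk.
```c
	} else if (pid > 0) {
		// parent: give the child a bounded window to issue the syscall,
		// then make sure it is dead and reaped before we issue it ourselves.
		int childstatus;	// exit status deliberately ignored
		unsigned int polls = 0;
		int childret;
		do {
			clock_gettime(CLOCK_MONOTONIC, &child->tp);
			childret = waitpid(pid, &childstatus, WNOHANG);
			if (childret == 0) {
				if (++polls > 1000)	// constructed bound (~100ms); tune as needed
					kill(pid, SIGKILL);
				usleep(100);
			}
		} while (childret == 0 || (childret < 0 && errno == EINTR));
		do_syscall(rec);
	// … unchanged: fork-failure branch, check_sanity … 
```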
@@ -0,0 +1,33 @@
+/*
+ * Pick a testfile, truncate it back to zero bytes, or a
+ * selection of random sizes.
+ */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include "objects.h"
+#include "random.h"
+#include "testfile.h"
+#include "utils.h"
+
+//TODO: stat the file, and divide by two
+
+bool truncate_testfile(struct childdata *child)
+{
+ int fd;
+ int ret;
+ off_t sizes[] = { 0, 4096, MB(1), GB(1) };
+
+ fd = get_rand_testfile_fd();
+ if (fd < 0)
+ return FALSE;
+
+ ret = ftruncate(fd, RAND_ARRAY(sizes));
+
+ clock_gettime(CLOCK_MONOTONIC, &child->tp);
+
+ if (ret < 0)
+ return FALSE;
+
+ return TRUE;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/fds/drm.c new/trinity-1.6+git.20160526/fds/drm.c
--- old/trinity-1.6+git.20160520/fds/drm.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/fds/drm.c 2016-05-27 22:28:47.000000000 +0200
@@ -71,6 +71,8 @@
 output(2, "fd[%d] = drm\n", fd);
 }
+static struct fd_provider drm_fd_provider;
+
 static int open_drm_fds(void)
 {
 struct objhead *head;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/fds/testfiles.c new/trinity-1.6+git.20160526/fds/testfiles.c
--- old/trinity-1.6+git.20160520/fds/testfiles.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/fds/testfiles.c 2016-05-27 22:28:47.000000000 +0200
@@ -16,6 +16,7 @@
 #include "sanitise.h"
 #include "shm.h"
 #include "syscalls/syscalls.h"
+#include "testfile.h"
 #include "utils.h"
 #define MAX_TESTFILE_FDS 4
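Review bot: The new file uses `struct childdata`, `bool`/`TRUE`/`FALSE` and `clock_gettime` without including the headers that declare them (child.h, where this commit adds the `truncate_testfile` prototype, and `<time.h>`), so it compiles only if utils.h or objects.h happens to pull them in; adding `#include <time.h>` and `#include "child.h"` makes the file self-contained and lets the compiler check the definition against its prototype. The fd from `get_rand_testfile_fd()` is not closed here, which is presumably right if it is a shared fd owned by the testfiles provider, but a one-line comment saying so would stop a future reader from adding a `close(fd)`. The header comment could also record the `//TODO` intent (sizes derived from the file's current size) so the fixed `sizes[]` table reads as an interim choice.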
@@ -96,7 +97,7 @@
 return TRUE;
 }
-static int get_rand_testfile_fd(void)
+int get_rand_testfile_fd(void)
 {
 struct object *obj;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/generate-args.c new/trinity-1.6+git.20160526/generate-args.c
--- old/trinity-1.6+git.20160520/generate-args.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/generate-args.c 2016-05-27 22:28:47.000000000 +0200
@@ -124,10 +124,10 @@
 unreachable();
 }
- if (num == 0)
+ if (*num == 0)
 BUG("ARG_OP/LIST with 0 args. What?\n");
- if (values == NULL)
+ if (*values == NULL)
 BUG("ARG_OP/LIST with no values.\n");
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/include/child.h new/trinity-1.6+git.20160526/include/child.h
--- old/trinity-1.6+git.20160520/include/child.h 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/include/child.h 2016-05-27 22:28:47.000000000 +0200
@@ -12,6 +12,7 @@
 CHILD_READ_ALL_FILES,
 CHILD_THRASH_PID,
 CHILD_ROOT_DROP_PRIVS,
+ CHILD_TRUNCATE_TESTFILE,
 };
 struct childdata {
@@ -65,3 +66,4 @@
 bool read_all_files(struct childdata *child);
 bool thrash_pidfiles(struct childdata *child);
 bool drop_privs(struct childdata *child);
+bool truncate_testfile(struct childdata *child);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/include/object-types.h new/trinity-1.6+git.20160526/include/object-types.h
--- old/trinity-1.6+git.20160520/include/object-types.h 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/include/object-types.h 2016-05-27 22:28:47.000000000 +0200
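Review bot: get_rand_testfile_fd becomes part of the public interface here (it is declared in the new include/testfile.h), but nothing documents what it returns when no testfile fd is available; its new caller truncate_testfile treats a negative value as failure, and the body that decides this is outside the hunk, so that contract should be confirmed and written down. Suggest a comment above the definition such as `/* Returns a random open testfile fd, or a negative value when none is available. */`, mirrored on the prototype in testfile.h.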
@@ -17,6 +17,8 @@
 OBJ_FD_SOCKET,
 OBJ_FD_USERFAULTFD,
 OBJ_FD_FANOTIFY,
+ OBJ_FD_BPF_MAP,
+ OBJ_FD_BPF_PROG,
 OBJ_FUTEX,
 OBJ_SYSV_SHM,
 MAX_OBJECT_TYPES,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/include/objects.h new/trinity-1.6+git.20160526/include/objects.h
--- old/trinity-1.6+git.20160520/include/objects.h 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/include/objects.h 2016-05-27 22:28:47.000000000 +0200
@@ -37,6 +37,10 @@
 int fanotifyfd;
+ int bpf_map_fd;
+
+ int bpf_prog_fd;
+
 struct socketinfo sockinfo;
 struct __lock lock; /* futex */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/include/testfile.h new/trinity-1.6+git.20160526/include/testfile.h
--- old/trinity-1.6+git.20160520/include/testfile.h 1970-01-01 01:00:00.000000000 +0100
+++ new/trinity-1.6+git.20160526/include/testfile.h 2016-05-27 22:28:47.000000000 +0200
@@ -0,0 +1,3 @@
+#pragma once
+
+int get_rand_testfile_fd(void);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/mm/maps-initial.c new/trinity-1.6+git.20160526/mm/maps-initial.c
--- old/trinity-1.6+git.20160520/mm/maps-initial.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/mm/maps-initial.c 2016-05-27 22:28:47.000000000 +0200
@@ -80,15 +80,12 @@
 if ((free * 1024) < GB(8ULL)) {
 printf("Free memory: %.2fGB\n", (double) free / 1024 / 1024);
 printf("Low on memory, disabling mmaping of 1GB pages\n");
- mapping_sizes[5] = page_size;
+ mapping_sizes[4] = page_size;
 goto out_free;
 }
 }
 }
- //FIXME
- mapping_sizes[4] = 0;
-
 out_free:
 free(buffer);
 out_close:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/objects.c new/trinity-1.6+git.20160526/objects.c
--- old/trinity-1.6+git.20160520/objects.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/objects.c 2016-05-27 22:28:47.000000000 +0200
@@ -79,6 +79,12 @@
 case OBJ_FD_FANOTIFY:
 output(0, "fanotify:%d\n", obj->fanotifyfd);\
 break;
+ case OBJ_FD_BPF_MAP:
+ output(0, "bpf map fd:%d\n", obj->bpf_map_fd);
+ break;
+ case OBJ_FD_BPF_PROG:
+ output(0, "bpf prog fd:%d\n", obj->bpf_prog_fd);
+ break;
 case OBJ_FUTEX:
 output(0, "futex: %lx owner:%d\n", obj->lock.futex, obj->lock.owner_pid);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/syscalls/bpf.c new/trinity-1.6+git.20160526/syscalls/bpf.c
--- old/trinity-1.6+git.20160520/syscalls/bpf.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/syscalls/bpf.c 2016-05-27 22:28:47.000000000 +0200
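Review bot: Changing the low-memory fallback from `mapping_sizes[5]` to `mapping_sizes[4]` and deleting the unconditional `mapping_sizes[4] = 0;` makes correctness depend on slot 4 being the 1GB entry named in the printf just above, but the table's declaration and length are outside this hunk, so that cannot be checked here; if the table still has six entries, slot 5 is now never adjusted. A comment at the assignment naming the slot would prevent the next off-by-one, e.g. `mapping_sizes[4] = page_size;	/* slot 4 is the 1GB hugepage size; confirm against the table */`.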
@@ -1,14 +1,89 @@
 /*
 * SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
 */
+#include <linux/bpf.h>
+#include <linux/filter.h>
+#include "arch.h"
+#include "net.h"
+#include "random.h"
 #include "sanitise.h"
-enum bpf_cmd {
- BPF_MAP_CREATE, BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, BPF_MAP_DELETE_ELEM,
- BPF_MAP_GET_NEXT_KEY, BPF_PROG_LOAD,
+static unsigned long bpf_prog_types[] = {
+ BPF_PROG_TYPE_UNSPEC,
+ BPF_PROG_TYPE_SOCKET_FILTER,
+ BPF_PROG_TYPE_KPROBE,
+ BPF_PROG_TYPE_SCHED_CLS,
+ BPF_PROG_TYPE_SCHED_ACT,
 };
-// TODO: sanitize = allocate a page, and use bpf_gen_filter to generate something legit.
+static const char license[] = "GPLv2";
+
+static void bpf_prog_load(struct syscallrecord *rec)
+{
+ unsigned long *insns = NULL, len = 0;
+ union bpf_attr *attr;
+
+ attr = zmalloc(sizeof(union bpf_attr));
+
+ attr->prog_type = RAND_ARRAY(bpf_prog_types);
+
+ switch (attr->prog_type) {
+ case BPF_PROG_TYPE_SOCKET_FILTER:
+ bpf_gen_filter(&insns, &len);
+ break;
+ default:
+ // this will go away when all the other cases are enumerated
+ insns = zmalloc(page_size);
+ generate_rand_bytes((unsigned char *)insns, len);
+ break;
+ }
+
+ attr->insn_cnt = len;
+ attr->insns = (u64) insns;
+ attr->license = (u64) license;
+ attr->log_level = 0;
+ attr->log_size = rnd() % page_size;
+ attr->log_buf = (u64) get_writable_address(page_size);
+// attr->kern_version = TODO: stick uname in here.
+
+ rec->a2 = (unsigned long) attr;
+ rec->a3 = sizeof(attr);
+}
+
+static void sanitise_bpf(struct syscallrecord *rec)
+{
+ switch (rec->a1) {
+ case BPF_PROG_LOAD:
+ bpf_prog_load(rec);
+ break;
+ default:
+ break;
+ }
+}
+
+static void post_bpf(struct syscallrecord *rec)
+{
+ union bpf_attr *attr;
+
+ switch (rec->a1) {
+ case BPF_MAP_CREATE:
+ //TODO: add fd to local object cache
+ break;
+
+ case BPF_PROG_LOAD:
+ //TODO: add fd to local object cache
+
+ attr = (union bpf_attr *) rec->a2;
+ if (attr->prog_type == BPF_PROG_TYPE_SOCKET_FILTER) {
+ void *ptr = (void *) attr->insns;
+ free(ptr);
+ freeptr(&rec->a2);
+ }
+ break;
+ default:
+ break;
+ }
+}
 static unsigned long bpf_flags[] = {
 BPF_MAP_CREATE, BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, BPF_MAP_DELETE_ELEM,
@@ -23,7 +98,7 @@
 .arg1type = ARG_OP,
 .arg1list = ARGLIST(bpf_flags),
 .arg2name = "uattr",
- .arg2type = ARG_ADDRESS,
 .arg3name = "size",
- .arg3type = ARG_LEN,
+ .sanitise = sanitise_bpf,
+ .post = post_bpf,
 };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trinity-1.6+git.20160520/syscalls/copy_file_range.c new/trinity-1.6+git.20160526/syscalls/copy_file_range.c
--- old/trinity-1.6+git.20160520/syscalls/copy_file_range.c 2016-05-21 15:11:30.000000000 +0200
+++ new/trinity-1.6+git.20160526/syscalls/copy_file_range.c 2016-05-27 22:28:47.000000000 +0200
@@ -34,7 +34,7 @@
 .arg5type = ARG_LEN,
 .arg6name = "flags",
 .arg6type = ARG_LIST,
- .arg4list = ARGLIST(copy_file_range_flags),
+ .arg6list = ARGLIST(copy_file_range_flags),
 .flags = NEED_ALARM,
 .group = GROUP_VFS,
 };
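Review bot: `rec->a3 = sizeof(attr);` in bpf_prog_load passes the size of a pointer as the bpf() size argument rather than the size of the attr union it just allocated with `zmalloc(sizeof(union bpf_attr))`; it should be `rec->a3 = sizeof(*attr);`. Second, post_bpf only releases `attr->insns` and `rec->a2` for BPF_PROG_TYPE_SOCKET_FILTER, yet the default branch of bpf_prog_load zmalloc's a page of insns for every other prog type and the attr itself is allocated for all of them, so each non-socket-filter call leaks both; since both allocation paths shown here are heap allocations, the cleanup can be unconditional as below. Third, in that default branch `generate_rand_bytes((unsigned char *)insns, len)` runs while `len` is still 0, so the page stays zeroed and `insn_cnt` is 0 for every such program; presumably a count bounded by `page_size / sizeof(struct bpf_insn)` was meant to be assigned first.
```c
	rec->a2 = (unsigned long) attr;
	rec->a3 = sizeof(*attr);	/* size of the union, not of the pointer */
}

/* … unchanged: sanitise_bpf … */

	case BPF_PROG_LOAD:
		//TODO: add fd to local object cache
		attr = (union bpf_attr *) rec->a2;
		/* insns is heap-allocated on both paths of bpf_prog_load, so
		 * release it and the attr for every prog type, not only socket filters. */
		free((void *) attr->insns);
		freeptr(&rec->a2);
		break;
```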
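Review bot: Dropping `.arg2type = ARG_ADDRESS` and `.arg3type = ARG_LEN` leaves uattr/size unspecified for every command except BPF_PROG_LOAD, the only case sanitise_bpf fills in; what the generic argument generator does with an unset arg type is not visible here, so if it leaves a2/a3 at 0 the map commands in bpf_flags will all fail before the kernel looks at an attr. Either keep the two type lines as the fallback for the commands sanitise_bpf does not yet handle, or state the intent with a comment above `.sanitise`, e.g. `/* uattr/size are built by sanitise_bpf; only BPF_PROG_LOAD is handled so far */`.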
