executor/executor_test.h - third_party/syzkaller - Git at Google

 // Copyright 2018 syzkaller project authors. All rights reserved.
 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

 #include <stdlib.h>
 #include <sys/mman.h>
 #include <unistd.h>

 #ifdef __linux__
 #include <sys/prctl.h>
 #endif

 // sys/targets also know about these consts.
 static uint64 kernel_text_start = 0xc0dec0dec0000000;
 static uint64 kernel_text_mask = 0xffffff;

 static void os_init(int argc, char** argv, void* data, size_t data_size)
 {
 #ifdef __linux__
 	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 	// There's a risk that the parent has exited before we get to call prctl().
 	// In that case, let's assume that the child must have been reassigned to PID=1.
 	if (getppid() == 1)
 		exitf("the parent process was killed");
 #endif
 	void* got = mmap(data, data_size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED_EXCLUSIVE, -1, 0);
 	if (data != got)
 		failmsg("mmap of data segment failed", "want %p, got %p", data, got);
 	is_kernel_64_bit = sizeof(unsigned long) == 8;
 }

 #ifdef __clang__
 #define notrace
 #else
 #define notrace __attribute__((no_sanitize_coverage))
 #endif

 extern "C" notrace void __sanitizer_cov_trace_pc(void)
 {
 	if (current_thread == nullptr || current_thread->cov.data == nullptr || current_thread->cov.collect_comps)
 		return;
 	uint64 pc = (uint64)__builtin_return_address(0);
 	// Convert to what is_kernel_pc will accept as valid coverage;
 	pc = kernel_text_start | (pc & kernel_text_mask);
 	// Note: we duplicate the following code instead of using a template function
 	// because it must not be instrumented which is hard to achieve for all compiler
 	// if the code is in a separate function.
 	if (is_kernel_64_bit) {
 		uint64* start = (uint64*)current_thread->cov.data;
 		uint64* end = (uint64*)current_thread->cov.data_end;
 		uint64 pos = start[0];
 		if (start + pos + 1 < end) {
 			start[0] = pos + 1;
 			start[pos + 1] = pc;
 		}
 	} else {
 		uint32* start = (uint32*)current_thread->cov.data;
 		uint32* end = (uint32*)current_thread->cov.data_end;
 		uint32 pos = start[0];
 		if (start + pos + 1 < end) {
 			start[0] = pos + 1;
 			start[pos + 1] = pc;
 		}
 	}
 }

 static intptr_t execute_syscall(const call_t* c, intptr_t a[kMaxArgs])
 {
 	// Inject coverage PC even when built w/o coverage instrumentation.
 	// This allows to pass machine check with coverage enabled.
 	// pkg/fuzzer tests with coverage instrumentation shouldn't be distracted by the additional PC,
 	// and syz_inject_cover overwrites the whole array so will remote it.
 	__sanitizer_cov_trace_pc();
 	return c->call(a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8]);
 }

 static void cover_open(cover_t* cov, bool extra)
 {
 	cov->data_size = kCoverSize * sizeof(unsigned long);
 }

 static void cover_enable(cover_t* cov, bool collect_comps, bool extra)
 {
 	cov->collect_comps = collect_comps;
 }

 static void cover_reset(cover_t* cov)
 {
 	*(uint64*)(cov->data) = 0;
 }

 static void cover_collect(cover_t* cov)
 {
 	if (is_kernel_64_bit)
 		cov->size = *(uint64*)cov->data;
 	else
 		cov->size = *(uint32*)cov->data;
 }

 static void cover_protect(cover_t* cov)
 {
 }

 static void cover_mmap(cover_t* cov)
 {
 	if (cov->mmap_alloc_ptr != NULL)
 		fail("cover_mmap invoked on an already mmapped cover_t object");
 	if (cov->data_size == 0)
 		fail("cover_t structure is corrupted");
 	cov->mmap_alloc_size = cov->data_size;
 	cov->mmap_alloc_ptr = (char*)mmap(NULL, cov->mmap_alloc_size,
 					  PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
 	if (cov->mmap_alloc_ptr == MAP_FAILED)
 		exitf("cover mmap failed");
 	cov->data = cov->mmap_alloc_ptr;
 	cov->data_end = cov->data + cov->mmap_alloc_size;
 	cov->data_offset = is_kernel_64_bit ? sizeof(uint64_t) : sizeof(uint32_t);
 	// We don't care about the specific PC values for now.
 	// Once we do, we might want to consider ASLR here.
 	cov->pc_offset = 0;
 }

 static void cover_unprotect(cover_t* cov)
 {
 }

 static long inject_cover(cover_t* cov, long a, long b)
 {
 	if (cov->data == nullptr)
 		return ENOENT;
 	uint32 size = std::min((uint32)b, cov->data_size);
 	memcpy(cov->data, (void*)a, size);
 	memset(cov->data + size, 0xcd, std::min<uint64>(100, cov->data_size - size));
 	return 0;
 }

 static long syz_inject_cover(volatile long a, volatile long b)
 {
 	return inject_cover(&current_thread->cov, a, b);
 }

 static long syz_inject_remote_cover(volatile long a, volatile long b)
 {
 	return inject_cover(&extra_cov, a, b);
 }

 static const char* setup_fault()
 {
 	return nullptr;
 }

 static const char* setup_leak()
 {
 	return "leak detection is not supported";
 }

 // Test various ways how feature setup can fail.
 // We don't care about these features for test OS,
 // this is just to test the feature support detection code.
 #define SYZ_HAVE_FEATURES 1
 static feature_t features[] = {
     {rpc::Feature::Fault, setup_fault},
     {rpc::Feature::Leak, setup_leak},
 };
	// Copyright 2018 syzkaller project authors. All rights reserved.
	// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	#include <stdlib.h>
	#include <sys/mman.h>
	#include <unistd.h>

	#ifdef __linux__
	#include <sys/prctl.h>
	#endif

	// sys/targets also know about these consts.
	static uint64 kernel_text_start = 0xc0dec0dec0000000;
	static uint64 kernel_text_mask = 0xffffff;

	static void os_init(int argc, char** argv, void* data, size_t data_size)
	{
	#ifdef __linux__
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	// There's a risk that the parent has exited before we get to call prctl().
	// In that case, let's assume that the child must have been reassigned to PID=1.
	if (getppid() == 1)
	exitf("the parent process was killed");
	#endif
	void* got = mmap(data, data_size, PROT_READ \| PROT_WRITE, MAP_ANON \| MAP_PRIVATE \| MAP_FIXED_EXCLUSIVE, -1, 0);
	if (data != got)
	failmsg("mmap of data segment failed", "want %p, got %p", data, got);
	is_kernel_64_bit = sizeof(unsigned long) == 8;
	}

	#ifdef __clang__
	#define notrace
	#else
	#define notrace __attribute__((no_sanitize_coverage))
	#endif

	extern "C" notrace void __sanitizer_cov_trace_pc(void)
	{
	if (current_thread == nullptr \|\| current_thread->cov.data == nullptr \|\| current_thread->cov.collect_comps)
	return;
	uint64 pc = (uint64)__builtin_return_address(0);
	// Convert to what is_kernel_pc will accept as valid coverage;
	pc = kernel_text_start \| (pc & kernel_text_mask);
	// Note: we duplicate the following code instead of using a template function
	// because it must not be instrumented which is hard to achieve for all compiler
	// if the code is in a separate function.
	if (is_kernel_64_bit) {
	uint64* start = (uint64*)current_thread->cov.data;
	uint64* end = (uint64*)current_thread->cov.data_end;
	uint64 pos = start[0];
	if (start + pos + 1 < end) {
	start[0] = pos + 1;
	start[pos + 1] = pc;
	}
	} else {
	uint32* start = (uint32*)current_thread->cov.data;
	uint32* end = (uint32*)current_thread->cov.data_end;
	uint32 pos = start[0];
	if (start + pos + 1 < end) {
	start[0] = pos + 1;
	start[pos + 1] = pc;
	}
	}
	}

	static intptr_t execute_syscall(const call_t* c, intptr_t a[kMaxArgs])
	{
	// Inject coverage PC even when built w/o coverage instrumentation.
	// This allows to pass machine check with coverage enabled.
	// pkg/fuzzer tests with coverage instrumentation shouldn't be distracted by the additional PC,
	// and syz_inject_cover overwrites the whole array so will remote it.
	__sanitizer_cov_trace_pc();
	return c->call(a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8]);
	}

	static void cover_open(cover_t* cov, bool extra)
	{
	cov->data_size = kCoverSize * sizeof(unsigned long);
	}

	static void cover_enable(cover_t* cov, bool collect_comps, bool extra)
	{
	cov->collect_comps = collect_comps;
	}

	static void cover_reset(cover_t* cov)
	{
	(uint64)(cov->data) = 0;
	}

	static void cover_collect(cover_t* cov)
	{
	if (is_kernel_64_bit)
	cov->size = (uint64)cov->data;
	else
	cov->size = (uint32)cov->data;
	}

	static void cover_protect(cover_t* cov)
	{
	}

	static void cover_mmap(cover_t* cov)
	{
	if (cov->mmap_alloc_ptr != NULL)
	fail("cover_mmap invoked on an already mmapped cover_t object");
	if (cov->data_size == 0)
	fail("cover_t structure is corrupted");
	cov->mmap_alloc_size = cov->data_size;
	cov->mmap_alloc_ptr = (char*)mmap(NULL, cov->mmap_alloc_size,
	PROT_READ \| PROT_WRITE, MAP_PRIVATE \| MAP_ANON, -1, 0);
	if (cov->mmap_alloc_ptr == MAP_FAILED)
	exitf("cover mmap failed");
	cov->data = cov->mmap_alloc_ptr;
	cov->data_end = cov->data + cov->mmap_alloc_size;
	cov->data_offset = is_kernel_64_bit ? sizeof(uint64_t) : sizeof(uint32_t);
	// We don't care about the specific PC values for now.
	// Once we do, we might want to consider ASLR here.
	cov->pc_offset = 0;
	}

	static void cover_unprotect(cover_t* cov)
	{
	}

	static long inject_cover(cover_t* cov, long a, long b)
	{
	if (cov->data == nullptr)
	return ENOENT;
	uint32 size = std::min((uint32)b, cov->data_size);
	memcpy(cov->data, (void*)a, size);
	memset(cov->data + size, 0xcd, std::min<uint64>(100, cov->data_size - size));
	return 0;
	}

	static long syz_inject_cover(volatile long a, volatile long b)
	{
	return inject_cover(&current_thread->cov, a, b);
	}

	static long syz_inject_remote_cover(volatile long a, volatile long b)
	{
	return inject_cover(&extra_cov, a, b);
	}

	static const char* setup_fault()
	{
	return nullptr;
	}

	static const char* setup_leak()
	{
	return "leak detection is not supported";
	}

	// Test various ways how feature setup can fail.
	// We don't care about these features for test OS,
	// this is just to test the feature support detection code.
	#define SYZ_HAVE_FEATURES 1
	static feature_t features[] = {
	{rpc::Feature::Fault, setup_fault},
	{rpc::Feature::Leak, setup_leak},
	};