static void bpf_prog_load(union bpf_attr *attr)
{
unsigned long *insns = NULL, len = 0;
attr->prog_type = RAND_ARRAY(bpf_prog_types);
switch (attr->prog_type) {
case BPF_PROG_TYPE_SOCKET_FILTER:
bpf_gen_filter(&insns, &len);
break;
default:
// this will go away when all the other cases are enumerated
insns = zmalloc(page_size);
generate_rand_bytes((unsigned char *)insns, len);
break;
}
attr->insn_cnt = len;
attr->insns = (u64) insns;
attr->license = (u64) license;
attr->log_level = 0;
attr->log_size = rnd() % page_size;
attr->log_buf = (u64) get_writable_address(page_size);
attr->kern_version = rnd(); // TODO: stick uname in here.
}
void socket_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_SOCKET;
so->optname = RAND_ARRAY(socket_opts);
/* Adjust length according to operation set. */
switch (so->optname) {
case SO_LINGER:
so->optlen = sizeof(struct linger);
break;
case SO_RCVTIMEO:
case SO_SNDTIMEO:
so->optlen = sizeof(struct timeval);
break;
case SO_ATTACH_FILTER: {
unsigned long *optval = NULL, optlen = 0;
bpf_gen_filter(&optval, &optlen);
so->optval = (unsigned long) optval;
so->optlen = optlen;
break;
}
default:
break;
}
}
void bluetooth_setsockopt(struct sockopt *so)
{
switch(rand() % 5) {
case 0: so->level = SOL_HCI; break;
case 1: so->level = SOL_L2CAP; break;
case 2: so->level = SOL_SCO; break;
case 3: so->level = SOL_RFCOMM; break;
case 4: /* leave level unchanged */
;;
default:
break;
}
switch (so->level) {
case SOL_HCI:
so->optname = RAND_ARRAY(bluetooth_hci_opts);
break;
case SOL_L2CAP:
so->optname = RAND_ARRAY(bluetooth_l2cap_opts);
break;
case SOL_SCO: /* no options currently */
break;
case SOL_RFCOMM:
so->optname = RAND_ARRAY(bluetooth_rfcomm_opts);
break;
case SOL_BLUETOOTH:
so->optname = RAND_ARRAY(bluetooth_opts);
break;
default: break;
}
}
static void netlink_gen_sockaddr(struct sockaddr **addr, socklen_t *addrlen)
{
struct sockaddr_nl *nl;
const unsigned long nl_groups[] = {
RTNLGRP_NONE, RTNLGRP_LINK, RTNLGRP_NOTIFY, RTNLGRP_NEIGH,
RTNLGRP_TC, RTNLGRP_IPV4_IFADDR, RTNLGRP_IPV4_MROUTE, RTNLGRP_IPV4_ROUTE,
RTNLGRP_IPV4_RULE, RTNLGRP_IPV6_IFADDR, RTNLGRP_IPV6_MROUTE, RTNLGRP_IPV6_ROUTE,
RTNLGRP_IPV6_IFINFO, RTNLGRP_DECnet_IFADDR, RTNLGRP_NOP2, RTNLGRP_DECnet_ROUTE,
RTNLGRP_DECnet_RULE, RTNLGRP_NOP4, RTNLGRP_IPV6_PREFIX, RTNLGRP_IPV6_RULE,
RTNLGRP_ND_USEROPT, RTNLGRP_PHONET_IFADDR, RTNLGRP_PHONET_ROUTE, RTNLGRP_DCB,
RTNLGRP_IPV4_NETCONF, RTNLGRP_IPV6_NETCONF, RTNLGRP_MDB, RTNLGRP_MPLS_ROUTE,
RTNLGRP_NSID, RTNLGRP_MPLS_NETCONF,
};
nl = zmalloc(sizeof(struct sockaddr_nl));
nl->nl_family = PF_NETLINK;
nl->nl_pid = 0; // destination is always kernel
nl->nl_groups = RAND_ARRAY(nl_groups);
*addr = (struct sockaddr *) nl;
*addrlen = sizeof(struct sockaddr_nl);
}
static void rxrpc_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_RXRPC;
so->optname = RAND_ARRAY(rxrpc_opts);
}
static void rose_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_ROSE;
so->optname = RAND_ARRAY(rose_opts);
}
static void irda_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_IRDA;
so->optname = RAND_ARRAY(irda_opts);
}
void dccp_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(dccp_opts);
}
void icmpv6_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(icmpv6_opts);
}
static void sanitise_bpf(struct syscallrecord *rec)
{
union bpf_attr *attr;
unsigned long bpf_map_types[] = {
BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_PERF_EVENT_ARRAY,
BPF_MAP_TYPE_PERCPU_HASH, BPF_MAP_TYPE_PERCPU_ARRAY, BPF_MAP_TYPE_STACK_TRACE, BPF_MAP_TYPE_CGROUP_ARRAY,
BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, BPF_MAP_TYPE_LPM_TRIE,
};
attr = zmalloc(sizeof(union bpf_attr));
rec->a2 = (unsigned long) attr;
switch (rec->a1) {
case BPF_MAP_CREATE:
attr->map_type = RAND_ARRAY(bpf_map_types);
attr->key_size = rnd() % 1024;
attr->value_size = rnd() % (1024 * 64);
attr->max_entries = rnd() % 1024;
attr->flags = RAND_RANGE(0, 4);
rec->a3 = 20;
break;
case BPF_MAP_LOOKUP_ELEM:
attr->map_fd = get_rand_bpf_fd();
attr->key = RAND_RANGE(0, 10);
attr->value = rnd();
rec->a3 = 32;
break;
case BPF_MAP_UPDATE_ELEM:
attr->map_fd = get_rand_bpf_fd();
attr->key = RAND_RANGE(0, 10);
attr->value = rnd();
attr->next_key = rnd();
attr->flags = RAND_RANGE(0, 4);
rec->a3 = 32;
break;
case BPF_MAP_DELETE_ELEM:
attr->map_fd = get_rand_bpf_fd();
attr->key = RAND_RANGE(0, 10);
rec->a3 = 32;
break;
case BPF_MAP_GET_NEXT_KEY:
attr->map_fd = get_rand_bpf_fd();
attr->key = RAND_RANGE(0, 10);
attr->value = rnd();
rec->a3 = 32;
break;
case BPF_OBJ_PIN:
case BPF_OBJ_GET:
attr->map_fd = get_rand_bpf_fd();
rec->a3 = 32;
break;
case BPF_PROG_LOAD:
bpf_prog_load(attr);
rec->a3 = 48;
break;
default:
break;
}
}
void netlink_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(netlink_opts);
}
void atm_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(atm_opts);
}
static void netlink_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_NETLINK;
so->optname = RAND_ARRAY(netlink_opts);
}
void rxrpc_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(rxrpc_opts);
}
static void caif_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_CAIF;
so->optname = RAND_ARRAY(caif_opts);
}
static void atm_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->level = SOL_ATM;
so->optname = RAND_ARRAY(atm_opts);
}
void rose_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(rose_opts);
}
void tcp_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet)
{
so->optname = RAND_ARRAY(tcp_opts);
}
void tipc_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(tipc_opts);
so->optlen = sizeof(__u32);
}
void llc_setsockopt(struct sockopt *so)
{
so->optname = RAND_ARRAY(llc_opts);
}
