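/*
 * Populate a BPF_PROG_LOAD attr: random program type, a program for it,
 * the fuzzer's license string and a verifier log buffer of random size.
 *
 * BPF_PROG_TYPE_SOCKET_FILTER gets a program from bpf_gen_filter(); every
 * other type gets a page of random instructions.  The default branch used
 * to allocate the page but leave len at 0, so generate_rand_bytes() wrote
 * nothing and insn_cnt was always 0 for those types -- which the kernel
 * refuses before the verifier even runs, so nothing was being exercised.
 * It now fills the page and sets insn_cnt to the number of bpf_insn slots
 * it uses.
 *
 * attr->insns is not freed here; presumably released after the syscall
 * by the caller -- verify against the post-syscall path.
 */
static void bpf_prog_load(union bpf_attr *attr)
{
	unsigned long *insns = NULL;
	unsigned long len = 0;

	attr->prog_type = RAND_ARRAY(bpf_prog_types);

	switch (attr->prog_type) {
	case BPF_PROG_TYPE_SOCKET_FILTER:
		/* len comes back as an instruction count, matching insn_cnt. */
		bpf_gen_filter(&insns, &len);
		break;
	default:
		/*
		 * No dedicated generator yet: hand the verifier a random
		 * instruction stream.  len counts instructions, so bound it
		 * by how many bpf_insn fit in the page and keep it >= 1.
		 */
		insns = zmalloc(page_size);
		len = 1 + rnd() % (page_size / sizeof(struct bpf_insn));
		generate_rand_bytes((unsigned char *)insns, len * sizeof(struct bpf_insn));
		break;
	}

	attr->insn_cnt = len;
	attr->insns = (u64) insns;
	attr->license = (u64) license;

	/*
	 * NOTE(review): log_level stays 0 while log_buf/log_size are set.
	 * Newer kernels treat a log buffer without a level as inconsistent
	 * (EINVAL); randomising log_level as well would reach the verifier
	 * more often -- confirm against the target kernel before changing.
	 */
	attr->log_level = 0;
	attr->log_size = rnd() % page_size;		/* may be 0 */
	attr->log_buf = (u64) get_writable_address(page_size);

	/* TODO: stick uname in here -- a random value is a mismatch for the program types that check it. */
	attr->kern_version = rnd();
}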
/*
 * Build a random AF_UNIX sockaddr for the socket generators.
 *
 * sun_path gets 0..19 random bytes; the remainder keeps whatever zmalloc()
 * left there (presumably zero, going by the name).  The random bytes may
 * themselves contain NUL, including as the first byte, so the result is
 * sometimes a short pathname and sometimes abstract-namespace shaped.
 * *addrlen is always the full struct size, independent of the path length.
 * The caller owns *addr.
 */
static void unix_gen_sockaddr(struct sockaddr **addr, socklen_t *addrlen)
{
	struct sockaddr_un *sun = zmalloc(sizeof(struct sockaddr_un));
	unsigned int pathlen = rnd() % 20;

	sun->sun_family = PF_UNIX;
	generate_rand_bytes((unsigned char *)sun->sun_path, pathlen);

	*addrlen = sizeof(struct sockaddr_un);
	*addr = (struct sockaddr *)sun;
}
/*
 * Let the protocol-specific generator (if any) for si's family fill in
 * rec->a2 (buffer) and rec->a3 (length).  Returns non-zero if it did.
 */
static int send_gen_proto_packet(struct syscallrecord *rec, struct socketinfo *si)
{
	const struct netproto *proto;
	void *bufptr;

	if (si == NULL)		/* --disable-fds=sockets: nothing to look up */
		return 0;

	proto = net_protocols[si->triplet.family].proto;
	if (proto == NULL || proto->gen_packet == NULL)
		return 0;

	bufptr = &rec->a2;
	proto->gen_packet(&si->triplet, bufptr, &rec->a3);
	return 1;
}

/*
 * Prepare a send() record: a1 is turned from a socketinfo into its fd,
 * then a2/a3 become a packet for that socket's protocol when a generator
 * exists, or a malloc()ed buffer of random bytes otherwise (length 1 or
 * under one page).
 *
 * On malloc() failure a2 is NULL and a3 keeps whatever it held.
 */
static void sanitise_send(struct syscallrecord *rec)
{
	struct socketinfo *si = (struct socketinfo *) rec->a1;
	size_t len;
	void *buf;

	rec->a1 = fd_from_socketinfo(si);

	if (send_gen_proto_packet(rec, si))
		return;

	/* Fallback used only when no per-proto send() generator exists. */
	len = RAND_BOOL() ? 1 : rnd() % page_size;	/* may be 0 */
	buf = malloc(len);
	rec->a2 = (unsigned long) buf;
	if (buf == NULL)
		return;
	rec->a3 = len;
	generate_rand_bytes(buf, len);
}
/*
 * Build a random PF_ROSE sockaddr.
 *
 * All five rose_addr bytes, the AX.25 callsign and srose_ndigis are random
 * (rnd() is truncated to the field width).  *addrlen is always the plain
 * sizeof(struct sockaddr_rose), so the random ndigis is presumably mostly
 * out of range for that length -- that appears intentional, to poke at the
 * kernel's length/ndigis validation.  The caller owns *addr.
 */
static void rose_gen_sockaddr(struct sockaddr **addr, socklen_t *addrlen)
{
	struct sockaddr_rose *sa = zmalloc(sizeof(struct sockaddr_rose));
	unsigned int i;

	sa->srose_family = PF_ROSE;

	/* ROSE addresses are 5 bytes; one rnd() per byte, in order. */
	for (i = 0; i < 5; i++)
		sa->srose_addr.rose_addr[i] = rnd();

	generate_rand_bytes((unsigned char *) sa->srose_call.ax25_call, sizeof(ax25_address));
	sa->srose_ndigis = rnd();

	*addrlen = sizeof(struct sockaddr_rose);
	*addr = (struct sockaddr *) sa;
}
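/*
 * Prepare a send() record: a1 is turned from a socketinfo into its fd,
 * a2 becomes a malloc()ed buffer of random bytes and a3 its length
 * (either 1 or under one page; may be 0).
 *
 * The length now comes from the fuzzer's own rnd(), like RAND_BOOL() in
 * the same function and the other generators, instead of libc rand(),
 * so every random choice here is drawn from the one RNG stream.  size is
 * size_t to match what malloc() and the per-proto generators take.
 *
 * On malloc() failure a2 is NULL and a3 keeps whatever it held.
 */
static void sanitise_send(struct syscallrecord *rec)
{
	void *ptr;
	size_t size;

	rec->a1 = generic_fd_from_socketinfo((struct socketinfo *) rec->a1);

	if (RAND_BOOL())
		size = 1;
	else
		size = rnd() % page_size;

	ptr = malloc(size);
	rec->a2 = (unsigned long) ptr;
	if (ptr == NULL)
		return;
	rec->a3 = size;

	// TODO: only use this as a fallback, and actually have
	// some per-proto generators here.
	generate_rand_bytes(ptr, size);
}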