Esempio n. 1
0
static void * _get_address(unsigned char null_allowed)
{
	void *addr = NULL;
	int i;

	/* Because we get called during startup when we create fd's, we need
	 * to special case this, as we can't use get_non_null_address at that point */
	if (getpid() == shm->mainpid)
		return page_rand;

	if (null_allowed == TRUE)
		i = rand() % 4;
	else
		i = rand_range(1, 3);

	switch (i) {
	case 0: addr = NULL;
		break;
	case 1:	addr = (void *) KERNEL_ADDR;
		break;
	case 2:	addr = (void *)(unsigned long)rand64();
		break;

	case 3:	addr = get_writable_address(page_size);
		break;
	}
	return addr;
}
Esempio n. 2
0
static void bpf_prog_load(union bpf_attr *attr)
{
	unsigned long *insns = NULL, len = 0;
	attr->prog_type = RAND_ARRAY(bpf_prog_types);

	switch (attr->prog_type) {
	case BPF_PROG_TYPE_SOCKET_FILTER:
		bpf_gen_filter(&insns, &len);
		break;

	default:
		// this will go away when all the other cases are enumerated
		insns = zmalloc(page_size);
		generate_rand_bytes((unsigned char *)insns, len);
		break;
	}

	attr->insn_cnt = len;
	attr->insns = (u64) insns;
	attr->license = (u64) license;
	attr->log_level = 0;
	attr->log_size = rnd() % page_size;
	attr->log_buf = (u64) get_writable_address(page_size);
	attr->kern_version = rnd();	// TODO: stick uname in here.
}
Esempio n. 3
0
static unsigned long random_ioctl_arg(void)
{
	if (RAND_BOOL()) {
		return (unsigned long) rand64();
	} else {
		void *page;

		page = get_writable_address(page_size);
		generate_random_page(page);

		return (unsigned long) page;
	}
}
Esempio n. 4
0
static void dm_sanitise(const struct ioctl_group *grp, struct syscallrecord *rec)
{
	struct dm_ioctl *dm;

	pick_random_ioctl(grp, rec);

	rec->a3 = (unsigned long) get_writable_address(sizeof(struct dm_ioctl));
	dm = (struct dm_ioctl *) rec->a3;

	/* set a sensible version to get past the initial checks */
	dm->version[0] = DM_VERSION_MAJOR;
	dm->version[1] = DM_VERSION_MINOR;
	dm->version[2] = DM_VERSION_PATCHLEVEL;

	/* clear one of these strings to pass some kernel validation */
	if (RAND_BOOL())
		dm->name[0] = 0;
	else
		dm->uuid[0] = 0;
}
Esempio n. 5
0
static unsigned long fill_arg(struct syscallrecord *rec, unsigned int argnum)
{
	struct syscallentry *entry;
	unsigned int call;
	enum argtype argtype;

	call = rec->nr;
	entry = syscalls[call].entry;

	if (argnum > entry->num_args)
		return 0;

	argtype = get_argtype(entry, argnum);

	switch (argtype) {
	case ARG_UNDEFINED:
		if (RAND_BOOL())
			return (unsigned long) rand64();
		return (unsigned long) get_writable_address(page_size);

	case ARG_FD:
		if (RAND_BOOL()) {
			unsigned int i;
			/* If this is the 2nd or more ARG_FD, make it unique */
			for (i = 0; i < argnum; i++) {
				enum argtype arg;
				arg = get_argtype(entry, i);
				if (arg == ARG_FD)
					return get_new_random_fd();
			}
		}
		return get_random_fd();

	case ARG_LEN:
		return (unsigned long) get_len();

	case ARG_ADDRESS:
		return handle_arg_address(rec, argnum);

	case ARG_NON_NULL_ADDRESS:
		return (unsigned long) get_non_null_address();

	case ARG_MMAP:
		return (unsigned long) get_map();

	case ARG_PID:
		return (unsigned long) get_pid();

	case ARG_RANGE:
		return handle_arg_range(entry, argnum);

	case ARG_OP:	/* Like ARG_LIST, but just a single value. */
		return handle_arg_op(entry, argnum);

	case ARG_LIST:
		return handle_arg_list(entry, argnum);

	case ARG_CPU:
		return (unsigned long) get_cpu();

	case ARG_PATHNAME:
		return (unsigned long) generate_pathname();

	case ARG_IOVEC:
		return handle_arg_iovec(entry, rec, argnum);

	case ARG_IOVECLEN:
	case ARG_SOCKADDRLEN:
		/* We already set the len in the ARG_IOVEC/ARG_SOCKADDR case
		 * So here we just return what we had set there. */
		return get_argval(rec, argnum);

	case ARG_SOCKADDR:
		return handle_arg_sockaddr(entry, rec, argnum);

	case ARG_MODE_T:
		return handle_arg_mode_t();

	case ARG_SOCKETINFO:
		return (unsigned long) get_rand_socketinfo();
	}

	BUG("unreachable!\n");
}