On Fri, Jun 1, 2018 at 12:58 PM, Chi Pham <
chi...@gmail.com> wrote:
> Hi Dmitry,
>
> Thanks for making syzkaller, it's a very interesting project!
>
> I've been reading syzkaller descriptions to understand how they relate to
> the syscall implementations.
> This has spurred a couple of questions that I hope you can answer:
>
> 1. Resources are, as I understand, values that are transferred between
> functions and other functions/data types, i.e. they describe a sort of data
> dependency.
> I was puzzled by this syntax: resource fd[int32]: 0xffffffffffffffff,
> AT_FDCWD
> Specifically, what does the 0xfff..., AT_FDCWD signify in this case - is
> it a sort of value constraint? And if yes, what for?
+syzkaller mailing list
Hi Chi,
I've just extended description of resources in documentation, please
see if it answers your questions:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions_syntax.md#resources
> 2. Return values are discarded unless they are resources. What about out
> parameters? (i.e. uninitialised pointers passed as arguments, to be
> initialised by the function)
> Based on the existing descriptions, I'm guessing they don't matter, aside
> from needing to be valid memory to prevent the program from failing on
> copy_to_user.
Correct.
Values in output structures only matter if there are some resources
returned, e.g. see pipe syscall:
https://github.com/google/syzkaller/blob/master/sys/linux/sys.txt#L85
Pipe returns the resulting fd's in a struct passed into the syscall.
> 3. Sometimes data types are described to have specific constant values, e.g.
> for flags or padding. But I've come across some cases where I couldn't
> immediately see why. Example: in sys/linux/sndcontrol.txt, line 57, the
> field "type" of the struct "snd_ctl_elem_info" is set to 0. But based on the
> source code (include/uapi/sound/asound.h), it looks like 0 corresponds to
> SNDRV_CTL_ELEM_TYPE_NONE, and there are several other possible types.
> What is the reasoning behind setting it to 0? Is it just in this specific
> case it makes sense, i.e. it requires some domain-specific knowledge about
> how the structs are used?
I think it's just a bug in our descriptions. It's hard to extract them
because interfaces are complex and undocumented. I've just pushed a
commit that fixes this and few other things in sndcontrol
descriptions:
https://github.com/google/syzkaller/commit/63f18a76c394930d1368a6b120b9e432bb37d332
> 4. Regarding size: how do you decide whether an int should be 32-bit or
> 64-bit?
> E.g. when some struct field may be declared in the Linux header as "int",
> but in the syzkaller description, it needs to have a size.
> Is the convention to just put int32 when not specified by the source?
C's int type does not have size in its name, but it has well defined
size in ABI. A type simply can't have no size, whether it's spelled
explicitly or not. E.g. char, bool, long and short also don't have
sizes in their names, but they do have sizes. Size of C's int is 4
bytes on all relevant platforms, thus it is translated to int32. We
just make the size explicit.
> 5. Initialising the devices: what is the difference between using
> syz_open_dev and openat? Is there any documentation for these
> syzkaller-specific functions?
You can see source for these pseudo-syscalls here:
https://github.com/google/syzkaller/blob/master/executor/common_linux.h
The only difference between openat and syz_open_dev is that
syz_open_dev substitutes '#' in name with passed in id. This is used
to open families of devices like /dev/snd/controlC0,
/dev/snd/controlC1, /dev/snd/controlC2.
> Background: I'm a student working with Julia Lawall on the possibilities of
> auto-inferring some of the simpler interfaces (I'm aware of the
> headerparser, my approach will involve some source code analysis). I'd also
> like to manually make a few syzkaller descriptions, just to get a better
> feel for it.
Great!
I've filed an issue for this recently:
https://github.com/google/syzkaller/issues/590
You may want to drop a note there to avoid duplicated with other
people. Are you looking at using Coccinelle? Or clang?
Thanks