syscalls dependency

[joey....@gmail.com]

Hi,

Assume I have the syscalls execution like below:

r0=syz_open_dev("/dev/xx", ...)

ioctl$A(r0, cmd1, arg1)

ioctl$B(r0, cmd2, arg2)

Where I want arg1 and arg2 are exactly the same pointer, is it possible?

And another question is:

if arg2 is sub member of arg1, how can I pass it to ioctl$B?

Thanks.

[Dmitry Vyukov]

On Wed, Dec 26, 2018 at 4:21 AM <joey....@gmail.com> wrote:
>
> Hi,
> Assume I have the syscalls execution like below:
>
> r0=syz_open_dev("/dev/xx", ...)
> ioctl$A(r0, cmd1, arg1)
> ioctl$B(r0, cmd2, arg2)
>
> Where I want arg1 and arg2 are exactly the same pointer, is it possible?

Hi Joel,

No, unfortunately this is not supported. Since this is needed only for
io_submit/io_cancel of known syscalls, this was never implemented.

> And another question is:
> if arg2 is sub member of arg1, how can I pass it to ioctl$B?

Please clarify what you mean by sub member. Like is it a
pointer/value? What type of value? Created by user/kernel?

[joey....@gmail.com]

The arg1 is a ptr to a structure while has an pointer to another struct which I need to pass to arg2.

Do you have any suggestion on the code implementation?

For example can I declare in description file that arg1 as global struct, which I then can pass to another syscall (instead of random input to the 2nd sycall)?

在 2018年12月26日星期三 UTC+8下午3:34:20，Dmitry Vyukov写道：

[Dmitry Vyukov]

On Wed, Dec 26, 2018 at 9:20 AM <joey....@gmail.com> wrote:
>
> The arg1 is a ptr to a structure while has an pointer to another struct which I need to pass to arg2.
>
> Do you have any suggestion on the code implementation?
> For example can I declare in description file that arg1 as global struct, which I then can pass to another syscall (instead of random input to the 2nd sycall)?

You need to pass a pointer or the struct (pointee)? It's hard to
understand what exactly you want to achieve, and details matter. What
device/ioctl is this? Please a pull request what what you have now,
this will make it easier to understand what we are talking about.

> 在 2018年12月26日星期三 UTC+8下午3:34:20，Dmitry Vyukov写道：
>>
>> On Wed, Dec 26, 2018 at 4:21 AM <joey....@gmail.com> wrote:
>> >
>> > Hi,
>> > Assume I have the syscalls execution like below:
>> >
>> > r0=syz_open_dev("/dev/xx", ...)
>> > ioctl$A(r0, cmd1, arg1)
>> > ioctl$B(r0, cmd2, arg2)
>> >
>> > Where I want arg1 and arg2 are exactly the same pointer, is it possible?
>>
>> Hi Joel,
>>
>> No, unfortunately this is not supported. Since this is needed only for
>> io_submit/io_cancel of known syscalls, this was never implemented.
>>
>> > And another question is:
>> > if arg2 is sub member of arg1, how can I pass it to ioctl$B?
>>
>> Please clarify what you mean by sub member. Like is it a
>> pointer/value? What type of value? Created by user/kernel?
>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[joey....@gmail.com]

Hi Dmitry,

I created https://github.com/google/syzkaller/issues/900

The device is video which needs to first open ion in video own driver and then open another v4l device for futher ioctl operations.

I think the syz-executor converts the description files to c like programs, however in c, we can pass args across syscalls like below.

struct arg1 {

  handle int32;

}

ioctl$A(fd_1, cmd, arg1)

ioctl$B(fd_2, cmd, arg1->handle)

How to archive that in syzkaller description file?

在 2018年12月26日星期三 UTC+8下午4:41:21，Dmitry Vyukov写道：

[joey....@gmail.com]

I don't have any code yet. Just to show you the sequence in c program:

fd_1 = open("/dev/xx"...)

ioctl(fd_1, cmd, arg1) // ion allocated

mmap(0, size, PROT_READ|PROT_WRITE, MAP_SHAED, arg1.out.fd,0)

fd_2 = open("/dev/yy"..)

arg2.handle = arg1->handle

ioctl(fd_2, cmd, &arg2)

I was thinking two solutions:

1. Extend description files logic to be able to pass arg1->handle to arg2->handle like c.

2. syzkaller only works like libfuzzer to provide the interface to give the corpus to another c compiled program.

在 2018年12月27日星期四 UTC+8上午9:50:23，joey....@gmail.com写道：

[Dmitry Vyukov]

On Thu, Dec 27, 2018 at 2:50 AM <joey....@gmail.com> wrote:
>
> Hi Dmitry,
> I created https://github.com/google/syzkaller/issues/900

FTR, answered on the issue.

[joey....@gmail.com]

resource only accepts int like underlying type while arg is struct.

so `resource mem_arg[arg]` will fail during build.

And I know there is fd_ion, but the xx driver has its own ion buffer implementation. You think ioctl(fd_ion, cmd, arg) will work?

在 2018年12月27日星期四 UTC+8下午4:01:48，Dmitry Vyukov写道：

[Dmitry Vyukov]

On Fri, Dec 28, 2018 at 4:32 AM <joey....@gmail.com> wrote:
>
> resource only accepts int like underlying type while arg is struct.

That's what you showed me:

ioctl(fd_1, cmd, arg1) // ion allocated

arg2.handle = arg1->handle
ioctl(fd_2, cmd, &arg2)

resources cover this.
Show the exact device, header and interfaces we are talking about.