search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
move_pages: just use calloc
[trinity.git] / syscalls / execve.c
blob69f062a73b71648043bb99ed9a5e9dae028923ed
1 /*
2 * SYSCALL_DEFINE3(execve,
3 * const char __user *, filename,
4 * const char __user *const __user *, argv,
5 * const char __user *const __user *, envp)
6 *
7 * On success, execve() does not return
8 * on error -1 is returned, and errno is set appropriately.
9 *
10 * TODO: Redirect stdin/stdout.
11 */
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include "arch.h" // page_size
15 #include "random.h" // generate_random_page
16 #include "sanitise.h"
17 #include "shm.h"
18 #include "trinity.h" // __unused__
19
20 static unsigned long ** gen_ptrs_to_crap(void)
21 {
22 void **ptr;
23 unsigned int i;
24 unsigned int count = rand() % 32;
25
26 /* Fabricate argv */
27 ptr = malloc(count * sizeof(void *)); // FIXME: LEAK
28 if (ptr == NULL)
29 return NULL;
30
31 for (i = 0; i < count; i++) {
32 ptr[i] = malloc(page_size); // FIXME: LEAK
33 if (ptr[i] != NULL)
34 generate_random_page((char *) ptr[i]);
35 }
36
37 return (unsigned long **) ptr;
38 }
39
40 static void sanitise_execve(__unused__ int childno)
41 {
42 /* we don't want to block if something tries to read from stdin */
43 fclose(stdin);
44
45 /* Fabricate argv */
46 shm->syscall[childno].a2 = (unsigned long) gen_ptrs_to_crap();
47
48 /* Fabricate envp */
49 shm->syscall[childno].a3 = (unsigned long) gen_ptrs_to_crap();
50 }
51
52 struct syscallentry syscall_execve = {
53 .name = "execve",
54 .num_args = 3,
55 .arg1name = "name",
56 .arg1type = ARG_PATHNAME,
57 .arg2name = "argv",
58 .arg2type = ARG_ADDRESS,
59 .arg3name = "envp",
60 .arg3type = ARG_ADDRESS,
61 .sanitise = sanitise_execve,
62 .group = GROUP_VFS,
63 .flags = EXTRA_FORK,
64 };
Linux systemcall fuzzer