search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
add to, and prioritize the TODO a little.
[trinity.git] / maps.c
blobbe4f9af5b2de4c04535baf3087cc2c86bade06cc
1 #include <stdlib.h>
2 #include <string.h>
3 #include <sys/mman.h>
4 #include <sys/types.h>
5 #include <sys/stat.h>
6 #include "arch.h"
7 #include "list.h"
8 #include "child.h"
9 #include "maps.h"
10 #include "random.h"
11 #include "shm.h"
12 #include "trinity.h" // page_size
13
14 /* Walk a list, get a random element */
15 static struct map * __get_map(struct list_head *head, unsigned int max)
16 {
17 struct list_head *node;
18
19 unsigned int i, j = 0;
20
21 i = rand() % max;
22
23 list_for_each(node, head) {
24 struct map *m;
25
26 m = (struct map *) node;
27
28 if (i == j)
29 return m;
30 j++;
31 }
32 return NULL;
33 }
34
35 /* Return a pointer a previous mmap() that we did, either during startup,
36 * or from a fuzz result. */
37 struct map * get_map(void)
38 {
39 struct map *map;
40 bool local = FALSE;
41
42 /* We can get called by child processes, and also during startup by
43 * the main process when it constructs page_rand etc.
44 * If we're not running in child context, just do shared mappings.
45 * because main doesn't have any 'local' mappings.
46 */
47 if (this_child != 0) {
48 if (shm->num_mappings[this_child] > 0)
49 local = rand_bool();
50 }
51
52 if (local == TRUE)
53 map = __get_map(&shm->mappings[this_child]->list, shm->num_mappings[this_child]);
54 else
55 map = __get_map(&shared_mappings->list, num_shared_mappings);
56
57 return map;
58 }
59
60 static void delete_local_mapping(int childno, struct map *map)
61 {
62 list_del(&map->list);
63 shm->num_mappings[childno]--;
64 }
65
66 /* Called from munmap()'s ->post routine. */
67 void delete_mapping(int childno, struct map *map)
68 {
69 if (map->type == MAP_LOCAL)
70 delete_local_mapping(childno, map);
71
72 /* Right now, we don't want to delete MAP_GLOBAL mappings */
73 }
74
75 /* used in several sanitise_* functions. */
76 struct map * common_set_mmap_ptr_len(int childno)
77 {
78 struct map *map;
79
80 map = (struct map *) shm->syscall[childno].a1;
81 shm->scratch[childno] = (unsigned long) map; /* Save this for ->post */
82 if (map == NULL) {
83 shm->syscall[childno].a1 = 0;
84 shm->syscall[childno].a2 = 0;
85 return NULL;
86 }
87
88 shm->syscall[childno].a1 = (unsigned long) map->ptr;
89 shm->syscall[childno].a2 = map->size; //TODO: Munge this.
90
91 return map;
92 }
93
94 /*
95 * Routine to perform various kinds of write operations to a mapping
96 * that we created.
97 */
98 void dirty_mapping(struct map *map)
99 {
100 char *p = map->ptr;
101 unsigned int i;
102 unsigned int num_pages = map->size / page_size;
103
104 /* Check mapping is writable, or we'll segv.
105 * TODO: Perhaps we should do that, and trap it, mark it writable,
106 * then reprotect after we dirtied it ? */
107 if (!(map->prot & PROT_WRITE))
108 return;
109
110 switch (rand() % 6) {
111 case 0:
112 /* Just fault in one page. */
113 p[rand() % map->size] = rand();
114 break;
115
116 case 1:
117 /* fault in the whole mapping. */
118 for (i = 0; i < map->size; i += page_size)
119 p[i] = rand();
120 break;
121
122 case 2:
123 /* every other page. */
124 for (i = 0; i < map->size; i += (page_size * 2))
125 p[i] = rand();
126 break;
127
128 case 3:
129 /* whole mapping in reverse */
130 for (i = (map->size - page_size); i > 0; i -= page_size)
131 p[i] = rand();
132 break;
133
134 case 4:
135 /* fault in a random set of map->size pages. (some may be faulted >once) */
136 for (i = 0; i < num_pages; i++)
137 p[(rand() % (num_pages + 1)) * page_size] = rand();
138 break;
139
140 case 5:
141 /* fault in the last page in a mapping
142 * Fill it with ascii, in the hope we do something like
143 * a strlen and go off the end. */
144 memset((void *) p + (map->size - page_size), 'A', page_size);
145 break;
146 }
147 }
Linux systemcall fuzzer