[compiler-rt] r210533 - [sanitizer] Relax sanity checks in ioctl decoding.

Tue Jun 10 06:54:15 PDT 2014

Author: eugenis
Date: Tue Jun 10 08:54:15 2014
New Revision: 210533

URL: http://llvm.org/viewvc/llvm-project?rev=210533&view=rev
Log:
[sanitizer] Relax sanity checks in ioctl decoding.

Standard KVM ioctls don't pass currect ioctl_decode().

Modified:
    compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors_ioctl.inc
    compiler-rt/trunk/lib/sanitizer_common/tests/sanitizer_ioctl_test.cc

Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors_ioctl.inc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors_ioctl.inc?rev=210533&r1=210532&r2=210533&view=diff
==============================================================================

--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors_ioctl.inc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors_ioctl.inc Tue Jun 10 08:54:15 2014
@@ -529,7 +529,7 @@ static bool ioctl_decode(unsigned req, i
   desc->name = "<DECODED_IOCTL>";
   desc->size = IOC_SIZE(req);
   // Sanity check.
-  if (desc->size > 1024) return false;
+  if (desc->size > 0xFFFF) return false;
   unsigned dir = IOC_DIR(req);
   switch (dir) {
     case IOC_NONE:
@@ -547,10 +547,10 @@ static bool ioctl_decode(unsigned req, i
     default:
       return false;
   }
-  if (desc->type != IOC_NONE && desc->size == 0) return false;
-  char id = IOC_TYPE(req);
+  // Size can be 0 iff type is NONE.
+  if ((desc->type == IOC_NONE) != (desc->size == 0)) return false;
   // Sanity check.
-  if (!(id >= 'a' && id <= 'z') && !(id >= 'A' && id <= 'Z')) return false;
+  if (IOC_TYPE(req) == 0) return false;
   return true;
 }
 

Modified: compiler-rt/trunk/lib/sanitizer_common/tests/sanitizer_ioctl_test.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/tests/sanitizer_ioctl_test.cc?rev=210533&r1=210532&r2=210533&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/tests/sanitizer_ioctl_test.cc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/tests/sanitizer_ioctl_test.cc Tue Jun 10 08:54:15 2014
@@ -75,4 +75,29 @@ TEST(SanitizerIoctl, Fixup) {
   EXPECT_EQ(EVIOCGKEY(0), desc->req);
 }
 
+// Test decoding KVM ioctl numbers.
+TEST(SanitizerIoctl, KVM_GET_MP_STATE) {
+  ioctl_desc desc;
+  bool res = ioctl_decode(0x8004ae98U, &desc);
+  EXPECT_TRUE(res);
+  EXPECT_EQ(ioctl_desc::WRITE, desc.type);
+  EXPECT_EQ(4U, desc.size);
+}
+
+TEST(SanitizerIoctl, KVM_GET_LAPIC) {
+  ioctl_desc desc;
+  bool res = ioctl_decode(0x8400ae8eU, &desc);
+  EXPECT_TRUE(res);
+  EXPECT_EQ(ioctl_desc::WRITE, desc.type);
+  EXPECT_EQ(1024U, desc.size);
+}
+
+TEST(SanitizerIoctl, KVM_GET_MSR_INDEX_LIST) {
+  ioctl_desc desc;
+  bool res = ioctl_decode(0xc004ae02U, &desc);
+  EXPECT_TRUE(res);
+  EXPECT_EQ(ioctl_desc::READWRITE, desc.type);
+  EXPECT_EQ(4U, desc.size);
+}
+
 #endif // SANITIZER_LINUX



