From 0e0170ac867c821d90c352491e5bee4003e1fddd Mon Sep 17 00:00:00 2001
From: mpi
Date: Tue, 7 Sep 2021 19:29:12 +0000
Subject: [PATCH] Check that map/hist functions are called with the right argument.

Change the parser to make clear() and zero() accept only local and global variables as arguments.

Since the parser has no knowledge of the type of a variable abort the execution if clear() or zero() are being called with something other than a map or hist.

Fix assertions found by jasper@ with AFL++ (port coming soon!).

ok jasper@
---
 usr.sbin/btrace/bt_parse.y | 20 +++++++++++++-------
 usr.sbin/btrace/btrace.c | 8 +++++++-
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/btrace/bt_parse.y b/usr.sbin/btrace/bt_parse.y
index 9639019183d..e1e8da69648 100644
--- a/usr.sbin/btrace/bt_parse.y
+++ b/usr.sbin/btrace/bt_parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: bt_parse.y,v 1.38 2021/09/07 19:18:08 mpi Exp $ */
+/* $OpenBSD: bt_parse.y,v 1.39 2021/09/07 19:29:12 mpi Exp $ */
 
 /*
  * Copyright (c) 2019-2021 Martin Pieuchot
@@ -117,7 +117,8 @@ static int pflag;
 /* Builtins */
 %token BUILTIN BEGIN END HZ IF
 /* Functions and Map operators */
-%token F_DELETE F_PRINT FUNC0 FUNC1 FUNCN OP1 OP4 MOP0 MOP1
+%token F_DELETE F_PRINT
+%token MFUNC FUNC0 FUNC1 FUNCN OP1 OP4 MOP0 MOP1
 %token STRING CSTRING
 %token NUMBER
@@ -128,7 +129,7 @@ static int pflag;
 %type filter
 %type action stmt stmtblck stmtlist block
 %type pat vargs mentry mpat pargs
-%type expr term fterm factor
+%type expr term fterm variable factor
 %%
 grammar : /* empty */
@@ -206,11 +207,14 @@ fterm : fterm '*' factor { $$ = ba_op(B_AT_OP_MULT, $1, $3); }
 | factor
 ;
 
+variable: lvar { $$ = bl_find($1); }
+ | gvar { $$ = bg_find($1); }
+ ;
+
 factor : '(' expr ')' { $$ = $2; }
 | staticv { $$ = ba_new($1, B_AT_LONG); }
 | BUILTIN { $$ = ba_new(NULL, $1); }
- | lvar { $$ = bl_find($1); }
- | gvar { $$ = bg_find($1); }
+ | variable
 | mentry
 ;
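Review bot: The new `variable` nonterminal in the @@ -206 hunk carries no comment saying why lvar and gvar were split out of `factor`; the only reason visible elsewhere in the patch is that the `MFUNC` statement rule needs a syntactic category admitting exactly those two forms, and a reader of this hunk alone cannot tell that `variable` is more than a refactor. A one-line comment above the rule, `/* lvar or gvar: the only argument form accepted by MFUNC (clear/zero) */`, would make the intent and the coupling explicit. The `fterm` rule named in the hunk header begins outside the hunk.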
@@ -232,6 +236,7 @@ stmt : ';' NL { $$ = NULL; }
 | gvar '[' vargs ']' '=' mpat { $$ = bm_insert($1, $3, $6); }
 | FUNCN '(' vargs ')' { $$ = bs_new($1, $3, NULL); }
 | FUNC1 '(' pat ')' { $$ = bs_new($1, $3, NULL); }
+ | MFUNC '(' variable ')' { $$ = bs_new($1, $3, NULL); }
 | FUNC0 '(' ')' { $$ = bs_new($1, NULL, NULL); }
 | F_DELETE '(' mentry ')' { $$ = bm_op($1, $3, NULL); }
 | F_PRINT '(' pargs ')' { $$ = bs_new($1, $3, NULL); }
@@ -246,6 +251,7 @@ stmtlist: stmtlist stmtblck { $$ = bs_append($1, $2); }
 | stmtlist stmt { $$ = bs_append($1, $2); }
 | stmtblck
 | stmt
+ | /* empty */
 ;
 
 block : '{' stmt ';' '}' { $$ = $2; }
@@ -650,7 +656,7 @@ lookup(char *s)
 { "arg7", BUILTIN, B_AT_BI_ARG7 },
 { "arg8", BUILTIN, B_AT_BI_ARG8 },
 { "arg9", BUILTIN, B_AT_BI_ARG9 },
- { "clear", FUNC1, B_AC_CLEAR },
+ { "clear", MFUNC, B_AC_CLEAR },
 { "comm", BUILTIN, B_AT_BI_COMM },
 { "count", MOP0, B_AT_MF_COUNT },
 { "cpu", BUILTIN, B_AT_BI_CPU },
@@ -672,7 +678,7 @@ lookup(char *s)
 { "tid", BUILTIN, B_AT_BI_TID },
 { "time", FUNC1, B_AC_TIME },
 { "ustack", BUILTIN, B_AT_BI_USTACK },
- { "zero", FUNC1, B_AC_ZERO },
+ { "zero", MFUNC, B_AC_ZERO },
 };
 
 return bsearch(s, kws, nitems(kws), sizeof(kws[0]), kw_cmp);
diff --git a/usr.sbin/btrace/btrace.c b/usr.sbin/btrace/btrace.c
index 2530126271a..ccdfabea109 100644
--- a/usr.sbin/btrace/btrace.c
+++ b/usr.sbin/btrace/btrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: btrace.c,v 1.47 2021/09/03 16:45:44 jasper Exp $ */
+/* $OpenBSD: btrace.c,v 1.48 2021/09/07 19:29:12 mpi Exp $ */
 
 /*
  * Copyright (c) 2019 - 2021 Martin Pieuchot
@@ -748,6 +748,9 @@ stmt_clear(struct bt_stmt *bs)
 assert(bs->bs_var == NULL);
 assert(ba->ba_type == B_AT_VAR);
 
+ if (bv->bv_type != B_VT_MAP && bv->bv_type != B_VT_HIST)
+ errx(1, "invalid variable type for clear(%s)", ba_name(ba));
+
 map_clear((struct map *)bv->bv_value);
 bv->bv_value = NULL;
 
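Review bot: The new `| /* empty */` alternative of `stmtlist` in the @@ -246 hunk has no action, so `$$` comes from yacc's default `$$ = $1`, which for a rule with no right-hand side copies whatever sits in the stack slot rather than a defined value (some generator skeletons zero it, but that is a property of the generator, not of the grammar), and that value is later handed to `bs_append($1, $2)` as the list head. Setting it explicitly, `| /* empty */ { $$ = NULL; }`, removes the dependency on the skeleton, assuming bs_append treats a NULL head as an empty list as its use in the `stmtlist stmt` alternative suggests. The empty alternative also overlaps the `stmtblck` and `stmt` alternatives, since a single statement can now be derived either directly or as an empty list followed by that statement; yacc will likely report this as a shift/reduce conflict, and dropping the two single-item alternatives would remove the ambiguity without changing the accepted language.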
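Review bot: The added type check in stmt_clear() guards against a non-map variable but not against a NULL `bv->bv_value`, which the existing `bv->bv_value = NULL;` two lines below makes reachable when the same variable is cleared again before it has been repopulated; the same applies to stmt_zero() in the @@ -937 hunk when zero() follows an earlier clear(). Unless map_clear() and map_zero() tolerate a NULL argument, a guard after the new errx(), `if (bv->bv_value == NULL) return;`, would close that path. The `assert(ba->ba_type == B_AT_VAR)` above the new lines is now guaranteed by the grammar's `MFUNC '(' variable ')'` rule, so a comment such as `/* the parser only admits variables here; map/hist vs. other is only known at runtime */` would document which half of the check lives where. stmt_clear() begins and ends outside the hunk.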
@@ -937,6 +940,9 @@ stmt_zero(struct bt_stmt *bs)
 assert(bs->bs_var == NULL);
 assert(ba->ba_type == B_AT_VAR);
 
+ if (bv->bv_type != B_VT_MAP && bv->bv_type != B_VT_HIST)
+ errx(1, "invalid variable type for zero(%s)", ba_name(ba));
+
 map_zero((struct map *)bv->bv_value);
 debug("map=%p '%s' zero\n", bv->bv_value, bv_name(bv));
-- 
2.20.1