2017-05-12

Android SYSCALL_DEFINE

Test


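@staticmethod
def get_syscall_from_file(file_full_path, func_list):
    """
    Collect every ``SYSCALL_DEFINE*`` entry-point head found in one C source file.

    The file text is scanned with a regex for ``SYSCALL_DEFINE(...)`` /
    ``SYSCALL_DEFINEn(...)`` heads that are followed (possibly after a
    newline) by an opening ``{``.  Each hit is flattened to one line
    (newlines and tabs removed, then stripped) and appended to ``func_list``
    in file order, e.g. ``"SYSCALL_DEFINE2(mkdir, const char __user *,
    pathname,umode_t, mode)"``.

    Caveats for anyone using the output as an attack-surface inventory
    (all follow directly from the pattern below):

    - The look-behind admits only whitespace, ``:`` or ``~`` before the
      macro name, so ``COMPAT_SYSCALL_DEFINE*`` heads are NOT collected;
      ``SYSCALL_DEFINEx(...)`` is skipped too because ``x`` is not a digit.
    - The scan is purely textual: a head inside a comment or an ``#if 0``
      block is reported exactly like a live definition.
    - Newlines are dropped without inserting a space, which glues tokens
      that were split across lines (``text_len,unsigned long``).  This is
      kept unchanged so existing consumers of the output still match.

    :param file_full_path: path of the C source file to scan
    :param func_list: list the flattened heads are appended to (mutated in place)
    :return: ``func_list`` itself (the same object), for call chaining
    :raises TypeError: if ``file_full_path`` is not a ``str`` or
        ``func_list`` is not a ``list``
    """
    regex_proc = r"((?<=[\s:~])\**SYSCALL_DEFINE\d*\s*\(([\(\w\)\s,<>\[\].=&':/*]*?)\).*(const)?\s*(?={))"
    if not isinstance(file_full_path, str) or not isinstance(func_list, list):
        raise TypeError("file_full_path must be a str and func_list must be a list")
    try:
        # Kernel sources are not guaranteed to be valid UTF-8 (stray Latin-1
        # bytes in comments are common).  Decoding with the locale default
        # and letting UnicodeDecodeError escape silently dropped every
        # syscall of the affected file; replacing undecodable bytes keeps the
        # scan going, and a replacement char cannot appear inside a matched
        # head unless the head itself was non-ASCII.
        with open(file_full_path, "r", encoding="utf-8", errors="replace") as f:
            content = f.read()
    except OSError as e:
        # Best effort per file: the caller walks a whole tree, so one
        # unreadable file must not abort the run -- but name the file so the
        # message is actionable.
        print("%s: %s" % (file_full_path, e))
        return func_list
    for match in re.finditer(regex_proc, content):
        syscall_define = match.group(0).replace("\n", "").replace("\t", "").strip()
        func_list.append(syscall_define)
    return func_list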
{
  "msm/arch/alpha/kernel/osf_sys.c": [
    "SYSCALL_DEFINE1(osf_brk, unsigned long, brk)",
    "SYSCALL_DEFINE4(osf_set_program_attributes, unsigned long, text_start,unsigned long, text_len, unsigned long, bss_start,unsigned long, bss_len)",
    "SYSCALL_DEFINE4(osf_getdirentries, unsigned int, fd,struct osf_dirent __user *, dirent, unsigned int, count,long __user *, basep)",
    "SYSCALL_DEFINE6(osf_mmap, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags, unsigned long, fd,unsigned long, off)",
    "SYSCALL_DEFINE3(osf_statfs, const char __user *, pathname,struct osf_statfs __user *, buffer, unsigned long, bufsiz)",
    "SYSCALL_DEFINE3(osf_fstatfs, unsigned long, fd,struct osf_statfs __user *, buffer, unsigned long, bufsiz)",
    "SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, const char __user *, path,int, flag, void __user *, data)",
    "SYSCALL_DEFINE1(osf_utsname, char __user *, name)",
    "SYSCALL_DEFINE0(getpagesize)",
    "SYSCALL_DEFINE0(getdtablesize)",
    "SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)",
    "SYSCALL_DEFINE2(osf_proplist_syscall, enum pl_code, code,union pl_args __user *, args)",
    "SYSCALL_DEFINE2(osf_sigstack, struct sigstack __user *, uss,struct sigstack __user *, uoss)",
    "SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)",
    "SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,unsigned long, nbytes, int __user *, start, void __user *, arg)",
    "SYSCALL_DEFINE5(osf_setsysinfo, unsigned long, op, void __user *, buffer,unsigned long, nbytes, int __user *, start, void __user *, arg)",
    "SYSCALL_DEFINE2(osf_gettimeofday, struct timeval32 __user *, tv,struct timezone __user *, tz)",
    "SYSCALL_DEFINE2(osf_settimeofday, struct timeval32 __user *, tv,struct timezone __user *, tz)",
    "SYSCALL_DEFINE2(osf_getitimer, int, which, struct itimerval32 __user *, it)",
    "SYSCALL_DEFINE3(osf_setitimer, int, which, struct itimerval32 __user *, in,struct itimerval32 __user *, out)",
    "SYSCALL_DEFINE2(osf_utimes, const char __user *, filename,struct timeval32 __user *, tvs)",
    "SYSCALL_DEFINE5(osf_select, int, n, fd_set __user *, inp, fd_set __user *, outp,fd_set __user *, exp, struct timeval32 __user *, tvp)",
    "SYSCALL_DEFINE2(osf_getrusage, int, who, struct rusage32 __user *, ru)",
    "SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,struct rusage32 __user *, ur)",
    "SYSCALL_DEFINE2(osf_usleep_thread, struct timeval32 __user *, sleep,struct timeval32 __user *, remain)",
    "SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)",
    "SYSCALL_DEFINE3(osf_readv, unsigned long, fd,const struct iovec __user *, vector, unsigned long, count)",
    "SYSCALL_DEFINE3(osf_writev, unsigned long, fd,const struct iovec __user *, vector, unsigned long, count)"
  ],
  "msm/arch/alpha/kernel/signal.c": [
    "SYSCALL_DEFINE2(osf_sigprocmask, int, how, unsigned long, newmask)",
    "SYSCALL_DEFINE3(osf_sigaction, int, sig,const struct osf_sigaction __user *, act,struct osf_sigaction __user *, oact)",
    "SYSCALL_DEFINE5(rt_sigaction, int, sig, const struct sigaction __user *, act,struct sigaction __user *, oact,size_t, sigsetsize, void __user *, restorer)",
    "SYSCALL_DEFINE1(sigsuspend, old_sigset_t, mask)"
  ],
  "msm/arch/blackfin/kernel/sys_bfin.c": [
    "SYSCALL_DEFINE3(cacheflush, unsigned long, addr, unsigned long, len, int, op)"
  ],
  "msm/arch/c6x/kernel/process.c": [
    "SYSCALL_DEFINE1(c6x_clone, struct pt_regs *, regs)",
    "SYSCALL_DEFINE4(c6x_execve, const char __user *, name,const char __user *const __user *, argv,const char __user *const __user *, envp,struct pt_regs *, regs)"
  ],
  "msm/arch/mips/kernel/linux32.c": [
    "SYSCALL_DEFINE6(32_mmap2, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags, unsigned long, fd,unsigned long, pgoff)",
    "SYSCALL_DEFINE4(32_truncate64, const char __user *, path,unsigned long, __dummy, unsigned long, a2, unsigned long, a3)",
    "SYSCALL_DEFINE4(32_ftruncate64, unsigned long, fd, unsigned long, __dummy,unsigned long, a2, unsigned long, a3)",
    "SYSCALL_DEFINE5(32_llseek, unsigned int, fd, unsigned int, offset_high,unsigned int, offset_low, loff_t __user *, result,unsigned int, origin)",
    "SYSCALL_DEFINE6(32_pread, unsigned long, fd, char __user *, buf, size_t, count,unsigned long, unused, unsigned long, a4, unsigned long, a5)",
    "SYSCALL_DEFINE6(32_pwrite, unsigned int, fd, const char __user *, buf,size_t, count, u32, unused, u64, a4, u64, a5)",
    "SYSCALL_DEFINE2(32_sched_rr_get_interval, compat_pid_t, pid,struct compat_timespec __user *, interval)",
    "SYSCALL_DEFINE6(32_ipc, u32, call, long, first, long, second, long, third,unsigned long, ptr, unsigned long, fifth)",
    "SYSCALL_DEFINE6(32_ipc, u32, call, int, first, int, second, int, third,u32, ptr, u32, fifth)",
    "SYSCALL_DEFINE4(n32_semctl, int, semid, int, semnum, int, cmd, u32, arg)",
    "SYSCALL_DEFINE4(n32_msgsnd, int, msqid, u32, msgp, unsigned int, msgsz,int, msgflg)",
    "SYSCALL_DEFINE5(n32_msgrcv, int, msqid, u32, msgp, size_t, msgsz,int, msgtyp, int, msgflg)",
    "SYSCALL_DEFINE1(32_personality, unsigned long, personality)",
    "SYSCALL_DEFINE4(32_sendfile, long, out_fd, long, in_fd,compat_off_t __user *, offset, s32, count)",
    "SYSCALL_DEFINE6(32_fanotify_mark, int, fanotify_fd, unsigned int, flags,u64, a3, u64, a4, int, dfd, const char  __user *, pathname)",
    "SYSCALL_DEFINE6(32_futex, u32 __user *, uaddr, int, op, u32, val,struct compat_timespec __user *, utime, u32 __user *, uaddr2,u32, val3)"
  ],
  "msm/arch/mips/kernel/signal.c": [
    "SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,struct sigaction __user *, oact)"
  ],
  "msm/arch/mips/kernel/signal32.c": [
    "SYSCALL_DEFINE3(32_sigaction, long, sig, const struct sigaction32 __user *, act,struct sigaction32 __user *, oact)",
    "SYSCALL_DEFINE4(32_rt_sigaction, int, sig,const struct sigaction32 __user *, act,struct sigaction32 __user *, oact, unsigned int, sigsetsize)",
    "SYSCALL_DEFINE4(32_rt_sigprocmask, int, how, compat_sigset_t __user *, set,compat_sigset_t __user *, oset, unsigned int, sigsetsize)",
    "SYSCALL_DEFINE2(32_rt_sigpending, compat_sigset_t __user *, uset,unsigned int, sigsetsize)",
    "SYSCALL_DEFINE3(32_rt_sigqueueinfo, int, pid, int, sig,compat_siginfo_t __user *, uinfo)",
    "SYSCALL_DEFINE5(32_waitid, int, which, compat_pid_t, pid,     compat_siginfo_t __user *, uinfo, int, options,     struct compat_rusage __user *, uru)"
  ],
  "msm/arch/mips/kernel/syscall.c": [
    "SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags, unsigned long,fd, off_t, offset)",
    "SYSCALL_DEFINE6(mips_mmap2, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags, unsigned long, fd,unsigned long, pgoff)",
    "SYSCALL_DEFINE1(set_thread_area, unsigned long, addr)",
    "SYSCALL_DEFINE3(cachectl, char *, addr, int, nbytes, int, op)"
  ],
  "msm/arch/mips/mm/cache.c": [
    "SYSCALL_DEFINE3(cacheflush, unsigned long, addr, unsigned long, bytes,unsigned int, cache)"
  ],
  "msm/arch/powerpc/platforms/cell/spu_syscalls.c": [
    "SYSCALL_DEFINE4(spu_create, const char __user *, name, unsigned int, flags,umode_t, mode, int, neighbor_fd)"
  ],
  "msm/arch/s390/kernel/process.c": [
    "SYSCALL_DEFINE0(fork)",
    "SYSCALL_DEFINE4(clone, unsigned long, newsp, unsigned long, clone_flags,int __user *, parent_tidptr, int __user *, child_tidptr)",
    "SYSCALL_DEFINE0(vfork)",
    "SYSCALL_DEFINE3(execve, const char __user *, name,const char __user *const __user *, argv,const char __user *const __user *, envp)"
  ],
  "msm/arch/s390/kernel/signal.c": [
    "SYSCALL_DEFINE3(sigsuspend, int, history0, int, history1, old_sigset_t, mask)",
    "SYSCALL_DEFINE3(sigaction, int, sig, const struct old_sigaction __user *, act,struct old_sigaction __user *, oact)",
    "SYSCALL_DEFINE2(sigaltstack, const stack_t __user *, uss,stack_t __user *, uoss)",
    "SYSCALL_DEFINE0(sigreturn)",
    "SYSCALL_DEFINE0(rt_sigreturn)"
  ],
  "msm/arch/s390/kernel/sys_s390.c": [
    "SYSCALL_DEFINE1(mmap2, struct s390_mmap_arg_struct __user *, arg)",
    "SYSCALL_DEFINE5(s390_ipc, uint, call, int, first, unsigned long, second,unsigned long, third, void __user *, ptr)",
    "SYSCALL_DEFINE1(s390_personality, unsigned int, personality)",
    "SYSCALL_DEFINE5(s390_fadvise64, int, fd, u32, offset_high, u32, offset_low,size_t, len, int, advice)",
    "SYSCALL_DEFINE1(s390_fadvise64_64, struct fadvise64_64_args __user *, args)",
    "SYSCALL_DEFINE(s390_fallocate)(int fd, int mode, loff_t offset,       u32 len_high, u32 len_low)"
  ],
  "msm/arch/sparc/kernel/sys_sparc_64.c": [
    "SYSCALL_DEFINE1(sparc_pipe_real, struct pt_regs *, regs)",
    "SYSCALL_DEFINE6(sparc_ipc, unsigned int, call, int, first, unsigned long, second,unsigned long, third, void __user *, ptr, long, fifth)",
    "SYSCALL_DEFINE1(sparc64_personality, unsigned long, personality)",
    "SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags, unsigned long, fd,unsigned long, off)",
    "SYSCALL_DEFINE2(64_munmap, unsigned long, addr, size_t, len)",
    "SYSCALL_DEFINE5(64_mremap, unsigned long, addr,unsigned long, old_len,unsigned long, new_len, unsigned long, flags,unsigned long, new_addr)",
    "SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)",
    "SYSCALL_DEFINE5(utrap_install, utrap_entry_t, type,utrap_handler_t, new_p, utrap_handler_t, new_d,utrap_handler_t __user *, old_p,utrap_handler_t __user *, old_d)",
    "SYSCALL_DEFINE5(rt_sigaction, int, sig, const struct sigaction __user *, act,struct sigaction __user *, oact, void __user *, restorer,size_t, sigsetsize)"
  ],
  "msm/arch/tile/kernel/process.c": [
    "SYSCALL_DEFINE5(clone, unsigned long, clone_flags, unsigned long, newsp,void __user *, parent_tidptr, void __user *, child_tidptr,struct pt_regs *, regs)",
    "SYSCALL_DEFINE4(execve, const char __user *, path,const char __user *const __user *, argv,const char __user *const __user *, envp,struct pt_regs *, regs)"
  ],
  "msm/arch/tile/kernel/signal.c": [
    "SYSCALL_DEFINE3(sigaltstack, const stack_t __user *, uss,stack_t __user *, uoss, struct pt_regs *, regs)",
    "SYSCALL_DEFINE1(rt_sigreturn, struct pt_regs *, regs)"
  ],
  "msm/arch/tile/kernel/sys.c": [
    "SYSCALL_DEFINE0(flush_cache)",
    "SYSCALL_DEFINE6(mmap2, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, unsigned long, off_4k)",
    "SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, off_t, offset)"
  ],
  "msm/arch/tile/mm/fault.c": [
    "SYSCALL_DEFINE2(cmpxchg_badaddr, unsigned long, address,struct pt_regs *, regs)"
  ],
  "msm/arch/unicore32/kernel/sys.c": [
    "SYSCALL_DEFINE6(mmap2, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, unsigned long, off_4k)"
  ],
  "msm/arch/x86/kernel/sys_x86_64.c": [
    "SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, unsigned long, off)"
  ],
  "msm/drivers/pci/syscall.c": [
    "SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn,unsigned long, off, unsigned long, len, void __user *, buf)",
    "SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,unsigned long, off, unsigned long, len, void __user *, buf)"
  ],
  "msm/fs/aio.c": [
    "SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)",
    "SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)",
    "SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,struct iocb __user * __user *, iocbpp)",
    "SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,struct io_event __user *, result)",
    "SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id,long, min_nr,long, nr,struct io_event __user *, events,struct timespec __user *, timeout)"
  ],
  "msm/fs/buffer.c": [
    "SYSCALL_DEFINE2(bdflush, int, func, long, data)"
  ],
  "msm/fs/dcache.c": [
    "SYSCALL_DEFINE2(getcwd, char __user *, buf, unsigned long, size)"
  ],
  "msm/fs/dcookies.c": [
    "SYSCALL_DEFINE(lookup_dcookie)(u64 cookie64, char __user * buf, size_t len)"
  ],
  "msm/fs/eventfd.c": [
    "SYSCALL_DEFINE2(eventfd2, unsigned int, count, int, flags)",
    "SYSCALL_DEFINE1(eventfd, unsigned int, count)"
  ],
  "msm/fs/eventpoll.c": [
    "SYSCALL_DEFINE1(epoll_create1, int, flags)",
    "SYSCALL_DEFINE1(epoll_create, int, size)",
    "SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,struct epoll_event __user *, event)",
    "SYSCALL_DEFINE4(epoll_wait, int, epfd, struct epoll_event __user *, events,int, maxevents, int, timeout)",
    "SYSCALL_DEFINE6(epoll_pwait, int, epfd, struct epoll_event __user *, events,int, maxevents, int, timeout, const sigset_t __user *, sigmask,size_t, sigsetsize)"
  ],
  "msm/fs/exec.c": [
    "SYSCALL_DEFINE1(uselib, const char __user *, library)"
  ],
  "msm/fs/fcntl.c": [
    "SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)",
    "SYSCALL_DEFINE2(dup2, unsigned int, oldfd, unsigned int, newfd)",
    "SYSCALL_DEFINE1(dup, unsigned int, fildes)",
    "SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)",
    "SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,unsigned long, arg)"
  ],
  "msm/fs/fhandle.c": [
    "SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name,struct file_handle __user *, handle, int __user *, mnt_id,int, flag)",
    "SYSCALL_DEFINE3(open_by_handle_at, int, mountdirfd,struct file_handle __user *, handle,int, flags)"
  ],
  "msm/fs/filesystems.c": [
    "SYSCALL_DEFINE3(sysfs, int, option, unsigned long, arg1, unsigned long, arg2)"
  ],
  "msm/fs/ioctl.c": [
    "SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)"
  ],
  "msm/fs/ioprio.c": [
    "SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio)",
    "SYSCALL_DEFINE2(ioprio_get, int, which, int, who)"
  ],
  "msm/fs/locks.c": [
    "SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd)"
  ],
  "msm/fs/namei.c": [
    "SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,unsigned, dev)",
    "SYSCALL_DEFINE3(mknod, const char __user *, filename, umode_t, mode, unsigned, dev)",
    "SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)",
    "SYSCALL_DEFINE2(mkdir, const char __user *, pathname, umode_t, mode)",
    "SYSCALL_DEFINE1(rmdir, const char __user *, pathname)",
    "SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag)",
    "SYSCALL_DEFINE1(unlink, const char __user *, pathname)",
    "SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,int, newdfd, const char __user *, newname)",
    "SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname)",
    "SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,int, newdfd, const char __user *, newname, int, flags)",
    "SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname)",
    "SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,int, newdfd, const char __user *, newname)",
    "SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newname)"
  ],
  "msm/fs/namespace.c": [
    "SYSCALL_DEFINE2(umount, char __user *, name, int, flags)",
    "SYSCALL_DEFINE1(oldumount, char __user *, name)",
    "SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,char __user *, type, unsigned long, flags, void __user *, data)",
    "SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,const char __user *, put_old)"
  ],
  "msm/fs/open.c": [
    "SYSCALL_DEFINE2(truncate, const char __user *, path, long, length)",
    "SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length)",
    "SYSCALL_DEFINE(truncate64)(const char __user * path, loff_t length)",
    "SYSCALL_DEFINE(ftruncate64)(unsigned int fd, loff_t length)",
    "SYSCALL_DEFINE(fallocate)(int fd, int mode, loff_t offset, loff_t len)",
    "SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)",
    "SYSCALL_DEFINE2(access, const char __user *, filename, int, mode)",
    "SYSCALL_DEFINE1(chdir, const char __user *, filename)",
    "SYSCALL_DEFINE1(fchdir, unsigned int, fd)",
    "SYSCALL_DEFINE1(chroot, const char __user *, filename)",
    "SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode)",
    "SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, umode_t, mode)",
    "SYSCALL_DEFINE2(chmod, const char __user *, filename, umode_t, mode)",
    "SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)",
    "SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,gid_t, group, int, flag)",
    "SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group)",
    "SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)",
    "SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)",
    "SYSCALL_DEFINE4(openat, int, dfd, const char __user *, filename, int, flags,umode_t, mode)",
    "SYSCALL_DEFINE2(creat, const char __user *, pathname, umode_t, mode)",
    "SYSCALL_DEFINE1(close, unsigned int, fd)",
    "SYSCALL_DEFINE0(vhangup)"
  ],
  "msm/fs/pipe.c": [
    "SYSCALL_DEFINE2(pipe2, int __user *, fildes, int, flags)",
    "SYSCALL_DEFINE1(pipe, int __user *, fildes)"
  ],
  "msm/fs/read_write.c": [
    "SYSCALL_DEFINE3(lseek, unsigned int, fd, off_t, offset, unsigned int, origin)",
    "SYSCALL_DEFINE5(llseek, unsigned int, fd, unsigned long, offset_high,unsigned long, offset_low, loff_t __user *, result,unsigned int, origin)",
    "SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)",
    "SYSCALL_DEFINE3(write, unsigned int, fd, const char __user *, buf,size_t, count)",
    "SYSCALL_DEFINE(pread64)(unsigned int fd, char __user *buf,size_t count, loff_t pos)",
    "SYSCALL_DEFINE(pwrite64)(unsigned int fd, const char __user *buf, size_t count, loff_t pos)",
    "SYSCALL_DEFINE3(readv, unsigned long, fd, const struct iovec __user *, vec,unsigned long, vlen)",
    "SYSCALL_DEFINE3(writev, unsigned long, fd, const struct iovec __user *, vec,unsigned long, vlen)",
    "SYSCALL_DEFINE5(preadv, unsigned long, fd, const struct iovec __user *, vec,unsigned long, vlen, unsigned long, pos_l, unsigned long, pos_h)",
    "SYSCALL_DEFINE5(pwritev, unsigned long, fd, const struct iovec __user *, vec,unsigned long, vlen, unsigned long, pos_l, unsigned long, pos_h)",
    "SYSCALL_DEFINE4(sendfile, int, out_fd, int, in_fd, off_t __user *, offset, size_t, count)",
    "SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd, loff_t __user *, offset, size_t, count)"
  ],
  "msm/fs/readdir.c": [
    "SYSCALL_DEFINE3(old_readdir, unsigned int, fd,struct old_linux_dirent __user *, dirent, unsigned int, count)",
    "SYSCALL_DEFINE3(getdents, unsigned int, fd,struct linux_dirent __user *, dirent, unsigned int, count)",
    "SYSCALL_DEFINE3(getdents64, unsigned int, fd,struct linux_dirent64 __user *, dirent, unsigned int, count)"
  ],
  "msm/fs/select.c": [
    "SYSCALL_DEFINE5(select, int, n, fd_set __user *, inp, fd_set __user *, outp,fd_set __user *, exp, struct timeval __user *, tvp)",
    "SYSCALL_DEFINE6(pselect6, int, n, fd_set __user *, inp, fd_set __user *, outp,fd_set __user *, exp, struct timespec __user *, tsp,void __user *, sig)",
    "SYSCALL_DEFINE1(old_select, struct sel_arg_struct __user *, arg)",
    "SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,int, timeout_msecs)",
    "SYSCALL_DEFINE5(ppoll, struct pollfd __user *, ufds, unsigned int, nfds,struct timespec __user *, tsp, const sigset_t __user *, sigmask,size_t, sigsetsize)"
  ],
  "msm/fs/signalfd.c": [
    "SYSCALL_DEFINE4(signalfd4, int, ufd, sigset_t __user *, user_mask,size_t, sizemask, int, flags)",
    "SYSCALL_DEFINE3(signalfd, int, ufd, sigset_t __user *, user_mask,size_t, sizemask)"
  ],
  "msm/fs/splice.c": [
    "SYSCALL_DEFINE4(vmsplice, int, fd, const struct iovec __user *, iov,unsigned long, nr_segs, unsigned int, flags)",
    "SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,int, fd_out, loff_t __user *, off_out,size_t, len, unsigned int, flags)",
    "SYSCALL_DEFINE4(tee, int, fdin, int, fdout, size_t, len, unsigned int, flags)"
  ],
  "msm/fs/stat.c": [
    "SYSCALL_DEFINE2(stat, const char __user *, filename,struct __old_kernel_stat __user *, statbuf)",
    "SYSCALL_DEFINE2(lstat, const char __user *, filename,struct __old_kernel_stat __user *, statbuf)",
    "SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, statbuf)",
    "SYSCALL_DEFINE2(newstat, const char __user *, filename,struct stat __user *, statbuf)",
    "SYSCALL_DEFINE2(newlstat, const char __user *, filename,struct stat __user *, statbuf)",
    "SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,struct stat __user *, statbuf, int, flag)",
    "SYSCALL_DEFINE2(newfstat, unsigned int, fd, struct stat __user *, statbuf)",
    "SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname,char __user *, buf, int, bufsiz)",
    "SYSCALL_DEFINE3(readlink, const char __user *, path, char __user *, buf,int, bufsiz)",
    "SYSCALL_DEFINE2(stat64, const char __user *, filename,struct stat64 __user *, statbuf)",
    "SYSCALL_DEFINE2(lstat64, const char __user *, filename,struct stat64 __user *, statbuf)",
    "SYSCALL_DEFINE2(fstat64, unsigned long, fd, struct stat64 __user *, statbuf)",
    "SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,struct stat64 __user *, statbuf, int, flag)"
  ],
  "msm/fs/statfs.c": [
    "SYSCALL_DEFINE2(statfs, const char __user *, pathname, struct statfs __user *, buf)",
    "SYSCALL_DEFINE3(statfs64, const char __user *, pathname, size_t, sz, struct statfs64 __user *, buf)",
    "SYSCALL_DEFINE2(fstatfs, unsigned int, fd, struct statfs __user *, buf)",
    "SYSCALL_DEFINE3(fstatfs64, unsigned int, fd, size_t, sz, struct statfs64 __user *, buf)",
    "SYSCALL_DEFINE2(ustat, unsigned, dev, struct ustat __user *, ubuf)"
  ],
  "msm/fs/sync.c": [
    "SYSCALL_DEFINE0(sync)",
    "SYSCALL_DEFINE1(syncfs, int, fd)",
    "SYSCALL_DEFINE1(fsync, unsigned int, fd)",
    "SYSCALL_DEFINE1(fdatasync, unsigned int, fd)",
    "SYSCALL_DEFINE(sync_file_range)(int fd, loff_t offset, loff_t nbytes,unsigned int flags)",
    "SYSCALL_DEFINE(sync_file_range2)(int fd, unsigned int flags, loff_t offset, loff_t nbytes)"
  ],
  "msm/fs/timerfd.c": [
    "SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags)",
    "SYSCALL_DEFINE4(timerfd_settime, int, ufd, int, flags,const struct itimerspec __user *, utmr,struct itimerspec __user *, otmr)",
    "SYSCALL_DEFINE2(timerfd_gettime, int, ufd, struct itimerspec __user *, otmr)"
  ],
  "msm/fs/utimes.c": [
    "SYSCALL_DEFINE2(utime, char __user *, filename, struct utimbuf __user *, times)",
    "SYSCALL_DEFINE4(utimensat, int, dfd, const char __user *, filename,struct timespec __user *, utimes, int, flags)",
    "SYSCALL_DEFINE3(futimesat, int, dfd, const char __user *, filename,struct timeval __user *, utimes)",
    "SYSCALL_DEFINE2(utimes, char __user *, filename,struct timeval __user *, utimes)"
  ],
  "msm/fs/xattr.c": [
    "SYSCALL_DEFINE5(setxattr, const char __user *, pathname,const char __user *, name, const void __user *, value,size_t, size, int, flags)",
    "SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname,const char __user *, name, const void __user *, value,size_t, size, int, flags)",
    "SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,const void __user *,value, size_t, size, int, flags)",
    "SYSCALL_DEFINE4(getxattr, const char __user *, pathname,const char __user *, name, void __user *, value, size_t, size)",
    "SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname,const char __user *, name, void __user *, value, size_t, size)",
    "SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,void __user *, value, size_t, size)",
    "SYSCALL_DEFINE3(listxattr, const char __user *, pathname, char __user *, list,size_t, size)",
    "SYSCALL_DEFINE3(llistxattr, const char __user *, pathname, char __user *, list,size_t, size)",
    "SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)",
    "SYSCALL_DEFINE2(removexattr, const char __user *, pathname,const char __user *, name)",
    "SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,const char __user *, name)",
    "SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)"
  ],
  "msm/fs/notify/fanotify/fanotify_user.c": [
    "SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)",
    "SYSCALL_DEFINE(fanotify_mark)(int fanotify_fd, unsigned int flags,      __u64 mask, int dfd,      const char  __user * pathname)"
  ],
  "msm/fs/notify/inotify/inotify_user.c": [
    "SYSCALL_DEFINE1(inotify_init1, int, flags)",
    "SYSCALL_DEFINE0(inotify_init)",
    "SYSCALL_DEFINE3(inotify_add_watch, int, fd, const char __user *, pathname,u32, mask)",
    "SYSCALL_DEFINE2(inotify_rm_watch, int, fd, __s32, wd)"
  ],
  "msm/fs/quota/quota.c": [
    "SYSCALL_DEFINE4(quotactl, unsigned int, cmd, const char __user *, special,qid_t, id, void __user *, addr)"
  ],
  "msm/ipc/mqueue.c": [
    "SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, umode_t, mode,struct mq_attr __user *, u_attr)",
    "SYSCALL_DEFINE1(mq_unlink, const char __user *, u_name)",
    "SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,size_t, msg_len, unsigned int, msg_prio,const struct timespec __user *, u_abs_timeout)",
    "SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,size_t, msg_len, unsigned int __user *, u_msg_prio,const struct timespec __user *, u_abs_timeout)",
    "SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes,const struct sigevent __user *, u_notification)",
    "SYSCALL_DEFINE3(mq_getsetattr, mqd_t, mqdes,const struct mq_attr __user *, u_mqstat,struct mq_attr __user *, u_omqstat)"
  ],
  "msm/ipc/msg.c": [
    "SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)",
    "SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)",
    "SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,int, msgflg)",
    "SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,long, msgtyp, int, msgflg)"
  ],
  "msm/ipc/sem.c": [
    "SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)",
    "SYSCALL_DEFINE(semctl)(int semid, int semnum, int cmd, union semun arg)",
    "SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,unsigned, nsops, const struct timespec __user *, timeout)",
    "SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,unsigned, nsops)"
  ],
  "msm/ipc/shm.c": [
    "SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)",
    "SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)",
    "SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg)",
    "SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)"
  ],
  "msm/ipc/syscall.c": [
    "SYSCALL_DEFINE6(ipc, unsigned int, call, int, first, unsigned long, second,unsigned long, third, void __user *, ptr, long, fifth)"
  ],
  "msm/kernel/acct.c": [
    "SYSCALL_DEFINE1(acct, const char __user *, name)"
  ],
  "msm/kernel/capability.c": [
    "SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)",
    "SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)"
  ],
  "msm/kernel/exec_domain.c": [
    "SYSCALL_DEFINE1(personality, unsigned int, personality)"
  ],
  "msm/kernel/exit.c": [
    "SYSCALL_DEFINE1(exit, int, error_code)",
    "SYSCALL_DEFINE1(exit_group, int, error_code)",
    "SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,infop, int, options, struct rusage __user *, ru)",
    "SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr,int, options, struct rusage __user *, ru)",
    "SYSCALL_DEFINE3(waitpid, pid_t, pid, int __user *, stat_addr, int, options)"
  ],
  "msm/kernel/fork.c": [
    "SYSCALL_DEFINE1(set_tid_address, int __user *, tidptr)",
    "SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)"
  ],
  "msm/kernel/futex.c": [
    "SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,size_t, len)",
    "SYSCALL_DEFINE3(get_robust_list, int, pid,struct robust_list_head __user * __user *, head_ptr,size_t __user *, len_ptr)",
    "SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,struct timespec __user *, utime, u32 __user *, uaddr2,u32, val3)"
  ],
  "msm/kernel/groups.c": [
    "SYSCALL_DEFINE2(getgroups, int, gidsetsize, gid_t __user *, grouplist)",
    "SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)"
  ],
  "msm/kernel/hrtimer.c": [
    "SYSCALL_DEFINE2(nanosleep, struct timespec __user *, rqtp,struct timespec __user *, rmtp)"
  ],
  "msm/kernel/itimer.c": [
    "SYSCALL_DEFINE2(getitimer, int, which, struct itimerval __user *, value)",
    "SYSCALL_DEFINE3(setitimer, int, which, struct itimerval __user *, value,struct itimerval __user *, ovalue)"
  ],
  "msm/kernel/kexec.c": [
    "SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,struct kexec_segment __user *, segments, unsigned long, flags)"
  ],
  "msm/kernel/module.c": [
    "SYSCALL_DEFINE2(delete_module, const char __user *, name_user,unsigned int, flags)",
    "SYSCALL_DEFINE3(init_module, void __user *, umod,unsigned long, len, const char __user *, uargs)"
  ],
  "msm/kernel/nsproxy.c": [
    "SYSCALL_DEFINE2(setns, int, fd, int, nstype)"
  ],
  "msm/kernel/posix-timers.c": [
    "SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,struct sigevent __user *, timer_event_spec,timer_t __user *, created_timer_id)",
    "SYSCALL_DEFINE2(timer_gettime, timer_t, timer_id,struct itimerspec __user *, setting)",
    "SYSCALL_DEFINE1(timer_getoverrun, timer_t, timer_id)",
    "SYSCALL_DEFINE4(timer_settime, timer_t, timer_id, int, flags,const struct itimerspec __user *, new_setting,struct itimerspec __user *, old_setting)",
    "SYSCALL_DEFINE1(timer_delete, timer_t, timer_id)",
    "SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,const struct timespec __user *, tp)",
    "SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,struct timespec __user *,tp)",
    "SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,struct timex __user *, utx)",
    "SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,struct timespec __user *, tp)",
    "SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags,const struct timespec __user *, rqtp,struct timespec __user *, rmtp)"
  ],
  "msm/kernel/printk.c": [
    "SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)"
  ],
  "msm/kernel/ptrace.c": [
    "SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,unsigned long, data)"
  ],
  "msm/kernel/seccomp.c": [
    "SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags, const char __user *, uargs)"
  ],
  "msm/kernel/signal.c": [
    "SYSCALL_DEFINE0(restart_syscall)",
    "SYSCALL_DEFINE4(rt_sigprocmask, int, how, sigset_t __user *, nset,sigset_t __user *, oset, size_t, sigsetsize)",
    "SYSCALL_DEFINE2(rt_sigpending, sigset_t __user *, set, size_t, sigsetsize)",
    "SYSCALL_DEFINE4(rt_sigtimedwait, const sigset_t __user *, uthese,siginfo_t __user *, uinfo, const struct timespec __user *, uts,size_t, sigsetsize)",
    "SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)",
    "SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig)",
    "SYSCALL_DEFINE2(tkill, pid_t, pid, int, sig)",
    "SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,siginfo_t __user *, uinfo)",
    "SYSCALL_DEFINE4(rt_tgsigqueueinfo, pid_t, tgid, pid_t, pid, int, sig,siginfo_t __user *, uinfo)",
    "SYSCALL_DEFINE1(sigpending, old_sigset_t __user *, set)",
    "SYSCALL_DEFINE3(sigprocmask, int, how, old_sigset_t __user *, nset,old_sigset_t __user *, oset)",
    "SYSCALL_DEFINE4(rt_sigaction, int, sig,const struct sigaction __user *, act,struct sigaction __user *, oact,size_t, sigsetsize)",
    "SYSCALL_DEFINE0(sgetmask)",
    "SYSCALL_DEFINE1(ssetmask, int, newmask)",
    "SYSCALL_DEFINE2(signal, int, sig, __sighandler_t, handler)",
    "SYSCALL_DEFINE0(pause)",
    "SYSCALL_DEFINE2(rt_sigsuspend, sigset_t __user *, unewset, size_t, sigsetsize)"
  ],
  "msm/kernel/sys.c": [
    "SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval)",
    "SYSCALL_DEFINE2(getpriority, int, which, int, who)",
    "SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,void __user *, arg)",
    "SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)",
    "SYSCALL_DEFINE1(setgid, gid_t, gid)",
    "SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)",
    "SYSCALL_DEFINE1(setuid, uid_t, uid)",
    "SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)",
    "SYSCALL_DEFINE3(getresuid, uid_t __user *, ruid, uid_t __user *, euid, uid_t __user *, suid)",
    "SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)",
    "SYSCALL_DEFINE3(getresgid, gid_t __user *, rgid, gid_t __user *, egid, gid_t __user *, sgid)",
    "SYSCALL_DEFINE1(setfsuid, uid_t, uid)",
    "SYSCALL_DEFINE1(setfsgid, gid_t, gid)",
    "SYSCALL_DEFINE1(times, struct tms __user *, tbuf)",
    "SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid)",
    "SYSCALL_DEFINE1(getpgid, pid_t, pid)",
    "SYSCALL_DEFINE0(getpgrp)",
    "SYSCALL_DEFINE1(getsid, pid_t, pid)",
    "SYSCALL_DEFINE0(setsid)",
    "SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)",
    "SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)",
    "SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)",
    "SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)",
    "SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)",
    "SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)",
    "SYSCALL_DEFINE2(getrlimit, unsigned int, resource, struct rlimit __user *, rlim)",
    "SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,struct rlimit __user *, rlim)",
    "SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource,const struct rlimit64 __user *, new_rlim,struct rlimit64 __user *, old_rlim)",
    "SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)",
    "SYSCALL_DEFINE2(getrusage, int, who, struct rusage __user *, ru)",
    "SYSCALL_DEFINE1(umask, int, mask)",
    "SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,unsigned long, arg4, unsigned long, arg5)",
    "SYSCALL_DEFINE3(getcpu, unsigned __user *, cpup, unsigned __user *, nodep,struct getcpu_cache __user *, unused)"
  ],
  "msm/kernel/sysctl_binary.c": [
    "SYSCALL_DEFINE1(sysctl, struct __sysctl_args __user *, args)"
  ],
  "msm/kernel/time.c": [
    "SYSCALL_DEFINE1(time, time_t __user *, tloc)",
    "SYSCALL_DEFINE1(stime, time_t __user *, tptr)",
    "SYSCALL_DEFINE2(gettimeofday, struct timeval __user *, tv,struct timezone __user *, tz)",
    "SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv,struct timezone __user *, tz)",
    "SYSCALL_DEFINE1(adjtimex, struct timex __user *, txc_p)"
  ],
  "msm/kernel/timer.c": [
    "SYSCALL_DEFINE1(alarm, unsigned int, seconds)",
    "SYSCALL_DEFINE0(getpid)",
    "SYSCALL_DEFINE0(getppid)",
    "SYSCALL_DEFINE0(getuid)",
    "SYSCALL_DEFINE0(geteuid)",
    "SYSCALL_DEFINE0(getgid)",
    "SYSCALL_DEFINE0(getegid)",
    "SYSCALL_DEFINE0(gettid)",
    "SYSCALL_DEFINE1(sysinfo, struct sysinfo __user *, info)"
  ],
  "msm/kernel/uid16.c": [
    "SYSCALL_DEFINE3(chown16, const char __user *, filename, old_uid_t, user, old_gid_t, group)",
    "SYSCALL_DEFINE3(lchown16, const char __user *, filename, old_uid_t, user, old_gid_t, group)",
    "SYSCALL_DEFINE3(fchown16, unsigned int, fd, old_uid_t, user, old_gid_t, group)",
    "SYSCALL_DEFINE2(setregid16, old_gid_t, rgid, old_gid_t, egid)",
    "SYSCALL_DEFINE1(setgid16, old_gid_t, gid)",
    "SYSCALL_DEFINE2(setreuid16, old_uid_t, ruid, old_uid_t, euid)",
    "SYSCALL_DEFINE1(setuid16, old_uid_t, uid)",
    "SYSCALL_DEFINE3(setresuid16, old_uid_t, ruid, old_uid_t, euid, old_uid_t, suid)",
    "SYSCALL_DEFINE3(getresuid16, old_uid_t __user *, ruid, old_uid_t __user *, euid, old_uid_t __user *, suid)",
    "SYSCALL_DEFINE3(setresgid16, old_gid_t, rgid, old_gid_t, egid, old_gid_t, sgid)",
    "SYSCALL_DEFINE3(getresgid16, old_gid_t __user *, rgid, old_gid_t __user *, egid, old_gid_t __user *, sgid)",
    "SYSCALL_DEFINE1(setfsuid16, old_uid_t, uid)",
    "SYSCALL_DEFINE1(setfsgid16, old_gid_t, gid)",
    "SYSCALL_DEFINE2(getgroups16, int, gidsetsize, old_gid_t __user *, grouplist)",
    "SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)",
    "SYSCALL_DEFINE0(getuid16)",
    "SYSCALL_DEFINE0(geteuid16)",
    "SYSCALL_DEFINE0(getgid16)",
    "SYSCALL_DEFINE0(getegid16)"
  ],
  "msm/kernel/events/core.c": [
    "SYSCALL_DEFINE5(perf_event_open,struct perf_event_attr __user *, attr_uptr,pid_t, pid, int, cpu, int, group_fd, unsigned long, flags)"
  ],
  "msm/kernel/sched/core.c": [
    "SYSCALL_DEFINE1(nice, int, increment)",
    "SYSCALL_DEFINE3(sched_setscheduler, pid_t, pid, int, policy,struct sched_param __user *, param)",
    "SYSCALL_DEFINE2(sched_setparam, pid_t, pid, struct sched_param __user *, param)",
    "SYSCALL_DEFINE1(sched_getscheduler, pid_t, pid)",
    "SYSCALL_DEFINE2(sched_getparam, pid_t, pid, struct sched_param __user *, param)",
    "SYSCALL_DEFINE3(sched_setaffinity, pid_t, pid, unsigned int, len,unsigned long __user *, user_mask_ptr)",
    "SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len,unsigned long __user *, user_mask_ptr)",
    "SYSCALL_DEFINE0(sched_yield)",
    "SYSCALL_DEFINE1(sched_get_priority_max, int, policy)",
    "SYSCALL_DEFINE1(sched_get_priority_min, int, policy)",
    "SYSCALL_DEFINE2(sched_rr_get_interval, pid_t, pid,struct timespec __user *, interval)"
  ],
  "msm/mm/fadvise.c": [
    "SYSCALL_DEFINE(fadvise64_64)(int fd, loff_t offset, loff_t len, int advice)",
    "SYSCALL_DEFINE(fadvise64)(int fd, loff_t offset, size_t len, int advice)"
  ],
  "msm/mm/filemap.c": [
    "SYSCALL_DEFINE(readahead)(int fd, loff_t offset, size_t count)"
  ],
  "msm/mm/fremap.c": [
    "SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,unsigned long, prot, unsigned long, pgoff, unsigned long, flags)"
  ],
  "msm/mm/madvise.c": [
    "SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)"
  ],
  "msm/mm/mempolicy.c": [
    "SYSCALL_DEFINE6(mbind, unsigned long, start, unsigned long, len,unsigned long, mode, unsigned long __user *, nmask,unsigned long, maxnode, unsigned, flags)",
    "SYSCALL_DEFINE3(set_mempolicy, int, mode, unsigned long __user *, nmask,unsigned long, maxnode)",
    "SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,const unsigned long __user *, old_nodes,const unsigned long __user *, new_nodes)",
    "SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,unsigned long __user *, nmask, unsigned long, maxnode,unsigned long, addr, unsigned long, flags)"
  ],
  "msm/mm/migrate.c": [
    "SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,const void __user * __user *, pages,const int __user *, nodes,int __user *, status, int, flags)"
  ],
  "msm/mm/mincore.c": [
    "SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len,unsigned char __user *, vec)"
  ],
  "msm/mm/mlock.c": [
    "SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)",
    "SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)",
    "SYSCALL_DEFINE1(mlockall, int, flags)",
    "SYSCALL_DEFINE0(munlockall)"
  ],
  "msm/mm/mmap.c": [
    "SYSCALL_DEFINE1(brk, unsigned long, brk)",
    "SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, unsigned long, pgoff)",
    "SYSCALL_DEFINE1(old_mmap, struct mmap_arg_struct __user *, arg)",
    "SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)"
  ],
  "msm/mm/mprotect.c": [
    "SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,unsigned long, prot)"
  ],
  "msm/mm/mremap.c": [
    "SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,unsigned long, new_len, unsigned long, flags,unsigned long, new_addr)"
  ],
  "msm/mm/msync.c": [
    "SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)"
  ],
  "msm/mm/nommu.c": [
    "SYSCALL_DEFINE1(brk, unsigned long, brk)",
    "SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,unsigned long, prot, unsigned long, flags,unsigned long, fd, unsigned long, pgoff)",
    "SYSCALL_DEFINE1(old_mmap, struct mmap_arg_struct __user *, arg)",
    "SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)",
    "SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,unsigned long, new_len, unsigned long, flags,unsigned long, new_addr)"
  ],
  "msm/mm/process_vm_access.c": [
    "SYSCALL_DEFINE6(process_vm_readv, pid_t, pid, const struct iovec __user *, lvec,unsigned long, liovcnt, const struct iovec __user *, rvec,unsigned long, riovcnt,unsigned long, flags)",
    "SYSCALL_DEFINE6(process_vm_writev, pid_t, pid,const struct iovec __user *, lvec,unsigned long, liovcnt, const struct iovec __user *, rvec,unsigned long, riovcnt,unsigned long, flags)"
  ],
  "msm/mm/swapfile.c": [
    "SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)",
    "SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)"
  ],
  "msm/net/socket.c": [
    "SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)",
    "SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,int __user *, usockvec)",
    "SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)",
    "SYSCALL_DEFINE2(listen, int, fd, int, backlog)",
    "SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,int __user *, upeer_addrlen, int, flags)",
    "SYSCALL_DEFINE3(accept, int, fd, struct sockaddr __user *, upeer_sockaddr,int __user *, upeer_addrlen)",
    "SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,int, addrlen)",
    "SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,int __user *, usockaddr_len)",
    "SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,int __user *, usockaddr_len)",
    "SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,unsigned, flags, struct sockaddr __user *, addr,int, addr_len)",
    "SYSCALL_DEFINE4(send, int, fd, void __user *, buff, size_t, len,unsigned, flags)",
    "SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,unsigned, flags, struct sockaddr __user *, addr,int __user *, addr_len)",
    "SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname,char __user *, optval, int, optlen)",
    "SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,char __user *, optval, int __user *, optlen)",
    "SYSCALL_DEFINE2(shutdown, int, fd, int, how)",
    "SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)",
    "SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,unsigned int, vlen, unsigned int, flags)",
    "SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,unsigned int, flags)",
    "SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,unsigned int, vlen, unsigned int, flags,struct timespec __user *, timeout)",
    "SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)"
  ],
  "msm/security/keys/keyctl.c": [
    "SYSCALL_DEFINE5(add_key, const char __user *, _type,const char __user *, _description,const void __user *, _payload,size_t, plen,key_serial_t, ringid)",
    "SYSCALL_DEFINE4(request_key, const char __user *, _type,const char __user *, _description,const char __user *, _callout_info,key_serial_t, destringid)",
    "SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,unsigned long, arg4, unsigned long, arg5)"
  ]
}

2017-03-01

honggfuzz

1. TODO

2. 总结

2.1. 常用参数

-n 指定最大线程数

-f 原始输入种子文件目录

-W 有效变异种子文件输出目录

-e 指定输入文件扩展名 默认为*.fuzz

-d Debug info

--mutate_cmd|-c 扩展变异规则以代替原有变异方式, 当你通过-f提供输入样本目录后,在fuzzing时,随机提取的文件会直接传递给-c参数指定的扩展命令作变异

input_prepareExternalFile or input_postProcessFile:

/* Hands the current input file to the -c/--mutate_cmd helper (excerpt; the
 * declaration of fname is elided above). The helper is spawned through
 * subproc_System(), i.e. via execv() with no shell in between. */
bool input_prepareExternalFile(run_t* run) {
  // ...
  /* argv[0] = the external command, argv[1] = the input file name; the
   * NULL terminator is what execv() expects. */
  const char* const argv[] = {run->global->exe.externalCommand, fname, NULL};
  if (subproc_System(run, argv) != 0) {
    /* Any non-zero exit status from the helper aborts this run's input preparation. */
    LOG_E("Subprocess '%s' returned abnormally", run->global->exe.externalCommand);
    return false;
  }
  // ...
}

/* Runs argv[0] with the given argument vector (excerpt). Note that this is
 * execv(), not execvp() or system(): argv[0] must be an executable path (a
 * script needs a shebang and the execute bit), PATH is not searched, and the
 * arguments are passed verbatim without any shell parsing or expansion. */
uint8_t subproc_System(run_t* run, const char* const argv[]) {
  // ...
  execv(argv[0], (char* const*)&argv[0]);
  // ...
}

假如 run->global->exe.externalCommand = extcmd.py
则会执行 extcmd.py fname
注意这里走的是 execv() 而不是 execvp() 或 shell: externalCommand 必须是可直接执行的路径(脚本需带 shebang 并具有执行权限), 不会在 PATH 中查找; fname 作为独立的 argv[1] 原样传入, 不经过 shell 展开
在实现中可以通过open(argv[1])打开文件对数据进行处理

--mutations_per_run|-r 每个样例的最大变异次数 默认6

--pprocess_cmd 在原有的文件变异后再作处理

-P persistent模式

-t timeout

-F Max File Size

-V verifier 如果开启,则会验证崩溃样本(最大运行5次)

--exit_upon_crash 有崩溃直接退出fuzz

-R 生成报告文件

-E ENV参数,如增加sanitizers: ASAN_OPTIONS=coverage=1

-S sanitizer模式

参数放在 hfzz.exe.envs[]
hfuzz->sanitizer.enable
如果启用:

snprintf(buf, buflen, "%s=%s:%s:%s%s/%s", env, kASAN_OPTS, abortFlag, kSANLOGDIR,
            hfuzz->io.workDir, kLOGPREFIX);

kASAN_OPTS = kASAN_COMMON_OPTS:

"allow_user_segv_handler=1:" \
    "handle_segv=0:"             \
    "allocator_may_return_null=1:" kSAN_COMMON ":exitcode=" HF_XSTR(HF_SAN_EXIT_CODE)

#define kSAN_COMMON "symbolize=0"
/* Exit code is common for all sanitizers */
#define HF_SAN_EXIT_CODE 103

即:ASAN_OPTIONS=
"allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:exitcode=103:abort_on_error=1:log_path=workDir/HF.sanitizer.log"

否则:

snprintf(buf, buflen, "%s=%s", env, kSAN_REGULAR);

/* If no sanitzer support was requested, simply make it use abort() on errors */
#define kSAN_REGULAR                                                 \
    "abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:" \
    "handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:"   \
    "symbolize=1:detect_leaks=0:disable_coredump=0:"                 \
    "detect_odr_violation=0"

-x static mode(_HF_DYNFILE_NONE) 不使用任何feedback.

--instrument|-z 使用编译时的feedback 默认 _HF_DYNFILE_SOFT

-w 字典,针对特殊格式的解析,如xml: https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/xml.dict

实际变异中,命中字典格式变异存在随机性,如果需要只指定字典变异,需要修改源码

mangle_Dictionary -> mangle_DictionaryNoCheck
mangle_DictionaryInsert -> mangle_DictionaryInsertNoCheck
取随机数N,遍历标签取到内容,覆写/插入随机位置。

__FILE__ 相当于AFL中的@@, 在实际的运行中会被替换为当前输入文件的路径(按下文 run_t 中 dynamicFileCopyFd 的说明, 为 /dev/fd/%d 形式的路径, 而不是裸的 fd 整数), 目标程序按普通文件名 open(argv[1]) 即可读取, 参考honggfuzz/examples/badcode/targets/badcode1.c

/* Builds the target's argv for one run (excerpt; the declarations of args,
 * argData and inputFile are elided above). In persistent (-P) or stdin (-s)
 * mode the command line is passed through unchanged; otherwise every
 * argument containing _HF_FILE_PLACEHOLDER (the __FILE__ token described in
 * the notes above) is rewritten to name the current input file. */
bool arch_launchChild(run_t* run) {
    //...
    int x = 0;
    for (x = 0; x < ARGS_MAX && x < run->global->exe.argc; x++) {
        if (run->global->exe.persistent || run->global->exe.fuzzStdin) {
            /* -P / -s: the target does not receive the input as a file argument. */
            args[x] = run->global->exe.cmdline[x];
        } else if (!strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) {
            /* The argument is exactly the placeholder: substitute the input file. */
            args[x] = inputFile;
        } else if (strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) {
            /* Placeholder embedded in a longer argument: keep the prefix before it
             * and append inputFile. The "%.*s%s" format has no suffix part, so any
             * text AFTER the placeholder is dropped (prefix__FILE__suffix becomes
             * prefix<inputFile>).
             * NOTE(review): every such argument is pointed at the same argData
             * buffer; if argData is a single array (declared in the elided part),
             * two arguments containing the placeholder would both end up with the
             * last formatted value — confirm against upstream. */
            const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER);
            snprintf(argData, sizeof(argData), "%.*s%s", (int)(off - run->global->exe.cmdline[x]),
                run->global->exe.cmdline[x], inputFile);
            args[x] = argData;
        } else {
            /* Ordinary argument: pass through unchanged. */
            args[x] = run->global->exe.cmdline[x];
        }
    }
    // ...
}

__FILE__:

必须在非persistent模式(-P)下,且没有指定stdin(-s)的情况下使用,

-s: run->global->exe.fuzzStdin
-P: run->global->exe.persistent

比如 ./badcode1 这个程序的 第1个参数是要处理的文件的名称,那么相应的 fuzz 的命令就是:
./honggfuzz -S -W ./outputs -f ./corpus -- ./badcode1 __FILE__
实际fuzz过程中,会将__FILE__替换成当前输入文件的路径传入,作为第一个参数, 即 argv[1] 为该文件的路径(按下文 run_t 的说明为 /dev/fd/%d 形式), 而不是裸的 fd 整数

--sancov|-C 使用ASAN_OPTIONS="coverage=1", clang-4使用,慢,已经废除(commit: 8267c77c0bfee82a528290c5e86c297291922dc6)。

--monitor_sigabrt: 默认是true,在 -S 模式下会设置ASAN标志 abort_on_error=1, 发生错误时会调用 abort() (触发 SIGABRT) 返回错误代码, 替代 _exit() 函数

2.2. 关于coverage计算模式

run->global->feedback.dynFileMethod字段记录着Trace方式

/* Coverage-feedback source, stored in run->global->feedback.dynFileMethod.
 * The values are distinct bits (0x1, 0x2, 0x10, 0x20, 0x40), presumably so
 * that several methods can be OR-ed together — TODO confirm. */
typedef enum {
    _HF_DYNFILE_NONE = 0x0,                             // -x: static mode, no feedback at all
    _HF_DYNFILE_INSTR_COUNT = 0x1,                      // --linux_perf_instr: perf PERF_COUNT_HW_INSTRUCTIONS
    _HF_DYNFILE_BRANCH_COUNT = 0x2,                     // --linux_perf_branch: perf PERF_COUNT_HW_BRANCH_INSTRUCTIONS
    _HF_DYNFILE_BTS_EDGE = 0x10,                        // --linux_perf_bts_edge: Intel BTS edge tracing (hardware support required)
    _HF_DYNFILE_IPT_BLOCK = 0x20,                       // --linux_perf_ipt_block: Intel PT block tracing (hardware support required)
    _HF_DYNFILE_SOFT = 0x40,                            // -z / --instrument: compile-time SanitizerCoverage feedback (the default)
} dynFileMethod_t;

2.2.1. 1. SanitizerCoverage 模式

需要编译源码

编译添加CFLAGS: -fsanitize-coverage=trace-pc,trace-pc-guard,trace-cmp,trace-div,indirect-calls

默认方式_HF_DYNFILE_SOFT,通过重定义 SanitizerCoverage 中的函数来实现累加

Pc: __sanitizer_cov_trace_pc_guard

Edge: __sanitizer_cov_trace_pc_guard

Cmp: __sanitizer_cov_trace_cmpN, __sanitizer_cov_trace_switch, __sanitizer_cov_trace_divN, N=(1,2,4,8)

参考:

https://bcain-llvm.readthedocs.io/projects/clang/en/release_39/SanitizerCoverage/

https://github.com/google/sanitizers/wiki/SanitizerCommonFlags

2.2.2. 2. perf模式

不需要编译源码

fuzz时候通过添加参数实现

arch_perfCreate 创建 fd

perf_event_open(&pe, pid, -1, -1, PERF_FLAG_FD_CLOEXEC);

dynFileMethod_t             perf config                                                 fd

_HF_DYNFILE_INSTR_COUNT:    pe.config = PERF_COUNT_HW_INSTRUCTIONS                      &run->linux.cpuInstrFd
_HF_DYNFILE_BRANCH_COUNT:   pe.config = PERF_COUNT_HW_BRANCH_INSTRUCTIONS               &run->linux.cpuBranchFd
_HF_DYNFILE_BTS_EDGE:       pe.type = /sys/bus/event_source/devices/intel_bts/type      &run->linux.cpuIptBtsFd
_HF_DYNFILE_IPT_BLOCK:      pe.type = /sys/bus/event_source/devices/intel_pt/type,
                            pe.config = RTIT_CTL_DISRETC;                               &run->linux.cpuIptBtsFd

PERF_COUNT_HW_INSTRUCTIONS 完整执行的指令数
PERF_COUNT_HW_BRANCH_INSTRUCTIONS 完整执行的分支数

该模式需要硬件支持,简单验证:

在host运行perf命令即可得到相应数据

./perf stat pwd
/home/secret/work

 Performance counter stats for 'pwd':

          0.277524      task-clock (msec)         #    0.017 CPUs utilized
                 1      context-switches          #    0.004 M/sec
                 0      cpu-migrations            #    0.000 K/sec
                56      page-faults               #    0.202 M/sec
           989,977      cycles                    #    3.567 GHz
   <not supported>      stalled-cycles-frontend
   <not supported>      stalled-cycles-backend
           656,001      instructions              #    0.66  insns per cycle
           135,672      branches                  #  488.866 M/sec
             7,481      branch-misses             #    5.51% of all branches

       0.016769350 seconds time elapsed

instructions 记录着指令数

参考:

http://www.man7.org/linux/man-pages/man2/perf_event_open.2.html

https://software.intel.com/en-us/vtune-amplifier-help-instructions-retired-event

2.3. 关于fuzz运行三种状态

hfuzz->feedback.state

/* Fuzzing-loop state, stored in hfuzz->feedback.state. */
typedef enum {
    _HF_STATE_UNSET = 0,                                // initial value before a state has been chosen
    _HF_STATE_STATIC = 1,                               // hfuzz->feedback.dynFileMethod == _HF_DYNFILE_NONE (-x): no feedback
    _HF_STATE_DYNAMIC_DRY_RUN = 2,                      // hfuzz->feedback.dynFileMethod != _HF_DYNFILE_NONE: every corpus file is run once without mutation (mutationsPerRun = 0)
    _HF_STATE_DYNAMIC_MAIN = 3,                         // normal fuzzing; entered directly when hfuzz->socketFuzzer.enabled == true, otherwise after the dry run via fuzz_setDynamicMainState()
} fuzzState_t;

2.3.1. 1. socket模式

hfuzz->feedback.state = _HF_STATE_DYNAMIC_MAIN

该模式用于fuzz socket服务

2.3.2. 2. persistent模式(常规模式)

正常设置语料库模式下,状态为 hfuzz->feedback.state = _HF_STATE_DYNAMIC_DRY_RUN, 执行所有语料库文件且不变异(run->mutationsPerRun = 0 不变异);

之后通过函数 fuzz_setDynamicMainState() 设置状态 hfuzz->feedback.state = _HF_STATE_DYNAMIC_MAIN (run->mutationsPerRun = -r指定变异次数,默认6),进入正常fuzz流程。

2.3.3. 3. -x 静态模式

hfuzz->feedback.state = _HF_STATE_STATIC

该模式会设置 hfuzz->feedback.dynFileMethod = _HF_DYNFILE_NONE, 不会使用perf模式,不会产生feedback,主要用于验证样本

如复现某个崩溃样本

./honggfuzz -f crash_dir -x -R ./bug_report --exit_upon_crash -- ./honggfuzz-example/bin/persistent-bin

2.5. 整个fuzz函数流

main ->
fuzz_threadsStart ->
fuzz_threadNew ->
fuzz_fuzzLoop ->
subproc_Run ->
subproc_New ->
arch_launchChild(子进程中执行)

/* Runs the target once: spawns it under ptrace/perf, waits for it and
 * analyzes the outcome. Returns false only if the child could not be
 * spawned; the result of arch_reapChild() is not propagated, so after a
 * successful spawn the function always returns true. */
bool subproc_Run(run_t* run) {
    run->timeStartedMillis = util_timeNowMillis();
    /*
        Fork the child and attach to it with ptrace, open the perf counters
        that record the number of executed instructions, then execve() the
        target.
    */
    if (!subproc_New(run)) {
        LOG_E("subproc_New()");
        return false;
    }
    /*
        arch_perfEnable: enable perf so executed instructions are counted.
    */
    arch_prepareParent(run);
    /*
        arch_checkWait() -> arch_traceAnalyze()/arch_perfAnalyze(): analyze the
        ptrace / perf results, record any crash, store cpuInstrCnt and
        cpuBranchCnt, and close the perf descriptors.
    */
    arch_reapChild(run);

    return true;
}

/* Forks the fuzzing child and prepares both sides (excerpt). Returns false
 * if fork() fails. The child never returns from this function: it either
 * execve()s the target inside arch_launchChild(), or terminates through
 * exit()/_exit()/abort(). */
static bool subproc_New(run_t* run) {
    // ...
    run->pid = arch_fork(run);
    if (run->pid == -1) {
        PLOG_E("Couldn't fork");
        /* Do not leave -1 behind as the "current" pid. */
        run->pid = 0;
        return false;
    }
    /* The child process */
    if (!run->pid) {
        // ...
        /*
            Initialize system resources and files (setrlimit) and put the -E
            environment variables (e.g. sanitizer options) into the environment
            with putenv.
        */
        if (!subproc_PrepareExecv(run)) {
            LOG_E("subproc_PrepareExecv() failed");
            exit(EXIT_FAILURE);
        }
        /*
            Child-side launch:
            1. prctl(PR_SET_DUMPABLE) so the parent may ptrace-attach
               (NOTE(review): being dumpable is also what lets other processes
               attach, subject to the kernel's ptrace access policy);
            2. disable ASLR — presumably so crash addresses and backtraces are
               reproducible across runs; the target therefore runs without a
               hardening feature it would normally have, so a crash found here
               may behave differently under ASLR;
            3. build the target's argv, wait for the parent to attach, then
               execve(args[0], (char* const*)args, environ).
        */
        if (!arch_launchChild(run)) {
            LOG_E("Error launching child process");
            /* Bring down the whole fuzzer, not just this worker. */
            kill(run->global->threads.mainPid, SIGTERM);
            _exit(1);
        }
        /* Only reachable if arch_launchChild() returned true, i.e. execve()
           did not replace the process; treated as a fatal inconsistency. */
        abort();
    }

    // ...

    /*
        Parent side:
        1. fcntl(%d, F_SETOWN_EX) and open the perf counters that record the
           number of executed instructions;
        2. arch_attachToNewPid(): ptrace-attach to the forked child
           (PTRACE_SEIZE, implemented in arch_traceAttach), then restart the
           stopped tracee with ptrace(PTRACE_CONT).
    */
    arch_prepareParentAfterFork(run);
    // ...
    return true;
}

2.6. trace跟踪子进程

arch_reapChild() -> arch_checkWait() -> arch_traceAnalyze()

通过ptrace挂载子进程,捕获WIFSTOPPED状态。注意 WIFSTOPPED 表示被跟踪进程处于停止(ptrace-stop)状态, 并不等于目标进程已经退出; 这里应是子进程退出前触发的 ptrace 事件停止, 真正的退出状态要在下一步读取,

之后通过 PTRACE_GETEVENTMSG 标志获取退出状态,进行退出状态码判断:

run->mainWorker=true(默认模式下): arch_traceSaveData
run->mainWorker=false(Verifier模式下): arch_traceAnalyzeData
HF_SAN_EXIT_CODE: arch_traceExitAnalyze

相关API:


long int ptrace(enum __ptrace_request request, pid_t pid, void * addr, void * data)
request决定ptrace做什么,pid是被跟踪进程的ID,data存储从进程空间偏移量为addr的地方开始将被读取/写入的数据.

pid_t wait4(pid_t pid,int *status,int options,struct rusage *rusage);
等待指定子进程状态改变(退出/被信号停止等), 状态通过 status 返回; 若 rusage 非 NULL, 同时返回该子进程的资源使用信息

PTRACE_SEIZE(since Linux 3.4) Attach to the process specified in pid
相对于 PTRACE_ATTACH, 该方式不会停止目标进程

PTRACE_CONT 让子进程继续运行

PTRACE_GETEVENTMSG (since Linux 2.5.46) 取回刚发生的 ptrace 事件所附带的消息(unsigned long), 例如退出事件下为子进程的退出状态

arch_traceAnalyze()

3. xcode 调试

需要修改honggfuzz源码目录下的Makefile文件添加调试选项

diff --git a/Makefile b/Makefile
index fc5ea74..c6e1fdc 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,8 @@ HFUZZ_CC_SRCS := hfuzz_cc/hfuzz-cc.c
 COMMON_CFLAGS := -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I.
 COMMON_LDFLAGS := -lm libhfcommon/libhfcommon.a
 COMMON_SRCS := $(sort $(wildcard *.c))
-CFLAGS ?= -O3 -mtune=native
+# CFLAGS ?= -O3 -mtune=native
+CFLAGS ?= -g -mtune=native
 LDFLAGS ?=
 LIBS_CFLAGS ?= -fPIC -fno-stack-protector
 GREP_COLOR ?=

之后参考文章 https://blog.csdn.net/kubibo/article/details/25902703

4. 源码分析

4.1. honggfuzz-clang编译器

honggfuzz/hfuzz_cc/hfuzz-cc.c

通过编译器名字(hfuzz-clang, hfuzz-clang++, hfuzz-g++, hfuzz-gcc)来判断使用哪种编译器编译。

hfuzz-clang         -> clang
hfuzz-clang++       -> clang++
hfuzz-g++           -> g++
hfuzz-gcc           -> gcc

之后是参数拼接,主要添加的优化参数列表(clang):

"-Wno-unused-command-line-argument";
"-fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls";
"-mllvm";
"-sanitizer-coverage-prune-blocks=0";
"-mllvm";
"-sanitizer-coverage-level=3";
/*
 * Make the execution flow more explicit, allowing for more code blocks
 * (and better code coverage estimates)
 */
"-fno-inline";
"-fno-builtin";
"-fno-omit-frame-pointer";
"-D__NO_STRING_INLINES";
 /* Make it possible to use the libhfnetdriver */
"-DHFND_FUZZING_ENTRY_FUNCTION_CXX(x,y)="
                   "extern \"C\" int HonggfuzzNetDriver_main(x,y);"
                   "extern const char* LIBHFNETDRIVER_module_netdriver;"
                   "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;"
                   "int HonggfuzzNetDriver_main(x,y)";
"-DHFND_FUZZING_ENTRY_FUNCTION(x,y)="
                   "int HonggfuzzNetDriver_main(x,y);"
                   "extern const char* LIBHFNETDRIVER_module_netdriver;"
                   "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;"
                   "int HonggfuzzNetDriver_main(x,y)";
/* Intercept common *cmp functions */
"-Wl,--wrap=strcmp";
"-Wl,--wrap=strcasecmp";
"-Wl,--wrap=strncmp";
"-Wl,--wrap=strncasecmp";
"-Wl,--wrap=strstr";
"-Wl,--wrap=strcasestr";
"-Wl,--wrap=memcmp";
"-Wl,--wrap=bcmp";
"-Wl,--wrap=memmem";
"-Wl,--wrap=strcpy";
/* Apache's httpd mem/str cmp functions */
"-Wl,--wrap=ap_cstr_casecmp";
"-Wl,--wrap=ap_cstr_casecmpn";
"-Wl,--wrap=ap_strcasestr";
"-Wl,--wrap=apr_cstr_casecmp";
"-Wl,--wrap=apr_cstr_casecmpn";
/* Frequently used time-constant *SSL functions */
"-Wl,--wrap=CRYPTO_memcmp";
"-Wl,--wrap=OPENSSL_memcmp";
"-Wl,--wrap=OPENSSL_strcasecmp";
"-Wl,--wrap=OPENSSL_strncasecmp";
"-Wl,--wrap=memcmpct";
/* Frequently used libXML2 functions */
"-Wl,--wrap=xmlStrncmp";
"-Wl,--wrap=xmlStrcmp";
"-Wl,--wrap=xmlStrEqual";
"-Wl,--wrap=xmlStrcasecmp";
"-Wl,--wrap=xmlStrncasecmp";
"-Wl,--wrap=xmlStrstr";
"-Wl,--wrap=xmlStrcasestr";
/* Some Samba functions */
"-Wl,--wrap=memcmp_const_time";
"-Wl,--wrap=strcsequal";
/* Pull modules defining the following symbols (if they exist) */
args[j++] = "-Wl,-u,LIBHFNETDRIVER_module_main",
args[j++] = "-Wl,-u,LIBHFUZZ_module_instrument";
args[j++] = "-Wl,-u,LIBHFUZZ_module_memorycmp";
"/tmp/libhfnetdriver.uid.crc64.a";  // eg: /tmp/libhfnetdriver.1000.9a0f6dce36be32e.a, libhfnetdriver/libhfnetdriver.a
"/tmp/libhfuzz.uid.crc64.a"  // eg: /tmp/libhfuzz.1000.cb422fcd8679a683.a, libhfuzz/libhfuzz.a

-fsanitize参数

ASAN(AddressSanitizer) -fsanitize=address: 打开asan内存错误检查
-fno-omit-frame-pointer: 保留函数调用的帧信息,以便分析函数调用关系
UBSAN(UndefinedBehaviorSanitizer) -fsanitize=undefined: 未定义行为检测

4.2. 结构体说明

/* Global fuzzer configuration and state shared by all fuzzing threads
 * (run->global points here). Field notes below are taken from the write-up;
 * fields without a note are left as in upstream. */
typedef struct {
    struct {
        size_t threadsMax;                                  // -n: maximum number of fuzzing threads
        size_t threadsFinished;
        uint32_t threadsActiveCnt;
        pthread_t mainThread;
        pid_t mainPid;
        pthread_t threads[_HF_THREAD_MAX];
    } threads;
    struct {
        const char* inputDir;                               // -f: directory of the original seed files
        DIR* inputDirPtr;                                   // seed directory handle opened with fdopendir(dir_fd)
        size_t fileCnt;                                     // number of original seed files
        const char* fileExtn;                               // -e: input file extension; must not contain '/'
        bool fileCntDone;
        const char* workDir;                                // -W: output directory for useful mutated inputs
        const char* crashDir;
        const char* covDirAll;                              // defaults to the -f directory
        const char* covDirNew;
        bool saveUnique;
        size_t dynfileqCnt;
        pthread_rwlock_t dynfileq_mutex;
        TAILQ_HEAD(dyns_t, dynfile_t) dynfileq;
    } io;
    struct {
        int argc;
        const char* const* cmdline;                         // target command line given after "--"
        bool nullifyStdio;
        bool fuzzStdin;                                     // -s: feed the input on stdin instead of via __FILE__
        const char* externalCommand;                        // -c / --mutate_cmd: external mutation command, run via execv()
        const char* postExternalCommand;                    // --pprocess_cmd: post-processing command run after mutation
        bool netDriver;
        bool persistent;                                    // -P: persistent mode
        uint64_t asLimit;
        uint64_t rssLimit;
        uint64_t dataLimit;
        uint64_t coreLimit;
        bool clearEnv;
        char* envs[128];                                    // -E: environment variables for the target, e.g. sanitizer options
        sigset_t waitSigSet;
    } exe;
    struct {
        time_t timeStart;
        time_t runEndTime;
        time_t tmOut;                                       // -t: per-run timeout
        time_t lastCovUpdate;
        bool tmoutVTALRM;
    } timing;
    struct {
        const char* dictionaryFile;                         // -w: dictionary file
        TAILQ_HEAD(strq_t, strings_t) dictq;
        size_t dictionaryCnt;
        size_t mutationsMax;
        unsigned mutationsPerRun;                           // -r: mutations per run (default 6)
        size_t maxFileSz;                                   // -F: maximum input file size
    } mutate;
    struct {
        bool useScreen;
        char cmdline_txt[65];
        int64_t lastDisplayMillis;
    } display;
    struct {
        bool useVerifier;                                   // -V: re-run crashing inputs to verify them (up to 5 times)
        bool exitUponCrash;                                 // --exit_upon_crash: stop fuzzing on the first crash
        const char* reportFile;                             // -R: report file
        pthread_mutex_t report_mutex;
        bool monitorSIGABRT;                                // --monitor_sigabrt (default true)
        size_t dynFileIterExpire;
        bool only_printable;
    } cfg;
    struct {
        bool enable;                                          // -S: sanitizer mode (controls the ASAN_OPTIONS string built above)
    } sanitizer;
    struct {
        fuzzState_t state;                                  // see fuzzState_t
        feedback_t* feedbackMap;
        int bbFd;
        pthread_mutex_t feedback_mutex;
        const char* blacklistFile;
        uint64_t* blacklist;
        size_t blacklistCnt;
        bool skipFeedbackOnTimeout;
        dynFileMethod_t dynFileMethod;                      // feedback source: _HF_DYNFILE_NONE with -x, default _HF_DYNFILE_SOFT
    } feedback;
    struct {
        size_t mutationsCnt;
        size_t crashesCnt;
        size_t uniqueCrashesCnt;
        size_t verifiedCrashesCnt;
        size_t blCrashesCnt;
        size_t timeoutedCnt;
    } cnts;
    struct {
        bool enabled;                                       // socket-fuzzing mode: state goes straight to _HF_STATE_DYNAMIC_MAIN
        int serverSocket;
        int clientSocket;
    } socketFuzzer;
    /* For the Linux code */
    struct {
        int exeFd;
        hwcnt_t hwCnts;                             // aggregate coverage counters over all runs (edge / pc / cmp)
        uint64_t dynamicCutOffAddr;
        bool disableRandomization;                  // presumably the switch behind the ASLR disabling done in the child — TODO confirm
        void* ignoreAddr;
        size_t numMajorFrames;
        const char* symsBlFile;
        char** symsBl;
        size_t symsBlCnt;
        const char* symsWlFile;
        char** symsWl;
        size_t symsWlCnt;
        uintptr_t cloneFlags;
        bool kernelOnly;
        bool useClone;
    } linux;
    /* For the NetBSD code */
    struct {
        void* ignoreAddr;
        size_t numMajorFrames;
        const char* symsBlFile;
        char** symsBl;
        size_t symsBlCnt;
        const char* symsWlFile;
        char** symsWl;
        size_t symsWlCnt;
    } netbsd;
} honggfuzz_t;


fuzzing thread:

/* Per-worker run state (one per fuzzing thread; run->global points at the
 * shared honggfuzz_t). Field notes are taken from the write-up. */
typedef struct {
    honggfuzz_t* global;                // the shared honggfuzz_t instance
    pid_t pid;                          // pid of the target process this worker is currently running
    int64_t timeStartedMillis;          // set in subproc_Run() when the run starts
    char origFileName[PATH_MAX];
    char crashFileName[PATH_MAX];
    uint64_t pc;
    uint64_t backtrace;
    uint64_t access;
    int exception;
    char report[_HF_REPORT_SIZE];
    bool mainWorker;                    // true: arch_traceSaveData path (default); false: verifier path (arch_traceAnalyzeData)
    unsigned mutationsPerRun;           // 0 during the dry run, the -r value (default 6) in the main state
    struct dynfile_t* dynfileqCurrent;  // current seed: {data: file contents, size: length, pointers: queue links}
    uint8_t* dynamicFile;               // buffer of the memfd named "hfuzz-input"; receives the mutated (mangled) data
    size_t dynamicFileSz;               // size of the seed data
    int dynamicFileFd;                  // anonymous memfd_create() descriptor named "hfuzz-input"
    int dynamicFileCopyFd;              // descriptor of the input handed to the target, which opens it through a /dev/fd/%d path
    uint32_t fuzzNo;                    // worker index
    int persistentSock;
    bool waitingForReady;
    runState_t runState;
    bool tmOutSignaled;
#if !defined(_HF_ARCH_DARWIN)
    timer_t timerId;
#endif  // !defined(_HF_ARCH_DARWIN)

    struct {
        /* For Linux code */
        uint8_t* perfMmapBuf;
        uint8_t* perfMmapAux;
        hwcnt_t hwCnts;                 // coverage counters of the current run (edge / pc / cmp)
        int cpuInstrFd;                 // perf fd for PERF_COUNT_HW_INSTRUCTIONS (_HF_DYNFILE_INSTR_COUNT)
        int cpuBranchFd;                // perf fd for PERF_COUNT_HW_BRANCH_INSTRUCTIONS (_HF_DYNFILE_BRANCH_COUNT)
        int cpuIptBtsFd;                // perf fd for Intel BTS / PT tracing (_HF_DYNFILE_BTS_EDGE / _HF_DYNFILE_IPT_BLOCK)
    } linux;

    struct {
        /* For NetBSD code */
        uint8_t* perfMmapBuf;
        uint8_t* perfMmapAux;
        hwcnt_t hwCnts;
        int cpuInstrFd;
        int cpuBranchFd;
        int cpuIptBtsFd;
    } netbsd;
} run_t;
(lldb) print *hfuzz
(honggfuzz_t) $5 = {
  threads = {
    threadsMax = 2
    threadsFinished = 0
    threadsActiveCnt = 0
    mainThread = 0x000000013f19f380
    mainPid = 48586
    threads = {
      [0] = 0x0000000000000000
      [1] = 0x0000000000000000
      [2] = 0x0000000000000000
      [3] = 0x0000000000000000
      ...
      [255] = 0x0000000000000000
      ...
    }
  }
  io = {
    inputDir = 0x00007ffeefbffa3d "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/corpus_2019-02-28_13-48-20/"
    inputDirPtr = 0x000000013f601af0
    fileCnt = 5
    fileExtn = 0x000000010002cffb "fuzz"
    fileCntDone = false
    workDir = 0x00007ffeefbff9d8 "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/outputs_2019-02-28_13-48-20"
    crashDir = 0x00007ffeefbff9d8 "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/outputs_2019-02-28_13-48-20"
    covDirAll = 0x00007ffeefbffa3d "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/corpus_2019-02-28_13-48-20/"
    covDirNew = 0x0000000000000000 <no value available>
    saveUnique = true
    dynfileqCnt = 0
    dynfileq_mutex = (__sig = 766030772, __opaque = char [192] @ 0x00007fb4a533fa88)
    dynfileq = {
      tqh_first = 0x0000000000000000
      tqh_last = 0x0000000100128c68
    }
  }
  exe = {
    argc = 1
    cmdline = 0x000000013f302e68
    nullifyStdio = true
    fuzzStdin = false
    externalCommand = 0x0000000000000000 <no value available>
    postExternalCommand = 0x0000000000000000 <no value available>
    netDriver = false
    persistent = true
    asLimit = 0
    rssLimit = 0
    dataLimit = 0
    coreLimit = 0
    clearEnv = false
    envs = {
      [0] = 0x000000010005f5f0 "ASAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0"
      [1] = 0x00000001000605f0 "UBSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0"
      [2] = 0x00000001000615f0 "MSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0"
      [3] = 0x00000001000625f0 "LSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0"
      [4] = 0x0000000000000000 <no value available>
      [5] = 0x0000000000000000 <no value available>
      ...
      [127] = 0x0000000000000000 <no value available>
    }
    waitSigSet = 541065216
  }
  timing = (timeStart = 1551337933, runEndTime = 0, tmOut = 10, lastCovUpdate = 1551337933, tmoutVTALRM = false)
  mutate = {
    dictionaryFile = 0x0000000000000000 <no value available>
    dictq = {
      tqh_first = 0x0000000000000000
      tqh_last = 0x0000000100129108
    }
    dictionaryCnt = 0
    mutationsMax = 0
    mutationsPerRun = 6
    maxFileSz = 8192
  }
  display = (useScreen = true, cmdline_txt = char [65] @ 0x00007fb4a5340019, lastDisplayMillis = 1551337933633)
  cfg = {
    useVerifier = false
    exitUponCrash = false
    reportFile = 0x0000000000000000 <no value available>
    report_mutex = (__sig = 850045863, __opaque = char [56] @ 0x00007fb4a5340080)
    monitorSIGABRT = true
    dynFileIterExpire = 0
    only_printable = false
  }
  sanitizer = (enable = false)
  feedback = {
    state = _HF_STATE_UNSET
    feedbackMap = 0x0000000142180000
    bbFd = 5
    feedback_mutex = (__sig = 850045863, __opaque = char [56] @ 0x00007fb4a53400f8)
    blacklistFile = 0x0000000000000000 <no value available>
    blacklist = 0x0000000000000000
    blacklistCnt = 0
    skipFeedbackOnTimeout = false
    dynFileMethod = _HF_DYNFILE_SOFT
  }
  cnts = {
    mutationsCnt = 0
    crashesCnt = 0
    uniqueCrashesCnt = 0
    verifiedCrashesCnt = 0
    blCrashesCnt = 0
    timeoutedCnt = 0
  }
  socketFuzzer = (enabled = false, serverSocket = -1, clientSocket = -1)
  linux = {
    exeFd = -1
    hwCnts = {
      cpuInstrCnt = 0
      cpuBranchCnt = 0
      bbCnt = 0
      newBBCnt = 0
      softCntPc = 0
      softCntEdge = 0
      softCntCmp = 0
    }
    dynamicCutOffAddr = 18446744073709551615
    disableRandomization = true
    ignoreAddr = 0x0000000000000000
    numMajorFrames = 7
    symsBlFile = 0x0000000000000000 <no value available>
    symsBl = 0x0000000000000000
    symsBlCnt = 0
    symsWlFile = 0x0000000000000000 <no value available>
    symsWl = 0x0000000000000000
    symsWlCnt = 0
    cloneFlags = 0
    kernelOnly = false
    useClone = true
  }
  netbsd = {
    ignoreAddr = 0x0000000000000000
    numMajorFrames = 7
    symsBlFile = 0x0000000000000000 <no value available>
    symsBl = 0x0000000000000000
    symsBlCnt = 0
    symsWlFile = 0x0000000000000000 <no value available>
    symsWl = 0x0000000000000000
    symsWlCnt = 0
  }
}

5. 编译

5.1. 1. 依赖库

# Build-time dependencies for honggfuzz (development headers from the distro archive).
sudo apt-get install libbfd-dev libunwind8-dev

2. GCC

# Install GCC 7 from a third-party (personal) PPA rather than the Ubuntu archive.
# Adding a PPA also installs that maintainer's signing key, so later upgrades from it
# are trusted automatically; review the PPA before adding it on a shared machine.
sudo add-apt-repository ppa:jonathonf/gcc-7.1
sudo apt-get update
sudo apt-get install gcc-7 g++-7
# Register gcc-7 as an alternative for /usr/bin/gcc with priority 70.
# Note that g++-7 is installed but not registered the same way; the libxml2 build
# below uses the hfuzz-clang wrappers, so this only matters for other builds.
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 70

5.2. 3. clang

要求 5.0+

# clang 5.0 or newer is required (see the note above); this installs the distro-packaged clang 6.0.
sudo apt install clang-6.0

最新版

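# Build the latest LLVM/clang from source with a helper script fetched from a third-party repo.
# The URL points at the repo's master branch, so the script's contents can change between runs;
# read it before executing, and prefer pinning the URL to a specific commit, e.g.
#   https://raw.githubusercontent.com/Dor1s/libfuzzer-workshop/<COMMIT>/checkout_build_install_llvm.sh
wget https://raw.githubusercontent.com/Dor1s/libfuzzer-workshop/master/checkout_build_install_llvm.sh
# wget does not set the executable bit, so running ./script directly fails with "Permission denied".
chmod +x checkout_build_install_llvm.sh
./checkout_build_install_llvm.sh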

5.3. 4. 编译

# Fetch and build honggfuzz. The clone is not pinned to a tag or commit, so this builds
# whatever the default branch currently holds; the libxml2 section below pins an explicit
# commit instead, which is the reproducible option.
git clone https://github.com/google/honggfuzz.git
cd honggfuzz
make

6. fuzz libxml2

6.1. 1. 依赖库

# Build dependencies for libxml2 (autotools plus the optional lzma and Python headers).
sudo apt install autoconf libtool liblzma-dev python-dev

6.2. 2. 编译libxml2

# Check out libxml2 at a pinned commit and label that commit as a local branch.
git clone https://github.com/GNOME/libxml2.git
cd libxml2/
git checkout f8a8c1f59db355b46962577e7b74f1a1e8149dc6
git branch libxml2-2.9.9
git checkout libxml2-2.9.9

# NOTE(review): autogen.sh runs before CC/CXX are set; if it invokes configure itself,
# that first configuration uses the system compiler and is superseded by the explicit
# ./configure below — confirm against libxml2's autogen.sh.
./autogen.sh

# Location of the honggfuzz compiler wrappers built in the previous section.
hfuzz_cc_dir=/path/to/honggfuzz/hfuzz_cc
# Instrumentation: ASan+UBSan to detect memory/UB bugs, trace-pc-guard for coverage feedback,
# and frame pointers kept so stack traces in crash reports are usable.
CFLAGS="-g -fno-omit-frame-pointer -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard"
# The flags are folded into CC/CXX/CCLD (not only CFLAGS) so every compile and link step,
# including configure's own checks, goes through the wrappers with the same instrumentation.
CC="$hfuzz_cc_dir/hfuzz-clang $CFLAGS" CXX="$hfuzz_cc_dir/hfuzz-clang++ $CFLAGS" CCLD="$hfuzz_cc_dir/hfuzz-clang $CFLAGS" ./configure

make -j4

# The static library the fuzz harness links against in the next section.
ls .libs/libxml2.a

6.3. 编译测试样例

测试样例: persistent-xml2

cd /path/to/honggfuzz/examples/libxml2

# Same instrumentation flags as the library build, so the harness and libxml2 agree on sanitizers and coverage.
CFLAGS="-g -fno-omit-frame-pointer -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard"

# Compile the persistent-xml2 harness and link it statically against the instrumented libxml2 and libhfuzz.
./path/to/honggfuzz/hfuzz_cc/hfuzz-clang persistent-xml2.c $CFLAGS -I/path/to/libxml2/include -I/path/to/libxml2 /path/to/libxml2/.libs/libxml2.a /path/to/honggfuzz/libhfuzz/libhfuzz.a -o persistent-xml2

6.4. 执行

# Workspace/output directory and seed corpus; a single trivial seed is enough to start.
mkdir output_dir
mkdir corpus_dir
echo "test" > ./corpus_dir/origin

# -P persistent mode, -S sanitizer handling, -W workspace/output dir, -f input corpus dir.
# The LeakSanitizer error in the issue section below is worked around by dropping -S.
./path/to/honggfuzz/honggfuzz -P -S -W ./output_dir -f ./corpus_dir -- ./persistent-xml2

使用字典:
# Same run with a token dictionary (-w); presumably xml.dict holds XML syntax tokens to steer mutations.
./path/to/honggfuzz/honggfuzz -P -S -w ./xml.dict -W ./output_dir -f ./corpus_dir -- ./persistent-xml2

6.5. issue

  1. Did you mean '-sanitizer-coverage-level=0'…

clang-5.0

  1. ASAN
==84373==LeakSanitizer has encountered a fatal error.
==84373==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==84373==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

fuzz去掉 -S 参数

  1. ubuntu 16.04 apt
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke-Success
'if /usr/bin/test -w /var/cache/app-info -a -e /usr/bin/appstreamcli;
 then appstreamcli refresh > /dev/null;
 fi'
E: Sub-process returned an error code
# Workaround for the apt post-invoke failure above: kill the stuck appstreamcli, then replace
# the appstream packages with the pinned 0.9.4-1ubuntu1 builds from Launchpad.
sudo pkill -KILL appstreamcli
# dpkg -i installs the downloaded .debs directly and bypasses apt's repository signature check;
# compare the files against the checksums Launchpad publishes for these builds before installing.
wget -P /tmp https://launchpad.net/ubuntu/+archive/primary/+files/appstream_0.9.4-1ubuntu1_amd64.deb https://launchpad.net/ubuntu/+archive/primary/+files/libappstream3_0.9.4-1ubuntu1_amd64.deb
sudo dpkg -i /tmp/appstream_0.9.4-1ubuntu1_amd64.deb /tmp/libappstream3_0.9.4-1ubuntu1_amd64.deb

Author: idhyt

Created: 2017-03-02 Thu 15:53

