- Support more interfaces (See)
- Infer direction of non-const pointers.
  1. `copy_to_user()` and `copy_from_user()`
- Handling extern variables
  1. Extern variables are often defined in different translation units, and simply go unextracted. A promising solution is ASTImporter. Another more general solution is moving some processing to Go. Also see Cross Translation Unit (CTU) Analysis and CTU in Zircon.
- Syscall specific:
  1. Handle 32-bit system calls passing 64-bit arguments.
     For example, `sync_file_range2` is translated to `arm_sync_file_range` and in `linux/386`, the pointer size is 32 bits, which means system call arguments cannot be longer (no `int64`). So while argument `offset` should have the type `int64`, it is currently given `intptr` to avoid the following error:
     ```
     compilation of linux/386 target failed:
     sys/linux/auto.txt:201:46: arm_sync_file_range$auto arg offset is larger than pointer size
     ```
  2. Infer if a system call returns a resource.
- Netlink specific:
  1. Netlink is converting to `.yaml` files (see `Documentation/netlink/specs` in the kernel source code). The `.yaml` files are used to generate `.c` files during build, but the policies are defined as extern and not handled properly. 3.ii.a should improve the situation. Are any semantics lost in translation? Should we start focusing on yaml instead?
  2. Use more `nla_policy` fields to specify types and limits.
  3. Nested, Nested Array, and Bitfield 32 Netlink types.
- Handle pointers represented as u64 in structs. e.g.
- Add a test that ensures that automatic_helper attributes mark a sufficient number of syscalls (enable all automatic + automatic_helper, check that none get transitively disabled; ensure that it will check precise resource types, e.g. if auto syscalls need fd, we have a syscall that returns fd, not only fd_namespace).
- Consider extracting interfaces for all arches separately and then merging them together. This may improve some edge cases if we care about several arches for a given kernel. For example, there are some arch-specific syscalls, or const values may vary (see tools/syz-declextract: more preparation for file_operations extraction #5539).
- Consider shrinking lists of files for openat calls. The `openat$auto_kernfs_file_fops_kernfs_internal*` looks insanely big and repetitive. There e.g. are paths from `*/usb1/*` to `*/usb40/*`, with the nested files/folders being absolutely the same for all 40 groups. Same for `/sys/kernel/debug/block/nbd0/` ... `/sys/kernel/debug/block/nbd15/`. There's very little value to listing them all, so I wonder if we can come up with some heuristics to restrict the most repetitive parts of the output. Could it be that in these cases all nested files and folders refer to the same fops? Then we could e.g. just leave a glob instruction of the form `/sys/devices/platform/*` and not list them individually.

Also see #590
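One possible heuristic for the openat path collapsing discussed in the last item, as an added example in Go that is not part of syzkaller or syz-declextract: numbered sibling directories (`nbd0` ... `nbd15`, `usb1` ... `usb40`) are folded into a single `stem*` glob only when at least `minGroup` siblings exist and every one of them contains exactly the same nested files, so nothing that differs between instances is hidden. The `CollapsePaths` function, the `minGroup` threshold and the sample paths are constructed for illustration.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)
// numSuffix matches an instance directory such as "nbd15" or "usb40": a non-numeric stem plus a number.
var numSuffix = regexp.MustCompile(`^([^0-9]+)[0-9]+$`)
type group struct {
	insts, tails, pairs map[string]bool // instance dirs, nested tails, (inst, tail) combinations seen
	orig                []string        // original paths, emitted unchanged if the group cannot be folded
}
// CollapsePaths folds numbered sibling directories (nbd0 ... nbd15) into one "nbd*" glob, but only
// when at least minGroup siblings exist and all of them contain exactly the same nested files.
func CollapsePaths(paths []string, minGroup int) []string {
	groups, out := map[string]*group{}, []string{} // glob prefix -> group; result list
	for _, p := range paths {
		parts := strings.Split(p, "/")
		idx := -1 // leftmost numbered directory; the leaf file name is never globbed
		for i := 0; i < len(parts)-1 && idx < 0; i++ {
			if numSuffix.MatchString(parts[i]) {
				idx = i
			}
		}
		if idx < 0 {
			out = append(out, p) // nothing to fold, keep verbatim
			continue
		}
		glob := strings.Join(parts[:idx], "/") + "/" + numSuffix.FindStringSubmatch(parts[idx])[1] + "*"
		if groups[glob] == nil {
			groups[glob] = &group{insts: map[string]bool{}, tails: map[string]bool{}, pairs: map[string]bool{}}
		}
		g, tail := groups[glob], strings.Join(parts[idx+1:], "/")
		g.insts[parts[idx]], g.tails[tail], g.pairs[parts[idx]+"/"+tail] = true, true, true
		g.orig = append(g.orig, p)
	}
	for glob, g := range groups {
		// Identical subtrees <=> every instance has every tail, so the pair count must equal the product.
		if len(g.insts) >= minGroup && len(g.pairs) == len(g.insts)*len(g.tails) {
			for t := range g.tails {
				out = append(out, glob+"/"+t)
			}
		} else {
			out = append(out, g.orig...)
		}
	}
	sort.Strings(out)
	return out
}
```

A group where one instance lacks a file (for example a `loop2` without the `autoclear` entry its siblings have) fails the product check and is emitted verbatim, which is the safety property the heuristic needs.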