authorAlexey Kardashevskiy <aik@linux.ibm.com>2021-07-08 19:19:18 +1000
committerDmitry Vyukov <dvyukov@google.com>2021-07-19 11:29:36 +0200
commite6a175800f1d9e20aeb7ed35ea2b3fc627049e8f (patch)
tree2042be55af1e20d45e0be0181d8c50a3bdaa3b0a /pkg/csource
parenta0fbb62d9577118fda219fbd475f5ea3d08ea303 (diff)
pkg/ifuzz/powerpc: add some RTAS fuzzing
RunTime Abstraction Services (RTAS) is an API used by the Linux powerpc/pseries platform to talk to the hypervisor. Under KVM, this is implemented as a custom hypercall (which we have support for) and an in memory array of parameters. The hypercall is H_RTAS and its only parameter is a pointer to the mentioned array. The vast majority of RTAS calls are handled normally by QEMU and only a handful by KVM. This adds fuzzing of 4 RTAS calls. This uses a chunk from main 256MB RAM for parameters. The parameters are big endian hence "<<24" for the token. To allow more targeted fuzzing, use iset.GenerateInt(). Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Diffstat (limited to 'pkg/csource')
-rw-r--r--pkg/csource/generated.go14
1 files changed, 14 insertions, 0 deletions
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 272527c41..ee9517117 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -7325,6 +7325,16 @@ struct kvm_text {
uintptr_t size;
};
+static int kvmppc_define_rtas_kernel_token(int vmfd, unsigned token, const char* func)
+{
+ struct kvm_rtas_token_args args;
+
+ args.token = token;
+ strncpy(args.name, func, sizeof(args.name) - 1);
+
+ return ioctl(vmfd, KVM_PPC_RTAS_DEFINE_TOKEN, &args);
+}
+
static int kvmppc_get_one_reg(int cpufd, uint64 id, void* target)
{
struct kvm_one_reg reg = {.id = id, .addr = (uintptr_t)target};
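Review bot: `args` in kvmppc_define_rtas_kernel_token is never initialized and the `strncpy` copies at most `sizeof(args.name) - 1` bytes, so a `func` of that length or longer leaves `args.name` without a terminating NUL, and any shorter name leaves uninitialized stack bytes after it; the whole struct is then handed to the kernel via `ioctl(vmfd, KVM_PPC_RTAS_DEFINE_TOKEN, &args)`. Declaring it as `struct kvm_rtas_token_args args = {0};` keeps the last byte of `name` zero, so the copy is always terminated (truncated at worst) and no indeterminate bytes reach KVM. The four names used in the second hunk are short, so this is latent today, but the helper accepts an arbitrary string. The function is fully contained in this hunk.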
@@ -7576,6 +7586,10 @@ static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long
};
ioctl(vmfd, KVM_ENABLE_CAP, &cap);
}
+ kvmppc_define_rtas_kernel_token(vmfd, 1, "ibm,set-xive");
+ kvmppc_define_rtas_kernel_token(vmfd, 2, "ibm,get-xive");
+ kvmppc_define_rtas_kernel_token(vmfd, 3, "ibm,int-on");
+ kvmppc_define_rtas_kernel_token(vmfd, 4, "ibm,int-off");
dump_text(host_mem, regs.pc, 8, debug_inst_opcode);
dump_text(host_mem, BOOK3S_INTERRUPT_DECREMENTER, 16, debug_inst_opcode);
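Review bot: The four new calls discard the return value of `kvmppc_define_rtas_kernel_token`, so a failing `KVM_PPC_RTAS_DEFINE_TOKEN` ioctl is silent; this mirrors the unchecked `ioctl(vmfd, KVM_ENABLE_CAP, &cap)` just above and may be deliberate for a fuzzing harness, but nothing says so. A one-line comment above the first call would make the intent explicit, e.g. `// Best-effort: register RTAS tokens 1-4 with KVM; failures are ignored like the other setup ioctls.` Presumably the numeric tokens have to agree with what the ifuzz generator emits (the `<<24` token the commit message mentions), which is worth stating in that comment if true. syz_kvm_setup_cpu begins before this hunk and continues after it.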