diff options
| author | Alexey Kardashevskiy <aik@linux.ibm.com> | 2021-08-11 12:20:35 +1000 |
|---|---|---|
| committer | Aleksandr Nogikh <wp32pw@gmail.com> | 2021-11-09 18:19:37 +0100 |
| commit | 22b866596bd7ad15273e24db02a0ef693737eae8 (patch) | |
| tree | 36b6a0fba753ae64b193720b79ba0de2ac0ce70f /pkg | |
| parent | be386ae8800e02b4a9a3239c9565e9d40e253c84 (diff) | |
executor/common_linux: fuzz kvm_run
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller
fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/host/syscalls_linux.go | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/pkg/host/syscalls_linux.go b/pkg/host/syscalls_linux.go index c69ccd82f..1d305b4e0 100644 --- a/pkg/host/syscalls_linux.go +++ b/pkg/host/syscalls_linux.go @@ -253,6 +253,14 @@ func isSyzIoUringSupported(c *prog.Syscall, target *prog.Target, sandbox string) return isSupportedSyscall(ioUringSyscall, target) } +func isSyzMemcpySupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) { + ret, msg := isSyzIoUringSupported(c, target, sandbox) + if ret { + return ret, msg + } + return isSyzKvmSetupCPUSupported(c, target, sandbox) +} + func isBtfVmlinuxSupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) { if err := osutil.IsAccessible("/sys/kernel/btf/vmlinux"); err != nil { return false, err.Error() @@ -299,14 +307,12 @@ var syzkallSupport = map[string]func(*prog.Syscall, *prog.Target, string) (bool, "syz_io_uring_submit": isSyzIoUringSupported, "syz_io_uring_complete": isSyzIoUringSupported, "syz_io_uring_setup": isSyzIoUringSupported, - // syz_memcpy_off is only used for io_uring descriptions, thus, enable it - // only if io_uring syscalls are enabled. - "syz_memcpy_off": isSyzIoUringSupported, - "syz_btf_id_by_name": isBtfVmlinuxSupported, - "syz_fuse_handle_req": isSyzFuseSupported, - "syz_80211_inject_frame": isWifiEmulationSupported, - "syz_80211_join_ibss": isWifiEmulationSupported, - "syz_usbip_server_init": isSyzUsbIPSupported, + "syz_memcpy_off": isSyzMemcpySupported, + "syz_btf_id_by_name": isBtfVmlinuxSupported, + "syz_fuse_handle_req": isSyzFuseSupported, + "syz_80211_inject_frame": isWifiEmulationSupported, + "syz_80211_join_ibss": isWifiEmulationSupported, + "syz_usbip_server_init": isSyzUsbIPSupported, } func isSupportedSyzkall(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) { |