diff options
| author | Alexey Kardashevskiy <aik@linux.ibm.com> | 2021-08-11 12:20:35 +1000 |
|---|---|---|
| committer | Aleksandr Nogikh <wp32pw@gmail.com> | 2021-11-09 18:19:37 +0100 |
| commit | 22b866596bd7ad15273e24db02a0ef693737eae8 (patch) | |
| tree | 36b6a0fba753ae64b193720b79ba0de2ac0ce70f /sys/linux/dev_kvm.txt.const | |
| parent | be386ae8800e02b4a9a3239c9565e9d40e253c84 (diff) | |
executor/common_linux: fuzz kvm_run
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller
fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
Diffstat (limited to 'sys/linux/dev_kvm.txt.const')
| -rw-r--r-- | sys/linux/dev_kvm.txt.const | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/linux/dev_kvm.txt.const b/sys/linux/dev_kvm.txt.const index 328bcf235..67f2e8a1d 100644 --- a/sys/linux/dev_kvm.txt.const +++ b/sys/linux/dev_kvm.txt.const @@ -74,6 +74,10 @@ KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE = 1, arm:riscv64:??? KVM_DIRTY_TLB = 1074835114, 386:1074572970, arm:riscv64:???, mips64le:ppc64le:2148576938 KVM_ENABLE_CAP = 1080602275, arm:riscv64:???, mips64le:ppc64le:2154344099 KVM_ENABLE_CAP_SIZE = 104, arm:riscv64:??? +KVM_EXIT_HYPERCALL_OFFSET = 32, arm:riscv64:???, s390x:48 +KVM_EXIT_HYPERCALL_SIZE = 72, arm:riscv64:??? +KVM_EXIT_MMIO_OFFSET = 32, arm:riscv64:???, s390x:48 +KVM_EXIT_MMIO_SIZE = 24, arm:riscv64:??? KVM_GET_API_VERSION = 44544, arm:riscv64:???, mips64le:ppc64le:536915456 KVM_GET_CLOCK = 2150674044, arm:riscv64:???, mips64le:ppc64le:1076932220 KVM_GET_CPUID2 = 3221794449, arm:arm64:mips64le:ppc64le:riscv64:s390x:??? @@ -149,6 +153,7 @@ KVM_PPC_GET_SMMU_INFO = 2186325670, arm:riscv64:???, mips64le:ppc64le:1112583846 KVM_REGISTER_COALESCED_MMIO = 1074835047, arm:riscv64:???, mips64le:ppc64le:2148576871 KVM_REINJECT_CONTROL = 44657, arm:riscv64:???, mips64le:ppc64le:536915569 KVM_RUN = 44672, arm:riscv64:???, mips64le:ppc64le:536915584 +KVM_RUN_SIZE = 2352, arm:riscv64:???, s390x:2368 KVM_S390_INTERRUPT = 1074835092, arm:riscv64:???, mips64le:ppc64le:2148576916 KVM_S390_UCAS_MAP = 1075359312, arm:riscv64:???, mips64le:ppc64le:2149101136 KVM_S390_UCAS_UNMAP = 1075359313, arm:riscv64:???, mips64le:ppc64le:2149101137 @@ -233,4 +238,6 @@ MCI_STATUS_UC = 2305843009213693952, arm:arm64:mips64le:ppc64le:riscv64:s390x:?? MCI_STATUS_VAL = 9223372036854775808, arm:arm64:mips64le:ppc64le:riscv64:s390x:??? VMCS12_SIZE = 4096, arm:riscv64:??? __NR_ioctl = 54, amd64:16, arm:riscv64:???, arm64:29, mips64le:5015 +__NR_mmap = 90, 386:192, amd64:9, arm:riscv64:???, arm64:222, mips64le:5009 +__NR_mmap2 = 386:192, amd64:arm:arm64:mips64le:ppc64le:riscv64:s390x:??? __NR_openat = 386:295, amd64:257, arm:riscv64:???, arm64:56, mips64le:5247, ppc64le:286, s390x:288 |