diff options
| author | Alexey Kardashevskiy <aik@linux.ibm.com> | 2021-08-11 12:20:35 +1000 |
|---|---|---|
| committer | Aleksandr Nogikh <wp32pw@gmail.com> | 2021-11-09 18:19:37 +0100 |
| commit | 22b866596bd7ad15273e24db02a0ef693737eae8 (patch) | |
| tree | 36b6a0fba753ae64b193720b79ba0de2ac0ce70f /sys/linux/dev_kvm.txt | |
| parent | be386ae8800e02b4a9a3239c9565e9d40e253c84 (diff) | |
executor/common_linux: fuzz kvm_run
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller
fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
Diffstat (limited to 'sys/linux/dev_kvm.txt')
| -rw-r--r-- | sys/linux/dev_kvm.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt index 6b735b2f3..e00624f66 100644 --- a/sys/linux/dev_kvm.txt +++ b/sys/linux/dev_kvm.txt @@ -193,6 +193,19 @@ syz_kvm_setup_cpu$x86(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts]) syz_kvm_setup_cpu$ppc64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_ppc64, 1]], ntext len[text], flags flags[kvm_setup_flags_ppc64], opts ptr[in, array[kvm_setup_opt_ppc64, 1]], nopt len[opts]) +resource kvm_run_ptr[int64] +define KVM_RUN_SIZE sizeof(struct kvm_run) +mmap$KVM_VCPU(addr vma, len const[KVM_RUN_SIZE], prot flags[mmap_prot], flags flags[mmap_flags], cpufd fd_kvmcpu, offset const[0]) kvm_run_ptr +_ = __NR_mmap2 + +define KVM_EXIT_MMIO_OFFSET offsetof(struct kvm_run, mmio) +define KVM_EXIT_MMIO_SIZE sizeof_field(struct kvm_run, mmio) +syz_memcpy_off$KVM_EXIT_MMIO(dst kvm_run_ptr, off const[KVM_EXIT_MMIO_OFFSET], src ptr[in, array[int8, KVM_EXIT_MMIO_SIZE]], src_off const[0], nbytes len[src]) + +define KVM_EXIT_HYPERCALL_OFFSET offsetof(struct kvm_run, hypercall) +define KVM_EXIT_HYPERCALL_SIZE sizeof_field(struct kvm_run, hypercall) +syz_memcpy_off$KVM_EXIT_HYPERCALL(dst kvm_run_ptr, off const[KVM_EXIT_HYPERCALL_OFFSET], src ptr[in, array[int8, KVM_EXIT_HYPERCALL_SIZE]], src_off const[0], nbytes len[src]) + kvm_text_x86 [ textreal kvm_text_x86_real text16 kvm_text_x86_16 |