diff options
| author | Alexander Potapenko <glider@google.com> | 2026-01-27 17:20:16 +0100 |
|---|---|---|
| committer | Alexander Potapenko <glider@google.com> | 2026-02-09 09:43:36 +0000 |
| commit | d36c2ba14701aaa8b613b9babb65720a9b510bf9 (patch) | |
| tree | 356dfd2ea04462f093ba3598f2a6ead48d3ac2c4 /sys/linux/dev_kvm_amd64.txt | |
| parent | dcd3f1a34151f50991c29aa21677ba6f09159da8 (diff) | |
executor: sys/linux: Implement nested SYZOS loading
This commit introduces the `SYZOS_API_NESTED_LOAD_SYZOS` command to
enable running full SYZOS programs within a nested L2 guest, enhancing
fuzzing capabilities for nested virtualization.
Key changes include:
- Nested SYZOS Execution: The new command loads a SYZOS program into an
L2 VM, setting up its execution environment.
- ABI Refinement: Program size is now passed via the shared `syzos_globals`
memory region instead of registers, standardizing the ABI for L1 and L2.
- L2 State Management: Improved saving and restoring of L2 guest GPRs
across VM-exits using inline assembly wrappers for Intel and AMD.
- Nested UEXIT Propagation: Intercepts EPT/NPT faults on the exit page to
capture the L2 exit code from saved registers and forward it to L0 with
an incremented nesting level.
- L2 Memory Management: Updates to L2 page table setup, including skipping
NO_HOST_MEM regions to force exits, and a new `l2_gpa_to_pa` helper.
Diffstat (limited to 'sys/linux/dev_kvm_amd64.txt')
| -rw-r--r-- | sys/linux/dev_kvm_amd64.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt index 4694f93cc..57b3e1538 100644 --- a/sys/linux/dev_kvm_amd64.txt +++ b/sys/linux/dev_kvm_amd64.txt @@ -102,6 +102,13 @@ syzos_api_nested_load_code { insns text[x86_64] } [packed] +syzos_api_nested_load_syzos { + vm_id syzos_api_vm_id + unused_pages int64 +# Can't limit the array size, because it leads to a recursive definition that cannot be compiled. + program array[syzos_api_call$x86] +} [packed] + # VMCS Component Encoding is a 32-bit value, but only bits 0:15 are used. # Certain bit combinations are invalid, because the number encodes additional # parameters like access type and width. @@ -184,6 +191,7 @@ syzos_api_call$x86 [ nested_load_code syzos_api$x86[302, syzos_api_nested_load_code] nested_vmlaunch syzos_api$x86[303, syzos_api_vm_id] nested_vmresume syzos_api$x86[304, syzos_api_vm_id] + nested_load_syzos syzos_api$x86[310, syzos_api_nested_load_syzos] nested_intel_vmwrite_mask syzos_api$x86[340, syzos_api_nested_intel_vmwrite_mask] nested_amd_vmcb_write_mask syzos_api$x86[380, syzos_api_nested_amd_vmcb_write_mask] nested_amd_invlpga syzos_api$x86[381, syzos_api_nested_amd_invlpga] |