authorAlexander Potapenko <glider@google.com>2024-11-21 16:30:50 +0100
committerAlexander Potapenko <glider@google.com>2024-11-26 11:12:47 +0000
commit2ebbc7259f2bda405779335b46a2f519f14ec473 (patch)
treeb81960041de957bb95a917df9c42924d8ac6de9b /sys
parentae34cc2c773d3522e98ab8f038e2e5875fb9dac4 (diff)
executor: arm64: sys/linux: allocate 1024 pages for guest address space
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and syz_kvm_setup_cpu$arm64() to make sure that (1) there is enough memory for guest allocations (e.g. ITS pages), and (2) the host can tamper with that memory, provoking more bugs.
Diffstat (limited to 'sys')
-rw-r--r--sys/linux/dev_kvm.txt4
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm2
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite2
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr2
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc2
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv32
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu12
-rw-r--r--sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its2
8 files changed, 9 insertions, 9 deletions
diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
index def833602..784b625fb 100644
--- a/sys/linux/dev_kvm.txt
+++ b/sys/linux/dev_kvm.txt
@@ -260,14 +260,14 @@ kvm_x86_rflags = 1, 2, 4, 16, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384,
# Pseudo call that setups VCPU into a reasonable interesting state for execution.
# The interface is designed for extensibility so that addition of new options does not invalidate all existing programs.
syz_kvm_setup_cpu$x86(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_x86, 1]], ntext len[text], flags flags[kvm_setup_flags], opts ptr[in, array[kvm_setup_opt_x86, 0:2]], nopt len[opts])
-syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts])
+syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[1024], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts])
syz_kvm_setup_cpu$ppc64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_ppc64, 1]], ntext len[text], flags flags[kvm_setup_flags_ppc64], opts ptr[in, array[kvm_setup_opt_ppc64, 1]], nopt len[opts])
kvm_num_irqs = 32, 64, 128, 256, 512
# This pseudo-syscall is ARM64-specific.
syz_kvm_vgic_v3_setup(fd fd_kvmvm, ncpus intptr[0:4], nirqs flags[kvm_num_irqs]) fd_kvmdev
resource kvm_syz_vm[int64]
-syz_kvm_setup_syzos_vm(fd fd_kvmvm) kvm_syz_vm
+syz_kvm_setup_syzos_vm(fd fd_kvmvm, usermem vma[1024]) kvm_syz_vm
syz_kvm_add_vcpu(vm kvm_syz_vm, text ptr[in, kvm_text_arm64], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts]) fd_kvmcpu
resource kvm_run_ptr[int64]
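Review bot: The new `usermem vma[1024]` parameter added to `syz_kvm_setup_syzos_vm` (and the widened `vma[1024]` on `syz_kvm_setup_cpu$arm64`) is not described anywhere in this hunk, while the x86 variant above carries a two-line comment, so a reader of the description file cannot tell what the region is for or how large the executor expects it to be. I would add above the `resource kvm_syz_vm[int64]` line: `# usermem is a 1024-page region (4 MiB with 4 KiB pages, see the test programs) that backs the guest physical memory; the host side of a program may write to it while the guest runs.` The executor code that consumes the region is outside this diff; presumably it derives the memslot size from the same 1024-page constant rather than from the argument, so both sides should reference one named constant to keep them from drifting. The x86 and ppc64 variants keep `vma[24]`, which looks intentional but is worth stating in the commit message.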
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm
index 4648c4595..29fcbb864 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
# Perform two uexits. The first one is done via a code blob:
# d2802000 mov x0, #0x100 // #256
# f2bbbba0 movk x0, #0xdddd, lsl #16
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
index 69f0b176f..e10a26853 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
# Emulate a uexit with the memwrite API command: write 0 at address ARM64_ADDR_UEXIT.
#
r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@memwrite={AUTO, AUTO, @generic={0xdddd0000, 0x100, 0x0, 0x8}}], AUTO}, 0x0, 0x0)
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr
index f242b47d5..b0298d87d 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
#
# 0x603000000013c600 is VBAR_EL1, it aligns the written value on 0x20.
#
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc
index d165b2b92..0b9fa62c2 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
#
# KVM_SET_DEVICE_ATTR: group=KVM_ARM_VM_SMCCC_CTRL, attr=KVM_ARM_VM_SMCCC_FILTER
# Filter: base=0xef000000, nr_functions=0x1000, action=KVM_SMCCC_FILTER_FWD_TO_USER
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3 b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3
index 07bfa5f10..0c6b0dfc4 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
syz_kvm_vgic_v3_setup(r1, 0x1, 0x100)
ioctl$KVM_RUN(r3, AUTO, 0x0)
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu1 b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu1
index 02551142b..a77ae90d0 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu1
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu1
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
r4 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
syz_kvm_vgic_v3_setup(r1, 0x2, 0x100)
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its
index c1f151c8a..7752a8f6e 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its
@@ -3,7 +3,7 @@
#
r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
-r2 = syz_kvm_setup_syzos_vm(r1)
+r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
syz_kvm_vgic_v3_setup(r1, 0x1, 0x100)