Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/dev_binder.txt10
-rw-r--r--sys/linux/dev_binderfs.txt40
-rw-r--r--sys/linux/dev_binderfs.txt.const10
-rw-r--r--sys/linux/test/binder4
4 files changed, 57 insertions, 7 deletions
diff --git a/sys/linux/dev_binder.txt b/sys/linux/dev_binder.txt
index b7b50f655..1fcfa6a95 100644
--- a/sys/linux/dev_binder.txt
+++ b/sys/linux/dev_binder.txt
@@ -1,10 +1,10 @@
# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
-# Description uses binder device per test process, they are expected to be configured with
-# CONFIG_ANDROID_BINDER_DEVICES="binder0,...,binder31".
-# "binder,hwbinder,vndbinder" is also supported; this is the kconfig default and
-# it's what's used on real Android devices (the main user of binder).
+# These descriptions rely on binderfs being enabled and creating at least binder0
+# and binder1 devices right after a mount.
+# "binder,hwbinder,vndbinder" devices are also supported; this is the kconfig default
+# and it's what's used on real Android devices (the main user of binder).
# Description assumes CONFIG_ANDROID_BINDER_IPC_32BIT is not set.
include <linux/android/binder.h>
@@ -19,8 +19,8 @@ type binder_handle int32[0:3]
# It seems that cookies are only checked for inequality and non-matching cookies only cover error paths.
type binder_cookie const[0, int64]
-syz_open_dev$binderN(dev ptr[in, string["/dev/binder#"]], id proc[0, 1], flags flags[binder_open_flags]) fd_binder
openat$binder(fd const[AT_FDCWD], file ptr[in, string["/dev/binder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
+openat$binderfs(fd const[AT_FDCWD], file ptr[in, string[binderfs_devpath]], flags flags[binder_open_flags], mode const[0]) fd_binder
openat$hwbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/hwbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
openat$vndbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/vndbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
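Review bot: The new `openat$binderfs` line uses the string set `binderfs_devpath`, which is not defined in this file and is only introduced in `dev_binderfs.txt` by the same commit. Its entries all begin with `./binderfs` or `./binderfs2` and are opened with `AT_FDCWD`, so they resolve against the process's working directory rather than `/dev` like the three neighbouring calls. A one-line comment above the call would save the next reader a search, for example `# binderfs_devpath is defined in dev_binderfs.txt; paths are relative to the working directory where binderfs is mounted.`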
diff --git a/sys/linux/dev_binderfs.txt b/sys/linux/dev_binderfs.txt
new file mode 100644
index 000000000..f2dff258a
--- /dev/null
+++ b/sys/linux/dev_binderfs.txt
@@ -0,0 +1,40 @@
+# Copyright 2021 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <linux/fcntl.h>
+include <linux/unistd.h>
+include <linux/android/binderfs.h>
+
+# ./binderfs will be mounted by syz-executor, but let's also see how a single process
+# operates with multiple ones.
+binderfs_mountpoint = "./binderfs", "./binderfs2"
+
+# Control paths.
+binderfs_ctrlpath = "./binderfs/binder-control", "./binderfs2/binder-control"
+
+# Device names.
+binderfs_devname = "binder0", "binder1", "custom0", "custom1"
+
+# Unfortunately, syzlang does not currently favor string concatenation for open (and related) syscalls. So we concatenate it manually.
+binderfs_devpath = "./binderfs/binder0", "./binderfs/binder1", "./binderfs/custom0", "./binderfs/custom1", "./binderfs2/binder0", "./binderfs2/binder1", "./binderfs2/custom0", "./binderfs2/custom1"
+
+mkdirat$binderfs(fd const[AT_FDCWD], path ptr[in, string[binderfs_mountpoint]], mode const[0x1ff])
+mount$binderfs(src ptr[in, string["binder"]], dst ptr[in, string[binderfs_mountpoint]], type ptr[in, string["binder"]], flags flags[mount_flags], opts ptr[in, fs_options[binderfs_options]])
+unlinkat$binderfs_device(fd const[AT_FDCWD], path ptr[in, string[binderfs_devpath]])
+
+binderfs_options [
+ max fs_opt_oct["max", int32]
+ stats stringnoz["stats=global"]
+] [varlen]
+
+define BINDERFS_NAME_LEN BINDERFS_MAX_NAME + 1
+
+binderfs_device {
+ name string[binderfs_devname, BINDERFS_NAME_LEN] (in)
+ major int32 (out)
+ minor int32 (out)
+}
+
+resource fd_binderfs_ctrl[fd]
+openat$binderfs_ctrl(fd const[AT_FDCWD], file ptr[in, string[binderfs_ctrlpath]], flags flags[binder_open_flags], mode const[0]) fd_binderfs_ctrl
+ioctl$BINDER_CTL_ADD(fd fd_binderfs_ctrl, cmd const[BINDER_CTL_ADD], arg ptr[inout, binderfs_device])
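Review bot: `binderfs_devpath` is a hand-expanded product of `binderfs_mountpoint` and `binderfs_devname`, and nothing ties the three lists together. If a name or mountpoint is later added to one list but not to the path list, `openat$binderfs` and `unlinkat$binderfs_device` will never target the new device, while `ioctl$BINDER_CTL_ADD` still creates it. That silently narrows coverage of the open and unlink paths for added devices. I would extend the existing comment above `binderfs_devpath` with `# Keep in sync: every (binderfs_mountpoint, binderfs_devname) pair must be listed here.`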
diff --git a/sys/linux/dev_binderfs.txt.const b/sys/linux/dev_binderfs.txt.const
new file mode 100644
index 000000000..f21650a03
--- /dev/null
+++ b/sys/linux/dev_binderfs.txt.const
@@ -0,0 +1,10 @@
+# Code generated by syz-sysgen. DO NOT EDIT.
+arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+AT_FDCWD = 18446744073709551516
+BINDERFS_NAME_LEN = 256
+BINDER_CTL_ADD = 3238552065
+__NR_ioctl = 54, amd64:16, arm64:riscv64:29, mips64le:5015
+__NR_mkdirat = 34, 386:296, amd64:258, arm:323, mips64le:5248, ppc64le:287, s390x:289
+__NR_mount = 21, amd64:165, arm64:riscv64:40, mips64le:5160
+__NR_openat = 56, 386:295, amd64:257, arm:322, mips64le:5247, ppc64le:286, s390x:288
+__NR_unlinkat = 35, 386:301, amd64:263, arm:328, mips64le:5253, ppc64le:292, s390x:294
diff --git a/sys/linux/test/binder b/sys/linux/test/binder
index 8805d2deb..0c4445595 100644
--- a/sys/linux/test/binder
+++ b/sys/linux/test/binder
@@ -1,6 +1,6 @@
-r0 = syz_open_dev$binderN(&AUTO='/dev/binder#\x00', 0x0, 0x2)
+r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, AUTO, &AUTO={AUTO, 0x100, 0x0, 0x0})
mmap$binder(&(0x7f00000a0000), 0x2000, 0x1, 0x11, r0, 0x0)
-r1 = syz_open_dev$binderN(&AUTO='/dev/binder#\x00', 0x0, 0x2)
+r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
mmap$binder(&(0x7f00000c0000), 0x2000, 0x1, 0x11, r1, 0x0)
ioctl$BINDER_WRITE_READ(r1, AUTO, &AUTO={AUTO, AUTO, &AUTO=[@transaction_sg={AUTO, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, AUTO, AUTO, &AUTO={@flat=@binder={AUTO, 0x0, 0x0, 0x0}, @fd={AUTO, AUTO, r0, AUTO, 0x0}, @ptr={AUTO, 0x0, &AUTO=""/10, AUTO, 0x0, 0x0}}, &AUTO={AUTO, AUTO, AUTO}}, 0x10}], AUTO, AUTO, &AUTO})
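Review bot: The two replaced opens pass `0x0` as the flags argument where the removed `syz_open_dev$binderN` calls passed `0x2`. The test therefore now opens both binder devices read-only instead of read-write, and nothing in the hunk says this is intended. If it is incidental to the conversion, keeping `0x2` preserves what the test exercised before. Separately, both calls hard-code the same address `0x7f00000000c0` for different path strings and spell out `0xffffffffffffff9c`, while the rest of the program uses `AUTO`. Something like `r0 = openat$binderfs(AUTO, &AUTO='./binderfs/binder0\x00', 0x2, 0x0)` would be consistent with the surrounding lines.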