| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `no_squash` per-syscall attribute prevents the fuzzer from generating
squashed arguments to a particular syscall.
This is particularly helpful for pseudo-syscalls with elaborate
arguments that are hard to reason about when they are squashed - e.g.
for syz_kvm_add_vcpu() that takes a SYZOS program as an input.
I've considered an alternative solution that prohibits ANY for all
pseudo-syscalls. But there is a bunch of existing programs (both
the tests and the repros) for syscalls like syz_mount_image() for which
the benefit of not passing ANY is not immediately obvious.
I therefore decided to go with an explicit attribute that can later
be enforced for every pseudo-syscall at compile time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Syscall attributes are extended with a fsck command field which lets
file system mount definitions specify a fsck-like command to run. This
is required because all file systems have a custom fsck command
invokation style.
When uploading a compressed image asset to the dashboard, syz-manager
also runs the fsck command and logs its output over the dashapi.
The dashboard logs these fsck logs into the database.
This has been requested by fs maintainer Ted Tso who would like to
quickly understand whether a filesystem is corrupted or not before
looking at a reproducer in more details. Ultimately, this could be used
as an early triage sign to determine whether a bug is obviously
critical.
|
| |
|
|
|
| |
Permit structs to recursively contain itself in arrays.
This is needed for netlink. Amusingly several netlink policies contain itself.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for using the value of constants in conditional
fields in addition to integers and flags. Intuitively, this probably
looks like it shouldn't be needed: constants are known so the condition
can be resolved ahead of time. It is however useful in the case of
templates (example in the next commit) where the type of a field may be
interchangeably an integer or a constant:
type example_t[TYPE] {
f1 TYPE
f2 int32 (if[value[f1] == 3])
}
type example1 example_t[int64]
type example2 example_t[const[0, int64]]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
| |
New usecases for 'fmt' arguments after enabling 'proc' type in context of structures
outlined in testdata/all.txt.
|
| |
|
|
|
|
|
|
|
| |
All OSes we have now support shmem.
Support for Fuchia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The expression may either include integers/consts or reference other
fields in the structure via value[field1:field2:field3].
The fields on this path must all belong to structures and must not have
any if conditions themselves.
For unions, mandate that the last field has no conditions (it will be
the default one).
For structs, convert conditional fields into fields of a union type of
the following form:
anonymous_union [
value T (if[expression])
void void
]
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Earlier only len[parent, T] was supported and meant the size of the
whole structure.
Logically, len[parent:b, T] should be equivalent to just len[b, T].
Let len[parent:parent:a, T] refer to the structure that encloses the
current one.
Support len fields inside unions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for the following syntax:
int8[constant]
as an equivalent to:
const[constant, int8]
The goal is to have a unified const/flags definition that we can use in
templates. For example:
type template[CLASS, ...] {
class int8:3[CLASS]
// ...
}
type singleClassType template[SINGLE_CONST]
type subClassType template[abc_class_flags]
In this example, the CLASS template field can be either a constant or a
flag. This is especially useful when defining both a generic instance of
the template as well as specialized instances (ex. bpf_alu_ops and
bpf_add_op).
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for the following syntax:
int_flags = 1, 5, 8, 9
int32[int_flags]
which is equivalent to:
int_flags = 1, 5, 8, 9
flags[int_flags, int32]
The second int type argument, align, is not allowed if the first
argument is a flag. The compiler will also error if the first argument
appears to be a flag (is ident and has no colon), but can't be found in
the map of flags.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
builtin
Create the `BufferCompressed` kind of `BufferType`, which will be used
to represent compressed data. Create the corresponding `compressed_image`
syzlang builtin, which is backed by `BufferCompressed`. For now, no
syscalls use this feature - this will be introduced in future commits.
We have to be careful to decompress the data before mutating, and
re-compress before storing. We make sure that any deserialised
`BufferCompressed` data is valid too.
`BufferCompressed` arguments are mutated using a generic heatmap. In
future, we could add variants of `BufferCompressed` or populate the
`BufferType` sub-kind, using it to choose different kinds of heatmap for
different uncompressed data formats.
Various operations on compressed data must be forbidden, so we check for
`BufferCompressed` in key places. We also have to ensure `compressed_image`
can only be used in syscalls that are marked `no_{generate,minimize}`.
Therefore, we add a generic compiler check which allows type
descriptions to require attributes on the syscalls which use them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a bunch of hacks in syz-extract, syz-sysgen and syz-check
with respect to description files unsupported on some arches,
or that must not be part of make extract.
Add 2 meta attribtues to files:
meta noextract
Tells `make extract` to not extract constants for this file.
Though, `syz-extract` can still be invoked manually on this file.
meta arches["arch1", "arch2"]
Restricts this file only to the given set of architectures.
`make extract` and ``make generate` will not use it on other architectures.
Later we can potentially use meta attributes to specify git tree/commit
that must be used for extraction. Maybe something else.
Fixes #2754
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues above are:
- Need to know what file present on target device
- Need to write openat for each file
With dirname added, which will open one file
in the directory randomly and then pass the fd to
write/read/close.
* all: use typename glob to match filename
Fixes #481
|
| | |
|
| |
|
|
|
|
|
| |
Flags with only 1 value 0 are transformed to ConstType.
Fmt did not expect that.
Fixes #1965
|
| |
|
|
|
|
| |
Add common infrastructure for syscall attributes.
Add few attributes we want, but they are not implemented for now
(don't affect behavior, this will follow).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Introduce common infrastructure for describing and parsing attribute
instead of custom per-attribute code scattered across several locations.
Change align attribute syntax from the weird align_N to align[N].
This also allows to use literal constants as N.
Introduce notion of builtin constants.
Currently we have only PTR_SIZE, which is needed to replace
align_ptr with align[PTR_SIZE].
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that we don't have conflicting sizes for the same argument
of the same syscall, e.g.:
foo$1(a int16)
foo$2(a int32)
This is useful for several reasons:
- we will be able avoid morphing syscalls into other syscalls
- we will be able to figure out more precise sizes for args
(lots of them are implicitly intptr, which is the largest
type on most important arches)
- found few bugs in linux descriptions
Update #477
Update #502
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The stringnozescapes does not make sense with filename,
also we may need similar escaping for string flags.
Handle escaped strings on ast level instead.
This avoids introducing new type and works seamleassly with flags.
As alternative I've also tried using strconv.Quote/Unquote
but it leads to ugly half-escaped strings:
"\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"
Make hex-encoded strings a separate string format instead.
|
| |
|
|
|
|
| |
We used size as alignment, this is very wrong.
Found thanks to syz-check. Update #590
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We assumed that for ConstType alignment is equal to size,
which is perfectly reasonable for normal int8/16/32/64/ptr.
However, padding is also represented by ConstType of arbitrary size,
so if we added 157 bytes of padding that becomes alignment of
the padding field and as the result of the whole struct.
This affects very few structs, but quite radically and quite
important structs.
Discovered thanks to syz-check.
Update #590
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
|
| |
|
|
|
|
| |
For any intN, values in the range [-MAX_INTN:MAX_INTN] are accepted.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
|
| |
|
|
|
|
|
|
|
| |
Enables the syntax intN[start:end, alignment] for integer ranges. For
instance, int32[0:10, 2] represents even 32-bit numbers between 0 and 10
included. With this change, two NEED tags in syscall descriptions can be
addressed.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
|
| |
|
|
|
|
|
|
|
|
| |
Without this fix, the compiler throws an error 'template argument BASE is
not used' for the following typedef.
type templ1[BASE] BASE
foo(a ptr[in, templ1[int64]])
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
|
| |
|
|
|
|
| |
Similar to C offsetof gives offset of a field
from the beginning of the parent struct.
We have several TODOs in descriptions asking for this.
|
| |
|
|
| |
This allows to use len[syscall:arg] expressions.
|
| |
|
|
|
|
|
|
|
|
| |
This change adds compiler support for complex path
expressions in len targets. E.g. it allows to refer
to a sibling field as len[parent_struct:field:another_field].
See the docs change for details.
This is just a compiler change.
The feature is not yet supported by the prog package.
|
| |
|
|
|
|
|
|
|
|
|
| |
Ptr type has special handling of direction (pointers are always input).
But buffer type missed this special case all the time.
Make buffer less special by aliasing to the ptr[array[int8]] type.
As the result buffer type can't have optional trailing "opt" attribute
because we don't have such support for templates yet.
Change such cases to use ptr type directly.
Fixes #1097
|
| |
|
|
| |
8-byte vma is needed in several places in linux descriptions.
|
| |
|
|
|
|
| |
Currently we have to use 0xffffffffffffffff to represent -1,
and we can't express e.g. -20:20 int range.
Support negative consts to fix both problems.
|
| |
|
|
|
| |
fmt type allows to convert intergers and resources
to string representation.
|
| |
|
|
|
| |
Error on unused structs/unions/resources/flags.
Finds tons of bugs.
|
| |
|
|
|
|
|
| |
type optional[T] [
val T
void void
] [varlen]
|
| |
|
|
|
|
|
| |
Frequently it's useful to do something like:
int8['a':'z']
punctuation = ',', '-', ':'
|
| |
|
|
| |
The size attribute allows to pad a struct up to the specified size.
|
| |
|
|
|
| |
If all union options can be syscall arguments,
allow the union itself as syscall argument.
|
| |
|
|
| |
Can be useful for netfilter descriptions.
|
| |
|
|
|
| |
All netfilter subsystems use this unfortunately,
so demote this to a warning.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Unions with only 1 field are not actually unions,
and can always be replaced with the option type.
However, they are still useful when there will be
more options in future but currently only 1 is described.
Alternatives are:
- not using union (but then all existing programs will be
broken when union is finally introduced)
- adding a fake field (ugly and reduces fuzzer efficiency)
Allow unions with only 1 field.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Consider the following example:
type len_templ1[DATA1, DATA2] {
data DATA1
inner len_temp2[DATA2]
}
type len_temp2[DATA] {
data DATA
len len[len_templ1, int8]
}
Here len refers to a parent struct, but the struct is a template,
so it's actual name is something like "len_templ1[int8, int16]".
Currently this does not work as compiler barks at incorrect
len target.
Make this work.
|
| |
|
|
| |
This comes up in several contexts in netfilter.
|
| |
|
|
| |
Needed for netfilter descriptions.
|
| |
|
|
| |
Add stringnoz type.
|
| |
|
|
|
|
| |
"void": type with static size 0
mostly useful inside of templates and varlen unions
can't be syscall argument
|
|
|
Netlink descriptions contain tons of code duplication,
and need much more for proper descriptions. Introduce
type templates to simplify writing such descriptions
and remove code duplication.
Note: type templates are experimental, have poor error handling
and are subject to change.
Type templates can be declared as follows:
```
type buffer[DIR] ptr[DIR, array[int8]]
type fileoff[BASE] BASE
type nlattr[TYPE, PAYLOAD] {
nla_len len[parent, int16]
nla_type const[TYPE, int16]
payload PAYLOAD
} [align_4]
```
and later used as follows:
```
syscall(a buffer[in], b fileoff[int64], c ptr[in, nlattr[FOO, int32]])
```
|
