| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements syz_kvm_setup_cpu for riscv64 architecture.
The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code
as parameters. Additional parameters (ntext, flags, opts, nopt) are
included for interface consistency with other architectures but are
currently unused on riscv64.
Implementation:
- Set up guest memory via KVM_SET_USER_MEMORY_REGION
- Copy guest code to guest memory
- Initialize guest registers to enable code execution in S-mode
- Return 0 on success, -1 on failure
Testing:
A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/
to verify basic functionality.
Known limitations:
- ifuzz is not yet compatible with riscv64. Temporary workaround: set
text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig
for riscv64 to ensure generateText and mutateText work correctly.
This patch also adds support for KVM_GET_ONE_REG ioctl.
|
| |
|
|
| |
Any is the preferred over interface{} now in Go.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `no_squash` per-syscall attribute prevents the fuzzer from generating
squashed arguments to a particular syscall.
This is particularly helpful for pseudo-syscalls with elaborate
arguments that are hard to reason about when they are squashed - e.g.
for syz_kvm_add_vcpu() that takes a SYZOS program as an input.
I've considered an alternative solution that prohibits ANY for all
pseudo-syscalls. But there is a bunch of existing programs (both
the tests and the repros) for syscalls like syz_mount_image() for which
the benefit of not passing ANY is not immediately obvious.
I therefore decided to go with an explicit attribute that can later
be enforced for every pseudo-syscall at compile time.
|
| |
|
|
| |
./tools/syz-env bin/golangci-lint run ./... --fix
|
| |
|
|
| |
New code will be limited to max 7 function params.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we have a bug in struct layout that affects
some corner cases that involve recursive structs.
The result of this bug is that we use wrong alignment 1
(not yet calculated) for some structs when calculating
layout of other structs.
The root cause of this bug is that we calculate struct
alignment too early in typeStruct.Gen when structs
are not yet laid out.
For this reason we moved struct size calculation to the
later phase (after compiler.layoutStruct).
Move alignment calculation from typeStruct.Gen to
compiler.layoutStruct to fix this.
|
| |
|
|
|
|
|
|
|
|
| |
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As the result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
|
| |
|
|
| |
They are shorter, more readable, and don't require temp vars.
|
| | |
|
| |
|
|
|
|
| |
Mark the whole file with "meta automatic" instead of marking each syscall.
This reduces size of descriptions + allows to do special things
with the whole file (e.g. we already treat auto consts specially).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Syscall attributes are extended with a fsck command field which lets
file system mount definitions specify a fsck-like command to run. This
is required because all file systems have a custom fsck command
invokation style.
When uploading a compressed image asset to the dashboard, syz-manager
also runs the fsck command and logs its output over the dashapi.
The dashboard logs these fsck logs into the database.
This has been requested by fs maintainer Ted Tso who would like to
quickly understand whether a filesystem is corrupted or not before
looking at a reproducer in more details. Ultimately, this could be used
as an early triage sign to determine whether a bug is obviously
critical.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently if const values in 2 .const files have different value,
the compiler produces an error.
This is problematic for auto-extacted consts since we extract
them for only 1 arch now. So if a const has different values
for different arches, auto-extacted consts may not reflect that,
and we can get a mismatch with manual descriptions that has
correct values for all arches.
So if both manual and auto-extacted consts have different values,
silently prefer the manual ones.
I've tried to do some whitelisting of consts during auto-extaction,
but the list is large and changing over time.
This solution is not perfect since the manual descriptions may
have a bug, and the mismatch is actually pointing to that bug.
Maybe in future we could extract for all arches separately,
or do something else. But let's do this for now.
|
| |
|
|
|
| |
Permit structs to recursively contain itself in arrays.
This is needed for netlink. Amusingly several netlink policies contain itself.
|
| |
|
|
|
|
|
|
|
| |
We already do this in most cases except for template structs (nlattr notably).
Add consts that are used in template structs to all files that use them.
This helps to avoid flakiness, and allows to replace descriptions files
with other descriptions files without regenerating all const files.
This also fixes check for presence of descriptions for sys/linux/auto.txt.json.
|
| |
|
|
|
|
|
|
|
|
|
| |
ex. f3 field has logic or operator in if condition:
conditional_struct {
mask int32
f1 field1 (if[value[mask] & FIELD_FLAG1])
f2 int64 (if[value[mask] & FIELD_FLAG2])
f3 int64 (if[value[mask] == FIELD_FLAG1 || value[mask] == FIELD_FLAG2])
} [packed]
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for using the value of constants in conditional
fields in addition to integers and flags. Intuitively, this probably
looks like it shouldn't be needed: constants are known so the condition
can be resolved ahead of time. It is however useful in the case of
templates (example in the next commit) where the type of a field may be
interchangeably an integer or a constant:
type example_t[TYPE] {
f1 TYPE
f2 int32 (if[value[f1] == 3])
}
type example1 example_t[int64]
type example2 example_t[const[0, int64]]
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
| |
written descriptions or both
Add "Auto" type and allow to choose descriptions mode in configurations. Defaults to using manual only.
|
| |
|
|
|
| |
New usecases for 'fmt' arguments after enabling 'proc' type in context of structures
outlined in testdata/all.txt.
|
| |
|
|
| |
Fix for recurseField() pass that fails due to 'fmt' argument not having a type specifier, if used inside a structure.
|
| |
|
|
|
|
|
|
|
| |
All OSes we have now support shmem.
Support for Fuchia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
| |
|
|
|
|
|
|
|
| |
Netbsd syzbot instance crashes trying to squash a pointer.
Pointers must not be squashed. This happens because of
recursive ucontext_t type that contains a pointer to itself.
When we assign SquashableElem recursive struct types may not be fully
generated yet, and ForeachArgType won't observe all types.
Assign SquashableElem after all types are fully generated.
|
| |
|
|
|
| |
Fix checking of Logf, it has string in 0-th arg.
Add checking of t.Errorf/Fatalf.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes 3 issues:
1. We intended to squash only 'in' pointer elems,
but we looked at the pointer direction rather than elem direction.
Since pointers themselves are always 'in' we squashed a number of
types we didn't want to squash.
2. We can squash filenames, which can lead to generation of escaping filenames,
e.g. fuzzer managed to create "/" filename for blockdev_filename as:
mount(&(0x7f0000000000)=ANY=[@ANYBLOB='/'], ...)
Don't squash filenames.
3. We analyzed a concrete arg to see if it contains something
we don't want to squash (e.g. pointers). But the whole type
can still contain unsupported things in inactive union options,
or in 0-sized arrays. E.g. this happened in the mount case above.
Analyze the whole type to check for unsupported things.
This also moves most of the analysis to the compiler,
so mutation will be a bit faster.
This removes the following linux types from squashing.
1. These are not 'in':
btrfs_ioctl_search_args_v2
btrfs_ioctl_space_args
ethtool_cmd_u
fscrypt_add_key_arg
fscrypt_get_policy_ex_arg
fsverity_digest
hiddev_ioctl_string_arg
hidraw_report_descriptor
ifreq_dev_t[devnames, ptr[inout, ethtool_cmd_u]]
ifreq_dev_t[ipv4_tunnel_names, ptr[inout, ip_tunnel_parm]]
ifreq_dev_t["sit0", ptr[inout, ip_tunnel_prl]]
io_uring_probe
ip_tunnel_parm
ip_tunnel_prl
poll_cq_resp
query_port_cmd
query_qp_resp
resize_cq_resp
scsi_ioctl_probe_host_out_buffer
sctp_assoc_ids
sctp_authchunks
sctp_getaddrs
sctp_getaddrs_old
2. These contain pointers:
binder_objects
iovec[in, netlink_msg_route_sched]
iovec[in, netlink_msg_route_sched_retired]
msghdr_netlink[netlink_msg_route_sched]
msghdr_netlink[netlink_msg_route_sched_retired]
nvme_of_msg
3. These contain filenames:
binfmt_script
blockdev_filename
netlink_msg_route_sched
netlink_msg_route_sched_retired
selinux_create_req
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit ed571339c6ff ("pkg/compiler: support if[expr] attributes") added
support for conditional fields in structs and unions. Conditions however
cannot refer to flags, as in the following example:
struct {
f0 flags[some_flags, int32]
f1 int32 (if[value[f0] & FLAG1])
} [packed]
It will fail to compile with:
flags does not refer to an integer
This commit adds support for that syntax.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
If conditions of several union fields are satisfied, select one
randomly. This would be a more logical semantics.
When conditional struct fields are translated to unions, negate the
condition for the union alternative.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The expression may either include integers/consts or reference other
fields in the structure via value[field1:field2:field3].
The fields on this path must all belong to structures and must not have
any if conditions themselves.
For unions, mandate that the last field has no conditions (it will be
the default one).
For structs, convert conditional fields into fields of a union type of
the following form:
anonymous_union [
value T (if[expression])
void void
]
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Earlier only len[parent, T] was supported and meant the size of the
whole structure.
Logically, len[parent:b, T] should be equivalent to just len[b, T].
Let len[parent:parent:a, T] refer to the structure that encloses the
current one.
Support len fields inside unions.
|
| |
|
|
| |
Signed-off-by: cui fliter <imcusg@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new compiler test to check that the int and string
flags are correctly flattened. That is, they contain the expected values
after flattening.
Note that for string flags, the compiler adds null bytes at the end of
all strings it processes. We must therefore add the same to the expected
output string flags.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds the requirement that nested flags must be at the end of
the list of values. For example,
flags1 = 1, 2, 3, 4, flags2
flags2 cannot be moved to another position in the list. The goal is to
simplify parsing of the list by humans.
Enforcing that the nested flags be at the end (vs. the beginning) makes
things a bit easier for the parser. If we enforced that they should be
at the beginning, then the parser would need to look further forward to
determine if a flags definition is an integer flags or a string flags.
flags1 = flags2, flags3, flags4, 5, 6
In this example, the parser would need to look to the 4th value in the
list to tell that it's an integer flags.
Suggested-by: Aleksandr Nogikh <nogikh@google.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This commit adds support for flags definitions such as:
flags1 = "string1", "string2"
flags2 = flags1, "string3"
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This commit refactors recurFlattenFlags using Go generics and new
interfaces so that it also applies to a different set of flags types.
In a subsequent commit, we will use that to perform the same recursive
flattening for string flags.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
To detect those circular dependencies, we simply keep track of which
flags we already visited when flattening the flags definition.
Suggested-by: Aleksandr Nogikh <nogikh@google.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for flags definitions such as:
flags1 = VAL1, VAL2
flags2 = flags1, VAL3
This is achieved by flattening nested flag definitions as part of the
compilation. That is, nested flags are compiled into their fully
unreferenced/unnested form.
This flattening cannot be achieved in a single pass over the flags
because we don't have a guarantee that we will encounter the subflags
(ex. flags1 above) before their superflags (ex. flags2 above). Instead,
in a first pass, we need to build an indexing of flags that we can use
to flatten superflags in a second pass.
Thankfully, this indexing is already computed in the form of
comp.intFlags. Thus, we only need to implement the second pass, done
with function compiler.flattenFlags().
This second pass walks the flag definitions recursively in an attemp to
fully flatten them. It errors out if a flag definition has more than 5
levels of nested definitions.
Being able to error in that way requires a bit of care in how we flatten
the flags. Consider the following example where flags1 to flags5 have
less than 5 leves of nesting, whereas flags6 should cause an error.
flags6 = VAL6, flags5
flags5 = VAL5, flags6
...
flags1 = VAL1
If we were to flatten the flag definitions in place, then we might walk
into flags5 first and fully flatten it. As a result, when we would walk
into flags6, we would detect a single level of nesting and wouldn't
error out. To avoid that, we work on the original set of nested flags
and copy the flattened flags over only once we're done with all flags.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
| |
This commit adds error cases that weren't covered before. They were
identified by looking at the coverage numbers for pkg/compiler.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
structFieldAttrs is filled with empty attrDesc structs and is never
changed at runtime. structFieldAttrs[X].CheckConsts is therefore
always nil.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
Since both flags and consts can be used as type-options for integers, we
want to avoid ambiguity by preventing a flag and a const from having the
same name.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for the following syntax:
int8[constant]
as an equivalent to:
const[constant, int8]
The goal is to have a unified const/flags definition that we can use in
templates. For example:
type template[CLASS, ...] {
class int8:3[CLASS]
// ...
}
type singleClassType template[SINGLE_CONST]
type subClassType template[abc_class_flags]
In this example, the CLASS template field can be either a constant or a
flag. This is especially useful when defining both a generic instance of
the template as well as specialized instances (ex. bpf_alu_ops and
bpf_add_op).
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for the following syntax:
int_flags = 1, 5, 8, 9
int32[int_flags]
which is equivalent to:
int_flags = 1, 5, 8, 9
flags[int_flags, int32]
The second int type argument, align, is not allowed if the first
argument is a flag. The compiler will also error if the first argument
appears to be a flag (is ident and has no colon), but can't be found in
the map of flags.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
This commit does not have functional changes. It simply extracts the
flags type generation into its own function so we can reuse it from the
int type generation in a subsequent commit.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Type args can currently have only one type of kindInt, kindIdent,
kindString, or kindAny. The descriptions are checked against expected
type arg kinds, with kindAny meaning that anything is allowed (often
restricted with custom checks).
Concretely, it means that in a description as follows, arg1 and arg2
can each take a single kind of values.
type[arg1, arg2]
This is limiting if we want arg1 to be able to take both an int or
flags. We thus need type args to support having mixed kinds. This
commit achieves this by turning the kind constants into bit flags.
This will be useful in a subsequent commit, but we can also already use
it for one existing type arg, the first of string types:
string[literal_or_flags, size]
literal_or_flags changes from kindAny to kindIdent|kindString and we can
remove the custom check that used to enforce this.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
The problem mentioned in the previous commit is actually not only
ANY-specific, it's only by a happy coincidence that all our descriptions
already avoided such situations.
Enforce this rule at the compilation stage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We had a problem -- using inout ANYUNION leads to syzkaller generating
copyout instructions for fmt[X, resource] types.
Add a validation rule to detect this during tests.
Fix this by supporting (in) for union fields. Previously, all union
field direction attributes were banned as they were making things more
complicated.
The (in) attribute is definitely safe and allows for more flexibility.
|
| |
|
|
|
| |
1) Make FabricateSyscallConsts() operate on ConstFile.
2) Expose Pos inside ConstInfo.
|
| |
|
|
|
|
| |
The new method checks whether the value is defined for at least one of
the known arches.
Refactor ConstFile tests.
|
| |
|
|
|
|
|
|
|
| |
Prohibit arg direction from being DirIn if other calls use the resource
as input.
Fix one case where we used to violate it - during argument squashing.
Reported-by: John Miller <jm3228520@gmail.com>
|
| |
|
|
| |
This centralizes all strings.HasPrefix(callName, "syz_") checks.
|
