path: root/pkg/ifuzz
Commit message [Author, Date, Files changed, Lines -/+]
* all: remove unused nolint directives [Dmitry Vyukov, 2026-01-02, 1 file, -1/+1]
* all: use any instead of interface{} [Dmitry Vyukov, 2025-12-22, 1 file, -1/+1]
  any is now preferred over interface{} in Go.
* all: apply linter auto fixes [Taras Madan, 2025-07-17, 3 files, -22/+31]
  ./tools/syz-env bin/golangci-lint run ./... --fix
* pkg/ifuzz: fix generate/build [Dmitry Vyukov, 2025-04-03, 4 files, -10/+22]
  Currently the commands we have in go:generate first create an empty file and then write the final contents. This breaks any parallel builds of the source. Even running go generate ./... does not work. Write output files atomically.
* pkg/ifuzz/x86: fix code generator [Dmitry Vyukov, 2025-04-02, 2 files, -10/+10]
  The generator does not run and generates broken code. It looks like the generated file was edited manually. Fix that.
* all: fix recvcheck errors [Taras Madan, 2025-02-07, 1 file, -4/+4]
* pkg/ifuzz: another x86 regression test [Alexander Potapenko, 2024-04-30, 1 file, -5/+11]
  Add a different decoding failure that occurred with iset.ModeProt16. This one is also fixed by https://github.com/google/syzkaller/pull/4733.
* pkg/ifuzz: fix instruction decoding on x86 [Alexander Potapenko, 2024-04-30, 1 file, -0/+4]
  Decode() was only checking full opcode byte(s), whereas certain instructions are encoded in a way that some bits of the opcode are stored in the ModR/M byte. In particular, e.g. there is a variation of MUL encoded as: F7 /4 (which means the opcode byte is F7, and MODRM.reg is 4), and a variation of TEST encoded as: F7 /0 (opcode byte is also F7, and MODRM.reg is 0), which were previously indistinguishable (the decoder would incorrectly treat the MUL instruction as a TEST instruction if there were at least four extra bytes following it).
  Make sure to calculate and check the MODRM.reg value if insn.Reg is set to a non-negative value.
* pkg/ifuzz: add a regression test for x86 decoding [Alexander Potapenko, 2024-04-30, 1 file, -0/+35]
  For the following fix to x86 instruction decoding, add a regression test reported by syzbot.
* pkg/ifuzz: use "% x" to print the instruction sequence that causes an error [Alexander Potapenko, 2024-04-30, 1 file, -1/+1]
  It is just more readable than %v.
* all: go fix everything [Dmitry Vyukov, 2024-04-26, 3 files, -3/+0]
* pkg/ifuzz/arm64: explicitly use uint32 for immediates [Alexander Potapenko, 2024-04-26, 1 file, -11/+12]
  This should fix compile-time errors with GOARCH=386.
* pkg/ifuzz/arm64: add arm64 support [Alexander Potapenko, 2024-04-24, 14 files, -1/+8766]
  This patch adds an instruction generator for ARM64 based on the descriptions provided as part of Go's arm64asm package. It also implements support for pseudo-instructions for calling ARM64 hypercalls.
* pkg/ifuzz: test Generate() [Alexander Potapenko, 2024-04-17, 1 file, -0/+36]
  Make sure random text generation works as a whole, not just for single instructions.
* all: use errors.As instead of .(type) [Taras Madan, 2023-07-24, 1 file, -5/+8]
* all: use special placeholder for errors [Taras Madan, 2023-07-24, 1 file, -4/+4]
* pkg/testutil: add RandSource helper [Dmitry Vyukov, 2022-11-23, 1 file, -8/+2]
  The code to send rand source is duplicated in several packages. Move it to the testutil package.
* pkg/ifuzz/powerpc: update cntlzw instruction [Alexey Kardashevskiy, 2022-05-18, 2 files, -2/+2]
  The source PowerISA latex files have been updated:
  - changed files layout;
  - "cntlzw." got corrected.
  The fixed ones are not used by syzkaller in macros, so there should be no huge change in behaviour, if any.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: update few broken instructions [Alexey Kardashevskiy, 2022-01-20, 2 files, -204/+193]
  The source PowerISA latex files have been updated, so refresh the instruction list. The fixed ones are not used by syzkaller in macros, so there should be no huge change in behaviour, if any.
  While at this, simplify and comment the conversion script and fix handling of privileged instructions; apparently a debug version of the conversion script made it to the git repo.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: add prefixed instructions [Alexey Kardashevskiy, 2021-11-12, 3 files, -2/+175]
  The PowerISA 3.1 architecture (POWER10 CPU) added a new "prefixed" instruction format, so from now on instructions are either 4 or 8 bytes long. This adds those new prefixed instructions to the fuzzer.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: correct instructions [Alexey Kardashevskiy, 2021-11-12, 3 files, -144/+589]
  The existing instruction list is generated by a script which parsed the output of pdftotext, which produced a less than perfect result. There is an ongoing effort to have the instruction set specification in a machine readable format (latex), which this uses to fix errors.
  As the new spec is the newer PowerISA 3.1 (POWER10), which removed transactional memory instructions and added some new instructions, this change is reflected here.
  This fixes randomization of paired parameters (pair of registers for quadword instructions) to not generate odd (==incorrect) numbers.
  This includes the new conversion script.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: refactor for adding prefixed instructions [Alexey Kardashevskiy, 2021-11-12, 1 file, -4/+16]
  This adds xxxOpcode helpers which produce valid opcodes for Encode() (external ifuzz API) and enc() (pseudo instruction fuzzer) from passed opcode/mask/bits. This is going to be needed for prefixes in prefixed instructions (the following patch adds such support).
  This should not cause behavioral change.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: convert maps to slices [Alexey Kardashevskiy, 2021-11-12, 3 files, -1182/+1188]
  Instruction descriptions use maps to describe instruction operands, which works fine, but due to Go's unordered map implementation the determinism test fails as per https://github.com/google/syzkaller/issues/2790
  Since there is no appalling reason why it should be a map, this converts maps to slices. As this changes every single instruction, use the opportunity and sort the instructions by mnemonic to make further updates easier to follow.
  Neither change should cause any change in behavior.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: ditch M64 [Alexey Kardashevskiy, 2021-11-12, 3 files, -8/+2]
  There are only 2 instructions, tlbie and tlbiel (TLB invalidation), which are marked 64bit only, and there is no obvious reason why they would not work in the 32bit mode; they seem to work, but even if they did not, making a special case just for these two is overkill.
  This ditches the M64 flag.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: fix instructions [Alexey Kardashevskiy, 2021-09-16, 3 files, -1202/+1273]
  The PowerISA pdf parser made several wrong assumptions about the format ("copy"/"paste."/...) and missed that some fields are split and have reverse order ("rldicr" and similar). Another problem was with parsing the 2 column page layout.
  This makes the powerpc.Insn.Fields value type from a tuple to an array of tuples and fixes encodeBits() accordingly.
  This fixes powerisa30_to_syz to store all the bits and split "MB"/"ME" in 2 halves sorted in the way encodeBits() loops.
  This should not change the coverage dramatically, but this improves pseudo instructions as "rldicr" is used to preload registers, although no huge difference is expected there either, as the problem was with the top 32bits and hypercall/rtastoken numbers are 16bit anyway.
  While at this, this fixes powerisa30_to_syz to make "make generate" not change insns.go.
  This also drops comments from the generated file as they are proven to be useless and just increase lengths of already long lines (vim hates it).
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: fuzz instruction bits which are not opcodes [Alexey Kardashevskiy, 2021-09-16, 1 file, -1/+6]
  The instructions are made of opcode (split in 1..3 groups of fields) and parameters (immediate values, register numbers, flags). The insns.go is expected to have all the bits covered, but some bits might be missing, which this randomizes.
  This adds preloading of "RS" for better fuzzing of "mtmsr(d)" instructions ("Move To Machine State Register (Doubleword)").
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: fuzz the machine state register (MSR) [Alexey Kardashevskiy, 2021-09-16, 1 file, -0/+27]
  MSR is an SPR (Special Purpose Register) which controls endianness, 32/64 bits, privilege state and other CPU state bits. Some bits can be changed by the "mtmsr" instruction ("Move To MSR"), but for the privilege bits "rfid" ("Return From Interrupt Doubleword") needs to be used, and the SRR0/SRR1 SPRs need to be preloaded with the desired mode and an address to jump to.
  This adds an "rfid" pseudo instruction.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* executor/common_kvm_ppc64: fuzz more hypercalls [Alexey Kardashevskiy, 2021-09-16, 1 file, -1/+12]
  At the moment syzkaller only fuzzes the platform architecture defined hypercalls. However, there are custom defined hypercalls which KVM handles; they make 2 groups: an extension of hypercalls, and so-called ultracalls which are handled by the secure VM firmware, but in the absence of the secure VM facility KVM gets to handle those as errors.
  This enables the two extra groups of hypercalls in KVM. If not enabled, KVM exits to let the userspace handle them (which syzkaller does not do).
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: add some RTAS fuzzing [Alexey Kardashevskiy, 2021-07-19, 2 files, -2/+57]
  RunTime Abstraction Services (RTAS) is an API used by the Linux powerpc/pseries platform to talk to the hypervisor. Under KVM, this is implemented as a custom hypercall (which we have support for) and an in memory array of parameters. The hypercall is H_RTAS and its only parameter is a pointer to the mentioned array. The vast majority of RTAS calls are handled normally by QEMU and only a handful by KVM.
  This adds fuzzing of 4 RTAS calls. This uses a chunk from the main 256MB RAM for parameters. The parameters are big endian, hence "<<24" for the token.
  To allow more targeted fuzzing, use iset.GenerateInt().
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: add helper for system call ("sc") instruction [Alexey Kardashevskiy, 2021-07-19, 2 files, -4/+14]
  In order to keep all macro instruction helpers together, this moves the "sc" helper to the instruction set next to ld64().
  This should not cause any behavioral change.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: preload registers with interesting numbers [Alexey Kardashevskiy, 2021-07-19, 2 files, -55/+69]
  GenerateInt() generates sort of random numbers for the instruction fuzzer with a focus on corner cases; let's use it for POWERPC too.
  Since we want memory access instructions to try these addresses, we preload generated values in the GPRs used by the just generated instruction. This in turn requires Insn::Encode() access to the instruction map to encode load instructions, so this moves ld64() from the generator to insnSetMap and adds Insn::insnMap.
  This adds enc() to encode just the instruction without any randomization.
  This does not add additional instructions if cfg.MemRegions is empty, so the ifuzz_test.go test still passes.
  Since EncodeParam() is not used by anything but Encode(), this open codes it.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/powerpc: add struct insnSetMap [Alexey Kardashevskiy, 2021-07-19, 2 files, -2/+4]
  This is used in a few places already and more are coming; make it a struct for better readability.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz/iset: make generateInt() available for all arches [Alexey Kardashevskiy, 2021-07-19, 3 files, -57/+57]
  The helper generates random int values including addresses from interesting memory regions. This seems useful for all arches; share it.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg: update generated files to go 1.17 [Alexey Kardashevskiy, 2021-07-07, 3 files, -0/+3]
  "make generate" produces this diff when go 1.17 (go1.17-c95464f0ea3f==upstream) is used. Seems compatible with >=1.16.
  https://github.com/golang/go/commit/4d2d89ff42ca documents the syntax.
  https://github.com/golang/go/commit/eeadce2d8713 enforces "ignore" for unsatisfiable tags, hence the pkg/csource/gen.go change.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* all: use tool.Failf instead of local functions [Dmitry Vyukov, 2020-12-25, 1 file, -8/+4]
* pkg/ifuzz/iset: make Mode and Type unsigned [Dmitry Vyukov, 2020-11-21, 1 file, -3/+3]
  Presumably with older Go versions we are getting:
  pkg/ifuzz/x86/decode.go:100:19: invalid operation: 1 << mode (shift count type int, must be unsigned integer)
  Fix that and maybe some future similar errors by making these types unsigned.
* pkg/ifuzz/iset: rename ifuzzimpl to iset [Dmitry Vyukov, 2020-11-21, 10 files, -126/+127]
  ifuzzimpl is too lengthy and too clumsy for my taste (nm/vmimpl worked better b/c it's shorter and used less). I've tried to come up with something shorter and nicer. We could use "insn" as a common name for "instruction" in ifuzz, but it's a commonly used name already, so it would cause lots of conflicts. "iset" is somewhat descriptive, short and nice.
* pkg/ifuzz/ifuzzimpl: move IsCompatible from x86 [Dmitry Vyukov, 2020-11-21, 3 files, -17/+18]
  We now can implement IsCompatible portably.
* pkg/ifuzz/x86: deduplicate modeInsns population logic [Dmitry Vyukov, 2020-11-21, 4 files, -52/+37]
  It's currently duplicated in x86 and powerpc. Move to ifuzzimpl.
* pkg/ifuzz/x86: simplify pseudo-instruction initialization [Dmitry Vyukov, 2020-11-21, 2 files, -32/+30]
* pkg/ifuzz/x86: don't use X86 suffix for types [Dmitry Vyukov, 2020-11-21, 5 files, -13/+13]
  x86.InsnSetX86 is excessive. Everything in the x86 package is x86-ish already.
* pkg/ifuzz/ifuzzimpl: simplify Insn interface [Dmitry Vyukov, 2020-11-21, 5 files, -57/+18]
  We don't need GetMode, GetPriv, IsCompatible in the Insn interface. Replace GetName and GetPseudo with a single Info method.
* pkg/ifuzz/ifuzzimpl: move ModeInsns into tests [Dmitry Vyukov, 2020-11-21, 2 files, -26/+15]
  ModeInsns is only used in tests. Move it there.
* pkg/ifuzz: invert ifuzz and ifuzzimpl [Dmitry Vyukov, 2020-11-21, 10 files, -313/+321]
  ifuzzimpl imports the public interface package ifuzz, and the prog package needs to import ifuzzimpl (implementation guts that nobody outside of ifuzz should care about). This is not right. Invert everything so that the prog package only needs to import ifuzz, and ifuzz imports ifuzzimpl.
* pkg/ifuzz: use sub-tests for arches [Dmitry Vyukov, 2020-11-21, 1 file, -10/+18]
  Testing different arches is a good use for sub-tests.
* pkg/ifuzz/powerpc: add powerpc support [Alexey Kardashevskiy, 2020-11-20, 7 files, -1/+1821]
  This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds a placeholder for options (none implemented yet).
  This adds an instruction generator for ifuzz; this also adds a few pseudo instructions to simulate super/hyper/ultracalls (a PPC64/pseries platform thing).
  The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by a horrendous python3 script on top of pdftotext. The ISA covers POWER9, which is the latest available POWER CPU at the moment. The next ISA for POWER10 is quite different and we will deal with it later.
  The // comment after every instruction is a fixed opcode list for verification purposes.
  This does not define DecodeExt as there is no obvious replacement of the Intel XED library for POWERPC (gapstone-capstone, later, may be).
  [1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz: reorganize files to allow other architectures [Alexey Kardashevskiy, 2020-11-20, 12 files, -382/+508]
  At the moment ifuzz only generates x86 instructions. In order to support instruction fuzzing for others (ARM, POWERPC), some separation of the common and arch layers is needed.
  This adds 2 packages:
  1. "x86", where the x86 instruction generator goes;
  2. "ifuzzimpl", which contains some common code.
  The goal was to keep changes to rand.go to the minimum. The next patch will use this when adding PPC64.
  This should cause no behavioural change.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* all: mark auto-generated files [Dmitry Vyukov, 2020-07-29, 2 files, -2/+2]
  Use the standard Go convention for Go files: https://golang.org/pkg/cmd/go/internal/generate
  Use github linguist for other files: https://github.com/github/linguist#generated-code
  Both are understood by github and should result in these files being collapsed in PRs by default.
* all: fix comments format [Dmitry Vyukov, 2020-07-12, 3 files, -16/+16]
  Fix capitalization, dots at the end and two spaces after a period.
  Update #1876
* all: fix dup types in func args [Dmitry Vyukov, 2020-07-04, 1 file, -1/+1]