| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Add open callback if there are no other unique callbacks.
This happens for e.g. seq files which only have unique open,
while read is a common seq_read callback.
|
| |
|
|
|
|
| |
Use resolved Function references instead of string names for fileops
callback resolution. Function names are not unique, a number of callbacks
have the same names.
|
| |
|
|
|
|
| |
Currently we misparse some function references, e.g. for:
.write = (foo) ? bar : baz,
we extract "foo". Extract first function reference from such expressions.
|
| |
|
|
|
| |
Some ioctls are declared inconsistently using enums rather than macros.
Extract these as well.
|
| |
|
|
|
|
| |
Add coverage percent for kernel interfaces.
The current data is generated with Mar coverage report
on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
|
| |
|
|
|
|
| |
Export each syscall variant (e.g. fcnt$*) as a separate interface.
Effectively these are separate syscalls. We will want this for
ioctl as well (it's not 1 interface).
|
| |
|
|
|
|
| |
Use scope-based dataflow analysis for syscall variants (including ioctls).
As the result we only consider code that relates to a partiuclar command/ioctl,
and can infer arguments/return types for each command/ioctl independently.
|
| |
|
|
| |
Update auto.txt and consts on v6.15-rc1.
|
| |
|
|
|
|
|
|
| |
Use function scope information extracted in the previous commit
to infer multiplexed syscalls (fcntl, prctl, ...) and infer
their arguments.
Descriptions generated on Linux commit c4b9570cfb63501.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extract info about function scopes formed by switch'es on function arguments.
For example if we have:
void foo(..., int cmd, ...)
{
...
switch (cmd) {
case FOO:
... block 1 ...
case BAR:
... block 2 ...
}
...
}
We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows to do 3 things:
1. Locate ioctl commands that are switched on within transitively
called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow to infer other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
|
| |
|
|
|
|
|
|
|
|
| |
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As the result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
|
| |
|
|
|
|
| |
Use data flow analysis to infer syscall argument, return value,
and struct field types.
See the comment in pkg/declextract/typing.go for more details.
|
| |
|
|
|
|
| |
We use auto_todo type as an element of array for void*.
array[int8] is lowered to the buffer type, which is much
better handled by the fuzzer engine + closer resembles real blobs.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Emit descriptions for special files in /dev, /sys, /proc, and ./.
pkg/declextract combines file_operations info produced by the clang tool
with the dynamic probing info produced by pkg/ifaceprobe in order
to produce complete descriptions for special files.
|
| |
|
|
| |
Emit families w/o policy, emit duplicate commands.
|
| | |
|
| |
|
|
|
|
|
| |
Emit all information related to a single netlink family close to each other.
Previously we emitted them scattered and grouped by info type.
That was both inconvinient to emit and inconvinient to read.
NFC.
|
| |
|
|
|
|
| |
Currently we append "$auto", or "$auto_record", or prepend "auto_",
or insert "auto" somewhere in the middle.
Use more consistent naming: always append "$auto".
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syz-declextract accumulated a bunch of code health problems
so that now it's hard to change/extend it, lots of new features
can only be added in in hacky ways and cause lots of code duplication.
It's also completly untested. Rewrite the tool to:
- move as much code as possible to Go (working with the clang tool
is painful for a number of reasons)
- allow testing and add unit tests (first layer of tests test
what information is produced by the clang tool, second layer
of tests test how that information is transformed to descriptions)
- allow extending the clang tool output to export arbitrary info
in non-hacky way (now it produces arbitrary JSON instead of a mix
of incomplete descriptions and interfaces)
- remove code duplication in the clang tool and provide common
infrastructure to add new analysis w/o causing more duplication
- provide more convinient primitives in the clang tool
- improve code style consistency and stick to the LLVM code style
(in particular, variable names must start with a capital letter,
single-statement blocks are not surrounded with {})
- remove intermixing of code that works on different levels
(currently we have AST analysis + busness logic + printfs
all intermixed with each other)
- provide several helper Go packages for better code structuring
(e.g. pkg/clangtool just runs the tool on source files in parallel
and returns results, this already separates a bunch of low-level
logic from the rest of the code under a simple abstraction)
I've tried to make the output match the current output as much as possible
so that the diff is managable (in some cases at the cost of code quality,
this should be fixed in future commits). There are still some differences,
but hopefully they are managable for review (more includes/defines,
reordered some netlink attributes).
Fixed minor bugs are fixed along the way, but mostly NFC:
1. Some unions were incorrectly emitted as [varlen]
(C unions are never varlen).
2. Only a of [packed], [align[N]] attributes was emitted
for struct (both couldn't be emitted).
|
| |
|
|
|
|
| |
Mark the whole file with "meta automatic" instead of marking each syscall.
This reduces size of descriptions + allows to do special things
with the whole file (e.g. we already treat auto consts specially).
|
| |
|
|
| |
They can clash with our manual flags names.
|
| |
|
|
|
|
|
| |
Update to upstream commit 228a1157fb9f.
VFIO_TYPE1_NESTING_IOMMU const was removed in 35890f85573c.
Remove it from descriptions.
|
| | |
|
| |
|
|
| |
These are not accepted as inputs (NLA_REJECT is usually used in dump operation).
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Currently syscall selection is non-deterministic and we frequently
choose wrond ones. This leads to flaky argument names/types,
and wrong argument types (e.g. int16 instead of uid,
old_utimbuf32 instead of utimbuf, etc).
Make syscall selection robust and correct.
|
| |
|
|
| |
Combine all fixed header parts in a single raw string literal.
|
| |
|
|
| |
Regenerate descriptions on kernel commit 715ca9dd687f89ddaac8ec8ccb3b5e5a30311a99.
|
| |
|
|
| |
syz-declextract
|
| | |
|
| | |
|
| |
|
|
| |
Added the result of running syz-declextract. Added auto-manual.txt containing necessary manually written descriptions.
|
| |
|
|
| |
default config of the Linux kernel
|
|
|
and filter syscalls based on architectures
Start generating descriptions directly in syz-declextract. Automatically generated descriptions are marked with "auto"
attribute and parameter names are changed if they use a reserved keyword. By default, all parameters are of type intptr;
This is intended to change later. "run" now produces deterministic output and filters system calls to only allow ones
supported by syzkaller supported architectures, and renames any system calls that need to be renamed.
|
