| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done to solve a particular test failure running:
$ tools/syz-env go test ./prog -run TestSpecialStructs
, which failed on PPC64, because prog/rand.go instanciated a call to
syz_kvm_setup_syzos_vm(), which requested too much memory (1024 pages)
from the allocator (PPC64 uses 64k pages, so the number of available pages
is lower).
On the other hand, factoring out syzos-related descriptions is probably
a nice thing to do anyway.
|
| |
|
|
|
|
|
| |
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- host can tamper with that memory, provoking more bugs
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syz_kvm_add_vcpu
The old syz_kvm_setup_cpu() API mixed together VM and VCPU setup, making it
harder to create and fuzz two VCPUs in the same VM.
Introduce two new pseudo-syscalls, syz_kvm_setup_syzos_vm() and syz_kvm_add_vcpu(),
that will simplify this task.
syz_kvm_setup_syzos_vm() takes a VM file descriptor, performs VM setup
(allocates guest memory and installs SYZOS code into it) and returns a
new kvm_syz_vm resource, which is in fact a pointer to `struct kvm_syz_vm`
encapsulating VM-specific data in the C code.
syz_kvm_add_vcpu() takes the VM ID denoted by kvm_syz_vm and creates a
new VCPU within that VM with a proper CPU number. It then stores the
fuzzer-supplied SYZOS API sequence into the corresponding part (indexed by
CPU number) of the VM memory slot, and sets up the CPU registers to interpret
that sequence.
The new pseudo-syscall let the fuzzer create independent CPUs that run different
code sequences without interfering with each other.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-irqfd for more details.
|
| |
|
|
|
| |
- use specific flags in kvm_msi and kvm_irq_routing_entry
- add KVM_IRQ_ROUTING_XEN_EVTCHN to kvm_irq_routing_entry_type
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-clock for more info.
|
| |
|
|
| |
KVM_IRQ_LINE_STATUS is declared as _IOWR(), so it should be able to return values.
|
| |
|
|
|
|
| |
Both kvm_device_attr_generic and kvm_device_attr_arm64 are passed to
ioctl$KVM_SET_DEVICE_ATTR and ioctl$KVM_GET_DEVICE_ATTR as read-only,
but the `addr` parameter should be marked as inout.
|
| |
|
|
|
|
| |
Despite it only reads data from the kernel, and CPU creation is anyway
handled by syz_kvm_setup_cpu(), adding this ioctl will increase coverage
and potentially trigger interactions with KVM_ARM_VCPU_INIT.
|
| |
|
|
|
|
| |
This ioctl is mentioned at
https://docs.kernel.org/virt/kvm/api.html#kvm-cap-dirty-log-ring-kvm-cap-dirty-log-ring-acq-rel,
but doesn't have its own doc entry.
|
| |
|
|
| |
This is an x86-only ioctl: https://docs.kernel.org/virt/kvm/api.html#kvm-get-xsave2
|
| |
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-set-memory-attributes,
this is an x86-only ioctl.
|
| |
|
|
|
|
| |
Certain ioctls accept CPU features as numbers in the range 0..6
(aka KVM_ARM_VCPU_POWER_OFF..KVM_ARM_VCPU_SVE), whereas other
ioctls accept them as a bit mask.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add the capabilities described in https://docs.kernel.org/virt/kvm/api.html,
but previously missing from the descriptions.
Most of these are VM capabilities for x86 and arm64, apart from KVM_CAP_SYNC_REGS,
which is a VCPU capability.
VM/VCPU attribution is poorly documented, so I referred to LXR to figure that out.
|
| |
|
|
|
|
| |
KVM provides a number of vendor-specific hypercall functions that are
hard to discover without explicitly listing their IDs in the descriptions
file.
|
| |
|
|
|
|
|
|
|
| |
According to
https://elixir.bootlin.com/linux/v6.10.9/source/include/uapi/linux/kvm.h,
the third member of `struct kvm_coalesced_mmio_zone` is a union of
`__u32 pad` and `__u32 pio`, where `pio` can be 0 or 1, depending on whether
the user wants to use KVM_MMIO_BUS or KVM_PIO_BUS (see also
https://elixir.bootlin.com/linux/v6.10.9/source/virt/kvm/coalesced_mmio.c#L137)
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-set-user-memory-region2
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-create-guest-memfd
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-pre-fault-memory
for details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-set-counter-offset
for more details.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-finalize for details
|
| |
|
|
|
| |
Add KVM_ARM_VCPU_PTRAUTH_ADDRESS, KVM_ARM_VCPU_PTRAUTH_GENERIC, KVM_ARM_VCPU_SVE
from https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-init
|
| | |
|
| |
|
|
|
| |
Add KVM_GUESTDBG_EXIT_PENDING (s390) and KVM_GUESTDBG_BLOCKIRQ (x86)
that were previously missing.
|
| |
|
|
| |
As per https://docs.kernel.org/virt/kvm/api.html#kvm-get-vcpu-events
|
| |
|
|
|
|
|
|
| |
The new API call will be used to write values to guest memory specified
by base+offset.
Writing to e.g. MMIO registers for VGIC (or any other MMIO ranges) may
result in new coverage.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-ioeventfd,
datam should be the optional expected data value written by
the guest (we keep it random for now), whereas addr is the MMIO address.
|
| |
|
|
| |
Do not specify the attribute input types for now.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/devices/vcpu.html,
VCPUs also have device attributes. Add descriptions for ioctls that
manipulate those attributes.
|
| |
|
|
|
|
|
|
| |
Implement basic IRQ controller setup for VMs with a single CPU.
SYZOS_API_IRQ_SETUP sets up the VGICv3 distributor/redistributor and
enables the specified number of SPIs starting from 32.
The default IRQ handler is set up to perform a uexit(-2).
|
| |
|
|
|
| |
The new pseudo-syscall sets up VGICv3 IRQ controller on the host.
That still requires guest setup code, which will be submitted separately.
|
| |
|
|
|
| |
Make the necessary changes to support HVC in addition to SMC.
These two may subtly differ, so they are handled separately.
|
| |
|
|
|
| |
As suggested by Dmitry, use a template to avoid duplication in various syzos types.
Also adjust the existing tests.
|
| |
|
|
|
|
|
|
| |
Provide an API call to invoke the ARM64 Secure Monitor Call instruction
with user-supplied function id and 5 parameters passed in registers x1-x5.
For now only `smc #0` is invoked, although in the future we may want to
pass other (reserved) immediate values to SMC.
|
| |
|
|
|
|
|
| |
In addition to device FDs, certain arches (s390 and ARM64) allow applying
device attributes to VM FDs (https://docs.kernel.org/virt/kvm/devices/vm.html)
Add descriptions for the corresponding ioctls on ARM64, including support
for setting SMCCC filters via struct kvm_smccc_filter.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
MSR is an ARM64 instruction that writes a value from a GP register to
one of the system CPU registers. Exposing those registers to a fuzzer will
let us trigger unexpected behavior in handling them on the kernel side.
The SYZOS_API_MSR call has two int64 arguments, register ID and value.
Register IDs are 64-bit values obtained from ARM64_SYS_REG() in the Linux asm/kvm.h
UAPI header. Same register IDs are used by ioctl$KVM_GET_ONE_REG and
ioctl$KVM_SET_ONE_REG.
Also add sys/linux/test/syz_kvm_setup_cpu_arm64-msr
|
| |
|
|
|
|
|
| |
Split the definition of kvm_one_reg into ARM-specific and non-ARM-specific
parts. For the ARM-specific ones, use the result of
go run tools/arm64/registers.go tools/arm64/msr_mrs.txt
as the new list of constants.
|
| |
|
|
|
| |
Instead of guessing the size of the mmap area for struct vcpu_run,
always obtain it from ioctl(KVM_GET_VCPU_MMAP_SIZE).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow guest payload to call syzos API functions. The available calls
are enumerated by SYZOS_API_* constants, and have a form of:
struct api_call {
uint64 call;
uint64 struct_size;
/* arbitrary call-related data here */
};
Complex instruction sequences are too easy to break, so most of the time
fuzzer won't be able to efficiently mutate them.
We replace kvm_text_arm64 with a sequence of `struct api_call`, making it
possible to intermix assembly instructions (SYZOS_API_CODE) with
higher-level constructs.
Right now the supported calls are:
- SYZOS_API_UEXIT - abort from KVM_RUN (1 argument: exit code, uint64)
- SYZOS_API_CODE - execute an ARM64 assembly blob
(1 argument: inline array of int32's)
|
| |
|
|
| |
Update the list of device type flags to match that of Linux 6.9
|
| |
|
|
|
|
|
|
|
| |
Make the following changes for extraction to succeed:
- drop the KVM API constants for features removed in 6.9;
- hardcode the three TUNNEL_*_OPT constants that cannot be extracted due to a header change;
- hardcode the HCI_OP_* constants removed in 99fca36c8b412 ("Bluetooth: HCI: Remove HCI_AMP support");
- hardcode the L2CAP_* constants removed in e7b02296fb40 ("Bluetooth: Remove BT_HS");
- hardcode LANDLOCK_ACCESS_FS_IOCTL_DEV until it hits upstream.
|
| |
|
|
|
| |
Split out deprecated descriptions from socket_netlink_route_sched.txt.
Adjust outdated descriptions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a bunch of hacks in syz-extract, syz-sysgen and syz-check
with respect to description files unsupported on some arches,
or that must not be part of make extract.
Add 2 meta attribtues to files:
meta noextract
Tells `make extract` to not extract constants for this file.
Though, `syz-extract` can still be invoked manually on this file.
meta arches["arch1", "arch2"]
Restricts this file only to the given set of architectures.
`make extract` and ``make generate` will not use it on other architectures.
Later we can potentially use meta attributes to specify git tree/commit
that must be used for extraction. Maybe something else.
Fixes #2754
|
| |
|
|
| |
Update #590
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller
fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
|
