| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
This ioctl accepts an arch-specific struct as an argument, so better split it
into several arch-specific ioctls.
To avoid compilation errors on exotic arches like MIPS, this patch also adds
sys/linux/dev_kvm_extra.txt that takes care of them.
While at it, also define KVM_GUESTDBG_USE_HW.
|
| |
|
|
|
| |
This is mostly for the sake of completeness, other KVM ioctls do not
interact with the created FD anyway.
|
| |
|
|
|
|
|
|
| |
For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt
lists their parameters as "in/out".
Change their descriptions to reflect that.
Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID
|
| |
|
|
| |
This should increase SEV coverage on AMD, also reach some dusty corners on ARM.
|
| |
|
|
|
|
| |
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
|
| |
|
|
|
|
| |
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
|
| |
|
|
| |
Remove constants that are already covered by arm64_bitmap and arm64_fw in kvm_one_reg.
|
| |
|
|
|
|
| |
Declare register classes for Bitmap, FW, SVE registers.
Also move generation of CCSIDR, FP and core registers from registers.go
to the text description.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done to solve a particular test failure running:
$ tools/syz-env go test ./prog -run TestSpecialStructs
, which failed on PPC64, because prog/rand.go instanciated a call to
syz_kvm_setup_syzos_vm(), which requested too much memory (1024 pages)
from the allocator (PPC64 uses 64k pages, so the number of available pages
is lower).
On the other hand, factoring out syzos-related descriptions is probably
a nice thing to do anyway.
|
| |
|
|
|
|
|
| |
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- host can tamper with that memory, provoking more bugs
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syz_kvm_add_vcpu
The old syz_kvm_setup_cpu() API mixed together VM and VCPU setup, making it
harder to create and fuzz two VCPUs in the same VM.
Introduce two new pseudo-syscalls, syz_kvm_setup_syzos_vm() and syz_kvm_add_vcpu(),
that will simplify this task.
syz_kvm_setup_syzos_vm() takes a VM file descriptor, performs VM setup
(allocates guest memory and installs SYZOS code into it) and returns a
new kvm_syz_vm resource, which is in fact a pointer to `struct kvm_syz_vm`
encapsulating VM-specific data in the C code.
syz_kvm_add_vcpu() takes the VM ID denoted by kvm_syz_vm and creates a
new VCPU within that VM with a proper CPU number. It then stores the
fuzzer-supplied SYZOS API sequence into the corresponding part (indexed by
CPU number) of the VM memory slot, and sets up the CPU registers to interpret
that sequence.
The new pseudo-syscall let the fuzzer create independent CPUs that run different
code sequences without interfering with each other.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-irqfd for more details.
|
| |
|
|
|
| |
- use specific flags in kvm_msi and kvm_irq_routing_entry
- add KVM_IRQ_ROUTING_XEN_EVTCHN to kvm_irq_routing_entry_type
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-clock for more info.
|
| |
|
|
| |
KVM_IRQ_LINE_STATUS is declared as _IOWR(), so it should be able to return values.
|
| |
|
|
|
|
| |
Both kvm_device_attr_generic and kvm_device_attr_arm64 are passed to
ioctl$KVM_SET_DEVICE_ATTR and ioctl$KVM_GET_DEVICE_ATTR as read-only,
but the `addr` parameter should be marked as inout.
|
| |
|
|
|
|
| |
Despite it only reads data from the kernel, and CPU creation is anyway
handled by syz_kvm_setup_cpu(), adding this ioctl will increase coverage
and potentially trigger interactions with KVM_ARM_VCPU_INIT.
|
| |
|
|
|
|
| |
This ioctl is mentioned at
https://docs.kernel.org/virt/kvm/api.html#kvm-cap-dirty-log-ring-kvm-cap-dirty-log-ring-acq-rel,
but doesn't have its own doc entry.
|
| |
|
|
| |
This is an x86-only ioctl: https://docs.kernel.org/virt/kvm/api.html#kvm-get-xsave2
|
| |
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-set-memory-attributes,
this is an x86-only ioctl.
|
| |
|
|
|
|
| |
Certain ioctls accept CPU features as numbers in the range 0..6
(aka KVM_ARM_VCPU_POWER_OFF..KVM_ARM_VCPU_SVE), whereas other
ioctls accept them as a bit mask.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add the capabilities described in https://docs.kernel.org/virt/kvm/api.html,
but previously missing from the descriptions.
Most of these are VM capabilities for x86 and arm64, apart from KVM_CAP_SYNC_REGS,
which is a VCPU capability.
VM/VCPU attribution is poorly documented, so I referred to LXR to figure that out.
|
| |
|
|
|
|
| |
KVM provides a number of vendor-specific hypercall functions that are
hard to discover without explicitly listing their IDs in the descriptions
file.
|
| |
|
|
|
|
|
|
|
| |
According to
https://elixir.bootlin.com/linux/v6.10.9/source/include/uapi/linux/kvm.h,
the third member of `struct kvm_coalesced_mmio_zone` is a union of
`__u32 pad` and `__u32 pio`, where `pio` can be 0 or 1, depending on whether
the user wants to use KVM_MMIO_BUS or KVM_PIO_BUS (see also
https://elixir.bootlin.com/linux/v6.10.9/source/virt/kvm/coalesced_mmio.c#L137)
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-set-user-memory-region2
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-create-guest-memfd
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-pre-fault-memory
for details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-set-counter-offset
for more details.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-finalize for details
|
| |
|
|
|
| |
Add KVM_ARM_VCPU_PTRAUTH_ADDRESS, KVM_ARM_VCPU_PTRAUTH_GENERIC, KVM_ARM_VCPU_SVE
from https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-init
|
| | |
|
| |
|
|
|
| |
Add KVM_GUESTDBG_EXIT_PENDING (s390) and KVM_GUESTDBG_BLOCKIRQ (x86)
that were previously missing.
|
| |
|
|
| |
As per https://docs.kernel.org/virt/kvm/api.html#kvm-get-vcpu-events
|
| |
|
|
|
|
|
|
| |
The new API call will be used to write values to guest memory specified
by base+offset.
Writing to e.g. MMIO registers for VGIC (or any other MMIO ranges) may
result in new coverage.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-ioeventfd,
datam should be the optional expected data value written by
the guest (we keep it random for now), whereas addr is the MMIO address.
|
| |
|
|
| |
Do not specify the attribute input types for now.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/devices/vcpu.html,
VCPUs also have device attributes. Add descriptions for ioctls that
manipulate those attributes.
|
| |
|
|
|
|
|
|
| |
Implement basic IRQ controller setup for VMs with a single CPU.
SYZOS_API_IRQ_SETUP sets up the VGICv3 distributor/redistributor and
enables the specified number of SPIs starting from 32.
The default IRQ handler is set up to perform a uexit(-2).
|
| |
|
|
|
| |
The new pseudo-syscall sets up VGICv3 IRQ controller on the host.
That still requires guest setup code, which will be submitted separately.
|
| |
|
|
|
| |
Make the necessary changes to support HVC in addition to SMC.
These two may subtly differ, so they are handled separately.
|
| |
|
|
|
| |
As suggested by Dmitry, use a template to avoid duplication in various syzos types.
Also adjust the existing tests.
|
| |
|
|
|
|
|
|
| |
Provide an API call to invoke the ARM64 Secure Monitor Call instruction
with user-supplied function id and 5 parameters passed in registers x1-x5.
For now only `smc #0` is invoked, although in the future we may want to
pass other (reserved) immediate values to SMC.
|
| |
|
|
|
|
|
| |
In addition to device FDs, certain arches (s390 and ARM64) allow applying
device attributes to VM FDs (https://docs.kernel.org/virt/kvm/devices/vm.html)
Add descriptions for the corresponding ioctls on ARM64, including support
for setting SMCCC filters via struct kvm_smccc_filter.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
MSR is an ARM64 instruction that writes a value from a GP register to
one of the system CPU registers. Exposing those registers to a fuzzer will
let us trigger unexpected behavior in handling them on the kernel side.
The SYZOS_API_MSR call has two int64 arguments, register ID and value.
Register IDs are 64-bit values obtained from ARM64_SYS_REG() in the Linux asm/kvm.h
UAPI header. Same register IDs are used by ioctl$KVM_GET_ONE_REG and
ioctl$KVM_SET_ONE_REG.
Also add sys/linux/test/syz_kvm_setup_cpu_arm64-msr
|
| |
|
|
|
|
|
| |
Split the definition of kvm_one_reg into ARM-specific and non-ARM-specific
parts. For the ARM-specific ones, use the result of
go run tools/arm64/registers.go tools/arm64/msr_mrs.txt
as the new list of constants.
|
