| Commit message (Collapse) | Author | Age | Files | Lines |
This patch implements syz_kvm_setup_cpu for riscv64 architecture.
The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code
as parameters. Additional parameters (ntext, flags, opts, nopt) are
included for interface consistency with other architectures but are
currently unused on riscv64.
Implementation:
- Set up guest memory via KVM_SET_USER_MEMORY_REGION
- Copy guest code to guest memory
- Initialize guest registers to enable code execution in S-mode
- Return 0 on success, -1 on failure
Testing:
A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/
to verify basic functionality.
Known limitations:
- ifuzz is not yet compatible with riscv64. Temporary workaround: set
text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig
for riscv64 to ensure generateText and mutateText work correctly.
This patch also adds support for KVM_GET_ONE_REG ioctl.
For the following KVM ioctls:
- KVM_SET_GSI_ROUTING
- KVM_SET_SIGNAL_MASK
- KVM_SET_MSRS
- KVM_SET_CPUID
- KVM_SET_CPUID2
syzkaller is generating squashed blobs, which are less likely to provoke
any interesting behaviors.
Apply the no_squash attribute to these ioctls to get a better understanding
of these ioctls' inputs.
This ioctl accepts an arch-specific struct as an argument, so it is better to split it
into several arch-specific ioctls.
To avoid compilation errors on exotic arches like MIPS, this patch also adds
sys/linux/dev_kvm_extra.txt that takes care of them.
While at it, also define KVM_GUESTDBG_USE_HW.
This is mostly for the sake of completeness; other KVM ioctls do not
interact with the created FD anyway.
For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt
lists their parameters as "in/out".
Change their descriptions to reflect that.
Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID.
This should increase SEV coverage on AMD, also reach some dusty corners on ARM.
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
Remove constants that are already covered by arm64_bitmap and arm64_fw in kvm_one_reg.
Declare register classes for Bitmap, FW, SVE registers.
Also move generation of CCSIDR, FP and core registers from registers.go
to the text description.
This is done to solve a particular test failure running:
$ tools/syz-env go test ./prog -run TestSpecialStructs
which failed on PPC64, because prog/rand.go instantiated a call to
syz_kvm_setup_syzos_vm(), which requested too much memory (1024 pages)
from the allocator (PPC64 uses 64k pages, so the number of available pages
is lower).
On the other hand, factoring out syzos-related descriptions is probably
a nice thing to do anyway.
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- host can tamper with that memory, provoking more bugs
In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.
syz_kvm_add_vcpu
The old syz_kvm_setup_cpu() API mixed together VM and VCPU setup, making it
harder to create and fuzz two VCPUs in the same VM.
Introduce two new pseudo-syscalls, syz_kvm_setup_syzos_vm() and syz_kvm_add_vcpu(),
that will simplify this task.
syz_kvm_setup_syzos_vm() takes a VM file descriptor, performs VM setup
(allocates guest memory and installs SYZOS code into it) and returns a
new kvm_syz_vm resource, which is in fact a pointer to `struct kvm_syz_vm`
encapsulating VM-specific data in the C code.
syz_kvm_add_vcpu() takes the VM ID denoted by kvm_syz_vm and creates a
new VCPU within that VM with a proper CPU number. It then stores the
fuzzer-supplied SYZOS API sequence into the corresponding part (indexed by
CPU number) of the VM memory slot, and sets up the CPU registers to interpret
that sequence.
The new pseudo-syscalls let the fuzzer create independent CPUs that run different
code sequences without interfering with each other.
See https://docs.kernel.org/virt/kvm/api.html#kvm-irqfd for more details.
- use specific flags in kvm_msi and kvm_irq_routing_entry
- add KVM_IRQ_ROUTING_XEN_EVTCHN to kvm_irq_routing_entry_type
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-clock for more info.
KVM_IRQ_LINE_STATUS is declared as _IOWR(), so it should be able to return values.
Both kvm_device_attr_generic and kvm_device_attr_arm64 are passed to
ioctl$KVM_SET_DEVICE_ATTR and ioctl$KVM_GET_DEVICE_ATTR as read-only,
but the `addr` parameter should be marked as inout.
Although it only reads data from the kernel, and CPU creation is anyway
handled by syz_kvm_setup_cpu(), adding this ioctl will increase coverage
and potentially trigger interactions with KVM_ARM_VCPU_INIT.
This ioctl is mentioned at
https://docs.kernel.org/virt/kvm/api.html#kvm-cap-dirty-log-ring-kvm-cap-dirty-log-ring-acq-rel,
but doesn't have its own doc entry.
This is an x86-only ioctl: https://docs.kernel.org/virt/kvm/api.html#kvm-get-xsave2
According to https://docs.kernel.org/virt/kvm/api.html#kvm-set-memory-attributes,
this is an x86-only ioctl.
Certain ioctls accept CPU features as numbers in the range 0..6
(aka KVM_ARM_VCPU_POWER_OFF..KVM_ARM_VCPU_SVE), whereas other
ioctls accept them as a bit mask.
Add the capabilities described in https://docs.kernel.org/virt/kvm/api.html,
but previously missing from the descriptions.
Most of these are VM capabilities for x86 and arm64, apart from KVM_CAP_SYNC_REGS,
which is a VCPU capability.
VM/VCPU attribution is poorly documented, so I referred to LXR to figure that out.
KVM provides a number of vendor-specific hypercall functions that are
hard to discover without explicitly listing their IDs in the descriptions
file.
According to
https://elixir.bootlin.com/linux/v6.10.9/source/include/uapi/linux/kvm.h,
the third member of `struct kvm_coalesced_mmio_zone` is a union of
`__u32 pad` and `__u32 pio`, where `pio` can be 0 or 1, depending on whether
the user wants to use KVM_MMIO_BUS or KVM_PIO_BUS (see also
https://elixir.bootlin.com/linux/v6.10.9/source/virt/kvm/coalesced_mmio.c#L137).
See https://docs.kernel.org/virt/kvm/api.html#kvm-set-user-memory-region2
for more details.
See https://docs.kernel.org/virt/kvm/api.html#kvm-create-guest-memfd
for more details.
See https://docs.kernel.org/virt/kvm/api.html#kvm-pre-fault-memory
for details.
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-set-counter-offset
for more details.
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-finalize for details.
Add KVM_ARM_VCPU_PTRAUTH_ADDRESS, KVM_ARM_VCPU_PTRAUTH_GENERIC, KVM_ARM_VCPU_SVE
from https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-init.
Add KVM_GUESTDBG_EXIT_PENDING (s390) and KVM_GUESTDBG_BLOCKIRQ (x86)
that were previously missing.
As per https://docs.kernel.org/virt/kvm/api.html#kvm-get-vcpu-events.
The new API call will be used to write values to guest memory specified
by base+offset.
Writing to e.g. MMIO registers for VGIC (or any other MMIO ranges) may
result in new coverage.
According to https://docs.kernel.org/virt/kvm/api.html#kvm-ioeventfd,
datam should be the optional expected data value written by
the guest (we keep it random for now), whereas addr is the MMIO address.
Do not specify the attribute input types for now.
According to https://docs.kernel.org/virt/kvm/devices/vcpu.html,
VCPUs also have device attributes. Add descriptions for ioctls that
manipulate those attributes.
Implement basic IRQ controller setup for VMs with a single CPU.
SYZOS_API_IRQ_SETUP sets up the VGICv3 distributor/redistributor and
enables the specified number of SPIs starting from 32.
The default IRQ handler is set up to perform a uexit(-2).
The new pseudo-syscall sets up VGICv3 IRQ controller on the host.
That still requires guest setup code, which will be submitted separately.
Make the necessary changes to support HVC in addition to SMC.
These two may subtly differ, so they are handled separately.
As suggested by Dmitry, use a template to avoid duplication in various syzos types.
Also adjust the existing tests.
Provide an API call to invoke the ARM64 Secure Monitor Call instruction
with user-supplied function id and 5 parameters passed in registers x1-x5.
For now only `smc #0` is invoked, although in the future we may want to
pass other (reserved) immediate values to SMC.
|