Commit message
Enable some previously disabled syscalls in snapshot mode that look safe for snapshot mode.
In snapshot mode we don't rely on the actual networking, and should be able to survive
runner process kills, and disk shutdown.
BSG is a block layer version of SG driver with its own devices,
which can be found in /dev/bsg/*. Currently, syzkaller barely touches
related code in block/ and drivers/scsi/ source directories,
so update the descriptions to nudge the fuzzer in the right direction.
Specifically,
- create a separate description file dev_bsg.txt;
- move openat$bsg from sys.txt and fix the way devices
in question are accessed;
- describe necessary syscalls and structs, most importantly, sg_io_v4.
- add a few TODOs to address later.
A few words about flaws in the sg_io_v4 description:
Some fields were left more ambiguous than desired. Once more research
into the way bsg operates is done, as well as related coverage is
gathered, those flaws will be corrected.
syz-declextract
syz_create_resource allows turning any value into a resource.
Improve binfmt descriptions using syz_create_resource:
we need to pass the same file name to write syscalls and execve.
Use syz_create_resource to improve binfmt descriptions.
Add automatic_helper attribute and enable it for system calls that are required to properly run automatically generated
descriptions. Enable these system calls when descriptions_mode = `Auto`.
Disable the syscall in descriptions rather than in the code.
This makes it more visible for users that it's disabled,
and makes it less special (will not need to move this logic to host).
Also change the condition in syz-sysgen to be more precise,
otherwise syz_execute_func becomes an unused function.
Split out deprecated descriptions from socket_netlink_route_sched.txt.
Adjust outdated descriptions.
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
All flags that are subset of other flags were identified with the
following Bash script [1]. Only a small set of flags identified by the
script were rewritten to use nested flag definitions, after manually
checking if it makes sense (based on syzkaller context and man pages).
For example, msgget_flags was rewritten as follows:
-msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
+msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
According to the msgget(2) man page:
Upon creation, the least significant bits of the argument msgflg
define the permissions of the message queue. These permission bits
have the same format and semantics as the permissions specified for
the mode argument of open(2).
So it is correct to use open_mode directly in the definition of the
flags for msgget(2).
[1]
#!/bin/bash
# Reads syzkaller description lines on stdin and reports every flag list
# whose values are a subset of (or equal to) another flag list's values.
regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"
is_subset() {
    local -n subset=$1
    local -n superset=$2
    for element in "${subset[@]}"; do
        if [[ ! " ${superset[@]} " =~ " $element " ]]; then
            return 1
        fi
    done
    return 0
}
declare -A parsed_lines
while IFS= read -r line; do
    if [[ ! "$line" =~ $regexp_flags ]]; then
        continue
    fi
    list_name="${BASH_REMATCH[1]}"
    values="${BASH_REMATCH[2]}"
    # Normalize to a sorted, comma-separated list before splitting into an array.
    IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
    # Skip flags with too few values.
    if [ "${#values_array[@]}" -lt 3 ]; then
        continue
    fi
    # Skip the syz0, syz1, etc. lists.
    if [ "${values_array[0]}" = "\"syz0\"" ]; then
        continue
    fi
    parsed_lines["${list_name}"]="${values_array[@]}"
done
for list_name in "${!parsed_lines[@]}"; do
    values_array=(${parsed_lines["$list_name"]})
    for other_list_name in "${!parsed_lines[@]}"; do
        other_values_array=(${parsed_lines["$other_list_name"]})
        if [ "$list_name" = "$other_list_name" ]; then
            continue
        fi
        if is_subset values_array other_values_array; then
            if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
                echo "$list_name EQUALS $other_list_name"
            else
                echo "$list_name is a SUBSET of $other_list_name"
            fi
        fi
    done
done
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
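An added check, not part of the commit above nor of syzkaller's own tooling: a small Python parser for the `name = a, b, c` description lines that expands nested references, so a rewrite like the msgget_flags one can be verified to cover exactly the same constants as the flat list it replaces, and subset candidates for further nesting can be listed. The function names are hypothetical, and open_mode is assumed here to hold the S_* permission bits the flat list shows.

```python
import itertools
import re

# Constructed sample in syzkaller's "name = a, b, c" description syntax: the
# flat msgget_flags line from the commit message beside its nested rewrite.
# open_mode is assumed to hold the S_* permission bits the flat list shows.
SAMPLE = """
open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
msgget_flags_old = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
"""

FLAGS_RE = re.compile(r"^(\w+)\s*=\s*([A-Za-z_\"].*?)\s*$")

def parse_flags(text):
    """Map each flag-list name to the items it declares (unexpanded)."""
    lists = {}
    for line in text.splitlines():
        m = FLAGS_RE.match(line.strip())
        if m:
            lists[m.group(1)] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return lists

def expand(lists, name, seen=()):
    """Flatten a flag list, following references to other lists by name."""
    if name in seen:
        raise ValueError("cycle through " + name)
    flat = set()
    for item in lists[name]:
        if item in lists:
            flat |= expand(lists, item, seen + (name,))
        else:
            flat.add(item)
    return flat

def equivalent(lists, a, b):
    """True when two lists cover exactly the same constants once expanded."""
    return expand(lists, a) == expand(lists, b)

def nesting_candidates(lists, min_size=3):
    """(small, big) pairs where small's constants are a strict subset of
    big's, i.e. big could reference small by name instead of repeating it."""
    flat = {n: expand(lists, n) for n in lists}
    return [(s, b) for s, b in itertools.permutations(lists, 2)
            if len(flat[s]) >= min_size and flat[s] < flat[b]]

if __name__ == "__main__":
    lists = parse_flags(SAMPLE)
    print("rewrite preserves set:", equivalent(lists, "msgget_flags_old", "msgget_flags"))
    for small, big in nesting_candidates(lists):
        print(f"{small} is a SUBSET of {big}")
```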
Some includes got obsolete over time.
Handle torvalds/linux@96b2b072ee62 ("exportfs: allow exporting
non-decodeable file handles to userspace").
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Handle torvalds/linux@99668f618062 ("fs: expose LOOKUP_CACHED through
openat2() RESOLVE_CACHED")
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Handle torvalds/linux@cf264e1329fb ("cachestat: implement cachestat syscall")
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
New netlink command has been added to MPTCP as well as a few getsockopt.
Add the necessary syzkaller instructions.
The syscall sets PKRU register which is part of protection keys (pkey).
MADV_COLLAPSE was added to Linux in 6.1.
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
Generate very long file names once in a while to provoke bugs like:
https://github.com/google/gvisor/commit/f857f268eceb1cdee0b2bdfa218c969c84033fcd
Currently mkdirat requires fd_dir as an input resource,
which means it cannot be enabled in "enable_syscalls" on its own
as it requires some other syscall that creates fd_dir
(a syscall cannot create input resources for itself).
Mark fd_dir as opt so that mkdirat can be enabled on its own.
The default value for fd_dir is AT_FDCWD, which is a good value that works.
The interface has significantly changed since the first version.
Update to the upstreamed interface.
Fixes #3030
It seems we had a bogus signature for sigaltstack for all that time.
It accepts 2 sigaltstack structs according to the kernel code:
https://elixir.bootlin.com/linux/v5.16/source/kernel/signal.c#L4217
Update #590
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
Move existing bits of /dev/media descriptions from sys.txt and dev_video4linux.txt
and complete the descriptions.
Also provide more concrete specialization of VIDIOC_QUERYBUF ioctl.
Add ioctl specialization that serves as fd_v4l2_buffer resource constructor
(returns it outside of a union).
It's a somewhat common mistake to write comments instead of directives:
#include <foo>
#define FOO BAR
because that's how it's done in C.
In preparation for warning about such cases remove all existing
comments that fake directives.
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/mm/secretmem.c#L194
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/fs/eventpoll.c#L2279
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/mm/oom_kill.c#L1146
Regenerate const files on the latest upstream tree.
Remove IPX support since it was removed from the kernel
in 7a2e838d28 ("staging: ipx: delete it from the tree").
O_RDONLY is not really a flag. Not providing O_WRONLY means O_RDONLY.
Signed-off-by: Denis Efremov <efremov@linux.com>
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues above are:
- Need to know what file present on target device
- Need to write openat for each file
With dirname added, which will open one file
in the directory randomly and then pass the fd to
write/read/close.
* all: use typename glob to match filename
Fixes #481
Duplicate mknod$loop() for architectures without mknod().
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add a variant to create a /dev/null character device.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
fork() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>