| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the USB audio fuzzing support by adding syzlang
descriptions for:
- UAC2 (USB Audio Class 2.0) devices with clock management units,
interface association descriptors, and extended format types.
- UAC3 (USB Audio Class 3.0) devices including power domain
descriptors and cluster information segments.
- USB MIDI devices with jack descriptors and streaming endpoints.
A new generateAudioDeviceDescriptor function patches in both
auto-extracted USB IDs from the kernel driver matching rules and
hardcoded quirk IDs from the USB audio driver sources (sound/usb/).
This approach follows the pattern established for the HID and printer
classes, allowing exercising driver quirks that cannot be automatically
extracted.
The config descriptor template now includes an EXTRA field to support
Interface Association Descriptors required by UAC2/UAC3. This also
requires adjusting the interface field index in patchUsbDeviceID.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables syzos for riscv64 and implements
the corresponding pseudo syscalls.
Pseudo syscalls:
- syz_kvm_setup_syzos_vm
- syz_kvm_add_vcpu
- syz_kvm_assert_syzos_uexit
Syzos guest support:
- guest_uexit
- guest_execute_code
- guest_handle_csrr and guest_handle_csrw
Test seeds:
- riscv64-syz_kvm_setup_syzos_vm
- riscv64-syz_kvm_setup_syzos_vm-csrr
- riscv64-syz_kvm_setup_syzos_vm-csrw
|
| |
|
|
|
|
|
|
|
| |
Add two new SYZOS test cases to verify the persistence of
Guest Physical Registers (GPRs) in nested virtualization scenario.
These tests ensure that the hypervisor correctly saves and restores
L2 GPRs during nested VM-exits and VM-entries, preventing register
state corruption.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sys/linux/test/amd64-syz_kvm_nested_load_syzos-vmresume to verify the
state preservation and resumption capabilities of the
SYZOS_API_NESTED_LOAD_SYZOS primitive.
The test deploys an L2 guest with a sequential multi-step payload:
1. `uexit(1)`
2. `uexit(2)`
The L1 hypervisor first executes `nested_vmlaunch`, causing L2 to run
until the first uexit. L1 then executes `nested_vmresume` to continue
L2 execution.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new test checks the following scenario:
- L0 VM launches L1 VM (SYZOS)
- L1 VM launches L2 VM (nested SYZOS)
- L2 VM issues a UEXIT
- L1 VM catches the UEXIT and forwards it to L0
- L0 VM checks the UEXIT code and resumes L1 VM
- L1 VM finishes its work and issues another UEXIT
- L0 VM checks the UEXIT code
|
| |
|
|
|
|
|
| |
The syz_kvm_assert_syzos_uexit$x86 function expects a 64-bit value
for the exit code.
Update the test cases to use 0xffffffffffffffff instead of 0xffffffff
to reflect the -1 value used to indicate the end of the test.
|
| |
|
|
|
|
|
| |
- Enables syz_kvm_assert_reg for riscv64.
- Updates kvm_one_reg according to the latest definition in
https://github.com/torvalds/linux/blob/master/arch/riscv/include/uapi/asm/kvm.h.
- Adds a test case: riscv64-kvm-reg.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_VMLOAD and
SYZOS_API_NESTED_AMD_VMSAVE.
These primitives allow the L1 guest to execute the VMLOAD and VMSAVE
instructions, which load/store additional guest state (FS, GS, TR, LDTR,
etc.) to/from the VMCB specified by the 'vm_id' argument.
This stresses the KVM L0 instruction emulator, which must validate the
L1-provided physical address in RAX and perform the state transfer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements syz_kvm_setup_cpu for riscv64 architecture.
The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code
as parameters. Additional parameters (ntext, flags, opts, nopt) are
included for interface consistency with other architectures but are
currently unused on riscv64.
Implementation:
- Set up guest memory via KVM_SET_USER_MEMORY_REGION
- Copy guest code to guest memory
- Initialize guest registers to enable code execution in S-mode
- Return 0 on success, -1 on failure
Testing:
A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/
to verify basic functionality.
Known limitations:
- ifuzz is not yet compatible with riscv64. Temporary workaround: set
text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig
for riscv64 to ensure generateText and mutateText work correctly.
This patch also adds support for KVM_GET_ONE_REG ioctl.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_SET_INTERCEPT to SYZOS.
This primitive enables the fuzzer to surgically modify intercept vectors
in the AMD VMCB (Virtual Machine Control Block) Control Area.
It implements a read-modify-write operation on 32-bit VMCB offsets,
allowing the L1 hypervisor (SYZOS) to deterministically set or clear
specific intercept bits (e.g., for RDTSC, HLT, or exceptions) for the L2
guest.
This capability allows syzkaller to systematically explore KVM's nested
SVM emulation logic by toggling intercepts on and off, rather than
relying on static defaults or random memory corruption.
|
| |
|
|
|
|
|
| |
This patch updates all relevant regression tests in sys/linux/test/ to
align with the API change introduced in syz_kvm_assert_syzos_uexit.
The syz_kvm_assert_syzos_uexit syscall now requires the VCPU file
descriptor as its first argument.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Implement SYZOS_API_NESTED_AMD_INJECT_EVENT to allow the L1 guest to
inject events (Interrupts, NMIs, Exceptions) into L2 via the VMCB EVENTINJ
field.
This primitive abstracts the VMCB bit-packing logic
(Vector, Type, Valid, Error Code) into a high-level API, enabling the fuzzer
to semantically mutate event injection parameters.
This targets KVM's nested event merging logic, specifically where L0 must
reconcile L1-injected events with Host-pending events.
|
| |
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_STGI and SYZOS_API_NESTED_AMD_CLGI
primitives to toggle the Global Interrupt Flag (GIF). These commands
execute the stgi and clgi instructions respectively and require no
arguments.
Also add a test checking that CLGI correctly masks NMI injection from L0.
|
| |
|
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_INVLPGA primitive to execute the
INVLPGA instruction in the L1 guest.
This allows the fuzzer to target KVM's Shadow MMU and Nested Paging (NPT)
logic by invalidating TLB entries for specific ASIDs.
Also add a simple syzlang seed/regression test.
|
| |
|
|
|
|
|
|
|
|
|
| |
Test access through disconnected directory.
This test should trigger a warning without this patch:
https://lore.kernel.org/r/20251128172200.760753-2-mic@digikod.net
The fix is in linux-next and should be merged in the master branch soon.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
| |
Rename amd64-syz_kvm_nested_vmwrite_mask to
amd64-syz_kvm_nested_intel_vmwrite_mask
No functional change.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new command allows mutation of AMD VMCB block with plain 64-bit writes.
In addition to VM ID and VMCB offset, @nested_amd_vmcb_write_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows to make bitwise modifications to VMCB without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_amd_vmcb_write_mask to test the
new command behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The new command allows mutation of Intel VMCS fields with the help
of vmwrite instruction.
In addition to VM ID and field ID, @nested_intel_vmwrite_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows to make bitwise modifications to VMCS without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_vmwrite_mask to test the
new command behavior.
|
| |
|
|
|
|
|
| |
Enable basic RDTSCP handling. Ensure that Intel hosts exit on RDTSCP
in L2, and that both Intel and AMD can handle RDTSCP exits.
Add amd64-syz_kvm_nested_vmresume-rdtscp to test that.
|
| |
|
|
|
|
|
| |
Enable basic RDTSC handling. Ensure that Intel hosts exit on RDTSC
in L2, and that both Intel and AMD can handle RDTSC exits.
Add amd64-syz_kvm_nested_vmresume-rdtsc to test that.
|
| |
|
|
|
| |
Ensure L2 correctly exits to L1 on CPUID and resumes properly.
Add a test.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide the SYZOS API command to resume L2 execution after a VM exit,
using VMRESUME on Intel and VMRUN on AMD.
For testing purpose, implement basic handling of the INVD instruction:
- enable INVD interception on AMD (set all bits in VMCB 00Ch);
- map EXIT_REASON_INVD and VMEXIT_INVD into SYZOS_NESTED_EXIT_REASON_INVD;
- advance L2 RIP to skip to the next instruction.
While at it, perform minor refactorings of L2 exit reason handling.
sys/linux/test/amd64-syz_kvm_nested_vmresume tests the new command by
executing two instructions, INVD and HLT, in the nested VM.
|
| |
|
|
|
| |
Basic SYZOS test for NV that ensures an L2 VM is correctly created
and executed.
|
| |
|
|
|
|
|
|
|
|
| |
The new API call allows to initialize the handler with one of the
three possible values:
- NULL (should cause a page fault)
- dummy_null_handler (should call iret)
- uexit_irq_handler (should perform guest_uexit(UEXIT_IRQ))
Also add a test for uexit_irq_handler()
|
| |
|
|
|
|
| |
Now that we handle interrupts in the guest code, this program does
not shutdown anymore. Make sure it finishes correctly, and
rename the test case to avoid confusion.
|
| |
|
|
|
| |
Verify that the default IRQ handler correctly handles an injected
interrupt.
|
| |
|
|
| |
Otherwise the two instances can't communicate.
|
| |
|
|
|
| |
The new test validates that KVM exits with KVM_EXIT_HLT when
encountering the x86 HLT instruction.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add SYZOS calls that correspond to the IN and OUT x86 instructions
that perform port I/O.
These instructions have different variants, for now we just implement
the one that takes the port number from DX instead of encoding it in
the opcode.
|
| |
|
|
|
| |
Not strictly necessary, because syz_kvm_assert_syzos_uexit() is checking
the exit reason, but should test the pseudo-syscall itself.
|
| |
|
|
|
| |
This is a best-effort attempt to fix the tests passing ANY arguments
to the syz_kvm_add_vcpu$arm64() syscall.
|
| |
|
|
|
| |
Transform the hard-coded list of feature combinations in to individual
groups of features.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change is the first step in addressing issue [1].
Despite syzkaller's best efforts, some usb drivers are proving
resistant to attempts to probe them. Specifically, crafted
devices are not accurate enough to bypass checks in probe().
These checks mostly deal with usb interfaces and endpoints.
One way to address this issue is to define syz_connect_* calls
variants to help syzkaller succeed probing by describing in detail
various device attributes.
Start by describing such calls for select drivers, each representing
its own category of sorts. At the moment, code coverage for these
drivers is unimpressive:
- rtl8150
Used to succeed probing until a better usb endpoint check was implemented.
- sierra_net
Same as rtl8150. Depends on usbnet API for bind() and usb ep checks.
- lan78xx
Requires numerous control requests between driver and device DURING probe.
Extra descriptions are helpful but are not enough to fully complete
probing process.
Also, add a seed for each such example.
This is only a stepping stone to improve usb fuzzing results and most
likely will be subject to change in the future.
[1] https://github.com/google/syzkaller/issues/6206
|
| |
|
|
|
|
| |
Use the latest version of bcachefs-tools.
See the discussion at https://groups.google.com/g/syzkaller/c/Vek7-974kJI/m/8TrKOiz6AgAJ
|
| |
|
|
|
| |
amd64-syz_kvm_setup_syzos_vm-wrmsr-rdmsr is a test executing SYZOS_API_WRMSR
and SYZOS_API_RDMSR on x86.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running syz-manager with -mode run-tests --tests landlock_ptrace -debug
we get this result:
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=0
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=3
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
Because this test spawns two threads, the ptrace(2) returned code may be
different according to the calling thread.
Set the common EPERM errnos for all three threads (EINTR is unknown to
syzkaller). The other returned codes cannot be fixed because we cannot
have a set of valid errno for the same call.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug
we get this result:
#0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
#0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
#0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
#0 [1300ms] <- ioctl=0x0
[...]
landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13
The ioctl call returns EFAULT instead of EACCES.
Change this test to create a /dev/null device and use a valid device
IOCTL.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
| |
The setuid sandboxes are not correct because some tests require mount.
Let's make it simple and remove them. After all, Landlock is available
to any user.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
| |
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
|
| |
|
|
|
|
| |
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
|
| |
|
|
|
| |
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
|
| |
|
|
|
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.
|
| |
|
|
|
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfi and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfit, two seeds that
exercise the WFxT path in KVM.
|
| |
|
|
|
|
|
| |
When using QEMU full emulation mode, the majority of the system
registers (as defined in sys/linux/dev_kvm.txt:kvm_regs_arm64_sys) are
not accessible (i.e. only 77/592 trigger kvm_handle_sys_reg()). This series of
tests perform MSR accesses to the accessible registers.
|
| |
|
|
| |
Add support for the MRS instruction in a similar manner to MSR.
|
