Implement SYZOS_API_NESTED_AMD_INJECT_EVENT to allow the L1 guest to
inject events (Interrupts, NMIs, Exceptions) into L2 via the VMCB EVENTINJ
field.
This primitive abstracts the VMCB bit-packing logic
(Vector, Type, Valid, Error Code) into a high-level API, enabling the fuzzer
to semantically mutate event injection parameters.
This targets KVM's nested event merging logic, specifically where L0 must
reconcile L1-injected events with Host-pending events.

Implement the SYZOS_API_NESTED_AMD_STGI and SYZOS_API_NESTED_AMD_CLGI
primitives to toggle the Global Interrupt Flag (GIF). These commands
execute the stgi and clgi instructions respectively and require no
arguments.
Also add a test checking that CLGI correctly masks NMI injection from L0.

Implement the SYZOS_API_NESTED_AMD_INVLPGA primitive to execute the
INVLPGA instruction in the L1 guest.
This allows the fuzzer to target KVM's Shadow MMU and Nested Paging (NPT)
logic by invalidating TLB entries for specific ASIDs.
Also add a simple syzlang seed/regression test.

Test access through disconnected directory.
This test should trigger a warning without this patch:
https://lore.kernel.org/r/20251128172200.760753-2-mic@digikod.net
The fix is in linux-next and should be merged in the master branch soon.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Rename amd64-syz_kvm_nested_vmwrite_mask to
amd64-syz_kvm_nested_intel_vmwrite_mask
No functional change.

The new command allows mutation of the AMD VMCB block with plain 64-bit writes.
In addition to VM ID and VMCB offset, @nested_amd_vmcb_write_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows making bitwise modifications to the VMCB without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_amd_vmcb_write_mask to test the
new command behavior.

The new command allows mutation of Intel VMCS fields with the help
of the vmwrite instruction.
In addition to VM ID and field ID, @nested_intel_vmwrite_mask takes
three 64-bit numbers: the set mask, the unset mask, and the flip mask.
This allows making bitwise modifications to the VMCS without disturbing
the execution too much.
Also add sys/linux/test/amd64-syz_kvm_nested_vmwrite_mask to test the
new command behavior.

Enable basic RDTSCP handling. Ensure that Intel hosts exit on RDTSCP
in L2, and that both Intel and AMD can handle RDTSCP exits.
Add amd64-syz_kvm_nested_vmresume-rdtscp to test that.

Enable basic RDTSC handling. Ensure that Intel hosts exit on RDTSC
in L2, and that both Intel and AMD can handle RDTSC exits.
Add amd64-syz_kvm_nested_vmresume-rdtsc to test that.

Ensure L2 correctly exits to L1 on CPUID and resumes properly.
Add a test.

Provide the SYZOS API command to resume L2 execution after a VM exit,
using VMRESUME on Intel and VMRUN on AMD.
For testing purposes, implement basic handling of the INVD instruction:
- enable INVD interception on AMD (set all bits in VMCB 00Ch);
- map EXIT_REASON_INVD and VMEXIT_INVD into SYZOS_NESTED_EXIT_REASON_INVD;
- advance L2 RIP to skip to the next instruction.
While at it, perform minor refactorings of L2 exit reason handling.
sys/linux/test/amd64-syz_kvm_nested_vmresume tests the new command by
executing two instructions, INVD and HLT, in the nested VM.

Basic SYZOS test for NV that ensures an L2 VM is correctly created
and executed.

The new API call allows initializing the handler with one of the
three possible values:
- NULL (should cause a page fault)
- dummy_null_handler (should call iret)
- uexit_irq_handler (should perform guest_uexit(UEXIT_IRQ))
Also add a test for uexit_irq_handler().

Now that we handle interrupts in the guest code, this program does
not shut down anymore. Make sure it finishes correctly, and
rename the test case to avoid confusion.

Verify that the default IRQ handler correctly handles an injected
interrupt.

Otherwise the two instances can't communicate.

The new test validates that KVM exits with KVM_EXIT_HLT when
encountering the x86 HLT instruction.

Add SYZOS calls that correspond to the IN and OUT x86 instructions
that perform port I/O.
These instructions have different variants; for now we just implement
the one that takes the port number from DX instead of encoding it in
the opcode.

Not strictly necessary, because syz_kvm_assert_syzos_uexit() is checking
the exit reason, but should test the pseudo-syscall itself.

This is a best-effort attempt to fix the tests passing ANY arguments
to the syz_kvm_add_vcpu$arm64() syscall.

Transform the hard-coded list of feature combinations into individual
groups of features.

This change is the first step in addressing issue [1].
Despite syzkaller's best efforts, some usb drivers are proving
resistant to attempts to probe them. Specifically, crafted
devices are not accurate enough to bypass checks in probe().
These checks mostly deal with usb interfaces and endpoints.
One way to address this issue is to define syz_connect_* call
variants to help syzkaller succeed in probing by describing in detail
various device attributes.
Start by describing such calls for select drivers, each representing
its own category of sorts. At the moment, code coverage for these
drivers is unimpressive:
- rtl8150
Used to succeed probing until a better usb endpoint check was implemented.
- sierra_net
Same as rtl8150. Depends on usbnet API for bind() and usb ep checks.
- lan78xx
Requires numerous control requests between driver and device DURING probe.
Extra descriptions are helpful but are not enough to fully complete the
probing process.
Also, add a seed for each such example.
This is only a stepping stone to improve usb fuzzing results and most
likely will be subject to change in the future.
[1] https://github.com/google/syzkaller/issues/6206

Use the latest version of bcachefs-tools.
See the discussion at https://groups.google.com/g/syzkaller/c/Vek7-974kJI/m/8TrKOiz6AgAJ

amd64-syz_kvm_setup_syzos_vm-wrmsr-rdmsr is a test executing SYZOS_API_WRMSR
and SYZOS_API_RDMSR on x86.

When running syz-manager with -mode run-tests --tests landlock_ptrace -debug
we get this result:
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=0
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=3
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
Because this test spawns two threads, the ptrace(2) return code may be
different according to the calling thread.
Set the common EPERM errnos for all three threads (EINTR is unknown to
syzkaller). The other return codes cannot be fixed because we cannot
have a set of valid errnos for the same call.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug
we get this result:
#0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
#0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
#0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
#0 [1300ms] <- ioctl=0x0
[...]
landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13
The ioctl call returns EFAULT instead of EACCES.
Change this test to create a /dev/null device and use a valid device
IOCTL.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

The setuid sandboxes are not correct because some tests require mount.
Let's make it simple and remove them. After all, Landlock is available
to any user.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.

This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.

This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.

Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.

Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfi and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfit, two seeds that
exercise the WFxT path in KVM.

When using QEMU full emulation mode, the majority of the system
registers (as defined in sys/linux/dev_kvm.txt:kvm_regs_arm64_sys) are
not accessible (i.e. only 77/592 trigger kvm_handle_sys_reg()). This series of
tests performs MSR accesses to the accessible registers.

Add support for the MRS instruction in a similar manner to MSR.

Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu, a seed that
enables PMU and touches PMEVCNTR0_EL0.
It was inspired by https://github.com/google/syzkaller/pull/5582
and led to a notable (+500) coverage increase, as the fuzzer couldn't
previously guess that it should pass KVM_ARM_VCPU_PMU_V3 when creating
the vCPU and set the KVM_ARM_VCPU_PMU_V3_INIT attribute at the same time.

Make sure the SyzOS test correctly sets the value of VBAR_EL1.

Provide a test case that replaces syz_kvm_vgic_v3_setup() with a sequence
of 5 KVM ioctls.

Syscalls that initialize KVM and set up syzos have to be executed in a
particular order; there's no point in running them concurrently.

arm64-syz_kvm_setup_syzos_vm-vgicv3-its
Make sure the test actually performs guest-side ITS setup and invokes an LPI.

Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- host can tamper with that memory, provoking more bugs

Reserve SYZOS address for the ITS redistributor at 0x08080000, add it to the
list of kvm_guest_addrs.
Also implement a syzlang test for the host part of ITS configuration as per
https://www.kernel.org/doc/html/v6.1/virt/kvm/devices/arm-vgic-its.html

The test has become too big (>40 calls).
Split off dev_iommu_vfio and remove the overlap with dev_iommu_hwpt.

Add the new landlock_ruleset_attr "scoped" field and related flags for
Linux 6.12: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and
LANDLOCK_SCOPE_SIGNAL.
Update tests with the new landlock_ruleset_attr field.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Add a seed that creates and execs something that resembles an ELF binary.

In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.