| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| |
|
|
|
|
|
| |
Remove all uses of direction attributes on union fields
and use out_overlay attribute instead.
The attribute actually does what was the intention behind
use of direction attribute on unions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit [1] upstream introduced a new way to reference BPF maps in eBPF
instructions. An array of BPF map fds is passed at program load time.
Instructions can then reference fds in this array instead of carrying
the fds directly. The goal is to allow BPF instructions to be immutable
after compilation.
Since we don't yet have a good way to reference indexes in an array, we
define a new type map_fd_id for that purpose, with indexes between 0 and
16 only.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
| |
Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
IR - enables MMU for instruction fetches
DR - enables MMU for data loads/stores
PR - "problem state", i.e. userspace (implies DR and IR)
PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS
normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Represent array[const[X, int8], N] as string["XX...X"].
This replaces potentially huge number of:
NONFAILING(*(uint8_t*)0x2000126c = 0);
NONFAILING(*(uint8_t*)0x2000126d = 0);
NONFAILING(*(uint8_t*)0x2000126e = 0);
with a single memcpy. In one reproducer we had 3991 such lines.
Also replace memcpy's with memset's when possible.
Update #1070
|
| |
|
|
|
|
|
| |
This test covers mount namespace manipulation forbidden in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
| |
This test helps cover most types of access checks in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
This test helps cover security/landlock/ptrace.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
This test helps cover security/landlock/fs.c:check_access_path()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
This test helps cover security/landlock/fs.c:hook_sb_delete()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
| |
If rfkill is enabled by the fuzzer, wifi setup will fail.
Disable rfkill to initial state during setup.
|
| |
|
|
|
|
|
|
|
|
| |
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
|
| |
|
|
|
|
| |
- Add a test for BPF_PROG_TYPE_CGROUP_SYSCTL. This could be used as a
corpus.
- Remove an unnecessary file sys/linux/bpf_lsm.txt.const.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With fscrypt (a.k.a. ext4, f2fs, and ubifs encryption), several steps
are required to get to a properly set-up encrypted directory:
- Mount a filesystem that supports encryption.
- Call FS_IOC_ADD_ENCRYPTION_KEY on the mountpoint.
- Create a directory in the filesystem.
- Call FS_IOC_SET_ENCRYPTION_POLICY on the directory, specifying the
encryption key that was added earlier.
- Then actually create stuff in the directory.
It may be too hard for syzkaller to generate all these steps, which may
explain why syzbot isn't yet properly covering the fscrypt code; see
https://storage.googleapis.com/syzkaller/cover/ci-upstream-kasan-gce.html
which currently shows only 5% coverage of the fs/crypto/ directory.
Therefore add some test programs which do this setup on ext4 and f2fs.
Note that ubifs support can't be included yet because syzkaller doesn't
yet know how to mount an ubifs filesystem (which would likely require
using block2mtd, as ubifs uses MTD devices rather than block devices).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://lore.kernel.org/linuxppc-dev/20190418100218.0a4afd51@mschwideX1/
The test triggers this bug:
[ 224.294341] ==================================================================
[ 224.294389] BUG: KASAN: stack-out-of-bounds in gup_pgd_range+0x124a/0x1398
[ 224.294405] Read of size 8 at addr 000003e002e8f3d8 by task gup_fast_regr-s/633
[ 224.294417]
[ 224.294431] CPU: 0 PID: 633 Comm: gup_fast_regr-s Not tainted 5.9.0-rc6 #1
[ 224.294443] Hardware name: IBM 8561 T01 701 (KVM/Linux)
[ 224.294454] Call Trace:
[ 224.294470] [<0000000047708384>] show_stack+0x174/0x220
[ 224.294488] [<000000004bbcfb9c>] dump_stack+0x274/0x2f8
[ 224.294506] [<0000000047f4e8e6>] print_address_description.constprop.0+0x5e/0x550
[ 224.294523] [<0000000047f4e4ea>] kasan_report+0x11a/0x168
[ 224.294538] [<0000000047e4a77a>] gup_pgd_range+0x124a/0x1398
[ 224.294554] [<0000000047e4cbea>] internal_get_user_pages_fast+0x212/0x460
[ 224.294571] [<0000000047e4cf10>] get_user_pages_fast+0x70/0xb0
[ 224.294588] [<0000000049886cee>] iov_iter_get_pages+0x2d6/0xdf0
[ 224.294605] [<000000004974aaca>] bio_iov_iter_get_pages+0x2ca/0x1088
[ 224.294623] [<0000000048210282>] iomap_dio_bio_actor+0x8e2/0x1118
[ 224.294638] [<0000000048210b64>] iomap_dio_actor+0xac/0x550
[ 224.294655] [<000000004820212a>] iomap_apply+0x21a/0x9d0
[ 224.294670] [<00000000482118ae>] iomap_dio_rw+0x7c6/0x11e8
[ 224.294689] [<0000000048374ca8>] ext4_file_read_iter+0x4b0/0x638
[ 224.294707] [<0000000047fd85ec>] new_sync_read+0x444/0x6d0
[ 224.294722] [<0000000047fde212>] vfs_read+0x2c2/0x4e0
[ 224.294737] [<0000000047fdf3ba>] ksys_read+0x16a/0x298
[ 224.294754] [<000000004bc37ee8>] system_call+0xdc/0x298
[ 224.294794]
[ 224.294800]
[ 224.294809] addr 000003e002e8f3d8 is located in stack of task gup_fast_regr-s/633 at offset 72 in frame:
[ 224.294827] gup_pgd_range+0x0/0x1398
[ 224.294837]
[ 224.294844] this frame has 3 objects:
[ 224.294854] [32, 40) 'pgd'
[ 224.294858] [64, 72) 'p4d'
[ 224.294867] [96, 104) 'pud'
[ 224.294874]
[ 224.294885] Memory state around the buggy address:
[ 224.294900] 000003e002e8f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294915] 000003e002e8f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294930] >000003e002e8f380: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3
[ 224.294943] ^
[ 224.294957] 000003e002e8f400: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294972] 000003e002e8f480: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00
[ 224.294984] ==================================================================
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
80211_setup_station is extended with frame injections and delays that
are arranged in such a way that the device successuflly joins an
access point.
80211_scan is a new test that starts a channel scan and then injects a
beacon and a probe response.
These additions were tested manually and were observed to fulfill
their purpose.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit enables accurate generation of 802.11 frames for
injection. The descriptions only include frames/fields/elements that
are supported by mac80211.
Also, this commit includes fixes to tests that were affected by
modification of the existing descriptions.
The validity of the frames was verified by capturing the generated
packets and examining them in Wirehark.
|
| |
|
|
|
|
| |
1. A runtest that sets up an access point.
2. A runtest that configures a station.
3. A runtest that configures a mesh device.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
|
|
|
| |
And populate images with some files,
which should make both mounting and resulting dir more interesting.
Note: this adds 100MB of image files into the repo...
Maybe we need to think of some other way of string these images...
|
| |
|
|
| |
Add flexible_inline_xattr, inode_checksum, inode_crtime, project_quota features.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts.
It's hard to scale this appraoch to more file systems
avoiding duplication and stupid errors while doing proper
error handling and parallelization.
Upgrade syz-imagegen to generate full test files and replace
the shell scripts.
f2fs -O=compression options is removed, it does not seem to be
supported by mkfs.f2fs, it always says:
Error: Wrong features
The shell script used it, but it seems that the way it passed
arguments (in a single '-quoted string) just made mkfs misparse
the arguments (use only the first one?) and so -O=compression
and most other arguments were simply ignored.
|
| |
|
|
|
|
| |
The previous commit did not get all intended changes.
Follow up to 2066
|
| |
|
|
|
|
|
|
|
| |
1. Use set -eu
2. Use consistent name of the generated files
3. Add "requires: manual"
4. Fix some option combinations that lead to errors
Follow up to 2066
|
| |
|
|
|
| |
Add several unit tests that mount different versions of btrfs images, and
the .sh file that generates these tests.
|
| |
|
|
|
|
| |
Make things consistent.
Follow up to #2032
|
| |
|
|
|
|
|
|
|
| |
Currently we only test parsing in tools/syz-runtest
and for test OS in pkg/runtest tests.
This means errors in tests for other OSes won't be
noticed until somebody runs tests manually.
Test parsing of all tests in pkg/runtest tests.
Fix up 2 broken tests.
|
| |
|
|
|
|
|
| |
Introduce "manual" requirement for tests (only run if explicitly selected)
and mark f2fs tests as manual. There are too many of them.
Follow up to #2032
|
| |
|
|
|
| |
Add several unit tests that mount different versions of f2fs image, and
the .sh file that generates these tests.
|
| |
|
|
|
|
|
| |
- Rename bpf_lsm to bpf_trace and put all bpf program types
that use BPF_RAW_TRACEPOINT_OPEN here.
- Add descriptions for types RAW_TRACEPOINT(_WRITABLE), BPF_TRACING and
BPF_EXT.
- Add the hook names for RAW_TRACEPOINT(_WRITABLE).
|
| |
|
|
|
|
| |
Add syzkaller program which correctly handles a getdents64() syscall
on a FUSE directory. Here the related comment/discussion
https://github.com/google/syzkaller/pull/2001#issuecomment-671185292.
|
| |
|
|
|
|
|
|
|
|
| |
Refactor syz_mount_image() to support filesystems not requiring a
backing device and filesystem image (e.g. FUSE). To do that, we check for
the presence of the pointer to the array of struct fs_image_segment: if
missingi, there is no need to setup the loop device and we can proceed
directly with the mount() syscall.
Add syz_mount_image$fuse() (specialization for FUSE) inside
sys/linux/fs_fuse.txt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment syzkaller is able to respond to FUSE with a syntactically
correct response using the specific write$FUSE_*() syscalls, but most of
the times these responses are not related to the type of request that
was received.
With this pseudo-syscall we are able to provide the correct response
type while still allowing the fuzzer to fuzz its content. This is done
by requiring each type of response as an input parameter and then
choosing the correct one based on the request opcode.
Notice that the fuzzer is still free to mix write$FUSE_*() and
syz_fuse_handle_req() syscalls, so it is not losing any degree of
freedom.
syz_fuse_handle_req() retrieves the FUSE request and resource
fuse_unique internally (by performing a read() on the /dev/fuse file
descriptor provided as input). For this reason, a new template argument has
been added to fuse_out (renamed to _fuse_out) so that the unique field
can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique
resource (used by the write$FUSE_*() syscalls) without any code
duplication.
|
| |
|
|
|
|
|
|
|
|
| |
Currently fuse_in.unique and fuse_out.unique are not linked by any
dependency chain. This causes the majority of the replies to the kernel
to be dropped because not referring to a previously sent request.
By defining them as a resource, we push the fuzzer in the right
direction (i.e., try to respond using a previously issued unique value).
The read syscall has been updated accordingly, it now expects and parses
a fuse_in header and some additional data.
|
| |
|
|
|
| |
Fix the io_uring test by adding some blank lines after comments. This
commit changes nothing beside that.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit includes the following changes:
* executor: add a new syz_btf_id_by_name psuedo-syscall
* sys/linux: add descriptions for BPF LSM subsystem
* sys/linux: add instructions on how to dump vmlinux and install
bpftool
* sys/linux/test: add tests for the new psuedo-syscall
* pkg/host: add support detection for the new psuedo-syscall
* pkg/runtest: skip the coverage test when invoking the new
psuedo-syscall
Update #533.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For som reason {0} gets complains about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr will 0xaa
* executor/common_linux.h: just fill bd addr will 0xaa
|
| |
|
|
|
|
| |
It is hard for the fuzzer to generate correct programs using mmap calls
with fuzzer-provided mmap length. This wrapper ensures correct length
computation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sys/linux: enhanced descs for io_uring
Introduced pseudo-call "syz_io_uring_put_sqes_on_ring()" for writing
submission queue entries (sqes) on sq_ring, which was obtained by
mmap'ping the offsets obtained from io_uring_setup().
Added descriptions for io_ring_register operations that were missing
earlier.
Did misc changes to adapt the descriptions for the updates on the
io_uring subsystem.
* pkg/host: add io_uring pseudo-syscall
* executor/common_linux.h: fix issues with io_uring pseudo-syscall
* executor: fixed io_uring offset computation
* executor: fixes and refactorings in syz_io_uring_submit()
* executor: added syz_io_uring_complete() pseudo-syscall for io_uring
* sys/linux: added descriptions for io_uring operations
Each operation requires a different struct io_uring_sqe set up. Those
are described to be submitted to the sq ring.
* executor: use uint32 instead of uint32_t
* executor: remove nonfailing from pseudo-calls
* sys/linux: fix io_uring epoll_ctl sqe
* prog: fix TestTransitivelyEnabledCallsLinux()
The newly introduced syscall, syz_io_uring_submit$IORING_OP_EPOLL_CTL,
uses fd_epoll. Adapt TestTransitivelyEnabledCallsLinux() to account for
this.
* sys/linux: add IORING_OP_PROVIDE_BUFFERS and IORING_OP_REMOVE_BUFFERS
* sys/linux: fix IORING_OP_WRITE_FIXED and IORING_OP_READ_FIXED
addr and len are for the buffer located at buf_index
* sys/linux: io_uring: use reg. bufs for READ, READV, RECV, RECVMSG
As a result, IOSQE_BUFFER_SELECT_BIT is included in the iosqe_flags.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: add IORING_SETUP_ATTACH_WQ
* executor: refactorings on io_uring pseudo syscalls
* sys/linux: io_uring: fix desc for params.cq_entries
* executor: fix SQ_ARRAY_OFFSET computation
This is required with the fix in io_uring kernel code.
https://lore.kernel.org/io-uring/CACT4Y+bgTCMXi3eU7xV+W0ZZNceZFUWRTkngojdr0G_yuY8w9w@mail.gmail.com/T/#t
* executor: added pseudosyscall syz_io_uring_cq_eventfd_toggle()
The usage of cq_ring->flags is only for manipulating
IORING_CQ_EVENTFD_DISABLED bit. This is achieved by a pseudo-syscall,
which toggles the bit.
* executor: added pseudocall syz_io_uring_put_ring_metadata
Removed syz_io_uring_cq_eventfd_toggle() and introduced
syz_io_uring_put_ring_metadata() instead. We have many pieces of
metadata for both sq_ring and cq_ring, for which we are given the
offsets, and some of are not supposed to be manipulated by the
application. Among them, both sq and cq flags can be changed. Both valid
and invalid cases might cause interesting outcomes. Use the newly
introduced pseudo syscall to manipulate them randomly while also
manipulating the flags to their special values.
* executor: added pseudo-syscall syz_memcpy_off
Removed syz_io_uring_put_ring_metadata() and instead added a much more
generic pseudo systemcall to achieve the task. This should benefit other
subsystems as well.
* sys/linux: refactored io_uring descriptions
syz_io_uring_submit() is called with a union of sqes to reduce
duplication of other parameters of the function.
io_uring_sqe is templated with io_uring_sqe_t, and this template type is
used to describe sqes for different ops.
The organization of io_uring.txt is changed.
* sys/linux: io_uring: improved descs to utilize registered files
The files are registered using
io_uring_register$IORING_REGISTER_FILES(). When IOSQE_FIXED_FILE_BIT is
enabled in iosqe_flags in sqe, a variety of operations can use those
registered files using the index of the file instead of fd.
Changed the sqe descriptions for the eligible operations to utilize
this.
* sys/linux: io_uring: improved the descs to utilize personality_id in sqes
A personality_id can be registered for a io_uring fd using
io_uring_register$IORING_REGISTER_PERSONALITY(). This id can be utilized
within sqes. This commit improves the descs for io_uring to utilize it.
In addition, the descriptions for the misc field in io_uring_sqe_t is
refactored as most are shared among sqes.
* sys/linux: io_uring: utilized cqe.res
io_uring_cqe.res is used to carry the return value of operations
achieved through io_uring. The only operations with meaningful return
values (in terms of their possible usage) are openat and openat2. The
pseudo-syscall syz_io_uring_complete() is modified to account for this
and return those fds. The description for sqe_user_data is splitted into
two to identify openat and non-openat io_uring ops.
IORING_OP_IOCTL was suggested but never supported in io_uring. Thus, the
note on this is removed in the descriptions.
tee() expects pipefds, thus, IORING_OP_TEE. The descriptions for the
pipe r/w fds are written as ordinary fd. Thus, in the description for
IORING_OP_TEE, which is io_uring_sqe_tee, fd is used in the place where
pipefds are expected. The note on this is removed in the descriptions.
* sys/linux/test: added test for io_uring
This is not tested yet.
* sys/linux/test: fixed the test for io_uring
The changes successfully pass the sys/linux/test/io_uring test.
sys/linux/io_uring.txt: sq_ring_ptr and cq_ring_ptr are really the same.
Thus, they are replaced with ring_ptr.
executor/common_linux.h: thanks to io_uring test, a bug is found in
where the sq_array's address is computed in syz_io_uring_submit().
Fixed. In addition, similar to the descriptions, the naming for the
ring_ptr is changed from {sq,cq}_ring_ptr to ring_ptr.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: changed the sqe_user_data enum
Used a smaller range to ease the collisions. Used comperatively unique
and magic numbers for openat user_data to avoid thinking as if the cqe
belongs to openat while the user_data is coming from some random
location.
* pkg/host: added checks for io_uring syscall
* pkg/host: fixed checks for io_uring syscall
* sys/linux: fixed io_uring test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
| |
This patch changes syz_usb_ep_read/write pseudo-syscalls to accept endpoint
address as specified in its endpoint descriptor, instead of endpoint index.
|
| | |
|
| |
|
|
|
|
|
| |
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
|
| | |
|
| |
|
|
|
|
|
|
| |
Fix the packet injection in udp test.
Now we know how to do it!
And without IFF_NAPI_FRAGS it actually reaches the socket.
Update #1594
|
| |
|
|
| |
Update #1594
|
| |
|
|
|
|
|
|
| |
String value enforcement broke a number of tests
where we use different values.
Be more string as to what string values we use in tests.
Required to add tmpfs descriptions to test syz_mount_image.
Also special-casing AF_ALG algorithms as these are auto-generated.
|
