| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Otherwise the two instances can't communicate.
|
| |
|
|
|
| |
The new test validates that KVM exits with KVM_EXIT_HLT when
encountering the x86 HLT instruction.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add SYZOS calls that correspond to the IN and OUT x86 instructions
that perform port I/O.
These instructions have different variants, for now we just implement
the one that takes the port number from DX instead of encoding it in
the opcode.
|
| |
|
|
|
| |
Not strictly necessary, because syz_kvm_assert_syzos_uexit() is checking
the exit reason, but should test the pseudo-syscall itself.
|
| |
|
|
|
| |
This is a best-effort attempt to fix the tests passing ANY arguments
to the syz_kvm_add_vcpu$arm64() syscall.
|
| |
|
|
|
| |
Transform the hard-coded list of feature combinations in to individual
groups of features.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change is the first step in addressing issue [1].
Despite syzkaller's best efforts, some usb drivers are proving
resistant to attempts to probe them. Specifically, crafted
devices are not accurate enough to bypass checks in probe().
These checks mostly deal with usb interfaces and endpoints.
One way to address this issue is to define syz_connect_* calls
variants to help syzkaller succeed probing by describing in detail
various device attributes.
Start by describing such calls for select drivers, each representing
its own category of sorts. At the moment, code coverage for these
drivers is unimpressive:
- rtl8150
Used to succeed probing until a better usb endpoint check was implemented.
- sierra_net
Same as rtl8150. Depends on usbnet API for bind() and usb ep checks.
- lan78xx
Requires numerous control requests between driver and device DURING probe.
Extra descriptions are helpful but are not enough to fully complete
probing process.
Also, add a seed for each such example.
This is only a stepping stone to improve usb fuzzing results and most
likely will be subject to change in the future.
[1] https://github.com/google/syzkaller/issues/6206
|
| |
|
|
|
|
| |
Use the latest version of bcachefs-tools.
See the discussion at https://groups.google.com/g/syzkaller/c/Vek7-974kJI/m/8TrKOiz6AgAJ
|
| |
|
|
|
| |
amd64-syz_kvm_setup_syzos_vm-wrmsr-rdmsr is a test executing SYZOS_API_WRMSR
and SYZOS_API_RDMSR on x86.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running syz-manager with -mode run-tests --tests landlock_ptrace -debug
we get this result:
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=0
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=3
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
Because this test spawns two threads, the ptrace(2) returned code may be
different according to the calling thread.
Set the common EPERM errnos for all three threads (EINTR is unknown to
syzkaller). The other returned codes cannot be fixed because we cannot
have a set of valid errno for the same call.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug
we get this result:
#0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
#0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
#0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
#0 [1300ms] <- ioctl=0x0
[...]
landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13
The ioctl call returns EFAULT instead of EACCES.
Change this test to create a /dev/null device and use a valid device
IOCTL.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
| |
The setuid sandboxes are not correct because some tests require mount.
Let's make it simple and remove them. After all, Landlock is available
to any user.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
| |
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
|
| |
|
|
|
|
| |
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
|
| |
|
|
|
| |
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
|
| |
|
|
|
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.
|
| |
|
|
|
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfi and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfit, two seeds that
exercise the WFxT path in KVM.
|
| |
|
|
|
|
|
| |
When using QEMU full emulation mode, the majority of the system
registers (as defined in sys/linux/dev_kvm.txt:kvm_regs_arm64_sys) are
not accessible (i.e. only 77/592 trigger kvm_handle_sys_reg()). This series of
tests perform MSR accesses to the accessible registers.
|
| |
|
|
| |
Add support for the MRS instruction in a similar manner to MSR.
|
| |
|
|
|
|
|
|
|
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu, a seed that
enables PMU and touches PMEVCNTR0_EL0.
It was inspired by https://github.com/google/syzkaller/pull/5582
and led to a notable (+500) coverage increase, as the fuzzer couldn't
previously guess that it should pass KVM_ARM_VCPU_PMU_V3 when creating
the vCPU and set the KVM_ARM_VCPU_PMU_V3_INIT attribute at the same time.
|
| |
|
|
| |
Make sure SyzOS test correctly set the value of VBAR_EL1.
|
| | |
|
| |
|
|
|
| |
Provide a test case that replaces syz_kvm_vgic_v3_setup() with a sequence
of 5 KVM ioctls.
|
| | |
|
| |
|
|
|
| |
Syscalls that initialize KVM and set up syzos have to be executed in the
particular order, there's no point in running them concurrently.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
arm64-syz_kvm_setup_syzos_vm-vgicv3-its
Make sure the test actually performs guest-side ITS setup and invokes an LPI.
|
| |
|
|
|
|
|
| |
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- host can tamper with that memory, provoking more bugs
|
| |
|
|
|
|
|
| |
Reserve SYZOS address for the ITS redistributor at 0x08080000, add it to the
list of kvm_guest_addrs.
Also implement a syzlang test for the host part of ITS configuration as per
https://www.kernel.org/doc/html/v6.1/virt/kvm/devices/arm-vgic-its.html
|
| |
|
|
|
| |
The test has become too big (>40 calls).
Split off dev_iommu_vfio and remove the overlap with dev_iommu_hwpt.
|
| |
|
|
|
|
|
|
|
|
| |
Add new the landlock_ruleset_attr's "scoped" field and related flags for
Linux 6.12: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and
LANDLOCK_SCOPE_SIGNAL.
Update tests with the new landlock_ruleset_attr's field.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
| |
Add a seed that creates and execs something that resembles an ELF binary.
|
| |
|
|
|
| |
In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.
|
| |
|
|
|
| |
This is a variant of arm64-syz_kvm_setup_syzos_vm-vgicv3 running on a
secondary CPU.
|
| |
|
|
| |
Rewrite existing tests using syz_kvm_setup_cpu to use the new pseudo-syscall API
|
| |
|
|
|
|
|
|
| |
syz_create_resource allows to turn any value into a resource.
Improve binfmt descriptions using syz_create_resource:
we need to pass the same file name to write syscalls and execve.
Use syz_create_resource to improve binfmt descriptions.
|
| |
|
|
|
|
|
|
| |
Which attach types are available to a BPF program depends on its type.
We can encode this using conditional fields to reduce the time syzkaller
loses on unsupported combinations of (program type; attach type).
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The id_or_fd union was introduced before we had conditional fields to
represent IDs or fds for BPF programs or links. The union was
overapproximating those specific types.
With conditional fields, we can now use information from other fields to
determine precisely which type from the union is expected. For example,
with BPF_PROG_ATTACH, if BPF_F_ID is the only flag, then the relative_fd
field should be interpreted as a program ID.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new BPF_TOKEN_CREATE bpf(2) command was introduced in commit [1]
upstream. This command takes a BPF filesystem fd and returns a BPF
token [2]. This token can then be passed to commands BPF_PROG_LOAD,
BPF_MAP_CREATE, and BPF_BTF_LOAD and the kernel will use it to check if
the operation is allowed. What operations a token allows is defined by
the mount options of the BPF filesystem.
No flags are currently supported for the BPF_TOKEN_CREATE command.
The fd should point to the BPF filesystem, but we don't have a specific
resource for this yet so just point to a generic fd. This command also
doesn't add support for the new mount options.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35f96de04127
2 - https://lwn.net/Articles/947173/
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This new field for the bpf(2) command BPF_MAP_CREATE was introduced in
[1] upstream. It is conditioned on both the map type and its flags
(BPF_F_VTYPE_BTF_OBJ_FD).
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fcc2c1fb0651
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
The new API call will be used to write values to guest memory specified
by base+offset.
Writing to e.g. MMIO registers for VGIC (or any other MMIO ranges) may
result in new coverage.
|
| | |
|
| |
|
|
|
| |
Make the necessary changes to support HVC in addition to SMC.
These two may subtly differ, so they are handled separately.
|
| |
|
|
|
| |
As suggested by Dmitry, use a template to avoid duplication in various syzos types.
Also adjust the existing tests.
|
| |
|
|
|
|
|
|
| |
Provide an API call to invoke the ARM64 Secure Monitor Call instruction
with user-supplied function id and 5 parameters passed in registers x1-x5.
For now only `smc #0` is invoked, although in the future we may want to
pass other (reserved) immediate values to SMC.
|
| |
|
|
|
| |
Reduce the number of hand-rolled constants in syz_kvm_setup_cpu_arm64
by using AUTO
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
MSR is an ARM64 instruction that writes a value from a GP register to
one of the system CPU registers. Exposing those registers to a fuzzer will
let us trigger unexpected behavior in handling them on the kernel side.
The SYZOS_API_MSR call has two int64 arguments, register ID and value.
Register IDs are 64-bit values obtained from ARM64_SYS_REG() in the Linux asm/kvm.h
UAPI header. Same register IDs are used by ioctl$KVM_GET_ONE_REG and
ioctl$KVM_SET_ONE_REG.
Also add sys/linux/test/syz_kvm_setup_cpu_arm64-msr
|
| |
|
|
|
| |
This is the initial test to help seed syzos program generation.
We'll need to add assertions to it once we implement them.
|
