path: root/sys/linux/test
Commit message (Author, Age, Files, Lines)
* sys/linux: correct the md_check_refs variable length and uptr (Pengfei Xu, 2023-09-28, 1 file, -1/+1)
  Based on Linux kernel iommufd_test.h line 68 struct check_refs (https://github.com/torvalds/linux/blob/master/drivers/iommu/iommufd/iommufd_test.h), correct the md_check_refs variable length and put uptr in the correct position.
  Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
* sys/linux: support multi-progs for BPF_PROG_DETACH (Paul Chaignon, 2023-09-11, 1 file, -1/+1)
  Commit [1] upstream, and subsequent patches, extended the BPF_PROG_DETACH command to support a new multi-prog object in the BPF subsystem. It now supports the same fields as BPF_PROG_ATTACH, with one exception: replace_bpf_fd, which must stay NULL. The reference to the relative object is supported, as well as the expected revision number and a set of flags.
  1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: support multi-progs for BPF_PROG_ATTACH (Paul Chaignon, 2023-09-11, 1 file, -1/+1)
  Commit [1] upstream, and subsequent patches, extended the BPF_PROG_ATTACH command to support a new multi-prog object in the BPF subsystem. In particular, programs can now be attached relative to another object (relative_obj), a BPF program or link, referenced via either an fd or a BPF ID (id_or_fd). In addition, a new concept of BPF revision number was introduced, and a revision number can be passed to be checked at attach time. Finally, the attachment target can now also be an ifindex.
  1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: cover live packet mode for BPF_PROG_RUN (Paul Chaignon, 2023-08-25, 1 file, -2/+2)
  Commit [1] upstream added a new mode for the BPF command BPF_PROG_RUN when used with an XDP program (type BPF_PROG_TYPE_XDP). This new mode allows injecting packets into the network stack after they have been processed by the test BPF program. This new mode expects specific arguments: only the BPF_F_TEST_XDP_LIVE_FRAMES flag is accepted, and data_out and ctx_out must be NULL.
  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b530e9e1063ed
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: support log_true_size field in bpf(2) PROG_LOAD (Paul Chaignon, 2023-08-25, 1 file, -1/+1)
  Commit [1] upstream added a new field to the bpf(2) PROG_LOAD command for the kernel to return the buffer size that would be required to store all logs. This is an output-only field, so there is probably not much point in fuzzing it; let's fix it to 0.
  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47a71c1f9af0
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: support CO-RE info in PROG_LOAD command (Paul Chaignon, 2023-08-25, 2 files, -3/+3)
  Commit [1] upstream added support via the bpf(2) PROG_LOAD command to load BTF CO-RE relocation data. This commit adds basic support for loading the same data in syzkaller. As usual with BTF, we are pretty limited in what we can efficiently describe :-(
  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbd94c7afcf9
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/io_uring, executor/common_linux: remove sqes_index in syz_io_uring_submit (Dylan Yudaken, 2023-07-30, 1 file, -1/+1)
  This parameter barely increases coverage since the tail is always set to the entry that is written, but it does increase the complexity of the API and seems to reduce coverage when I run it locally. Remove it.
* sys/linux/io_uring, executor/common_linux: fix io_uring segfault (Dylan Yudaken, 2023-07-30, 1 file, -1/+1)
  In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change the API to request the address from the kernel. Note I do not know why this was done in the first place, but it seems not to be useful.
  [1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8
* sys/linux: add CET(Control-flow Enforcement Technology) user space SHSTK(Shadow Stack) test file (Pengfei Xu, 2023-05-04, 1 file, -0/+27)
  CET (Control-flow Enforcement Technology) is a security feature that includes shadow stack and end branch to prevent ROP (Return Oriented Programming)/JOP (Jump Oriented Programming) attacks at the root cause. User space SHSTK, which prevents ROP attacks on user space processes, is in the Linux tip repo: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/shstk
  Add a CET user space SHSTK test file to syzkaller to cover related fuzzing tests.
  Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
* sys/linux/test: add a regression test for sendmmsg bug (Dmitry Vyukov, 2023-04-18, 1 file, -0/+4)
  Add a regression test for: https://github.com/torvalds/linux/commit/1c5950fc6fe996235f1d18539b9c6b64b597f50f
* sys/linux: add prog for 2 iommufd ioctl syscalls (yantingj, 2023-04-07, 1 file, -0/+5)
  Add a test program for ioctl$IOMMU_TEST_OP_MD_CHECK_MAP and ioctl$IOMMU_TEST_OP_MD_CHECK_REFS to hit them quickly.
  Signed-off-by: yantingj <yanting.jiang@intel.com>
* sys/linux: add syz_pkey_set syscalls (Dmitry Vyukov, 2023-04-03, 1 file, -0/+10)
  The syscall sets the PKRU register, which is part of protection keys (pkey).
* prog: reject escaping filenames during deserialization (Dmitry Vyukov, 2023-02-16, 1 file, -1/+1)
  We already try as hard as possible to not generate escaping (global) filenames. However, it's possible we read them from the corpus if it happens to contain some. Also check for escaping filenames during deserialization.
  Fixes #3678
* tools/syz-imagegen: fill fake images with unique consts (Dmitry Vyukov, 2022-12-22, 14 files, -28/+28)
  Fill fake images with unique 4-byte values. This allows hints mutation to easily guess magic numbers and checksums.
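As an added example (not syz-imagegen's or syzkaller's code), the following C shows why a unique fill helps comparison-hint mutation: with a constructed 64-byte toy image, a word the kernel compared against maps back to exactly one offset, whereas in a zero-filled image an observed 0 maps to every word, so the hint cannot say where to mutate. The `base + word index` fill scheme, the observed operand `0x1005` and the ext2-style magic `0xEF53` are this example's own choices, not the tool's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_IMAGE_LEN 64 /* constructed toy image: 16 aligned 4-byte words */

/* Write a distinct value into every aligned 4-byte word: base + word index.
 * This scheme is an assumption for the example, not syz-imagegen's exact one. */
void fill_unique_words(uint8_t *img, size_t len, uint32_t base)
{
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t v = base + (uint32_t)(off / 4);
        memcpy(img + off, &v, sizeof v); /* host byte order, used consistently */
    }
}

/* Number of aligned words equal to v. 1 means a comparison hint pins down the
 * offset unambiguously; many means the hint cannot tell which word to mutate. */
size_t count_word_matches(const uint8_t *img, size_t len, uint32_t v)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w;
        memcpy(&w, img + off, sizeof w);
        if (w == v)
            n++;
    }
    return n;
}

/* Offset of the first aligned word equal to observed, or -1 if absent. */
long find_word_offset(const uint8_t *img, size_t len, uint32_t observed)
{
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w;
        memcpy(&w, img + off, sizeof w);
        if (w == observed)
            return (long)off;
    }
    return -1;
}

/* A comparison hint says: the kernel loaded `observed` from the image and
 * compared it with `expected` (a magic number or checksum). Patch the word
 * holding `observed` so the comparison succeeds next time. Returns 1 if applied. */
int apply_compare_hint(uint8_t *img, size_t len, uint32_t observed, uint32_t expected)
{
    long off = find_word_offset(img, len, observed);
    if (off < 0)
        return 0;
    memcpy(img + off, &expected, sizeof expected);
    return 1;
}

/* Scenario: unique fill with base 0x1000; the kernel compared word 5 (value
 * 0x1005) with the magic 0xEF53. Returns the offset that ended up patched. */
long unique_fill_hint_demo(void)
{
    uint8_t img[DEMO_IMAGE_LEN];
    fill_unique_words(img, sizeof img, 0x1000);
    if (count_word_matches(img, sizeof img, 0x1005) != 1)
        return -2; /* fill is not unique: hint would be ambiguous */
    if (!apply_compare_hint(img, sizeof img, 0x1005, 0xEF53))
        return -3;
    return find_word_offset(img, sizeof img, 0xEF53); /* word 5 lives at offset 20 */
}

/* Contrast: in a zero-filled image an observed 0 matches every word. */
size_t zero_fill_ambiguity_demo(void)
{
    uint8_t img[DEMO_IMAGE_LEN];
    memset(img, 0, sizeof img);
    return count_word_matches(img, sizeof img, 0); /* all 16 words */
}

int main(void)
{
    printf("unique fill: hint patched offset %ld\n", unique_fill_hint_demo());
    printf("zero fill: observed 0 matches %zu words\n", zero_fill_ambiguity_demo());
    return 0;
}
```

The ambiguity count is the whole point: a hint derived from a comparison against a zero-filled seed has 16 candidate offsets here (and tens of thousands in a real image), while a unique fill turns the same hint into a single, cheap mutation.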
* sys/linux: fix afs mounting (Dmitry Vyukov, 2022-11-28, 1 file, -6/+0)
  afs is not an image-based filesystem. It accepts some server/cell as the source argument.
* sys/linux: fix pvfs2 mount (Dmitry Vyukov, 2022-11-28, 1 file, -6/+0)
  It's not an image-based filesystem.
* tools/syz-imagegen: generate fake empty images for all filesystems (Dmitry Vyukov, 2022-11-25, 16 files, -0/+96)
  Since syz_mount_image calls are no_generate, we need to add at least some empty seeds for all filesystems.
* tools/syz-imagegen: add msdos filesystem (Dmitry Vyukov, 2022-11-24, 60 files, -0/+360)
* tools/syz-imagegen: add hfs and hfsplus filesystems (Dmitry Vyukov, 2022-11-24, 16 files, -0/+96)
* sys/linux/test: add syz_read_part_table seeds (Dmitry Vyukov, 2022-11-23, 8 files, -0/+48)
* sys/linux/test: regenerate syz_mount_image seeds (Dmitry Vyukov, 2022-11-23, 628 files, -628/+628)
* executor: don't pass uncompressed zlib size (Dmitry Vyukov, 2022-11-23, 4 files, -4/+4)
  This will allow us to mutate the image size.
  Fixes #3527
* sys/linux: regenerate `syz_mount_image` seeds (Hrutvik Kanabar, 2022-11-21, 632 files, -632/+632)
  Update seeds to account for the new pseudo-syscall prototype and the new compressed Base64 syntax.
  This reduces `syz-imagegen` seed image space requirements from 127 MB to 43 MB (measured using `du -ch syz_mount_image_*`). Note that some filesystems are pathological for deflate, e.g. for `f2fs` seed image space has increased from 320 KB to 2.1 MB. This discrepancy should not be observed in corpuses after performing various filesystem operations and image mutations - the previous ad-hoc compression is highly efficient for near-empty images, but once images are modified deflate should surpass it.
  Tools/versions used are as in google@0d24140 and google@356d821.
* sys/linux: add NFC seed (Dmitry Vyukov, 2022-11-13, 1 file, -0/+43)
* sys/linux: add iommufd descriptions (Jason Gunthorpe, 2022-11-10, 1 file, -0/+60)
* sys/linux/test: add landlock_fs_truncate (Mickaël Salaün, 2022-10-06, 1 file, -0/+41)
  This test covers file truncation with path and file descriptor checks handled in security/landlock/fs.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: fix invalid args in syz_mount_image tests (Aleksandr Nogikh, 2022-09-29, 2 files, -3/+2)
* sys/linux: update manual `syz_mount_image` calls (Hrutvik Kanabar, 2022-09-13, 4 files, -5/+5)
  Add the missing boolean argument for changing directory to `syz_mount_image` calls which are not generated by `syz-imagegen`. Set it to false to ensure behaviour is as before.
* sys/linux: regenerate NTFS3 `syz_mount_image` seed images (Hrutvik Kanabar, 2022-09-13, 16 files, -16/+16)
  Now with the ability to change directory. Regenerate on a VM which supports NTFS, using the same versions as google/syzkaller@356d821720a2d24a4cc96f8c0b2b7a11c8882190.
* sys/linux: regenerate `syz_mount_image` seed images (Hrutvik Kanabar, 2022-09-13, 612 files, -612/+612)
  Now including the ability to change directory. Using the same tools/versions as google/syzkaller@0d2414047943397599e7cfc12d40f4582d008726. N.B. in particular, NTFS3 will be updated in the next commit.
* sys/linux: regenerate NTFS3 `syz_mount_image` seed images (Hrutvik Kanabar, 2022-09-09, 16 files, -0/+96)
  Regenerate on a VM which supports NTFS, using:
    mkntfs libntfs-3g v2022.5.17
    kernel v5.19.0
* sys/linux: regenerate `syz_mount_image` seed images (Hrutvik Kanabar, 2022-09-09, 648 files, -756/+1836)
  Regenerate using the following versions:
    mkfs.f2fs 1.14.0 (2020-08-24)
    mkfs.btrfs btrfs-progs v5.18.1
    mkfs.fat 4.2 (2021-01-31)
    mkexfatfs 1.3.0
    mkfs.bfs util-linux 2.38
    mkfs.xfs 5.19.0
    mkfs.minix util-linux 2.38
    mkfs.reiserfs 3.6.27
    mkfs.jfs 1.1.15 (2011-03-04)
    mkntfs libntfs-3g v2022.5.17
    mke2fs 1.46.5 (2021-12-30)
    mkfs.gfs2 3.4.1
    mkfs.ocfs2 1.8.7
    mkfs.cramfs util-linux 2.38
    genromfs 0.5.2
    mkfs.erofs 1.5
    makefs 20190105-3
    mkudffs udftools 2.3
    mkfs.jffs2 mtd-utils 2.1.4
    mkfs.nilfs2 nilfs-utils 2.2.8
    mksquashfs squashfs-tools 4.5.1
    genisoimage 1.1.11
  NB: NTFS3 is not included here as my kernel does not seem to be compiled with it. No errors appear (except for failure to find NTFS3).
  This commit also updates a comment in `imagegen.go` listing dependencies.
* executor: fix enabling of ICMP/ping sockets (Dmitry Vyukov, 2022-06-20, 1 file, -0/+2)
  The net/ipv4/ping_group_range sysctl grants access to ICMP sockets to the specified user groups. But it needs to be set inside of the net namespace (it's per-namespace). We were setting it, but in the init namespace only (which we don't use). Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
  Note: don't set it for the setuid sandbox since it's "low privilege".
* sys/linux/test: add landlock_fs_reparent (Mickaël Salaün, 2022-05-10, 1 file, -0/+39)
  This test covers linking, renaming and exchanging (RENAME_EXCHANGE) checks handled in security/landlock/fs.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: add ntfs3 filesystem support (Kari Argillander, 2022-04-20, 16 files, -0/+64)
  The 5.15 kernel got a new filesystem driver for ntfs called ntfs3. The old driver is still in use, so we do not delete it yet.
  Generated test images are made with mkntfs v2021.8.22 (libntfs-3g) and the ntfs3 version from 5.17-rc7. For some reason I did not manage to generate images with "-s 256" due to some ntfs3 error. We can add those later when we work out what is going on with those.
* all: add syz_clone() and syz_clone3() pseudo calls (Aleksandr Nogikh, 2022-01-13, 3 files, -5/+6)
  As was pointed out in #2921, the current approach of limiting the number of pids per process does not work on all Linux-based kernels.
  We could just treat fork, clone and clone3 in a special way (e.g. exit on a zero return). However, in that case we also need to sanitize the arguments for clone and clone3 - if CLONE_VM is passed and stack is 0, the forked child processes (threads) will become nearly unidentifiable and will corrupt syz-executor's memory. While we could sanitize clone's arguments, we cannot do so for clone3 - nothing can guarantee that they will not be changed concurrently.
  Instead of calling those syscalls directly, introduce a special pseudo syscall syz_clone3. It copies and sanitizes the arguments and then executes clone3 (or fork, if we're on an older kernel) in such a way so as to prevent fork bombs from happening. Also introduce syz_clone() to still be able to fuzz it on older systems.
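The copy-then-sanitize step described above, as an added C example that is not syz-executor's code: `clone3_args_snapshot` is a local mirror of the leading fields of the uapi `struct clone_args` (named differently so it cannot collide with the system header), the source is read exactly once through a volatile pointer so a concurrently mutating fuzzer thread cannot change what gets validated, and `clone3_args_ok` is this example's own policy. The stack/stack_size pairing rule mirrors the kernel's own clone3 validation; the CLONE_VM-without-stack rule is the executor hazard the message names. The example stops short of issuing clone3 or limiting fork bombs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <linux/sched.h> /* CLONE_VM */
#endif

#ifndef CLONE_VM
#define CLONE_VM 0x00000100 /* uapi value, for non-Linux builds of this example */
#endif

/* Local mirror of the first eight fields of uapi struct clone_args
 * (Linux 5.3 layout). The real struct has grown since; only these matter here. */
struct clone3_args_snapshot {
    uint64_t flags;
    uint64_t pidfd;
    uint64_t child_tid;
    uint64_t parent_tid;
    uint64_t exit_signal;
    uint64_t stack;
    uint64_t stack_size;
    uint64_t tls;
};

/* Policy check on values that have already been copied out of fuzzer memory.
 * Returns 0 when the arguments may be forwarded, -EINVAL otherwise. */
int clone3_args_ok(uint64_t flags, uint64_t stack, uint64_t stack_size)
{
    /* Kernel rule: a stack pointer and a stack size are given together or not at all. */
    if ((stack == 0) != (stack_size == 0))
        return -EINVAL;
    /* Executor rule: a child that shares our address space must get its own
     * stack, otherwise it runs on the parent's frames and corrupts them. */
    if ((flags & CLONE_VM) && stack == 0)
        return -EINVAL;
    return 0;
}

/* Snapshot the fuzzer-controlled struct once, then decide on the snapshot.
 * `user` is volatile because another fuzzer thread may rewrite it at any time;
 * nothing after the copy touches the source again, which closes the
 * check-then-use window the commit message worries about. */
int sanitize_clone3_args(const volatile struct clone3_args_snapshot *user,
                         struct clone3_args_snapshot *out)
{
    out->flags = user->flags;
    out->pidfd = user->pidfd;
    out->child_tid = user->child_tid;
    out->parent_tid = user->parent_tid;
    out->exit_signal = user->exit_signal;
    out->stack = user->stack;
    out->stack_size = user->stack_size;
    out->tls = user->tls;
    return clone3_args_ok(out->flags, out->stack, out->stack_size);
}

/* Constructed scenario: the exact case from the message (CLONE_VM, stack == 0)
 * must be rejected; the same flags with a real stack must pass.
 * Returns 1 when both outcomes are as expected, 0 otherwise. */
int clone3_sanitizer_demo(void)
{
    static uint8_t child_stack[16384];
    struct clone3_args_snapshot bad = { .flags = CLONE_VM, .stack = 0, .stack_size = 0 };
    struct clone3_args_snapshot good = {
        .flags = CLONE_VM,
        .stack = (uint64_t)(uintptr_t)child_stack,
        .stack_size = sizeof(child_stack),
    };
    struct clone3_args_snapshot out;
    int rejected = sanitize_clone3_args(&bad, &out);
    int accepted = sanitize_clone3_args(&good, &out);
    return rejected == -EINVAL && accepted == 0 && out.stack_size == sizeof(child_stack);
}

int main(void)
{
    printf("clone3 sanitizer demo: %s\n", clone3_sanitizer_demo() ? "ok" : "FAILED");
    return 0;
}
```

A real wrapper would pass the sanitized copy, never the original pointer, to the clone3 syscall, so the kernel reads the same values that were validated.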
* sys/linux: use out_overlay attribute (Dmitry Vyukov, 2022-01-11, 1 file, -1/+1)
  Remove all uses of direction attributes on union fields and use the out_overlay attribute instead. The attribute actually does what was the intention behind the use of direction attributes on unions.
* sys/linux: support map fd arrays (Paul Chaignon, 2021-12-21, 2 files, -3/+3)
  Commit [1] upstream introduced a new way to reference BPF maps in eBPF instructions. An array of BPF map fds is passed at program load time. Instructions can then reference fds in this array instead of carrying the fds directly. The goal is to allow BPF instructions to be immutable after compilation.
  Since we don't yet have a good way to reference indexes in an array, we define a new type map_fd_id for that purpose, with indexes between 0 and 16 only.
  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
  Signed-off-by: Paul Chaignon <paul@isovalent.com>
* all: add binderfs fuzzing support (Aleksandr Nogikh, 2021-10-29, 1 file, -2/+2)
  Create one instance of binderfs per process and add descriptions to enable syzkaller to create binderfs mounts and binder devices itself. Keep descriptions compatible with the legacy mode (when devices are created at boot time).
* executor/common_kvm_ppc64: run with enabled MMU (Alexey Kardashevskiy, 2021-07-19, 1 file, -0/+8)
  This sets up a page table to map the text in order to exercise more code paths in the KVM.
  This defines flags to control the MMU state. When enabled, this creates a simple page table at the 64K offset and maps all the RAM. The fuzzer code is placed right after the table. The flags are:
    IR - enables MMU for instruction fetches
    DR - enables MMU for data loads/stores
    PR - "problem state", i.e. userspace (implies DR and IR)
    PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS normally)
  This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE which is a typical Linux kernel mode.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/compiler: optimize array[const] representation (Dmitry Vyukov, 2021-04-21, 10 files, -15/+15)
  Represent array[const[X, int8], N] as string["XX...X"]. This replaces a potentially huge number of:
    NONFAILING(*(uint8_t*)0x2000126c = 0);
    NONFAILING(*(uint8_t*)0x2000126d = 0);
    NONFAILING(*(uint8_t*)0x2000126e = 0);
  with a single memcpy. In one reproducer we had 3991 such lines. Also replace memcpy's with memset's when possible.
  Update #1070
* sys/linux/test: add landlock_fs_forbidden (Mickaël Salaün, 2021-03-19, 1 file, -0/+39)
  This test covers mount namespace manipulation forbidden in security/landlock/fs.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux/test: add landlock_fs_accesses (Mickaël Salaün, 2021-03-19, 1 file, -0/+105)
  This test helps cover most types of access checks in security/landlock/fs.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux/test: add landlock_ptrace (Mickaël Salaün, 2021-03-19, 1 file, -0/+40)
  This test helps cover security/landlock/ptrace.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux/test: add landlock_layers (Mickaël Salaün, 2021-03-19, 1 file, -0/+49)
  This test helps cover security/landlock/fs.c:check_access_path().
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux/test: add landlock_sb_delete (Mickaël Salaün, 2021-03-19, 1 file, -0/+50)
  This test helps cover security/landlock/fs.c:hook_sb_delete().
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* executor: disable rfkill during setup (Dmitry Vyukov, 2021-03-04, 1 file, -0/+2)
  If rfkill is enabled by the fuzzer, wifi setup will fail. Disable rfkill (its initial state) during setup.
* executor: don't fail in syz_genetlink_get_family_id (Dmitry Vyukov, 2021-02-19, 1 file, -0/+17)
  We used to use our own netlink socket and then fail on any errors. But commit "sys/linux: add ieee802154 descriptions" made it possible to use a fuzzer-provided socket, and the fuzzer can pass any invalid fd. So don't fail on errors now.
  Fixes #2444
* sys/linux: add ieee802154 descriptions (Dmitry Vyukov, 2021-02-12, 5 files, -5/+5)
* sys/linux: add description for Mali Bifrost driver (#2394) (Peter Shih, 2021-02-02, 1 file, -0/+16)
    - sys/linux: add description for mali bifrost driver
    - sys/linux: regenerate dev_bifrost.txt.const
    - sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
    - sys/linux/dev_bifrost: format code