path: root/sys/linux/test

Commit log, newest first. Each entry gives the subject, then [author, date, files changed, lines removed/added], then the commit message.

* sys/linux/test: add landlock_fs_ioctl  [Mickaël Salaün, 2023-12-18, 1 file, -0/+26]
  This test covers regular file IOCTL checks handled in security/landlock/fs.c

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

* sys/linux, pkg/host, executor: add NVMe-oF/TCP subsystem support  [Alon Zahavi, 2023-12-07, 2 files, -0/+13]
  Add new pseudo-syscall for creating a socket in init netns and connecting to NVMe-oF/TCP server on 127.0.0.1:4420.
  Also add descriptions for NVMe-oF/TCP.

* sys/linux/test: don't run BPF test programs with helpers  [Paul Chaignon, 2023-11-28, 1 file, -10/+6]
  Our test programs with BPF helper calls are used to verify that the syzkaller descriptions for BPF helpers are correct. We don't really need to run those BPF programs to check that the descriptions are correct; the real test is to pass the verifier, which happens at load time. This commit therefore removes syscalls to run the BPF programs.

  We are limited in how many syscalls we can have per syzkaller program so we might as well make the most of it.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: support more complex bpf_snprintf modifiers  [Paul Chaignon, 2023-11-27, 1 file, -1/+1]
  This commit adds more complex format modifiers for the bpf_snprintf BPF helper. Those correspond to a bunch of cases that are uncovered in syzbot's coverage of bpf_bprintf_prepare.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: add all format specifiers for bpf_trace_printk  [Paul Chaignon, 2023-11-27, 1 file, -1/+1]
  The bpf_trace_printk helper supports a limited set of format specifiers [1]. This commit ensures they are all covered in the union.

  1 - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: use AUTO for structs wherever possible  [Paul Chaignon, 2023-11-13, 8 files, -19/+19]
  These occurrences were found with the command:

      git grep -lP "{(AUTO,\s)*AUTO}"

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: add BPF_RB_* flags for ringbuf helpers  [Paul Chaignon, 2023-11-09, 1 file, -2/+2]
  BPF helpers bpf_ringbuf_{discard,submit,output} take a set of flags. This commit describes those flags. The default is a zero value, but the kernel doesn't have a macro for that. Thus, "0" is simply added to the flag definition.

  Note bpf_ringbuf_reserve also has a flags argument, but it is currently unused on the kernel side.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: describe BPF helper bpf_ringbuf_output  [Paul Chaignon, 2023-11-09, 1 file, -0/+4]
  This helper has the prototype:

      bpf_ringbuf_output(void *ringbuf, void *data, u64 size, u64 flags)

  We need to prepare the second argument (R2) on the stack. We use an 8-byte data value initialized to some random value on the stack and pointed to by R2. The third argument therefore needs to be 8 (for 8 bytes).

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: describe BPF helper call to bpf_ringbuf_query  [Paul Chaignon, 2023-11-09, 1 file, -0/+4]
  This BPF helper has the prototype:

      bpf_ringbuf_query(void *ringbuf, u64 flags)

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: describe call to BPF helper bpf_ringbuf_discard  [Paul Chaignon, 2023-11-09, 1 file, -1/+1]
  Including this helper call in our descriptions is trivial since it takes the same arguments and returns the same (void) as the already described bpf_ringbuf_submit helper call.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: add null check BPF instructions  [Paul Chaignon, 2023-11-09, 1 file, -1/+1]
  This commit adds a new struct with two BPF instructions to perform a null check on a given pointer. It is then used to update our small ringbuf program to null check the ringbuf reserved data pointer as follows.

      u64 *e;
      e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
      if (!e)
          return 0;
      [...]
      bpf_ringbuf_submit(e, 0);
      return 0;

  With this null check, our test case corresponding to this program now passes the verifier and is successfully loaded.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: describe call to BPF helper bpf_ringbuf_submit  [Paul Chaignon, 2023-11-09, 1 file, -1/+1]
  This helper has the verifier prototype:

      .ret_type = RET_VOID,
      .arg1_type = ARG_PTR_TO_RINGBUF_MEM | OBJ_RELEASE,
      .arg2_type = ARG_ANYTHING,

  We therefore need to pass the pointer retrieved with bpf_ringbuf_reserve via R2. We saved that pointer to R9 so we can retrieve it from there. Since bpf_ringbuf_submit doesn't return anything, we need to write something in R0 before we exit the program.

  Our BPF program now looks like:

      u64 *e;
      e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
      [...]
      bpf_ringbuf_submit(e, 0);
      return 0;

  It will still fail, but with EACCES instead of EINVAL, due to the following verifier error:

      0: R1=ctx(off=0,imm=0) R10=fp0
      0: (18) r0 = 0x0                      ; R0_w=0
      2: (18) r1 = 0xffff984f66f93600       ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
      4: (b7) r2 = 20                       ; R2_w=20
      5: (b7) r3 = 0                        ; R3_w=0
      6: (85) call bpf_ringbuf_reserve#131  ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
      7: (bf) r9 = r0                       ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
      8: (bf) r1 = r9                       ; R1_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
      9: (b7) r2 = 0                        ; R2_w=0 refs=2
      10: (85) call bpf_ringbuf_submit#132
      R1 type=ringbuf_mem_or_null expected=ringbuf_mem

  In short, we didn't check that the pointer returned by bpf_ringbuf_reserve isn't null.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: describe call to BPF helper bpf_ringbuf_reserve  [Paul Chaignon, 2023-11-09, 1 file, -0/+2]
  Describe a full call to bpf_ringbuf_reserve, using the map type created in the previous commit. The test corresponds to this simple line:

      u64 *e;
      e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
      [...]
      return e;

  The pointer returned by bpf_ringbuf_reserve is kept in R9. The goal is to keep it around so we can use it in other instructions later; several other helpers take a pointer to ringbuf data as argument. There's of course a risk that some instruction in between will clobber R9, but I don't know another way. R9 is at least safe for calls (only R1--R5 get clobbered).

  We expect the program loading to fail with EINVAL because we never release the reference to the ringbuf data. The verifier will therefore reject the program with:

      0: R1=ctx(off=0,imm=0) R10=fp0
      0: (18) r0 = 0x0                      ; R0_w=0
      2: (18) r1 = 0xffff984e4b55da00       ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
      4: (b7) r2 = 20                       ; R2_w=20
      5: (b7) r3 = 0                        ; R3_w=0
      6: (85) call bpf_ringbuf_reserve#131  ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
      7: (bf) r9 = r0                       ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
      8: (95) exit
      Unreleased reference id=2 alloc_insn=6

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

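The three ringbuf commits above (reserve only, submit without a null check, submit with a null check) are rejected or accepted by the kernel verifier for reasons the logs only show in passing: a reference acquired by bpf_ringbuf_reserve must be released on every path before exit, a helper whose argument is ARG_PTR_TO_RINGBUF_MEM | OBJ_RELEASE refuses a ringbuf_mem_or_null pointer, and a RET_VOID helper leaves R0 unwritten, so it must be set again before exit. The C below is an added example, not syzkaller or kernel code: a toy reference tracker over raw bpf_insn encodings of those three programs that reproduces each verdict. The map fd of 3, the use of a mov instead of ld_imm64 for the initial r0 = 0, and the verdict names are assumptions of the example; the opcodes and helper ids are the ones shown in the verifier logs above.

```c
#include <stdint.h>

/* eBPF instruction encoding, as in struct bpf_insn from include/uapi/linux/bpf.h. */
struct insn { uint8_t code; uint8_t dst:4; uint8_t src:4; int16_t off; int32_t imm; };

/* Opcodes seen in the verifier logs above (values from the UAPI header). */
#define OP_LD_IMM64 0x18 /* BPF_LD|BPF_IMM|BPF_DW, two slots; src=1 marks a map fd */
#define OP_MOV_K    0xb7 /* BPF_ALU64|BPF_MOV|BPF_K */
#define OP_MOV_X    0xbf /* BPF_ALU64|BPF_MOV|BPF_X */
#define OP_JEQ_K    0x15 /* BPF_JMP|BPF_JEQ|BPF_K */
#define OP_CALL     0x85 /* BPF_JMP|BPF_CALL */
#define OP_EXIT     0x95 /* BPF_JMP|BPF_EXIT */
#define FUNC_RINGBUF_RESERVE 131 /* helper ids as printed in the logs above */
#define FUNC_RINGBUF_SUBMIT  132

#define MOV_K(d, v)     { OP_MOV_K, d, 0, 0, v }
#define MOV_X(d, s)     { OP_MOV_X, d, s, 0, 0 }
#define JEQ_K(d, v, o)  { OP_JEQ_K, d, 0, o, v }
#define CALL(h)         { OP_CALL, 0, 0, 0, h }
#define EXIT            { OP_EXIT, 0, 0, 0, 0 }
#define LD_MAP_FD(d, f) { OP_LD_IMM64, d, 1, 0, f }, { 0, 0, 0, 0, 0 }

/* Abstract register types (a toy subset of the verifier's reg_type) and verdicts
 * named after the errno each rejection produces, per the commit messages above. */
enum rtype { T_UNINIT, T_SCALAR, T_MAP_PTR, T_RB_MEM_OR_NULL, T_RB_MEM };
enum verdict { V_OK, V_EINVAL_UNRELEASED_REF, V_EACCES_BAD_ARG, V_EINVAL_MALFORMED };
struct state { enum rtype reg[11]; int live_refs; };

/* Depth-first walk over every path. The toy tracks one ringbuf reference, so a null
 * check retypes all ringbuf_mem_or_null registers together (the kernel does it per id). */
static enum verdict walk(const struct insn *p, int n, int pc, struct state st) {
    while (pc >= 0 && pc < n) {
        const struct insn *i = &p[pc];
        enum verdict v;
        switch (i->code) {
        case OP_LD_IMM64:
            st.reg[i->dst] = (i->src == 1) ? T_MAP_PTR : T_SCALAR;
            pc += 2; continue;
        case OP_MOV_K: st.reg[i->dst] = T_SCALAR; break;
        case OP_MOV_X: st.reg[i->dst] = st.reg[i->src]; break;
        case OP_JEQ_K:
            if (st.reg[i->dst] == T_RB_MEM_OR_NULL && i->imm == 0) {
                /* Taken edge: pointer is NULL, no reference held. Fall-through: non-null. */
                struct state taken = st;
                for (int r = 0; r < 11; r++) {
                    if (taken.reg[r] == T_RB_MEM_OR_NULL) taken.reg[r] = T_SCALAR;
                    if (st.reg[r] == T_RB_MEM_OR_NULL) st.reg[r] = T_RB_MEM;
                }
                taken.live_refs--;
                v = walk(p, n, pc + 1 + i->off, taken);
            } else v = walk(p, n, pc + 1 + i->off, st);
            if (v != V_OK) return v;
            break;
        case OP_CALL:
            if (i->imm == FUNC_RINGBUF_RESERVE) {
                /* reserve(map, size, flags): returns ringbuf_mem_or_null and acquires a ref. */
                if (st.reg[1] != T_MAP_PTR || st.reg[2] != T_SCALAR || st.reg[3] != T_SCALAR)
                    return V_EACCES_BAD_ARG;
                st.reg[0] = T_RB_MEM_OR_NULL; st.live_refs++;
            } else if (i->imm == FUNC_RINGBUF_SUBMIT) {
                /* ARG_PTR_TO_RINGBUF_MEM|OBJ_RELEASE: non-null only; RET_VOID leaves R0 unset. */
                if (st.reg[1] != T_RB_MEM || st.reg[2] != T_SCALAR) return V_EACCES_BAD_ARG;
                st.live_refs--; st.reg[0] = T_UNINIT;
            } else return V_EINVAL_MALFORMED;
            for (int r = 1; r <= 5; r++) st.reg[r] = T_UNINIT; /* R1-R5 clobbered by calls */
            break;
        case OP_EXIT:
            if (st.reg[0] == T_UNINIT) return V_EACCES_BAD_ARG; /* R0 must be written */
            return st.live_refs ? V_EINVAL_UNRELEASED_REF : V_OK;
        default: return V_EINVAL_MALFORMED;
        }
        pc++;
    }
    return V_EINVAL_MALFORMED; /* fell off the end without BPF_EXIT */
}

enum verdict verify(const struct insn *p, int n) {
    struct state st = { { T_UNINIT }, 0 };
    st.reg[1] = st.reg[10] = T_SCALAR; /* ctx and frame pointer, unused by these programs */
    return walk(p, n, 0, st);
}

/* The three programs from the commit messages above; map fd 3 is an assumption. */
static const struct insn reserve_only[] = {
    MOV_K(0, 0), LD_MAP_FD(1, 3), MOV_K(2, 20), MOV_K(3, 0),
    CALL(FUNC_RINGBUF_RESERVE), MOV_X(9, 0), EXIT };
static const struct insn submit_without_null_check[] = {
    MOV_K(0, 0), LD_MAP_FD(1, 3), MOV_K(2, 20), MOV_K(3, 0), CALL(FUNC_RINGBUF_RESERVE),
    MOV_X(9, 0), MOV_X(1, 9), MOV_K(2, 0), CALL(FUNC_RINGBUF_SUBMIT), EXIT };
static const struct insn submit_with_null_check[] = {
    LD_MAP_FD(1, 3), MOV_K(2, 8), MOV_K(3, 0), CALL(FUNC_RINGBUF_RESERVE), MOV_X(9, 0),
    JEQ_K(9, 0, 3), /* if (!e) goto out; */
    MOV_X(1, 9), MOV_K(2, 0), CALL(FUNC_RINGBUF_SUBMIT),
    MOV_K(0, 0), EXIT }; /* out: return 0; */
#define NINSN(a) ((int)(sizeof(a) / sizeof((a)[0])))

enum verdict check_reserve_only(void) { return verify(reserve_only, NINSN(reserve_only)); }
enum verdict check_submit_without_null_check(void) { return verify(submit_without_null_check, NINSN(submit_without_null_check)); }
enum verdict check_submit_with_null_check(void) { return verify(submit_with_null_check, NINSN(submit_with_null_check)); }
```

check_reserve_only() yields V_EINVAL_UNRELEASED_REF (the "Unreleased reference" rejection), check_submit_without_null_check() yields V_EACCES_BAD_ARG (the "R1 type=ringbuf_mem_or_null expected=ringbuf_mem" rejection), and check_submit_with_null_check() yields V_OK. The JEQ offset of 3 skips the three submit instructions and lands on the shared `r0 = 0; exit` tail, which is why the null-check struct added in the commit above is two instructions (the compare plus the skipped region is what the offset encodes). The toy keeps only the state it needs to reproduce these three verdicts; the real verifier tracks per-id references, stack slots, bounds and much more, so a program this toy accepts is not necessarily loadable.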
* sys/linux: describe ringbuf map creation  [Paul Chaignon, 2023-11-09, 1 file, -0/+4]
  The corresponding test does the same as this map declaration:

      struct {
          __uint(type, BPF_MAP_TYPE_RINGBUF);
          __uint(max_entries, 256 * 1024);
      } rb SEC(".maps");

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux/test: test case for bpf_tail_call helper  [Paul Chaignon, 2023-11-06, 1 file, -0/+7]
  This test case corresponds to the BPF program below (bcc syntax for the map).

      BPF_PROG_ARRAY(prog_array, 10);

      int tail_call_prog(void *ctx) {
          char str[8] = {0};
          u64 data = 0x1234;
          bpf_snprintf(str, sizeof(str), "%d ", &data, sizeof(data));
          return 0;
      }

      int do_tail_call(void *ctx) {
          prog_array.call(ctx, 0);
          return 0;
      }

  It reuses the program defined to test bpf_snprintf, as the target of the tail call.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux/test: test case for bpf_snprintf helper  [Paul Chaignon, 2023-10-16, 1 file, -0/+10]
  This commit adds a new test case for the bpf_snprintf description introduced in the previous commit. It corresponds to the BPF code:

      char str[8] = {0};
      u64 data = 0x1234;
      bpf_snprintf(str, sizeof(str), "%d ", &data, sizeof(data));
      exit 0;

  The fmt (3rd) argument must be stored in a read-only array map which is prepared with the first three syscalls. Once loaded, the program is executed with BPF_PROG_TEST_RUN.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux/test: test case for bpf_trace_printk description  [Paul Chaignon, 2023-10-16, 1 file, -0/+5]
  This commit adds a new test case for the bpf_trace_printk description introduced in the previous commit. It corresponds to the code:

      bpf_trace_printk("%d ", 8, 0x1234);
      exit 0;

  in a BPF program that is then executed via BPF_PROG_TEST_RUN.

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: add the Landlock network rule type and access rights  [Mickaël Salaün, 2023-10-13, 7 files, -9/+9]
  Add the new landlock_net_port_attr struct and related LANDLOCK_ACCESS_NET_{BIND,CONNECT}_TCP flags for TCP access control.

  Add landlock_ruleset_attr's handled_access_net field and fix handled_access_fs name.

  Update tests with the new landlock_ruleset_attr's handled_access_net field.

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

* sys/linux: correct the md_check_refs variable length and uptr  [Pengfei Xu, 2023-09-28, 1 file, -1/+1]
  Based on Linux kernel iommufd_test.h line 68 struct check_refs:
  https://github.com/torvalds/linux/blob/master/drivers/iommu/iommufd/iommufd_test.h
  correct the md_check_refs variable length and put uptr in the correct position.

  Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>

* sys/linux: support multi-progs for BPF_PROG_DETACH  [Paul Chaignon, 2023-09-11, 1 file, -1/+1]
  Commit [1] upstream, and subsequent patches, extended the BPF_PROG_DETACH command to support a new multi-prog object in the BPF subsystem. It now supports the same fields as BPF_PROG_ATTACH, with one exception: replace_bpf_fd, which must stay NULL. The reference to the relative object is supported, as well as the expected revision number and a set of flags.

  1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: support multi-progs for BPF_PROG_ATTACH  [Paul Chaignon, 2023-09-11, 1 file, -1/+1]
  Commit [1] upstream, and subsequent patches, extended the BPF_PROG_ATTACH command to support a new multi-prog object in the BPF subsystem. In particular, programs can now be attached relative to another object (relative_obj), a BPF program or link, referenced via either an fd or a BPF ID (id_or_fd). In addition, a new concept of BPF revision number was introduced and a revision number can be passed, to be checked at attach time. Finally, the attachment target can now also be an ifindex.

  1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: cover live packet mode for BPF_PROG_RUN  [Paul Chaignon, 2023-08-25, 1 file, -2/+2]
  Commit [1] upstream added a new mode for the BPF command BPF_PROG_RUN when used with an XDP program (type BPF_PROG_TYPE_XDP). This new mode allows injecting packets to the network stack after they have been processed by the test BPF program.

  This new mode expects specific arguments. Specifically, only the BPF_F_TEST_XDP_LIVE_FRAMES flag is accepted and data_out & ctx_out must be NULL.

  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b530e9e1063ed

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: support log_true_size field in bpf(2) PROG_LOAD  [Paul Chaignon, 2023-08-25, 1 file, -1/+1]
  Commit [1] upstream added a new field to the bpf(2) PROG_LOAD command for the kernel to return the buffer size that would be required to store all logs. This is an output-only field, so there is probably not much point in fuzzing it; let's fix it to 0.

  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47a71c1f9af0

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/linux: support CO-RE info in PROG_LOAD command  [Paul Chaignon, 2023-08-25, 2 files, -3/+3]
  Commit [1] upstream added support via the bpf(2) PROG_LOAD command to load BTF CO-RE relocation data. This commit adds basic support for loading the same data in syzkaller. As usual with BTF, we are pretty limited in what we can efficiently describe :-(

  1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbd94c7afcf9

  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

* sys/io_uring, executor/common_linux: remove sqes_index in syz_io_uring_submit  [Dylan Yudaken, 2023-07-30, 1 file, -1/+1]
  This parameter barely increases coverage since the tail is always set to the entry that is written, but it does increase the complexity of the api and seems to reduce coverage when I run it locally.

  Remove it.

* sys/linux/io_uring, executor/common_linux: fix io_uring segfault  [Dylan Yudaken, 2023-07-30, 1 file, -1/+1]
  In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change the API to request the address from the Kernel.

  Note I do not know why this was done in the first place, but it seems not to be useful.

  [1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8

* sys/linux: add CET(Control-flow Enforcement Technology) user space SHSTK(Shadow Stack) test file  [Pengfei Xu, 2023-05-04, 1 file, -0/+27]
  CET(Control-flow Enforcement Technology) is a security feature that includes shadow stack and end branch to prevent ROP(Return Oriented Programming)/JOP(Jump Oriented Programming) attacks from the root cause.

  User space SHSTK, which prevents ROP attacks for user space processes, is in the Linux tip repo:
  https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/shstk

  Add CET user space SHSTK test file in syzkaller to cover related fuzzing tests.

  Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>

* sys/linux/test: add a regression test for sendmmsg bug  [Dmitry Vyukov, 2023-04-18, 1 file, -0/+4]
  Add a regression test for:
  https://github.com/torvalds/linux/commit/1c5950fc6fe996235f1d18539b9c6b64b597f50f

* sys/linux: add prog for 2 iommufd ioctl syscalls  [yantingj, 2023-04-07, 1 file, -0/+5]
  Add a test program for ioctl$IOMMU_TEST_OP_MD_CHECK_MAP and ioctl$IOMMU_TEST_OP_MD_CHECK_REFS to hit them quickly.

  Signed-off-by: yantingj <yanting.jiang@intel.com>

* sys/linux: add syz_pkey_set syscalls  [Dmitry Vyukov, 2023-04-03, 1 file, -0/+10]
  The syscall sets PKRU register which is part of protection keys (pkey).

* prog: reject escaping filenames during deserialization  [Dmitry Vyukov, 2023-02-16, 1 file, -1/+1]
  We already try as hard as possible to not generate escaping (global) filenames. However, it's possible we read them from the corpus if it happens to contain some. Also check for escaping filenames during deserialization.

  Fixes #3678

* tools/syz-imagegen: fill fake images with unique consts  [Dmitry Vyukov, 2022-12-22, 14 files, -28/+28]
  Fill fake images with unique 4-byte values. This allows hints mutation to easily guess magic numbers and checksums.

* sys/linux: fix afs mounting  [Dmitry Vyukov, 2022-11-28, 1 file, -6/+0]
  afs is not an image-based filesystem. It accepts some server/cell as source argument.

* sys/linux: fix pvfs2 mount  [Dmitry Vyukov, 2022-11-28, 1 file, -6/+0]
  It's not an image-based filesystem.

* tools/syz-imagegen: generate fake empty images for all filesystems  [Dmitry Vyukov, 2022-11-25, 16 files, -0/+96]
  Since syz_mount_image calls are no_generate we need to add at least some empty seeds for all filesystems.

* tools/syz-imagegen: add msdos filesystem  [Dmitry Vyukov, 2022-11-24, 60 files, -0/+360]

* tools/syz-imagegen: add hfs and hfsplus filesystems  [Dmitry Vyukov, 2022-11-24, 16 files, -0/+96]

* sys/linux/test: add syz_read_part_table seeds  [Dmitry Vyukov, 2022-11-23, 8 files, -0/+48]

* sys/linux/test: regenerate syz_mount_image seeds  [Dmitry Vyukov, 2022-11-23, 628 files, -628/+628]

* executor: don't pass uncompressed zlib size  [Dmitry Vyukov, 2022-11-23, 4 files, -4/+4]
  This will allow us to mutate the image size.

  Fixes #3527

* sys/linux: regenerate `syz_mount_image` seeds  [Hrutvik Kanabar, 2022-11-21, 632 files, -632/+632]
  Update seeds to account for the new pseudo-syscall prototype and the new compressed Base64 syntax. This reduces `syz-imagegen` seed image space requirements from 127 MB to 43 MB (measured using `du -ch syz_mount_image_*`).

  Note that some filesystems are pathological for deflate, e.g. for `f2fs` seed image space has increased from 320 KB to 2.1 MB. This discrepancy should not be observed in corpuses after performing various filesystem operations and image mutations - the previous ad-hoc compression is highly efficient for near-empty images, but once images are modified deflate should surpass it.

  Tools/versions used are as in google@0d24140 and google@356d821.

* sys/linux: add NFC seed  [Dmitry Vyukov, 2022-11-13, 1 file, -0/+43]

* sys/linux: add iommufd descriptions  [Jason Gunthorpe, 2022-11-10, 1 file, -0/+60]

* sys/linux/test: add landlock_fs_truncate  [Mickaël Salaün, 2022-10-06, 1 file, -0/+41]
  This test covers file truncation with path and file descriptor checks handled in security/landlock/fs.c.

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

* sys/linux: fix invalid args in syz_mount_image tests  [Aleksandr Nogikh, 2022-09-29, 2 files, -3/+2]

* sys/linux: update manual `syz_mount_image` calls  [Hrutvik Kanabar, 2022-09-13, 4 files, -5/+5]
  Add the missing boolean argument for changing directory to `syz_mount_image` calls which are not generated by `syz-imagegen`. Set it to false to ensure behaviour is as before.

* sys/linux: regenerate NTFS3 `syz_mount_image` seed images  [Hrutvik Kanabar, 2022-09-13, 16 files, -16/+16]
  Now with the ability to change directory. Regenerate on a VM which supports NTFS, using the same versions as google/syzkaller@356d821720a2d24a4cc96f8c0b2b7a11c8882190.

* sys/linux: regenerate `syz_mount_image` seed images  [Hrutvik Kanabar, 2022-09-13, 612 files, -612/+612]
  Now including the ability to change directory. Using the same tools/versions as google/syzkaller@0d2414047943397599e7cfc12d40f4582d008726.

  N.B. in particular, NTFS3 will be updated in the next commit.

* sys/linux: regenerate NTFS3 `syz_mount_image` seed images  [Hrutvik Kanabar, 2022-09-09, 16 files, -0/+96]
  Regenerate on a VM which supports NTFS, using:

      mkntfs    libntfs-3g v2022.5.17
      kernel    v5.19.0

* sys/linux: regenerate `syz_mount_image` seed images  [Hrutvik Kanabar, 2022-09-09, 648 files, -756/+1836]
  Regenerate using the following versions:

      mkfs.f2fs      1.14.0 (2020-08-24)
      mkfs.btrfs     btrfs-progs v5.18.1
      mkfs.fat       4.2 (2021-01-31)
      mkexfatfs      1.3.0
      mkfs.bfs       util-linux 2.38
      mkfs.xfs       5.19.0
      mkfs.minix     util-linux 2.38
      mkfs.reiserfs  3.6.27
      mkfs.jfs       1.1.15 (2011-03-04)
      mkntfs         libntfs-3g v2022.5.17
      mke2fs         1.46.5 (2021-12-30)
      mkfs.gfs2      3.4.1
      mkfs.ocfs2     1.8.7
      mkfs.cramfs    util-linux 2.38
      genromfs       0.5.2
      mkfs.erofs     1.5
      makefs         20190105-3
      mkudffs        udftools 2.3
      mkfs.jffs2     mtd-utils 2.1.4
      mkfs.nilfs2    nilfs-utils 2.2.8
      mksquashfs     squashfs-tools 4.5.1
      genisoimage    1.1.11

  NB: NTFS3 is not included here as my kernel does not seem to be compiled with it. No errors appear (except for failure to find NTFS3).

  This commit also updates a comment in `imagegen.go` listing dependencies.
