| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
dev_kvm_amd64: TDX_ATTR_* were renamed to TDX_TD_ATTR_*.
landlock: LANDLOCK_ACCESS_NET_*_UDP and LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET are no longer present.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
usb_device_descriptor
|
| | |
|
| |
|
|
|
| |
Remove duplicate vendor and product ID pairs from quirksIDs and add new
unique pairs in init_vusb.go.
|
| |
|
|
|
|
|
|
| |
The vendorID and productID pairs in syz_usb_connect$midi descriptor
are now patched by init_vusb.go.
Remove syz_usb_control_io$midi since it didn't produce meaningful
coverage.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the USB audio fuzzing support by adding syzlang
descriptions for:
- UAC2 (USB Audio Class 2.0) devices with clock management units,
interface association descriptors, and extended format types.
- UAC3 (USB Audio Class 3.0) devices including power domain
descriptors and cluster information segments.
- USB MIDI devices with jack descriptors and streaming endpoints.
A new generateAudioDeviceDescriptor function patches in both
auto-extracted USB IDs from the kernel driver matching rules and
hardcoded quirk IDs from the USB audio driver sources (sound/usb/).
This approach follows the pattern established for the HID and printer
classes, allowing exercising driver quirks that cannot be automatically
extracted.
The config descriptor template now includes an EXTRA field to support
Interface Association Descriptors required by UAC2/UAC3. This also
requires adjusting the interface field index in patchUsbDeviceID.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables syzos for riscv64 and implements
the corresponding pseudo syscalls.
Pseudo syscalls:
- syz_kvm_setup_syzos_vm
- syz_kvm_add_vcpu
- syz_kvm_assert_syzos_uexit
Syzos guest support:
- guest_uexit
- guest_execute_code
- guest_handle_csrr and guest_handle_csrw
Test seeds:
- riscv64-syz_kvm_setup_syzos_vm
- riscv64-syz_kvm_setup_syzos_vm-csrr
- riscv64-syz_kvm_setup_syzos_vm-csrw
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add two new SYZOS test cases to verify the persistence of
Guest Physical Registers (GPRs) in nested virtualization scenario.
These tests ensure that the hypervisor correctly saves and restores
L2 GPRs during nested VM-exits and VM-entries, preventing register
state corruption.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add sys/linux/test/amd64-syz_kvm_nested_load_syzos-vmresume to verify the
state preservation and resumption capabilities of the
SYZOS_API_NESTED_LOAD_SYZOS primitive.
The test deploys an L2 guest with a sequential multi-step payload:
1. `uexit(1)`
2. `uexit(2)`
The L1 hypervisor first executes `nested_vmlaunch`, causing L2 to run
until the first uexit. L1 then executes `nested_vmresume` to continue
L2 execution.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new test checks the following scenario:
- L0 VM launches L1 VM (SYZOS)
- L1 VM launches L2 VM (nested SYZOS)
- L2 VM issues a UEXIT
- L1 VM catches the UEXIT and forwards it to L0
- L0 VM checks the UEXIT code and resumes L1 VM
- L1 VM finishes its work and issues another UEXIT
- L0 VM checks the UEXIT code
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit introduces the `SYZOS_API_NESTED_LOAD_SYZOS` command to
enable running full SYZOS programs within a nested L2 guest, enhancing
fuzzing capabilities for nested virtualization.
Key changes include:
- Nested SYZOS Execution: The new command loads a SYZOS program into an
L2 VM, setting up its execution environment.
- ABI Refinement: Program size is now passed via the shared `syzos_globals`
memory region instead of registers, standardizing the ABI for L1 and L2.
- L2 State Management: Improved saving and restoring of L2 guest GPRs
across VM-exits using inline assembly wrappers for Intel and AMD.
- Nested UEXIT Propagation: Intercepts EPT/NPT faults on the exit page to
capture the L2 exit code from saved registers and forward it to L0 with
an incremented nesting level.
- L2 Memory Management: Updates to L2 page table setup, including skipping
NO_HOST_MEM regions to force exits, and a new `l2_gpa_to_pa` helper.
|
| | |
|
| |
|
|
|
|
| |
Drop a FS_XFLAG_VERITY const (it was only present in a few linux-next
tags).
Run make extract on the latest linux-next
|
| |
|
|
| |
Also, regenerate consts on the latest linux-next.
|
| |
|
|
|
| |
Signed-off-by: Justin Leung <justin.leung@arm.com>
Signed-off-by: Lukas Zapolskas <lukas.zapolskas@arm.com>
|
| |
|
|
| |
Closes #6627.
|
| |
|
|
|
|
|
| |
This patch adds more riscv64 specific registers to improve the KVM support
for RISC-V architecture.
Signed-off-by: 6eanut <jiakaiPeanut@gmail.com>
|
| |
|
|
|
|
|
| |
The syz_kvm_assert_syzos_uexit$x86 function expects a 64-bit value
for the exit code.
Update the test cases to use 0xffffffffffffffff instead of 0xffffffff
to reflect the -1 value used to indicate the end of the test.
|
| |
|
|
|
|
|
|
| |
Add the new LANDLOCK_ACCESS_NET_BIND_UDP,
LANDLOCK_ACCESS_NET_CONNECT_UDP, and LANDLOCK_ACCESS_NET_SENDTO_UDP
access rights.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
| |
|
|
|
|
|
| |
Add the new LANDLOCK_RESTRICT_SELF_TSYNC flag for
landlock_restrict_self(2).
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
| |
|
|
|
|
| |
Add the new LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET scope right.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
| |
|
|
|
|
|
| |
- Enables syz_kvm_assert_reg for riscv64.
- Updates kvm_one_reg according to the latest definition in
https://github.com/torvalds/linux/blob/master/arch/riscv/include/uapi/asm/kvm.h.
- Adds a test case: riscv64-kvm-reg.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_VMLOAD and
SYZOS_API_NESTED_AMD_VMSAVE.
These primitives allow the L1 guest to execute the VMLOAD and VMSAVE
instructions, which load/store additional guest state (FS, GS, TR, LDTR,
etc.) to/from the VMCB specified by the 'vm_id' argument.
This stresses the KVM L0 instruction emulator, which must validate the
L1-provided physical address in RAX and perform the state transfer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements syz_kvm_setup_cpu for riscv64 architecture.
The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code
as parameters. Additional parameters (ntext, flags, opts, nopt) are
included for interface consistency with other architectures but are
currently unused on riscv64.
Implementation:
- Set up guest memory via KVM_SET_USER_MEMORY_REGION
- Copy guest code to guest memory
- Initialize guest registers to enable code execution in S-mode
- Return 0 on success, -1 on failure
Testing:
A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/
to verify basic functionality.
Known limitations:
- ifuzz is not yet compatible with riscv64. Temporary workaround: set
text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig
for riscv64 to ensure generateText and mutateText work correctly.
This patch also adds support for KVM_GET_ONE_REG ioctl.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces SYZOS_API_NESTED_AMD_SET_INTERCEPT to SYZOS.
This primitive enables the fuzzer to surgically modify intercept vectors
in the AMD VMCB (Virtual Machine Control Block) Control Area.
It implements a read-modify-write operation on 32-bit VMCB offsets,
allowing the L1 hypervisor (SYZOS) to deterministically set or clear
specific intercept bits (e.g., for RDTSC, HLT, or exceptions) for the L2
guest.
This capability allows syzkaller to systematically explore KVM's nested
SVM emulation logic by toggling intercepts on and off, rather than
relying on static defaults or random memory corruption.
|
| |
|
|
|
|
|
| |
This patch updates all relevant regression tests in sys/linux/test/ to
align with the API change introduced in syz_kvm_assert_syzos_uexit.
The syz_kvm_assert_syzos_uexit syscall now requires the VCPU file
descriptor as its first argument.
|
| |
|
|
|
|
|
|
| |
Enhance the debugging capabilities of C reproducers by passing the VCPU
file descriptor to the syz_kvm_assert_syzos_uexit function. With access to
the VCPU fd, the function can now dump the VCPU's register state upon
assertion failure, providing critical context for debugging guest execution
issues.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Implement SYZOS_API_NESTED_AMD_INJECT_EVENT to allow the L1 guest to
inject events (Interrupts, NMIs, Exceptions) into L2 via the VMCB EVENTINJ
field.
This primitive abstracts the VMCB bit-packing logic
(Vector, Type, Valid, Error Code) into a high-level API, enabling the fuzzer
to semantically mutate event injection parameters.
This targets KVM's nested event merging logic, specifically where L0 must
reconcile L1-injected events with Host-pending events.
|
| |
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_STGI and SYZOS_API_NESTED_AMD_CLGI
primitives to toggle the Global Interrupt Flag (GIF). These commands
execute the stgi and clgi instructions respectively and require no
arguments.
Also add a test checking that CLGI correctly masks NMI injection from L0.
|
| |
|
|
|
|
|
|
|
|
| |
Implement the SYZOS_API_NESTED_AMD_INVLPGA primitive to execute the
INVLPGA instruction in the L1 guest.
This allows the fuzzer to target KVM's Shadow MMU and Nested Paging (NPT)
logic by invalidating TLB entries for specific ASIDs.
Also add a simple syzlang seed/regression test.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
It seems that consts for the file were generated for a single file only,
or manually written. I can't find any upstream/linux-next revision
where all consts can be regenered. On next-20251111 where we last generated
all consts, some of these MALI consts are not present yet. On newer revisions
make extract is broken.
Add manual defines so that descriptions can be at least re-generated on next-20251111.
|
| |
|
|
|
|
| |
Enable some previously disabled syscalls in snapshot mode that look safe for snapshot mode.
In snapshot mode we don't rely on the actual networking, and should be able to survive
runner process kills, and disk shutdown.
|
| | |
|
