path: root/sys/linux
Commit log (commit message, author, date, files changed, lines removed/added):
* sys/linux: update socket_netlink_generic_gtp description file (Pimyn Girgis, 2024-07-18, 7 files, -53/+67)
  Accounted for added command and added fields in gtp_policy and gtp_genl_policy. Users can create GTP devices without providing IFLA_GTP_FD0 and IFLA_GTP_FD1 arguments, if IFLA_GTP_CREATE_SOCKETS field is set.
* sys/linux: drop EXT4_IOC_MIGRATE and USB_MAJOR from init.go (Alexander Potapenko, 2024-07-02, 1 file, -4/+0)
  These two constants are not used anywhere. No functional change.
* sys/linux: re-enable EXT4_IOC_SHUTDOWN and EXT4_IOC_RESIZE_FS (Alexander Potapenko, 2024-07-02, 2 files, -18/+0)
  Now that we chroot into tmpfs with sandbox=none, it should be safe to allow using these ioctls, because they won't break the whole VM.
  Update #971.
* executor: add runner mode (Dmitry Vyukov, 2024-06-24, 1 file, -21/+0)
  Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer. Also restore syz-runtest functionality in the manager.
  Update #4917 (sets most signal handlers to SIG_IGN)
* prog: introduce a remote_cover call attribute (Aleksandr Nogikh, 2024-05-27, 3 files, -20/+20)
  Update the descriptions to mark calls that cause remote coverage collection. Remove some hacky code from the executor.
* sys/linux/dev_kvm.txt: add new device types (Alexander Potapenko, 2024-05-15, 2 files, -1/+7)
  Update the list of device type flags to match that of Linux 6.9
* sys/linux: run make extract (Alexander Potapenko, 2024-05-15, 11 files, -84/+84)
  Make the following changes for extraction to succeed:
  - drop the KVM API constants for features removed in 6.9;
  - hardcode the three TUNNEL_*_OPT constants that cannot be extracted due to a header change;
  - hardcode the HCI_OP_* constants removed in 99fca36c8b412 ("Bluetooth: HCI: Remove HCI_AMP support");
  - hardcode the L2CAP_* constants removed in e7b02296fb40 ("Bluetooth: Remove BT_HS");
  - hardcode LANDLOCK_ACCESS_FS_IOCTL_DEV until it hits upstream.
* tools/syz-imagegen: generate bcachefs images (Aleksandr Nogikh, 2024-05-03, 8 files, -0/+48)
  Use the parameters as discussed in https://groups.google.com/g/syzkaller/c/h002HJplxP0/m/ypISQYYpAwAJ
* sys/linux: add bcachefs descriptions (Aleksandr Nogikh, 2024-05-03, 1 file, -0/+14)
* sys/linux: update the Landlock IOCTL access right (Mickaël Salaün, 2024-04-29, 3 files, -3/+3)
  We renamed LANDLOCK_ACCESS_FS_IOCTL to LANDLOCK_ACCESS_FS_IOCTL_DEV, but the value is still the same.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* prog: add raw deserialization mode (Dmitry Vyukov, 2024-04-29, 1 file, -0/+28)
  Raw deserialization mode does not do any program sanitization and allows using global file names, prohibited ioctls, etc. This will be useful for moving syscall/feature checking code to the host, where we will need to probe opening global files, etc.
* pkg/host: explicitly disable syz_execute_func (Dmitry Vyukov, 2024-04-29, 1 file, -1/+15)
  Disable the syscall in descriptions rather than in the code. This makes it more visible for users that it's disabled, and makes it less special (will not need to move this logic to host). Also change the condition in syz-sysgen to be more precise, otherwise syz_execute_func becomes an unused function.
* all: go fix everything (Dmitry Vyukov, 2024-04-26, 1 file, -1/+0)
* prog: fix selection of args eligible for squashing (Dmitry Vyukov, 2024-04-15, 1 file, -2/+3)
  This fixes 3 issues:
  1. We intended to squash only 'in' pointer elems, but we looked at the pointer direction rather than elem direction. Since pointers themselves are always 'in' we squashed a number of types we didn't want to squash.
  2. We can squash filenames, which can lead to generation of escaping filenames, e.g. fuzzer managed to create "/" filename for blockdev_filename as:
     mount(&(0x7f0000000000)=ANY=[@ANYBLOB='/'], ...)
     Don't squash filenames.
  3. We analyzed a concrete arg to see if it contains something we don't want to squash (e.g. pointers). But the whole type can still contain unsupported things in inactive union options, or in 0-sized arrays. E.g. this happened in the mount case above. Analyze the whole type to check for unsupported things.
  This also moves most of the analysis to the compiler, so mutation will be a bit faster.
  This removes the following linux types from squashing.
  1. These are not 'in':
     btrfs_ioctl_search_args_v2
     btrfs_ioctl_space_args
     ethtool_cmd_u
     fscrypt_add_key_arg
     fscrypt_get_policy_ex_arg
     fsverity_digest
     hiddev_ioctl_string_arg
     hidraw_report_descriptor
     ifreq_dev_t[devnames, ptr[inout, ethtool_cmd_u]]
     ifreq_dev_t[ipv4_tunnel_names, ptr[inout, ip_tunnel_parm]]
     ifreq_dev_t["sit0", ptr[inout, ip_tunnel_prl]]
     io_uring_probe
     ip_tunnel_parm
     ip_tunnel_prl
     poll_cq_resp
     query_port_cmd
     query_qp_resp
     resize_cq_resp
     scsi_ioctl_probe_host_out_buffer
     sctp_assoc_ids
     sctp_authchunks
     sctp_getaddrs
     sctp_getaddrs_old
  2. These contain pointers:
     binder_objects
     iovec[in, netlink_msg_route_sched]
     iovec[in, netlink_msg_route_sched_retired]
     msghdr_netlink[netlink_msg_route_sched]
     msghdr_netlink[netlink_msg_route_sched_retired]
     nvme_of_msg
  3. These contain filenames:
     binfmt_script
     blockdev_filename
     netlink_msg_route_sched
     netlink_msg_route_sched_retired
     selinux_create_req
* sys/linux: add IOMMU_HWPT_INVALIDATE (Jason Gunthorpe, 2024-03-13, 3 files, -0/+22)
* sys/linux: add IOMMU_HWPT_GET_DIRTY_BITMAP (Jason Gunthorpe, 2024-03-13, 3 files, -0/+31)
* sys/linux: add IOMMU_HWPT_SET_DIRTY_TRACKING (Jason Gunthorpe, 2024-03-13, 3 files, -0/+17)
* sys/linux: add IOMMU_GET_HW_INFO (Jason Gunthorpe, 2024-03-13, 3 files, -0/+15)
* sys/linux: add IOMMUFD_CMD_HWPT_ALLOC (Jason Gunthorpe, 2024-03-13, 3 files, -0/+36)
  New ioctl to create hwpt objects directly with two forms.
* sys/linux: make test/dev_iommu work again (Jason Gunthorpe, 2024-03-13, 2 files, -18/+16)
  This should run without any errno returns. A number of problems have crept in:
  The kernel changed the size of the test ioctl from 0x38 to 0x48. The generated description picked this up but the hardwired constant in the test did not. Update all cases.
  Fix TEST_OP_MOCK_DOMAIN to use the kernel changed ID layout and new destruction sequence.
  Move TEST_OP_MD_CHECK_* up into a region with a MOCK_DOMAIN and fix their arguments so they work properly.
  The test now passes on v6.8-rc3 with no error failures.
* sys/linux: correct iommufd definitions (Jason Gunthorpe, 2024-03-13, 1 file, -6/+9)
  Some small mistakes have crept into here and the definitions are not working quite right.
  The kernel changed the layout of the mock_domain test command to have three handles and moved the device_handle to the end. A new handle - the "selftest_device" was returned instead.
  check_map/check_refs takes in a hwpt_handle not an fd_access.
  domain_replace takes in the selftest_device_handle and an ioas/pt.
  access_replace_ioas uses the ioas_handle not a naked int32.
* sys/linux: clone args before mutation (Aleksandr Nogikh, 2024-03-13, 2 files, -4/+4)
  Not cloning the argument results in replaceArg() replacing a union argument with itself, which may lead to inconsistent resource references. Add an assertion to detect such cases in the future.
* Revert "sys/linux: clone args before mutation" (Aleksandr Nogikh, 2024-03-08, 2 files, -4/+4)
  This reverts commit 4097c8d7a8596ddbc9a9db7b7f39c5cbdb1bd742.
* sys/linux: clone args before mutation (Aleksandr Nogikh, 2024-03-08, 2 files, -4/+4)
  Not cloning the argument results in replaceArg() replacing a union argument with itself, which may lead to inconsistent resource references. Add an assertion to detect such cases in the future.
* sys/linux: add LSM syscalls (Mickaël Salaün, 2024-02-26, 2 files, -0/+47)
  Add 3 new system calls available with Linux 6.8:
  * lsm_set_self_attr()
  * lsm_get_self_attr()
  * lsm_list_modules()
  This helped find these bugs: https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net/
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: refactor wifi descriptions using if[] (Aleksandr Nogikh, 2024-02-19, 5 files, -76/+43)
  The descriptions benefit from syzkaller being able to include fields conditionally.
* sys/linux: use a wider range for netlink attributes (Aleksandr Nogikh, 2024-02-03, 2 files, -4/+8)
* sys/linux: run make extract (Aleksandr Nogikh, 2024-01-30, 23 files, -262/+333)
  Split out deprecated descriptions from socket_netlink_route_sched.txt. Adjust outdated descriptions.
* sys/linux: added descriptions for Mali GPU (Liz Prucka, 2024-01-18, 2 files, -0/+405)
  Descriptions are used in addition to dev_bifrost ioctls.
* sys/linux: add the descriptions for the CEC device (Chenyuan Yang, 2024-01-05, 3 files, -1/+114)
* sys/linux: fix vlan double tag const (Aleksandr Nogikh, 2024-01-03, 1 file, -1/+1)
  Double tagging is used in 802.1ad, which is identified by TPID=0x88a8. We were using an incorrect const.
* executor: introduce syz_pidfd_open() (Aleksandr Nogikh, 2023-12-19, 1 file, -1/+4)
  This kernel interface provides access to fds of other processes, which is readily abused by the fuzzer to mangle parent syz-executor fds. Pid=1 is the parent syz-executor process when PID namespace is created. Sanitize it in the new syz_pidfd_open() pseudo-syscall.
  We could not patch the argument in sys/linux/init.go because the first argument is a resource.
* sys/linux/test: add landlock_fs_ioctl (Mickaël Salaün, 2023-12-18, 1 file, -0/+26)
  This test covers regular file IOCTL checks handled in security/landlock/fs.c.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: add the Landlock IOCTL access right (Mickaël Salaün, 2023-12-18, 2 files, -1/+2)
  Add the new LANDLOCK_ACCESS_FS_IOCTL right. Sort access rights according to their value to ease tracking of new access rights.
  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux, pkg/host, executor: add NVMe-oF/TCP subsystem support (Alon Zahavi, 2023-12-07, 4 files, -0/+715)
  Add new pseudo-syscall for creating a socket in init netns and connecting to NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
* sys/linux: use nested flag definitions where sensible (Paul Chaignon, 2023-12-05, 16 files, -24/+24)
  All flags that are subsets of other flags were identified with the following Bash script [1]. Only a small set of flags identified by the script were rewritten to use nested flag definitions, after manually checking if it makes sense (based on syzkaller context and man pages).
  For example, msgget_flags was rewritten as follows:
    -msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
    +msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
  According to the msgget(2) man page:
    Upon creation, the least significant bits of the argument msgflg define the permissions of the message queue. These permission bits have the same format and semantics as the permissions specified for the mode argument of open(2).
  So it is correct to use open_mode directly in the definition of the flags for msgget(2).
  1 - The script (reads description files on stdin):
    #!/bin/bash
    # Matches lines of the form "name = VALUE1, VALUE2, ..." in description files.
    regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"

    # Returns 0 if every element of the first array is present in the second.
    is_subset() {
    	local -n subset=$1
    	local -n superset=$2
    	for element in "${subset[@]}"; do
    		if [[ ! " ${superset[@]} " =~ " $element " ]]; then
    			return 1
    		fi
    	done
    	return 0
    }

    declare -A parsed_lines
    while IFS= read -r line; do
    	if [[ ! "$line" =~ $regexp_flags ]]; then
    		continue
    	fi
    	list_name="${BASH_REMATCH[1]}"
    	values="${BASH_REMATCH[2]}"
    	# Normalize: strip spaces, sort the values, re-join with commas.
    	IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
    	# Skip flags with too few values.
    	if [ "${#values_array[@]}" -lt 3 ]; then
    		continue
    	fi
    	# Skip the syz0, syz1, etc. lists.
    	if [ "${values_array[0]}" = "\"syz0\"" ]; then
    		continue
    	fi
    	parsed_lines["${list_name}"]="${values_array[@]}"
    done

    # Compare every flag list against every other one.
    for list_name in "${!parsed_lines[@]}"; do
    	values_array=(${parsed_lines["$list_name"]})
    	for other_list_name in "${!parsed_lines[@]}"; do
    		other_values_array=(${parsed_lines["$other_list_name"]})
    		if [ "$list_name" = "$other_list_name" ]; then
    			continue
    		fi
    		if is_subset values_array other_values_array; then
    			if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
    				echo "$list_name EQUALS $other_list_name"
    			else
    				echo "$list_name is a SUBSET of $other_list_name"
    			fi
    		fi
    	done
    done
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux/bpf: use nested definitions for attach flags and types (Paul Chaignon, 2023-12-05, 1 file, -2/+2)
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys: consolidate sockopt_opt_{ip,ipv6}_group_source_req flags (Paul Chaignon, 2023-12-05, 2 files, -5/+3)
  On the Linux, Darwin, and FreeBSD targets, sockopt_opt_ip_group_source_req and sockopt_opt_ipv6_group_source_req are equal. This commit consolidates those flag definitions to use a single one and renames it to sockopt_opt_group_source_req.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: remove cgroup_paths in favor of cgroup_dirs (Paul Chaignon, 2023-12-05, 2 files, -2/+1)
  The two string flags are the same.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux/test: don't run BPF test programs with helpers (Paul Chaignon, 2023-11-28, 1 file, -10/+6)
  Our test programs with BPF helper calls are used to verify that the syzkaller descriptions for BPF helpers are correct. We don't really need to run those BPF programs to check that the descriptions are correct; the real test is to pass the verifier, which happens at load time.
  This commit therefore removes syscalls to run the BPF programs. We are limited in how many syscalls we can have per syzkaller program so we might as well make the most of it.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: move description of BPF programs to own file (Paul Chaignon, 2023-11-28, 2 files, -507/+510)
  The bpf.txt file is becoming huge as it contains the descriptions for all the bpf(2) commands. The most complex command to describe is currently BPF_PROG_LOAD as it contains the whole BPF program description. Those descriptions are also likely to grow significantly as we add more BPF helper descriptions.
  This commit therefore moves the descriptions pertaining to BPF programs (attributes for BPF_PROG_LOAD, eBPF instructions, and BPF helpers) to their own file, bpf_prog.txt.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: simplify BPF descriptions with new unified const/flags (Paul Chaignon, 2023-11-28, 1 file, -16/+16)
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: support more complex bpf_snprintf modifiers (Paul Chaignon, 2023-11-27, 2 files, -2/+2)
  This commit adds more complex format modifiers for the bpf_snprintf BPF helper. Those correspond to a bunch of cases that are uncovered in syzbot's coverage of bpf_bprintf_prepare.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: add all format specifiers for bpf_trace_printk (Paul Chaignon, 2023-11-27, 2 files, -5/+17)
  The bpf_trace_printk helper supports a limited set of format specifiers [1]. This commit ensures they are all covered in the union.
  1 - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: fix comments for bpf_trace_printk helper (Paul Chaignon, 2023-11-27, 1 file, -2/+2)
  The comments for the two strings in bpf_insn_mov_printk_str_hex are inverted. "%p" is 0x257000 in hex.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: use AUTO for structs wherever possible (Paul Chaignon, 2023-11-13, 8 files, -19/+19)
  These occurrences were found with the command:
    git grep -lP "{(AUTO,\s)*AUTO}"
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: describe the PAGEMAP_SCAN ioctl (Andrei Vagin, 2023-11-11, 2 files, -0/+47)
  Signed-off-by: Andrei Vagin <avagin@google.com>
* sys/linux: add BPF_RB_* flags for ringbuf helpers (Paul Chaignon, 2023-11-09, 3 files, -8/+12)
  BPF helpers bpf_ringbuf_{discard,submit,output} take a set of flags. This commit describes those flags. The default is a zero value, but the kernel doesn't have a macro for that. Thus, "0" is simply added to the flag definition.
  Note bpf_ringbuf_reserve also has a flags argument, but it is currently unused on the kernel side.
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: describe BPF helper bpf_ringbuf_output (Paul Chaignon, 2023-11-09, 3 files, -0/+25)
  This helper has the prototype:
    bpf_ringbuf_output(void *ringbuf, void *data, u64 size, u64 flags)
  We need to prepare the second argument (R2) on the stack. We use an 8-byte data value initialized to some random value on the stack and pointed to by R2. The third argument therefore needs to be 8 (for 8 bytes).
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: describe BPF helper call to bpf_ringbuf_query (Paul Chaignon, 2023-11-09, 3 files, -0/+15)
  This BPF helper has the prototype:
    bpf_ringbuf_query(void *ringbuf, u64 flags)
  Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>