Add recvmsg$unix() and recvmmsg$unix().
Update sendmmsg$unix to use the correct type; the old description was using
an array of struct msghdr instead of struct mmsghdr.
Set the addr field of msghdr structs to optional.
Update dev_vhci consts as they were updated to use inclusive language in
commits 3d4f9c00492b and 6397729bb74d.
Remove caif_hsi consts as they were removed in commit ca75bcf0a83b.
Remove raw driver ioctls as they were removed in commit 603e4922f1c8.
Syscall `openat$random` should open /dev/random device.
This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
- IR - enables MMU for instruction fetches
- DR - enables MMU for data loads/stores
- PR - "problem state", i.e. userspace (implies DR and IR)
- PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Turns out the ifuzz on powerpc did not ever properly work. This fixes
syz_kvm_setup_cpu$ppc64:
- Enable the PAPR KVM capability (otherwise KVM_RUN fails right away).
- Finish generated sequences with the software debug breakpoint as
there is no x86's "hlt" variant on POWER and otherwise KVM won't exit.
- Add exception handlers, use the software debug breakpoint instruction
to trigger immediate exit from KVM with the only exception of
the decrementer interrupt handler (timer) to recharge the timer and
continue.
- Define and use endianness selection flag (Big vs. Little endian).
- Define the code generator similar to kvm_gen.cc which for now contains
2 simple tests and the decrementer interrupt handler code.
- Add test cases to the executor so "bin/linux_ppc64le/syz-executor test"
can run some sensible tests. The tests copy 0xbadc0de around similar
to x86 and use gpr[3] as the return value register (similar to EAX).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
"make generate" produces this diff when go 1.17 (go1.17-c95464f0ea3f==upstream)
is used. Seems compatible with >=1.16.
https://github.com/golang/go/commit/4d2d89ff42ca documents the syntax.
https://github.com/golang/go/commit/eeadce2d8713 enforces "ignore" for
unsatisfiable tags hence the pkg/csource/gen.go change.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues with this are:
- Need to know which files are present on the target device
- Need to write openat for each file
With dirname added, one file in the directory is opened randomly and
the fd is then passed to write/read/close.
* all: use typename glob to match filename
Fixes #481
* sys/linux: support syncobjs in dev_msm
* sys/linux: describe syncpoints and dma fences for dev_dri
Updates perf_event_attr (perf events subsystem) to be in sync with
latest linux-next.
Represent array[const[X, int8], N] as string["XX...X"].
This replaces a potentially huge number of:
NONFAILING(*(uint8_t*)0x2000126c = 0);
NONFAILING(*(uint8_t*)0x2000126d = 0);
NONFAILING(*(uint8_t*)0x2000126e = 0);
with a single memcpy. In one reproducer we had 3991 such lines.
Also replace memcpy's with memset's when possible.
Update #1070
Commit empty files into generated packages,
so that the tree is buildable even w/o generated files
and Go tools continue to work.
Add VSYSCALL_ADDR, PAGE_OFFSET, VMEMMAP addresses.
Add some arm/arm64 algs + some missing x86 algs.
This test covers mount namespace manipulation forbidden in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover most types of access checks in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/ptrace.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/fs.c:check_access_path()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/fs.c:hook_sb_delete()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Based on Linux next-20210319:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f00397ee41c79b6155b9b44abd0055b2c0621349
Co-developed-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>
Signed-off-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Because there is not a proper prctl syscall but only variants, it happens that
the logic to infer the number of syscall arguments doesn't work (cf.
callArgSizes in pkg/compiler/gen.go). As a result, the kernel rejects multiple
prctl calls by returning -EINVAL because the fifth argument is not zero:
* PR_MCE_KILL
* PR_MCE_KILL_GET
* PR_SET_MM
* PR_SET_NO_NEW_PRIVS
* PR_GET_NO_NEW_PRIVS
* PR_GET_THP_DISABLE
* PR_SET_THP_DISABLE
* PR_GET_SPECULATION_CTRL
* PR_SET_SPECULATION_CTRL
Fix this by adding a new dummy prctl variant with all 5 arguments.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
If rfkill is enabled by the fuzzer, wifi setup will fail.
Disable rfkill to initial state during setup.
Add a description for the FS_IOC_READ_VERITY_METADATA ioctl,
which is new in Linux v5.12-rc1. See
https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#fs-ioc-read-verity-metadata
Update consts on upstream 7a7fd0de4a9804299793e564a555a49c1fc924cb.
Remove termiox ioctls, they were removed in commit e0efb3168d34.
I've moved the idmapped mount patchset into my for-next branch and plan
to send it for the v5.12 merge window in ~2.5 weeks. It comes with a
large xfstest but I would also like to get some syzkaller coverage.
With-help-from: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use a fuzzer-provided socket,
and the fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
Duplicate mknod$loop() for architectures without mknod().
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add a variant to create a /dev/null character device.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Update consts on upstream 825b5991a46ef28a05a4646c8fe1ae5cef7c7828.
Simplify and align mount$tmpfs() with other mount variants.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
mount$tmpfs() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
mount$bind() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
fork() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
Based on 5.11-rc1 and upstream-usb.config.
Signed-off-by: Paul Chaignon <paul@cilium.io>
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
FUTEX_WAIT_MULTIPLE was added before it was merged, and nowadays we have
other plans for futex. Remove all WAIT_MULTIPLE references so futex
fuzzing can be re-enabled.
Signed-off-by: André Almeida <andrealmeid@collabora.com>
Both are ChromeOS-specific.
Also flip these:
/proc/sys/net/ipv4/tcp_dsack
/proc/sys/net/ipv4/tcp_recovery
/proc/sys/net/ipv4/tcp_mtu_probing
/proc/sys/net/ipv4/tcp_rfc1337
/proc/sys/net/ipv4/tcp_rmem
/proc/sys/net/ipv4/tcp_wmem
- Add a test for BPF_PROG_TYPE_CGROUP_SYSCTL. This could be used as a
corpus.
- Remove an unnecessary file sys/linux/bpf_lsm.txt.const.