| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This is a system ioctl
|
| |
Use output parameter instead of an input one.
Use a KVM constant for array size.
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-lapic
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-xcrs
|
| |
This is mostly for the sake of completeness, other KVM ioctls do not
interact with the created FD anyway.
|
| |
KVM_GET_MSRS can be both a system and a vcpu ioctl
|
| |
Both KVM_SET_TSC_KHZ and KVM_GET_TSC_KHZ are vcpu and vm ioctls.
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-sregs2
|
| |
KVM_MEMORY_ENCRYPT_UNREG_REGION
See https://docs.kernel.org/virt/kvm/api.html#kvm-memory-encrypt-reg-region
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-x86-set-msr-filter
|
| |
For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt
lists their parameters as "in/out".
Change their descriptions to reflect that.
Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID
|
| |
This should increase SEV coverage on AMD, also reach some dusty corners on ARM.
|
| |
make sev_handle a resource
|
| |
This is equivalent to errors=panic.
|
| |
This patch adds the necessary descriptions for KVM_MEMORY_ENCRYPT_OP,
which is currently not supported.
|
| |
When running syz-manager with -mode run-tests --tests landlock_ptrace -debug
we get this result:
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=0
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=3
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
Because this test spawns two threads, the ptrace(2) returned code may be
different according to the calling thread.
Set the common EPERM errnos for all three threads (EINTR is unknown to
syzkaller). The other returned codes cannot be fixed because we cannot
have a set of valid errno for the same call.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug
we get this result:
#0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
#0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
#0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
#0 [1300ms] <- ioctl=0x0
[...]
landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13
The ioctl call returns EFAULT instead of EACCES.
Change this test to create a /dev/null device and use a valid device
IOCTL.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
Add 2 regular missing ioctl syscalls:
- UFFDIO_MOVE
- UFFDIO_POISON
Add the USERFAULTFD_IOC_NEW ioctl that allows procuring userfaultfds
by accessing /dev/userfaultfd.
No other descriptions are touched, neither are any config options.
Tested on local x86_64 syzkaller instance with enabled_syscalls[]
option turned on.
|
| |
The setuid sandboxes are not correct because some tests require mount.
Let's make it simple and remove them. After all, Landlock is available
to any user.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
Currently, only usb COMEDI drivers are covered thanks to external usb
fuzzing approach. However, that still leaves /dev/comedi# devices
untested, thus this change.
There are 2 ways to make the kernel spawn comedi devices. First, it seems
that one is created once the driver identifies available hardware. Second,
provided the kernel parameter comedi.comedi_num_legacy_minors=N is set,
the same number of manually configurable devices are created,
allowing for configuration using one of the IOCTLs. Both scenarios do
not allow for particularly deep fuzzing as lack of necessary hardware
will inevitably stop any exploration short. Still, it is a start.
What is added:
- Descriptions for all COMEDI-related IOCTLs and structures.
Some arbitrary limits were set on array and list sizes, otherwise
numerous, overly greedy kmallocs slow down fuzzing with constant
warnings.
- List COMEDI devices to open.
A hardcoded list of device names is the best we can do at this point.
First few devs are for manual configuration (see
comedi_num_legacy_minors=N), others - for dynamic ones (N+1, N+2 etc).
- List manually configurable drivers.
COMEDI_DEVCONFIG ioctl takes a driver name from a list of those that
supposedly can be set up that way. No reason to try others.
Tested on a local x86_64 syzkaller instance with enabled_syscalls[].
|
| |
BSG is a block layer version of SG driver with its own devices,
which can be found in /dev/bsg/*. Currently, syzkaller barely touches
related code in block/ and drivers/scsi/ source directories,
so update the descriptions to nudge the fuzzer in the right direction.
Specifically,
- create a separate description file dev_bsg.txt;
- move openat$bsg from sys.txt and fix the way devices
in question are accessed;
- describe necessary syscalls and structs, most importantly, sg_io_v4.
- add a few TODOs to address later.
A few words about flaws in the sg_io_v4 description:
Some fields were left more ambiguous than desired. Once more research
into the way bsg operates is done, as well as related coverage is
gathered, those flaws will be corrected.
|
| |
A few things done here:
- Add new block device ioctls (and structs) related to encryption,
added in 1ebd4a3c095c ("blk-crypto: add ioctls to create and
prepare hardware-wrapped keys"):
BLKCRYPTOIMPORTKEY
BLKCRYPTOGENERATEKEY
BLKCRYPTOPREPAREKEY
Deviate slightly from original keys-related structs to ensure that
ioctl syscalls have preallocated buffers to work with, not merely
pointers that go nowhere.
- Add and update new/missing syscalls related to zoned block devices:
BLKGETZONESZ
BLKGETNRZONES
BLKOPENZONE
BLKCLOSEZONE
BLKFINISHZONE
- Add a few other missing syscalls, such as BLKRASET.
- Fix some syscalls' directions (mostly, to 'inout').
|
| |
Somehow syz-extract is unable to infer KVM_MAX_IRQ_ROUTES on x86,
hardcode it.
|
| |
Let bare-metal instances with EL2 support take advantage of NV.
|
| |
We expect these commands to reach some NV coverage
|
| |
A few things done here:
- Add new userspace-driven ioctls (and necessary structs as well):
SNDRV_TIMER_IOCTL_CREATE
SNDRV_TIMER_IOCTL_TRIGGER
- Change a few object pointers' directions to better reflect their
intent (mostly inout).
- Split old SNDRV_TIMER_IOCTL_TREAD into two:
SNDRV_TIMER_IOCTL_TREAD_OLD and SNDRV_TIMER_IOCTL_TREAD64 the way
it is done in the kernel.
- Remove TODO descriptions concerning SNDCTL_TMR_START etc. as they
are described elsewhere, and as far as I can tell, are not necessary
here.
|
| |
/dev/rnullb{} is the Rust implementation of the null block driver.
|
| |
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
|
| |
When compiling SYZOS into the executor binary, the compiler often
attempts to emit a jump table, putting it into the data section
of the executor. SYZOS is unable to access that data and crashes.
Use primes multiplied by 10 to defeat the compiler's heuristics
for jump table emission.
|
| |
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
|
| |
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
|
| |
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
|
| |
$ wc -l sys/linux/auto.*.info
4680 sys/linux/auto.txt.info
8471 sys/linux/auto.allyes.txt.info
|
| |
Add open callback if there are no other unique callbacks.
This happens for e.g. seq files which only have unique open,
while read is a common seq_read callback.
|
| |
Use resolved Function references instead of string names for fileops
callback resolution. Function names are not unique, a number of callbacks
have the same names.
|
| |
Currently we misparse some function references, e.g. for:
.write = (foo) ? bar : baz,
we extract "foo". Extract first function reference from such expressions.
|
| |
Some ioctls are declared inconsistently using enums rather than macros.
Extract these as well.
|
| |
Add coverage percent for kernel interfaces.
The current data is generated with Mar coverage report
on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
|
| |
Export each syscall variant (e.g. fcnt$*) as a separate interface.
Effectively these are separate syscalls. We will want this for
ioctl as well (it's not 1 interface).
|
| |
Use scope-based dataflow analysis for syscall variants (including ioctls).
As a result we only consider code that relates to a particular command/ioctl,
and can infer arguments/return types for each command/ioctl independently.
|
| |
Update auto.txt and consts on v6.15-rc1.
|
| |
Definitions for attribute `NBD_ATTR_SOCKETS`, `NL80211_ATTR_BSS_SELECT`,
`NL80211_ATTR_PEER_MEASUREMENTS`, and `NL80211_ATTR_SCHED_SCAN_MATCH`
have some errors.
Fix them carefully. Check the related parse functions: nbd_genl_reconfigure,
parse_bss_select, nl80211_pmsr_start and nl80211_parse_sched_scan for
details.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
|
| |
This commit removes CRYPTO_ALG_TYPE_COMPRESS from socket_alg.txt since
it was recently removed from the kernel source tree
(fce8b8d crypto: remove obsolete 'comp' compression API). It also
updates a number of other consts that `make extract` detected.
|
| |
Add the new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_ON flags for landlock_restrict_self(2)
from Linux 6.15 (audit support for Landlock).
Also add the LANDLOCK_CREATE_RULESET_VERSION and
LANDLOCK_CREATE_RULESET_ERRATA flags for landlock_create_ruleset(2).
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.
|
| |
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even though we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
|
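The round trip the commit above describes (gob-serialize the descriptions, compress with flate, inflate and decode at load time), as an added example that is not syzkaller's own code: the `Syscall` type, `SampleTable` and the size comparison are constructed stand-ins for a real description table, chosen only to show why this shape of data compresses well.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/gob"
	"fmt"
)

// Syscall is a constructed stand-in for one entry of a syscall description
// table; it is not syzkaller's real prog.Syscall type.
type Syscall struct {
	Name string
	NR   int
	Args []string
	Ret  string
}

// Encode serialises the table with gob and compresses the stream with flate.
// The gob encoder writes straight into the flate writer, so no intermediate
// uncompressed copy is kept.
func Encode(table []Syscall) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if err := gob.NewEncoder(w).Encode(table); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil { // flush the final deflate block
		return nil, err
	}
	return buf.Bytes(), nil
}

// Decode reverses Encode: inflate, then gob-decode.
func Decode(blob []byte) ([]Syscall, error) {
	r := flate.NewReader(bytes.NewReader(blob))
	defer r.Close()
	var table []Syscall
	if err := gob.NewDecoder(r).Decode(&table); err != nil {
		return nil, err
	}
	return table, nil
}

// RawSize returns the size of the uncompressed gob stream, for comparison.
func RawSize(table []Syscall) (int, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(table); err != nil {
		return 0, err
	}
	return buf.Len(), nil
}

// SampleTable builds a constructed, highly repetitive table (many ioctl
// variants sharing argument types), which is the shape real descriptions have.
func SampleTable(n int) []Syscall {
	var t []Syscall
	for i := 0; i < n; i++ {
		t = append(t, Syscall{
			Name: fmt.Sprintf("ioctl$KVM_CMD_%d", i),
			NR:   16,
			Args: []string{"fd_kvm", "const[0xae00]", "ptr[inout, kvm_struct]"},
			Ret:  "int32",
		})
	}
	return t
}

func main() {
	table := SampleTable(1000)
	blob, err := Encode(table)
	if err != nil {
		panic(err)
	}
	raw, err := RawSize(table)
	if err != nil {
		panic(err)
	}
	back, err := Decode(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("entries=%d gob=%dB gob+flate=%dB round-trip ok=%v\n",
		len(back), raw, len(blob), len(back) == len(table))
}
```

Decoding cost is paid once per process start, which is why the commit quotes a per-arch decode time rather than a per-program one; the trade is build time and binary size against a few hundred milliseconds at startup.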
| |
Use function scope information extracted in the previous commit
to infer multiplexed syscalls (fcntl, prctl, ...) and infer
their arguments.
Descriptions generated on Linux commit c4b9570cfb63501.
|
| |
Extract info about function scopes formed by switch'es on function arguments.
For example if we have:
void foo(..., int cmd, ...)
{
...
switch (cmd) {
case FOO:
... block 1 ...
case BAR:
... block 2 ...
}
...
}
We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows us to do 3 things:
1. Locate ioctl commands that are switched on within transitively
called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow inferring other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
|
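The scope idea from the commit above (everything inside `case FOO:` is only relevant when the switched-on argument equals FOO), as an added example that is not syzkaller's clang tool: a textual approximation that finds `switch (arg)` in a C function body, splits it by case label, and records the calls reachable under each label. `SampleIoctlHandler` is a constructed snippet in the shape of a kernel ioctl handler, not code from any real driver, and brace counting here ignores braces inside strings and comments, which the real AST-based tool does not have to worry about.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CaseScope records one case label of a switch on a function argument and
// the function calls that are only reachable under that label.
type CaseScope struct {
	Value string   // case label, or "default"
	Calls []string // callees in source order
}

var (
	// `switch (ident) {` with the switched-on identifier captured.
	switchRe = regexp.MustCompile(`switch\s*\(\s*(\w+)\s*\)\s*\{`)
	// `case IDENT:` or `default:` at the start of a line.
	caseRe = regexp.MustCompile(`^\s*(?:case\s+([A-Za-z_]\w*)|(default))\s*:`)
	// `ident(`: a call site, or a keyword followed by a parenthesis.
	callRe = regexp.MustCompile(`\b([A-Za-z_]\w*)\s*\(`)
	// Keywords that callRe would otherwise report as calls.
	keywords = map[string]bool{
		"if": true, "while": true, "for": true, "switch": true,
		"return": true, "sizeof": true,
	}
)

// SwitchScopes scans a C function body for `switch (arg) { ... }` and
// returns, for each case label, the calls made inside that label's block.
// Switches on any other identifier are ignored. Braces are counted
// textually (assumption: no braces inside string literals or comments).
func SwitchScopes(src, arg string) []CaseScope {
	var scopes []CaseScope
	for _, m := range switchRe.FindAllStringSubmatchIndex(src, -1) {
		if src[m[2]:m[3]] != arg {
			continue // switch on something else: not a scope for this arg
		}
		scopes = append(scopes, splitCases(balancedBlock(src[m[1]-1:]))...)
	}
	return scopes
}

// balancedBlock returns the text between the '{' at s[0] and its matching '}'.
func balancedBlock(s string) string {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				return s[1:i]
			}
		}
	}
	return s[1:]
}

// splitCases walks the switch body line by line: a case label at brace
// depth 0 opens a new scope; every call on the following lines belongs to it.
func splitCases(body string) []CaseScope {
	var scopes []CaseScope
	depth, cur := 0, -1
	for _, line := range strings.Split(body, "\n") {
		if depth == 0 {
			if m := caseRe.FindStringSubmatch(line); m != nil {
				label := m[1]
				if label == "" {
					label = m[2]
				}
				scopes = append(scopes, CaseScope{Value: label})
				cur = len(scopes) - 1
				line = line[len(m[0]):] // code after the colon is still in this case
			}
		}
		if cur >= 0 {
			for _, c := range callRe.FindAllStringSubmatch(line, -1) {
				if !keywords[c[1]] {
					scopes[cur].Calls = append(scopes[cur].Calls, c[1])
				}
			}
		}
		depth += strings.Count(line, "{") - strings.Count(line, "}")
	}
	return scopes
}

// SampleIoctlHandler is a constructed C snippet in the shape of a kernel ioctl
// handler; it is not taken from any real driver.
const SampleIoctlHandler = `
static long foo_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
	struct foo *dev = f->private_data;

	if (!dev)
		return -ENODEV;
	switch (cmd) {
	case FOO_GET_INFO:
		return copy_info(dev, (void __user *)arg);
	case FOO_RESET: {
		int ret = reset_dev(dev);

		if (ret)
			log_err(ret);
		return ret;
	}
	default:
		return -ENOTTY;
	}
}
`

func main() {
	for _, s := range SwitchScopes(SampleIoctlHandler, "cmd") {
		fmt.Printf("cmd == %s: calls %v\n", s.Value, s.Calls)
	}
}
```

On the sample, `copy_info` is attributed to FOO_GET_INFO and `reset_dev` and `log_err` to FOO_RESET, while the `dev` check before the switch belongs to no command; that per-command attribution is what lets argument and return types be inferred for each ioctl separately instead of for the handler as a whole.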
| |
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As a result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
|