| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Add a description for the FS_IOC_READ_VERITY_METADATA ioctl,
which is new in Linux v5.12-rc1. See
https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#fs-ioc-read-verity-metadata
|
| |
|
|
|
| |
Update consts on upstream 7a7fd0de4a9804299793e564a555a49c1fc924cb.
Remove termiox ioctls, they were removed in commit e0efb3168d34.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
I've moved the idmapped mount patchset into my for-next branch and plan
to send it for the v5.12 merge window in ~2.5 weeks. It comes with a
large xfstest but I would also like to get some syzkaller coverage.
With-help-from: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
|
| |
|
|
|
|
|
|
|
|
| |
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
|
| |
|
|
|
|
| |
Duplicate mknod$loop() for architectures without mknod().
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
Add a variant to create a /dev/null character device.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| | |
|
| |
|
|
| |
Update consts on upstream 825b5991a46ef28a05a4646c8fe1ae5cef7c7828.
|
| |
|
|
|
|
| |
Simplify and align mount$tmpfs() with other mount variants.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
mount$tmpfs() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
mount$bind() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
fork() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
|
| |
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
|
| |
|
|
| |
Based on 5.11-rc1 and upstream-usb.config.
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
|
|
|
| |
FUTEX_WAIT_MULTIPLE was added before it was merged, and nowadays we have
other plans for futex. Remove all WAIT_MULTIPLE references so futex
fuzzing can be re-enabled.
Signed-off-by: André Almeida <andrealmeid@collabora.com>
|
| | |
|
| | |
|
| |
|
|
| |
Both are ChromeOS-specific.
|
| |
|
|
|
|
|
|
|
|
| |
Also flip these:
/proc/sys/net/ipv4/tcp_dsack
/proc/sys/net/ipv4/tcp_recovery
/proc/sys/net/ipv4/tcp_mtu_probing
/proc/sys/net/ipv4/tcp_rfc1337
/proc/sys/net/ipv4/tcp_rmem
/proc/sys/net/ipv4/tcp_wmem
|
| |
|
|
|
|
| |
- Add a test for BPF_PROG_TYPE_CGROUP_SYSCTL. This could be used as a
corpus.
- Remove an unnecessary file sys/linux/bpf_lsm.txt.const.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Apply ignore_return to semctl$GETVAL which produces random errno
values on linux and freebsd.
2. Apply ignore_return to prctl and remove the custom code in executor.
3. Remove the custom errno ignoring code in fuchsia executor.
The calls are already marked as ignore_return, so this is just a leftover.
4. Only reset errno for ignore_return.
The syscall can still return a resource (maybe).
We only need to reset errno for fallback coverage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With fscrypt (a.k.a. ext4, f2fs, and ubifs encryption), several steps
are required to get to a properly set-up encrypted directory:
- Mount a filesystem that supports encryption.
- Call FS_IOC_ADD_ENCRYPTION_KEY on the mountpoint.
- Create a directory in the filesystem.
- Call FS_IOC_SET_ENCRYPTION_POLICY on the directory, specifying the
encryption key that was added earlier.
- Then actually create stuff in the directory.
It may be too hard for syzkaller to generate all these steps, which may
explain why syzbot isn't yet properly covering the fscrypt code; see
https://storage.googleapis.com/syzkaller/cover/ci-upstream-kasan-gce.html
which currently shows only 5% coverage of the fs/crypto/ directory.
Therefore add some test programs which do this setup on ext4 and f2fs.
Note that ubifs support can't be included yet because syzkaller doesn't
yet know how to mount an ubifs filesystem (which would likely require
using block2mtd, as ubifs uses MTD devices rather than block devices).
|
| |
|
|
|
|
|
| |
These have some non-trivial effects like compacting memory
or changing TCP parameters in realistic ways.
Fixes #1671
|
| |
|
|
|
|
| |
Add per-field direction attributes to the fields in fscrypt ioctl
argument structs, where the struct is marked as "inout" but the
individual fields should be either "in" or "out" (not both).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add some sample keys with their precomputed fscrypt key identifiers, and
add some sample fscrypt key descriptors.
This hopefully makes it much more likely that syzkaller will generate
programs that both add an encryption key to the kernel
(FS_IOC_ADD_ENCRYPTION_KEY or add_key$fscrypt_v1) *and* create a
directory that is encrypted using that key (mkdir() +
FS_IOC_SET_ENCRYPTION_POLICY). Doing this requires matching up the
value of the fscrypt key identifier or the fscrypt key descriptor.
|
| |
|
|
|
|
|
| |
Add a syscall "add_key$fscrypt_v1" which describes the old way of adding
fscrypt keys. Previously only the new way (FS_IOC_ADD_ENCRYPTION_KEY)
was described. Keys added by "add_key$fscrypt_v1" can be referred to
later in the fscrypt_policy_v1 passed to FS_IOC_SET_ENCRYPTION_POLICY.
|
| |
|
|
|
|
|
| |
Make ioctls take fd_dir rather than fd when they are primarily intended
to be used on directories. Especially for FS_IOC_SET_ENCRYPTION_POLICY,
this should increase the chance that syzkaller does something useful
with these ioctls.
|
| | |
|
| |
|
|
|
| |
Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba.
These consts were removed from txt files recently.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder
for options (none implemented yet).
This adds instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement of
the Intel XED library for POWERPC (gapstone-capstone, later, may be).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
| |
There is no point in having flags when values are equal.
This can only mean a typo or other bug. Check for such cases
and fix 3 existing precedents.
|
| |
|
|
|
| |
Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba.
Fix vmw_vmci.txt const extraction.
|
| |
|
|
|
|
|
| |
These new fields were introduced in commit 1b4d60e ("bpf: Enable
BPF_PROG_TEST_RUN for raw_tracepoint") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
|
| |
These two fields are not used in the BPF_PROG_GET_FD_BY_ID bpf(2) command.
See BPF_PROG_GET_FD_BY_ID_LAST_FIELD upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
|
| |
This new ld_imm instruction was introduced in commit 4976b71 ("bpf:
Introduce pseudo_btf_id") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
|
|
| |
This new command was introduced in commit ef15314 ("bpf: Add
BPF_PROG_BIND_MAP syscall") upstream. The flags field is not currently
used.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
|
| |
This new command was introduced in commit 73b11c2 ("bpf: Add support for
forced LINK_DETACH command") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://lore.kernel.org/linuxppc-dev/20190418100218.0a4afd51@mschwideX1/
The test triggers this bug:
[ 224.294341] ==================================================================
[ 224.294389] BUG: KASAN: stack-out-of-bounds in gup_pgd_range+0x124a/0x1398
[ 224.294405] Read of size 8 at addr 000003e002e8f3d8 by task gup_fast_regr-s/633
[ 224.294417]
[ 224.294431] CPU: 0 PID: 633 Comm: gup_fast_regr-s Not tainted 5.9.0-rc6 #1
[ 224.294443] Hardware name: IBM 8561 T01 701 (KVM/Linux)
[ 224.294454] Call Trace:
[ 224.294470] [<0000000047708384>] show_stack+0x174/0x220
[ 224.294488] [<000000004bbcfb9c>] dump_stack+0x274/0x2f8
[ 224.294506] [<0000000047f4e8e6>] print_address_description.constprop.0+0x5e/0x550
[ 224.294523] [<0000000047f4e4ea>] kasan_report+0x11a/0x168
[ 224.294538] [<0000000047e4a77a>] gup_pgd_range+0x124a/0x1398
[ 224.294554] [<0000000047e4cbea>] internal_get_user_pages_fast+0x212/0x460
[ 224.294571] [<0000000047e4cf10>] get_user_pages_fast+0x70/0xb0
[ 224.294588] [<0000000049886cee>] iov_iter_get_pages+0x2d6/0xdf0
[ 224.294605] [<000000004974aaca>] bio_iov_iter_get_pages+0x2ca/0x1088
[ 224.294623] [<0000000048210282>] iomap_dio_bio_actor+0x8e2/0x1118
[ 224.294638] [<0000000048210b64>] iomap_dio_actor+0xac/0x550
[ 224.294655] [<000000004820212a>] iomap_apply+0x21a/0x9d0
[ 224.294670] [<00000000482118ae>] iomap_dio_rw+0x7c6/0x11e8
[ 224.294689] [<0000000048374ca8>] ext4_file_read_iter+0x4b0/0x638
[ 224.294707] [<0000000047fd85ec>] new_sync_read+0x444/0x6d0
[ 224.294722] [<0000000047fde212>] vfs_read+0x2c2/0x4e0
[ 224.294737] [<0000000047fdf3ba>] ksys_read+0x16a/0x298
[ 224.294754] [<000000004bc37ee8>] system_call+0xdc/0x298
[ 224.294794]
[ 224.294800]
[ 224.294809] addr 000003e002e8f3d8 is located in stack of task gup_fast_regr-s/633 at offset 72 in frame:
[ 224.294827] gup_pgd_range+0x0/0x1398
[ 224.294837]
[ 224.294844] this frame has 3 objects:
[ 224.294854] [32, 40) 'pgd'
[ 224.294858] [64, 72) 'p4d'
[ 224.294867] [96, 104) 'pud'
[ 224.294874]
[ 224.294885] Memory state around the buggy address:
[ 224.294900] 000003e002e8f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294915] 000003e002e8f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294930] >000003e002e8f380: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3
[ 224.294943] ^
[ 224.294957] 000003e002e8f400: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294972] 000003e002e8f480: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00
[ 224.294984] ==================================================================
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
80211_setup_station is extended with frame injections and delays that
are arranged in such a way that the device successuflly joins an
access point.
80211_scan is a new test that starts a channel scan and then injects a
beacon and a probe response.
These additions were tested manually and were observed to fulfill
their purpose.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit enables accurate generation of 802.11 frames for
injection. The descriptions only include frames/fields/elements that
are supported by mac80211.
Also, this commit includes fixes to tests that were affected by
modification of the existing descriptions.
The validity of the frames was verified by capturing the generated
packets and examining them in Wirehark.
|
| | |
|
| |
|
|
|
|
| |
1. A runtest that sets up an access point.
2. A runtest that configures a station.
3. A runtest that configures a mesh device.
|
| |
|
|
|
| |
Completed netlink descriptions for nl80211. Verified by executing
syzkaller locally and exploring coverage of the corresponding code.
|
| | |
|
| |
|
|
|
| |
This modification allows to remove [opt] modified for all uses of
ifreq_dev_t and ifreq_t
|
