path: root/sys/linux

Commit log, newest first. Each entry gives the subject, then (author, date; files changed, lines removed/added), followed by the commit message body.
* sys/linux: use the same device in the binder seed (Aleksandr Nogikh, 2025-09-23; 1 file, -1/+1)
  Otherwise the two instances can't communicate.

* prog: fix syz_kfuzztest_run allocation strategy (Ethan Graham, 2025-09-22; 1 file, -1/+1)
  Previously, the generated KFuzzTest programs were reusing the address of the top-level input struct. A problem could arise when the encoded blob is large and overflows into another allocated region - this certainly happens in the case where the input struct points to some large char buffer, for example. While this wasn't directly a problem, it could lead to racy behavior when running KFuzzTest targets concurrently.

  To fix this, we now introduce an additional buffer parameter into syz_kfuzztest_run that is as big as the maximum accepted input size in the KFuzzTest kernel code. When this buffer is allocated, we ensure that we have some allocated space in the program that can hold the entire encoded input.

  This works in practice, but has not been tested with concurrent KFuzzTest executions yet.

* kfuzztest: introduce syz_kfuzztest_run pseudo-syscall (Ethan Graham, 2025-09-22; 1 file, -0/+4)
  Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding logic.

  KFuzzTest targets, which are invoked in the executor with the new syz_kfuzztest_run pseudo-syscall, require specialized encoding. To differentiate KFuzzTest calls from standard syzkaller calls, we introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller descriptions that can be used to annotate calls.

  Signed-off-by: Ethan Graham <ethangraham@google.com>

* sys/linux: use SOL_TLS for TLS setsockopt calls (Aleksandr Nogikh, 2025-09-22; 2 files, -4/+5)
  This is the proper level for TLS_RX/TLS_TX opts.

* sys/linux: use stringnoz in setsockopt (Aleksandr Nogikh, 2025-09-22; 1 file, -4/+4)
  The syscall expects non-zero terminated strings.

* sys/linux/test: add amd64-syz_kvm_setup_syzos_vm-hlt (Alexander Potapenko, 2025-09-19; 1 file, -0/+17)
  The new test validates that KVM exits with KVM_EXIT_HLT when encountering the x86 HLT instruction.

* sys/linux/test: add tests for SYZOS_API_WR_DRN (Alexander Potapenko, 2025-09-19; 2 files, -0/+44)
* sys/linux: rework ioctl$KVM_SET_GUEST_DEBUG (Alexander Potapenko, 2025-09-19; 5 files, -5/+30)
  This ioctl accepts an arch-specific struct as an argument, so better split it into several arch-specific ioctls.

  To avoid compilation errors on exotic arches like MIPS, this patch also adds sys/linux/dev_kvm_extra.txt that takes care of them.

  While at it, also define KVM_GUESTDBG_USE_HW.

* sys/linux: executor: add IN_DX and OUT_DX to SYZOS x86 API (Alexander Potapenko, 2025-09-19; 2 files, -0/+35)
  Add SYZOS calls that correspond to the IN and OUT x86 instructions that perform port I/O. These instructions have different variants, for now we just implement the one that takes the port number from DX instead of encoding it in the opcode.

* sys/linux: executor: implement SYZOS_API_WR_DRN on x86 (Alexander Potapenko, 2025-09-19; 1 file, -0/+7)
  Add a SYZOS call to write to one of the debug registers (DR0-DR7).

* sys/linux/test: add syz_kvm_assert_syzos_kvm_exit() to amd64 tests (Alexander Potapenko, 2025-09-19; 3 files, -3/+16)
  Not strictly necessary, because syz_kvm_assert_syzos_uexit() is checking the exit reason, but should test the pseudo-syscall itself.

* executor: sys/linux/: pkg/runtest: pkg/vminfo: add syz_kvm_assert_syzos_kvm_exit (Alexander Potapenko, 2025-09-19; 2 files, -0/+2)
  Implement a pseudo-syscall to check the value of kvm_run.exit_reason

* sys/linux/test: fix regression tests (Alexander Potapenko, 2025-09-09; 3 files, -3/+18)
  This is a best-effort attempt to fix the tests passing ANY arguments to the syz_kvm_add_vcpu$arm64() syscall.

* sys/linux: apply no_squash to syz_kvm_add_vcpu (Alexander Potapenko, 2025-09-09; 2 files, -2/+4)
  Not passing flattened arguments to syz_kvm_add_vcpu() serves two purposes:
  - makes it easier to reason about the SYZOS program contents;
  - prevents nonsensical mutations of them.
* tools/syz-imagegen: rework ext4 flags (Aleksandr Nogikh, 2025-08-29; 63 files, -126/+126)
  Transform the hard-coded list of feature combinations in to individual groups of features.

* sys/linux: patch in hardcoded USB IDs for USB printer driver (Andrey Konovalov, 2025-08-21; 1 file, -9/+27)
  Some USB drivers contain quirks (special handling code) for USB devices with specific USB IDs. Sometimes the IDs for these quirks are encoded in the driver matching rules (and thus are auto-extracted into sys/linux/init_vusb_ids.go), but sometimes these IDs are hardcoded in the driver itself.

  This patch extends the generateUsbPrinterDeviceDescriptor function to also sometimes generate USB IDs to exercise the hardcoded quirks for the USB printer class.

  Similar functionality can be implemented for other USB drivers later.

* sys/linux: patch in auto-extracted USB IDs for printer class (Andrey Konovalov, 2025-08-21; 2 files, -29/+83)
  This allows exercising driver quirks that might be defined in the matching rules (the printer driver does not actually define any yet, but this change serves as a reference for doing this for other drivers).

  Only patch in the IDs that are used in the matching rules of the printer driver in the kernel. Patching other IDs might subvert the kernel into matching the emulated device to a different driver.

* sys/linux: reorganize generateUsbDeviceDescriptor (Andrey Konovalov, 2025-08-21; 1 file, -8/+12)
  Introduce a helper function to make the following changes cleaner.

  No functional changes.

* tools/usbgen: extract driver names (Andrey Konovalov, 2025-08-21; 2 files, -9217/+9973)
  Change the kernel patch and the syz-usbgen tool to split the extracted USB IDs by the driver they belong to. This will allow for a more precise patching of class/driver-specific USB descriptors.

  Also update USB IDs with Linux kernel 6.16.

* sys/linux: add basic examples of vusb variants (fellair, 2025-08-20; 5 files, -0/+309)
  This change is the first step in addressing issue [1].

  Despite syzkaller's best efforts, some usb drivers are proving resistant to attempts to probe them. Specifically, crafted devices are not accurate enough to bypass checks in probe(). These checks mostly deal with usb interfaces and endpoints.

  One way to address this issue is to define syz_connect_* calls variants to help syzkaller succeed probing by describing in detail various device attributes.

  Start by describing such calls for select drivers, each representing its own category of sorts. At the moment, code coverage for these drivers is unimpressive:
  - rtl8150
    Used to succeed probing until a better usb endpoint check was implemented.
  - sierra_net
    Same as rtl8150. Depends on usbnet API for bind() and usb ep checks.
  - lan78xx
    Requires numerous control requests between driver and device DURING probe. Extra descriptions are helpful but are not enough to fully complete probing process.

  Also, add a seed for each such example.

  This is only a stepping stone to improve usb fuzzing results and most likely will be subject to change in the future.

  [1] https://github.com/google/syzkaller/issues/6206
* sys/linux: regenerate bcachefs images (Aleksandr Nogikh, 2025-07-28; 8 files, -11/+11)
  Use the latest version of bcachefs-tools.

  See the discussion at https://groups.google.com/g/syzkaller/c/Vek7-974kJI/m/8TrKOiz6AgAJ

* sys/linux: executor: implement SYZOS_API_WR_CRN on x86 (Alexander Potapenko, 2025-07-24; 1 file, -0/+9)
  Add a SYZOS call to write to one of the system registers (CR0, CR2, CR3, CR4, CR8).

* sys/linux/test: add test for wrmsr/rdmsr on x86 (Alexander Potapenko, 2025-07-24; 1 file, -0/+17)
  amd64-syz_kvm_setup_syzos_vm-wrmsr-rdmsr is a test executing SYZOS_API_WRMSR and SYZOS_API_RDMSR on x86.

* executor: sys/linux/dev_kvm_amd64.txt: implement rdmsr/wrmsr (Alexander Potapenko, 2025-07-24; 1 file, -0/+11)
  Let SYZOS execute RDMSR and WRMSR on x86.

* executor: sys/linux: use sparse IDs for SYZOS API (Alexander Potapenko, 2025-07-24; 1 file, -2/+2)
  Like we already do on ARM, use prime numbers multiplied by 10 for SYZOS API IDs to prevent the compiler from emitting a jump table in guest_main().

* sys/linux/dev_kvm_amd64.txt: fix KVM_X86_GET_MCE_CAP_SUPPORTED (Alexander Potapenko, 2025-07-21; 1 file, -1/+1)
  This is a system ioctl

* sys/linux/dev_kvm_amd64.txt: fix KVM_GET_LAPIC (Alexander Potapenko, 2025-07-21; 2 files, -2/+3)
  Use output parameter instead of an input one. Use a KVM constant for array size.

  See https://docs.kernel.org/virt/kvm/api.html#kvm-get-lapic

* sys/linux/dev_kvm_amd64.txt: fix KVM_GET_XCRS (Alexander Potapenko, 2025-07-21; 2 files, -3/+5)
  See https://docs.kernel.org/virt/kvm/api.html#kvm-get-xcrs

* sys/linux/dev_kvm.txt: define KVM_GET_STATS_FD (Alexander Potapenko, 2025-07-21; 2 files, -0/+3)
  This is mostly for the sake of completeness, other KVM ioctls do not interact with the created FD anyway.

* sys/linux/dev_kvm_amd64.txt: fix KVM_GET_MSRS (Alexander Potapenko, 2025-07-21; 1 file, -1/+3)
  KVM_GET_MSRS can be both a system and a vcpu ioctl

* sys/linux/dev_kvm_amd64.txt: fix KVM_SET_TSC_KHZ and KVM_GET_TSC_KHZ (Alexander Potapenko, 2025-07-21; 1 file, -2/+5)
  Both KVM_SET_TSC_KHZ and KVM_GET_TSC_KHZ are vcpu and vm ioctls.

* sys/linux/dev_kvm_amd64.txt: define KVM_GET_SREGS2 and KVM_SET_SREGS2 (Alexander Potapenko, 2025-07-18; 2 files, -0/+33)
  See https://docs.kernel.org/virt/kvm/api.html#kvm-get-sregs2
* sys/linux/dev_kvm_amd64.txt: define KVM_MEMORY_ENCRYPT_REG_REGION and KVM_MEMORY_ENCRYPT_UNREG_REGION (Alexander Potapenko, 2025-07-18; 2 files, -2/+14)
  See https://docs.kernel.org/virt/kvm/api.html#kvm-memory-encrypt-reg-region

* sys/linux/dev_kvm_amd64.txt: define KVM_X86_SET_MSR_FILTER (Alexander Potapenko, 2025-07-18; 2 files, -0/+25)
  See https://docs.kernel.org/virt/kvm/api.html#kvm-x86-set-msr-filter

* sys/linux: fix inout parameters for certain KVM ioctls (Alexander Potapenko, 2025-07-18; 3 files, -9/+15)
  For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt lists their parameters as "in/out". Change their descriptions to reflect that.

  Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID

* sys/linux/dev_kvm.txt: allow passing VM type to KVM_CREATE_VM (Alexander Potapenko, 2025-07-18; 1 file, -1/+3)
  This should increase SEV coverage on AMD, also reach some dusty corners on ARM.

* sys/linux/dev_kvm_amd64.txt: minor fixes for SEV (Alexander Potapenko, 2025-07-18; 1 file, -5/+6)
  make sev_handle a resource

* sys/linux: drop the "debug" mount option for gfs2 (Aleksandr Nogikh, 2025-07-17; 1 file, -1/+1)
  This is equivalent to errors=panic.

* sys/linux: add support for KVM_MEMORY_ENCRYPT_OP (Marios Pomonis, 2025-07-16; 2 files, -0/+223)
  This patch adds the necessary descriptions for KVM_MEMORY_ENCRYPT_OP that currently is not supported.
* sys/linux/test: improve landlock_ptrace (Mickaël Salaün, 2025-07-09; 1 file, -3/+6)
  When running syz-manager with -mode run-tests --tests landlock_ptrace -debug we get this result:

  executing program
  ### start
  ### call=0 errno=0
  ### call=1 errno=0
  ### call=2 errno=0
  ### call=3 errno=0
  ### call=4 errno=3
  ### call=5 errno=0
  ### call=6 errno=0
  ### call=7 errno=0
  ### call=8 errno=1
  ### call=9 errno=0
  ### call=10 errno=0
  ### call=11 errno=3
  ### call=12 errno=0
  ### call=13 errno=0
  ### call=14 errno=1
  ### call=15 errno=3
  ### call=16 errno=1
  ### call=17 errno=0
  ### call=18 errno=3
  executing program
  ### start
  ### call=0 errno=0
  ### call=1 errno=0
  ### call=2 errno=0
  ### call=3 errno=0
  ### call=4 errno=0
  ### call=5 errno=0
  ### call=6 errno=0
  ### call=7 errno=0
  ### call=8 errno=1
  ### call=9 errno=3
  ### call=10 errno=0
  ### call=11 errno=3
  ### call=12 errno=0
  ### call=13 errno=0
  ### call=14 errno=1
  ### call=15 errno=3
  ### call=16 errno=1
  ### call=17 errno=0
  ### call=18 errno=3
  executing program
  ### start
  ### call=0 errno=0
  ### call=1 errno=0
  ### call=2 errno=0
  ### call=3 errno=0
  ### call=4 errno=3
  ### call=5 errno=0
  ### call=6 errno=0
  ### call=7 errno=0
  ### call=8 errno=1
  ### call=9 errno=0
  ### call=10 errno=0
  ### call=11 errno=3
  ### call=12 errno=0
  ### call=13 errno=0
  ### call=14 errno=1
  ### call=15 errno=3
  ### call=16 errno=1
  ### call=17 errno=0
  ### call=18 errno=3

  Because this test spawns two threads, the ptrace(2) returned code may be different according to the calling thread. Set the common EPERM errnos for all three threads (EINTR is unknown to syzkaller). The other returned codes cannot be fixed because we cannot have a set of valid errno for the same call.

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

* sys/linux/test: fix landlock_fs_ioctl (Mickaël Salaün, 2025-07-09; 1 file, -4/+4)
  When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug we get this result:

  #0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
  #0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
  #0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
  #0 [1300ms] <- ioctl=0x0
  [...]
  landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13

  The ioctl call returns EFAULT instead of EACCES. Change this test to create a /dev/null device and use a valid device IOCTL.

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
* sys/linux: update userfaultfd descriptions (fellair, 2025-07-03; 2 files, -0/+32)
  Add 2 regular missing ioctl syscalls:
  - UFFDIO_MOVE
  - UFFDIO_POISON

  Add USERFAULTFD_IOC_NEW ioctl that allows to procure userfaultfds by way of accessing /dev/userfaultfd.

  No other descriptions are touched, neither are any config options.

  Tested on local x86_64 syzkaller instance with enabled_syscalls[] option turned on.

* sys/linux/test: fix sandbox restrictions for Landlock tests (Mickaël Salaün, 2025-07-03; 3 files, -9/+0)
  The setuid sandboxes are not correct because some tests require mount. Let's make it simple and remove them. After all, Landlock is available to any user.

  Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

* sys/linux: add descriptions for COMEDI devices (fellair, 2025-07-03; 2 files, -0/+275)
  Currently, only usb COMEDI drivers are covered thanks to external usb fuzzing approach. However, that still leaves /dev/comedi# devices untested, thus this change.

  There are 2 ways to make kernel spawn comedi devices. First, it seems that one is created once driver identifies available hardware. Second, provided a kernel parameter comedi.comedi_num_legacy_minors=N is set, the same number of manually configurable devices are created, allowing for configuration using one of the IOCTLs.

  Both scenarios do not allow for particularly deep fuzzing as lack of necessary hardware will inevitably stop any exploration short. Still, it is a start.

  What is added:
  - Descriptions for all COMEDI-related IOCTLs and structures. Some arbitrary limits were set on array and list sizes, otherwise numerous, overly greedy kmallocs slow down fuzzing with constant warnings.
  - List COMEDI devices to open. A hardcoded list of device names is the best we can do at this point. First few devs are for manual configuration (see comedi_num_legacy_minors=N), others - for dynamic ones (N+1, N+2 etc).
  - List manually configurable drivers. COMEDI_DEVCONFIG ioctl takes a driver name from a list of those that supposedly can be set up that way. No reason to try others.

  Tested on a local x86_64 syzkaller instance with enabled_syscalls[].

* sys/linux: add descriptions for BSG devices (fellair, 2025-06-23; 3 files, -1/+107)
  BSG is a block layer version of SG driver with its own devices, which can be found in /dev/bsg/*. Currently, syzkaller barely touches related code in block/ and drivers/scsi/ source directories, so update the descriptions to nudge the fuzzer in the right direction. Specifically,
  - create a separate description file dev_bsg.txt;
  - move openat$bsg from sys.txt and fix the way devices in question are accessed;
  - describe necessary syscalls and structs, most importantly, sg_io_v4.
  - add a few TODOs to address later.

  A few words about flaws in sg_io_v4 description: Some fields were left more ambiguous than desired. Once more research into the way bsg operates is done, as well as related coverage is gathered, those flaws will be corrected.

* sys/linux: update descriptions in dev_block.txt (fellair, 2025-06-16; 2 files, -4/+58)
  A few things done here:
  - Add new block device ioctls (and structs) related to encryption, added in 1ebd4a3c095c ("blk-crypto: add ioctls to create and prepare hardware-wrapped keys"):
      BLKCRYPTOIMPORTKEY
      BLKCRYPTOGENERATEKEY
      BLKCRYPTOPREPAREKEY
    Deviate slightly from original keys-related structs to ensure that ioctl syscalls have preallocated buffers to work with, not merely pointers that go nowhere.
  - Add and update new/missing syscalls related to zoned block devices:
      BLKGETZONESZ
      BLKGETNRZONES
      BLKOPENZONE
      BLKCLOSEZONE
      BLKFINISHZONE
  - Add a few other missing syscalls, such as BLKRASET.
  - Fix some syscalls' directions (mostly, to 'inout').
* all: fix typos (Roman A, 2025-06-16; 1 file, -1/+1)

* sys/linux/dev_kvm_amd64.txt: define KVM_MAX_IRQ_ROUTES (Alexander Potapenko, 2025-06-13; 1 file, -0/+2)
  Somehow syz-extract is unable to infer KVM_MAX_IRQ_ROUTES on x86, hardcode it.

* sys/linux/dev_kvm_arm64.txt: add KVM_ARM_VCPU_HAS_EL2 (Alexander Potapenko, 2025-06-13; 2 files, -2/+5)
  Let bare-metal instances with EL2 support take advantage of NV.

* executor: arm64: syzos: add SYZOS_API_ERET, SYZOS_API_SVC (Alexander Potapenko, 2025-06-13; 1 file, -0/+2)
  We expect these commands to reach some NV coverage