A few things done here:
- Add new block device ioctls (and structs) related to encryption,
added in 1ebd4a3c095c ("blk-crypto: add ioctls to create and
prepare hardware-wrapped keys"):
BLKCRYPTOIMPORTKEY
BLKCRYPTOGENERATEKEY
BLKCRYPTOPREPAREKEY
Deviate slightly from original keys-related structs to ensure that
ioctl syscalls have preallocated buffers to work with, not merely
pointers that go nowhere.
- Add and update new/missing syscalls related to zoned block devices:
BLKGETZONESZ
BLKGETNRZONES
BLKOPENZONE
BLKCLOSEZONE
BLKFINISHZONE
- Add a few other missing syscalls, such as BLKRASET.
- Fix some syscalls' directions (mostly, to 'inout').
Somehow syz-extract is unable to infer KVM_MAX_IRQ_ROUTES on x86,
hardcode it.
Let bare-metal instances with EL2 support take advantage of NV.
We expect these commands to reach some NV coverage
A few things done here:
- Add new userspace-driven ioctls (and necessary structs as well):
SNDRV_TIMER_IOCTL_CREATE
SNDRV_TIMER_IOCTL_TRIGGER
- Change a few object pointers' directions to better reflect their
intent (mostly inout).
- Split old SNDRV_TIMER_IOCTL_TREAD into two:
SNDRV_TIMER_IOCTL_TREAD_OLD and SNDRV_TIMER_IOCTL_TREAD64 the way
it is done in the kernel.
- Remove TODO descriptions concerning SNDCTL_TMR_START etc. as they
are described elsewhere, and as far as I can tell, are not necessary
here.
/dev/rnullb{} is the Rust implementation of the null block driver.
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
When compiling SYZOS into the executor binary, the compiler often
attempts to emit a jump table, putting it into the data section
of the executor. SYZOS is unable to access that data and crashes.
Use primes multiplied by 10 to defeat the compiler's heuristics
for jump table emission.
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
$ wc -l sys/linux/auto.*.info
4680 sys/linux/auto.txt.info
8471 sys/linux/auto.allyes.txt.info
Add open callback if there are no other unique callbacks.
This happens for e.g. seq files which only have unique open,
while read is a common seq_read callback.
Use resolved Function references instead of string names for fileops
callback resolution. Function names are not unique, a number of callbacks
have the same names.
Currently we misparse some function references, e.g. for:
.write = (foo) ? bar : baz,
we extract "foo". Extract first function reference from such expressions.
Some ioctls are declared inconsistently using enums rather than macros.
Extract these as well.
Add coverage percent for kernel interfaces.
The current data is generated with Mar coverage report
on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
Export each syscall variant (e.g. fcnt$*) as a separate interface.
Effectively these are separate syscalls. We will want this for
ioctl as well (it's not 1 interface).
Use scope-based dataflow analysis for syscall variants (including ioctls).
As a result we only consider code that relates to a particular command/ioctl,
and can infer arguments/return types for each command/ioctl independently.
Update auto.txt and consts on v6.15-rc1.
Definitions for attribute `NBD_ATTR_SOCKETS`, `NL80211_ATTR_BSS_SELECT`,
`NL80211_ATTR_PEER_MEASUREMENTS`, and `NL80211_ATTR_SCHED_SCAN_MATCH`
have some errors.
Fix them carefully. Check the related parse functions nbd_genl_reconfigure,
parse_bss_select, nl80211_pmsr_start and nl80211_parse_sched_scan for
details.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
This commit removes CRYPTO_ALG_TYPE_COMPRESS from socket_alg.txt since
it was recently removed from the kernel source tree
(fce8b8d crypto: remove obsolete 'comp' compression API). It also
updates a number of other consts that `make extract` detected.
Add the new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_ON flags for landlock_restrict_self(2)
from Linux 6.15 (audit support for Landlock).
Also add the LANDLOCK_CREATE_RULESET_VERSION and
LANDLOCK_CREATE_RULESET_ERRATA flags for landlock_create_ruleset(2).
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even provided we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
Use function scope information extracted in the previous commit
to infer multiplexed syscalls (fcntl, prctl, ...) and infer
their arguments.
Descriptions generated on Linux commit c4b9570cfb63501.
Extract info about function scopes formed by switch'es on function arguments.
For example if we have:
void foo(..., int cmd, ...)
{
...
switch (cmd) {
case FOO:
... block 1 ...
case BAR:
... block 2 ...
}
...
}
We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows us to do 3 things:
1. Locate ioctl commands that are switched on within transitively
called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow to infer other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As the result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfi and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfit, two seeds that
exercise the WFxT path in KVM.
When using QEMU full emulation mode, the majority of the system
registers (as defined in sys/linux/dev_kvm.txt:kvm_regs_arm64_sys) are
not accessible (i.e. only 77/592 trigger kvm_handle_sys_reg()). This series of
tests performs MSR accesses to the accessible registers.
Add support for the MRS instruction in a similar manner to MSR.
sys/linux: run make extract
sys/linux: add Descriptions for Mali GPU Driver
sys/linux: add Descriptions for Mali GPU Driver
sys/linux: add descriptions for Mali Driver
sys/linux: add descriptions for Mali Driver
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu, a seed that
enables PMU and touches PMEVCNTR0_EL0.
It was inspired by https://github.com/google/syzkaller/pull/5582
and led to a notable (+500) coverage increase, as the fuzzer couldn't
previously guess that it should pass KVM_ARM_VCPU_PMU_V3 when creating
the vCPU and set the KVM_ARM_VCPU_PMU_V3_INIT attribute at the same time.
Make sure the SyzOS test correctly sets the value of VBAR_EL1.
Add a pseudo-syscall to assert on register values.
Use data flow analysis to infer syscall argument, return value,
and struct field types.
See the comment in pkg/declextract/typing.go for more details.
The check did not actually match any header files.
Fix the check.
Remove constants that are already covered by arm64_bitmap and arm64_fw in kvm_one_reg.
We use auto_todo type as an element of array for void*.
array[int8] is lowered to the buffer type, which is much
better handled by the fuzzer engine + closer resembles real blobs.
Declare register classes for Bitmap, FW, SVE registers.
Also move generation of CCSIDR, FP and core registers from registers.go
to the text description.
This is a side-effect of making auto descriptions use sockaddr
(it contains nfc_dev_id).
Emit descriptions for special files in /dev, /sys, /proc, and ./.
pkg/declextract combines file_operations info produced by the clang tool
with the dynamic probing info produced by pkg/ifaceprobe in order
to produce complete descriptions for special files.
Emit families w/o policy, emit duplicate commands.