Some ioctls are declared inconsistently using enums rather than macros.
Extract these as well.
Add coverage percent for kernel interfaces.
The current data is generated with Mar coverage report
on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
Export each syscall variant (e.g. fcnt$*) as a separate interface.
Effectively these are separate syscalls. We will want this for
ioctl as well (it's not 1 interface).
Use scope-based dataflow analysis for syscall variants (including ioctls).
As a result we only consider code that relates to a particular command/ioctl,
and can infer arguments/return types for each command/ioctl independently.
Update auto.txt and consts on v6.15-rc1.
Definitions for attribute `NBD_ATTR_SOCKETS`, `NL80211_ATTR_BSS_SELECT`,
`NL80211_ATTR_PEER_MEASUREMENTS`, and `NL80211_ATTR_SCHED_SCAN_MATCH`
have some errors.
Fix them carefully. Check the related parse functions nbd_genl_reconfigure,
parse_bss_select, nl80211_pmsr_start and nl80211_parse_sched_scan for
details.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
This commit removes CRYPTO_ALG_TYPE_COMPRESS from socket_alg.txt since
it was recently removed from the kernel source tree
(fce8b8d crypto: remove obsolete 'comp' compression API). It also
updates a number of other consts that make extract detected.
Add the new LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_ON flags for landlock_restrict_self(2)
from Linux 6.15 (audit support for Landlock).
Also add the LANDLOCK_CREATE_RULESET_VERSION and
LANDLOCK_CREATE_RULESET_ERRATA flags for landlock_create_ruleset(2).
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfe and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfet, two seeds that exercise the
WFxT path in KVM.
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even provided we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
Use function scope information extracted in the previous commit
to infer multiplexed syscalls (fcntl, prctl, ...) and infer
their arguments.
Descriptions generated on Linux commit c4b9570cfb63501.
Extract info about function scopes formed by switch'es on function arguments.
For example if we have:
void foo(..., int cmd, ...)
{
...
switch (cmd) {
case FOO:
... block 1 ...
case BAR:
... block 2 ...
}
...
}
We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows us to do 3 things:
1. Locate ioctl commands that are switched on within transitively
called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow to infer other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As a result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfi and
sys/linux/test/arm64-syz_kvm_setup_syzos_vm-wfit, two seeds that
exercise the WFxT path in KVM.
When using QEMU full emulation mode, the majority of the system
registers (as defined in sys/linux/dev_kvm.txt:kvm_regs_arm64_sys) are
not accessible (i.e. only 77/592 trigger kvm_handle_sys_reg()). This series of
tests performs MSR accesses to the accessible registers.
Add support for the MRS instruction in a similar manner to MSR.
sys/linux: run make extract
sys/linux: add Descriptions for Mali GPU Driver
sys/linux: add Descriptions for Mali GPU Driver
sys/linux: add descriptions for Mali Driver
sys/linux: add descriptions for Mali Driver
Add sys/linux/test/arm64-syz_kvm_setup_syzos_vm-enable-pmu, a seed that
enables PMU and touches PMEVCNTR0_EL0.
It was inspired by https://github.com/google/syzkaller/pull/5582
and led to a notable (+500) coverage increase, as the fuzzer couldn't
previously guess that it should pass KVM_ARM_VCPU_PMU_V3 when creating
the vCPU and set the KVM_ARM_VCPU_PMU_V3_INIT attribute at the same time.
Make sure the SyzOS test correctly sets the value of VBAR_EL1.
Add a pseudo-syscall to assert on register values.
Use data flow analysis to infer syscall argument, return value,
and struct field types.
See the comment in pkg/declextract/typing.go for more details.
The check did not actually match any header files.
Fix the check.
Remove constants that are already covered by arm64_bitmap and arm64_fw in kvm_one_reg.
We use the auto_todo type as the array element type for void*.
array[int8] is lowered to the buffer type, which is much
better handled by the fuzzer engine and more closely resembles real blobs.
Declare register classes for Bitmap, FW, SVE registers.
Also move generation of CCSIDR, FP and core registers from registers.go
to the text description.
This is a side-effect of making auto descriptions use sockaddr
(it contains nfc_dev_id).
Emit descriptions for special files in /dev, /sys, /proc, and ./.
pkg/declextract combines file_operations info produced by the clang tool
with the dynamic probing info produced by pkg/ifaceprobe in order
to produce complete descriptions for special files.
Emit families w/o policy, emit duplicate commands.
Emit all information related to a single netlink family close to each other.
Previously we emitted them scattered and grouped by info type.
That was both inconvenient to emit and inconvenient to read.
NFC.
Currently we append "$auto", or "$auto_record", or prepend "auto_",
or insert "auto" somewhere in the middle.
Use more consistent naming: always append "$auto".
syz-declextract accumulated a bunch of code health problems,
so that now it's hard to change/extend it; lots of new features
can only be added in hacky ways and cause lots of code duplication.
It's also completely untested. Rewrite the tool to:
- move as much code as possible to Go (working with the clang tool
is painful for a number of reasons)
- allow testing and add unit tests (first layer of tests test
what information is produced by the clang tool, second layer
of tests test how that information is transformed to descriptions)
- allow extending the clang tool output to export arbitrary info
in a non-hacky way (now it produces arbitrary JSON instead of a mix
of incomplete descriptions and interfaces)
- remove code duplication in the clang tool and provide common
infrastructure to add new analysis w/o causing more duplication
- provide more convenient primitives in the clang tool
- improve code style consistency and stick to the LLVM code style
(in particular, variable names must start with a capital letter,
single-statement blocks are not surrounded with {})
- remove intermixing of code that works on different levels
(currently we have AST analysis + business logic + printfs
all intermixed with each other)
- provide several helper Go packages for better code structuring
(e.g. pkg/clangtool just runs the tool on source files in parallel
and returns results, this already separates a bunch of low-level
logic from the rest of the code under a simple abstraction)
I've tried to make the output match the current output as much as possible
so that the diff is manageable (in some cases at the cost of code quality,
this should be fixed in future commits). There are still some differences,
but hopefully they are manageable for review (more includes/defines,
reordered some netlink attributes).
Minor bugs are fixed along the way, but mostly NFC:
1. Some unions were incorrectly emitted as [varlen]
(C unions are never varlen).
2. Only one of the [packed], [align[N]] attributes was emitted
for a struct (both couldn't be emitted).
Mark the whole file with "meta automatic" instead of marking each syscall.
This reduces the size of descriptions and allows us to do special things
with the whole file (e.g. we already treat auto consts specially).
The new pseudo-syscall will serve as a test assertion, checking the uexit
return value. This is going to help us validate SyzOS code.
Syscall attributes are extended with a fsck command field which lets
file system mount definitions specify a fsck-like command to run. This
is required because all file systems have a custom fsck command
invocation style.
When uploading a compressed image asset to the dashboard, syz-manager
also runs the fsck command and logs its output over the dashapi.
The dashboard logs these fsck logs into the database.
This has been requested by fs maintainer Ted Tso, who would like to
quickly understand whether a filesystem is corrupted or not before
looking at a reproducer in more detail. Ultimately, this could be used
as an early triage sign to determine whether a bug is obviously
critical.
Provide a test case that replaces syz_kvm_vgic_v3_setup() with a sequence
of 5 KVM ioctls.
Syscalls that initialize KVM and set up syzos have to be executed in a
particular order; there's no point in running them concurrently.
Now that we include linux/irqchip/arm-gic-v3.h, we don't need them anymore.
Hint syzkaller that it can write to ITS registers.
This is done to solve a particular test failure running:
$ tools/syz-env go test ./prog -run TestSpecialStructs
which failed on PPC64, because prog/rand.go instantiated a call to
syz_kvm_setup_syzos_vm(), which requested too much memory (1024 pages)
from the allocator (PPC64 uses 64k pages, so the number of available pages
is lower).
On the other hand, factoring out syzos-related descriptions is probably
a nice thing to do anyway.
arm64-syz_kvm_setup_syzos_vm-vgicv3-its
Make sure the test actually performs guest-side ITS setup and invokes an LPI.