| Commit message | Author | Age | Files | Lines |
Pass 1024 pages of memory to both syz_kvm_setup_syzos_vm() and
syz_kvm_setup_cpu$arm64() to make sure that:
- there is enough memory for guest allocations (e.g. ITS pages)
- the host can tamper with that memory, provoking more bugs
They can clash with our manual flag names.
Update to upstream commit 228a1157fb9f.
VFIO_TYPE1_NESTING_IOMMU const was removed in 35890f85573c.
Remove it from descriptions.
These are not accepted as inputs (NLA_REJECT is usually used in dump operations).
It was needed to work around a restriction on recursion via arrays.
Since we permit it now, we can remove the hack.
Test that if we enable only auto descriptions, nothing gets disabled.
Currently nothing can create fd_cgroup which is used by the descriptions.
One line per interface allows using the full power of unix utilities
to process these files. For example, the following command
selects all unprivileged interfaces present in one kernel
but not in another:
    comm -23 <(cat auto1.info | grep access:user | cut -f -2 | sort) \
        <(cat auto2.info | cut -f -2 | sort)
We already do this in most cases except for template structs (nlattr notably).
Add consts that are used in template structs to all files that use them.
This helps to avoid flakiness, and allows replacing description files
with other description files without regenerating all const files.
This also fixes the check for the presence of descriptions for sys/linux/auto.txt.json.
Extracting the declaration name is trickier than removing casts.
If the initialized type is a union, then the expression may
also contain InitListExpr and other nodes.
Remove all of them in a more robust way.
For now for netlink only.
Currently syscall selection is non-deterministic and we frequently
choose wrong ones. This leads to flaky argument names/types,
and wrong argument types (e.g. int16 instead of uid,
old_utimbuf32 instead of utimbuf, etc).
Make syscall selection robust and correct.
Replace socket_$bt_{bnep, cmtp, hidp, rfcomm} with syz_init_net_socket.
Fixes: https://github.com/google/syzkaller/issues/4729
Produce both descriptions and interface list in one run
(it's slow, we don't want/need to run the tool twice).
Produce output in json format.
Later we will add more properties, and will do more processing of the list.
Combine all fixed header parts in a single raw string literal.
Regenerate descriptions on kernel commit 715ca9dd687f89ddaac8ec8ccb3b5e5a30311a99.
Reserve SYZOS address for the ITS redistributor at 0x08080000, add it to the
list of kvm_guest_addrs.
Also implement a syzlang test for the host part of ITS configuration as per
https://www.kernel.org/doc/html/v6.1/virt/kvm/devices/arm-vgic-its.html
The test has become too big (>40 calls).
Split off dev_iommu_vfio and remove the overlap with dev_iommu_hwpt.
Describe four new BTF types introduced in commits [1, 2, 3, 4]
upstream. Note BTF_KIND_TAG was later renamed to BTF_KIND_DECL_TAG.
These four types are also described in the documentation at [5].
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b1828f0b04828
2 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5ea834dde6b6
3 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c42d2fa4eeab
4 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6089fb325cf73
5 - https://docs.kernel.org/bpf/btf.html#btf-kind-float
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
The linkage field of BTF type BTF_KIND_VAR isn't actually a boolean,
but a flag. Given it can now take three different values [1], it
doesn't match the boolean type and needs to be fixed. This commit
defines it as a proper flags type.
1 - https://docs.kernel.org/bpf/btf.html#btf-kind-var
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
syz-declextract
Add the new landlock_ruleset_attr's "scoped" field and related flags for
Linux 6.12: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and
LANDLOCK_SCOPE_SIGNAL.
Update tests with the new landlock_ruleset_attr's field.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add a seed that creates and execs something that resembles an ELF binary.
We create 2 binfmt_misc formats:
":syz0:M:0:\x01::./file0:"
":syz1:M:1:\x02::./file0:POC"
They don't require a syz0/1 prefix in the fix; syz0/1 is just the name of the format.
In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3
distributor/redistributor base and offsets of the corresponding registers.
This is a variant of arm64-syz_kvm_setup_syzos_vm-vgicv3 running on a
secondary CPU.
Rewrite existing tests using syz_kvm_setup_cpu to use the new pseudo-syscall API
syz_kvm_add_vcpu
The old syz_kvm_setup_cpu() API mixed together VM and VCPU setup, making it
harder to create and fuzz two VCPUs in the same VM.
Introduce two new pseudo-syscalls, syz_kvm_setup_syzos_vm() and syz_kvm_add_vcpu(),
that will simplify this task.
syz_kvm_setup_syzos_vm() takes a VM file descriptor, performs VM setup
(allocates guest memory and installs SYZOS code into it) and returns a
new kvm_syz_vm resource, which is in fact a pointer to `struct kvm_syz_vm`
encapsulating VM-specific data in the C code.
syz_kvm_add_vcpu() takes the VM ID denoted by kvm_syz_vm and creates a
new VCPU within that VM with a proper CPU number. It then stores the
fuzzer-supplied SYZOS API sequence into the corresponding part (indexed by
CPU number) of the VM memory slot, and sets up the CPU registers to interpret
that sequence.
The new pseudo-syscalls let the fuzzer create independent CPUs that run different
code sequences without interfering with each other.
syz_create_resource allows turning any value into a resource.
Improve binfmt descriptions using syz_create_resource:
we need to pass the same file name to write syscalls and execve.
Use syz_create_resource to improve binfmt descriptions.