| Commit message (Collapse) | Author | Age | Files | Lines |

Make the necessary changes to support HVC in addition to SMC.
These two may subtly differ, so they are handled separately.

As suggested by Dmitry, use a template to avoid duplication in various syzos types.
Also adjust the existing tests.

Provide an API call to invoke the ARM64 Secure Monitor Call instruction
with user-supplied function id and 5 parameters passed in registers x1-x5.
For now only `smc #0` is invoked, although in the future we may want to
pass other (reserved) immediate values to SMC.

In addition to device FDs, certain arches (s390 and ARM64) allow applying
device attributes to VM FDs (https://docs.kernel.org/virt/kvm/devices/vm.html).
Add descriptions for the corresponding ioctls on ARM64, including support
for setting SMCCC filters via struct kvm_smccc_filter.

Reduce the number of hand-rolled constants in syz_kvm_setup_cpu_arm64
by using AUTO.

MSR is an ARM64 instruction that writes a value from a GP register to
one of the system CPU registers. Exposing those registers to a fuzzer will
let us trigger unexpected behavior in handling them on the kernel side.
The SYZOS_API_MSR call has two int64 arguments, register ID and value.
Register IDs are 64-bit values obtained from ARM64_SYS_REG() in the Linux asm/kvm.h
UAPI header. The same register IDs are used by ioctl$KVM_GET_ONE_REG and
ioctl$KVM_SET_ONE_REG.
Also add sys/linux/test/syz_kvm_setup_cpu_arm64-msr.

Split the definition of kvm_one_reg into ARM-specific and non-ARM-specific
parts. For the ARM-specific ones, use the result of
`go run tools/arm64/registers.go tools/arm64/msr_mrs.txt`
as the new list of constants.

This is the initial test to help seed syzos program generation.
We'll need to add assertions to it once we implement them.

Instead of guessing the size of the mmap area for struct vcpu_run,
always obtain it from ioctl(KVM_GET_VCPU_MMAP_SIZE).

Allow the guest payload to call syzos API functions. The available calls
are enumerated by SYZOS_API_* constants, and have the form of:
    struct api_call {
        uint64 call;
        uint64 struct_size;
        /* arbitrary call-related data here */
    };
Complex instruction sequences are too easy to break, so most of the time
the fuzzer won't be able to efficiently mutate them.
We replace kvm_text_arm64 with a sequence of `struct api_call`, making it
possible to intermix assembly instructions (SYZOS_API_CODE) with
higher-level constructs.
Right now the supported calls are:
- SYZOS_API_UEXIT - abort from KVM_RUN (1 argument: exit code, uint64)
- SYZOS_API_CODE - execute an ARM64 assembly blob
  (1 argument: inline array of int32's)

Based on v6.10-rc4 and new upstream-usb.config.

Accounted for added command and added fields in gtp_policy and
gtp_genl_policy. Users can create GTP devices without providing
IFLA_GTP_FD0 and IFLA_GTP_FD1 arguments, if IFLA_GTP_CREATE_SOCKETS
field is set.

These two constants are not used anywhere.
No functional change.

Now that we chroot into tmpfs with sandbox=none, it should be safe to allow
using these ioctls, because they won't break the whole VM.
Update #971.

Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)

Update the descriptions to mark calls that cause remote coverage
collection.
Remove some hacky code from the executor.

Update the list of device type flags to match that of Linux 6.9.

Make the following changes for extraction to succeed:
- drop the KVM API constants for features removed in 6.9;
- hardcode the three TUNNEL_*_OPT constants that cannot be extracted due to a header change;
- hardcode the HCI_OP_* constants removed in 99fca36c8b412 ("Bluetooth: HCI: Remove HCI_AMP support");
- hardcode the L2CAP_* constants removed in e7b02296fb40 ("Bluetooth: Remove BT_HS");
- hardcode LANDLOCK_ACCESS_FS_IOCTL_DEV until it hits upstream.

Use the parameters as discussed in https://groups.google.com/g/syzkaller/c/h002HJplxP0/m/ypISQYYpAwAJ

We renamed LANDLOCK_ACCESS_FS_IOCTL to LANDLOCK_ACCESS_FS_IOCTL_DEV, but the
value is still the same.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Raw deserialization mode does not do any program sanitization
and allows using global file names, prohibited ioctl's, etc.
This will be useful for moving syscall/feature checking code
to the host; we will need to probe opening global files, etc.

Disable the syscall in descriptions rather than in the code.
This makes it more visible for users that it's disabled,
and makes it less special (will not need to move this logic to host).
Also change the condition in syz-sysgen to be more precise,
otherwise syz_execute_func becomes an unused function.

This fixes 3 issues:
1. We intended to squash only 'in' pointer elems,
   but we looked at the pointer direction rather than elem direction.
   Since pointers themselves are always 'in' we squashed a number of
   types we didn't want to squash.
2. We can squash filenames, which can lead to generation of escaping filenames,
   e.g. the fuzzer managed to create "/" filename for blockdev_filename as:
   mount(&(0x7f0000000000)=ANY=[@ANYBLOB='/'], ...)
   Don't squash filenames.
3. We analyzed a concrete arg to see if it contains something
   we don't want to squash (e.g. pointers). But the whole type
   can still contain unsupported things in inactive union options,
   or in 0-sized arrays. E.g. this happened in the mount case above.
   Analyze the whole type to check for unsupported things.
   This also moves most of the analysis to the compiler,
   so mutation will be a bit faster.
This removes the following linux types from squashing.
1. These are not 'in':
   btrfs_ioctl_search_args_v2
   btrfs_ioctl_space_args
   ethtool_cmd_u
   fscrypt_add_key_arg
   fscrypt_get_policy_ex_arg
   fsverity_digest
   hiddev_ioctl_string_arg
   hidraw_report_descriptor
   ifreq_dev_t[devnames, ptr[inout, ethtool_cmd_u]]
   ifreq_dev_t[ipv4_tunnel_names, ptr[inout, ip_tunnel_parm]]
   ifreq_dev_t["sit0", ptr[inout, ip_tunnel_prl]]
   io_uring_probe
   ip_tunnel_parm
   ip_tunnel_prl
   poll_cq_resp
   query_port_cmd
   query_qp_resp
   resize_cq_resp
   scsi_ioctl_probe_host_out_buffer
   sctp_assoc_ids
   sctp_authchunks
   sctp_getaddrs
   sctp_getaddrs_old
2. These contain pointers:
   binder_objects
   iovec[in, netlink_msg_route_sched]
   iovec[in, netlink_msg_route_sched_retired]
   msghdr_netlink[netlink_msg_route_sched]
   msghdr_netlink[netlink_msg_route_sched_retired]
   nvme_of_msg
3. These contain filenames:
   binfmt_script
   blockdev_filename
   netlink_msg_route_sched
   netlink_msg_route_sched_retired
   selinux_create_req

New ioctl to create hwpt objects directly with two forms.

This should run without any errno returns. A number of problems have crept
in:
The kernel changed the size of the test ioctl from 0x38 to 0x48. The
generated description picked this up but the hardwired constant in the
test did not. Update all cases.
Fix TEST_OP_MOCK_DOMAIN to use the kernel's changed ID layout and new
destruction sequence.
Move TEST_OP_MD_CHECK_* up into a region with a MOCK_DOMAIN and fix their
arguments so they work properly.
The test now passes on v6.8-rc3 with no error failures.

Some small mistakes have crept into here and the definitions are not
working quite right.
The kernel changed the layout of the mock_domain test command to have
three handles and moved the device_handle to the end. A new handle - the
"selftest_device" - was returned instead.
check_map/check_refs takes in a hwpt_handle, not an fd_access.
domain_replace takes in the selftest_device_handle and an ioas/pt.
access_replace_ioas uses the ioas_handle, not a naked int32.

Not cloning the argument results in replaceArg() replacing a union
argument with itself, which may lead to inconsistent resource
references.
Add an assertion to detect such cases in the future.

This reverts commit 4097c8d7a8596ddbc9a9db7b7f39c5cbdb1bd742.

Not cloning the argument results in replaceArg() replacing a union
argument with itself, which may lead to inconsistent resource
references.
Add an assertion to detect such cases in the future.

Add 3 new system calls available with Linux 6.8:
* lsm_set_self_attr()
* lsm_get_self_attr()
* lsm_list_modules()
This helped find these bugs:
https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net/
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

The descriptions benefit from syzkaller being able to include fields
conditionally.

Split out deprecated descriptions from socket_netlink_route_sched.txt.
Adjust outdated descriptions.

Descriptions are used in addition to dev_bifrost ioctls.

Double tagging is used in 802.1ad, which is identified by TPID=0x88a8.
We were using an incorrect const.

This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.

This test covers regular file IOCTL checks handled in
security/landlock/fs.c.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Add the new LANDLOCK_ACCESS_FS_IOCTL right.
Sort access rights according to their value to ease tracking of new
access rights.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>