Implement a pseudo-syscall to check the value of kvm_run.exit_reason
This is a best-effort attempt to fix the tests passing ANY arguments
to the syz_kvm_add_vcpu$arm64() syscall.
Not passing flattened arguments to syz_kvm_add_vcpu() serves two purposes:
- makes it easier to reason about the SYZOS program contents;
- prevents nonsensical mutations of them.
Transform the hard-coded list of feature combinations into individual
groups of features.
Some USB drivers contain quirks (special handling code) for USB devices
with specific USB IDs. Sometimes the IDs for these quirks are encoded in
the driver matching rules (and thus are auto-extracted into
sys/linux/init_vusb_ids.go), but sometimes these IDs are hardcoded in
the driver itself.
This patch extends the generateUsbPrinterDeviceDescriptor function to
also sometimes generate USB IDs to exercise the hardcoded quirks for the
USB printer class.
Similar functionality can be implemented for other USB drivers later.
This allows exercising driver quirks that might be defined in the matching
rules (the printer driver does not actually define any yet, but this
change serves as a reference for doing this for other drivers).
Only patch in the IDs that are used in the matching rules of the printer
driver in the kernel. Patching other IDs might subvert the kernel into
matching the emulated device to a different driver.
Introduce a helper function to make the following changes cleaner.
No functional changes.
Change the kernel patch and the syz-usbgen tool to split the extracted
USB IDs by the driver they belong to.
This will allow for a more precise patching of class/driver-specific
USB descriptors.
Also update USB IDs with Linux kernel 6.16.
This change is the first step in addressing issue [1].
Despite syzkaller's best efforts, some usb drivers are proving
resistant to attempts to probe them. Specifically, crafted
devices are not accurate enough to bypass checks in probe().
These checks mostly deal with usb interfaces and endpoints.
One way to address this issue is to define syz_connect_* calls
variants to help syzkaller succeed probing by describing in detail
various device attributes.
Start by describing such calls for select drivers, each representing
its own category of sorts. At the moment, code coverage for these
drivers is unimpressive:
- rtl8150
Used to succeed probing until a better usb endpoint check was implemented.
- sierra_net
Same as rtl8150. Depends on usbnet API for bind() and usb ep checks.
- lan78xx
Requires numerous control requests between driver and device DURING probe.
Extra descriptions are helpful but are not enough to fully complete
probing process.
Also, add a seed for each such example.
This is only a stepping stone to improve usb fuzzing results and most
likely will be subject to change in the future.
[1] https://github.com/google/syzkaller/issues/6206
Use the latest version of bcachefs-tools.
See the discussion at https://groups.google.com/g/syzkaller/c/Vek7-974kJI/m/8TrKOiz6AgAJ
Add a SYZOS call to write to one of the system registers
(CR0, CR2, CR3, CR4, CR8).
amd64-syz_kvm_setup_syzos_vm-wrmsr-rdmsr is a test executing SYZOS_API_WRMSR
and SYZOS_API_RDMSR on x86.
Let SYZOS execute RDMSR and WRMSR on x86.
Like we already do on ARM, use prime numbers multiplied by 10 for
SYZOS API IDs to prevent the compiler from emitting a jump table in
guest_main().
This is a system ioctl
Use output parameter instead of an input one.
Use a KVM constant for array size.
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-lapic
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-xcrs
This is mostly for the sake of completeness; other KVM ioctls do not
interact with the created FD anyway.
KVM_GET_MSRS can be both a system and a vcpu ioctl
Both KVM_SET_TSC_KHZ and KVM_GET_TSC_KHZ are vcpu and vm ioctls.
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-sregs2
KVM_MEMORY_ENCRYPT_UNREG_REGION
See https://docs.kernel.org/virt/kvm/api.html#kvm-memory-encrypt-reg-region
See https://docs.kernel.org/virt/kvm/api.html#kvm-x86-set-msr-filter
For certain ioctls https://www.kernel.org/doc/Documentation/virt/kvm/api.txt
lists their parameters as "in/out".
Change their descriptions to reflect that.
Also define KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_SUPPORTED_HV_CPUID
This should increase SEV coverage on AMD, also reach some dusty corners on ARM.
make sev_handle a resource
This is equivalent to errors=panic.
This patch adds the necessary descriptions for KVM_MEMORY_ENCRYPT_OP
that currently is not supported.
When running syz-manager with -mode run-tests --tests landlock_ptrace -debug
we get this result:
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=0
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=3
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
executing program
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=0
### call=4 errno=3
### call=5 errno=0
### call=6 errno=0
### call=7 errno=0
### call=8 errno=1
### call=9 errno=0
### call=10 errno=0
### call=11 errno=3
### call=12 errno=0
### call=13 errno=0
### call=14 errno=1
### call=15 errno=3
### call=16 errno=1
### call=17 errno=0
### call=18 errno=3
Because this test spawns two threads, the ptrace(2) returned code may be
different according to the calling thread.
Set the common EPERM errnos for all three threads (EINTR is unknown to
syzkaller). The other returned codes cannot be fixed because we cannot
have a set of valid errno for the same call.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
When running syz-manager with -mode run-tests --tests landlock_fs_ioctl -debug
we get this result:
#0 [1300ms] -> ioctl(0x4, 0x5460, 0x0)
#0 [1300ms] <- ioctl=0xffffffffffffffff errno=14
#0 [1300ms] -> ioctl(0x4, 0x5451, 0x0)
#0 [1300ms] <- ioctl=0x0
[...]
landlock_fs_ioctl none : FAIL: run 0: wrong call 5 result 14, want 13
The ioctl call returns EFAULT instead of EACCES.
Change this test to create a /dev/null device and use a valid device
IOCTL.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add 2 regular missing ioctl syscalls:
- UFFDIO_MOVE
- UFFDIO_POISON
Add USERFAULTFD_IOC_NEW ioctl that allows to procure userfaultfds
by way of accessing /dev/userfaultfd.
No other descriptions are touched, neither are any config options.
Tested on local x86_64 syzkaller instance with enabled_syscalls[]
option turned on.
The setuid sandboxes are not correct because some tests require mount.
Let's make it simple and remove them. After all, Landlock is available
to any user.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Currently, only usb COMEDI drivers are covered thanks to external usb
fuzzing approach. However, that still leaves /dev/comedi# devices
untested, thus this change.
There are 2 ways to make kernel spawn comedi devices. First, it seems
that one is created once driver identifies available hardware. Second,
provided a kernel parameter comedi.comedi_num_legacy_minors=N is set,
the same number of manually configurable devices are created,
allowing for configuration using one of the IOCTLs. Both scenarios do
not allow for particularly deep fuzzing as lack of necessary hardware
will inevitably stop any exploration short. Still, it is a start.
What is added:
- Descriptions for all COMEDI-related IOCTLs and structures.
Some arbitrary limits were set on array and list sizes, otherwise
numerous, overly greedy kmallocs slow down fuzzing with constant
warnings.
- List COMEDI devices to open.
A hardcoded list of device names is the best we can do at this point.
First few devs are for manual configuration (see
comedi_num_legacy_minors=N), others - for dynamic ones (N+1, N+2 etc).
- List manually configurable drivers.
COMEDI_DEVCONFIG ioctl takes a driver name from a list of those that
supposedly can be set up that way. No reason to try others.
Tested on a local x86_64 syzkaller instance with enabled_syscalls[].
BSG is a block layer version of SG driver with its own devices,
which can be found in /dev/bsg/*. Currently, syzkaller barely touches
related code in block/ and drivers/scsi/ source directories,
so update the descriptions to nudge the fuzzer in the right direction.
Specifically,
- create a separate description file dev_bsg.txt;
- move openat$bsg from sys.txt and fix the way devices
in question are accessed;
- describe necessary syscalls and structs, most importantly, sg_io_v4.
- add a few TODOs to address later.
A few words about flaws in sg_io_v4 description:
Some fields were left more ambiguous than desired. Once more research
into the way bsg operates is done, as well as related coverage is
gathered, those flaws will be corrected.
A few things done here:
- Add new block device ioctls (and structs) related to encryption,
added in 1ebd4a3c095c ("blk-crypto: add ioctls to create and
prepare hardware-wrapped keys"):
BLKCRYPTOIMPORTKEY
BLKCRYPTOGENERATEKEY
BLKCRYPTOPREPAREKEY
Deviate slightly from original keys-related structs to ensure that
ioctl syscalls have preallocated buffers to work with, not merely
pointers that go nowhere.
- Add and update new/missing syscalls related to zoned block devices:
BLKGETZONESZ
BLKGETNRZONES
BLKOPENZONE
BLKCLOSEZONE
BLKFINISHZONE
- Add a few other missing syscalls, such as BLKRASET.
- Fix some syscalls' directions (mostly, to 'inout').
Somehow syz-extract is unable to infer KVM_MAX_IRQ_ROUTES on x86,
hardcode it.
Let bare-metal instances with EL2 support take advantage of NV.
We expect these commands to reach some NV coverage
A few things done here:
- Add new userspace-driven ioctls (and necessary structs as well):
SNDRV_TIMER_IOCTL_CREATE
SNDRV_TIMER_IOCTL_TRIGGER
- Change a few object pointers' directions to better reflect their
intent (mostly inout).
- Split old SNDRV_TIMER_IOCTL_TREAD into two:
SNDRV_TIMER_IOCTL_TREAD_OLD and SNDRV_TIMER_IOCTL_TREAD64 the way
it is done in the kernel.
- Remove TODO descriptions concerning SNDCTL_TMR_START etc. as they
are described elsewhere, and as far as I can tell, are not necessary
here.
/dev/rnullb{} is the Rust implementation of the null block driver.
This commit adds support for CPUID instructions on AMD64. It also adds a
relevant test.
When compiling SYZOS into the executor binary, the compiler often
attempts to emit a jump table, putting it into the data section
of the executor. SYZOS is unable to access that data and crashes.
Use primes multiplied by 10 to defeat the compiler's heuristics
for jump table emission.
This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It
also updates some necessary parts of the ARM version and adds some glue
for i386.
This commit moves the various x86/amd64 ioctl descriptions and their
relevant structs/flags to the architecture-specific file and updates
the corresponding const files.
This commit prepares adding the X86-64 SYZOS by declaring the relevant
functions, updating their ARM64 versions and adding placeholders.
$ wc -l sys/linux/auto.*.info
4680 sys/linux/auto.txt.info
8471 sys/linux/auto.allyes.txt.info
Add open callback if there are no other unique callbacks.
This happens for e.g. seq files which only have unique open,
while read is a common seq_read callback.
Use resolved Function references instead of string names for fileops
callback resolution. Function names are not unique, a number of callbacks
have the same names.
Currently we misparse some function references, e.g. for:
.write = (foo) ? bar : baz,
we extract "foo". Extract first function reference from such expressions.