path: root/sys/linux
Commit log (each entry: subject, then author | date | files changed | lines -removed/+added, then the commit message)
...
* sys/linux: describe old way of adding fscrypt keys
  Eric Biggers | 2020-11-28 | 2 files | -0/+21

  Add a syscall "add_key$fscrypt_v1" which describes the old way of adding fscrypt keys. Previously only the new way (FS_IOC_ADD_ENCRYPTION_KEY) was described. Keys added by "add_key$fscrypt_v1" can be referred to later in the fscrypt_policy_v1 passed to FS_IOC_SET_ENCRYPTION_POLICY.
* sys/linux: make some fscrypt ioctls take fd_dir
  Eric Biggers | 2020-11-28 | 1 file | -6/+6

  Make ioctls take fd_dir rather than fd when they are primarily intended to be used on directories. Especially for FS_IOC_SET_ENCRYPTION_POLICY, this should increase the chance that syzkaller does something useful with these ioctls.
* pkg/ast: remove trailing spaces when formatting
  Dmitry Vyukov | 2020-11-25 | 5 files | -6/+6
* sys/linux: regenerate const files
  Dmitry Vyukov | 2020-11-21 | 1 file | -2/+0

  Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba. These consts were removed from txt files recently.
* pkg/ifuzz/powerpc: add powerpc support
  Alexey Kardashevskiy | 2020-11-20 | 1 file | -0/+18

  This adds KVM's syz_kvm_setup_cpu pseudo syscall.

  This adds a placeholder for options (none implemented yet).

  This adds an instruction generator for ifuzz; this also adds a few pseudo instructions to simulate super/hyper/ultracalls (a PPC64/pseries platform thing).

  The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by a horrendous python3 script on top of pdftotext. The ISA covers POWER9 which is the latest available POWER CPU at the moment. The next ISA for POWER10 is quite different and we will deal with it later.

  The // comment after every instruction is a fixed opcode list for verification purposes.

  This does not define DecodeExt as there is no obvious replacement of the Intel XED library for POWERPC (gapstone-capstone, later, maybe).

  [1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0

  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/compiler: check for flags with all equal values
  Dmitry Vyukov | 2020-11-13 | 1 file | -2/+2

  There is no point in having flags when values are equal. This can only mean a typo or other bug. Check for such cases and fix 3 existing precedents.
* sys/linux: regenerate const files
  Dmitry Vyukov | 2020-11-13 | 4 files | -4/+19

  Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba. Fix vmw_vmci.txt const extraction.
* sys/linux: update BPF_PROG_TEST_RUN's fields
  Paul Chaignon | 2020-10-26 | 2 files | -0/+4

  These new fields were introduced in commit 1b4d60e ("bpf: Enable BPF_PROG_TEST_RUN for raw_tracepoint") upstream.

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/linux: remove unused fields from BPF command
  Paul Chaignon | 2020-10-26 | 1 file | -2/+0

  These two fields are not used in the BPF_PROG_GET_FD_BY_ID bpf(2) command. See BPF_PROG_GET_FD_BY_ID_LAST_FIELD upstream.

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/linux: update BPF constants
  Paul Chaignon | 2020-10-26 | 2 files | -7/+16

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/linux: add PSEUDO_BTF_ID ld_imm BPF instruction
  Paul Chaignon | 2020-10-26 | 2 files | -0/+14

  This new ld_imm instruction was introduced in commit 4976b71 ("bpf: Introduce pseudo_btf_id") upstream.

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/linux: add BPF_PROG_BIND_MAP bpf(2) command
  Paul Chaignon | 2020-10-26 | 2 files | -0/+8

  This new command was introduced in commit ef15314 ("bpf: Add BPF_PROG_BIND_MAP syscall") upstream. The flags field is not currently used.

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/linux: add BPF_LINK_DETACH bpf(2) command
  Paul Chaignon | 2020-10-26 | 2 files | -1/+3

  This new command was introduced in commit 73b11c2 ("bpf: Add support for forced LINK_DETACH command") upstream.

  Signed-off-by: Paul Chaignon <paul@cilium.io>
* sys/targets: add OS/Arch name consts
  Dmitry Vyukov | 2020-10-26 | 2 files | -3/+4

  We use strings to identify OS/Arch. These strings are duplicated throughout the code base massively. golangci-lint points to the possibility of typos and duplication. We already had to define these names in pkg/csource and disable checking for the prog package. A future change triggers such warnings in another package. Add OS/Arch name consts to sys/targets so that they can be used to refer to OS/Arch. Use the consts everywhere.
* sys/linux/test: add s390x GUP fast path test
  Alexander Egorenkov | 2020-10-09 | 1 file | -0/+13

  https://lore.kernel.org/linuxppc-dev/20190418100218.0a4afd51@mschwideX1/

  The test triggers this bug:

  [ 224.294341] ==================================================================
  [ 224.294389] BUG: KASAN: stack-out-of-bounds in gup_pgd_range+0x124a/0x1398
  [ 224.294405] Read of size 8 at addr 000003e002e8f3d8 by task gup_fast_regr-s/633
  [ 224.294417]
  [ 224.294431] CPU: 0 PID: 633 Comm: gup_fast_regr-s Not tainted 5.9.0-rc6 #1
  [ 224.294443] Hardware name: IBM 8561 T01 701 (KVM/Linux)
  [ 224.294454] Call Trace:
  [ 224.294470]  [<0000000047708384>] show_stack+0x174/0x220
  [ 224.294488]  [<000000004bbcfb9c>] dump_stack+0x274/0x2f8
  [ 224.294506]  [<0000000047f4e8e6>] print_address_description.constprop.0+0x5e/0x550
  [ 224.294523]  [<0000000047f4e4ea>] kasan_report+0x11a/0x168
  [ 224.294538]  [<0000000047e4a77a>] gup_pgd_range+0x124a/0x1398
  [ 224.294554]  [<0000000047e4cbea>] internal_get_user_pages_fast+0x212/0x460
  [ 224.294571]  [<0000000047e4cf10>] get_user_pages_fast+0x70/0xb0
  [ 224.294588]  [<0000000049886cee>] iov_iter_get_pages+0x2d6/0xdf0
  [ 224.294605]  [<000000004974aaca>] bio_iov_iter_get_pages+0x2ca/0x1088
  [ 224.294623]  [<0000000048210282>] iomap_dio_bio_actor+0x8e2/0x1118
  [ 224.294638]  [<0000000048210b64>] iomap_dio_actor+0xac/0x550
  [ 224.294655]  [<000000004820212a>] iomap_apply+0x21a/0x9d0
  [ 224.294670]  [<00000000482118ae>] iomap_dio_rw+0x7c6/0x11e8
  [ 224.294689]  [<0000000048374ca8>] ext4_file_read_iter+0x4b0/0x638
  [ 224.294707]  [<0000000047fd85ec>] new_sync_read+0x444/0x6d0
  [ 224.294722]  [<0000000047fde212>] vfs_read+0x2c2/0x4e0
  [ 224.294737]  [<0000000047fdf3ba>] ksys_read+0x16a/0x298
  [ 224.294754]  [<000000004bc37ee8>] system_call+0xdc/0x298
  [ 224.294794]
  [ 224.294800]
  [ 224.294809] addr 000003e002e8f3d8 is located in stack of task gup_fast_regr-s/633 at offset 72 in frame:
  [ 224.294827]  gup_pgd_range+0x0/0x1398
  [ 224.294837]
  [ 224.294844] this frame has 3 objects:
  [ 224.294854]  [32, 40) 'pgd'
  [ 224.294858]  [64, 72) 'p4d'
  [ 224.294867]  [96, 104) 'pud'
  [ 224.294874]
  [ 224.294885] Memory state around the buggy address:
  [ 224.294900]  000003e002e8f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  [ 224.294915]  000003e002e8f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  [ 224.294930] >000003e002e8f380: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3
  [ 224.294943]                                                      ^
  [ 224.294957]  000003e002e8f400: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  [ 224.294972]  000003e002e8f480: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00
  [ 224.294984] ==================================================================

  Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
* sys/linux/test: refactor and extend 802.11 tests
  Aleksandr Nogikh | 2020-10-05 | 3 files | -16/+53

  80211_setup_station is extended with frame injections and delays that are arranged in such a way that the device successfully joins an access point.

  80211_scan is a new test that starts a channel scan and then injects a beacon and a probe response.

  These additions were tested manually and were observed to fulfill their purpose.
* sys/linux: add 802.11 frame descriptions
  Aleksandr Nogikh | 2020-10-05 | 5 files | -49/+1043

  This commit enables accurate generation of 802.11 frames for injection. The descriptions only include frames/fields/elements that are supported by mac80211.

  Also, this commit includes fixes to tests that were affected by modification of the existing descriptions.

  The validity of the frames was verified by capturing the generated packets and examining them in Wireshark.
* sys/linux: descriptions for USB/IP
  Nazime Hande Harputluoglu | 2020-10-02 | 2 files | -0/+69
* sys/linux/tests: add three new runtests for 802.11
  Aleksandr Nogikh | 2020-10-01 | 3 files | -0/+41

  1. A runtest that sets up an access point.
  2. A runtest that configures a station.
  3. A runtest that configures a mesh device.
* sys/linux: enhance nl80211 descriptions
  Aleksandr Nogikh | 2020-10-01 | 4 files | -144/+1433

  Completed netlink descriptions for nl80211. Verified by executing syzkaller locally and exploring coverage of the corresponding code.
* sys/linux: descriptions for /dev/vmci
  Radoslav Gerganov | 2020-09-25 | 2 files | -0/+176
* sys/linux: enhance ifreq_dev_t definition by setting attribute directions
  Aleksandr Nogikh | 2020-09-22 | 6 files | -9/+9

  This modification allows removing the [opt] modifier from all uses of ifreq_dev_t and ifreq_t.
* sys/linux: adjust nl80211 descriptions to match net_80211.txt
  Aleksandr Nogikh | 2020-09-22 | 2 files | -24/+34

  nl80211 descriptions depend on a variety of parameters specific to the wireless devices/networks that we act upon. This patch adjusts these values to match the hard-coded parameters of the pre-created virtual wireless devices.
* all: integrate with mac80211_hwsim
  Aleksandr Nogikh | 2020-09-22 | 4 files | -1/+67

  Two virtual wireless devices are instantiated during network devices initialization. A new flag (-wifi) is added that controls whether these virtual wifi devices are instantiated and configured during proc initialization.

  Also, two new pseudo syscalls are added:
  1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an arbitrary packet into the wireless stack. It is injected as if it originated from the device identified by mac_addr.
  2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) -- puts a specific network interface into IBSS state and joins an IBSS network.

  Arguments of syz_80211_join_ibss:
  1) interface_name -- null-terminated string that identifies a wireless interface
  2) ssid, ssid_len -- SSID of an IBSS network to join
  3) mode -- mode of syz_80211_join_ibss operation (see below)

  Modes of operation:
  JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
  JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9 seconds), syz_80211_join_ibss does not await IF_OPER_UP.
  JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed, syz_80211_join_ibss does not await IF_OPER_UP.

  Local testing ensured that these syscalls are indeed able to set up an operating network and inject packets into mac80211.
* tools/syz-imagegen: add 20 more filesystems
  Dmitry Vyukov | 2020-09-20 | 636 files | -128/+2192

  And populate images with some files, which should make both mounting and the resulting dir more interesting.

  Note: this adds 100MB of image files into the repo... Maybe we need to think of some other way of storing these images...
* sys/linux: add syz_mount_image for 20 more file systems
  Dmitry Vyukov | 2020-09-20 | 1 file | -12/+108
* tools/syz-imagegen: add a few more f2fs features
  Dmitry Vyukov | 2020-09-20 | 116 files | -104/+152

  Add flexible_inline_xattr, inode_checksum, inode_crtime, project_quota features.
* tools/syz-imagegen: generate full test files instead of bash scripts
  Dmitry Vyukov | 2020-09-20 | 104 files | -208/+208

  tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts. It's hard to scale this approach to more file systems while avoiding duplication and stupid errors and doing proper error handling and parallelization. Upgrade syz-imagegen to generate full test files and replace the shell scripts.

  The f2fs -O=compression option is removed; it does not seem to be supported by mkfs.f2fs, it always says:
  Error: Wrong features
  The shell script used it, but it seems that the way it passed arguments (in a single '-quoted string) just made mkfs misparse the arguments (use only the first one?) and so -O=compression and most other arguments were simply ignored.
* tools/create_btrfs_image.sh: fix up and re-run
  Dmitry Vyukov | 2020-09-14 | 80 files | -40/+200

  The previous commit did not get all intended changes.

  Follow up to 2066
* tools/create_btrfs_image.sh: fix script
  Dmitry Vyukov | 2020-09-14 | 82 files | -80/+160

  1. Use set -eu
  2. Use consistent name of the generated files
  3. Add "requires: manual"
  4. Fix some option combinations that lead to errors

  Follow up to 2066
* sys/linux: mount btrfs tests
  Jiaheng Hu | 2020-09-14 | 80 files | -0/+80

  Add several unit tests that mount different versions of btrfs images, and the .sh file that generates these tests.
* tools/create_f2fs_image.sh: name tests after the syscall
  Dmitry Vyukov | 2020-09-13 | 40 files | -72/+72

  Make things consistent.

  Follow up to #2032
* pkg/runtest: test parsing of all tests
  Dmitry Vyukov | 2020-09-13 | 2 files | -0/+8

  Currently we only test parsing in tools/syz-runtest and for test OS in pkg/runtest tests. This means errors in tests for other OSes won't be noticed until somebody runs tests manually.

  Test parsing of all tests in pkg/runtest tests. Fix up 2 broken tests.
* sys/linux/test: mark f2fs tests as manual
  Dmitry Vyukov | 2020-09-13 | 24 files | -24/+96

  Introduce "manual" requirement for tests (only run if explicitly selected) and mark f2fs tests as manual. There are too many of them.

  Follow up to #2032
* sys/linux: add mount f2fs test
  Jiaheng Hu | 2020-09-13 | 24 files | -0/+24

  Add several unit tests that mount different versions of f2fs images, and the .sh file that generates these tests.
* sys/linux: improve descriptions of bpf tracing (#2076)
  bobogei81123 | 2020-09-09 | 7 files | -42/+97

  - Rename bpf_lsm to bpf_trace and put all bpf program types that use BPF_RAW_TRACEPOINT_OPEN here.
  - Add descriptions for types RAW_TRACEPOINT(_WRITABLE), BPF_TRACING and BPF_EXT.
  - Add the hook names for RAW_TRACEPOINT(_WRITABLE).
* sys/linux: add descriptions of qat_adf_ctl
  Cheng-Min Chiang | 2020-08-28 | 3 files | -1/+141

  Add descriptions for qat_adf_ctl. It might need an Intel QAT device.

  Update #533.
* Revert "sys/linux: add description for fsinfo"
  Ioana-Ruxandra Stăncioi | 2020-08-24 | 3 files | -47/+5

  The fsinfo() system call is under heavy discussion upstream, and it might be totally changed. As a result it was dropped from linux-next starting in next-20200819, and the pull request for 5.9 (https://lkml.kernel.org/r/1845353.1596469795@warthog.procyon.org.uk/) wasn't accepted.

  Therefore revert the syscall description (commit 4b0871d) for now.
* sys/linux: make bpf_lsm_btf_id optional (#2054)
  bobogei81123 | 2020-08-24 | 1 file | -1/+4

  Pull request #1971 added the resource bpf_lsm_btf_id and made it a required resource for bpf$BPF_LSM_PROG_LOAD. However, we need #2035 merged to get a bpf_lsm_btf_id, and that pull request is currently blocked by a pahole issue. Thus, bpf$BPF_LSM_PROG_LOAD will be disabled for now.

  This pull request makes bpf_lsm_btf_id optional for bpf$BPF_LSM_PROG_LOAD, so we can test this syscall before the issue is resolved.
* sys/linux: add descriptions of vga_arbiter
  Cheng-Min Chiang | 2020-08-20 | 3 files | -1/+50

  Add descriptions for testing /dev/vga_arbiter.

  Update #533
* sys/linux: add BTRFS specific ioctls
  Jiaheng Hu | 2020-08-19 | 2 files | -9/+562

  Add the ioctls specific to BTRFS (linux v5.8).
* sys/linux: add lwtunnel_encap_seg6 description
  Ioana-Ruxandra Stăncioi | 2020-08-19 | 2 files | -17/+18

  Uncommented because the kernel fixed the seg6_iptunnel.h uapi header:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=88fab21c691bb1ff164e540735237a385e3afeaf
* sys/linux/test: add test performing getdents64() on FUSE dir
  Stefano Duo | 2020-08-14 | 1 file | -0/+9

  Add a syzkaller program which correctly handles a getdents64() syscall on a FUSE directory. Here is the related comment/discussion:
  https://github.com/google/syzkaller/pull/2001#issuecomment-671185292.
* executor/common_linux.h: open target dir inside syz_mount_image()
  Stefano Duo | 2020-08-14 | 3 files | -24/+33

  Refactor syz_mount_image() to support filesystems not requiring a backing device and filesystem image (e.g. FUSE). To do that, we check for the presence of the pointer to the array of struct fs_image_segment: if missing, there is no need to set up the loop device and we can proceed directly with the mount() syscall.

  Add syz_mount_image$fuse() (specialization for FUSE) inside sys/linux/fs_fuse.txt.
* sys/linux/fs_fuse.txt: use bytelen instead of len
  Stefano Duo | 2020-08-14 | 1 file | -2/+2

  Use the type bytelen instead of len to express the length of the data structure pointed to by the pointer passed to read$FUSE().
* executor/common_linux.h: add syz_fuse_handle_req()
  Stefano Duo | 2020-08-14 | 2 files | -2/+43

  At the moment syzkaller is able to respond to FUSE with a syntactically correct response using the specific write$FUSE_*() syscalls, but most of the time these responses are not related to the type of request that was received.

  With this pseudo-syscall we are able to provide the correct response type while still allowing the fuzzer to fuzz its content. This is done by requiring each type of response as an input parameter and then choosing the correct one based on the request opcode. Notice that the fuzzer is still free to mix write$FUSE_*() and syz_fuse_handle_req() syscalls, so it is not losing any degree of freedom.

  syz_fuse_handle_req() retrieves the FUSE request and resource fuse_unique internally (by performing a read() on the /dev/fuse file descriptor provided as input). For this reason, a new template argument has been added to fuse_out (renamed to _fuse_out) so that the unique field can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique resource (used by the write$FUSE_*() syscalls) without any code duplication.
* sys/linux/fs_fuse.txt: use expected flags for fuse_attr.mode
  Stefano Duo | 2020-08-14 | 1 file | -1/+1

  Instead of using a generic int32 for fuse_attr.mode, use the expected file mode flags.
* sys/linux/fs_fuse.txt: define FUSE request id as a resource
  Stefano Duo | 2020-08-14 | 4 files | -8/+21

  Currently fuse_in.unique and fuse_out.unique are not linked by any dependency chain. This causes the majority of the replies to the kernel to be dropped because they do not refer to a previously sent request. By defining them as a resource, we push the fuzzer in the right direction (i.e., try to respond using a previously issued unique value).

  The read syscall has been updated accordingly; it now expects and parses a fuse_in header and some additional data.
* sys/linux: switch to the new .const format
  Dmitry Vyukov | 2020-08-13 | 1336 files | -83508/+4039

  This reduces the number of const files/lines from 1288/96599 to 158/11603. Const files are generated on next-20200813.

  Update #1983
* sys/linux: use per-field directions in descriptions
  Necip Fazil Yildiran | 2020-08-13 | 9 files | -103/+129