From 22b866596bd7ad15273e24db02a0ef693737eae8 Mon Sep 17 00:00:00 2001
From: Alexey Kardashevskiy
Date: Wed, 11 Aug 2021 12:20:35 +1000
Subject: executor/common_linux: fuzz kvm_run

Syzkaller runs KVM until it exits and this is considered the end of the KVM_RUN syscall. We can do a bit more with a VM if the exit was legit (for example MMIO access or a hypercall). In such cases the userspace emulates the request and stores the result in the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN checks. This defines specialized mmap and syz_memcpy_off to allow Syzkaller fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new syz_kvm_run.
---
 pkg/host/syscalls_linux.go | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'pkg/host/syscalls_linux.go')

diff --git a/pkg/host/syscalls_linux.go b/pkg/host/syscalls_linux.go
index c69ccd82f..1d305b4e0 100644
--- a/pkg/host/syscalls_linux.go
+++ b/pkg/host/syscalls_linux.go
@@ -253,6 +253,14 @@ func isSyzIoUringSupported(c *prog.Syscall, target *prog.Target, sandbox string)
 	return isSupportedSyscall(ioUringSyscall, target)
 }
 
+func isSyzMemcpySupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
+	ret, msg := isSyzIoUringSupported(c, target, sandbox)
+	if ret {
+		return ret, msg
+	}
+	return isSyzKvmSetupCPUSupported(c, target, sandbox)
+}
+
 func isBtfVmlinuxSupported(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
 	if err := osutil.IsAccessible("/sys/kernel/btf/vmlinux"); err != nil {
 		return false, err.Error()
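Review bot: The new isSyzMemcpySupported throws away the io_uring probe's reason when it falls back to the KVM probe, so on a host where neither feature is usable the caller only ever sees why KVM is unavailable, which makes "why is syz_memcpy_off disabled?" harder to answer. Capture the fallback result and report both, e.g. `ok, kvmMsg := isSyzKvmSetupCPUSupported(c, target, sandbox)`, `if ok { return true, kvmMsg }`, `return false, msg + "; " + kvmMsg` (plain concatenation avoids depending on whether fmt is imported in this file, which is not visible here). The hunk also deletes the comment that explained the old io_uring-only gating without replacing it; a doc comment on the new helper such as `// isSyzMemcpySupported gates syz_memcpy_off, which is now used by both the io_uring and the KVM (kvm_run fuzzing) descriptions, so it is enabled when either feature is available.` would keep that rationale next to the code. isSyzKvmSetupCPUSupported is defined outside this hunk, so whether it behaves sensibly when handed the syz_memcpy_off descriptor rather than syz_kvm_setup_cpu is assumed, not verified, here.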
@@ -299,14 +307,12 @@ var syzkallSupport = map[string]func(*prog.Syscall, *prog.Target, string) (bool,
 	"syz_io_uring_submit": isSyzIoUringSupported,
 	"syz_io_uring_complete": isSyzIoUringSupported,
 	"syz_io_uring_setup": isSyzIoUringSupported,
-	// syz_memcpy_off is only used for io_uring descriptions, thus, enable it
-	// only if io_uring syscalls are enabled.
-	"syz_memcpy_off": isSyzIoUringSupported,
-	"syz_btf_id_by_name": isBtfVmlinuxSupported,
-	"syz_fuse_handle_req": isSyzFuseSupported,
-	"syz_80211_inject_frame": isWifiEmulationSupported,
-	"syz_80211_join_ibss": isWifiEmulationSupported,
-	"syz_usbip_server_init": isSyzUsbIPSupported,
+	"syz_memcpy_off": isSyzMemcpySupported,
+	"syz_btf_id_by_name": isBtfVmlinuxSupported,
+	"syz_fuse_handle_req": isSyzFuseSupported,
+	"syz_80211_inject_frame": isWifiEmulationSupported,
+	"syz_80211_join_ibss": isWifiEmulationSupported,
+	"syz_usbip_server_init": isSyzUsbIPSupported,
 }
 
 func isSupportedSyzkall(c *prog.Syscall, target *prog.Target, sandbox string) (bool, string) {
-- 
cgit mrf-deployment