From e2d17597c5c0f0be4b4b6e992d9434edef02c2f0 Mon Sep 17 00:00:00 2001 From: Alexander Potapenko Date: Mon, 19 Jan 2026 09:38:53 +0100 Subject: executor: sys/linux: SYZOS: add AMD SET_INTERCEPT primitive This patch introduces SYZOS_API_NESTED_AMD_SET_INTERCEPT to SYZOS. This primitive enables the fuzzer to surgically modify intercept vectors in the AMD VMCB (Virtual Machine Control Block) Control Area. It implements a read-modify-write operation on 32-bit VMCB offsets, allowing the L1 hypervisor (SYZOS) to deterministically set or clear specific intercept bits (e.g., for RDTSC, HLT, or exceptions) for the L2 guest. This capability allows syzkaller to systematically explore KVM's nested SVM emulation logic by toggling intercepts on and off, rather than relying on static defaults or random memory corruption. --- sys/linux/dev_kvm_amd64.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'sys/linux/dev_kvm_amd64.txt') diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt index acd80540c..0d90ceeab 100644 --- a/sys/linux/dev_kvm_amd64.txt +++ b/sys/linux/dev_kvm_amd64.txt @@ -160,6 +160,13 @@ syzos_api_nested_amd_inject_event { flags int64[0:3] } +syzos_api_nested_amd_set_intercept { + vm_id syzos_api_vm_id + offset int64 + bit_mask int64 + action int64[0:1] +} + # IDs here must match those in executor/common_kvm_amd64_syzos.h. syzos_api_call$x86 [ uexit syzos_api$x86[0, intptr] @@ -183,6 +190,7 @@ syzos_api_call$x86 [ nested_amd_stgi syzos_api$x86[382, void] nested_amd_clgi syzos_api$x86[383, void] nested_amd_inject_event syzos_api$x86[384, syzos_api_nested_amd_inject_event] + nested_amd_set_intercept syzos_api$x86[385, syzos_api_nested_amd_set_intercept] ] [varlen] kvm_text_x86 [ -- cgit mrf-deployment