# Copyright 2015 syzkaller project authors. All rights reserved. # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. include include include include include include include include resource fd_tty[fd] # UNIX 98 pseudoterminal pairs (see man pts and man pty): openat$ptmx(fd const[AT_FDCWD], file ptr[in, string["/dev/ptmx"]], flags flags[open_flags], mode const[0]) fd_tty syz_open_pts(fd fd_tty, flags flags[open_flags]) fd_tty # BSD pseudoterminal pair (see man pty): syz_open_dev$ttys(dev const[0xc], major const[2], minor proc[20, 2]) fd_tty syz_open_dev$ptys(dev const[0xc], major const[3], minor proc[20, 2]) fd_tty # Some special tty devices. # Note /dev/{tty,tty1,tty2,tty7} seem to be of different types. openat$tty(fd const[AT_FDCWD], file ptr[in, string["/dev/tty"]], flags flags[open_flags], mode const[0]) fd_tty syz_open_dev$tty1(dev const[0xc], major const[4], minor intptr[1:4]) fd_tty syz_open_dev$tty20(dev const[0xc], major const[4], minor proc[20, 2]) fd_tty openat$ttyS3(fd const[AT_FDCWD], file ptr[in, string["/dev/ttyS3"]], flags flags[open_flags], mode const[0]) fd_tty openat$ttynull(fd const[AT_FDCWD], file ptr[in, string["/dev/ttynull"]], flags flags[open_flags], mode const[0]) fd_tty openat$ttyprintk(fd const[AT_FDCWD], file ptr[in, string["/dev/ttyprintk"]], flags flags[open_flags], mode const[0]) fd_tty ioctl$TCGETS(fd fd_tty, cmd const[TCGETS], arg ptr[out, termios]) ioctl$TCSETS(fd fd_tty, cmd const[TCSETS], arg ptr[in, termios]) ioctl$TCSETSW(fd fd_tty, cmd const[TCSETSW], arg ptr[in, termios]) ioctl$TCSETSF(fd fd_tty, cmd const[TCSETSF], arg ptr[in, termios]) ioctl$TCGETA(fd fd_tty, cmd const[TCGETA], arg ptr[out, termio]) ioctl$TCSETA(fd fd_tty, cmd const[TCSETA], arg ptr[in, termio]) ioctl$TCSETAW(fd fd_tty, cmd const[TCSETAW], arg ptr[in, termio]) ioctl$TCSETAF(fd fd_tty, cmd const[TCSETAF], arg ptr[in, termio]) ioctl$TIOCGLCKTRMIOS(fd fd_tty, cmd const[TIOCGLCKTRMIOS], arg ptr[in, termios]) ioctl$TIOCSLCKTRMIOS(fd fd_tty, cmd const[TIOCSLCKTRMIOS], arg ptr[out, termios]) ioctl$TIOCGWINSZ(fd fd_tty, cmd const[TIOCGWINSZ], arg ptr[out, winsize]) ioctl$TIOCSWINSZ(fd fd_tty, cmd const[TIOCSWINSZ], arg ptr[in, winsize]) ioctl$TCSBRK(fd fd_tty, cmd const[TCSBRK], arg intptr) ioctl$TCSBRKP(fd fd_tty, cmd const[TCSBRKP], arg intptr) ioctl$TIOCSBRK(fd fd_tty, cmd const[TIOCSBRK]) ioctl$TIOCCBRK(fd fd_tty, cmd const[TIOCCBRK]) ioctl$TCXONC(fd fd_tty, cmd const[TCXONC], arg flags[tcxonc_arg]) ioctl$FIONREAD(fd fd_tty, cmd const[FIONREAD], arg ptr[out, int32]) ioctl$TIOCOUTQ(fd fd_tty, cmd const[TIOCOUTQ], arg ptr[out, int32]) ioctl$TCFLSH(fd fd_tty, cmd const[TCFLSH], arg intptr[TCIFLUSH:TCIOFLUSH]) ioctl$TIOCGPTPEER(fd fd_tty, cmd const[TIOCGPTPEER], arg intptr) fd_tty ioctl$TIOCSTI(fd fd_tty, cmd const[TIOCSTI], arg ptr[in, int8]) ioctl$TIOCCONS(fd fd_tty, cmd const[TIOCCONS]) ioctl$TIOCSCTTY(fd fd_tty, cmd const[TIOCSCTTY], arg intptr) ioctl$TIOCNOTTY(fd fd_tty, cmd const[TIOCNOTTY]) ioctl$TIOCGPGRP(fd fd_tty, cmd const[TIOCGPGRP], arg ptr[out, pid]) ioctl$TIOCSPGRP(fd fd_tty, cmd const[TIOCSPGRP], arg ptr[in, pid]) ioctl$TIOCGSID(fd fd_tty, cmd const[TIOCGSID], arg ptr[out, pid]) ioctl$TIOCEXCL(fd fd_tty, cmd const[TIOCEXCL]) ioctl$TIOCNXCL(fd fd_tty, cmd const[TIOCNXCL]) ioctl$TIOCGETD(fd fd_tty, cmd const[TIOCGETD], arg ptr[out, int32]) ioctl$TIOCSETD(fd fd_tty, cmd const[TIOCSETD], arg ptr[in, int32[N_TTY:N_NULL]]) ioctl$TIOCPKT(fd fd_tty, cmd const[TIOCPKT], arg ptr[in, int32]) ioctl$TIOCMGET(fd fd_tty, cmd const[TIOCMGET], arg ptr[out, int32]) ioctl$TIOCMSET(fd fd_tty, cmd const[TIOCMSET], arg ptr[in, int32]) ioctl$TIOCMBIC(fd fd_tty, cmd const[TIOCMBIC], arg ptr[in, int32]) ioctl$TIOCMBIS(fd fd_tty, cmd const[TIOCMBIS], arg ptr[in, int32]) ioctl$TIOCGSOFTCAR(fd fd_tty, cmd const[TIOCGSOFTCAR], arg ptr[out, int32]) ioctl$TIOCSSOFTCAR(fd fd_tty, cmd const[TIOCSSOFTCAR], arg ptr[in, int32]) ioctl$KDGETLED(fd fd_tty, cmd const[KDGETLED], arg ptr[out, int8]) ioctl$KDSETLED(fd fd_tty, cmd const[KDSETLED], arg intptr) ioctl$KDGKBLED(fd fd_tty, cmd const[KDGKBLED], arg ptr[out, int8]) ioctl$KDSKBLED(fd fd_tty, cmd const[KDSKBLED], arg intptr) ioctl$KDGKBTYPE(fd fd_tty, cmd const[KDGKBTYPE], arg ptr[out, int8]) ioctl$KDADDIO(fd fd_tty, cmd const[KDADDIO], arg intptr) ioctl$KDDELIO(fd fd_tty, cmd const[KDDELIO], arg intptr) ioctl$KDENABIO(fd fd_tty, cmd const[KDENABIO]) ioctl$KDDISABIO(fd fd_tty, cmd const[KDDISABIO]) ioctl$KDSETMODE(fd fd_tty, cmd const[KDSETMODE], arg intptr[KD_TEXT:KD_GRAPHICS]) ioctl$KDGETMODE(fd fd_tty, cmd const[KDGETMODE], arg ptr[out, intptr]) ioctl$KDMKTONE(fd fd_tty, cmd const[KDMKTONE], arg intptr) ioctl$KIOCSOUND(fd fd_tty, cmd const[KIOCSOUND], arg intptr) ioctl$GIO_CMAP(fd fd_tty, cmd const[GIO_CMAP], arg ptr[out, io_cmap]) ioctl$PIO_CMAP(fd fd_tty, cmd const[PIO_CMAP], arg ptr[in, io_cmap]) ioctl$GIO_FONT(fd fd_tty, cmd const[GIO_FONT], arg buffer[out]) ioctl$GIO_FONTX(fd fd_tty, cmd const[GIO_FONTX], arg ptr[in, consolefontdesc[out]]) ioctl$PIO_FONT(fd fd_tty, cmd const[PIO_FONT], arg buffer[in]) ioctl$PIO_FONTX(fd fd_tty, cmd const[PIO_FONTX], arg ptr[in, consolefontdesc[in]]) ioctl$PIO_FONTRESET(fd fd_tty, cmd const[PIO_FONTRESET], arg const[0]) ioctl$KDFONTOP_SET(fd fd_tty, cmd const[KDFONTOP], arg ptr[in, console_font_op[KD_FONT_OP_SET, in]]) ioctl$KDFONTOP_GET(fd fd_tty, cmd const[KDFONTOP], arg ptr[in, console_font_op[KD_FONT_OP_GET, out]]) ioctl$KDFONTOP_SET_DEF(fd fd_tty, cmd const[KDFONTOP], arg ptr[in, console_font_op[KD_FONT_OP_SET_DEFAULT, in]]) ioctl$KDFONTOP_COPY(fd fd_tty, cmd const[KDFONTOP], arg ptr[in, console_font_op[KD_FONT_OP_COPY, out]]) ioctl$GIO_SCRNMAP(fd fd_tty, cmd const[GIO_SCRNMAP], arg buffer[out]) ioctl$GIO_UNISCRNMAP(fd fd_tty, cmd const[GIO_UNISCRNMAP], arg buffer[out]) ioctl$PIO_SCRNMAP(fd fd_tty, cmd const[PIO_SCRNMAP], arg buffer[in]) ioctl$PIO_UNISCRNMAP(fd fd_tty, cmd const[PIO_UNISCRNMAP], arg buffer[in]) ioctl$GIO_UNIMAP(fd fd_tty, cmd const[GIO_UNIMAP], arg ptr[in, unimapdesc_out]) ioctl$PIO_UNIMAP(fd fd_tty, cmd const[PIO_UNIMAP], arg ptr[in, unimapdesc_in]) ioctl$PIO_UNIMAPCLR(fd fd_tty, cmd const[PIO_UNIMAPCLR], arg ptr[in, unimapinit]) ioctl$KDGKBMODE(fd fd_tty, cmd const[KDGKBMODE], arg ptr[out, intptr]) ioctl$KDSKBMODE(fd fd_tty, cmd const[KDSKBMODE], arg ptr[in, intptr[K_RAW:K_OFF]]) ioctl$KDGKBMETA(fd fd_tty, cmd const[KDGKBMETA], arg ptr[out, intptr]) ioctl$KDSKBMETA(fd fd_tty, cmd const[KDSKBMETA], arg ptr[in, intptr[K_METABIT:K_ESCPREFIX]]) ioctl$KDGKBENT(fd fd_tty, cmd const[KDGKBENT], arg ptr[in, kbentry]) ioctl$KDSKBENT(fd fd_tty, cmd const[KDSKBENT], arg ptr[in, kbentry]) ioctl$KDGKBSENT(fd fd_tty, cmd const[KDGKBSENT], arg ptr[in, kbsentry]) ioctl$KDSKBSENT(fd fd_tty, cmd const[KDSKBSENT], arg ptr[in, kbsentry]) ioctl$KDGKBDIACR(fd fd_tty, cmd const[KDGKBDIACR], arg buffer[out]) ioctl$KDGETKEYCODE(fd fd_tty, cmd const[KDGETKEYCODE], arg ptr[in, kbkeycode]) ioctl$KDSETKEYCODE(fd fd_tty, cmd const[KDSETKEYCODE], arg ptr[in, kbkeycode]) ioctl$KDSIGACCEPT(fd fd_tty, cmd const[KDSIGACCEPT], arg signalnoptr) ioctl$VT_OPENQRY(fd fd_tty, cmd const[VT_OPENQRY], arg ptr[out, int32]) ioctl$VT_GETMODE(fd fd_tty, cmd const[VT_GETMODE], arg ptr[out, vt_mode]) ioctl$VT_SETMODE(fd fd_tty, cmd const[VT_SETMODE], arg ptr[in, vt_mode]) ioctl$VT_GETSTATE(fd fd_tty, cmd const[VT_GETSTATE], arg ptr[in, vt_stat]) ioctl$VT_RELDISP(fd fd_tty, cmd const[VT_RELDISP]) ioctl$VT_ACTIVATE(fd fd_tty, cmd const[VT_ACTIVATE], arg intptr) ioctl$VT_WAITACTIVE(fd fd_tty, cmd const[VT_WAITACTIVE]) ioctl$VT_DISALLOCATE(fd fd_tty, cmd const[VT_DISALLOCATE]) ioctl$VT_RESIZE(fd fd_tty, cmd const[VT_RESIZE], arg ptr[in, vt_sizes]) ioctl$VT_RESIZEX(fd fd_tty, cmd const[VT_RESIZEX], arg ptr[in, vt_consize]) # For the TIOCLINUX ioctl, see console_ioctl(4). ioctl$TIOCL_SETSEL(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, tiocl_selection_arg]) ioctl$TIOCL_PASTESEL(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_PASTESEL, int8]]) ioctl$TIOCL_UNBLANKSCREEN(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_UNBLANKSCREEN, int8]]) ioctl$TIOCL_SELLOADLUT(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, loadlut]) ioctl$TIOCL_GETSHIFTSTATE(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, tiocl_shift_state]) ioctl$TIOCL_GETMOUSEREPORTING(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_GETMOUSEREPORTING, int8]]) ioctl$TIOCL_SETVESABLANK(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_SETVESABLANK, int8]]) ioctl$TIOCL_GETKMSGREDIRECT(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_GETKMSGREDIRECT, int8]]) ioctl$TIOCL_SCROLLCONSOLE(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, tioctl_scroll_console]) ioctl$TIOCL_BLANKSCREEN(fd fd_tty, cmd const[TIOCLINUX], arg ptr[in, const[TIOCL_BLANKSCREEN, int8]]) # TIOCSSERIAL can do nasty things under root, like causing writes to random memory # pretty much like /dev/mem, but this is also working as intended. # For details see: # https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ # https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e # TODO: TIOCSSERIAL does some other things that are not dangerous # and would be nice to test, if/when we can neutralize based on sandbox value # we could prohibit it only under sandbox=none. ioctl$TIOCSSERIAL(fd fd, cmd const[TIOCSSERIAL], arg ptr[in, serial_struct]) (disabled) ioctl$TIOCGSERIAL(fd fd_tty, cmd const[TIOCGSERIAL], arg ptr[out, serial_struct]) ioctl$TCGETS2(fd fd_tty, cmd const[TCGETS2], arg ptr[out, termios2]) ioctl$TCSETS2(fd fd_tty, cmd const[TCSETS2], arg ptr[in, termios2]) ioctl$TCSETSF2(fd fd_tty, cmd const[TCSETSF2], arg ptr[in, termios2]) ioctl$TCSETSW2(fd fd_tty, cmd const[TCSETSW2], arg ptr[in, termios2]) ioctl$TIOCSERGETLSR(fd fd_tty, cmd const[TIOCSERGETLSR], arg ptr[out, int32]) ioctl$TIOCGRS485(fd fd_tty, cmd const[TIOCGRS485], arg ptr[out, serial_rs485]) ioctl$TIOCSRS485(fd fd_tty, cmd const[TIOCSRS485], arg ptr[in, serial_rs485]) ioctl$TIOCGISO7816(fd fd_tty, cmd const[TIOCGISO7816], arg ptr[out, serial_iso7816]) ioctl$TIOCSISO7816(fd fd_tty, cmd const[TIOCSISO7816], arg ptr[in, serial_iso7816]) ioctl$TIOCSPTLCK(fd fd_tty, cmd const[TIOCSPTLCK], arg ptr[in, bool32]) ioctl$TIOCGPTLCK(fd fd_tty, cmd const[TIOCGPTLCK], arg ptr[out, int32]) ioctl$TIOCGPKT(fd fd_tty, cmd const[TIOCGPKT], arg ptr[out, int32]) ioctl$TIOCSIG(fd fd_tty, cmd const[TIOCSIG], arg signalnoptr) ioctl$TIOCVHANGUP(fd fd_tty, cmd const[TIOCVHANGUP], arg const[0]) ioctl$TIOCGDEV(fd fd_tty, cmd const[TIOCGDEV], arg ptr[out, int32]) ioctl$TIOCMIWAIT(fd fd_tty, cmd const[TIOCMIWAIT], arg const[0]) ioctl$TIOCGICOUNT(fd fd_tty, cmd const[TIOCGICOUNT], arg const[0]) # See tty_mode_ioctl. ioctl$TIOCGETP(fd fd_tty, cmd const[TIOCGETP], arg ptr[out, sgttyb]) ioctl$TIOCSETP(fd fd_tty, cmd const[TIOCSETP], arg ptr[in, sgttyb]) ioctl$TIOCGETC(fd fd_tty, cmd const[TIOCGETC], arg ptr[out, array[int8]]) ioctl$TIOCSETC(fd fd_tty, cmd const[TIOCSETC], arg ptr[in, array[int8]]) ioctl$TIOCGLTC(fd fd_tty, cmd const[TIOCGLTC], arg ptr[out, array[int8]]) ioctl$TIOCSLTC(fd fd_tty, cmd const[TIOCSLTC], arg ptr[in, array[int8]]) sgttyb { sg_ispeed int8 sg_ospeed int8 sg_erase int8 sg_kill int8 sg_flags int16 } tcxonc_arg = TCOOFF, TCOON, TCIOFF, TCION termios { c_iflag int32 c_oflag int32 c_cflag int32 c_lflag int32 c_line int8[N_TTY:N_NULL] c_cc array[int8, NCCS] } termios2 { c_iflag int32 c_oflag int32 c_cflag int32 c_lflag int32 c_line int8 c_cc array[int8, NCCS] c_ispeed int32 c_ospeed int32 } termio { c_iflag int16 c_oflag int16 c_cflag int16 c_lflag int16 c_line int8[N_TTY:N_NULL] c_cc array[int8, NCC] } winsize { row int16 col int16 xpix int16 upix int16 } io_cmap { map0 int64 map1 int64 map2 int64 map3 int64 map4 int64 map5 int64 } unimapdesc_in { cnt len[entries, int16] entries ptr[in, array[unipair]] } unimapdesc_out { cnt len[entries, int16] entries ptr[out, array[unipair]] } unipair { unicode int16 fontpos int16 } unimapinit { size int16 step int16 level int16 } kbentry { table int8 index int8 value int16 } kbsentry { kb_func int8 kb_string array[int8, 512] } kbkeycode { scan int32 key int32 } vt_mode { mode int8 waitv int8 relsig int16 acqsig int16 frsig int16 } vt_stat { active int16 signal int16 state int16 } vt_sizes { rows int16 cols int16 scroll int16 } vt_consize { rows int16 cols int16 vlin int16 clin int16 vcol int16 ccol int16 } tiocl_selection_arg { subcode const[TIOCL_SETSEL, int8] data tiocl_selection } [packed] tiocl_selection { subcode const[TIOCL_SETSEL, int8] xs int16 ys int16 xe int16 ye int16 mode flags[tiocl_selection_mode, int16] } [packed] tiocl_selection_mode = TIOCL_SELCHAR, TIOCL_SELWORD, TIOCL_SELLINE, TIOCL_SELPOINTER, TIOCL_SELCLEAR, TIOCL_SELMOUSEREPORT, TIOCL_SELBUTTONMASK loadlut { submode const[TIOCL_SELLOADLUT, int8] tab0 int64 tab1 int64 tab2 int64 tab3 int64 } [packed] tiocl_shift_state { subcode const[TIOCL_GETSHIFTSTATE, int8] shift int8 } [packed] tioctl_scroll_console { subcode const[TIOCL_SCROLLCONSOLE, int8] lines int32 } serial_struct { type int32 line int32 port int32 irq int32 flags int32 xmit_fifo_size int32 custom_divisor int32 baud_base int32 close_delay int16 io_type int8 reserved_char int8 hub6 int32 closing_wait int16 closing_wait2 int16 iomem_base ptr[out, array[int8]] iomem_reg_shift int16 port_high int32 iomap_base intptr } serial_rs485 { flags int32 delay_rts_before_send int32 delay_rts_after_send int32 padding array[const[0, int32], 5] } serial_iso7816 { flags int32 tg int32 sc_fi int32 sc_di int32 clk int32 reserved array[const[0, int32], 5] } type consolefontdesc[DIR] { charcount int16[0:512] charheight int16[0:32] chardata ptr[DIR, array[int8, 1024]] } type console_font_op[OP, DIR] { op const[OP, int32] flags bool32 width int32[0:32] height int32[0:32] charcount int32[0:512] data ptr[DIR, array[int8, 1024]] }