# Copyright 2017 syzkaller project authors. All rights reserved. # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. # TODO: due to autobind a socket can bind to port 0, that will result in a random port which is not reproducible include include include include include include include include resource sock[fd] socket(domain flags[socket_domain], type flags[socket_type], proto int8) sock socketpair(domain flags[socket_domain], type flags[socket_type], proto int8, fds ptr[out, pipefd]) bind(fd sock, addr ptr[in, sockaddr_storage], addrlen len[addr]) connect(fd sock, addr ptr[in, sockaddr_storage], addrlen len[addr]) accept(fd sock, peer ptr[out, sockaddr_storage, opt], peerlen ptr[inout, len[peer, int32]]) sock accept4(fd sock, peer ptr[out, sockaddr_storage, opt], peerlen ptr[inout, len[peer, int32]], flags flags[accept_flags]) sock sendto(fd sock, buf buffer[in], len len[buf], f flags[send_flags], addr ptr[in, sockaddr_storage, opt], addrlen len[addr]) recvfrom(fd sock, buf buffer[out], len len[buf], f flags[recv_flags], addr ptr[in, sockaddr_storage, opt], addrlen len[addr]) getsockname(fd sock, addr ptr[out, sockaddr_storage], addrlen ptr[inout, len[addr, int32]]) getpeername(fd sock, peer ptr[out, sockaddr_storage], peerlen ptr[inout, len[peer, int32]]) sendmsg(fd sock, msg ptr[in, send_msghdr], f flags[send_flags]) sendmmsg(fd sock, mmsg ptr[in, array[send_mmsghdr]], vlen len[mmsg], f flags[send_flags]) recvmsg(fd sock, msg ptr[in, recv_msghdr], f flags[recv_flags]) recvmmsg(fd sock, mmsg ptr[in, array[recv_mmsghdr]], vlen len[mmsg], f flags[recv_flags]) listen(fd sock, backlog int32) shutdown(fd sock, how flags[shutdown_flags]) getsockopt(fd sock, level int32, optname int32, optval buffer[out], optlen ptr[inout, len[optval, int32]]) setsockopt(fd sock, level int32, optname int32, optval buffer[in], optlen len[optval]) socket_domain = AF_UNIX, AF_INET, AF_INET6, AF_IPX, AF_NETLINK, AF_X25, AF_AX25, AF_ATMPVC, AF_APPLETALK, AF_PACKET socket_type = SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_RDM, SOCK_SEQPACKET, SOCK_DCCP, SOCK_PACKET, SOCK_NONBLOCK, SOCK_CLOEXEC accept_flags = SOCK_NONBLOCK, SOCK_CLOEXEC shutdown_flags = SHUT_RD, SHUT_WR send_flags = MSG_CONFIRM, MSG_DONTROUTE, MSG_DONTWAIT, MSG_EOR, MSG_MORE, MSG_NOSIGNAL, MSG_OOB, MSG_PROBE, MSG_BATCH, MSG_FASTOPEN recv_flags = MSG_CMSG_CLOEXEC, MSG_DONTWAIT, MSG_ERRQUEUE, MSG_OOB, MSG_PEEK, MSG_TRUNC, MSG_WAITALL, MSG_WAITFORONE cmsg_levels = SOL_SOCKET, IPPROTO_ICMP, SOL_IP, SOL_TCP, SOL_UDP, SOL_IPV6, SOL_ICMPV6, SOL_SCTP, SOL_UDPLITE, SOL_RAW, SOL_IPX, SOL_AX25, SOL_ATALK, SOL_NETROM, SOL_ROSE, SOL_DECNET, SOL_PACKET, SOL_ATM, SOL_AAL, SOL_IRDA, SOL_NETBEUI, SOL_LLC, SOL_DCCP, SOL_NETLINK, SOL_TIPC, SOL_RXRPC, SOL_PPPOL2TP, SOL_BLUETOOTH, SOL_PNPIPE, SOL_RDS, SOL_IUCV, SOL_CAIF, SOL_ALG, SOL_NFC, SOL_KCM # This sockaddr type corresponds to the struct sockaddr and is 16 bytes or less. sockaddr [ # AF_UNIX sockaddr in bigger than 16 bytes in sockaddr_in ax25 sockaddr_ax25 ipx sockaddr_ipx # TODO: AF_APPLETALK # AF_NETROM sockaddr is the same as AF_AX25 # TODO: AF_BRIDGE # TODO: AF_ATMPVC # TODO: AF_X25 # AF_INET6 sockaddr is bigger than 16 bytes # TODO: AF_ROSE # TODO: AF_DECnet nl sockaddr_nl # AF_PACKET sockaddr is bigger than 16 bytes # TODO: AF_ATMSVC # TODO: AF_RDS # TODO: AF_IRDA # TODO: AF_PPPOX llc sockaddr_llc # TODO: AF_IB # TODO: AF_MPLS # TODO: AF_CAN # TODO: AF_TIPC sco sockaddr_sco l2 sockaddr_l2 hci sockaddr_hci rc sockaddr_rc # TODO: AF_IUCV # TODO: AF_RXRPC # TODO: AF_ISDN # TODO: AF_PHONET # TODO: AF_IEEE802154 # TODO: AF_CAIF # AF_ALG sockaddr is bigger than 16 bytes nfc sockaddr_nfc # TODO: AF_VSOCK # TODO: AF_QIPCRTR ethernet sockaddr_ethernet generic sockaddr_generic ] # This sockaddr type corresponds to the sockaddr_storage type and is 128 bytes size. sockaddr_storage [ un sockaddr_un in sockaddr_in ax25 sockaddr_ax25 ipx sockaddr_ipx # TODO: AF_APPLETALK # AF_NETROM sockaddr is the same as AF_AX25 # TODO: AF_BRIDGE # TODO: AF_ATMPVC # TODO: AF_X25 in6 sockaddr_in6 # TODO: AF_ROSE # TODO: AF_DECnet nl sockaddr_nl # TODO: AF_PACKET # TODO: AF_ATMSVC # TODO: AF_RDS # TODO: AF_IRDA # TODO: AF_PPPOX llc sockaddr_llc # TODO: AF_IB # TODO: AF_MPLS # TODO: AF_CAN # TODO: AF_TIPC sco sockaddr_sco l2 sockaddr_l2 hci sockaddr_hci rc sockaddr_rc # TODO: AF_IUCV # TODO: AF_RXRPC # TODO: AF_ISDN # TODO: AF_PHONET # TODO: AF_IEEE802154 # TODO: AF_CAIF alg sockaddr_alg nfc sockaddr_nfc nfc_llcp sockaddr_nfc_llcp # TODO: AF_VSOCK # TODO: AF_QIPCRTR ethernet sockaddr_ethernet generic sockaddr_storage_generic ] [varlen] sockaddr_generic { sa_family flags[socket_domain, int16] sa_data array[int8, 14] } sockaddr_storage_generic { sa_family flags[socket_domain, int16] sa_data array[int8, 126] } send_msghdr { msg_name ptr[in, sockaddr_storage, opt] msg_namelen len[msg_name, int32] msg_iov ptr[in, array[iovec_in]] msg_iovlen len[msg_iov, intptr] msg_control ptr[in, array[cmsghdr]] msg_controllen len[msg_control, intptr] msg_flags flags[send_flags, int32] } send_mmsghdr { msg_hdr send_msghdr msg_len int32 } recv_msghdr { msg_name ptr[out, sockaddr_storage, opt] msg_namelen len[msg_name, int32] msg_iov ptr[in, array[iovec_out]] msg_iovlen len[msg_iov, intptr] msg_control buffer[out] msg_controllen len[msg_control, intptr] msg_flags int32 } recv_mmsghdr { msg_hdr recv_msghdr msg_len int32 } cmsghdr { cmsg_len len[parent, intptr] cmsg_level flags[cmsg_levels, int32] cmsg_type int32 data array[int8] } [align_ptr] # Socket options # http://lxr.free-electrons.com/source/include/uapi/asm-generic/socket.h setsockopt$sock_void(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_void], optval const[0], optlen const[0]) getsockopt$sock_int(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_int], optval ptr[out, int32], optlen ptr[inout, len[optval, int32]]) setsockopt$sock_int(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_int], optval ptr[in, int32], optlen len[optval]) setsockopt$sock_str(fd sock, level const[SOL_SOCKET], optname const[SO_BINDTODEVICE], optval ptr[in, string], optlen len[optval]) getsockopt$sock_linger(fd sock, level const[SOL_SOCKET], optname const[SO_LINGER], optval ptr[out, linger], optlen ptr[inout, len[optval, int32]]) setsockopt$sock_linger(fd sock, level const[SOL_SOCKET], optname const[SO_LINGER], optval ptr[in, linger], optlen len[optval]) getsockopt$sock_cred(fd sock, level const[SOL_SOCKET], optname const[SO_PEERCRED], optval ptr[out, ucred], optlen ptr[inout, len[optval, int32]]) setsockopt$sock_cred(fd sock, level const[SOL_SOCKET], optname const[SO_PEERCRED], optval ptr[in, ucred], optlen len[optval]) getsockopt$sock_timeval(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timeval], optval ptr[out, timeval], optlen ptr[inout, len[optval, int32]]) setsockopt$sock_timeval(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_timeval], optval ptr[in, timeval], optlen len[optval]) setsockopt$sock_attach_bpf(fd sock, level const[SOL_SOCKET], optname const[SO_ATTACH_BPF], optval ptr[in, fd_bpf_prog], optlen len[optval]) setsockopt$SO_TIMESTAMPING(fd sock, level const[SOL_SOCKET], optname const[SO_TIMESTAMPING], optval ptr[in, flags[sockopt_so_timestamping, int32]], optlen len[optval]) getsockopt$SO_TIMESTAMPING(fd sock, level const[SOL_SOCKET], optname const[SO_TIMESTAMPING], optval ptr[out, int32], optlen ptr[inout, len[optval, int32]]) setsockopt$SO_ATTACH_FILTER(fd sock, level const[SOL_SOCKET], optname const[SO_ATTACH_FILTER], optval ptr[in, sock_fprog], optlen len[optval]) setsockopt$SO_BINDTODEVICE(fd sock, level const[SOL_SOCKET], optname const[SO_BINDTODEVICE], optval ptr[in, devname], optlen len[optval]) getsockopt$SO_BINDTODEVICE(fd sock, level const[SOL_SOCKET], optname const[SO_BINDTODEVICE], optval ptr[out, devname], optlen len[optval]) getsockopt$SO_PEERCRED(fd sock, level const[SOL_SOCKET], optname const[SO_PEERCRED], optval ptr[out, ucred], optlen len[optval]) getsockopt$sock_buf(fd sock, level const[SOL_SOCKET], optname flags[sockopt_opt_sock_buf], optval buffer[out], optlen ptr[inout, len[optval, int32]]) sockopt_opt_sock_void = SO_DETACH_FILTER, SO_MARK sockopt_opt_sock_int = SO_ACCEPTCONN, SO_BROADCAST, SO_DEBUG, SO_DOMAIN, SO_ERROR, SO_DONTROUTE, SO_KEEPALIVE, SO_PEEK_OFF, SO_PRIORITY, SO_PROTOCOL, SO_RCVBUF, SO_RCVBUFFORCE, SO_RCVLOWAT, SO_SNDLOWAT, SO_REUSEADDR, SO_SNDBUF, SO_SNDBUFFORCE, SO_TIMESTAMP, SO_TYPE, SO_REUSEPORT, SO_OOBINLINE, SO_NO_CHECK, SO_PASSCRED, SO_TIMESTAMPNS, SO_LOCK_FILTER, SO_PASSSEC, SO_RXQ_OVFL, SO_WIFI_STATUS, SO_NOFCS, SO_SELECT_ERR_QUEUE, SO_BUSY_POLL, SO_MAX_PACING_RATE sockopt_opt_sock_timeval = SO_RCVTIMEO, SO_SNDTIMEO sockopt_opt_sock_buf = SO_PEERNAME, SO_PEERSEC, SO_GET_FILTER sockopt_so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE, SOF_TIMESTAMPING_TX_SOFTWARE, SOF_TIMESTAMPING_RX_HARDWARE, SOF_TIMESTAMPING_RX_SOFTWARE, SOF_TIMESTAMPING_SOFTWARE, SOF_TIMESTAMPING_SYS_HARDWARE, SOF_TIMESTAMPING_RAW_HARDWARE, SOF_TIMESTAMPING_OPT_ID, SOF_TIMESTAMPING_TX_SCHED, SOF_TIMESTAMPING_TX_ACK, SOF_TIMESTAMPING_OPT_CMSG, SOF_TIMESTAMPING_OPT_TSONLY # Socket ioctls # Since some socket ioctls are forwarded to the network device, adding device ioctls here as well. # http://lxr.free-electrons.com/source/include/uapi/linux/sockios.h # http://lxr.free-electrons.com/source/include/uapi/asm-generic/sockios.h # TODO: SIOCADDRT, SIOCDELRT, SIOCRTMSG # TODO: ETHTOOL commands (SIOCETHTOOL, ...) # TODO: SIOCDRARP, SIOCGRARP, SIOCSRARP # TODO: SIOCGIFVLAN, SIOCSIFVLAN # TODO: SIOCGSTAMP, SIOCGSTAMPNS ioctl$sock_SIOCOUTQ(fd sock, cmd const[SIOCOUTQ], arg ptr[out, int32]) ioctl$sock_SIOCINQ(fd sock, cmd const[SIOCINQ], arg ptr[out, int32]) ioctl$sock_SIOCGIFCONF(fd sock, cmd const[SIOCGIFNAME], arg ptr[inout, ifconf]) ifreq_ioctls = SIOCGIFNAME, SIOCSIFLINK, SIOCGIFFLAGS, SIOCSIFFLAGS, SIOCGIFADDR, SIOCSIFADDR, SIOCGIFDSTADDR, SIOCSIFDSTADDR, SIOCGIFBRDADDR, SIOCSIFBRDADDR, SIOCGIFNETMASK, SIOCSIFNETMASK, SIOCGIFMETRIC, SIOCSIFMETRIC, SIOCGIFMEM, SIOCSIFMEM, SIOCGIFMTU, SIOCSIFMTU, SIOCSIFNAME, SIOCSIFHWADDR, SIOCGIFENCAP, SIOCSIFENCAP, SIOCGIFHWADDR, SIOCGIFSLAVE, SIOCSIFSLAVE, SIOCADDMULTI, SIOCDELMULTI, SIOCGIFINDEX, SIOCSIFPFLAGS, SIOCGIFPFLAGS, SIOCDIFADDR, SIOCSIFHWBROADCAST, SIOCGIFCOUNT, SIOCGIFTXQLEN, SIOCSIFTXQLEN, SIOCETHTOOL, SIOCGMIIPHY, SIOCGMIIREG, SIOCSMIIREG, SIOCWANDEV, SIOCGIFMAP, SIOCSIFMAP, SIOCBONDENSLAVE, SIOCBONDRELEASE, SIOCBONDSETHWADDR, SIOCBONDSLAVEINFOQUERY, SIOCBONDINFOQUERY, SIOCBONDCHANGEACTIVE, SIOCBRADDIF, SIOCBRDELIF, SIOCSHWTSTAMP, SIOCGHWTSTAMP ioctl$sock_ifreq(fd sock, cmd flags[ifreq_ioctls], arg ptr[inout, ifreq]) ioctl$sock_SIOCGIFINDEX(fd sock, cmd const[SIOCGIFINDEX], arg ptr[inout, ifreq_SIOCGIFINDEX]) ioctl$sock_SIOCGIFBR(fd sock, cmd const[SIOCGIFBR], arg ptr[inout, brctl_arg]) ioctl$sock_SIOCSIFBR(fd sock, cmd const[SIOCGIFBR], arg ptr[inout, brctl_arg]) ioctl$sock_SIOCOUTQNSD(fd sock, cmd const[SIOCOUTQNSD], arg ptr[out, int32]) ioctl$sock_SIOCGSKNS(fd sock, cmd const[SIOCGSKNS], arg ptr[inout, int32]) ioctl$sock_SIOCADDDLCI(fd sock, cmd const[SIOCADDDLCI], arg ptr[inout, dlci_add]) ioctl$sock_SIOCDELDLCI(fd sock, cmd const[SIOCDELDLCI], arg ptr[in, dlci_add]) ioctl$sock_SIOCBRADDBR(fd sock, cmd const[SIOCBRADDBR], arg ptr[in, devname]) ioctl$sock_SIOCBRDELBR(fd sock, cmd const[SIOCBRDELBR], arg ptr[in, devname]) define SIOCDEVPRIVATE_BEG (SIOCDEVPRIVATE) define SIOCDEVPRIVATE_END (SIOCDEVPRIVATE + 15) define SIOCPROTOPRIVATE_BEG (SIOCPROTOPRIVATE) define SIOCPROTOPRIVATE_END (SIOCPROTOPRIVATE + 15) ioctl$sock_netdev_private(fd sock, cmd int16[SIOCDEVPRIVATE_BEG:SIOCDEVPRIVATE_END], arg ptr[in, array[int8]]) ioctl$sock_proto_private(fd sock, cmd int16[SIOCPROTOPRIVATE_BEG:SIOCPROTOPRIVATE_END], arg ptr[in, array[int8]]) ioctl$sock_FIOSETOWN(fd sock, cmd const[FIOSETOWN], arg ptr[in, pid]) ioctl$sock_SIOCSPGRP(fd sock, cmd const[SIOCSPGRP], arg ptr[in, pid]) ioctl$sock_FIOGETOWN(fd sock, cmd const[FIOGETOWN], arg ptr[out, pid]) ioctl$sock_SIOCGPGRP(fd sock, cmd const[SIOCGPGRP], arg ptr[out, pid]) resource ifindex[int32] ifreq_SIOCGIFINDEX { ifr_ifrn devname ifr_ifru ifindex pad array[const[0, int8], 20] } [packed] ifreq { ifr_ifrn devname ifr_ifru ifr_ifru } syzn_devname { s const[115, int8] y const[121, int8] z const[122, int8] N proc[int8, 48, 1] 0 const[0, int8] } # We could add "eth0" to this list as well, but this will affect the connection between fuzzer and manager and produce lots of "no output" crashes. devnames = "lo", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "sit0", "ip6tnl0", "ip6gre0", "bond0", "dummy0", "eql", "ifb0", "ipddp0", "yam0", "bcsf0", "bcsh0", "teql0", "nr0", "rose0", "irlan0", "bpq0" devname [ generic array[int8, IFNAMSIZ] common string[devnames, IFNAMSIZ] syzn syzn_devname ] ifr_ifru [ ifru_addrs sockaddr ifru_flags flags[ifru_flags, int16] ifru_ivalue int32 ifru_mtu int32 ifru_map ifmap ifru_names devname ifru_data ptr[in, array[int8, 32]] ifru_settings if_settings ] ifru_flags = IFF_TUN, IFF_TAP, IFF_NO_PI, IFF_ONE_QUEUE, IFF_VNET_HDR, IFF_TUN_EXCL, IFF_MULTI_QUEUE, IFF_ATTACH_QUEUE, IFF_DETACH_QUEUE, IFF_PERSIST, IFF_NOFILTER ifmap { mem_start int64 mem_end int64 base_addr int16 irq int8 dma int8 port int8 } if_settings { type int32 size int32 ifs_ifsu ifs_ifsu } ifs_ifsu [ raw_hdlc ptr[in, raw_hdlc_proto] cisco ptr[in, cisco_proto] fr ptr[in, fr_proto] fr_pvc ptr[in, fr_proto_pvc] fr_pvc_info ptr[in, fr_proto_pvc_info] sync ptr[in, sync_serial_settings] te1 ptr[in, te1_settings] ] raw_hdlc_proto { encode int16 parity int16 } cisco_proto { val int32 timeout int32 } fr_proto { t391 int32 t392 int32 n391 int32 n392 int32 n393 int32 lmi int16 dce int16 } fr_proto_pvc { dlcl int32 } fr_proto_pvc_info { dlci int32 master devname } sync_serial_settings { rate int32 type int32 loop int16 } te1_settings { rate int32 type int32 loop int16 slot int32 } ifconf [ buf ifconf_buf req ifconf_req ] ifconf_buf { ifc_len len[ifcu_buf, int32] ifcu_buf ptr[inout, array[int8], opt] } ifconf_req { ifc_len len[ifcu_req, int32] ifcu_req ptr[inout, ifreq, opt] } brctl_cmds = BRCTL_GET_VERSION, BRCTL_GET_BRIDGES, BRCTL_ADD_BRIDGE, BRCTL_DEL_BRIDGE brctl_arg [ get brctl_arg_get add_del brctl_arg_add_del generic brctl_arg_generic ] brctl_arg_get { cmd const[BRCTL_GET_BRIDGES, int64] buf ptr[out, array[int8]] indices int64 } brctl_arg_add_del { cmd const[BRCTL_ADD_BRIDGE, int64] devname ptr[in, devname] pad int64 } brctl_arg_generic { a0 int64 a1 int64 a2 int64 } dlci_add { devname devname dlci int16 }