# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Proper fuzzing of floppy device requires:
# 1) CONFIG_BLK_DEV_FD in your kernel configuration
# 2) "cmdline": " -fda FLOPPY.img " in syzkaller configuration

include <uapi/linux/fd.h>

# File-descriptor resource for an opened floppy device node. It derives from
# the generic fd resource; every ioctl description in this file takes an
# fd_floppy, so they are only fed descriptors produced by the open call below.
resource fd_floppy[fd]

# Opens a floppy device node and yields an fd_floppy. The '#' in "/dev/fd#" is
# the placeholder that the syz_open_dev pseudo-syscall fills in from id.
# flags is drawn from the open_flags set, which is not defined in this file.
syz_open_dev$floppy(dev ptr[in, string["/dev/fd#"]], id intptr, flags flags[open_flags]) fd_floppy

# ioctl descriptions for the floppy driver, one per FD* command constant taken
# from the included <uapi/linux/fd.h>. The direction on each pointer argument
# says who fills the structure: "in" is generated by the fuzzer, "out" is
# written by the kernel, "inout" is both.
# NOTE(review): the driver is expected to gate some of these commands on
# privilege or on the mode the device was opened with, so how many of them get
# past the permission check depends on how the fuzzing process is set up -
# confirm against the driver.
ioctl$FLOPPY_FDEJECT(fd fd_floppy, cmd const[FDEJECT])
ioctl$FLOPPY_FDCLRPRM(fd fd_floppy, cmd const[FDCLRPRM])
# Geometry set/get: FDSETPRM and FDDEFPRM pass a fuzzer-built floppy_struct in,
# FDGETPRM receives one back.
ioctl$FLOPPY_FDSETPRM(fd fd_floppy, cmd const[FDSETPRM], arg ptr[in, floppy_struct])
ioctl$FLOPPY_FDDEFPRM(fd fd_floppy, cmd const[FDDEFPRM], arg ptr[in, floppy_struct])
ioctl$FLOPPY_FDGETPRM(fd fd_floppy, cmd const[FDGETPRM], arg ptr[out, floppy_struct])
ioctl$FLOPPY_FDMSGON(fd fd_floppy, cmd const[FDMSGON])
ioctl$FLOPPY_FDMSGOFF(fd fd_floppy, cmd const[FDMSGOFF])
# Formatting sequence: begin, per-track request described by format_descr, end.
ioctl$FLOPPY_FDFMTBEG(fd fd_floppy, cmd const[FDFMTBEG])
ioctl$FLOPPY_FDFMTTRK(fd fd_floppy, cmd const[FDFMTTRK], arg ptr[in, format_descr])
ioctl$FLOPPY_FDFMTEND(fd fd_floppy, cmd const[FDFMTEND])
ioctl$FLOPPY_FDFLUSH(fd fd_floppy, cmd const[FDFLUSH])
# The threshold is passed by value and limited to the range 0..0xf.
ioctl$FLOPPY_FDSETEMSGTRESH(fd fd_floppy, cmd const[FDSETEMSGTRESH], arg intptr[0:0xf])
ioctl$FLOPPY_FDGETMAXERRS(fd fd_floppy, cmd const[FDGETMAXERRS], arg ptr[out, floppy_max_errors])
ioctl$FLOPPY_FDSETMAXERRS(fd fd_floppy, cmd const[FDSETMAXERRS], arg ptr[in, floppy_max_errors])
ioctl$FLOPPY_FDGETDRVTYP(fd fd_floppy, cmd const[FDGETDRVTYP], arg ptr[out, floppy_drive_name])
ioctl$FLOPPY_FDSETDRVPRM(fd fd_floppy, cmd const[FDSETDRVPRM], arg ptr[in, floppy_drive_params])
ioctl$FLOPPY_FDGETDRVPRM(fd fd_floppy, cmd const[FDGETDRVPRM], arg ptr[out, floppy_drive_params])
# Both drive-status commands only receive a floppy_drive_struct from the kernel.
ioctl$FLOPPY_FDPOLLDRVSTAT(fd fd_floppy, cmd const[FDPOLLDRVSTAT], arg ptr[out, floppy_drive_struct])
ioctl$FLOPPY_FDGETDRVSTAT(fd fd_floppy, cmd const[FDGETDRVSTAT], arg ptr[out, floppy_drive_struct])
# The reset mode is passed by value, chosen from floppy_reset_mode.
ioctl$FLOPPY_FDRESET(fd fd_floppy, cmd const[FDRESET], arg flags[floppy_reset_mode])
ioctl$FLOPPY_FDGETFDCSTAT(fd fd_floppy, cmd const[FDGETFDCSTAT], arg ptr[out, floppy_fdc_state])
ioctl$FLOPPY_FDWERRORCLR(fd fd_floppy, cmd const[FDWERRORCLR])
ioctl$FLOPPY_FDWERRORGET(fd fd_floppy, cmd const[FDWERRORGET], arg ptr[out, floppy_write_errors])
# Raw command interface. The structure is inout because floppy_raw_cmd carries
# both the command bytes and the fields the description marks as output.
ioctl$FLOPPY_FDRAWCMD(fd fd_floppy, cmd const[FDRAWCMD], arg ptr[inout, floppy_raw_cmd])
ioctl$FLOPPY_FDTWADDLE(fd fd_floppy, cmd const[FDTWADDLE])

# Argument layout for FDSETPRM and FDDEFPRM (in) and FDGETPRM (out).
# Field order and widths define the binary layout handed to the kernel, so they
# have to stay in step with the structure of the same name in
# <uapi/linux/fd.h>.
# None of the integer fields carries a range, so the fuzzer generates zero and
# extreme values for all of them on the two set calls; the driver's own
# validation of these values is what gets exercised.
floppy_struct {
	size	int32
	sect	int32
	head	int32
	track	int32
	stretch	int32

	gap	int8
	rate	int8
	spec1	int8
	fmt_gap	int8

# Pointer embedded in the structure; the fuzzer points it at a string buffer.
	name	ptr[inout, string]
}

# Argument of FDFMTTRK (in): three unconstrained 32-bit values naming the
# device, head and track of the format request.
format_descr {
	device	int32
	head	int32
	track	int32
}

# Five unconstrained 32-bit values. Used directly by FDGETMAXERRS (out) and
# FDSETMAXERRS (in), and embedded as the max_errors field of
# floppy_drive_params.
# NOTE(review): presumably per-category error thresholds - confirm against the
# kernel header.
floppy_max_errors {
	abort		int32
	read_track	int32
	reset		int32
	recal		int32
	reporting	int32
}

# Fixed 16-byte buffer that FDGETDRVTYP fills in (it is only used with
# ptr[out, ...]).
type floppy_drive_name array[int8, 16]

# Argument of FDSETDRVPRM (in) and FDGETDRVPRM (out).
# The intptr fields are pointer-sized, so the layout differs between 32-bit and
# 64-bit targets. Apart from flags, every field is an unconstrained integer, so
# the set call receives arbitrary values in all of them.
floppy_drive_params {
	cmos		int8
	max_dtr		intptr
	hlt		intptr
	hut		intptr
	srt		intptr
	spinup		intptr
	spindown	intptr
	spindown_offset	int8
	select_delay	int8
	rps		int8
	tracks		int8
	timeout		intptr
# NOTE(review): spelled "intreleave" here; the kernel header is believed to
# name this field interleave_sect. The spelling does not affect the layout.
	intreleave_sect	int8
	max_errors	floppy_max_errors
# One byte of flags taken from floppy_drive_params_flags.
	flags		flags[floppy_drive_params_flags, int8]
	read_track	int8
# Eight unconstrained 16-bit entries.
# NOTE(review): presumably indices into a format table; out-of-range values
# are generated because no range is given - confirm that is intended.
	autodetect	array[int16, 8]
	checkfreq	int32
	native_format	int32
}

# Drive status record. In this file it is only used with ptr[out, ...]
# (FDPOLLDRVSTAT and FDGETDRVSTAT), so the kernel fills it in.
floppy_drive_struct {
# NOTE(review): the values in floppy_drive_struct_flags all end in _BIT, which
# suggests bit positions rather than masks. As the structure is output-only
# here, the generated flag value should not matter - confirm.
	flags		flags[floppy_drive_struct_flags, intptr]
	spinup_date	intptr
	select_date	intptr
	first_read_date	intptr

	probed_format	int16
	track		int16
	maxblock	int16
	maxtrack	int16

	generation	int32
	keep_data	int32
	fd_ref		int32
	fd_device	int32

	last_checked	intptr

# Embedded pointer to an output byte buffer; bufblocks is tied to it via len[],
# i.e. it is generated as the element count of dmabuf.
	dmabuf		ptr[out, int8]
	bufblocks	len[dmabuf, int32]
}

# Controller state record. Only used with ptr[out, ...] (FDGETFDCSTAT), so the
# kernel fills it in.
floppy_fdc_state {
	spec1		int32
	spec2		int32
	dtr		int32

	version		int8
	dor		int8
	address		intptr
# Five consecutive bitfields declared on int32, 7 bits in total.
	rawcmd		int32:2
	reset		int32:1
	need_configure	int32:1
	perp_mode	int32:2
	has_fifo	int32:1
	driver_version	int32

	track		array[int8, 4]
}

# Write-error statistics. Only used with ptr[out, ...] (FDWERRORGET), so the
# kernel fills it in. The two *_sector fields are pointer-sized.
floppy_write_errors {
	write_errors		int32

	first_error_sector	intptr
	first_error_generation	int32
	last_error_sector	intptr
# NOTE(review): "lsat" looks like a typo for "last" (compare last_error_sector
# above). The spelling does not affect the layout.
	lsat_error_generation	int32

	badness			int32
}

# Argument of FDRAWCMD (inout): one raw controller command with its data
# buffer. Fields pinned with const[0, ...] are ones this description treats as
# output or kernel-only, so the fuzzer always sends zero in them.
floppy_raw_cmd {
	flags		flags[floppy_raw_cmd_flags, int32]

# User data buffer; length below is generated as its size.
	data		buffer[inout]
# Kernel-only field. According to the original note it is zeroed after
# copy_from_user, and const[0, intptr] was considered for it. As written, the
# fuzzer supplies an arbitrary pointer here, which checks that the driver
# never uses the user-provided value.
	kernel_data	ptr[in, int8]
# NOTE(review): next is pinned to 0 while FD_RAW_MORE is part of
# floppy_raw_cmd_flags, so chained commands are presumably never built by this
# description - confirm whether that gap is intended.
	next		const[0, intptr]

	length		len[data, intptr]
# output value
	phys_length	const[0, intptr]
# output value, kernel only
	buffer_length	const[0, int32]

	rate		int8
# cmd_count is a free int8 and is not tied to the 16-byte cmd array, so counts
# above 16 are generated as well.
	cmd_count	int8
	cmd		array[int8, 16]
# output
	reply_count	const[0, int8]
	reply		array[const[0, int8], 16]
	track		int32
# output
	resultcode	const[0, int32]

	reserved1	const[0, int32]
	reserved2	const[0, int32]
}

# Flag sets referenced by the descriptions in this file; the constant values
# come from the included <uapi/linux/fd.h>.
# Reset modes for the by-value argument of FDRESET.
floppy_reset_mode = FD_RESET_IF_NEEDED, FD_RESET_IF_RAWCMD, FD_RESET_ALWAYS
# Values for floppy_drive_struct.flags (an output-only structure in this file).
floppy_drive_struct_flags = FD_NEED_TWADDLE_BIT, FD_VERIFY_BIT, FD_DISK_NEWCHANGE_BIT, FD_UNUSED_BIT, FD_DISK_CHANGED_BIT, FD_DISK_WRITABLE_BIT, FD_OPEN_SHOULD_FAIL_BIT
# Values for the one-byte floppy_drive_params.flags.
floppy_drive_params_flags = FTD_MSG, FD_BROKEN_DCL, FD_DEBUG, FD_SILENT_DCL_CLEAR, FD_INVERTED_DCL
# Values for floppy_raw_cmd.flags.
# NOTE(review): the *FAILURE names look like result indications rather than
# request bits; they are offered as input here - confirm that is intended.
floppy_raw_cmd_flags = FD_RAW_READ, FD_RAW_WRITE, FD_RAW_NO_MOTOR, FD_RAW_DISK_CHANGE, FD_RAW_INTR, FD_RAW_SPIN, FD_RAW_NO_MOTOR_AFTER, FD_RAW_NEED_DISK, FD_RAW_NEED_SEEK, FD_RAW_MORE, FD_RAW_STOP_IF_FAILURE, FD_RAW_STOP_IF_SUCCESS, FD_RAW_SOFTFAILURE, FD_RAW_FAILURE, FD_RAW_HARDFAILURE