1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <asm/ioctls.h>
include <linux/stat.h>
include <uapi/linux/fuse.h>
resource fd_fuse[fd]
syz_fuse_mount(target ptr[in, filename], mode flags[fuse_mode], uid uid, gid gid, maxread intptr, flags flags[mount_flags]) fd_fuse
syz_fuseblk_mount(target ptr[in, filename], blkdev ptr[in, filename], mode flags[fuse_mode], uid uid, gid gid, maxread intptr, blksize intptr, flags flags[mount_flags]) fd_fuse
ioctl$FUSE_DEV_IOC_CLONE(fd fd_fuse, cmd const[FUSE_DEV_IOC_CLONE], arg ptr[in, fd_fuse])
write$fuse_init(fd fd_fuse, arg ptr[in, fuse_init_out], len len[arg])
write$fuse_interrupt(fd fd_fuse, arg ptr[in, fuse_interrupt_out], len len[arg])
write$fuse_bmap(fd fd_fuse, arg ptr[in, fuse_bmap_out], len len[arg])
write$fuse_ioctl(fd fd_fuse, arg ptr[in, fuse_ioctl_out], len len[arg])
write$fuse_poll(fd fd_fuse, arg ptr[in, fuse_poll_out], len len[arg])
write$fuse_notify_poll_wakeup(fd fd_fuse, arg ptr[in, fuse_notify_poll_wakeup_out], len len[arg])
write$fuse_notify_inval_inode(fd fd_fuse, arg ptr[in, fuse_notify_inval_inode_out], len len[arg])
write$fuse_notify_inval_entry(fd fd_fuse, arg ptr[in, fuse_notify_inval_entry_out], len len[arg])
write$fuse_notify_delete(fd fd_fuse, arg ptr[in, fuse_notify_delete_out], len len[arg])
write$fuse_notify_store(fd fd_fuse, arg ptr[in, fuse_notify_store_out], len len[arg])
write$fuse_notify_retrieve(fd fd_fuse, arg ptr[in, fuse_notify_retrieve_out], len len[arg])
# 1 stands for default_permissions, 2 - allow_other
fuse_mode = 1, 2, S_IFREG, S_IFCHR, S_IFBLK, S_IFIFO, S_IFSOCK, S_IFLNK, S_IFDIR
fuse_init_out {
len len[parent, int32]
err int32
unique int64
maj int32
min int32
readah int32
flags int32
backg int16
congest int16
maxwr int32
timegr int32
unused0 const[0, int32]
unused1 const[0, int32]
unused2 const[0, int32]
unused3 const[0, int32]
unused4 const[0, int32]
unused5 const[0, int32]
unused6 const[0, int32]
unused7 const[0, int32]
unused8 const[0, int32]
}
fuse_interrupt_out {
len len[parent, int32]
err int32
unique int64
}
fuse_bmap_out {
len len[parent, int32]
err int32
unique int64
block int64
}
fuse_ioctl_out {
len len[parent, int32]
err int32
unique int64
res int32
flags int32
iniovs int32
outiovs int32
}
fuse_poll_out {
len len[parent, int32]
err int32
unique int64
revents int32
}
fuse_notify_poll_wakeup_out {
len len[parent, int32]
err int32
unique const[0, int64]
kh int16
}
fuse_notify_inval_inode_out {
len1 len[parent, int32]
err int32
unique const[0, int64]
ino int64
off int64
len2 int16
}
fuse_notify_inval_entry_out {
len len[parent, int32]
err int32
unique const[0, int64]
par int64
namelen int32
}
fuse_notify_delete_out {
len len[parent, int32]
err int32
unique const[0, int64]
par int64
child int64
namelen int32
}
fuse_notify_store_out {
len len[parent, int32]
err int32
unique const[0, int64]
nodeid int64
off int64
size int32
}
fuse_notify_retrieve_out {
len len[parent, int32]
err int32
unique1 const[0, int64]
unique2 int64
nodeid int64
off int64
size int32
}
|
