1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
include <linux/errno.h>
include <linux/pid.h>
include <linux/sched/coredump.h>
include <uapi/linux/prctl.h>
include <uapi/linux/seccomp.h>
include <uapi/linux/capability.h>
include <uapi/linux/securebits.h>
include <asm/prctl.h>
# Use this variant (which will always return -EINVAL) to explicitly set the 5
# syscall arguments that will enable to properly infer callArgSizes for all
# prctl variants.
prctl$0(option const[0], arg2 const[0], arg3 const[0], arg4 const[0], arg5 const[0]) (disabled)
# Only some commands break return values.
# PR_GET_TIMERSLACK and maybe more produce random errno's.
# When/if we have stricter enforcement of arguments for syscall variants, we may remove some of breaks_returns attributes.
prctl$PR_SET_PDEATHSIG(option const[PR_SET_PDEATHSIG], arg signalnoptr) (breaks_returns, ignore_return)
prctl$PR_GET_PDEATHSIG(option const[PR_GET_PDEATHSIG], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_GET_DUMPABLE(option const[PR_GET_DUMPABLE]) (breaks_returns, ignore_return)
prctl$PR_SET_DUMPABLE(option const[PR_SET_DUMPABLE], arg flags[prctl_dump_mode]) (breaks_returns, ignore_return)
prctl_dump_mode = SUID_DUMP_USER, SUID_DUMP_ROOT
prctl$PR_GET_UNALIGN(option const[PR_GET_UNALIGN], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_SET_UNALIGN(option const[PR_SET_UNALIGN], arg flags[prctl_align_mode]) (breaks_returns, ignore_return)
prctl_align_mode = PR_UNALIGN_NOPRINT, PR_UNALIGN_SIGBUS
prctl$PR_GET_KEEPCAPS(option const[PR_GET_KEEPCAPS]) (breaks_returns, ignore_return)
prctl$PR_SET_KEEPCAPS(option const[PR_SET_KEEPCAPS], arg boolptr) (breaks_returns, ignore_return)
prctl$PR_GET_FPEMU(option const[PR_GET_FPEMU], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_SET_FPEMU(option const[PR_SET_FPEMU], arg flags[prctl_fpemu_mode]) (breaks_returns, ignore_return)
prctl_fpemu_mode = PR_FPEMU_NOPRINT, PR_FPEMU_SIGFPE
prctl$PR_GET_FPEXC(option const[PR_GET_FPEXC], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_SET_FPEXC(option const[PR_SET_FPEXC], arg flags[prctl_fpexc_mode]) (breaks_returns, ignore_return)
prctl_fpexc_mode = PR_FP_EXC_SW_ENABLE, PR_FP_EXC_DIV, PR_FP_EXC_OVF, PR_FP_EXC_UND, PR_FP_EXC_RES, PR_FP_EXC_INV, PR_FP_EXC_DISABLED, PR_FP_EXC_NONRECOV, PR_FP_EXC_ASYNC, PR_FP_EXC_PRECISE
# These are not implemented.
_ = PR_GET_TIMING, PR_SET_TIMING
prctl$PR_SET_NAME(option const[PR_SET_NAME], name ptr[in, string]) (breaks_returns, ignore_return)
prctl$PR_GET_NAME(option const[PR_GET_NAME], name ptr[out, array[int8]]) (breaks_returns, ignore_return)
prctl$PR_GET_ENDIAN(option const[PR_GET_ENDIAN], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_SET_ENDIAN(option const[PR_SET_ENDIAN], arg flags[prctl_endian_mode]) (breaks_returns, ignore_return)
prctl_endian_mode = PR_ENDIAN_BIG, PR_ENDIAN_LITTLE, PR_ENDIAN_PPC_LITTLE
prctl$PR_GET_SECCOMP(option const[PR_GET_SECCOMP]) (breaks_returns, ignore_return)
prctl$PR_SET_SECCOMP(option const[PR_SET_SECCOMP], mode flags[prctl_seccomp_mode], prog ptr[in, sock_fprog]) (breaks_returns, ignore_return)
prctl_seccomp_mode = SECCOMP_MODE_DISABLED, SECCOMP_MODE_STRICT, SECCOMP_MODE_FILTER
prctl$PR_CAPBSET_READ(option const[PR_CAPBSET_READ], arg intptr[0:CAP_LAST_CAP]) (breaks_returns, ignore_return)
prctl$PR_CAPBSET_DROP(option const[PR_CAPBSET_DROP], arg intptr[0:CAP_LAST_CAP]) (breaks_returns, ignore_return)
prctl$PR_GET_TSC(option const[PR_GET_TSC], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl$PR_SET_TSC(option const[PR_SET_TSC], arg flags[prctl_tsc_mode]) (breaks_returns, ignore_return)
prctl_tsc_mode = PR_TSC_ENABLE, PR_TSC_SIGSEGV
prctl$PR_GET_SECUREBITS(option const[PR_GET_SECUREBITS]) (breaks_returns, ignore_return)
prctl$PR_SET_SECUREBITS(option const[PR_SET_SECUREBITS], arg flags[prctl_securebits]) (breaks_returns, ignore_return)
prctl_securebits = SECBIT_NOROOT, SECBIT_NOROOT_LOCKED, SECBIT_NO_SETUID_FIXUP, SECBIT_NO_SETUID_FIXUP_LOCKED, SECBIT_KEEP_CAPS, SECBIT_KEEP_CAPS_LOCKED
prctl$PR_SET_TIMERSLACK(option const[PR_SET_TIMERSLACK], arg intptr) (breaks_returns, ignore_return)
prctl$PR_GET_TIMERSLACK(option const[PR_GET_TIMERSLACK]) (breaks_returns, ignore_return)
prctl$PR_TASK_PERF_EVENTS_DISABLE(option const[PR_TASK_PERF_EVENTS_DISABLE]) (breaks_returns, ignore_return)
prctl$PR_TASK_PERF_EVENTS_ENABLE(option const[PR_TASK_PERF_EVENTS_ENABLE]) (breaks_returns, ignore_return)
prctl$PR_MCE_KILL(option const[PR_MCE_KILL], arg2 flags[prctl_mce_kill_mode], arg3 flags[prctl_mce_kill_submode]) (breaks_returns, ignore_return)
prctl$PR_MCE_KILL_GET(option const[PR_MCE_KILL_GET]) (breaks_returns, ignore_return)
prctl_mce_kill_mode = PR_MCE_KILL_CLEAR, PR_MCE_KILL_SET
prctl_mce_kill_submode = PR_MCE_KILL_LATE, PR_MCE_KILL_EARLY, PR_MCE_KILL_DEFAULT
prctl$PR_SET_MM(option const[PR_SET_MM], opt flags[prctl_mm_option], arg vma) (breaks_returns, ignore_return)
prctl$PR_SET_MM_EXE_FILE(option const[PR_SET_MM], opt const[PR_SET_MM_EXE_FILE], arg fd) (breaks_returns, ignore_return)
prctl$PR_SET_MM_AUXV(option const[PR_SET_MM], opt const[PR_SET_MM_AUXV], arg ptr[in, array[int8]], len bytesize[arg]) (breaks_returns, ignore_return)
prctl$PR_SET_MM_MAP(option const[PR_SET_MM], opt const[PR_SET_MM_MAP], arg ptr[in, prctl_mm_map], len bytesize[arg]) (breaks_returns, ignore_return)
prctl$PR_SET_MM_MAP_SIZE(option const[PR_SET_MM], opt const[PR_SET_MM_MAP_SIZE], arg ptr[out, int32]) (breaks_returns, ignore_return)
prctl_mm_option = PR_SET_MM_START_CODE, PR_SET_MM_END_CODE, PR_SET_MM_START_DATA, PR_SET_MM_END_DATA, PR_SET_MM_START_STACK, PR_SET_MM_START_BRK, PR_SET_MM_BRK, PR_SET_MM_ARG_START, PR_SET_MM_ARG_END, PR_SET_MM_ENV_START, PR_SET_MM_ENV_END
prctl_mm_map {
start_code vma64
end_code vma64
start_data vma64
end_data vma64
start_brk vma64
brk vma64
start_stack vma64
arg_start vma64
arg_end vma64
env_start vma64
env_end vma64
auxv ptr[in, array[int8]]
auxv_size bytesize[auxv, int32]
exe_fd fd
}
prctl$PR_SET_PTRACER(option const[PR_SET_PTRACER], pid pid) (breaks_returns, ignore_return)
prctl$PR_SET_CHILD_SUBREAPER(option const[PR_SET_CHILD_SUBREAPER], arg boolptr) (breaks_returns, ignore_return)
prctl$PR_GET_CHILD_SUBREAPER(option const[PR_GET_CHILD_SUBREAPER]) (breaks_returns, ignore_return)
prctl$PR_SET_NO_NEW_PRIVS(option const[PR_SET_NO_NEW_PRIVS], arg const[1]) (breaks_returns, ignore_return)
prctl$PR_GET_NO_NEW_PRIVS(option const[PR_GET_NO_NEW_PRIVS]) (breaks_returns, ignore_return)
prctl$PR_GET_TID_ADDRESS(option const[PR_GET_TID_ADDRESS], arg ptr[out, intptr]) (breaks_returns, ignore_return)
prctl$PR_SET_THP_DISABLE(option const[PR_SET_THP_DISABLE], arg boolptr) (breaks_returns, ignore_return)
prctl$PR_GET_THP_DISABLE(option const[PR_GET_THP_DISABLE]) (breaks_returns, ignore_return)
prctl$PR_MPX_ENABLE_MANAGEMENT(option const[PR_MPX_ENABLE_MANAGEMENT]) (breaks_returns, ignore_return)
prctl$PR_MPX_DISABLE_MANAGEMENT(option const[PR_MPX_DISABLE_MANAGEMENT]) (breaks_returns, ignore_return)
prctl$PR_SET_FP_MODE(option const[PR_SET_FP_MODE], arg flags[prctl_fp_mode]) (breaks_returns, ignore_return)
prctl$PR_GET_FP_MODE(option const[PR_GET_FP_MODE]) (breaks_returns, ignore_return)
prctl_fp_mode = PR_FP_MODE_FR, PR_FP_MODE_FRE
prctl$PR_CAP_AMBIENT(option const[PR_CAP_AMBIENT], arg2 flags[prctl_cap_ambient], arg3 intptr[0:CAP_LAST_CAP]) (breaks_returns, ignore_return)
prctl_cap_ambient = PR_CAP_AMBIENT_IS_SET, PR_CAP_AMBIENT_RAISE, PR_CAP_AMBIENT_LOWER, PR_CAP_AMBIENT_CLEAR_ALL
prctl$PR_SVE_SET_VL(option const[PR_SVE_SET_VL], arg intptr[0:PR_SVE_SET_VL_ONEXEC]) (breaks_returns, ignore_return)
prctl$PR_SVE_GET_VL(option const[PR_SVE_GET_VL], arg intptr[0:PR_SVE_VL_INHERIT]) (breaks_returns, ignore_return)
prctl$PR_GET_SPECULATION_CTRL(option const[PR_GET_SPECULATION_CTRL], arg2 const[PR_SPEC_STORE_BYPASS], arg3 flags[pr_spec_mode]) (breaks_returns, ignore_return)
prctl$PR_SET_SPECULATION_CTRL(option const[PR_SET_SPECULATION_CTRL], arg2 const[PR_SPEC_STORE_BYPASS]) (breaks_returns, ignore_return)
pr_spec_mode = PR_SPEC_ENABLE, PR_SPEC_DISABLE, PR_SPEC_FORCE_DISABLE
prctl$PR_PAC_RESET_KEYS(option const[PR_PAC_RESET_KEYS], arg2 flags[prctl_pac_keys]) (breaks_returns, ignore_return)
prctl_pac_keys = PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY, PR_PAC_APGAKEY
prctl$PR_SET_TAGGED_ADDR_CTRL(option const[PR_SET_TAGGED_ADDR_CTRL], arg2 flags[prctl_mte_ctl]) (breaks_returns, ignore_return)
prctl$PR_GET_TAGGED_ADDR_CTRL(option const[PR_GET_TAGGED_ADDR_CTRL]) (breaks_returns, ignore_return)
prctl_mte_ctl = PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_NONE, PR_MTE_TCF_SYNC, PR_MTE_TCF_ASYNC, PR_MTE_TAG_MASK
prctl$PR_SET_IO_FLUSHER(option const[PR_SET_IO_FLUSHER], arg2 boolptr) (breaks_returns, ignore_return)
prctl$PR_GET_IO_FLUSHER(option const[PR_GET_IO_FLUSHER]) (breaks_returns, ignore_return)
prctl$PR_SET_SYSCALL_USER_DISPATCH_OFF(option const[PR_SET_SYSCALL_USER_DISPATCH], mode const[PR_SYS_DISPATCH_OFF]) (breaks_returns, ignore_return)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(option const[PR_SET_SYSCALL_USER_DISPATCH], mode const[PR_SYS_DISPATCH_ON], offset intptr, len intptr, selector ptr[in, bool8]) (breaks_returns, ignore_return)
prctl$PR_SCHED_CORE(option const[PR_SCHED_CORE], cmd intptr[0:PR_SCHED_CORE_MAX], pid pid, type flags[pid_type], uaddr ptr[out, int64, opt]) (breaks_returns, ignore_return)
pid_type = PIDTYPE_PID, PIDTYPE_TGID, PIDTYPE_PGID, PIDTYPE_SID
prctl$PR_SET_VMA(option const[PR_SET_VMA], cmd const[PR_SET_VMA_ANON_NAME], addr vma, size bytesize[addr], name ptr[in, string]) (breaks_returns, ignore_return)
arch_prctl$ARCH_GET_FS(code const[ARCH_GET_FS], arg ptr[out, intptr])
arch_prctl$ARCH_GET_GS(code const[ARCH_GET_GS], arg ptr[out, intptr])
arch_prctl$ARCH_SET_GS(code const[ARCH_SET_GS], arg ptr[out, intptr])
arch_prctl$ARCH_GET_CPUID(code const[ARCH_GET_CPUID])
arch_prctl$ARCH_SET_CPUID(code const[ARCH_SET_CPUID], arg boolptr)
arch_prctl$ARCH_GET_XCOMP_SUPP(code const[ARCH_GET_XCOMP_SUPP], arg ptr[out, int64])
arch_prctl$ARCH_GET_XCOMP_PERM(code const[ARCH_GET_XCOMP_PERM], arg ptr[out, int64])
arch_prctl$ARCH_REQ_XCOMP_PERM(code const[ARCH_REQ_XCOMP_PERM], arg intptr[0:XFEATURE_MAX])
arch_prctl$ARCH_GET_XCOMP_GUEST_PERM(code const[ARCH_GET_XCOMP_GUEST_PERM], arg ptr[out, int64])
arch_prctl$ARCH_REQ_XCOMP_GUEST_PERM(code const[ARCH_REQ_XCOMP_GUEST_PERM], arg intptr[0:XFEATURE_MAX])
arch_prctl$ARCH_MAP_VDSO_X32(code const[ARCH_MAP_VDSO_X32], arg intptr)
arch_prctl$ARCH_MAP_VDSO_32(code const[ARCH_MAP_VDSO_32], arg intptr)
arch_prctl$ARCH_MAP_VDSO_64(code const[ARCH_MAP_VDSO_64], arg intptr)
arch_prctl$ARCH_SHSTK_STATUS(cmd const[ARCH_SHSTK_STATUS], res ptr[out, intptr])
arch_prctl$ARCH_SHSTK_LOCK(cmd const[ARCH_SHSTK_LOCK], features flags[shadow_stack_features])
arch_prctl$ARCH_SHSTK_UNLOCK(cmd const[ARCH_SHSTK_UNLOCK], features flags[shadow_stack_features])
arch_prctl$ARCH_SHSTK_ENABLE(cmd const[ARCH_SHSTK_ENABLE], features flags[shadow_stack_features])
arch_prctl$ARCH_SHSTK_DISABLE(cmd const[ARCH_SHSTK_DISABLE], features flags[shadow_stack_features])
arch_prctl$ARCH_GET_UNTAG_MASK(cmd const[ARCH_GET_UNTAG_MASK], arg ptr[out, intptr])
arch_prctl$ARCH_GET_MAX_TAG_BITS(cmd const[ARCH_GET_MAX_TAG_BITS], arg ptr[out, intptr])
arch_prctl$ARCH_ENABLE_TAGGED_ADDR(cmd const[ARCH_ENABLE_TAGGED_ADDR], arg intptr[1:6])
arch_prctl$ARCH_FORCE_TAGGED_SVA(cmd const[ARCH_FORCE_TAGGED_SVA])
_ = ARCH_SET_FS
shadow_stack_features = ARCH_SHSTK_SHSTK, ARCH_SHSTK_WRSS
|
