syzkaller/docs/syscall_descriptions.md

# Syscall descriptions

`syzkaller` uses declarative description of syscalls to generate, mutate, minimize, serialize and deserialize programs (sequences of syscalls).
Below you can see (hopefully self-explanatory) excerpt from the description:

```
open(file filename, flags flags[open_flags], mode flags[open_mode]) fd
read(fd fd, buf buffer[out], count len[buf]) len[buf]
close(fd fd)
open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
```

The description is contained in `sys/linux/*.txt` files.
For example see the [sys/linux/sys.txt](/sys/linux/sys.txt) file.

## Syntax

The description of the syntax can be found [here](syscall_descriptions_syntax.md).

## Code generation

Textual syscall descriptions are translated into code used by `syzkaller`.
This process consists of 2 steps.
The first step is extraction of values of symbolic constants from Linux sources using `syz-extract` utility.
`syz-extract` generates a small C program that includes kernel headers referenced by `include` directives,
defines macros as specified by `define` directives and prints values of symbolic constants.
Results are stored in `.const` files, one per arch.
For example, [sys/linux/dev_ptmx.txt](/sys/linux/dev_ptmx.txt) is translated into [sys/linux/dev_ptmx_amd64.const](/sys/linux/dev_ptmx_amd64.const).

The second step is generation of Go code for syzkaller.
This step uses syscall descriptions and the const files generated during the first step.
You can see a result in [sys/linux/gen/amd64.go](/sys/linux/gen/amd64.go) and in [executor/syscalls.h](/executor/syscalls.h).

## Describing new system calls

This section describes how to extend syzkaller to allow fuzz testing of a new system call;
this is particularly useful for kernel developers who are proposing new system calls.

First, add a declarative description of the new system call to the appropriate file:
 - Various `sys/linux/<subsystem>.txt` files hold system calls for particular kernel
   subsystems, for example `bpf` or `socket`.
 - [sys/linux/sys.txt](/sys/linux/sys.txt) holds descriptions for more general system calls.
 - An entirely new subsystem can be added as a new `sys/linux/<new>.txt` file.

The description of the syntax can be found [here](syscall_descriptions_syntax.md).

If the subsystem is present in the mainline kernel, run `make extract TARGETOS=linux SOURCEDIR=$KSRC`
with `$KSRC` set to the location of a kernel source tree. This will generate const files.
Note, that this will overwrite `.config` file you have in `$KSRC`.

If the subsystem is not present in the mainline kernel, then you need to manually run `syz-extract` binary:
```
make bin/syz-extract
bin/syz-extract -os linux -arch $ARCH -sourcedir "$LINUX" -builddir "$LINUXBLD" <new>.txt
```
`$ARCH` is one of `amd64`, `386` `arm64`, `arm`, `ppc64le`.
If the subsystem is supported on several architectures, then run `syz-extract` for each arch.
`$LINUX` should point to kernel source checkout, which is configured for the corresponding arch (i.e. you need to run `make someconfig && make` there first).
If the kernel was built into a separate directory (with `make O=...`) then also set `$LINUXBLD` to the location of the build directory.

Then, run `make generate` and `make` which will update generated code and rebuild binaries.

Optionally, adjust the `enable_syscalls` configuration value for syzkaller to specifically target the new system calls.

In order to partially auto-generate system call descriptions you can use [headerparser](headerparser_usage.md).
docs: move sys/README.md to docs 2017-06-14 11:23:51 +00:00			`# Syscall descriptions`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
docs: various improvements 2017-06-14 15:03:53 +00:00			`syzkaller` uses declarative description of syscalls to generate, mutate, minimize, serialize and deserialize programs (sequences of syscalls).
			`Below you can see (hopefully self-explanatory) excerpt from the description:`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
			```
			`open(file filename, flags flags[open_flags], mode flags[open_mode]) fd`
			`read(fd fd, buf buffer[out], count len[buf]) len[buf]`
			`close(fd fd)`
			`open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH`
			```

sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			The description is contained in `sys/linux/*.txt` files.
			`For example see the [sys/linux/sys.txt](/sys/linux/sys.txt) file.`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
			`## Syntax`

docs: various improvements 2017-06-14 15:03:53 +00:00			`The description of the syntax can be found [here](syscall_descriptions_syntax.md).`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
sys: update README to describe the new 2-step generation process 2016-08-26 13:20:36 +00:00			`## Code generation`

			Textual syscall descriptions are translated into code used by `syzkaller`.
docs: various improvements 2017-06-14 15:03:53 +00:00			`This process consists of 2 steps.`
			The first step is extraction of values of symbolic constants from Linux sources using `syz-extract` utility.
			`syz-extract` generates a small C program that includes kernel headers referenced by `include` directives,
			defines macros as specified by `define` directives and prints values of symbolic constants.
			Results are stored in `.const` files, one per arch.
sys/linux: rename dev descriptions files Prefix file names of descriptions of /dev/* files with dev_. And give some of them more appropriate names. 2019-02-01 00:08:17 +00:00			`For example, [sys/linux/dev_ptmx.txt](/sys/linux/dev_ptmx.txt) is translated into [sys/linux/dev_ptmx_amd64.const](/sys/linux/dev_ptmx_amd64.const).`
sys: update README to describe the new 2-step generation process 2016-08-26 13:20:36 +00:00
docs: various improvements 2017-06-14 15:03:53 +00:00			`The second step is generation of Go code for syzkaller.`
			`This step uses syscall descriptions and the const files generated during the first step.`
executor: overhaul Make as much code as possible shared between all OSes. In particular main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves way for testing of executor code and allows to preserve consistency across OSes and executor/csource. 2018-07-20 18:26:05 +00:00			`You can see a result in [sys/linux/gen/amd64.go](/sys/linux/gen/amd64.go) and in [executor/syscalls.h](/executor/syscalls.h).`
sys: update README to describe the new 2-step generation process 2016-08-26 13:20:36 +00:00
			`## Describing new system calls`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
			`This section describes how to extend syzkaller to allow fuzz testing of a new system call;`
			`this is particularly useful for kernel developers who are proposing new system calls.`

			`First, add a declarative description of the new system call to the appropriate file:`
sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			- Various `sys/linux/<subsystem>.txt` files hold system calls for particular kernel
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00			subsystems, for example `bpf` or `socket`.
sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			`- [sys/linux/sys.txt](/sys/linux/sys.txt) holds descriptions for more general system calls.`
			- An entirely new subsystem can be added as a new `sys/linux/<new>.txt` file.
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
docs: various improvements 2017-06-14 15:03:53 +00:00			`The description of the syntax can be found [here](syscall_descriptions_syntax.md).`
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			If the subsystem is present in the mainline kernel, run `make extract TARGETOS=linux SOURCEDIR=$KSRC`
			with `$KSRC` set to the location of a kernel source tree. This will generate const files.
doc: Not -> Note 2018-09-29 22:09:41 +00:00			Note, that this will overwrite `.config` file you have in `$KSRC`.
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
docs: various improvements 2017-06-14 15:03:53 +00:00			If the subsystem is not present in the mainline kernel, then you need to manually run `syz-extract` binary:
sys: update README to describe the new 2-step generation process 2016-08-26 13:20:36 +00:00			```
			`make bin/syz-extract`
sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			`bin/syz-extract -os linux -arch $ARCH -sourcedir "$LINUX" -builddir "$LINUXBLD" <new>.txt`
sys: update README to describe the new 2-step generation process 2016-08-26 13:20:36 +00:00			```
sys/syz-extract: support fuchsia 2017-09-25 06:47:15 +00:00			`$ARCH` is one of `amd64`, `386` `arm64`, `arm`, `ppc64le`.
docs: various improvements 2017-06-14 15:03:53 +00:00			If the subsystem is supported on several architectures, then run `syz-extract` for each arch.
			`$LINUX` should point to kernel source checkout, which is configured for the corresponding arch (i.e. you need to run `make someconfig && make` there first).
			If the kernel was built into a separate directory (with `make O=...`) then also set `$LINUXBLD` to the location of the build directory.
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
Update syscall_descriptions.md Clarify that running `make clean` each time is not necessary. 2018-10-28 09:11:22 +00:00			Then, run `make generate` and `make` which will update generated code and rebuild binaries.
overhaul syscall description generation process This splits generation process into two phases: 1. Extract values of constants from linux kernel sources. 2. Generate Go code. Constant values are checked in. The advantage is that the second phase is now completely independent from linux source files, kernel version, presence of headers for particular drivers, etc. This allows to change what Go code we generate any time without access to all kernel headers (which in future won't be limited to only upstream headers). Constant extraction process does require proper kernel sources, but this can be done only once by the person who added the driver and has access to the required sources. Then the constant values are checked in for others to use. Consant extraction process is per-file/per-arch. That is, if I am adding a driver that is not present upstream and that works only on a single arch, I will check in constants only for that driver and for that arch. 2016-08-26 05:09:25 +00:00
docs: various improvements 2017-06-14 15:03:53 +00:00			Optionally, adjust the `enable_syscalls` configuration value for syzkaller to specifically target the new system calls.
tools: add headerparser as a tool to assist in writing system call descriptions The tool can be found inside tools/syz-headerparser. Details on how to use headerparser can be found inside docs/headerparser_usage.md. 2017-08-23 13:01:57 +00:00
			`In order to partially auto-generate system call descriptions you can use [headerparser](headerparser_usage.md).`