The syz-expand tools allows to parse a program and print it including all
the default values. This is mainly useful for debugging, like doing manual
program modifications while trying to come up with a reproducer for some
particular kernel behavior.
- For v5.4: new ioctls FS_IOC_ADD_ENCRYPTION_KEY,
FS_IOC_REMOVE_ENCRYPTION_KEY, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS,
FS_IOC_GET_ENCRYPTION_KEY_STATUS, and FS_IOC_GET_ENCRYPTION_POLICY_EX.
- For v5.4: FS_IOC_SET_ENCRYPTION_POLICY now accepts an
fscrypt_policy_v2 argument in addition to the original fscrypt_policy
which is now called fscrypt_policy_v1.
- For v5.4: the fscrypt definitions were moved to a new header
<linux/fscrypt.h>, and some constants were given new FSCRYPT_* names
instead of FS_*. Handle this, and to keep things organized similarly
move the syzkaller descriptions to a new file fscrypt.txt.
- For v5.0: remove the removed Speck modes and add Adiantum.
- For v5.0: add the DIRECT_KEY encryption policy flag.
Also fix the argument types for FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_PWSALT, which had been mixed up.
The BPF template currently only defines helper calls. BPF function calls
(bpf-to-bpf calls) are however supported in Linux since v4.16.
This patch defines bpf-to-bpf calls in the template.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
A new BPF instruction that allows lookup-free map value accesses was added
in Linux v5.2, with commit d8eca5b ("bpf: implement lookup-free direct
value access for maps"). It enables direct access to map values without
having to call a BPF helper. It is currently used to implement global
variable support.
This commit adds support for that new instruction.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
This commit fixes a handle leak in syz_mmap. The bug was pointed out by
mdempsky during a code review.
The `syz_mmap` function creates a VMO and maps it to a VMAR in the address
specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar,
the handle to the vmo can be closed without problems.
The new code makes sure that `zx_handle_close(vmo_handle)` gets called before
the `syz_mmap` function returns.
syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs, however, it is also used to setup the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).
The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.
[0]:
a60cb4cd84/executor/executor_fuchsia.h (L15)
This change reuses the logic for sending the output back from
syz-executor to syz-fuzzer that forkserver oses use: reading it
periodically. This will be useful for debugging issues in Fuchsia that
does not support forkserver yet.
