For now, other arches are regenerated on the upstream tree.
It does not contain a bunch of consts, so we define them as 1 for now.
arm64 consts are left intact.
video4linux.txt is added to "android" files in syz-extract,
so that future make extract runs don't overwrite arm64 consts.
Also fix VIDIOC_G_FBUF argument direction; currently tests crash with:
panic: call ioctl$VIDIOC_G_FBUF: pointer arg 'buffer' has output direction [recovered]
panic: call ioctl$VIDIOC_G_FBUF: pointer arg 'buffer' has output direction
Update #533
As TC (net sched) is a large group, I separated it from socket_netlink_route.txt.
Currently I only implement the framework with two qdisc/tclass/filters.
I will add the others later.
v2: Fix tcm_handle major and minor order. Add tcm_handle_offsets.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
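An added example, not code from this commit or the syzkaller tree, showing the tcm_handle packing that the major/minor order fix above refers to. The mask and TC_H_MAKE definitions mirror <linux/pkt_sched.h>; the parsing helper mirrors the "major:minor" hex notation of the tc utility and is hypothetical code written here, as is the deliberately swapped variant kept only to show what the wrong order produces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors <linux/pkt_sched.h>: a tcm_handle is a u32 with the major number
 * in the upper 16 bits and the minor number in the lower 16 bits.
 * TC_H_MAKE expects the major number already shifted into the high half. */
#define TC_H_MAJ_MASK  0xFFFF0000U
#define TC_H_MIN_MASK  0x0000FFFFU
#define TC_H_MAJ(h)    ((h) & TC_H_MAJ_MASK)
#define TC_H_MIN(h)    ((h) & TC_H_MIN_MASK)
#define TC_H_MAKE(maj, min) (((maj) & TC_H_MAJ_MASK) | ((min) & TC_H_MIN_MASK))
#define TC_H_ROOT      0xFFFFFFFFU
#define TC_H_INGRESS   0xFFFFFFF1U

/* Correct packing: major in the high half, minor in the low half. */
uint32_t tc_handle_make(uint16_t major, uint16_t minor)
{
    return TC_H_MAKE((uint32_t)major << 16, (uint32_t)minor);
}

/* Hypothetical: the swapped order, to show that "1:10" would silently
 * become handle 10:1 instead of 1:10. */
uint32_t tc_handle_make_swapped(uint16_t major, uint16_t minor)
{
    return TC_H_MAKE((uint32_t)minor << 16, (uint32_t)major);
}

uint16_t tc_handle_major(uint32_t h) { return (uint16_t)(TC_H_MAJ(h) >> 16); }
uint16_t tc_handle_minor(uint32_t h) { return (uint16_t)TC_H_MIN(h); }

/* Parses the tc utility's "major:minor" hex notation ("1:", "1:10") plus
 * the special names "root" and "ingress". Returns 0 on success, -1 if the
 * string is malformed or a half does not fit in 16 bits. */
int tc_handle_parse(const char *s, uint32_t *out)
{
    if (strcmp(s, "root") == 0) { *out = TC_H_ROOT; return 0; }
    if (strcmp(s, "ingress") == 0) { *out = TC_H_INGRESS; return 0; }
    const char *colon = strchr(s, ':');
    if (colon == NULL || colon == s)
        return -1;
    char *end;
    unsigned long maj = strtoul(s, &end, 16);
    if (end != colon || maj > 0xFFFF)
        return -1;
    unsigned long min = 0;
    if (colon[1] != '\0') {
        min = strtoul(colon + 1, &end, 16);
        if (*end != '\0' || min > 0xFFFF)
            return -1;
    }
    *out = tc_handle_make((uint16_t)maj, (uint16_t)min);
    return 0;
}

/* Convenience for checks: 1 if s parses and yields exactly 'expected'. */
int tc_handle_parses_to(const char *s, uint32_t expected)
{
    uint32_t h;
    return tc_handle_parse(s, &h) == 0 && h == expected;
}

int main(void)
{
    /* Constructed sample inputs, including two malformed ones. */
    const char *samples[] = { "1:", "1:10", "ffff:", "root", "1", "1:zz" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t h;
        if (tc_handle_parse(samples[i], &h) == 0)
            printf("%-6s -> 0x%08x (major %x, minor %x)\n", samples[i], h,
                   tc_handle_major(h), tc_handle_minor(h));
        else
            printf("%-6s -> invalid\n", samples[i]);
    }
    printf("swapped order for 1:10 -> 0x%08x\n", tc_handle_make_swapped(1, 0x10));
    return 0;
}
```

Because the kernel masks both halves, a swapped order does not fail loudly: the handle is simply a different, usually non-existent, qdisc or class, which is why a description bug like this shows up as requests that never reach the intended object rather than as an error.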
Move generated files to gen subdir. This allows us to:
1. Rebuild init.go without rebuilding generated code.
2. Exclude generated files from gometalinter checking.
This is faster and consumes less memory.
Update #538
Also fix RTA_MULTIPATH data type. We only need struct rtnexthop,
no need to use an array type.
v1 -> v2:
Use uid and sock_port instead of int32/16. Use flags for FRA_PROTOCOL
and FRA_IP_PROTO.
Add type fib_rule_hdr because, even though the structure is the same as rtmsg,
the table, action and flags values are not the same.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
A bridge device is used for forwarding. A bond/team device is used for
load balancing and failover. So it would make more sense to add two
slave interfaces for these devices.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
1. Create ifindex_team, because TEAM_ATTR_TEAM_IFINDEX must
always point to a team device.
2. Remove output only attributes like team_attr_item_port, TEAM_ATTR_LIST_PORT,
TEAM_ATTR_OPTION_CHANGED.
3. Restructure team_nl_option_policy: we always want TEAM_ATTR_OPTION_NAME/TYPE/DATA
+ optionally TEAM_ATTR_OPTION_ARRAY_INDEX and TEAM_ATTR_OPTION_PORT_IFINDEX.
4. Provide specialized team_nl_option_policy_per_port and team_nl_option_policy_array.
5. Make team_attr_option varlen.
6. Remove unnecessary indirection via team_attr_list_option/team_attr_list_port.
7. Fix data type for bpf_hash_func and lb_tx_hash_to_port_mapping.
Now file names become:
string[filename]
with a possibility of using other string features:
stringnoz[filename]
string[filename, CONST_SIZE]
and filename is left as a type alias as it is commonly used:
type filename string[filename]
Turns out creating a cgroup per test is too expensive.
Moreover, it leads to hung tasks as cgroup destruction
is asynchronous and overloads kernel work queues.
Create only a single cgroup per proc, but restrict
descriptions from messing with that single group;
instead, test processes create their own nested cgroups for messing.
The new pseudo syscall allows opening sockets that can only
be created in the init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.
Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
1. Add size attribute on sockaddr.
2. Remove sockaddrs that are larger than 16 bytes from sockaddr.
3. Add size attribute on sockaddr_storage which wasn't actually 128 bytes.
4. Add size attribute to ifreq.
5. Fix ifmap field types as uncovered by the size attributes.
6. Fix sockaddr_storage_tcp from struct to union, which it should be.
7. Make sockaddr_un_file fixed size as it should be.
8. Fix some explicit paddings that were only correct for 64 bits.
We now always create net namespace for testing,
so socket ports and other IDs do not overlap between
different test processes.
Proc types play badly with squashing packets to ANYBLOB.
To squash into a blob we need a concrete value, but it depends
on the process id.
Removing proc also makes tun setup and address descriptions simpler.
Squash complex structs into a flat byte array and mutate this array
with generic blob mutations. This allows us to mutate what we currently
consider padding and to add/remove padding from structs, etc.
Fix alignment calculation for packed structs with alignment and bitfields.
Amusingly this affected only a single real struct -- ipv6_fragment_ext_header.
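An added example, not code from syzkaller or from either commit, that uses the compiler as ground truth for the two kinds of size the commits above adjust: the fixed sizes of the sockaddr family (the 16-byte sockaddr, the 128-byte sockaddr_storage, and a 28-byte sockaddr_in6 that cannot be passed off as a 16-byte sockaddr), and the layout of a packed struct that mixes bitfields with an alignment attribute, modelled on the IPv6 fragment extension header. The struct names and the 12-bit field are hypothetical; the sizes assume GCC or Clang on Linux, and the bit order inside a bitfield storage unit is deliberately not checked because it depends on the compiler and on endianness.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical, modelled on the IPv6 fragment extension header: two bytes,
 * one 16-bit unit split into bitfields, then a 32-bit identification.
 * packed guarantees no padding before 'identification' on any host ABI. */
struct __attribute__((packed)) ipv6_frag_hdr {
    uint8_t  nexthdr;
    uint8_t  reserved;
    uint16_t frag_off   : 13;
    uint16_t res        : 2;
    uint16_t more_frags : 1;
    uint32_t identification;
};

/* Natural layout: a 12-bit field of a 16-bit type may not straddle a
 * 16-bit unit boundary, so it moves to offset 2 and the struct is 4 bytes. */
struct bits_natural {
    uint8_t  tag;
    uint16_t value : 12;
};

/* packed: bitfields are laid out at bit granularity, 8 + 12 = 20 bits,
 * so the struct is 3 bytes with no padding at all. */
struct __attribute__((packed)) bits_packed {
    uint8_t  tag;
    uint16_t value : 12;
};

/* packed + aligned(4): the same 3 bytes of payload, but the struct's
 * alignment is forced to 4, so its size is padded back up to 4. This is
 * the combination (packed, explicit alignment, bitfields) that a layout
 * calculator has to get right. */
struct __attribute__((packed, aligned(4))) bits_packed_aligned {
    uint8_t  tag;
    uint16_t value : 12;
};

size_t size_sockaddr(void)            { return sizeof(struct sockaddr); }
size_t size_sockaddr_storage(void)    { return sizeof(struct sockaddr_storage); }
size_t size_sockaddr_in(void)         { return sizeof(struct sockaddr_in); }
size_t size_sockaddr_in6(void)        { return sizeof(struct sockaddr_in6); }
size_t size_ipv6_frag_hdr(void)       { return sizeof(struct ipv6_frag_hdr); }
size_t offset_ipv6_frag_id(void)      { return offsetof(struct ipv6_frag_hdr, identification); }
size_t size_bits_natural(void)        { return sizeof(struct bits_natural); }
size_t size_bits_packed(void)         { return sizeof(struct bits_packed); }
size_t size_bits_packed_aligned(void) { return sizeof(struct bits_packed_aligned); }
size_t align_bits_packed_aligned(void){ return _Alignof(struct bits_packed_aligned); }

/* 1 if an address of this length can be described as a plain 16-byte
 * sockaddr; this is the check behind dropping the larger sockaddrs. */
int fits_in_sockaddr(size_t addrlen) { return addrlen <= sizeof(struct sockaddr); }

int main(void)
{
    printf("sockaddr              %zu\n", size_sockaddr());
    printf("sockaddr_storage      %zu\n", size_sockaddr_storage());
    printf("sockaddr_in           %zu (fits: %d)\n", size_sockaddr_in(),
           fits_in_sockaddr(size_sockaddr_in()));
    printf("sockaddr_in6          %zu (fits: %d)\n", size_sockaddr_in6(),
           fits_in_sockaddr(size_sockaddr_in6()));
    printf("ipv6_frag_hdr         %zu, identification at %zu\n",
           size_ipv6_frag_hdr(), offset_ipv6_frag_id());
    printf("bits_natural          %zu\n", size_bits_natural());
    printf("bits_packed           %zu\n", size_bits_packed());
    printf("bits_packed_aligned   %zu (align %zu)\n",
           size_bits_packed_aligned(), align_bits_packed_aligned());
    return 0;
}
```

The practical use is as a regression oracle: when a description language computes struct sizes on its own, comparing its answers against sizeof/offsetof from the real compiler for exactly these corner cases (packed, aligned, bitfields, fixed-size address types) catches the class of mistake the commits above fixed.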
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
It makes mmap not a special syscall and allows fuzzing without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
Make Foreach* callbacks accept the arg and a context struct
that can contain lots of aux info.
This (1) removes lots of unused base/parent args,
(2) provides foundation for stopping recursion,
(3) allows to merge foreachSubargOffset.
Put the underflow entry at the end.
Entries must end on an unconditional, non-goto entry,
otherwise fallthrough from the last entry is invalid.
Add arp tables support.
Split unspec matches/targets to unspec and inet.
Reset ipv6 and arp tables in executor.
Fix number of counters in tables.
Plus a bunch of assorted fixes for matches/targets.
We currently print unsupported consts to console during make extract.
But this is not very useful as there is too much output now.
This also does not allow us to understand what's unsupported
in newly checked-in descriptions, or what's unsupported in all current
descriptions.
Save unsupported consts to the const files instead.
This solves all of the above problems.
mknod$loop contains a proc type as the dev number.
Current sanitization code truncates 64-bit -1 to 32-bits
which later causes validation failure.
Don't do that, it's unnecessary for proc type.
We test in a new network namespace, which does not have any
devices set up (even lo). Create/up as many devices as possible.
Give them some addresses and use these addresses in descriptions.
Arm was broken on the upstream kernel for some time
due to some assembler error. Now it seems to be fixed,
so regenerate consts.
Also fix small issues in new netlink descriptions.
open is not present on arm64, only openat.
accept is not present on 386, only accept4.
Duplicate all open/accept specializations with
corresponding openat/accept4 specializations
to enable testing on 386/arm64.
Hints for data args don't work.
We do all the work, but at the final stage we patch the
arg in the _old_ program, not in the _new_ one.
So programs passed to the callback are all the same
and don't contain any mutations.
Tests did not catch this because they work right before that point
(don't test the actual interface function MutateWithHints).
Fix that and add a test that catches this.
For string[N] we successfully deserialize a string of any length.
Similarly for a fixed-size array[T, N] we successfully deserialize
an array of any size.
Such programs later crash in foreachSubargOffset because static size
Type.Size() does not match what we've calculated iterating over fields.
The crash happens only in SerializeForExec in syz-fuzzer,
which is especially bad.
Fix this from both sides:
1. Validate sizes of arrays/buffers in Validate.
2. Repair incorrect sizes in Deserialize.
KEYCTL_DH_COMPUTE used the old fixed list of algorithm names.
Use the new code for algorithm generation.
Also, it needs only SHASH algs, but we passed in all alg names.
Pass only SHASH algs.
There is an effectively infinite number of possible crypto
algorithm names due to templates. Plus there is a tricky
relation between algorithms and algorithm type names.
This change adds custom mutator for sockaddr_alg struct
to improve variance in generated algorithms.
Add a definition for keyctl_dh_compute(), which was added in the v4.7
kernel, then in the v4.12 kernel extended to take in an optional
'keyctl_kdf_params' argument. (Requires CONFIG_KEY_DH_OPERATIONS=y.)
Many functions in the keys API take in an ID parameter that is expected
to refer to a keyring, not to any key. Therefore, define a resource
subtype 'keyring' which can be created by add_key("keyring", ...) or by
using one of the special keyring IDs.
Also define a resource subtype 'user_key', since we'll be adding a
definition for KEYCTL_DH_COMPUTE which takes in a struct containing
"user" key IDs.
Add to key.txt all key types that currently might be present in the
kernel. It was missing a few important ones such as "asymmetric", which
has a significant attack surface since the payloads are run through an
ASN.1 decoder.
A recent Linux commit "tun: enable napi_gro_frags() for TUN/TAP driver"
added support for fragmentation when emitting packets via tun.
Support this feature in syz_emit_ethernet.