Commit Graph

1445 Commits

Author SHA1 Message Date
Stefano Duo
aa6107e60d sys/linux/fs_fuse.txt: use bytelen instead of len
Use the type bytelen instead of len to express the length of the data
structure pointed to by the pointer passed to read$FUSE().
2020-08-14 18:55:11 +02:00
Stefano Duo
19b6584f71 executor/common_linux.h: add syz_fuse_handle_req()
At the moment syzkaller is able to respond to FUSE with a syntactically
correct response using the specific write$FUSE_*() syscalls, but most of
the times these responses are not related to the type of request that
was received.
With this pseudo-syscall we are able to provide the correct response
type while still allowing the fuzzer to fuzz its content. This is done
by requiring each type of response as an input parameter and then
choosing the correct one based on the request opcode.
Notice that the fuzzer is still free to mix write$FUSE_*() and
syz_fuse_handle_req() syscalls, so it is not losing any degree of
freedom.

syz_fuse_handle_req() retrieves the FUSE request and resource
fuse_unique internally (by performing a read() on the /dev/fuse file
descriptor provided as input). For this reason, a new template argument has
been added to fuse_out (renamed to _fuse_out) so that the unique field
can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique
resource (used by the write$FUSE_*() syscalls) without any code
duplication.
2020-08-14 18:55:11 +02:00
Stefano Duo
3d9b8afae8 sys/linux/fs_fuse.txt: use expected flags for fuse_attr.mode
Instead of using a generic int32 for fuse_attr.mode, use the expected
file mode flags.
2020-08-14 18:55:11 +02:00
Stefano Duo
191c0565a1 sys/linux/fs_fuse.txt: define FUSE request id as a resource
Currently fuse_in.unique and fuse_out.unique are not linked by any
dependency chain. This causes the majority of the replies to the kernel
to be dropped because they do not refer to a previously sent request.
By defining them as a resource, we push the fuzzer in the right
direction (i.e., try to respond using a previously issued unique value).
The read syscall has been updated accordingly; it now expects and parses
a fuse_in header and some additional data.
2020-08-14 18:55:11 +02:00
Anton Lindqvist
872ebc286c sys/openbsd: neutralize sysctl kern.maxthread
Yet another root only knob that can cause the syz-execprog process to
panic[1]. Greg is currently working on sanitizing sysctl integer knobs
in the OpenBSD kernel. This will improve the situation but preventing
fiddling with this knob is a good call anyway.

While here, restructure the code a bit making it easier to add sysctl
neutralizers.

[1] https://syzkaller.appspot.com/bug?id=40bcbbeb244998dfc4eeec90b8f8bce372882211
2020-08-14 13:46:14 +02:00
Necip Fazil Yildiran
5ce135324a prog: fix UnionType mutation for when per-field dir is specified
prog/TestMutateRandom used to fail due to this.
2020-08-14 11:02:10 +02:00
Dmitry Vyukov
54ce1ed6b9 sys/linux: switch to the new .const format
This reduces the number of const files/lines from 1288/96599 to 158/11603.
Const files are generated on next-20200813.

Update #1983
2020-08-13 17:22:16 +02:00
Dmitry Vyukov
b6de93e603 pkg/compiler: merge const files into a single file
We now have 8 arches for Linux and .const files
produce lots of noise in PRs and lots of diffs.
If 3 .txt files are touched, the PR will have 24 .const files,
which will be intermixed with .txt files.
Frequently const values are equal across arches,
and even if they don't, spreading a single value
across 8 files is inconvenient.

Merge all 8 *_arch.const files into a single .const file.
See the test for details of the new format.
The old format is still parsed for now,
we can't update all OSes at once.

For Linux this reduces the number of const files/lines
from 1288/96599 to 158/11603.

Fixes #1983
2020-08-13 17:22:16 +02:00
Necip Fazil Yildiran
cc59e7e4ad sys/linux: use per-field directions in descriptions 2020-08-13 13:50:25 +02:00
Necip Fazil Yildiran
f5442bde55 pkg, prog: add per-field direction attribute 2020-08-13 13:50:25 +02:00
Mark Johnston
b38f46a018 sys/targets: override DataOffset for 32-bit test targets on FreeBSD
freebsd/386 requires a non-default DataOffset value. Since it is
currently the only platform with this constraint, just add a special
case for that when initializing target parameters.
2020-08-12 18:09:10 +02:00
Ioana-Ruxandra Stăncioi
d3694ffbb1 sys/linux: add tca_flower_key_mpls_opts description
mpls_opts:
https://elixir.bootlin.com/linux/v5.8-rc4/source/net/sched/cls_flower.c#L670
mpls_opts_lse:
https://elixir.bootlin.com/linux/v5.8-rc4/source/net/sched/cls_flower.c#L731
2020-08-10 17:55:15 +02:00
zizizi
7adc7b652a sys/linux: fix make extract on latest linux-next
VIRTIO_F_IOMMU_PLATFORM was renamed to VIRTIO_F_ACCESS_PLATFORM
2020-08-10 12:06:25 +02:00
Albert van der Linde
f721e4a097 sys/linux: add missing flags to rtnexthop 2020-08-08 14:12:06 +02:00
Albert van der Linde
cb9c120a74 sys/linux: add descriptions for RTM_(NEW|DEL|GET)NEXTHOP
https://elixir.bootlin.com/linux/v5.8-rc4/source/net/ipv4/nexthop.c#L1961
2020-08-08 14:12:06 +02:00
Cheng-Min Chiang
28ac5c9e93 sys/linux/test: fix io_uring test
Fix the io_uring test by adding some blank lines after comments. This
commit changes nothing besides that.
2020-08-07 09:44:43 +02:00
Cheng-Min Chiang
20a3465b97 sys/linux: add descriptions for BPF LSM
This commit includes the following changes:
* executor: add a new syz_btf_id_by_name pseudo-syscall
* sys/linux: add descriptions for BPF LSM subsystem
* sys/linux: add instructions on how to dump vmlinux and install
  bpftool
* sys/linux/test: add tests for the new pseudo-syscall
* pkg/host: add support detection for the new pseudo-syscall
* pkg/runtest: skip the coverage test when invoking the new
  pseudo-syscall

Update #533.
2020-08-07 09:28:26 +02:00
Andy Nguyen
9969d2164d sys/linux: add HCI_COMMAND_PKT descriptions 2020-08-05 20:13:16 +02:00
Anton Lindqvist
2cea8f1f89 sys/openbsd: neutralize clock_settime
One of "no output from test machine" report causes[1].

[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=10b0c7d8900000
2020-08-05 15:05:15 +02:00
Dmitry Vyukov
5ed76afa81 pkg/compiler: check for unused resources
If a resource is never used as an input, it is not useful.
It's effectively the same as using an integer.
Detect such cases; they are quite confusing.
Fix all existing errors in descriptions.
This uncovered some interesting bugs as well,
e.g. use of a completely unrelated fd subtype after copy-paste
(while the resource that was supposed to be used there is completely unused).
2020-08-04 16:53:16 +02:00
Andy Nguyen
196277c403 sys/linux/l2cap.txt: no array for l2cap_cid_le_signaling 2020-08-02 19:34:27 +02:00
Andy Nguyen
2c26f576ae all: fake hci le conn using handle 201 2020-08-02 19:34:27 +02:00
Dmitry Vyukov
55a879802a sys/linux: add more HCI_EV_CMD_COMPLETE types 2020-08-02 13:25:08 +02:00
Dmitry Vyukov
cb435b0c8a sys/linux: refine some l2cap flags 2020-08-02 12:49:26 +02:00
Andy Nguyen
cfd7c91a0a sys/linux: add l2cap_conf_opt options 2020-08-02 11:49:48 +02:00
Ayushi Sharma
8df85ed988 sys/netbsd: Adding syscalls related to mount(2), uname(2) and sockets (#1976)
* sys/netbsd: Adding syscalls related to mount(2),uname(2) and sockets

* sys/netbsd: Adding missing flags for fstatat(2)

* sys/netbsd: reordering rlimit_type

* sys/netbsd: reordering flags for stat(2) and mount(2)
2020-07-30 14:42:32 +02:00
Dmitry Vyukov
056be1b9c8 sys/linux: assorted improvements for vhci
Regenerate const files on next-20200729.

Change conn handle to 200 because it also seems to be matched
against phy_handle fields which are int8 (current 256 does not fit into int8).
Use 200 for all handles and all phy_handles.

Remove hci_evt_le_cis_req, it does not seem to be used in the kernel.

Restrict some event types and statuses.

Add rssi field to hci_ev_le_advertising_info.

Use bytesize for some of the data length fields.
2020-07-30 13:31:33 +02:00
TheOfficialFloW
b094755316 all: initialize vhci in linux
* all: initialize vhci in linux

* executor/common_linux.h: improve vhci initialization

* pkg/repro/repro.go: add missing vhci options

* executor/common_linux.h: fix type and add missing header

* executor, pkg: do it like NetInjection

* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled

* executor/common_linux.h: fix format string

* executor/common_linux.h: initialize with memset

For some reason {0} gets complaints about missing braces...

* executor/common_linux.h: simplify vhci init

* executor/common_linux.h: try to bring all available hci devices up

* executor/common_linux.h: find which hci device has been registered

* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id

* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets

* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size

* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size

* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t

* sys/linux/l2cap.txt: add l2cap_conf_opt struct

* executor/common_linux.h: just fill bd addr with 0xaa

* executor/common_linux.h: just fill bd addr with 0xaa
2020-07-30 11:33:48 +02:00
Nazime Hande Harputluoglu
233283a191 sys/linux: descriptions for /dev/snd/hw* 2020-07-29 15:49:04 +02:00
Necip Fazil Yildiran
cbca8e0f04 executor: added syz_io_uring_setup to wrap both setup and mmap
It is hard for the fuzzer to generate correct programs using mmap calls
with fuzzer-provided mmap length. This wrapper ensures correct length
computation.
2020-07-29 13:44:49 +02:00
Dmitry Vyukov
a3d497bf6c all: fix marking of auto-generated files
Update the copyright checking script and more files
for the standard convention of marking auto-generated files.
2020-07-29 13:36:11 +02:00
Nazime Hande Harputluoglu
002adf19d0 sys/linux: descriptions for /dev/sequencer 2020-07-29 12:24:15 +02:00
Ayushi Sharma
512651955a Adding ksem family of syscalls (#1972)
* sys/netbsd: adding ksem related syscalls

* sys/netbsd: adding missing header files to lwp.txt

* sys/netbsd: updating descriptions for ksem family syscalls

* sys/netbsd: updating descriptions for ksem family syscalls
2020-07-26 10:19:16 +02:00
Albert van der Linde
1f7cc1ca26 sys/linux: add description for copy_file_range 2020-07-25 07:05:51 +02:00
Necip Fazil Yildiran
0a13649c05 sys/linux: enhanced descs for io_uring
* sys/linux: enhanced descs for io_uring

Introduced pseudo-call "syz_io_uring_put_sqes_on_ring()" for writing
submission queue entries (sqes) on sq_ring, which was obtained by
mmap'ping the offsets obtained from io_uring_setup().

Added descriptions for io_ring_register operations that were missing
earlier.

Did misc changes to adapt the descriptions for the updates on the
io_uring subsystem.

* pkg/host: add io_uring pseudo-syscall

* executor/common_linux.h: fix issues with io_uring pseudo-syscall

* executor: fixed io_uring offset computation

* executor: fixes and refactorings in syz_io_uring_submit()

* executor: added syz_io_uring_complete() pseudo-syscall for io_uring

* sys/linux: added descriptions for io_uring operations

Each operation requires a different struct io_uring_sqe set up. Those
are described to be submitted to the sq ring.

* executor: use uint32 instead of uint32_t

* executor: remove nonfailing from pseudo-calls

* sys/linux: fix io_uring epoll_ctl sqe

* prog: fix TestTransitivelyEnabledCallsLinux()

The newly introduced syscall, syz_io_uring_submit$IORING_OP_EPOLL_CTL,
uses fd_epoll. Adapt TestTransitivelyEnabledCallsLinux() to account for
this.

* sys/linux: add IORING_OP_PROVIDE_BUFFERS and IORING_OP_REMOVE_BUFFERS

* sys/linux: fix IORING_OP_WRITE_FIXED and IORING_OP_READ_FIXED

addr and len are for the buffer located at buf_index

* sys/linux: io_uring: use reg. bufs for READ, READV, RECV, RECVMSG

As a result, IOSQE_BUFFER_SELECT_BIT is included in the iosqe_flags.

* sys/linux: io_uring: misc fixes

* sys/linux: io_uring: add IORING_SETUP_ATTACH_WQ

* executor: refactorings on io_uring pseudo syscalls

* sys/linux: io_uring: fix desc for params.cq_entries

* executor: fix SQ_ARRAY_OFFSET computation

This is required with the fix in io_uring kernel code.
https://lore.kernel.org/io-uring/CACT4Y+bgTCMXi3eU7xV+W0ZZNceZFUWRTkngojdr0G_yuY8w9w@mail.gmail.com/T/#t

* executor: added pseudosyscall syz_io_uring_cq_eventfd_toggle()

The usage of cq_ring->flags is only for manipulating
IORING_CQ_EVENTFD_DISABLED bit. This is achieved by a pseudo-syscall,
which toggles the bit.

* executor: added pseudocall syz_io_uring_put_ring_metadata

Removed syz_io_uring_cq_eventfd_toggle() and introduced
syz_io_uring_put_ring_metadata() instead. We have many pieces of
metadata for both sq_ring and cq_ring, for which we are given the
offsets, and some of them are not supposed to be manipulated by the
application. Among them, both sq and cq flags can be changed. Both valid
and invalid cases might cause interesting outcomes. Use the newly
introduced pseudo syscall to manipulate them randomly while also
manipulating the flags to their special values.

* executor: added pseudo-syscall syz_memcpy_off

Removed syz_io_uring_put_ring_metadata() and instead added a much more
generic pseudo system call to achieve the task. This should benefit other
subsystems as well.

* sys/linux: refactored io_uring descriptions

syz_io_uring_submit() is called with a union of sqes to reduce
duplication of other parameters of the function.

io_uring_sqe is templated with io_uring_sqe_t, and this template type is
used to describe sqes for different ops.

The organization of io_uring.txt is changed.

* sys/linux: io_uring: improved descs to utilize registered files

The files are registered using
io_uring_register$IORING_REGISTER_FILES(). When IOSQE_FIXED_FILE_BIT is
enabled in iosqe_flags in sqe, a variety of operations can use those
registered files using the index of the file instead of fd.

Changed the sqe descriptions for the eligible operations to utilize
this.

* sys/linux: io_uring: improved the descs to utilize personality_id in sqes

A personality_id can be registered for an io_uring fd using
io_uring_register$IORING_REGISTER_PERSONALITY(). This id can be utilized
within sqes. This commit improves the descs for io_uring to utilize it.

In addition, the descriptions for the misc field in io_uring_sqe_t are
refactored as most are shared among sqes.

* sys/linux: io_uring: utilized cqe.res

io_uring_cqe.res is used to carry the return value of operations
achieved through io_uring. The only operations with meaningful return
values (in terms of their possible usage) are openat and openat2. The
pseudo-syscall syz_io_uring_complete() is modified to account for this
and return those fds. The description for sqe_user_data is split into
two to identify openat and non-openat io_uring ops.

IORING_OP_IOCTL was suggested but never supported in io_uring. Thus, the
note on this is removed in the descriptions.

tee() expects pipefds, thus, IORING_OP_TEE. The descriptions for the
pipe r/w fds are written as ordinary fd. Thus, in the description for
IORING_OP_TEE, which is io_uring_sqe_tee, fd is used in the place where
pipefds are expected. The note on this is removed in the descriptions.

* sys/linux/test: added test for io_uring

This is not tested yet.

* sys/linux/test: fixed the test for io_uring

The changes successfully pass the sys/linux/test/io_uring test.

sys/linux/io_uring.txt: sq_ring_ptr and cq_ring_ptr are really the same.
Thus, they are replaced with ring_ptr.

executor/common_linux.h: thanks to io_uring test, a bug is found in
where the sq_array's address is computed in syz_io_uring_submit().
Fixed. In addition, similar to the descriptions, the naming for the
ring_ptr is changed from {sq,cq}_ring_ptr to ring_ptr.

* sys/linux: io_uring: misc fixes

* sys/linux: io_uring: changed the sqe_user_data enum

Used a smaller range to ease the collisions. Used comparatively unique
and magic numbers for openat user_data to avoid thinking as if the cqe
belongs to openat while the user_data is coming from some random
location.

* pkg/host: added checks for io_uring syscall

* pkg/host: fixed checks for io_uring syscall

* sys/linux: fixed io_uring test
2020-07-24 18:51:04 +02:00
Necip Fazil Yildiran
83892305a5 sys/linux: fixed p{read,write}{v,v2} descriptions
The raw system calls have call signatures that differ slightly from
that of the corresponding GNU C library wrapper functions. The descriptions
are fixed to reflect the raw system calls, which unpack the offset into
two args, off_l and off_h.
2020-07-24 13:20:16 +02:00
Necip Fazil Yildiran
664cf58ee8 sys/linux: added descs for preadv2, pwritev2 2020-07-24 13:20:16 +02:00
Ruxandra Stăncioi
b9a80ab13a sys/linux: add lwtunnel_encap_seg6_local
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/seg6_local.h#L21
https://elixir.bootlin.com/linux/latest/source/net/ipv6/seg6_local.c#L649
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
20595c07c6 sys/linux: add lwtunnel_encap_bpf description
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/lwtunnel.h#L102
https://elixir.bootlin.com/linux/latest/source/net/core/lwt_bpf.c#L364
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
327a211f77 sys/linux: add lwtunnel_encap_seg6 description
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/seg6_iptunnel.h#L22
TODO: uncomment after the kernel fixes the seg6_iptunnel.h uapi header
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
71ff42db4d sys/linux: add lwtunnel_encap_ip6 description
https://elixir.bootlin.com/linux/latest/source/net/ipv4/ip_tunnel_core.c#L713
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
3951d78efc sys/linux: add lwtunnel_encap_ila description
https://elixir.bootlin.com/linux/latest/source/net/ipv6/ila/ila_lwt.c#L121
The comment is about their statement in the kernel file:
https://elixir.bootlin.com/linux/latest/source/net/ipv6/ila/ila_lwt.c#L196
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
b6d666e5f3 sys/linux: add lwtunnel_encap_ip description
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/lwtunnel.h#L102
https://elixir.bootlin.com/linux/latest/source/net/ipv4/ip_tunnel_core.c#L219
The policies added have a suffix (_lwt), because they already exist in syzkaller
with the kernel name. An example of a union with the same name described in
sys/linux/socket_netlink_route_sched.txt:
https://elixir.bootlin.com/linux/latest/source/net/sched/cls_flower.c#L709
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
6d8002b4d3 sys/linux: add lwtunnel_encap_mpls description
https://elixir.bootlin.com/linux/latest/source/net/mpls/mpls_iptunnel.c#L25
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
af21691607 sys/linux: add ipv6_rpl_sr_hdr description
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/rpl.h#L19
update google#533
2020-07-24 12:25:04 +02:00
Ruxandra Stăncioi
7d947eb36b sys/linux: add netlink encap type LWTUNNEL_ENCAP_RPL
Added a new encap type, from the lwtunnel_encap_types struct, defined in the
include/uapi/linux/lwtunnel.h file.
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/lwtunnel.h#L16
Update #533.
2020-07-24 12:25:04 +02:00
Dmitry Vyukov
70c104a18f pkg/compiler: fix crash on fmt[flags]
Flags with only 1 value 0 are transformed to ConstType.
Fmt did not expect that.

Fixes #1965
2020-07-23 17:13:55 +02:00
Denis Efremov
340ea5301c sys/linux: remove ioctl$EXT4_IOC_SETFLAGS
It duplicates ioctl$FS_IOC_SETFLAGS. There is no need in a
separate definition.

Signed-off-by: Denis Efremov <efremov@linux.com>
2020-07-22 08:49:14 -07:00
Denis Efremov
38237e24ca sys/linux: make fs flags explicit in ioctl$FS_IOC_SETFLAGS
Make fs flags explicit in FS_IOC_SETFLAGS, FS_IOC_GETFLAGS
ioctls.

Signed-off-by: Denis Efremov <efremov@linux.com>
2020-07-22 08:49:14 -07:00
Denis Efremov
db2522a1a7 sys/linux: change argument type in FS_IOC_[GS]ETFLAGS ioctl
FS_IOC_GETFLAGS, FS_IOC_SETFLAGS ioctls use pointer to int32.

Signed-off-by: Denis Efremov <efremov@linux.com>
2020-07-22 08:49:14 -07:00