mirror of
https://github.com/reactos/syzkaller.git
synced 2024-11-24 03:49:45 +00:00
a4718693a3
The function executes random code. Update #310
690 lines
12 KiB
Plaintext
690 lines
12 KiB
Plaintext
# Copyright 2015 syzkaller project authors. All rights reserved.
|
|
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
# Syscalls used in syzkaller tests.
|
|
|
|
syz_execute_func(text ptr[in, text[target]])
|
|
|
|
test()
|
|
|
|
# Integer types.
|
|
|
|
test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64)
|
|
|
|
# Opt arguments
|
|
|
|
test$opt0(a0 intptr[opt])
|
|
test$opt1(a0 ptr[in, intptr, opt])
|
|
test$opt2(a0 vma[opt])
|
|
test$opt3(a0 proc[100, 4, opt])
|
|
|
|
# Alignment and padding
|
|
|
|
test$align0(a0 ptr[in, syz_align0])
|
|
test$align1(a0 ptr[in, syz_align1])
|
|
test$align2(a0 ptr[in, syz_align2])
|
|
test$align3(a0 ptr[in, syz_align3])
|
|
test$align4(a0 ptr[in, syz_align4])
|
|
test$align5(a0 ptr[in, syz_align5])
|
|
test$align6(a0 ptr[in, syz_align6])
|
|
test$align7(a0 ptr[in, syz_align7])
|
|
|
|
syz_align0 {
|
|
f0 int16
|
|
f1 int32
|
|
f2 int8
|
|
f3 int16
|
|
f4 int64
|
|
}
|
|
|
|
syz_align1 {
|
|
f0 int16
|
|
f1 int32
|
|
f2 int8
|
|
f3 int16
|
|
f4 int64
|
|
} [packed]
|
|
|
|
syz_align2_packed {
|
|
f0 array[int16, 1]
|
|
} [packed]
|
|
|
|
syz_align2_not_packed {
|
|
f0 array[int16, 1]
|
|
}
|
|
|
|
syz_align2 {
|
|
f0 int8
|
|
f1 syz_align2_packed
|
|
f2 syz_align2_not_packed
|
|
}
|
|
|
|
syz_align3_noalign {
|
|
f0 int8
|
|
}
|
|
|
|
syz_align3_align4 {
|
|
f0 int8
|
|
} [align_4]
|
|
|
|
syz_align3 {
|
|
f0 int8
|
|
f1 syz_align3_noalign
|
|
f2 syz_align3_align4
|
|
}
|
|
|
|
syz_align4_internal {
|
|
f0 int8
|
|
f1 int16
|
|
} [packed, align_4]
|
|
|
|
syz_align4 {
|
|
f0 syz_align4_internal
|
|
f1 int8
|
|
}
|
|
|
|
syz_align5_internal {
|
|
f0 int64
|
|
f1 array[int16, 0:3]
|
|
}
|
|
|
|
syz_align5 {
|
|
f0 syz_align5_internal
|
|
f1 syz_align5_internal
|
|
f2 int8
|
|
} [packed]
|
|
|
|
syz_align6 {
|
|
f0 int8
|
|
f1 array[int32]
|
|
}
|
|
|
|
syz_align7 {
|
|
f0 syz_align8
|
|
f1 int8
|
|
}
|
|
|
|
syz_align8 {
|
|
f0 int8:1
|
|
f1 int8:1
|
|
f2 int8:1
|
|
f3 int16:1
|
|
f4 int16:1
|
|
f5 int16:1
|
|
} [packed, align_8]
|
|
|
|
# Structs
|
|
|
|
test$struct(a0 ptr[in, syz_struct0])
|
|
|
|
syz_struct0 {
|
|
f0 int64
|
|
f1 syz_struct1
|
|
}
|
|
|
|
syz_struct1 {
|
|
f0 int8
|
|
}
|
|
|
|
# Unions
|
|
|
|
test$union0(a0 ptr[in, syz_union0_struct])
|
|
test$union1(a0 ptr[in, syz_union1_struct])
|
|
test$union2(a0 ptr[in, syz_union2_struct])
|
|
|
|
syz_union0 [
|
|
f0 int64
|
|
f1 array[int64, 10]
|
|
f2 int8
|
|
]
|
|
|
|
syz_union0_struct {
|
|
f int64
|
|
u syz_union0
|
|
}
|
|
|
|
syz_union1 [
|
|
f0 int64
|
|
f1 int32
|
|
]
|
|
|
|
syz_union1_struct {
|
|
f0 syz_union1
|
|
f1 int8
|
|
} [packed]
|
|
|
|
syz_union2 [
|
|
f0 int64
|
|
f1 int32
|
|
] [varlen]
|
|
|
|
syz_union2_struct {
|
|
f0 syz_union2
|
|
f1 int8
|
|
} [packed]
|
|
|
|
syz_union3 [
|
|
f0 int32
|
|
]
|
|
|
|
union_arg [
|
|
f1 int8
|
|
f2 int64
|
|
f3 ptr[in, int32]
|
|
f4 fd
|
|
f5 const[1, intptr]
|
|
f6 flags[syz_length_flags, int32]
|
|
f7 proc[0, 1, int16]
|
|
]
|
|
|
|
test$syz_union3(a0 ptr[in, syz_union3])
|
|
test$syz_union4(a0 union_arg)
|
|
|
|
# Arrays
|
|
|
|
test$array0(a0 ptr[in, syz_array_struct])
|
|
test$array1(a0 ptr[in, syz_array_trailing])
|
|
test$array2(a0 ptr[in, syz_array_blob])
|
|
|
|
# Struct with a variable-length array or variable-length unions.
|
|
syz_array_struct {
|
|
f0 int8
|
|
f1 array[syz_array_union, 1:2]
|
|
f2 int64
|
|
} [packed]
|
|
|
|
syz_array_union [
|
|
f0 int16
|
|
f1 int64
|
|
] [varlen]
|
|
|
|
syz_array_trailing {
|
|
f0 int8
|
|
f1 array[int8, 4:8]
|
|
}
|
|
|
|
syz_array_blob {
|
|
f0 int16
|
|
f1 array[int8, 16]
|
|
f2 int16
|
|
}
|
|
|
|
# Length
|
|
|
|
test$length0(a0 ptr[in, syz_length_int_struct])
|
|
test$length1(a0 ptr[in, syz_length_const_struct])
|
|
test$length2(a0 ptr[in, syz_length_flags_struct])
|
|
test$length3(a0 ptr[in, syz_length_len_struct])
|
|
test$length4(a0 ptr[in, syz_length_len2_struct])
|
|
test$length5(a0 ptr[in, syz_length_parent_struct])
|
|
test$length6(a0 ptr[in, syz_length_array_struct])
|
|
test$length7(a0 ptr[in, syz_length_array2_struct])
|
|
test$length8(a0 ptr[in, syz_length_complex_struct])
|
|
test$length9(a0 ptr[in, syz_length_vma_struct])
|
|
|
|
test$length10(a0 vma, a1 len[a0], a2 bytesize[a0], a3 bytesize2[a0], a4 bytesize4[a0])
|
|
test$length11(a0 ptr[in, syz_length_large_struct], a1 len[a0])
|
|
test$length12(a0 ptr[in, syz_length_large_struct, opt], a1 len[a0])
|
|
test$length13(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64]])
|
|
test$length14(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64], opt])
|
|
test$length15(a0 int16, a1 len[a0])
|
|
|
|
test$length16(a0 ptr[in, syz_length_bytesize_struct])
|
|
test$length17(a0 ptr[in, syz_length_bytesize2_struct])
|
|
test$length18(a0 ptr[in, syz_length_bytesize3_struct])
|
|
test$length19(a0 ptr[in, syz_length_bf_struct])
|
|
|
|
test$length20(a0 ptr[in, syz_length_parent2_struct])
|
|
test$length21(a0 ptr[in, int64], a1 bitsize[a0])
|
|
test$length22(a0 ptr[in, array[int8]], a1 bitsize[a0])
|
|
|
|
syz_length_flags = 0, 1
|
|
|
|
syz_length_int_struct {
|
|
f0 int16
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_const_struct {
|
|
f0 const[0, int32]
|
|
f1 len[f0, int32]
|
|
}
|
|
|
|
syz_length_flags_struct {
|
|
f0 flags[syz_length_flags, int64]
|
|
f1 len[f0, int64]
|
|
}
|
|
|
|
syz_length_len_struct {
|
|
f0 int32
|
|
f1 len[f0, int16]
|
|
f2 len[f1, int16]
|
|
}
|
|
|
|
syz_length_len2_struct {
|
|
f0 len[f1, int16]
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_parent_struct {
|
|
f0 int16
|
|
f1 len[parent, int16]
|
|
}
|
|
|
|
syz_length_array_struct {
|
|
f0 array[int16, 4]
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_array2_struct {
|
|
f0 array[int16, 4]
|
|
f1 bytesize[f0, int16]
|
|
}
|
|
|
|
syz_length_complex_inner_struct {
|
|
f0 int8
|
|
f1 len[f0, int8]
|
|
f2 len[parent, int16]
|
|
f3 array[int32, 3]
|
|
}
|
|
|
|
syz_length_complex_struct {
|
|
f0 len[parent, int64]
|
|
f1 syz_length_complex_inner_struct
|
|
f2 array[syz_length_complex_inner_struct, 1]
|
|
f3 len[f1, int32]
|
|
f4 len[f2, int16]
|
|
f5 array[int16]
|
|
}
|
|
|
|
syz_length_vma_struct {
|
|
f0 vma
|
|
f1 len[f0, int64]
|
|
}
|
|
|
|
syz_length_large_struct {
|
|
f0 int64
|
|
f1 int64
|
|
f2 array[int32, 8]
|
|
}
|
|
|
|
syz_length_bytesize_struct {
|
|
f0 array[int64, 2]
|
|
f1 len[f0, int8]
|
|
f2 bytesize[f0, int8]
|
|
f3 bytesize2[f0, int8]
|
|
f4 bytesize4[f0, int8]
|
|
f5 bytesize8[f0, int8]
|
|
}
|
|
|
|
syz_length_bytesize2_struct {
|
|
f0 int64
|
|
f1 bytesize[f0, int8]
|
|
f2 bytesize2[f0, int8]
|
|
f3 bytesize4[f0, int8]
|
|
f4 bytesize8[f0, int8]
|
|
}
|
|
|
|
syz_length_bytesize3_struct {
|
|
f0 int32
|
|
f1 bytesize[parent, int8]
|
|
f2 bytesize2[parent, int8]
|
|
f3 bytesize4[parent, int8]
|
|
f4 bytesize8[parent, int8]
|
|
}
|
|
|
|
syz_length_bf_struct_inner {
|
|
f0 int32:10
|
|
f1 int32:10
|
|
f2 int32:10
|
|
f3 int32:32
|
|
f4 int32:16
|
|
f5 int32:16
|
|
f6 int32:10
|
|
f7 len[parent, int32]
|
|
}
|
|
|
|
syz_length_bf_struct {
|
|
f0 syz_length_bf_struct_inner
|
|
f1 len[f0, int8]
|
|
f2 bytesize[f0, int8]
|
|
f3 bytesize4[f0, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct_inner_inner {
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct_inner_inner, int8]
|
|
f3 len[syz_length_parent2_struct_inner, int8]
|
|
f4 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct_inner {
|
|
f0 syz_length_parent2_struct_inner_inner
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct_inner, int8]
|
|
f3 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct {
|
|
f0 syz_length_parent2_struct_inner
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
type len_templ1[DATA1, DATA2] {
|
|
data DATA1
|
|
inner len_temp2[DATA2]
|
|
}
|
|
|
|
type len_temp2[DATA] {
|
|
data DATA
|
|
len len[len_templ1, int8]
|
|
}
|
|
|
|
test$length23(a ptr[in, len_templ1[int8, int16]])
|
|
|
|
type len_temp3[DATA] {
|
|
f1 DATA
|
|
f2 len_nontemp4
|
|
}
|
|
|
|
len_nontemp4 {
|
|
f1 len[len_temp3, int32]
|
|
}
|
|
|
|
len_nontemp5 {
|
|
f1 len_temp3[int8]
|
|
f2 len_temp3[int64]
|
|
}
|
|
|
|
len_unaligned {
|
|
f1 int32
|
|
f2 int8
|
|
}
|
|
|
|
explicitly_sized {
|
|
f1 int8
|
|
} [size[42]]
|
|
|
|
explicitly_sized_union [
|
|
f1 int8
|
|
] [size[42]]
|
|
|
|
static_filename {
|
|
f1 string[filename, 10]
|
|
f2 string[filename, 20]
|
|
f3 bytesize[f1, int8]
|
|
f4 bytesize[f2, int8]
|
|
f5 bytesize[parent, int8]
|
|
}
|
|
|
|
test$length24(a ptr[in, len_nontemp5])
|
|
test$length25(a0 ptr[in, array[array[int8]]], a1 len[a0])
|
|
test$length26(a ptr[in, len_unaligned], b bytesize[a])
|
|
test$length27(a0 ptr[in, explicitly_sized], a1 len[a0])
|
|
test$length28(a0 ptr[in, explicitly_sized_union], a1 len[a0])
|
|
test$length29(a ptr[in, static_filename])
|
|
|
|
# Big endian
|
|
|
|
test$end0(a0 ptr[in, syz_end_int_struct])
|
|
test$end1(a0 ptr[in, syz_end_var_struct])
|
|
|
|
syz_end_flags = 0, 1
|
|
|
|
syz_end_int_struct {
|
|
f0 int8
|
|
f1 int16be
|
|
f2 int32be
|
|
f3 int64be
|
|
} [packed]
|
|
|
|
syz_end_var_struct {
|
|
f0 len[parent, int16be]
|
|
f1 const[0x42, int32be]
|
|
f2 flags[syz_end_flags, int64be]
|
|
} [packed]
|
|
|
|
# Vma type
|
|
|
|
test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2])
|
|
|
|
# Text type
|
|
|
|
test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0])
|
|
test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0])
|
|
test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0])
|
|
test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0])
|
|
|
|
# Regression tests
|
|
|
|
test$regression0(a0 ptr[inout, syz_regression0_struct])
|
|
|
|
syz_regression0_struct {
|
|
f0 buffer[out]
|
|
}
|
|
|
|
test$regression1(a1 ptr[in, array[syz_regression1_struct]])
|
|
|
|
syz_regression1_struct {
|
|
f0 array[int8, 4]
|
|
}
|
|
|
|
test$regression2(a1 ptr[in, array[int32, 4]])
|
|
|
|
excessive_fields {
|
|
f1 int8
|
|
}
|
|
|
|
type_confusion [
|
|
f1 int8
|
|
]
|
|
|
|
test$excessive_args1()
|
|
test$excessive_args2(a1 int8)
|
|
test$excessive_fields1(a1 ptr[in, excessive_fields])
|
|
test$type_confusion1(a1 ptr[in, type_confusion])
|
|
|
|
# Bitfields
|
|
|
|
syz_bf_flags = 0, 1, 2
|
|
|
|
syz_bf_struct0 {
|
|
f0 flags[syz_bf_flags, int16:10]
|
|
f1 int64
|
|
f2 const[0x42, int16:5]
|
|
f3 int16:6
|
|
f4 const[0x42, int32:15]
|
|
f5 len[parent, int16:11]
|
|
f6 len[parent, int16be:11]
|
|
f7 int8
|
|
}
|
|
|
|
syz_bf_struct1_internal {
|
|
f0 int32:10
|
|
f1 int32:10
|
|
f2 int32:10
|
|
}
|
|
|
|
syz_bf_struct1 {
|
|
f0 syz_bf_struct1_internal
|
|
f1 int8
|
|
}
|
|
|
|
test$bf0(a0 ptr[in, syz_bf_struct0])
|
|
test$bf1(a0 ptr[in, syz_bf_struct1])
|
|
|
|
# Checksums
|
|
|
|
test$csum_encode(a0 ptr[in, syz_csum_encode])
|
|
test$csum_ipv4(a0 ptr[in, syz_csum_ipv4_header])
|
|
test$csum_ipv4_tcp(a0 ptr[in, syz_csum_ipv4_tcp_packet])
|
|
test$csum_ipv6_tcp(a0 ptr[in, syz_csum_ipv6_tcp_packet])
|
|
test$csum_ipv4_udp(a0 ptr[in, syz_csum_ipv4_udp_packet])
|
|
test$csum_ipv6_udp(a0 ptr[in, syz_csum_ipv6_udp_packet])
|
|
test$csum_ipv6_icmp(a0 ptr[in, syz_csum_ipv6_icmp_packet])
|
|
|
|
syz_csum_encode {
|
|
f0 int16
|
|
f1 int16be
|
|
f2 array[int32, 0:4]
|
|
f3 int8:4
|
|
f4 int8:4
|
|
f5 array[int8, 4]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_header {
|
|
csum csum[parent, inet, int16]
|
|
src_ip int32be
|
|
dst_ip int32be
|
|
} [packed]
|
|
|
|
syz_csum_tcp_header {
|
|
csum csum[syz_csum_tcp_packet, pseudo, IPPROTO_TCP, int16]
|
|
} [packed]
|
|
|
|
syz_csum_tcp_packet {
|
|
header syz_csum_tcp_header
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_tcp_packet {
|
|
header syz_csum_ipv4_header
|
|
payload syz_csum_tcp_packet
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_header {
|
|
src_ip array[int8, 16]
|
|
dst_ip array[int8, 16]
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_tcp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_tcp_packet
|
|
} [packed]
|
|
|
|
syz_csum_udp_packet {
|
|
csum csum[parent, pseudo, IPPROTO_UDP, int16]
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_udp_packet {
|
|
header syz_csum_ipv4_header
|
|
payload syz_csum_udp_packet
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_udp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_udp_packet
|
|
} [packed]
|
|
|
|
syz_csum_icmp_packet {
|
|
csum csum[parent, pseudo, IPPROTO_ICMPV6, int16]
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_icmp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_icmp_packet
|
|
} [packed]
|
|
|
|
# Recursion
|
|
|
|
syz_recur_0 {
|
|
a0 ptr[in, syz_recur_0, opt]
|
|
}
|
|
|
|
syz_recur_1 {
|
|
a0 ptr[in, syz_recur_1, opt]
|
|
a1 ptr[in, syz_recur_2, opt]
|
|
}
|
|
|
|
syz_recur_2_0 {
|
|
a0 ptr[in, syz_recur_2_0, opt]
|
|
a1 ptr[in, syz_recur_2_0, opt]
|
|
a2 ptr[in, syz_recur_2_0, opt]
|
|
a3 ptr[in, syz_recur_2_0, opt]
|
|
}
|
|
|
|
syz_recur_2 {
|
|
a0 ptr[in, syz_recur_0, opt]
|
|
a1 ptr[in, syz_recur_1, opt]
|
|
a2 ptr[in, syz_recur_2_0, opt]
|
|
a3 ptr[in, syz_recur_2_0, opt]
|
|
a4 ptr[in, syz_recur_2, opt]
|
|
a5 ptr[in, syz_recur_2, opt]
|
|
}
|
|
|
|
test$recur0(a0 ptr[inout, syz_recur_0])
|
|
test$recur1(a0 ptr[inout, syz_recur_1])
|
|
test$recur2(a0 ptr[inout, syz_recur_2])
|
|
|
|
# Resources.
|
|
|
|
resource fd[int32]: 0xffffffffffffffff, 999
|
|
resource syz_res[int32]: 0xffff
|
|
|
|
test$res0() syz_res
|
|
test$res1(a0 syz_res)
|
|
test$res2() fd
|
|
|
|
# ONLY_32BITS_CONST const is not present on all arches.
|
|
# Ensure that it does not break build.
|
|
|
|
resource syz_missing_const_res[int32]: ONLY_32BITS_CONST
|
|
|
|
test$missing_resource() syz_missing_const_res
|
|
test$missing_struct(a ptr[in, syz_use_missing])
|
|
|
|
syz_missing_const_struct {
|
|
a0 const[ONLY_32BITS_CONST, int32]
|
|
}
|
|
|
|
syz_use_missing {
|
|
a0 syz_missing_const_res
|
|
a1 syz_missing_const_struct
|
|
}
|
|
|
|
# Hints tests.
|
|
|
|
test$hint_data(a0 ptr[in, array[int8]])
|
|
|
|
# Mutation tests.
|
|
|
|
mutate0()
|
|
mutate1()
|
|
mutate2()
|
|
mutate3(vec ptr[in, array[int32[0:1]]], vlen len[vec])
|
|
mutate4(data ptr[in, array[int8]], size bytesize[data])
|
|
mutate5(filename ptr[in, filename], flags flags[open_flags]) fd
|
|
mutate6(fd fd, data ptr[in, array[int8]], size bytesize[data])
|
|
mutate7(a0 ptr[in, string], a1 len[a0])
|
|
mutate8(a0 proc[100, 4, opt])
|
|
|
|
open_flags = 0xabababababababab, 0xcdcdcdcdcdcdcdcd
|
|
|
|
# Serialization tests.
|
|
|
|
serialize0(a ptr[in, serialize0_struct])
|
|
serialize1(a ptr[out, array[int8]], b len[a])
|
|
|
|
serialize0_struct {
|
|
a string[serialize_strings, 10]
|
|
b string[serialize_strings, 5]
|
|
}
|
|
|
|
serialize_strings = "aaa", "bbb"
|
|
|
|
# Unsupported syscalls due to resources.
|
|
|
|
resource unsupported[int32]
|
|
|
|
unsupported$0(a unsupported) unsupported
|
|
unsupported$1(a unsupported) unsupported
|
|
|
|
# Fallback coverage.
|
|
|
|
fallback$0() fd
|
|
fallback$1(a fd)
|
|
seccomp()
|