syzkaller/sys/test/test.txt
Dmitry Vyukov a4718693a3 sys/linux: add syz_execute_func
The function executes random code.

Update #310
2018-08-30 21:45:04 -07:00

690 lines
12 KiB
Plaintext

# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Syscalls used in syzkaller tests.
syz_execute_func(text ptr[in, text[target]])
test()
# Integer types.
test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64)
# Opt arguments
test$opt0(a0 intptr[opt])
test$opt1(a0 ptr[in, intptr, opt])
test$opt2(a0 vma[opt])
test$opt3(a0 proc[100, 4, opt])
# Alignment and padding
test$align0(a0 ptr[in, syz_align0])
test$align1(a0 ptr[in, syz_align1])
test$align2(a0 ptr[in, syz_align2])
test$align3(a0 ptr[in, syz_align3])
test$align4(a0 ptr[in, syz_align4])
test$align5(a0 ptr[in, syz_align5])
test$align6(a0 ptr[in, syz_align6])
test$align7(a0 ptr[in, syz_align7])
syz_align0 {
f0 int16
f1 int32
f2 int8
f3 int16
f4 int64
}
syz_align1 {
f0 int16
f1 int32
f2 int8
f3 int16
f4 int64
} [packed]
syz_align2_packed {
f0 array[int16, 1]
} [packed]
syz_align2_not_packed {
f0 array[int16, 1]
}
syz_align2 {
f0 int8
f1 syz_align2_packed
f2 syz_align2_not_packed
}
syz_align3_noalign {
f0 int8
}
syz_align3_align4 {
f0 int8
} [align_4]
syz_align3 {
f0 int8
f1 syz_align3_noalign
f2 syz_align3_align4
}
syz_align4_internal {
f0 int8
f1 int16
} [packed, align_4]
syz_align4 {
f0 syz_align4_internal
f1 int8
}
syz_align5_internal {
f0 int64
f1 array[int16, 0:3]
}
syz_align5 {
f0 syz_align5_internal
f1 syz_align5_internal
f2 int8
} [packed]
syz_align6 {
f0 int8
f1 array[int32]
}
syz_align7 {
f0 syz_align8
f1 int8
}
syz_align8 {
f0 int8:1
f1 int8:1
f2 int8:1
f3 int16:1
f4 int16:1
f5 int16:1
} [packed, align_8]
# Structs
test$struct(a0 ptr[in, syz_struct0])
syz_struct0 {
f0 int64
f1 syz_struct1
}
syz_struct1 {
f0 int8
}
# Unions
test$union0(a0 ptr[in, syz_union0_struct])
test$union1(a0 ptr[in, syz_union1_struct])
test$union2(a0 ptr[in, syz_union2_struct])
syz_union0 [
f0 int64
f1 array[int64, 10]
f2 int8
]
syz_union0_struct {
f int64
u syz_union0
}
syz_union1 [
f0 int64
f1 int32
]
syz_union1_struct {
f0 syz_union1
f1 int8
} [packed]
syz_union2 [
f0 int64
f1 int32
] [varlen]
syz_union2_struct {
f0 syz_union2
f1 int8
} [packed]
syz_union3 [
f0 int32
]
union_arg [
f1 int8
f2 int64
f3 ptr[in, int32]
f4 fd
f5 const[1, intptr]
f6 flags[syz_length_flags, int32]
f7 proc[0, 1, int16]
]
test$syz_union3(a0 ptr[in, syz_union3])
test$syz_union4(a0 union_arg)
# Arrays
test$array0(a0 ptr[in, syz_array_struct])
test$array1(a0 ptr[in, syz_array_trailing])
test$array2(a0 ptr[in, syz_array_blob])
# Struct with a variable-length array or variable-length unions.
syz_array_struct {
f0 int8
f1 array[syz_array_union, 1:2]
f2 int64
} [packed]
syz_array_union [
f0 int16
f1 int64
] [varlen]
syz_array_trailing {
f0 int8
f1 array[int8, 4:8]
}
syz_array_blob {
f0 int16
f1 array[int8, 16]
f2 int16
}
# Length
test$length0(a0 ptr[in, syz_length_int_struct])
test$length1(a0 ptr[in, syz_length_const_struct])
test$length2(a0 ptr[in, syz_length_flags_struct])
test$length3(a0 ptr[in, syz_length_len_struct])
test$length4(a0 ptr[in, syz_length_len2_struct])
test$length5(a0 ptr[in, syz_length_parent_struct])
test$length6(a0 ptr[in, syz_length_array_struct])
test$length7(a0 ptr[in, syz_length_array2_struct])
test$length8(a0 ptr[in, syz_length_complex_struct])
test$length9(a0 ptr[in, syz_length_vma_struct])
test$length10(a0 vma, a1 len[a0], a2 bytesize[a0], a3 bytesize2[a0], a4 bytesize4[a0])
test$length11(a0 ptr[in, syz_length_large_struct], a1 len[a0])
test$length12(a0 ptr[in, syz_length_large_struct, opt], a1 len[a0])
test$length13(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64]])
test$length14(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64], opt])
test$length15(a0 int16, a1 len[a0])
test$length16(a0 ptr[in, syz_length_bytesize_struct])
test$length17(a0 ptr[in, syz_length_bytesize2_struct])
test$length18(a0 ptr[in, syz_length_bytesize3_struct])
test$length19(a0 ptr[in, syz_length_bf_struct])
test$length20(a0 ptr[in, syz_length_parent2_struct])
test$length21(a0 ptr[in, int64], a1 bitsize[a0])
test$length22(a0 ptr[in, array[int8]], a1 bitsize[a0])
syz_length_flags = 0, 1
syz_length_int_struct {
f0 int16
f1 len[f0, int16]
}
syz_length_const_struct {
f0 const[0, int32]
f1 len[f0, int32]
}
syz_length_flags_struct {
f0 flags[syz_length_flags, int64]
f1 len[f0, int64]
}
syz_length_len_struct {
f0 int32
f1 len[f0, int16]
f2 len[f1, int16]
}
syz_length_len2_struct {
f0 len[f1, int16]
f1 len[f0, int16]
}
syz_length_parent_struct {
f0 int16
f1 len[parent, int16]
}
syz_length_array_struct {
f0 array[int16, 4]
f1 len[f0, int16]
}
syz_length_array2_struct {
f0 array[int16, 4]
f1 bytesize[f0, int16]
}
syz_length_complex_inner_struct {
f0 int8
f1 len[f0, int8]
f2 len[parent, int16]
f3 array[int32, 3]
}
syz_length_complex_struct {
f0 len[parent, int64]
f1 syz_length_complex_inner_struct
f2 array[syz_length_complex_inner_struct, 1]
f3 len[f1, int32]
f4 len[f2, int16]
f5 array[int16]
}
syz_length_vma_struct {
f0 vma
f1 len[f0, int64]
}
syz_length_large_struct {
f0 int64
f1 int64
f2 array[int32, 8]
}
syz_length_bytesize_struct {
f0 array[int64, 2]
f1 len[f0, int8]
f2 bytesize[f0, int8]
f3 bytesize2[f0, int8]
f4 bytesize4[f0, int8]
f5 bytesize8[f0, int8]
}
syz_length_bytesize2_struct {
f0 int64
f1 bytesize[f0, int8]
f2 bytesize2[f0, int8]
f3 bytesize4[f0, int8]
f4 bytesize8[f0, int8]
}
syz_length_bytesize3_struct {
f0 int32
f1 bytesize[parent, int8]
f2 bytesize2[parent, int8]
f3 bytesize4[parent, int8]
f4 bytesize8[parent, int8]
}
syz_length_bf_struct_inner {
f0 int32:10
f1 int32:10
f2 int32:10
f3 int32:32
f4 int32:16
f5 int32:16
f6 int32:10
f7 len[parent, int32]
}
syz_length_bf_struct {
f0 syz_length_bf_struct_inner
f1 len[f0, int8]
f2 bytesize[f0, int8]
f3 bytesize4[f0, int8]
}
syz_length_parent2_struct_inner_inner {
f1 len[parent, int8]
f2 len[syz_length_parent2_struct_inner_inner, int8]
f3 len[syz_length_parent2_struct_inner, int8]
f4 len[syz_length_parent2_struct, int8]
}
syz_length_parent2_struct_inner {
f0 syz_length_parent2_struct_inner_inner
f1 len[parent, int8]
f2 len[syz_length_parent2_struct_inner, int8]
f3 len[syz_length_parent2_struct, int8]
}
syz_length_parent2_struct {
f0 syz_length_parent2_struct_inner
f1 len[parent, int8]
f2 len[syz_length_parent2_struct, int8]
}
type len_templ1[DATA1, DATA2] {
data DATA1
inner len_temp2[DATA2]
}
type len_temp2[DATA] {
data DATA
len len[len_templ1, int8]
}
test$length23(a ptr[in, len_templ1[int8, int16]])
type len_temp3[DATA] {
f1 DATA
f2 len_nontemp4
}
len_nontemp4 {
f1 len[len_temp3, int32]
}
len_nontemp5 {
f1 len_temp3[int8]
f2 len_temp3[int64]
}
len_unaligned {
f1 int32
f2 int8
}
explicitly_sized {
f1 int8
} [size[42]]
explicitly_sized_union [
f1 int8
] [size[42]]
static_filename {
f1 string[filename, 10]
f2 string[filename, 20]
f3 bytesize[f1, int8]
f4 bytesize[f2, int8]
f5 bytesize[parent, int8]
}
test$length24(a ptr[in, len_nontemp5])
test$length25(a0 ptr[in, array[array[int8]]], a1 len[a0])
test$length26(a ptr[in, len_unaligned], b bytesize[a])
test$length27(a0 ptr[in, explicitly_sized], a1 len[a0])
test$length28(a0 ptr[in, explicitly_sized_union], a1 len[a0])
test$length29(a ptr[in, static_filename])
# Big endian
test$end0(a0 ptr[in, syz_end_int_struct])
test$end1(a0 ptr[in, syz_end_var_struct])
syz_end_flags = 0, 1
syz_end_int_struct {
f0 int8
f1 int16be
f2 int32be
f3 int64be
} [packed]
syz_end_var_struct {
f0 len[parent, int16be]
f1 const[0x42, int32be]
f2 flags[syz_end_flags, int64be]
} [packed]
# Vma type
test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2])
# Text type
test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0])
test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0])
test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0])
test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0])
# Regression tests
test$regression0(a0 ptr[inout, syz_regression0_struct])
syz_regression0_struct {
f0 buffer[out]
}
test$regression1(a1 ptr[in, array[syz_regression1_struct]])
syz_regression1_struct {
f0 array[int8, 4]
}
test$regression2(a1 ptr[in, array[int32, 4]])
excessive_fields {
f1 int8
}
type_confusion [
f1 int8
]
test$excessive_args1()
test$excessive_args2(a1 int8)
test$excessive_fields1(a1 ptr[in, excessive_fields])
test$type_confusion1(a1 ptr[in, type_confusion])
# Bitfields
syz_bf_flags = 0, 1, 2
syz_bf_struct0 {
f0 flags[syz_bf_flags, int16:10]
f1 int64
f2 const[0x42, int16:5]
f3 int16:6
f4 const[0x42, int32:15]
f5 len[parent, int16:11]
f6 len[parent, int16be:11]
f7 int8
}
syz_bf_struct1_internal {
f0 int32:10
f1 int32:10
f2 int32:10
}
syz_bf_struct1 {
f0 syz_bf_struct1_internal
f1 int8
}
test$bf0(a0 ptr[in, syz_bf_struct0])
test$bf1(a0 ptr[in, syz_bf_struct1])
# Checksums
test$csum_encode(a0 ptr[in, syz_csum_encode])
test$csum_ipv4(a0 ptr[in, syz_csum_ipv4_header])
test$csum_ipv4_tcp(a0 ptr[in, syz_csum_ipv4_tcp_packet])
test$csum_ipv6_tcp(a0 ptr[in, syz_csum_ipv6_tcp_packet])
test$csum_ipv4_udp(a0 ptr[in, syz_csum_ipv4_udp_packet])
test$csum_ipv6_udp(a0 ptr[in, syz_csum_ipv6_udp_packet])
test$csum_ipv6_icmp(a0 ptr[in, syz_csum_ipv6_icmp_packet])
syz_csum_encode {
f0 int16
f1 int16be
f2 array[int32, 0:4]
f3 int8:4
f4 int8:4
f5 array[int8, 4]
} [packed]
syz_csum_ipv4_header {
csum csum[parent, inet, int16]
src_ip int32be
dst_ip int32be
} [packed]
syz_csum_tcp_header {
csum csum[syz_csum_tcp_packet, pseudo, IPPROTO_TCP, int16]
} [packed]
syz_csum_tcp_packet {
header syz_csum_tcp_header
payload array[int8]
} [packed]
syz_csum_ipv4_tcp_packet {
header syz_csum_ipv4_header
payload syz_csum_tcp_packet
} [packed]
syz_csum_ipv6_header {
src_ip array[int8, 16]
dst_ip array[int8, 16]
} [packed]
syz_csum_ipv6_tcp_packet {
header syz_csum_ipv6_header
payload syz_csum_tcp_packet
} [packed]
syz_csum_udp_packet {
csum csum[parent, pseudo, IPPROTO_UDP, int16]
payload array[int8]
} [packed]
syz_csum_ipv4_udp_packet {
header syz_csum_ipv4_header
payload syz_csum_udp_packet
} [packed]
syz_csum_ipv6_udp_packet {
header syz_csum_ipv6_header
payload syz_csum_udp_packet
} [packed]
syz_csum_icmp_packet {
csum csum[parent, pseudo, IPPROTO_ICMPV6, int16]
payload array[int8]
} [packed]
syz_csum_ipv6_icmp_packet {
header syz_csum_ipv6_header
payload syz_csum_icmp_packet
} [packed]
# Recursion
syz_recur_0 {
a0 ptr[in, syz_recur_0, opt]
}
syz_recur_1 {
a0 ptr[in, syz_recur_1, opt]
a1 ptr[in, syz_recur_2, opt]
}
syz_recur_2_0 {
a0 ptr[in, syz_recur_2_0, opt]
a1 ptr[in, syz_recur_2_0, opt]
a2 ptr[in, syz_recur_2_0, opt]
a3 ptr[in, syz_recur_2_0, opt]
}
syz_recur_2 {
a0 ptr[in, syz_recur_0, opt]
a1 ptr[in, syz_recur_1, opt]
a2 ptr[in, syz_recur_2_0, opt]
a3 ptr[in, syz_recur_2_0, opt]
a4 ptr[in, syz_recur_2, opt]
a5 ptr[in, syz_recur_2, opt]
}
test$recur0(a0 ptr[inout, syz_recur_0])
test$recur1(a0 ptr[inout, syz_recur_1])
test$recur2(a0 ptr[inout, syz_recur_2])
# Resources.
resource fd[int32]: 0xffffffffffffffff, 999
resource syz_res[int32]: 0xffff
test$res0() syz_res
test$res1(a0 syz_res)
test$res2() fd
# ONLY_32BITS_CONST const is not present on all arches.
# Ensure that it does not break build.
resource syz_missing_const_res[int32]: ONLY_32BITS_CONST
test$missing_resource() syz_missing_const_res
test$missing_struct(a ptr[in, syz_use_missing])
syz_missing_const_struct {
a0 const[ONLY_32BITS_CONST, int32]
}
syz_use_missing {
a0 syz_missing_const_res
a1 syz_missing_const_struct
}
# Hints tests.
test$hint_data(a0 ptr[in, array[int8]])
# Mutation tests.
mutate0()
mutate1()
mutate2()
mutate3(vec ptr[in, array[int32[0:1]]], vlen len[vec])
mutate4(data ptr[in, array[int8]], size bytesize[data])
mutate5(filename ptr[in, filename], flags flags[open_flags]) fd
mutate6(fd fd, data ptr[in, array[int8]], size bytesize[data])
mutate7(a0 ptr[in, string], a1 len[a0])
mutate8(a0 proc[100, 4, opt])
open_flags = 0xabababababababab, 0xcdcdcdcdcdcdcdcd
# Serialization tests.
serialize0(a ptr[in, serialize0_struct])
serialize1(a ptr[out, array[int8]], b len[a])
serialize0_struct {
a string[serialize_strings, 10]
b string[serialize_strings, 5]
}
serialize_strings = "aaa", "bbb"
# Unsupported syscalls due to resources.
resource unsupported[int32]
unsupported$0(a unsupported) unsupported
unsupported$1(a unsupported) unsupported
# Fallback coverage.
fallback$0() fd
fallback$1(a fd)
seccomp()