mirror of
https://github.com/reactos/syzkaller.git
synced 2024-11-25 04:19:53 +00:00
9fe4bdc5f1
Make as much code as possible shared between all OSes. In particular main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves way for testing of executor code and allows to preserve consistency across OSes and executor/csource.
683 lines
12 KiB
Plaintext
683 lines
12 KiB
Plaintext
# Copyright 2015 syzkaller project authors. All rights reserved.
|
|
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
# Syscalls used in syzkaller tests.
|
|
|
|
syz_mmap(addr vma, len len[addr])
|
|
test()
|
|
|
|
# Integer types.
|
|
|
|
test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64)
|
|
|
|
# Opt arguments
|
|
|
|
test$opt0(a0 intptr[opt])
|
|
test$opt1(a0 ptr[in, intptr, opt])
|
|
test$opt2(a0 vma[opt])
|
|
test$opt3(a0 proc[100, 4, opt])
|
|
|
|
# Alignment and padding
|
|
|
|
test$align0(a0 ptr[in, syz_align0])
|
|
test$align1(a0 ptr[in, syz_align1])
|
|
test$align2(a0 ptr[in, syz_align2])
|
|
test$align3(a0 ptr[in, syz_align3])
|
|
test$align4(a0 ptr[in, syz_align4])
|
|
test$align5(a0 ptr[in, syz_align5])
|
|
test$align6(a0 ptr[in, syz_align6])
|
|
test$align7(a0 ptr[in, syz_align7])
|
|
|
|
syz_align0 {
|
|
f0 int16
|
|
f1 int32
|
|
f2 int8
|
|
f3 int16
|
|
f4 int64
|
|
}
|
|
|
|
syz_align1 {
|
|
f0 int16
|
|
f1 int32
|
|
f2 int8
|
|
f3 int16
|
|
f4 int64
|
|
} [packed]
|
|
|
|
syz_align2_packed {
|
|
f0 array[int16, 1]
|
|
} [packed]
|
|
|
|
syz_align2_not_packed {
|
|
f0 array[int16, 1]
|
|
}
|
|
|
|
syz_align2 {
|
|
f0 int8
|
|
f1 syz_align2_packed
|
|
f2 syz_align2_not_packed
|
|
}
|
|
|
|
syz_align3_noalign {
|
|
f0 int8
|
|
}
|
|
|
|
syz_align3_align4 {
|
|
f0 int8
|
|
} [align_4]
|
|
|
|
syz_align3 {
|
|
f0 int8
|
|
f1 syz_align3_noalign
|
|
f2 syz_align3_align4
|
|
}
|
|
|
|
syz_align4_internal {
|
|
f0 int8
|
|
f1 int16
|
|
} [packed, align_4]
|
|
|
|
syz_align4 {
|
|
f0 syz_align4_internal
|
|
f1 int8
|
|
}
|
|
|
|
syz_align5_internal {
|
|
f0 int64
|
|
f1 array[int16, 0:3]
|
|
}
|
|
|
|
syz_align5 {
|
|
f0 syz_align5_internal
|
|
f1 syz_align5_internal
|
|
f2 int8
|
|
} [packed]
|
|
|
|
syz_align6 {
|
|
f0 int8
|
|
f1 array[int32]
|
|
}
|
|
|
|
syz_align7 {
|
|
f0 syz_align8
|
|
f1 int8
|
|
}
|
|
|
|
syz_align8 {
|
|
f0 int8:1
|
|
f1 int8:1
|
|
f2 int8:1
|
|
f3 int16:1
|
|
f4 int16:1
|
|
f5 int16:1
|
|
} [packed, align_8]
|
|
|
|
# Structs
|
|
|
|
test$struct(a0 ptr[in, syz_struct0])
|
|
|
|
syz_struct0 {
|
|
f0 int64
|
|
f1 syz_struct1
|
|
}
|
|
|
|
syz_struct1 {
|
|
f0 int8
|
|
}
|
|
|
|
# Unions
|
|
|
|
test$union0(a0 ptr[in, syz_union0_struct])
|
|
test$union1(a0 ptr[in, syz_union1_struct])
|
|
test$union2(a0 ptr[in, syz_union2_struct])
|
|
|
|
syz_union0 [
|
|
f0 int64
|
|
f1 array[int64, 10]
|
|
f2 int8
|
|
]
|
|
|
|
syz_union0_struct {
|
|
f int64
|
|
u syz_union0
|
|
}
|
|
|
|
syz_union1 [
|
|
f0 int64
|
|
f1 int32
|
|
]
|
|
|
|
syz_union1_struct {
|
|
f0 syz_union1
|
|
f1 int8
|
|
} [packed]
|
|
|
|
syz_union2 [
|
|
f0 int64
|
|
f1 int32
|
|
] [varlen]
|
|
|
|
syz_union2_struct {
|
|
f0 syz_union2
|
|
f1 int8
|
|
} [packed]
|
|
|
|
syz_union3 [
|
|
f0 int32
|
|
]
|
|
|
|
union_arg [
|
|
f1 int8
|
|
f2 int64
|
|
f3 ptr[in, int32]
|
|
f4 fd
|
|
f5 const[1, intptr]
|
|
f6 flags[syz_length_flags, int32]
|
|
f7 proc[0, 1, int16]
|
|
]
|
|
|
|
test$syz_union3(a0 ptr[in, syz_union3])
|
|
test$syz_union4(a0 union_arg)
|
|
|
|
# Arrays
|
|
|
|
test$array0(a0 ptr[in, syz_array_struct])
|
|
test$array1(a0 ptr[in, syz_array_trailing])
|
|
test$array2(a0 ptr[in, syz_array_blob])
|
|
|
|
# Struct with a variable-length array or variable-length unions.
|
|
syz_array_struct {
|
|
f0 int8
|
|
f1 array[syz_array_union, 1:2]
|
|
f2 int64
|
|
} [packed]
|
|
|
|
syz_array_union [
|
|
f0 int16
|
|
f1 int64
|
|
] [varlen]
|
|
|
|
syz_array_trailing {
|
|
f0 int8
|
|
f1 array[int8, 4:8]
|
|
}
|
|
|
|
syz_array_blob {
|
|
f0 int16
|
|
f1 array[int8, 16]
|
|
f2 int16
|
|
}
|
|
|
|
# Length
|
|
|
|
test$length0(a0 ptr[in, syz_length_int_struct])
|
|
test$length1(a0 ptr[in, syz_length_const_struct])
|
|
test$length2(a0 ptr[in, syz_length_flags_struct])
|
|
test$length3(a0 ptr[in, syz_length_len_struct])
|
|
test$length4(a0 ptr[in, syz_length_len2_struct])
|
|
test$length5(a0 ptr[in, syz_length_parent_struct])
|
|
test$length6(a0 ptr[in, syz_length_array_struct])
|
|
test$length7(a0 ptr[in, syz_length_array2_struct])
|
|
test$length8(a0 ptr[in, syz_length_complex_struct])
|
|
test$length9(a0 ptr[in, syz_length_vma_struct])
|
|
|
|
test$length10(a0 vma, a1 len[a0], a2 bytesize[a0], a3 bytesize2[a0], a4 bytesize4[a0])
|
|
test$length11(a0 ptr[in, syz_length_large_struct], a1 len[a0])
|
|
test$length12(a0 ptr[in, syz_length_large_struct, opt], a1 len[a0])
|
|
test$length13(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64]])
|
|
test$length14(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64], opt])
|
|
test$length15(a0 int16, a1 len[a0])
|
|
|
|
test$length16(a0 ptr[in, syz_length_bytesize_struct])
|
|
test$length17(a0 ptr[in, syz_length_bytesize2_struct])
|
|
test$length18(a0 ptr[in, syz_length_bytesize3_struct])
|
|
test$length19(a0 ptr[in, syz_length_bf_struct])
|
|
|
|
test$length20(a0 ptr[in, syz_length_parent2_struct])
|
|
test$length21(a0 ptr[in, int64], a1 bitsize[a0])
|
|
test$length22(a0 ptr[in, array[int8]], a1 bitsize[a0])
|
|
|
|
syz_length_flags = 0, 1
|
|
|
|
syz_length_int_struct {
|
|
f0 int16
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_const_struct {
|
|
f0 const[0, int32]
|
|
f1 len[f0, int32]
|
|
}
|
|
|
|
syz_length_flags_struct {
|
|
f0 flags[syz_length_flags, int64]
|
|
f1 len[f0, int64]
|
|
}
|
|
|
|
syz_length_len_struct {
|
|
f0 int32
|
|
f1 len[f0, int16]
|
|
f2 len[f1, int16]
|
|
}
|
|
|
|
syz_length_len2_struct {
|
|
f0 len[f1, int16]
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_parent_struct {
|
|
f0 int16
|
|
f1 len[parent, int16]
|
|
}
|
|
|
|
syz_length_array_struct {
|
|
f0 array[int16, 4]
|
|
f1 len[f0, int16]
|
|
}
|
|
|
|
syz_length_array2_struct {
|
|
f0 array[int16, 4]
|
|
f1 bytesize[f0, int16]
|
|
}
|
|
|
|
syz_length_complex_inner_struct {
|
|
f0 int8
|
|
f1 len[f0, int8]
|
|
f2 len[parent, int16]
|
|
f3 array[int32, 3]
|
|
}
|
|
|
|
syz_length_complex_struct {
|
|
f0 len[parent, int64]
|
|
f1 syz_length_complex_inner_struct
|
|
f2 array[syz_length_complex_inner_struct, 1]
|
|
f3 len[f1, int32]
|
|
f4 len[f2, int16]
|
|
f5 array[int16]
|
|
}
|
|
|
|
syz_length_vma_struct {
|
|
f0 vma
|
|
f1 len[f0, int64]
|
|
}
|
|
|
|
syz_length_large_struct {
|
|
f0 int64
|
|
f1 int64
|
|
f2 array[int32, 8]
|
|
}
|
|
|
|
syz_length_bytesize_struct {
|
|
f0 array[int64, 2]
|
|
f1 len[f0, int8]
|
|
f2 bytesize[f0, int8]
|
|
f3 bytesize2[f0, int8]
|
|
f4 bytesize4[f0, int8]
|
|
f5 bytesize8[f0, int8]
|
|
}
|
|
|
|
syz_length_bytesize2_struct {
|
|
f0 int64
|
|
f1 bytesize[f0, int8]
|
|
f2 bytesize2[f0, int8]
|
|
f3 bytesize4[f0, int8]
|
|
f4 bytesize8[f0, int8]
|
|
}
|
|
|
|
syz_length_bytesize3_struct {
|
|
f0 int32
|
|
f1 bytesize[parent, int8]
|
|
f2 bytesize2[parent, int8]
|
|
f3 bytesize4[parent, int8]
|
|
f4 bytesize8[parent, int8]
|
|
}
|
|
|
|
syz_length_bf_struct_inner {
|
|
f0 int32:10
|
|
f1 int32:10
|
|
f2 int32:10
|
|
f3 int32:32
|
|
f4 int32:16
|
|
f5 int32:16
|
|
f6 int32:10
|
|
f7 len[parent, int32]
|
|
}
|
|
|
|
syz_length_bf_struct {
|
|
f0 syz_length_bf_struct_inner
|
|
f1 len[f0, int8]
|
|
f2 bytesize[f0, int8]
|
|
f3 bytesize4[f0, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct_inner_inner {
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct_inner_inner, int8]
|
|
f3 len[syz_length_parent2_struct_inner, int8]
|
|
f4 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct_inner {
|
|
f0 syz_length_parent2_struct_inner_inner
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct_inner, int8]
|
|
f3 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
syz_length_parent2_struct {
|
|
f0 syz_length_parent2_struct_inner
|
|
f1 len[parent, int8]
|
|
f2 len[syz_length_parent2_struct, int8]
|
|
}
|
|
|
|
type len_templ1[DATA1, DATA2] {
|
|
data DATA1
|
|
inner len_temp2[DATA2]
|
|
}
|
|
|
|
type len_temp2[DATA] {
|
|
data DATA
|
|
len len[len_templ1, int8]
|
|
}
|
|
|
|
test$length23(a ptr[in, len_templ1[int8, int16]])
|
|
|
|
type len_temp3[DATA] {
|
|
f1 DATA
|
|
f2 len_nontemp4
|
|
}
|
|
|
|
len_nontemp4 {
|
|
f1 len[len_temp3, int32]
|
|
}
|
|
|
|
len_nontemp5 {
|
|
f1 len_temp3[int8]
|
|
f2 len_temp3[int64]
|
|
}
|
|
|
|
len_unaligned {
|
|
f1 int32
|
|
f2 int8
|
|
}
|
|
|
|
explicitly_sized {
|
|
f1 int8
|
|
} [size[42]]
|
|
|
|
explicitly_sized_union [
|
|
f1 int8
|
|
] [size[42]]
|
|
|
|
static_filename {
|
|
f1 string[filename, 10]
|
|
f2 string[filename, 20]
|
|
f3 bytesize[f1, int8]
|
|
f4 bytesize[f2, int8]
|
|
f5 bytesize[parent, int8]
|
|
}
|
|
|
|
test$length24(a ptr[in, len_nontemp5])
|
|
test$length25(a0 ptr[in, array[array[int8]]], a1 len[a0])
|
|
test$length26(a ptr[in, len_unaligned], b bytesize[a])
|
|
test$length27(a0 ptr[in, explicitly_sized], a1 len[a0])
|
|
test$length28(a0 ptr[in, explicitly_sized_union], a1 len[a0])
|
|
test$length29(a ptr[in, static_filename])
|
|
|
|
# Big endian
|
|
|
|
test$end0(a0 ptr[in, syz_end_int_struct])
|
|
test$end1(a0 ptr[in, syz_end_var_struct])
|
|
|
|
syz_end_flags = 0, 1
|
|
|
|
syz_end_int_struct {
|
|
f0 int8
|
|
f1 int16be
|
|
f2 int32be
|
|
f3 int64be
|
|
} [packed]
|
|
|
|
syz_end_var_struct {
|
|
f0 len[parent, int16be]
|
|
f1 const[0x42, int32be]
|
|
f2 flags[syz_end_flags, int64be]
|
|
} [packed]
|
|
|
|
# Vma type
|
|
|
|
test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2])
|
|
|
|
# Text type
|
|
|
|
test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0])
|
|
test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0])
|
|
test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0])
|
|
test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0])
|
|
|
|
# Regression tests
|
|
|
|
test$regression0(a0 ptr[inout, syz_regression0_struct])
|
|
|
|
syz_regression0_struct {
|
|
f0 buffer[out]
|
|
}
|
|
|
|
test$regression1(a1 ptr[in, array[syz_regression1_struct]])
|
|
|
|
syz_regression1_struct {
|
|
f0 array[int8, 4]
|
|
}
|
|
|
|
test$regression2(a1 ptr[in, array[int32, 4]])
|
|
|
|
excessive_fields {
|
|
f1 int8
|
|
}
|
|
|
|
type_confusion [
|
|
f1 int8
|
|
]
|
|
|
|
test$excessive_args1()
|
|
test$excessive_args2(a1 int8)
|
|
test$excessive_fields1(a1 ptr[in, excessive_fields])
|
|
test$type_confusion1(a1 ptr[in, type_confusion])
|
|
|
|
# Bitfields
|
|
|
|
syz_bf_flags = 0, 1, 2
|
|
|
|
syz_bf_struct0 {
|
|
f0 flags[syz_bf_flags, int16:10]
|
|
f1 int64
|
|
f2 const[0x42, int16:5]
|
|
f3 int16:6
|
|
f4 const[0x42, int32:15]
|
|
f5 len[parent, int16:11]
|
|
f6 len[parent, int16be:11]
|
|
f7 int8
|
|
}
|
|
|
|
syz_bf_struct1_internal {
|
|
f0 int32:10
|
|
f1 int32:10
|
|
f2 int32:10
|
|
}
|
|
|
|
syz_bf_struct1 {
|
|
f0 syz_bf_struct1_internal
|
|
f1 int8
|
|
}
|
|
|
|
test$bf0(a0 ptr[in, syz_bf_struct0])
|
|
test$bf1(a0 ptr[in, syz_bf_struct1])
|
|
|
|
# Checksums
|
|
|
|
test$csum_encode(a0 ptr[in, syz_csum_encode])
|
|
test$csum_ipv4(a0 ptr[in, syz_csum_ipv4_header])
|
|
test$csum_ipv4_tcp(a0 ptr[in, syz_csum_ipv4_tcp_packet])
|
|
test$csum_ipv6_tcp(a0 ptr[in, syz_csum_ipv6_tcp_packet])
|
|
test$csum_ipv4_udp(a0 ptr[in, syz_csum_ipv4_udp_packet])
|
|
test$csum_ipv6_udp(a0 ptr[in, syz_csum_ipv6_udp_packet])
|
|
test$csum_ipv6_icmp(a0 ptr[in, syz_csum_ipv6_icmp_packet])
|
|
|
|
syz_csum_encode {
|
|
f0 int16
|
|
f1 int16be
|
|
f2 array[int32, 0:4]
|
|
f3 int8:4
|
|
f4 int8:4
|
|
f5 array[int8, 4]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_header {
|
|
csum csum[parent, inet, int16]
|
|
src_ip int32be
|
|
dst_ip int32be
|
|
} [packed]
|
|
|
|
syz_csum_tcp_header {
|
|
csum csum[syz_csum_tcp_packet, pseudo, IPPROTO_TCP, int16]
|
|
} [packed]
|
|
|
|
syz_csum_tcp_packet {
|
|
header syz_csum_tcp_header
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_tcp_packet {
|
|
header syz_csum_ipv4_header
|
|
payload syz_csum_tcp_packet
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_header {
|
|
src_ip array[int8, 16]
|
|
dst_ip array[int8, 16]
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_tcp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_tcp_packet
|
|
} [packed]
|
|
|
|
syz_csum_udp_packet {
|
|
csum csum[parent, pseudo, IPPROTO_UDP, int16]
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv4_udp_packet {
|
|
header syz_csum_ipv4_header
|
|
payload syz_csum_udp_packet
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_udp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_udp_packet
|
|
} [packed]
|
|
|
|
syz_csum_icmp_packet {
|
|
csum csum[parent, pseudo, IPPROTO_ICMPV6, int16]
|
|
payload array[int8]
|
|
} [packed]
|
|
|
|
syz_csum_ipv6_icmp_packet {
|
|
header syz_csum_ipv6_header
|
|
payload syz_csum_icmp_packet
|
|
} [packed]
|
|
|
|
# Recursion
|
|
|
|
syz_recur_0 {
|
|
a0 ptr[in, syz_recur_0, opt]
|
|
}
|
|
|
|
syz_recur_1 {
|
|
a0 ptr[in, syz_recur_1, opt]
|
|
a1 ptr[in, syz_recur_2, opt]
|
|
}
|
|
|
|
syz_recur_2_0 {
|
|
a0 ptr[in, syz_recur_2_0, opt]
|
|
a1 ptr[in, syz_recur_2_0, opt]
|
|
a2 ptr[in, syz_recur_2_0, opt]
|
|
a3 ptr[in, syz_recur_2_0, opt]
|
|
}
|
|
|
|
syz_recur_2 {
|
|
a0 ptr[in, syz_recur_0, opt]
|
|
a1 ptr[in, syz_recur_1, opt]
|
|
a2 ptr[in, syz_recur_2_0, opt]
|
|
a3 ptr[in, syz_recur_2_0, opt]
|
|
a4 ptr[in, syz_recur_2, opt]
|
|
a5 ptr[in, syz_recur_2, opt]
|
|
}
|
|
|
|
test$recur0(a0 ptr[inout, syz_recur_0])
|
|
test$recur1(a0 ptr[inout, syz_recur_1])
|
|
test$recur2(a0 ptr[inout, syz_recur_2])
|
|
|
|
# Resources.
|
|
|
|
resource fd[int32]: 0xffffffffffffffff
|
|
resource syz_res[int32]: 0xffff
|
|
|
|
test$res0() syz_res
|
|
test$res1(a0 syz_res)
|
|
test$res2() fd
|
|
|
|
# ONLY_32BITS_CONST const is not present on all arches.
|
|
# Ensure that it does not break build.
|
|
|
|
resource syz_missing_const_res[int32]: ONLY_32BITS_CONST
|
|
|
|
test$missing_resource() syz_missing_const_res
|
|
test$missing_struct(a ptr[in, syz_use_missing])
|
|
|
|
syz_missing_const_struct {
|
|
a0 const[ONLY_32BITS_CONST, int32]
|
|
}
|
|
|
|
syz_use_missing {
|
|
a0 syz_missing_const_res
|
|
a1 syz_missing_const_struct
|
|
}
|
|
|
|
# Hints tests.
|
|
|
|
test$hint_data(a0 ptr[in, array[int8]])
|
|
|
|
# Mutation tests.
|
|
|
|
mutate0()
|
|
mutate1()
|
|
mutate2()
|
|
mutate3(vec ptr[in, array[int32[0:1]]], vlen len[vec])
|
|
mutate4(data ptr[in, array[int8]], size bytesize[data])
|
|
mutate5(filename ptr[in, filename], flags flags[open_flags]) fd
|
|
mutate6(fd fd, data ptr[in, array[int8]], size bytesize[data])
|
|
mutate7(a0 ptr[in, string], a1 len[a0])
|
|
mutate8(a0 proc[100, 4, opt])
|
|
|
|
open_flags = 0xabababababababab, 0xcdcdcdcdcdcdcdcd
|
|
|
|
# Serialization tests.
|
|
|
|
serialize0(a ptr[in, serialize0_struct])
|
|
serialize1(a ptr[out, array[int8]], b len[a])
|
|
|
|
serialize0_struct {
|
|
a string[serialize_strings, 10]
|
|
b string[serialize_strings, 5]
|
|
}
|
|
|
|
serialize_strings = "aaa", "bbb"
|
|
|
|
# Unsupported syscalls due to resources.
|
|
|
|
resource unsupported[int32]
|
|
|
|
unsupported$0(a unsupported) unsupported
|
|
unsupported$1(a unsupported) unsupported
|