# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# Description of syscall arguments. See README.md for details.
include <linux/socket.h>
include <linux/ptrace.h>
include <linux/resource.h>
include <linux/stat.h>
include <linux/mman.h>
include <linux/time.h>
include <linux/mount.h>
include <linux/fs.h>
include <linux/eventpoll.h>
include <linux/signalfd.h>
include <linux/eventfd.h>
include <linux/timerfd.h>
include <linux/personality.h>
include <linux/wait.h>
include <linux/user.h>
include <linux/un.h>
include <linux/ioctl.h>
include <linux/fadvise.h>
include <linux/falloc.h>
include <linux/kexec.h>
include <linux/elf.h>
include <linux/fiemap.h>
include <linux/kd.h>
include <linux/vt.h>
include <linux/if_alg.h>
include <linux/nfc.h>
include <linux/sockios.h>
include <linux/net_tstamp.h>
include <linux/termios.h>
include <linux/fcntl.h>
include <linux/sched.h>
include <linux/mqueue.h>
include <linux/mempolicy.h>
include <linux/in.h>
include <linux/ip.h>
include <linux/tcp.h>
include <linux/udp.h>
include <linux/kcmp.h>
include <linux/nfs.h>
include <linux/syslog.h>
include <linux/exportfs.h>
include <linux/splice.h>
include <linux/filelock.h>
include <fs/overlayfs/overlayfs.h>
include <uapi/linux/memfd.h>
include <uapi/linux/module.h>
include <linux/ioprio.h>
include <linux/membarrier.h>
include <uapi/linux/kcov.h>
include <uapi/linux/membarrier.h>
include <uapi/linux/capability.h>
include <uapi/linux/seccomp.h>
include <uapi/linux/wait.h>
include <uapi/linux/watch_queue.h>
include <kernel/sched/sched.h>
include <uapi/linux/close_range.h>
include <uapi/linux/netfilter/xt_cgroup.h>
include <fs/smb/client/cifsglob.h>
include <xen/interface/io/xs_wire.h>
include <uapi/linux/prctl.h>
include <asm/prctl.h>
resource fd[int32]: -1
resource fd_dir[fd]: AT_FDCWD
# alignptr/align32/align64/padto32/padto64 can be used when the ABI uses int64/intptr to hold a smaller type,
# e.g. a pid/uid stored as intptr/int64.
type alignptr[T] {
v T
} [align[PTR_SIZE]]
type align32[T] {
v T
} [align[4]]
type align64[T] {
v T
} [align[8]]
type padto32[T] {
v T
} [size[4]]
type padto64[T] {
v T
} [size[8]]
type signalno int32[0:65]
type signalnoptr intptr[0:65]
# syz_execute_func caused multiple problems:
# 1. First it led to corpus explosion. The program used existing values in registers
# to pollute the output area. We tried to zero registers (though not reliably).
# 2. It led to explosion again. The exact mechanics are unknown; here is one sample:
# syz_execute_func(&(0x7f0000000440)="f2af91930f0124eda133fa20430fbafce842f66188d0d4
# 430fc7f314c1ab5bf9e2f9660f3a0fae5e090000ba023c1fb63ac4817d73d74ec482310d46f44
# 9f216c863fa438036a91bdbae95aaaa420f383c02c401405c6bfd49d768d768f833fefbab6464
# 660f38323c8f26dbc1a1fe5ff6f6df0804f4c4efa59c0f01c4288ba6452e000054c4431d5cc100")
# 3. The code can also execute syscalls (and it is known to), but it's not subject to
# target.SanitizeCall. As a result it can do things that programs are not supposed to do.
# 4. Besides linux, corpus explosion also happens on freebsd and is clearly attributable
# to syz_execute_func based on corpus contents. Mechanics are also not known.
# It also did not lead to finding any new bugs (at least not that I know of).
# So it's disabled on all OSes until we figure out how to resolve all these problems.
syz_execute_func(text ptr[in, text[target]]) (disabled)
# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd
open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd
# Just so that we have something that creates fd_dir resources.
open$dir(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd_dir
openat$dir(fd const[AT_FDCWD], file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd_dir
openat(fd fd_dir[opt], file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd
openat2$dir(fd const[AT_FDCWD], file ptr[in, filename], how ptr[in, open_how], size bytesize[how]) fd_dir
openat2(fd fd_dir[opt], file ptr[in, filename], how ptr[in, open_how], size bytesize[how]) fd
creat(file ptr[in, filename], mode flags[open_mode]) fd
close(fd fd)
read(fd fd, buf buffer[out], count len[buf])
pread64(fd fd, buf buffer[out], count len[buf], pos fileoff)
readv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec])
preadv(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], off_low int32, off_high int32)
preadv2(fd fd, vec ptr[in, array[iovec_out]], vlen len[vec], off_low int32, off_high int32, flags flags[rwf_flags])
write(fd fd, buf buffer[in], count len[buf])
pwrite64(fd fd, buf buffer[in], count len[buf], pos fileoff)
writev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec])
pwritev(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off_low int32, off_high int32)
pwritev2(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], off_low int32, off_high int32, flags flags[rwf_flags])
lseek(fd fd, offset fileoff, whence flags[seek_whence])
copy_file_range(fd_in fd, off_in ptr[inout, fileoff[int64], opt], fd_out fd, off_out ptr[inout, fileoff[int64], opt], len intptr, flags flags[copy_file_range_flags])
rwf_flags = RWF_DSYNC, RWF_HIPRI, RWF_SYNC, RWF_NOWAIT, RWF_APPEND
copy_file_range_flags = 0
dup(oldfd fd) fd
dup2(oldfd fd, newfd fd) fd
dup3(oldfd fd, newfd fd, flags flags[dup_flags]) fd
pipe(pipefd ptr[out, pipefd])
pipe2(pipefd ptr[out, pipefd], flags flags[pipe_flags])
tee(fdin fd, fdout fd, len intptr, f flags[splice_flags])
splice(fdin fd, offin ptr[in, fileoff[int64]], fdout fd, offout ptr[in, fileoff[int64]], len intptr, f flags[splice_flags])
vmsplice(fd fd, vec ptr[in, array[iovec_in]], vlen len[vec], f flags[splice_flags])
sendfile(fdout fd, fdin fd, off ptr[inout, fileoff[intptr], opt], count intptr)
sendfile64(fdout fd, fdin fd, off ptr[inout, fileoff[int64], opt], count intptr)
cachestat_range {
off fileoff[int64]
len int64
}
cachestat {
nr_cache int64
nr_dirty int64
nr_writeback int64
nr_evicted int64
nr_recently_evicted int64
}
stat(file ptr[in, filename], statbuf ptr[out, stat])
lstat(file ptr[in, filename], statbuf ptr[out, stat])
fstat(fd fd, statbuf ptr[out, stat])
newfstatat(dfd const[AT_FDCWD], file ptr[in, filename], statbuf ptr[out, stat], flag flags[statx_flags])
stat64(file ptr[in, filename], statbuf ptr[out, stat64])
lstat64(file ptr[in, filename], statbuf ptr[out, stat64])
fstat64(fd fd, statbuf ptr[out, stat64])
fstatat64(dfd const[AT_FDCWD], file ptr[in, filename], statbuf ptr[out, stat64], flag flags[statx_flags])
statx(fd fd_dir, file ptr[in, filename], flags flags[statx_flags], mask flags[statx_mask], statxbuf ptr[out, statx])
cachestat(fd fd, cstat_range ptr[in, cachestat_range], cstat ptr[out, cachestat], flags const[0])
poll(fds ptr[in, array[pollfd]], nfds len[fds], timeout int32)
ppoll(fds ptr[in, array[pollfd]], nfds len[fds], tsp ptr[in, timespec], sigmask ptr[in, sigset_t], size len[sigmask])
select(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timeval])
pselect6(n len[inp], inp ptr[inout, fd_set], outp ptr[inout, fd_set], exp ptr[inout, fd_set], tvp ptr[inout, timespec], sig ptr[in, sigset_size])
resource fd_epoll[fd]
epoll_create(size int32) fd_epoll
epoll_create1(flags flags[epoll_flags]) fd_epoll
epoll_ctl$EPOLL_CTL_ADD(epfd fd_epoll, op const[EPOLL_CTL_ADD], fd fd, ev ptr[in, epoll_event])
epoll_ctl$EPOLL_CTL_MOD(epfd fd_epoll, op const[EPOLL_CTL_MOD], fd fd, ev ptr[in, epoll_event])
epoll_ctl$EPOLL_CTL_DEL(epfd fd_epoll, op const[EPOLL_CTL_DEL], fd fd)
epoll_wait(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout int32)
epoll_pwait(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout int32, sigmask ptr[in, sigset_t], size bytesize[sigmask])
epoll_pwait2(epfd fd_epoll, events ptr[out, array[epoll_event]], maxevents len[events], timeout ptr[in, timespec], sigmask ptr[in, sigset_t], size bytesize[sigmask])
resource fd_timer[fd]
signalfd(fd fd, mask ptr[in, sigset_t], size len[mask]) fd
signalfd4(fd fd, mask ptr[in, sigset_t], size len[mask], flags flags[signalfd_flags]) fd
timerfd_create(clockid flags[clock_type], flags flags[timerfd_create_flags]) fd_timer
timerfd_settime(fd fd_timer, flags flags[timerfd_settime_flags], new ptr[in, itimerspec], old ptr[out, itimerspec])
timerfd_gettime(fd fd_timer, cur ptr[out, itimerspec])
ioctl$TFD_IOC_SET_TICKS(fd fd_timer, cmd const[TFD_IOC_SET_TICKS], arg ptr[in, int64])
resource fd_event[fd]
eventfd(initval int32) fd_event
eventfd2(initval int32, flags flags[eventfd_flags]) fd_event
read$eventfd(fd fd_event, val ptr[out, int64], len len[val])
write$eventfd(fd fd_event, val ptr[in, int64], len len[val])
brk(brk intptr)
mmap(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd, offset intptr[0:0xffffffff, 0x1000])
munmap(addr vma, len len[addr])
mremap(addr vma, len len[addr], newlen len[newaddr], flags flags[mremap_flags], newaddr vma)
remap_file_pages(addr vma, size len[addr], prot flags[mmap_prot], pgoff intptr, flags flags[mmap_flags])
mprotect(addr vma, len len[addr], prot flags[mmap_prot])
msync(addr vma, len len[addr], f flags[msync_flags])
madvise(addr vma, len len[addr], advice flags[madvise_flags])
process_madvise(pidfd fd_pidfd, vec ptr[in, array[iovec_in]], vlen len[vec], advice flags[madvise_flags], flags const[0])
process_mrelease(pidfd fd_pidfd, flags const[0])
fadvise64(fd fd, offset fileoff, len intptr, advice flags[fadvise_flags])
readahead(fd fd, off intptr, count intptr)
mbind(addr vma, len len[addr], mode flags[mbind_mode], nodemask ptr[in, int64], maxnode intptr, flags flags[mbind_flags])
move_pages(pid pid, nr len[pages], pages ptr[in, array[vma]], nodes ptr[in, array[int32], opt], status ptr[out, array[int32]], flags flags[move_pages_flags])
migrate_pages(pid pid, maxnode intptr, old ptr[in, int64], new ptr[in, int64])
set_mempolicy(mode flags[mbind_mode], nodemask ptr[in, int64], maxnode intptr)
get_mempolicy(mode ptr[out, int32], nodemask ptr[out, int64], maxnode intptr, addr vma, flags flags[mempolicy_flags])
set_mempolicy_home_node(addr vma, len len[addr], home_node intptr[0:3], flags const[0])
mincore(addr vma, size len[addr], vec buffer[out])
mlock(addr vma, size len[addr])
mlock2(addr vma, size len[addr], flags flags[mlock_flags])
munlock(addr vma, size len[addr])
mlockall(flags flags[mlockall_flags])
munlockall()
kcmp(pid1 pid, pid2 pid, type flags[kcmp_flags], fd1 fd, fd2 fd)
kcmp$KCMP_EPOLL_TFD(pid1 pid, pid2 pid, type const[KCMP_EPOLL_TFD], fd1 fd, idx2 ptr[in, kcmp_epoll_slot])
resource fd_memfd[fd]
memfd_create(name ptr[in, string], flags flags[memfd_flags]) fd_memfd
memfd_flags = MFD_CLOEXEC, MFD_ALLOW_SEALING, MFD_HUGETLB
_ = MFD_HUGE_SHIFT, MFD_HUGE_MASK, MFD_HUGE_64KB, MFD_HUGE_512KB, MFD_HUGE_1MB, MFD_HUGE_2MB, MFD_HUGE_8MB, MFD_HUGE_16MB
memfd_secret(flags flags[memfd_secret_flags]) fd
memfd_secret_flags = O_CLOEXEC
resource pkey[int32]: -1
pkey_alloc(flags const[0], val flags[pkey_flags]) pkey
pkey_free(key pkey)
pkey_mprotect(addr vma, len len[addr], prot flags[mmap_prot], key pkey)
syz_pkey_set(key pkey, val flags[pkey_flags])
pkey_flags = PKEY_DISABLE_ACCESS, PKEY_DISABLE_WRITE
restart_syscall()
# Almighty!
ioctl(fd fd, cmd int32, arg buffer[in])
ioctl$int_in(fd fd, cmd flags[ioctl_int_in], v ptr[in, int64])
ioctl$int_out(fd fd, cmd flags[ioctl_int_out], v ptr[out, intptr])
ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
ioctl$FITHAW(fd fd, cmd const[FITHAW])
# FIFREEZE is disabled because it can easily kill the machine.
ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (disabled)
fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
fcntl$setflags(fd fd, cmd const[F_SETFD], flags flags[fcntl_flags])
fcntl$setstatus(fd fd, cmd const[F_SETFL], flags flags[fcntl_status])
fcntl$lock(fd fd, cmd flags[fcntl_lock], lock ptr[in, flock])
fcntl$getown(fd fd, cmd const[F_GETOWN]) pid
fcntl$setown(fd fd, cmd const[F_SETOWN], pid pid)
fcntl$getownex(fd fd, cmd const[F_GETOWN_EX], arg ptr[out, f_owner_ex])
fcntl$setownex(fd fd, cmd const[F_SETOWN_EX], arg ptr[in, f_owner_ex])
fcntl$setsig(fd fd, cmd const[F_SETSIG], sig signalnoptr)
fcntl$setlease(fd fd, cmd const[F_SETLEASE], typ flags[flock_type])
fcntl$notify(fd fd, cmd const[F_NOTIFY], typ flags[fcntl_notify])
fcntl$setpipe(fd fd, cmd const[F_SETPIPE_SZ], sz intptr)
fcntl$addseals(fd fd, cmd const[F_ADD_SEALS], seals flags[seal_types])
fcntl$F_GET_RW_HINT(fd fd, cmd const[F_GET_RW_HINT], hint ptr[out, int64])
fcntl$F_GET_FILE_RW_HINT(fd fd, cmd const[F_GET_FILE_RW_HINT], hint ptr[out, int64])
fcntl$F_SET_RW_HINT(fd fd, cmd const[F_SET_RW_HINT], hint ptr[in, flags[fcntl_rw_hint, int64]])
fcntl$F_SET_FILE_RW_HINT(fd fd, cmd const[F_SET_FILE_RW_HINT], hint ptr[in, flags[fcntl_rw_hint, int64]])
# Only some commands break return values.
# When/if we have stricter enforcement of arguments, we may remove some of the breaks_returns attributes.
ptrace(req flags[ptrace_req], pid pid) (breaks_returns)
ptrace$peek(req flags[ptrace_req_peek], pid pid, addr ptr[out, intptr]) (breaks_returns)
ptrace$poke(req flags[ptrace_req_poke], pid pid, addr ptr[out, intptr], data intptr) (breaks_returns)
ptrace$peekuser(req const[PTRACE_PEEKUSR], pid pid, addr intptr) (breaks_returns)
ptrace$pokeuser(req const[PTRACE_POKEUSR], pid pid, addr intptr, data intptr) (breaks_returns)
ptrace$getregs(req flags[ptrace_req_getregs], pid pid, ignored intptr, data buffer[out]) (breaks_returns)
ptrace$getregset(req const[PTRACE_GETREGSET], pid pid, what flags[pthread_regset], data ptr[in, iovec_out]) (breaks_returns)
ptrace$setregs(req flags[ptrace_req_setregs], pid pid, ignored intptr, data buffer[in]) (breaks_returns)
ptrace$setregset(req const[PTRACE_SETREGSET], pid pid, what flags[pthread_regset], data ptr[in, iovec_in]) (breaks_returns)
ptrace$getsig(req const[PTRACE_GETSIGINFO], pid pid, ignored intptr, data ptr[out, siginfo]) (breaks_returns)
ptrace$setsig(req const[PTRACE_SETSIGINFO], pid pid, ignored intptr, data ptr[in, siginfo]) (breaks_returns)
ptrace$setopts(req flags[ptrace_req_setopts], pid pid, ignored intptr, flags flags[ptrace_options]) (breaks_returns)
ptrace$getenv(req const[PTRACE_GETEVENTMSG], pid pid, ignored intptr, data ptr[out, intptr]) (breaks_returns)
ptrace$cont(req flags[ptrace_req_cont], pid pid, ignored intptr, data intptr) (breaks_returns)
ptrace$PTRACE_SECCOMP_GET_FILTER(req const[PTRACE_SECCOMP_GET_FILTER], pid pid, addr intptr, data ptr[out, array[int8]]) (breaks_returns)
ptrace$PTRACE_SECCOMP_GET_METADATA(req const[PTRACE_SECCOMP_GET_METADATA], pid pid, addr len[data], data ptr[in, seccomp_metadata]) (breaks_returns)
ptrace$PTRACE_SETSIGMASK(req const[PTRACE_SETSIGMASK], pid pid, size bytesize[data], data ptr[in, sigset_t]) (breaks_returns)
ptrace$PTRACE_GETSIGMASK(req const[PTRACE_GETSIGMASK], pid pid, size bytesize[data], data ptr[out, sigset_t]) (breaks_returns)
ptrace$ARCH_GET_FS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_GET_FS]) (breaks_returns)
ptrace$ARCH_GET_GS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_GET_GS]) (breaks_returns)
ptrace$ARCH_SET_GS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], code const[ARCH_SET_GS]) (breaks_returns)
ptrace$ARCH_GET_CPUID(req const[PTRACE_ARCH_PRCTL], pid pid, arg const[0], code const[ARCH_GET_CPUID]) (breaks_returns)
ptrace$ARCH_SET_CPUID(req const[PTRACE_ARCH_PRCTL], pid pid, arg boolptr, code const[ARCH_SET_CPUID]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_X32(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_X32]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_32(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_32]) (breaks_returns)
ptrace$ARCH_MAP_VDSO_64(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr, code const[ARCH_MAP_VDSO_64]) (breaks_returns)
ptrace$ARCH_SHSTK_STATUS(req const[PTRACE_ARCH_PRCTL], pid pid, res ptr[out, intptr], cmd const[ARCH_SHSTK_STATUS]) (breaks_returns)
ptrace$ARCH_SHSTK_LOCK(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_LOCK]) (breaks_returns)
ptrace$ARCH_SHSTK_UNLOCK(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_UNLOCK]) (breaks_returns)
ptrace$ARCH_SHSTK_ENABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_ENABLE]) (breaks_returns)
ptrace$ARCH_SHSTK_DISABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_DISABLE]) (breaks_returns)
ptrace$ARCH_GET_UNTAG_MASK(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], cmd const[ARCH_GET_UNTAG_MASK]) (breaks_returns)
ptrace$ARCH_GET_MAX_TAG_BITS(req const[PTRACE_ARCH_PRCTL], pid pid, arg ptr[out, intptr], cmd const[ARCH_GET_MAX_TAG_BITS]) (breaks_returns)
ptrace$ARCH_ENABLE_TAGGED_ADDR(req const[PTRACE_ARCH_PRCTL], pid pid, arg intptr[1:6], cmd const[ARCH_ENABLE_TAGGED_ADDR]) (breaks_returns)
ptrace$ARCH_FORCE_TAGGED_SVA(req const[PTRACE_ARCH_PRCTL], pid pid, arg const[0], cmd const[ARCH_FORCE_TAGGED_SVA]) (breaks_returns)
map_shadow_stack(addr vma, size bytesize[addr], flags boolptr)
seccomp_metadata {
filter_off int64
flags const[0, int64]
}
ptrace_peeksiginfo_args {
off int64
flags flags[ptrace_peeksiginfo_flags, int32]
nr len[syscall:data, int32]
}
ptrace$peeksig(req const[PTRACE_PEEKSIGINFO], pid pid, args ptr[in, ptrace_peeksiginfo_args], data ptr[out, array[siginfo]])
capget(hdr ptr[in, cap_header], data ptr[in, cap_data])
capset(hdr ptr[in, cap_header], data ptr[in, cap_data])
resource fd_mq[fd]
mq_open(name ptr[in, string], flags flags[mq_open_flags], mode flags[open_mode], attr ptr[in, mq_attr]) fd_mq
mq_timedsend(mqd fd_mq, msg buffer[in], msglen len[msg], prio intptr, timeout ptr[in, timespec, opt])
mq_timedreceive(mqd fd_mq, msg buffer[out], msglen len[msg], prio intptr, timeout ptr[in, timespec, opt])
mq_notify(mqd fd_mq, notif ptr[in, sigevent])
mq_getsetattr(mqd fd_mq, attr ptr[in, mq_attr], oldattr ptr[out, mq_attr, opt])
mq_unlink(name ptr[in, string])
mknod(file ptr[in, filename], mode flags[mknod_mode], dev int32)
mknod$loop(file ptr[in, filename], mode flags[mknod_mode], dev proc[1792, 2])
mknodat$loop(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev proc[1792, 2])
mknodat$null(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev const[0x103])
mknodat(dirfd fd_dir, file ptr[in, filename], mode flags[mknod_mode], dev int32)
chmod(file ptr[in, filename], mode flags[open_mode])
fchmod(fd fd, mode flags[open_mode])
fchmodat(dirfd fd_dir, file ptr[in, filename], mode flags[open_mode])
chown(file ptr[in, filename], uid uid, gid gid)
lchown(file ptr[in, filename], uid uid, gid gid)
fchown(fd fd, uid uid, gid gid)
fchownat(dirfd fd_dir, file ptr[in, filename], uid uid, gid gid, flags flags[at_flags])
fallocate(fd fd, mode flags[fallocate_mode], off intptr, len intptr)
faccessat(dirfd fd_dir, pathname ptr[in, filename], mode flags[open_mode])
faccessat2(dirfd fd_dir, pathname ptr[in, filename], mode flags[open_mode], flags flags[faccessat_flags])
utime(filename ptr[in, filename], times ptr[in, utimbuf])
utimes(filename ptr[in, filename], times ptr[in, itimerval])
futimesat(dir fd_dir, pathname ptr[in, filename], times ptr[in, itimerval])
utimensat(dir fd_dir, pathname ptr[in, filename], times ptr[in, itimerval], flags flags[utimensat_flags])
# Small trick - syzkaller cannot give the proper stack pointer to clone(), but we can do it with the aid of pseudo syscalls.
syz_clone(flags flags[clone_flags], stack buffer[in], stack_len bytesize[stack], parentid ptr[out, int32], childtid ptr[out, int32], tls buffer[in]) pid
syz_clone3(args ptr[in, clone_args], size bytesize[args]) pid
# We need these disabled definitions to simplify presence and syscall NR checking.
clone(flags flags[clone_flags], sp buffer[in], parentid ptr[out, int32], childtid ptr[out, int32], tls buffer[in]) (breaks_returns, disabled)
clone3(args ptr[in, clone_args], size bytesize[args]) pid (breaks_returns, disabled)
clone_args {
flags flags[clone3_flags, int64]
pidfd ptr64[out, fd_pidfd]
child_tid ptr64[out, pid]
parent_tid ptr64[out, pid]
exit_signal align64[signalno]
stack ptr64[out, array[int8]]
stack_size bytesize[stack, int64]
tls ptr64[out, array[int8]]
set_tid ptr64[in, array[pid]]
set_tid_size len[set_tid, int64]
cgroup align64[fd_cgroup]
}
resource pid[int32]: 0, -1
resource uid[int32]: 0, -1, 0xee00, 0xee01
resource gid[int32]: 0, -1, 0xee00, 0xee01
getgid() gid
getegid() gid
setuid(uid uid)
setgid(gid gid)
getuid() uid
geteuid() uid
setpgid(pid pid, pgid pid)
getpgid(pid pid) pid
getpgrp(pid pid) pid
getpid() pid
gettid() pid
setreuid(ruid uid, euid uid)
setregid(rgid gid, egid gid)
setresuid(ruid uid, euid uid, suid uid)
setresgid(rgid gid, egid gid, sgid gid)
getresuid(ruid ptr[out, uid], euid ptr[out, uid], suid ptr[out, uid])
getresgid(rgid ptr[out, gid], egid ptr[out, gid], sgid ptr[out, gid])
setfsuid(fsuid uid)
setfsgid(fsgid gid)
getgroups(size len[list], list ptr[inout, array[gid]])
setgroups(size len[list], list ptr[in, array[gid]])
personality(persona flags[personality_flags])
# Don't mess with parent (fuzzer). If we ptrace attach to it, it will hang.
# If we setrlimit for parent, it will misbehave. Killing - the same. Nothing good.
#getppid() pid
#getsid(pid pid) pid
#setsid() pid
link(old ptr[in, filename], new ptr[in, filename])
linkat(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename], flags flags[linkat_flags])
symlinkat(old ptr[in, filename], newfd fd_dir, new ptr[in, filename])
symlink(old ptr[in, filename], new ptr[in, filename])
unlink(path ptr[in, filename])
unlinkat(fd fd_dir, path ptr[in, filename], flags flags[unlinkat_flags])
readlink(path ptr[in, filename], buf buffer[out], siz len[buf])
readlinkat(fd fd_dir, path ptr[in, filename], buf buffer[out], siz len[buf])
rename(old ptr[in, filename], new ptr[in, filename])
renameat(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename])
renameat2(oldfd fd_dir, old ptr[in, filename], newfd fd_dir, new ptr[in, filename], flags flags[renameat2_flags])
mkdir(path ptr[in, filename], mode flags[open_mode])
mkdirat(fd fd_dir[opt], path ptr[in, filename], mode flags[open_mode])
rmdir(path ptr[in, filename])
truncate(file ptr[in, filename], len intptr)
ftruncate(fd fd, len intptr)
flock(fd fd, op flags[flock_op])
fsync(fd fd)
fdatasync(fd fd)
sync()
syncfs(fd fd)
sync_file_range(fd fd, off intptr, nbytes intptr, flags flags[sync_file_flags])
lookup_dcookie(cookie intptr, buf buffer[out], len len[buf])
getdents(fd fd_dir, ent buffer[out], count len[ent])
getdents64(fd fd_dir, ent buffer[out], count len[ent])
name_to_handle_at(fd fd_dir, file ptr[in, filename], handle ptr[in, file_handle], mnt ptr[out, int32], flags flags[name_to_handle_at_flags])
open_by_handle_at(mountdirfd fd, handle ptr[in, file_handle], flags flags[open_flags])
chroot(dir ptr[in, filename])
getcwd(buf buffer[out], size len[buf])
chdir(dir ptr[in, filename])
fchdir(fd fd)
pivot_root(new_root ptr[in, filename], put_old ptr[in, filename])
sysfs$1(option const[1], fsname ptr[in, string])
sysfs$2(option const[2], fsindex intptr, fsname buffer[out])
sysfs$3(option const[3])
statfs(path ptr[in, filename], buf buffer[out])
fstatfs(fd fd, buf buffer[out])
uselib(lib ptr[in, filename])
init_module(mod ptr[in, string], len len[mod], args ptr[in, string])
finit_module(fd fd, args ptr[in, string], flags flags[finit_module_flags])
delete_module(name ptr[in, string], flags flags[delete_module_flags])
kexec_load(entry intptr, nr_segments len[segments], segments ptr[in, array[kexec_segment]], flags flags[kexec_load_flags])
syslog(cmd flags[syslog_cmd], buf ptr[out, array[int8], opt], len len[buf])
uname(buf buffer[out])
sysinfo(info buffer[out])
ustat(dev intptr, buf ptr[out, ustat])
acct(filename ptr[in, filename, opt])
getrusage(who flags[rusage_who], usage ptr[out, rusage])
getrlimit(res flags[rlimit_type], rlim ptr[out, rlimit])
setrlimit(res flags[rlimit_type], rlim ptr[in, rlimit])
prlimit64(pid pid, res flags[rlimit_type], new ptr[in, rlimit, opt], old ptr[out, rlimit, opt])
iopl(level int8)
ioperm(from intptr, num intptr, on intptr)
ioprio_get$pid(which flags[ioprio_which_pid], who pid)
ioprio_get$uid(which flags[ioprio_which_uid], who uid)
ioprio_set$pid(which flags[ioprio_which_pid], who pid, ioprio flags[ioprio_priorities])
ioprio_set$uid(which flags[ioprio_which_uid], who uid, ioprio flags[ioprio_priorities])
# NEED: we can express the construction of integers using structs with flags
# and bitfields, which are normally obtained using a combination of bitwise
# operations with the help of macros. However, structs can't be directly passed
# as a syscall argument; therefore, such constructions can't be directly passed either.
# One example is the ioprio argument of ioprio_set, where we could have expressed the
# construction less messily. For now, a subset of the valid values is enumerated
# in ioprio_priorities.
# ioprio priority values are obtained using the IOPRIO_PRIO_VALUE(class, data) macro.
# The behaviour of the macro is mimicked below and some priority values are enumerated.
ioprio_priorities = IOPRIO_CLASS_NONE_PRIO, IOPRIO_CLASS_IDLE_PRIO, IOPRIO_CLASS_RT_HIGH_PRIO, IOPRIO_CLASS_BE_HIGH_PRIO, IOPRIO_CLASS_RT_MID_PRIO, IOPRIO_CLASS_BE_MID_PRIO, IOPRIO_CLASS_RT_LOW_PRIO, IOPRIO_CLASS_BE_LOW_PRIO
# The classes RT and BE take data values from the range [0:7]. Use a subset of the available
# values (0, 4, 7) to ease collisions, and to avoid redundancy. The classes NONE and IDLE
# have only one valid priority value each with data set to 0.
define IOPRIO_CLASS_NONE_PRIO (IOPRIO_CLASS_NONE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_IDLE_PRIO (IOPRIO_CLASS_IDLE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_RT_HIGH_PRIO (IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_BE_HIGH_PRIO (IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT)
define IOPRIO_CLASS_RT_MID_PRIO ((IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT) + 4)
define IOPRIO_CLASS_BE_MID_PRIO ((IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT) + 4)
define IOPRIO_CLASS_RT_LOW_PRIO ((IOPRIO_CLASS_RT << IOPRIO_CLASS_SHIFT) + 7)
define IOPRIO_CLASS_BE_LOW_PRIO ((IOPRIO_CLASS_BE << IOPRIO_CLASS_SHIFT) + 7)
resource timerid[int32]
timer_create(id flags[clock_id], ev ptr[in, sigevent], timerid ptr[out, timerid])
timer_gettime(timerid timerid, setting ptr[out, itimerspec])
timer_getoverrun(timerid timerid)
timer_settime(timerid timerid, flags flags[timer_flags], new ptr[in, itimerspec], old ptr[out, itimerspec, opt])
timer_delete(timerid timerid)
time(t ptr[out, intptr])
clock_gettime(id flags[clock_id], tp ptr[out, timespec])
clock_settime(id flags[clock_id], tp ptr[in, timespec])
clock_adjtime(id flags[clock_id], tx ptr[in, timex])
clock_getres(id flags[clock_id], tp ptr[out, timespec])
clock_nanosleep(id flags[clock_id], flags flags[timer_flags], rqtp ptr[in, timespec], rmtp ptr[out, timespec, opt])
rt_sigaction(sig signalno, act ptr[in, sigaction], oact ptr[out, sigaction, opt], sigsetsize len[fake], fake ptr[out, sigset_t])
rt_sigprocmask(how flags[sigprocmask_how], nset ptr[in, sigset_t], oset ptr[out, sigset_t, opt], sigsetsize len[nset])
rt_sigreturn()
rt_sigpending(set ptr[out, sigset_t], sigsetsize len[set])
rt_sigtimedwait(these ptr[in, sigset_t], info ptr[out, siginfo, opt], ts ptr[in, timespec], sigsetsize len[these])
rt_sigsuspend(new ptr[in, sigset_t], sigsetsize len[new])
rt_sigqueueinfo(pid pid, sig signalno, info ptr[in, siginfo])
rt_tgsigqueueinfo(gid pid, tid pid, sig signalno, info ptr[in, siginfo])
sigaltstack(ss ptr[in, sigaltstack], oss ptr[out, sigaltstack, opt])
tgkill(gid pid, tid pid, sig signalno)
tkill(tid pid, sig signalno)
pause()
alarm(seconds intptr)
nanosleep(req ptr[in, timespec], rem ptr[out, timespec, opt])
getitimer(which flags[getitimer_which], cur ptr[out, itimerval])
setitimer(which flags[getitimer_which], new ptr[in, itimerval], old ptr[out, itimerval, opt])
exit(code intptr)
exit_group(code intptr)
waitid(which flags[waitid_which], pid pid, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
waitid$P_PIDFD(which const[P_PIDFD], pidfd fd_pidfd, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
wait4(pid pid, status ptr[out, int32, opt], options flags[wait_options], ru ptr[out, rusage, opt])
times(buf ptr[out, tms])
# kill() is disabled: it can send signals to all processes (pid=-1).
#kill(pid pid, sig signalno)
# Per-thread TLS / LDT management (x86). modify_ldt variants are split by the
# `func` constant: 0 and 2 read into a plain buffer, 1 and 17 write a user_desc.
set_thread_area(info ptr[in, user_desc])
get_thread_area(info ptr[in, user_desc])
modify_ldt$read(func const[0], buf buffer[out], len len[buf])
modify_ldt$write(func const[1], buf ptr[in, user_desc], len len[buf])
modify_ldt$read_default(func const[2], buf buffer[out], len len[buf])
modify_ldt$write2(func const[17], buf ptr[in, user_desc], len len[buf])
# Cross-process memory access. Both the local and remote vectors are described
# as iovec_out for readv and writev alike; flags is reserved (must be 0).
process_vm_readv(pid pid, loc_vec ptr[in, array[iovec_out]], loc_vlen len[loc_vec], rem_vec ptr[in, array[iovec_out]], rem_vlen len[rem_vec], flags const[0])
process_vm_writev(pid pid, loc_vec ptr[in, array[iovec_out]], loc_vlen len[loc_vec], rem_vec ptr[in, array[iovec_out]], rem_vlen len[rem_vec], flags const[0])
set_tid_address(tidptr ptr[out, int32])
# Scheduling: priority, policy, parameters and CPU affinity, all keyed by a pid resource.
getpriority(which flags[priority_which], who pid)
setpriority(which flags[priority_which], who pid, prio intptr)
sched_getscheduler(pid pid)
sched_setscheduler(pid pid, policy flags[sched_policy], prio ptr[in, int32])
sched_rr_get_interval(pid pid, tp ptr[out, timespec])
sched_getparam(pid pid, prio ptr[out, int32])
sched_setparam(pid pid, prio ptr[in, int32])
# cpusetsize is the byte length of the single int64 mask word.
sched_getaffinity(pid pid, cpusetsize len[mask], mask ptr[out, int64])
sched_setaffinity(pid pid, cpusetsize len[mask], mask ptr[in, int64])
sched_getattr(pid pid, attr ptr[out, sched_attr], size len[attr], flags const[0])
sched_setattr(pid pid, attr ptr[in, sched_attr], flags const[0])
sched_yield()
# Kernel randomness into a caller-provided buffer; flags select the source/blocking mode.
getrandom(buf buffer[out], len len[buf], flags flags[getrandom_flags])
# membarrier: cmd is one of the MEMBARRIER_CMD_* values below; flags is reserved (0).
membarrier(cmd flags[membarrier_cmd], flags const[0])
membarrier_cmd = MEMBARRIER_CMD_GLOBAL, MEMBARRIER_CMD_GLOBAL_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_QUERY, MEMBARRIER_CMD_REGISTER_GLOBAL_EXPEDITED, MEMBARRIER_CMD_SHARED
# Restartable sequences. rseq_len is the byte size of the rseq struct; sig is
# pinned to 0 here, so the generated registrations do not use a signature.
rseq(rseq ptr[in, rseq], rseq_len bytesize[rseq], flags boolptr, sig const[0])
# Registered area shared with the kernel. cpu_id_start/cpu_id are kernel-written
# and are emitted as 0; rseq_cs is an optional 64-bit pointer to a critical
# section descriptor. Aligned to 32 bytes as the ABI requires.
rseq {
cpu_id_start const[0, int32]
cpu_id const[0, int32]
rseq_cs ptr64[in, rseq_cs, opt]
flags flags[rseq_cs_flags, int32]
} [align[32]]
# Critical-section descriptor. start_ip/post_commit_offset/abort_ip are plain
# int64 values; the kernel interprets them as code addresses/offsets, so the
# fuzzer supplies arbitrary ones here (NOTE(review): verify that is intended).
rseq_cs {
version const[0, int32]
flags flags[rseq_cs_flags, int32]
start_ip int64
post_commit_offset int64
abort_ip int64
} [align[32]]
rseq_cs_flags = RSEQ_CS_FLAG_NO_RESTART_ON_PREEMPT, RSEQ_CS_FLAG_NO_RESTART_ON_SIGNAL, RSEQ_CS_FLAG_NO_RESTART_ON_MIGRATE
# start/end are unused for now and pinned to 0; there is no definition of
# SYS_RISCV_FLUSH_ICACHE_LOCAL in the uapi headers, so flags is a bare bool32.
riscv_flush_icache(start const[0], end const[0], flags bool32)
# Pseudo-syscall opening a per-process procfs entry for the given pid resource
# (presumably /proc/<pid>/<file>); file is one of procfs_proc_file.
syz_open_procfs(pid pid, file ptr[in, string[procfs_proc_file]]) fd
# TODO: some of the net files are only available in the init namespace (e.g. bluetooth bnep and hci).
# We could find some way to open these files in the init namespace,
# especially since we create bluetooth sockets in the init namespace.
# Several entries are writable control knobs for the target process (e.g. clear_refs,
# oom_score_adj, *_map, attr/*), not just read-only status files.
# NOTE(review): "net/psched" is listed twice.
procfs_proc_file = "auxv", "cmdline", "environ", "autogroup", "cgroup", "clear_refs", "comm", "coredump_filter", "cpuset", "gid_map", "io", "limits", "loginuid", "maps", "mountinfo", "mounts", "mountstats", "numa_maps", "oom_adj", "oom_score", "oom_score_adj", "pagemap", "personality", "projid_map", "sched", "schedstat", "sessionid", "setgroups", "smaps", "smaps_rollup", "totmaps", "stack", "stat", "statm", "status", "syscall", "timers", "uid_map", "wchan", "map_files", "attr", "attr/current", "attr/exec", "attr/fscreate", "attr/keycreate", "attr/prev", "attr/sockcreate", "ns", "children", "task", "fd", "fd/3", "fd/4", "fdinfo", "fdinfo/3", "fdinfo/4", "net", "net/anycast6", "net/arp", "net/bnep", "net/connector", "net/dev", "net/dev_mcast", "net/dev_snmp6", "net/fib_trie", "net/fib_triestat", "net/hci", "net/icmp", "net/icmp6", "net/if_inet6", "net/igmp", "net/igmp6", "net/ip6_flowlabel", "net/ip6_mr_cache", "net/ip6_mr_vif", "net/ip6_tables_matches", "net/ip6_tables_names", "net/ip6_tables_targets", "net/ip_mr_cache", "net/ip_mr_vif", "net/ip_tables_matches", "net/ip_tables_names", "net/ip_tables_targets", "net/ipv6_route", "net/l2cap", "net/llc/core", "net/llc/socket", "net/mcfilter", "net/mcfilter6", "net/netfilter", "net/netlink", "net/netstat", "net/nfsfs", "net/packet", "net/protocols", "net/psched", "net/ptype", "net/raw", "net/raw6", "net/rfcomm", "net/route", "net/rpc", "net/rt6_stats", "net/rt_acct", "net/rt_cache", "net/sco", "net/sctp", "net/snmp", "net/snmp6", "net/sockstat", "net/sockstat6", "net/softnet_stat", "net/stat", "net/tcp", "net/tcp6", "net/udp", "net/udp6", "net/udplite", "net/udplite6", "net/unix", "net/wireless", "net/xfrm_stat", "net/ip_vs", "net/ip_vs_stats", "net/ip_vs_stats_percpu", "net/nf_conntrack", "net/nf_conntrack_expect", "net/vlan/config", "net/vlan/vlan0", "net/vlan/vlan1", "net/kcm", "net/psched", "timerslack_ns"
# Read-only opens of global (non per-pid) procfs files; flags pinned to O_RDONLY.
openat$procfs(fd const[AT_FDCWD], file ptr[in, string[procfs_file]], flags const[O_RDONLY], mode const[0]) fd
# NOTE(review): "/proc/consoles" and "/proc/asound/seq/clients" are each listed twice.
procfs_file = "/proc/keys", "/proc/key-users", "/proc/crypto", "/proc/consoles", "/proc/cgroups", "/proc/zoneinfo", "/proc/vmstat", "/proc/vmallocinfo", "/proc/tty/drivers", "/proc/tty/ldiscs", "/proc/timer_list", "/proc/sysvipc/sem", "/proc/sysvipc/msg", "/proc/sysvipc/shm", "/proc/stat", "/proc/slabinfo", "/proc/schedstat", "/proc/partitions", "/proc/meminfo", "/proc/mdstat", "/proc/locks", "/proc/diskstats", "/proc/cpuinfo", "/proc/consoles", "/proc/bus/input/devices", "/proc/bus/input/handlers", "/proc/asound/seq/clients", "/proc/asound/seq/clients", "/proc/asound/seq/timer", "/proc/asound/timers"
# Dedicated fd resource for the Yama ptrace_scope knob, kept separate from the
# generic fd_sysctl so only yama_modes values are ever written to it.
resource fd_yama_ptrace_scope[fd]
# The value is the system-wide ptrace attach policy:
# 0 - YAMA_SCOPE_DISABLED (no Yama restrictions)
# 1 - YAMA_SCOPE_RELATIONAL
# 2 - YAMA_SCOPE_CAPABILITY
# 3 - YAMA_SCOPE_NO_ATTACH
yama_modes = "0", "1", "2", "3"
# Opened read/write; the write call below is the only producer of values.
openat$yama_ptrace_scope(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/kernel/yama/ptrace_scope"]], flags const[O_RDWR], mode const[0]) fd_yama_ptrace_scope
write$yama_ptrace_scope(fd fd_yama_ptrace_scope, data ptr[in, string[yama_modes]], count len[data])
# Write into some interesting sysctls and sysfs/procfs files.
# All of these are machine-global knobs (ksm, memory compaction, page-cache
# dropping, TCP options) except /proc/self/clear_refs, which is per-process.
resource fd_sysctl[fd]
openat$sysctl(fd const[AT_FDCWD], file ptr[in, string[sysctl_file]], flags const[O_WRONLY], mode const[0]) fd_sysctl
write$sysctl(fd fd_sysctl, val ptr[in, string[sysctl_value]], len len[val])
sysctl_file = "/sys/kernel/mm/ksm/run", "/proc/sys/vm/compact_memory", "/proc/sys/vm/drop_caches", "/proc/sys/net/ipv4/tcp_timestamps", "/proc/sys/net/ipv4/tcp_sack", "/proc/sys/net/ipv4/tcp_dsack", "/proc/sys/net/ipv4/tcp_window_scaling", "/proc/sys/net/ipv4/tcp_syncookies", "/proc/sys/net/ipv4/tcp_recovery", "/proc/sys/net/ipv4/tcp_mtu_probing", "/proc/sys/net/ipv4/tcp_rfc1337", "/proc/self/clear_refs"
# Most of these values are suitable for all sysctl_file files.
# Single ASCII digits only; the same value set is shared across every file above.
sysctl_value = "0", "1", "2", "3", "4", "5", "6", "7"
# Writing to this file triggers a khugepaged scan.
# We don't write small values because we only want the explicitly triggered scan,
# hence the single fixed value "1000000" below rather than the sysctl_value set.
resource fd_khugepaged_scan[fd]
openat$khugepaged_scan(fd const[AT_FDCWD], file ptr[in, string["/sys/kernel/mm/transparent_hugepage/khugepaged/scan_sleep_millisecs"]], flags const[O_WRONLY], mode const[0]) fd_khugepaged_scan
write$khugepaged_scan(fd fd_khugepaged_scan, val ptr[in, string["1000000"]], len len[val])
# System-wide default TCP congestion control algorithm, selected by name.
# Which names are accepted depends on the modules built into/loaded on the target.
resource fd_tcp_congestion[fd]
openat$tcp_congestion(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/net/ipv4/tcp_congestion_control"]], flags const[O_WRONLY], mode const[0]) fd_tcp_congestion
write$tcp_congestion(fd fd_tcp_congestion, val ptr[in, string[tcp_congestion]], len len[val])
tcp_congestion = "reno", "bbr", "bic", "cdg", "cubic", "dctcp", "westwood", "highspeed", "hybla", "htcp", "vegas", "nv", "veno", "scalable", "lp", "yeah", "illinois"
# TCP receive/send buffer limits (tcp_rmem/tcp_wmem), written as text.
resource fd_tcp_mem[fd]
openat$tcp_mem(fd const[AT_FDCWD], file ptr[in, string[tcp_mem_files]], flags const[O_WRONLY], mode const[0]) fd_tcp_mem
# len[val] covers the whole packed struct, including the trailing NUL byte.
write$tcp_mem(fd fd_tcp_mem, val ptr[in, tcp_mem_values], len len[val])
tcp_mem_files = "/proc/sys/net/ipv4/tcp_rmem", "/proc/sys/net/ipv4/tcp_wmem"
# Three octal-formatted integers separated by single spaces and NUL-terminated:
# "<v0> <v1> <v2>\0". [packed] keeps the separators adjacent to the numbers.
tcp_mem_values {
v0 fmt[oct, int64]
sp0 const[' ', int8]
v1 fmt[oct, int64]
sp1 const[' ', int8]
v2 fmt[oct, int64]
z const[0, int8]
} [packed]
# /proc/self/reclaim is ChromeOS-specific:
# https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4c3ad28b9c913%5E%21/
# On upstream kernels the open is expected to fail because the file does not exist.
resource fd_proc_reclaim[fd]
openat$proc_reclaim(fd const[AT_FDCWD], file ptr[in, string["/proc/self/reclaim"]], flags const[O_WRONLY], mode const[0]) fd_proc_reclaim
write$proc_reclaim(fd fd_proc_reclaim, val ptr[in, string[proc_reclaim_vals]], len len[val])
# Which page types to reclaim: file-backed, anonymous, or both.
proc_reclaim_vals = "file", "anon", "all"
# pidfd resource. Produced by opening /proc/self or /proc/thread-self, or by
# the syz_pidfd_open pseudo-syscall; the raw pidfd_open is disabled.
resource fd_pidfd[fd]
openat$pidfd(fd const[AT_FDCWD], file ptr[in, string["/proc/self"]], flags flags[open_flags], mode const[0]) fd_pidfd
openat$thread_pidfd(fd const[AT_FDCWD], file ptr[in, string["/proc/thread-self"]], flags flags[open_flags], mode const[0]) fd_pidfd
pidfd_send_signal(fd fd_pidfd, sig signalno, info ptr[in, siginfo], flags const[0])
# pidfd_open is dangerous (it takes an arbitrary pid), so we use syz_pidfd_open instead,
# which is restricted to pid resources.
pidfd_open(pid pid, flags const[0]) fd_pidfd (disabled)
syz_pidfd_open(pid pid, flags const[0]) fd_pidfd
# Duplicates an fd out of the pidfd's target process into the caller; the result is a generic fd.
pidfd_getfd(pidfd fd_pidfd, fd fd, flags const[0]) fd
# Closes the fd range [fd, max_fd]; both bounds are drawn from fd resources.
close_range(fd fd, max_fd fd, flags flags[close_range_flags])
# Uncomment at your own risk.
#syz_open_dev$char(dev const[0xc], major intptr, minor intptr) fd
#syz_open_dev$block(dev const[0xb], major intptr, minor intptr) fd
# /dev/console is known to cause problems on at least two different kernels.
# It can turn off all output or produce massive amounts of garbage on the console.
# Disabled for now.
#syz_open_dev$console(dev ptr[in, string["/dev/console"]], id const[0], flags flags[open_flags]) fd
# Typed resource for /dev/autofs; every other device below returns a generic fd.
resource fd_autofs[fd]
# These devices are relatively safe (they don't reboot and don't corrupt kernel memory).
# They need more comprehensive support, but let's at least open them for now;
# maybe the fuzzer will be able to screw them up in a useful way.
# TODO: all these devices returning just fd need proper interface descriptions.
# Opens are via openat$<name> for fixed paths and syz_open_dev$<name> for
# numbered devices, where '#' in the path is replaced by the id argument.
openat$vcs(fd const[AT_FDCWD], file ptr[in, string["/dev/vcs"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsn(dev ptr[in, string["/dev/vcs#"]], id intptr, flags flags[open_flags]) fd
openat$vcsa(fd const[AT_FDCWD], file ptr[in, string["/dev/vcsa"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsa(dev ptr[in, string["/dev/vcsa#"]], id intptr, flags flags[open_flags]) fd
openat$vcsu(fd const[AT_FDCWD], file ptr[in, string["/dev/vcsu"]], flags flags[open_flags], mode const[0]) fd
syz_open_dev$vcsu(dev ptr[in, string["/dev/vcsu#"]], id intptr, flags flags[open_flags]) fd
syz_open_dev$ircomm(dev ptr[in, string["/dev/ircomm#"]], id intptr, flags flags[open_flags]) fd
syz_open_dev$audion(dev ptr[in, string["/dev/audio#"]], id intptr, flags flags[open_flags]) fd
openat$null(fd const[AT_FDCWD], file ptr[in, string["/dev/null"]], flags flags[open_flags], mode const[0]) fd
openat$zero(fd const[AT_FDCWD], file ptr[in, string["/dev/zero"]], flags flags[open_flags], mode const[0]) fd
openat$full(fd const[AT_FDCWD], file ptr[in, string["/dev/full"]], flags flags[open_flags], mode const[0]) fd
openat$irnet(fd const[AT_FDCWD], file ptr[in, string["/dev/irnet"]], flags flags[open_flags], mode const[0]) fd
openat$hwrng(fd const[AT_FDCWD], file ptr[in, string["/dev/hwrng"]], flags flags[open_flags], mode const[0]) fd
openat$hpet(fd const[AT_FDCWD], file ptr[in, string["/dev/hpet"]], flags flags[open_flags], mode const[0]) fd
openat$autofs(fd const[AT_FDCWD], file ptr[in, string["/dev/autofs"]], flags flags[open_flags], mode const[0]) fd_autofs
openat$keychord(fd const[AT_FDCWD], file ptr[in, string["/dev/keychord"]], flags flags[open_flags], mode const[0]) fd
openat$zygote(fd const[AT_FDCWD], file ptr[in, string["/dev/socket/zygote"]], flags flags[open_flags], mode const[0]) fd
# Storage/filesystem control nodes; mostly root-only on a real system.
openat$pktcdvd(fd const[AT_FDCWD], file ptr[in, string["/dev/pktcdvd/control"]], flags flags[open_flags], mode const[0]) fd
openat$lightnvm(fd const[AT_FDCWD], file ptr[in, string["/dev/lightnvm/control"]], flags flags[open_flags], mode const[0]) fd
openat$xenevtchn(fd const[AT_FDCWD], file ptr[in, string["/dev/xen/evtchn"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_control(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm-control"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_monitor(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm-monitor"]], flags flags[open_flags], mode const[0]) fd
openat$dlm_plock(fd const[AT_FDCWD], file ptr[in, string["/dev/dlm_plock"]], flags flags[open_flags], mode const[0]) fd
openat$btrfs_control(fd const[AT_FDCWD], file ptr[in, string["/dev/btrfs-control"]], flags flags[open_flags], mode const[0]) fd
openat$ubi_ctrl(fd const[AT_FDCWD], file ptr[in, string["/dev/ubi_ctrl"]], flags flags[open_flags], mode const[0]) fd
openat$cachefiles(fd const[AT_FDCWD], file ptr[in, string["/dev/cachefiles"]], flags flags[open_flags], mode const[0]) fd
openat$ndctl0(fd const[AT_FDCWD], file ptr[in, string["/dev/ndctl0"]], flags flags[open_flags], mode const[0]) fd
openat$nmem0(fd const[AT_FDCWD], file ptr[in, string["/dev/nmem0"]], flags flags[open_flags], mode const[0]) fd
openat$nvram(fd const[AT_FDCWD], file ptr[in, string["/dev/nvram"]], flags flags[open_flags], mode const[0]) fd
openat$ocfs2_control(fd const[AT_FDCWD], file ptr[in, string["/dev/ocfs2_control"]], flags flags[open_flags], mode const[0]) fd
openat$nvme_fabrics(fd const[AT_FDCWD], file ptr[in, string["/dev/nvme-fabrics"]], flags flags[open_flags], mode const[0]) fd
openat$bsg(fd const[AT_FDCWD], file ptr[in, string["/dev/bsg"]], flags flags[open_flags], mode const[0]) fd
# Pair of fds as filled in by pipe-style calls: read end then write end.
pipefd {
rfd fd
wfd fd
}
# Generic iovec template: a pointer in direction DIR to T, plus its byte length.
# DIR is in/out/inout and is fixed by the two aliases below.
type iovec[DIR, T] {
addr ptr[DIR, T]
len len[addr, intptr]
}
type iovec_in iovec[in, array[int8]]
type iovec_out iovec[out, array[int8]]
# struct stat as seen by the stat family. Padding and unused fields are pinned
# to 0; uid/gid are typed resources so they can flow into other calls.
# NOTE(review): field widths use intptr/int32 and so follow the target word size.
stat {
st_dev intptr
st_ino intptr
st_mode int32
st_nlink int32
st_uid uid
st_gid gid
st_rdev intptr
__pad1 const[0, intptr]
st_size intptr
st_blksize int32
__pad2 const[0, int32]
st_blocks intptr
st_atime intptr
st_atime_nsec intptr
st_mtime intptr
st_mtime_nsec intptr
st_ctime intptr
st_ctime_nsec intptr
__unused4 const[0, int32]
__unused5 const[0, int32]
}
# struct statx output layout. Timestamps use statx_timestamp; the trailing
# __spare2 array is 14 x int64 of reserved space.
statx {
mask int32
blksize int32
attributes int64
nlink int32
uid uid
gid gid
mode int16
__spare0 int16
ino int64
size int64
blocks int64
__spare1 int64
atime statx_timestamp
btime statx_timestamp
ctime statx_timestamp
mtime statx_timestamp
rdev_major int32
rdev_minor int32
dev_major int32
dev_minor int32
__spare2 array[int64, 14]
}
# stat64 is treated as an opaque byte array whose size is taken from the
# target's struct stat64 at compile time rather than described field by field.
define STAT64_SIZE sizeof(struct stat64)
type stat64 array[int8, STAT64_SIZE]
# poll() entry: the fd of interest, requested events, and the kernel-filled
# revents (emitted as 0 since the kernel overwrites it).
pollfd {
fd fd
events flags[pollfd_events, int16]
revents const[0, int16]
}
# Signal mask as an array of _NSIG_WORDS machine words.
sigset_t {
mask array[intptr, _NSIG_WORDS]
}
# Pointer-plus-size pair for calls that take (sigset_t *, size) through one struct.
sigset_size {
ss ptr[inout, sigset_t]
len len[ss, intptr]
}
# Time components are resources so that values read from one call (e.g. clock_gettime)
# can be reused in later ones rather than being fully random.
resource time_sec[intptr]
resource time_nsec[intptr]
resource time_usec[intptr]
# prog knows about this struct type
timespec {
sec time_sec
nsec time_nsec
}
# prog knows about this struct type
timeval {
sec time_sec
usec time_usec
}
# statx timestamp: 64-bit seconds, 32-bit nanoseconds, 32-bit reserved.
statx_timestamp {
sec int64
nsec int32
__reserved int32
}
# Interval timer specs: interv is the reload period, value the initial expiry.
itimerspec {
interv timespec
value timespec
}
itimerval {
interv timeval
value timeval
}
# utime() access/modification times, in seconds.
utimbuf {
actime intptr
modtime intptr
}
# Asynchronous notification descriptor (timers, aio). The total size is pinned
# to the target's sizeof(struct sigevent) so the union tail is padded correctly.
sigevent {
val const[0, intptr]
signo signalno
notify flags[sigev_notify, int32]
u sigevent_u
} [size[SIGEVENT_SIZE]]
# Notification target: either a thread id or a thread-creation spec.
sigevent_u [
tid pid
thr sigevent_thread
]
define SIGEVENT_SIZE sizeof(struct sigevent)
sigevent_thread {
# NEED: this is a function pointer and a pthread_attr_t (?)
# Both are currently modelled as opaque input buffers.
func buffer[in]
attr buffer[in]
}
# capget/capset header: ABI version selector plus target pid.
cap_header {
var flags[cap_version, int32]
pid pid
}
# Two 32-bit capability words (effective/permitted/inheritable), covering
# the lower and upper halves of the capability set.
cap_data {
eff0 int32
perm0 int32
inher0 int32
eff1 int32
perm1 int32
inher1 int32
}
# epoll registration entry; data is emitted as 0 since it is opaque to the kernel.
epoll_event {
ev flags[epoll_ev, int32]
data const[0, int64]
# TODO: this is packed only on amd64
} [packed]
# TODO: fd_set needs to be a separate type
# Currently modelled as 8 fixed int64 mask words (512 bits) rather than a bitmap of fds.
fd_set {
mask0 int64
mask1 int64
mask2 int64
mask3 int64
mask4 int64
mask5 int64
mask6 int64
mask7 int64
}
# Classic BPF program as passed to socket filters and seccomp. len is the
# length of the filter array (instruction count, since len[] rather than
# bytesize[] is used), and the kernel validates the program on attach.
sock_fprog {
len len[filter, int16]
filter ptr[in, array[sock_filter]]
}
# One classic BPF instruction: opcode, true/false jump offsets, immediate.
sock_filter {
code int16
jt int8
jf int8
k int32
}
# struct file_handle for name_to_handle_at/open_by_handle_at. Each arm pairs a
# handle_type constant with the matching filesystem-specific fid layout; `raw`
# lets the fuzzer supply an arbitrary type/bytes pair. Variable-length because
# the fid payloads differ in size.
file_handle [
raw file_handle_raw
shmem file_handle_t[1, fid_shmem]
fuse file_handle_t[0x81, fid_fuse]
fuse_with_parent file_handle_t[0x82, fid_fuse_with_parent]
nfs file_handle_t[36, fid_nfs]
FILEID_INO32_GEN file_handle_t[FILEID_INO32_GEN, fid_FILEID_INO32_GEN]
FILEID_INO32_GEN_PARENT file_handle_t[FILEID_INO32_GEN_PARENT, fid_FILEID_INO32_GEN_PARENT]
FILEID_UDF_WITHOUT_PARENT file_handle_t[FILEID_UDF_WITHOUT_PARENT, fid_FILEID_UDF_WITHOUT_PARENT]
FILEID_UDF_WITH_PARENT file_handle_t[FILEID_UDF_WITH_PARENT, fid_FILEID_UDF_WITH_PARENT]
# NOTE(review): the three btrfs arms and ceph_nfs_snapfh all use the
# FILEID_BTRFS_WITH_PARENT type constant, so they encode the same handle_type;
# verify the *_ROOT and *_WITHOUT_PARENT arms were not meant to use their own constants.
FILEID_BTRFS_WITH_PARENT file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
FILEID_BTRFS_WITH_PARENT_ROOT file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
FILEID_BTRFS_WITHOUT_PARENT file_handle_t[FILEID_BTRFS_WITH_PARENT, btrfs_fid]
ceph_nfs_snapfh file_handle_t[FILEID_BTRFS_WITH_PARENT, ceph_nfs_snapfh]
ceph_nfs_fh file_handle_t[FILEID_INO32_GEN, ceph_nfs_fh]
ceph_nfs_confh file_handle_t[FILEID_INO32_GEN_PARENT, ceph_nfs_confh]
GFS2_SMALL_FH_SIZE file_handle_t[GFS2_SMALL_FH_SIZE, fid_GFS2_SMALL_FH_SIZE]
GFS2_LARGE_FH_SIZE file_handle_t[GFS2_LARGE_FH_SIZE, fid_GFS2_LARGE_FH_SIZE]
OVL_FILEID_V0 file_handle_t[OVL_FILEID_V0, ovl_fb]
OVL_FILEID_V1 file_handle_t[OVL_FILEID_V1, ovl_fh]
FILEID_NILFS_WITHOUT_PARENT file_handle_t[FILEID_NILFS_WITHOUT_PARENT, nilfs_fid]
FILEID_NILFS_WITH_PARENT file_handle_t[FILEID_NILFS_WITH_PARENT, nilfs_fid]
# Filesystems whose type ids are small literal numbers rather than named constants.
reiserfs_2 file_handle_t[2, fid_reiserfs_2]
reiserfs_3 file_handle_t[3, fid_reiserfs_3]
reiserfs_4 file_handle_t[4, fid_reiserfs_4]
reiserfs_5 file_handle_t[5, fid_reiserfs_5]
reiserfs_6 file_handle_t[6, fid_reiserfs_6]
xfs file_handle_t[0x81, xfs_fid64]
xfs_parent file_handle_t[0x82, xfs_fid64]
orangefs file_handle_t[1, fid_orangefs]
orangefs_parent file_handle_t[2, fid_orangefs_parent]
isofs file_handle_t[1, isofs_fid]
isofs_parent file_handle_t[2, isofs_fid]
ocfs2 file_handle_t[1, fid_ocfs2]
ocfs2_parent file_handle_t[2, fid_ocfs2_parent]
] [varlen]
# Untyped handle: any fid_type value with an arbitrary 32-bit-aligned payload.
# handle_bytes is always derived from the payload so the header stays consistent.
file_handle_raw {
handle_bytes bytesize[f_handle, int32]
handle_type flags[fid_type, int32]
f_handle align32[array[int8]]
}
# Typed handle template: handle_type is fixed to TYPE and the payload is the FID struct.
type file_handle_t[TYPE, FID] {
handle_bytes bytesize[f_handle, int32]
handle_type const[TYPE, int32]
f_handle FID
}
# Filesystem-specific handle payloads (the f_handle part of file_handle_t).
# Variants with a parent embed the base layout and append the parent's identifiers.
# [packed] is applied where the kernel layout has no padding between fields.
fid_shmem {
gen int32
ino int64
} [packed]
fid_fuse {
nodeid_hi int32
nodeid_lo int32
generation int32
}
fid_fuse_with_parent {
base fid_fuse
parent_fid fid_fuse
} [packed]
fid_FILEID_INO32_GEN {
ino int32
gen int32
}
fid_FILEID_INO32_GEN_PARENT {
base fid_FILEID_INO32_GEN
parent_ino int32
parent_gen int32
}
fid_FILEID_UDF_WITHOUT_PARENT {
block int32
partref int16
parent_partref int16
generation int32
}
fid_FILEID_UDF_WITH_PARENT {
base fid_FILEID_UDF_WITHOUT_PARENT
parent_block int32
parent_generation int32
}
btrfs_fid {
objectid int64
root_objectid int64
gen int32
parent_objectid int64