文本文件  |  682行  |  12.18 KB

# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Syscalls used in syzkaller tests.

test()

# Integer types.

test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64)

# Opt arguments

test$opt0(a0 intptr[opt])
test$opt1(a0 ptr[in, intptr, opt])
test$opt2(a0 vma[opt])
test$opt3(a0 proc[100, 4, opt])

# Alignment and padding

test$align0(a0 ptr[in, syz_align0])
test$align1(a0 ptr[in, syz_align1])
test$align2(a0 ptr[in, syz_align2])
test$align3(a0 ptr[in, syz_align3])
test$align4(a0 ptr[in, syz_align4])
test$align5(a0 ptr[in, syz_align5])
test$align6(a0 ptr[in, syz_align6])
test$align7(a0 ptr[in, syz_align7])

syz_align0 {
	f0	int16
	f1	int32
	f2	int8
	f3	int16
	f4	int64
}

syz_align1 {
	f0	int16
	f1	int32
	f2	int8
	f3	int16
	f4	int64
} [packed]

syz_align2_packed {
	f0	array[int16, 1]
} [packed]

syz_align2_not_packed {
	f0	array[int16, 1]
}

syz_align2 {
	f0	int8
	f1	syz_align2_packed
	f2	syz_align2_not_packed
}

syz_align3_noalign {
	f0	int8
}

syz_align3_align4 {
	f0	int8
} [align_4]

syz_align3 {
	f0	int8
	f1	syz_align3_noalign
	f2	syz_align3_align4
}

syz_align4_internal {
	f0	int8
	f1	int16
} [packed, align_4]

syz_align4 {
	f0	syz_align4_internal
	f1	int8
}

syz_align5_internal {
	f0	int64
	f1	array[int16, 0:3]
}

syz_align5 {
	f0	syz_align5_internal
	f1	syz_align5_internal
	f2	int8
} [packed]

syz_align6 {
	f0	int8
	f1	array[int32]
}

syz_align7 {
	f0	syz_align8
	f1	int8
}

syz_align8 {
	f0	int8:1
	f1	int8:1
	f2	int8:1
	f3	int16:1
	f4	int16:1
	f5	int16:1
} [packed, align_8]

# Structs

test$struct(a0 ptr[in, syz_struct0])

syz_struct0 {
	f0	int64
	f1	syz_struct1
}

syz_struct1 {
	f0	int8
}

# Unions

test$union0(a0 ptr[in, syz_union0_struct])
test$union1(a0 ptr[in, syz_union1_struct])
test$union2(a0 ptr[in, syz_union2_struct])

syz_union0 [
	f0	int64
	f1	array[int64, 10]
	f2	int8
]

syz_union0_struct {
	f	int64
	u	syz_union0
}

syz_union1 [
	f0	int64
	f1	int32
]

syz_union1_struct {
	f0	syz_union1
	f1	int8
} [packed]

syz_union2 [
	f0	int64
	f1	int32
] [varlen]

syz_union2_struct {
	f0	syz_union2
	f1	int8
} [packed]

syz_union3 [
	f0	int32
]

union_arg [
	f1	int8
	f2	int64
	f3	ptr[in, int32]
	f4	fd
	f5	const[1, intptr]
	f6	flags[syz_length_flags, int32]
	f7	proc[0, 1, int16]
]

test$syz_union3(a0 ptr[in, syz_union3])
test$syz_union4(a0 union_arg)

# Arrays

test$array0(a0 ptr[in, syz_array_struct])
test$array1(a0 ptr[in, syz_array_trailing])
test$array2(a0 ptr[in, syz_array_blob])

# Struct with a variable-length array or variable-length unions.
syz_array_struct {
	f0	int8
	f1	array[syz_array_union, 1:2]
	f2	int64
} [packed]

syz_array_union [
	f0	int16
	f1	int64
] [varlen]

syz_array_trailing {
	f0	int8
	f1	array[int8, 4:8]
}

syz_array_blob {
	f0	int16
	f1	array[int8, 16]
	f2	int16
}

# Length

test$length0(a0 ptr[in, syz_length_int_struct])
test$length1(a0 ptr[in, syz_length_const_struct])
test$length2(a0 ptr[in, syz_length_flags_struct])
test$length3(a0 ptr[in, syz_length_len_struct])
test$length4(a0 ptr[in, syz_length_len2_struct])
test$length5(a0 ptr[in, syz_length_parent_struct])
test$length6(a0 ptr[in, syz_length_array_struct])
test$length7(a0 ptr[in, syz_length_array2_struct])
test$length8(a0 ptr[in, syz_length_complex_struct])
test$length9(a0 ptr[in, syz_length_vma_struct])

test$length10(a0 vma, a1 len[a0], a2 bytesize[a0], a3 bytesize2[a0], a4 bytesize4[a0])
test$length11(a0 ptr[in, syz_length_large_struct], a1 len[a0])
test$length12(a0 ptr[in, syz_length_large_struct, opt], a1 len[a0])
test$length13(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64]])
test$length14(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64], opt])
test$length15(a0 int16, a1 len[a0])

test$length16(a0 ptr[in, syz_length_bytesize_struct])
test$length17(a0 ptr[in, syz_length_bytesize2_struct])
test$length18(a0 ptr[in, syz_length_bytesize3_struct])
test$length19(a0 ptr[in, syz_length_bf_struct])

test$length20(a0 ptr[in, syz_length_parent2_struct])
test$length21(a0 ptr[in, int64], a1 bitsize[a0])
test$length22(a0 ptr[in, array[int8]], a1 bitsize[a0])

syz_length_flags = 0, 1

syz_length_int_struct {
	f0	int16
	f1	len[f0, int16]
}

syz_length_const_struct {
	f0	const[0, int32]
	f1	len[f0, int32]
}

syz_length_flags_struct {
	f0	flags[syz_length_flags, int64]
	f1	len[f0, int64]
}

syz_length_len_struct {
	f0	int32
	f1	len[f0, int16]
	f2	len[f1, int16]
}

syz_length_len2_struct {
	f0	len[f1, int16]
	f1	len[f0, int16]
}

syz_length_parent_struct {
	f0	int16
	f1	len[parent, int16]
}

syz_length_array_struct {
	f0	array[int16, 4]
	f1	len[f0, int16]
}

syz_length_array2_struct {
	f0	array[int16, 4]
	f1	bytesize[f0, int16]
}

syz_length_complex_inner_struct {
	f0	int8
	f1	len[f0, int8]
	f2	len[parent, int16]
	f3	array[int32, 3]
}

syz_length_complex_struct {
	f0	len[parent, int64]
	f1	syz_length_complex_inner_struct
	f2	array[syz_length_complex_inner_struct, 1]
	f3	len[f1, int32]
	f4	len[f2, int16]
	f5	array[int16]
}

syz_length_vma_struct {
	f0	vma
	f1	len[f0, int64]
}

syz_length_large_struct {
	f0	int64
	f1	int64
	f2	array[int32, 8]
}

syz_length_bytesize_struct {
	f0	array[int64, 2]
	f1	len[f0, int8]
	f2	bytesize[f0, int8]
	f3	bytesize2[f0, int8]
	f4	bytesize4[f0, int8]
	f5	bytesize8[f0, int8]
}

syz_length_bytesize2_struct {
	f0	int64
	f1	bytesize[f0, int8]
	f2	bytesize2[f0, int8]
	f3	bytesize4[f0, int8]
	f4	bytesize8[f0, int8]
}

syz_length_bytesize3_struct {
	f0	int32
	f1	bytesize[parent, int8]
	f2	bytesize2[parent, int8]
	f3	bytesize4[parent, int8]
	f4	bytesize8[parent, int8]
}

syz_length_bf_struct_inner {
	f0	int32:10
	f1	int32:10
	f2	int32:10
	f3	int32:32
	f4	int32:16
	f5	int32:16
	f6	int32:10
	f7	len[parent, int32]
}

syz_length_bf_struct {
	f0	syz_length_bf_struct_inner
	f1	len[f0, int8]
	f2	bytesize[f0, int8]
	f3	bytesize4[f0, int8]
}

syz_length_parent2_struct_inner_inner {
	f1	len[parent, int8]
	f2	len[syz_length_parent2_struct_inner_inner, int8]
	f3	len[syz_length_parent2_struct_inner, int8]
	f4	len[syz_length_parent2_struct, int8]
}

syz_length_parent2_struct_inner {
	f0	syz_length_parent2_struct_inner_inner
	f1	len[parent, int8]
	f2	len[syz_length_parent2_struct_inner, int8]
	f3	len[syz_length_parent2_struct, int8]
}

syz_length_parent2_struct {
	f0	syz_length_parent2_struct_inner
	f1	len[parent, int8]
	f2	len[syz_length_parent2_struct, int8]
}

type len_templ1[DATA1, DATA2] {
	data	DATA1
	inner	len_temp2[DATA2]
}

type len_temp2[DATA] {
	data	DATA
	len	len[len_templ1, int8]
}

test$length23(a ptr[in, len_templ1[int8, int16]])

type len_temp3[DATA] {
	f1	DATA
	f2	len_nontemp4
}

len_nontemp4 {
	f1	len[len_temp3, int32]
}

len_nontemp5 {
	f1	len_temp3[int8]
	f2	len_temp3[int64]
}

len_unaligned {
	f1	int32
	f2	int8
}

explicitly_sized {
	f1	int8
} [size[42]]

explicitly_sized_union [
	f1	int8
] [size[42]]

static_filename {
	f1	string[filename, 10]
	f2	string[filename, 20]
	f3	bytesize[f1, int8]
	f4	bytesize[f2, int8]
	f5	bytesize[parent, int8]
}

test$length24(a ptr[in, len_nontemp5])
test$length25(a0 ptr[in, array[array[int8]]], a1 len[a0])
test$length26(a ptr[in, len_unaligned], b bytesize[a])
test$length27(a0 ptr[in, explicitly_sized], a1 len[a0])
test$length28(a0 ptr[in, explicitly_sized_union], a1 len[a0])
test$length29(a ptr[in, static_filename])

# Big endian

test$end0(a0 ptr[in, syz_end_int_struct])
test$end1(a0 ptr[in, syz_end_var_struct])

syz_end_flags = 0, 1

syz_end_int_struct {
	f0	int8
	f1	int16be
	f2	int32be
	f3	int64be
} [packed]

syz_end_var_struct {
	f0	len[parent, int16be]
	f1	const[0x42, int32be]
	f2	flags[syz_end_flags, int64be]
} [packed]

# Vma type

test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2])

# Text type

test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0])
test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0])
test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0])
test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0])

# Regression tests

test$regression0(a0 ptr[inout, syz_regression0_struct])

syz_regression0_struct {
	f0	buffer[out]
}

test$regression1(a1 ptr[in, array[syz_regression1_struct]])

syz_regression1_struct {
	f0	array[int8, 4]
}

test$regression2(a1 ptr[in, array[int32, 4]])

excessive_fields {
	f1	int8
}

type_confusion [
	f1	int8
]

test$excessive_args1()
test$excessive_args2(a1 int8)
test$excessive_fields1(a1 ptr[in, excessive_fields])
test$type_confusion1(a1 ptr[in, type_confusion])

# Bitfields

syz_bf_flags = 0, 1, 2

syz_bf_struct0 {
	f0	flags[syz_bf_flags, int16:10]
	f1	int64
	f2	const[0x42, int16:5]
	f3	int16:6
	f4	const[0x42, int32:15]
	f5	len[parent, int16:11]
	f6	len[parent, int16be:11]
	f7	int8
}

syz_bf_struct1_internal {
	f0	int32:10
	f1	int32:10
	f2	int32:10
}

syz_bf_struct1 {
	f0	syz_bf_struct1_internal
	f1	int8
}

test$bf0(a0 ptr[in, syz_bf_struct0])
test$bf1(a0 ptr[in, syz_bf_struct1])

# Checksums

test$csum_encode(a0 ptr[in, syz_csum_encode])
test$csum_ipv4(a0 ptr[in, syz_csum_ipv4_header])
test$csum_ipv4_tcp(a0 ptr[in, syz_csum_ipv4_tcp_packet])
test$csum_ipv6_tcp(a0 ptr[in, syz_csum_ipv6_tcp_packet])
test$csum_ipv4_udp(a0 ptr[in, syz_csum_ipv4_udp_packet])
test$csum_ipv6_udp(a0 ptr[in, syz_csum_ipv6_udp_packet])
test$csum_ipv6_icmp(a0 ptr[in, syz_csum_ipv6_icmp_packet])

syz_csum_encode {
	f0	int16
	f1	int16be
	f2	array[int32, 0:4]
	f3	int8:4
	f4	int8:4
	f5	array[int8, 4]
} [packed]

syz_csum_ipv4_header {
	csum	csum[parent, inet, int16]
	src_ip	int32be
	dst_ip	int32be
} [packed]

syz_csum_tcp_header {
	csum	csum[syz_csum_tcp_packet, pseudo, IPPROTO_TCP, int16]
} [packed]

syz_csum_tcp_packet {
	header	syz_csum_tcp_header
	payload	array[int8]
} [packed]

syz_csum_ipv4_tcp_packet {
	header	syz_csum_ipv4_header
	payload	syz_csum_tcp_packet
} [packed]

syz_csum_ipv6_header {
	src_ip	array[int8, 16]
	dst_ip	array[int8, 16]
} [packed]

syz_csum_ipv6_tcp_packet {
	header	syz_csum_ipv6_header
	payload	syz_csum_tcp_packet
} [packed]

syz_csum_udp_packet {
	csum	csum[parent, pseudo, IPPROTO_UDP, int16]
	payload	array[int8]
} [packed]

syz_csum_ipv4_udp_packet {
	header	syz_csum_ipv4_header
	payload	syz_csum_udp_packet
} [packed]

syz_csum_ipv6_udp_packet {
	header	syz_csum_ipv6_header
	payload	syz_csum_udp_packet
} [packed]

syz_csum_icmp_packet {
	csum	csum[parent, pseudo, IPPROTO_ICMPV6, int16]
	payload	array[int8]
} [packed]

syz_csum_ipv6_icmp_packet {
	header	syz_csum_ipv6_header
	payload	syz_csum_icmp_packet
} [packed]

# Recursion

syz_recur_0 {
	a0	ptr[in, syz_recur_0, opt]
}

syz_recur_1 {
	a0	ptr[in, syz_recur_1, opt]
	a1	ptr[in, syz_recur_2, opt]
}

syz_recur_2_0 {
	a0	ptr[in, syz_recur_2_0, opt]
	a1	ptr[in, syz_recur_2_0, opt]
	a2	ptr[in, syz_recur_2_0, opt]
	a3	ptr[in, syz_recur_2_0, opt]
}

syz_recur_2 {
	a0	ptr[in, syz_recur_0, opt]
	a1	ptr[in, syz_recur_1, opt]
	a2	ptr[in, syz_recur_2_0, opt]
	a3	ptr[in, syz_recur_2_0, opt]
	a4	ptr[in, syz_recur_2, opt]
	a5	ptr[in, syz_recur_2, opt]
}

test$recur0(a0 ptr[inout, syz_recur_0])
test$recur1(a0 ptr[inout, syz_recur_1])
test$recur2(a0 ptr[inout, syz_recur_2])

# Resources.

resource fd[int32]: 0xffffffffffffffff
resource syz_res[int32]: 0xffff

test$res0() syz_res
test$res1(a0 syz_res)
test$res2() fd

# ONLY_32BITS_CONST const is not present on all arches.
# Ensure that it does not break build.

resource syz_missing_const_res[int32]: ONLY_32BITS_CONST

test$missing_resource() syz_missing_const_res
test$missing_struct(a ptr[in, syz_use_missing])

syz_missing_const_struct {
	a0	const[ONLY_32BITS_CONST, int32]
}

syz_use_missing {
	a0	syz_missing_const_res
	a1	syz_missing_const_struct
}

# Hints tests.

test$hint_data(a0 ptr[in, array[int8]])

# Mutation tests.

mutate0()
mutate1()
mutate2()
mutate3(vec ptr[in, array[int32[0:1]]], vlen len[vec])
mutate4(data ptr[in, array[int8]], size bytesize[data])
mutate5(filename ptr[in, filename], flags flags[open_flags]) fd
mutate6(fd fd, data ptr[in, array[int8]], size bytesize[data])
mutate7(a0 ptr[in, string], a1 len[a0])
mutate8(a0 proc[100, 4, opt])

open_flags = 0xabababababababab, 0xcdcdcdcdcdcdcdcd

# Serialization tests.

serialize0(a ptr[in, serialize0_struct])
serialize1(a ptr[out, array[int8]], b len[a])

serialize0_struct {
	a	string[serialize_strings, 10]
	b	string[serialize_strings, 5]
}

serialize_strings = "aaa", "bbb"

# Unsupported syscalls due to resources.

resource unsupported[int32]

unsupported$0(a unsupported) unsupported
unsupported$1(a unsupported) unsupported