sys/linux: add syzkaller defintions to fuzz ublk driver#7039
sys/linux: add syzkaller defintions to fuzz ublk driver#7039tejavojjala wants to merge 11 commits intogoogle:masterfrom
Conversation
tejavojjala
force-pushed
the
google-ublk
branch
5 times, most recently
from
8f35a37 to
a6e1b67
Compare
| "syz_io_uring_submit": alwaysSupported, | ||
| "syz_io_uring_complete": alwaysSupported, | ||
| "syz_ublk_setup_io_uring": linuxCheckUblkSupported, | ||
| "syz_ublk_add_dev": linuxCheckUblkSupported, |
There was a problem hiding this comment.
Since these depend on fd_ublk_ctrl and fd_ublk_ctrl is only obtained by opening /dev/ublk-control, I think you might not need these code changes. Syzkaller will automatically determine that fd_ublk_ctrl cannot be created and should disable all syscalls that depend on it.
See e.g. https://github.com/google/syzkaller/blob/master/pkg/vminfo/syscalls.go#L194
There was a problem hiding this comment.
When I don't add these, I see this panic error when running syzkaller
Do you happen to know how to resolve that
|
|
||
| #if SYZ_EXECUTOR || __NR_syz_ublk_setup_io_uring || __NR_syz_ublk_setup_queues | ||
|
|
||
| static long syz_ublk_setup_io_uring(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) |
There was a problem hiding this comment.
Maybe this one could also be a syzlang description? Compared to other new pseudo syscalls, syz_ublk_setup_io_uring seems to do little on top of the already existing syz_io_uring_setup.
There was a problem hiding this comment.
Sorry, didn't get what you mean by that
tejavojjala
force-pushed
the
google-ublk
branch
3 times, most recently
from
1d16e62 to
0986cc0
Compare
|
@tejavojjala I don't believe you're in the contributors file, please sign the Google CLA if you haven't already, and add your name to the file as a first commit |
tejavojjala
force-pushed
the
google-ublk
branch
from
0986cc0 to
878aa8e
Compare
Missed it. Done. |
The existing io_uring_sqe type only 64 bytes of data. For ioring_op_uring_cmds, 128 bytes are used to support 80 bytes of uring cmd data
ublk needs IORING_SETUP_SQE128 | IORING_SETUP_CQE32 to work Without this, the cmds would just fail and fuzzer wastes time
All ublk ctrl commands operate on a particular device. Instead of submitting control commands with random device ids using syz_io_uring_submit, its better to record the ublk dev id as a resource using a custom syzcall. This also lets us capture the fuzzer generated dev info which we can use in subsequent syzcalls
I added customer syzcalls to initialize queues and process IO on it The queue initialization complex is pretty complex and it would be very hard for the fuzzer to get it right due to the mmap setup and submitting and SQE with appropriate details for every slot in queue to indicate ublk readiness of the queue Also, we need to provide a custom syscall to process io on queue. Once cqe is advanced, we need to send a response back to make progress It can be hard for fuzzer to figure out the flow by itself
tejavojjala
force-pushed
the
google-ublk
branch
from
878aa8e to
ca02db5
Compare
3 participants
No description provided.