# Copyright 2015 syzkaller project authors. All rights reserved. # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. # Syscalls used in syzkaller tests. test() # Integer types. test$int(a0 intptr, a1 int8, a2 int16, a3 int32, a4 int64) # Opt arguments test$opt0(a0 intptr[opt]) test$opt1(a0 ptr[in, intptr, opt]) test$opt2(a0 vma[opt]) test$opt3(a0 proc[100, 4, opt]) # Alignment and padding test$align0(a0 ptr[in, syz_align0]) test$align1(a0 ptr[in, syz_align1]) test$align2(a0 ptr[in, syz_align2]) test$align3(a0 ptr[in, syz_align3]) test$align4(a0 ptr[in, syz_align4]) test$align5(a0 ptr[in, syz_align5]) test$align6(a0 ptr[in, syz_align6]) test$align7(a0 ptr[in, syz_align7]) syz_align0 { f0 int16 f1 int32 f2 int8 f3 int16 f4 int64 } syz_align1 { f0 int16 f1 int32 f2 int8 f3 int16 f4 int64 } [packed] syz_align2_packed { f0 array[int16, 1] } [packed] syz_align2_not_packed { f0 array[int16, 1] } syz_align2 { f0 int8 f1 syz_align2_packed f2 syz_align2_not_packed } syz_align3_noalign { f0 int8 } syz_align3_align4 { f0 int8 } [align_4] syz_align3 { f0 int8 f1 syz_align3_noalign f2 syz_align3_align4 } syz_align4_internal { f0 int8 f1 int16 } [packed, align_4] syz_align4 { f0 syz_align4_internal f1 int8 } syz_align5_internal { f0 int64 f1 array[int16, 0:3] } syz_align5 { f0 syz_align5_internal f1 syz_align5_internal f2 int8 } [packed] syz_align6 { f0 int8 f1 array[int32] } syz_align7 { f0 syz_align8 f1 int8 } syz_align8 { f0 int8:1 f1 int8:1 f2 int8:1 f3 int16:1 f4 int16:1 f5 int16:1 } [packed, align_8] # Structs test$struct(a0 ptr[in, syz_struct0]) syz_struct0 { f0 int64 f1 syz_struct1 } syz_struct1 { f0 int8 } # Unions test$union0(a0 ptr[in, syz_union0_struct]) test$union1(a0 ptr[in, syz_union1_struct]) test$union2(a0 ptr[in, syz_union2_struct]) syz_union0 [ f0 int64 f1 array[int64, 10] f2 int8 ] syz_union0_struct { f int64 u syz_union0 } syz_union1 [ f0 int64 f1 int32 ] syz_union1_struct { f0 syz_union1 f1 int8 } [packed] syz_union2 [ f0 int64 f1 int32 ] [varlen] syz_union2_struct { f0 syz_union2 f1 int8 } [packed] syz_union3 [ f0 int32 ] union_arg [ f1 int8 f2 int64 f3 ptr[in, int32] f4 fd f5 const[1, intptr] f6 flags[syz_length_flags, int32] f7 proc[0, 1, int16] ] test$syz_union3(a0 ptr[in, syz_union3]) test$syz_union4(a0 union_arg) # Arrays test$array0(a0 ptr[in, syz_array_struct]) test$array1(a0 ptr[in, syz_array_trailing]) test$array2(a0 ptr[in, syz_array_blob]) # Struct with a variable-length array or variable-length unions. syz_array_struct { f0 int8 f1 array[syz_array_union, 1:2] f2 int64 } [packed] syz_array_union [ f0 int16 f1 int64 ] [varlen] syz_array_trailing { f0 int8 f1 array[int8, 4:8] } syz_array_blob { f0 int16 f1 array[int8, 16] f2 int16 } # Length test$length0(a0 ptr[in, syz_length_int_struct]) test$length1(a0 ptr[in, syz_length_const_struct]) test$length2(a0 ptr[in, syz_length_flags_struct]) test$length3(a0 ptr[in, syz_length_len_struct]) test$length4(a0 ptr[in, syz_length_len2_struct]) test$length5(a0 ptr[in, syz_length_parent_struct]) test$length6(a0 ptr[in, syz_length_array_struct]) test$length7(a0 ptr[in, syz_length_array2_struct]) test$length8(a0 ptr[in, syz_length_complex_struct]) test$length9(a0 ptr[in, syz_length_vma_struct]) test$length10(a0 vma, a1 len[a0], a2 bytesize[a0], a3 bytesize2[a0], a4 bytesize4[a0]) test$length11(a0 ptr[in, syz_length_large_struct], a1 len[a0]) test$length12(a0 ptr[in, syz_length_large_struct, opt], a1 len[a0]) test$length13(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64]]) test$length14(a0 ptr[inout, syz_length_large_struct], a1 ptr[inout, len[a0, int64], opt]) test$length15(a0 int16, a1 len[a0]) test$length16(a0 ptr[in, syz_length_bytesize_struct]) test$length17(a0 ptr[in, syz_length_bytesize2_struct]) test$length18(a0 ptr[in, syz_length_bytesize3_struct]) test$length19(a0 ptr[in, syz_length_bf_struct]) test$length20(a0 ptr[in, syz_length_parent2_struct]) test$length21(a0 ptr[in, int64], a1 bitsize[a0]) test$length22(a0 ptr[in, array[int8]], a1 bitsize[a0]) syz_length_flags = 0, 1 syz_length_int_struct { f0 int16 f1 len[f0, int16] } syz_length_const_struct { f0 const[0, int32] f1 len[f0, int32] } syz_length_flags_struct { f0 flags[syz_length_flags, int64] f1 len[f0, int64] } syz_length_len_struct { f0 int32 f1 len[f0, int16] f2 len[f1, int16] } syz_length_len2_struct { f0 len[f1, int16] f1 len[f0, int16] } syz_length_parent_struct { f0 int16 f1 len[parent, int16] } syz_length_array_struct { f0 array[int16, 4] f1 len[f0, int16] } syz_length_array2_struct { f0 array[int16, 4] f1 bytesize[f0, int16] } syz_length_complex_inner_struct { f0 int8 f1 len[f0, int8] f2 len[parent, int16] f3 array[int32, 3] } syz_length_complex_struct { f0 len[parent, int64] f1 syz_length_complex_inner_struct f2 array[syz_length_complex_inner_struct, 1] f3 len[f1, int32] f4 len[f2, int16] f5 array[int16] } syz_length_vma_struct { f0 vma f1 len[f0, int64] } syz_length_large_struct { f0 int64 f1 int64 f2 array[int32, 8] } syz_length_bytesize_struct { f0 array[int64, 2] f1 len[f0, int8] f2 bytesize[f0, int8] f3 bytesize2[f0, int8] f4 bytesize4[f0, int8] f5 bytesize8[f0, int8] } syz_length_bytesize2_struct { f0 int64 f1 bytesize[f0, int8] f2 bytesize2[f0, int8] f3 bytesize4[f0, int8] f4 bytesize8[f0, int8] } syz_length_bytesize3_struct { f0 int32 f1 bytesize[parent, int8] f2 bytesize2[parent, int8] f3 bytesize4[parent, int8] f4 bytesize8[parent, int8] } syz_length_bf_struct_inner { f0 int32:10 f1 int32:10 f2 int32:10 f3 int32:32 f4 int32:16 f5 int32:16 f6 int32:10 f7 len[parent, int32] } syz_length_bf_struct { f0 syz_length_bf_struct_inner f1 len[f0, int8] f2 bytesize[f0, int8] f3 bytesize4[f0, int8] } syz_length_parent2_struct_inner_inner { f1 len[parent, int8] f2 len[syz_length_parent2_struct_inner_inner, int8] f3 len[syz_length_parent2_struct_inner, int8] f4 len[syz_length_parent2_struct, int8] } syz_length_parent2_struct_inner { f0 syz_length_parent2_struct_inner_inner f1 len[parent, int8] f2 len[syz_length_parent2_struct_inner, int8] f3 len[syz_length_parent2_struct, int8] } syz_length_parent2_struct { f0 syz_length_parent2_struct_inner f1 len[parent, int8] f2 len[syz_length_parent2_struct, int8] } type len_templ1[DATA1, DATA2] { data DATA1 inner len_temp2[DATA2] } type len_temp2[DATA] { data DATA len len[len_templ1, int8] } test$length23(a ptr[in, len_templ1[int8, int16]]) type len_temp3[DATA] { f1 DATA f2 len_nontemp4 } len_nontemp4 { f1 len[len_temp3, int32] } len_nontemp5 { f1 len_temp3[int8] f2 len_temp3[int64] } len_unaligned { f1 int32 f2 int8 } explicitly_sized { f1 int8 } [size[42]] explicitly_sized_union [ f1 int8 ] [size[42]] static_filename { f1 string[filename, 10] f2 string[filename, 20] f3 bytesize[f1, int8] f4 bytesize[f2, int8] f5 bytesize[parent, int8] } test$length24(a ptr[in, len_nontemp5]) test$length25(a0 ptr[in, array[array[int8]]], a1 len[a0]) test$length26(a ptr[in, len_unaligned], b bytesize[a]) test$length27(a0 ptr[in, explicitly_sized], a1 len[a0]) test$length28(a0 ptr[in, explicitly_sized_union], a1 len[a0]) test$length29(a ptr[in, static_filename]) # Big endian test$end0(a0 ptr[in, syz_end_int_struct]) test$end1(a0 ptr[in, syz_end_var_struct]) syz_end_flags = 0, 1 syz_end_int_struct { f0 int8 f1 int16be f2 int32be f3 int64be } [packed] syz_end_var_struct { f0 len[parent, int16be] f1 const[0x42, int32be] f2 flags[syz_end_flags, int64be] } [packed] # Vma type test$vma0(v0 vma, l0 len[v0], v1 vma[5], l1 len[v1], v2 vma[7:9], l2 len[v2]) # Text type test$text_x86_real(a0 ptr[in, text[x86_real]], a1 len[a0]) test$text_x86_16(a0 ptr[in, text[x86_16]], a1 len[a0]) test$text_x86_32(a0 ptr[in, text[x86_32]], a1 len[a0]) test$text_x86_64(a0 ptr[in, text[x86_64]], a1 len[a0]) # Regression tests test$regression0(a0 ptr[inout, syz_regression0_struct]) syz_regression0_struct { f0 buffer[out] } test$regression1(a1 ptr[in, array[syz_regression1_struct]]) syz_regression1_struct { f0 array[int8, 4] } test$regression2(a1 ptr[in, array[int32, 4]]) excessive_fields { f1 int8 } type_confusion [ f1 int8 ] test$excessive_args1() test$excessive_args2(a1 int8) test$excessive_fields1(a1 ptr[in, excessive_fields]) test$type_confusion1(a1 ptr[in, type_confusion]) # Bitfields syz_bf_flags = 0, 1, 2 syz_bf_struct0 { f0 flags[syz_bf_flags, int16:10] f1 int64 f2 const[0x42, int16:5] f3 int16:6 f4 const[0x42, int32:15] f5 len[parent, int16:11] f6 len[parent, int16be:11] f7 int8 } syz_bf_struct1_internal { f0 int32:10 f1 int32:10 f2 int32:10 } syz_bf_struct1 { f0 syz_bf_struct1_internal f1 int8 } test$bf0(a0 ptr[in, syz_bf_struct0]) test$bf1(a0 ptr[in, syz_bf_struct1]) # Checksums test$csum_encode(a0 ptr[in, syz_csum_encode]) test$csum_ipv4(a0 ptr[in, syz_csum_ipv4_header]) test$csum_ipv4_tcp(a0 ptr[in, syz_csum_ipv4_tcp_packet]) test$csum_ipv6_tcp(a0 ptr[in, syz_csum_ipv6_tcp_packet]) test$csum_ipv4_udp(a0 ptr[in, syz_csum_ipv4_udp_packet]) test$csum_ipv6_udp(a0 ptr[in, syz_csum_ipv6_udp_packet]) test$csum_ipv6_icmp(a0 ptr[in, syz_csum_ipv6_icmp_packet]) syz_csum_encode { f0 int16 f1 int16be f2 array[int32, 0:4] f3 int8:4 f4 int8:4 f5 array[int8, 4] } [packed] syz_csum_ipv4_header { csum csum[parent, inet, int16] src_ip int32be dst_ip int32be } [packed] syz_csum_tcp_header { csum csum[syz_csum_tcp_packet, pseudo, IPPROTO_TCP, int16] } [packed] syz_csum_tcp_packet { header syz_csum_tcp_header payload array[int8] } [packed] syz_csum_ipv4_tcp_packet { header syz_csum_ipv4_header payload syz_csum_tcp_packet } [packed] syz_csum_ipv6_header { src_ip array[int8, 16] dst_ip array[int8, 16] } [packed] syz_csum_ipv6_tcp_packet { header syz_csum_ipv6_header payload syz_csum_tcp_packet } [packed] syz_csum_udp_packet { csum csum[parent, pseudo, IPPROTO_UDP, int16] payload array[int8] } [packed] syz_csum_ipv4_udp_packet { header syz_csum_ipv4_header payload syz_csum_udp_packet } [packed] syz_csum_ipv6_udp_packet { header syz_csum_ipv6_header payload syz_csum_udp_packet } [packed] syz_csum_icmp_packet { csum csum[parent, pseudo, IPPROTO_ICMPV6, int16] payload array[int8] } [packed] syz_csum_ipv6_icmp_packet { header syz_csum_ipv6_header payload syz_csum_icmp_packet } [packed] # Recursion syz_recur_0 { a0 ptr[in, syz_recur_0, opt] } syz_recur_1 { a0 ptr[in, syz_recur_1, opt] a1 ptr[in, syz_recur_2, opt] } syz_recur_2_0 { a0 ptr[in, syz_recur_2_0, opt] a1 ptr[in, syz_recur_2_0, opt] a2 ptr[in, syz_recur_2_0, opt] a3 ptr[in, syz_recur_2_0, opt] } syz_recur_2 { a0 ptr[in, syz_recur_0, opt] a1 ptr[in, syz_recur_1, opt] a2 ptr[in, syz_recur_2_0, opt] a3 ptr[in, syz_recur_2_0, opt] a4 ptr[in, syz_recur_2, opt] a5 ptr[in, syz_recur_2, opt] } test$recur0(a0 ptr[inout, syz_recur_0]) test$recur1(a0 ptr[inout, syz_recur_1]) test$recur2(a0 ptr[inout, syz_recur_2]) # Resources. resource fd[int32]: 0xffffffffffffffff resource syz_res[int32]: 0xffff test$res0() syz_res test$res1(a0 syz_res) test$res2() fd # ONLY_32BITS_CONST const is not present on all arches. # Ensure that it does not break build. resource syz_missing_const_res[int32]: ONLY_32BITS_CONST test$missing_resource() syz_missing_const_res test$missing_struct(a ptr[in, syz_use_missing]) syz_missing_const_struct { a0 const[ONLY_32BITS_CONST, int32] } syz_use_missing { a0 syz_missing_const_res a1 syz_missing_const_struct } # Hints tests. test$hint_data(a0 ptr[in, array[int8]]) # Mutation tests. mutate0() mutate1() mutate2() mutate3(vec ptr[in, array[int32[0:1]]], vlen len[vec]) mutate4(data ptr[in, array[int8]], size bytesize[data]) mutate5(filename ptr[in, filename], flags flags[open_flags]) fd mutate6(fd fd, data ptr[in, array[int8]], size bytesize[data]) mutate7(a0 ptr[in, string], a1 len[a0]) mutate8(a0 proc[100, 4, opt]) open_flags = 0xabababababababab, 0xcdcdcdcdcdcdcdcd # Serialization tests. serialize0(a ptr[in, serialize0_struct]) serialize1(a ptr[out, array[int8]], b len[a]) serialize0_struct { a string[serialize_strings, 10] b string[serialize_strings, 5] } serialize_strings = "aaa", "bbb" # Unsupported syscalls due to resources. resource unsupported[int32] unsupported$0(a unsupported) unsupported unsupported$1(a unsupported) unsupported