[+CC dvyukov ]

On 20/02/2019 18:21, Johannes Thumshirn wrote:
> On 20/02/2019 17:15, Dan Williams wrote:
>> I wouldn't be opposed to
>> syzkaller fuzzing the nvdimm-ioctl path.
> As a heads up, I've started adding the ioctl() definitions to syzcaller.
> Just so we don't duplicate any efforts.

So AFAICS this (see attachment) should do the trick.

@dvyukov is there something I'm missing, or can syzkaller pick up the
/dev/ndctl devices and start fuzzing the ioctl path with this?

Thanks,
        Johannes
-- 
Johannes Thumshirn                            SUSE Labs Filesystems
[email protected]                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
# Copyright 2019 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

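# syzlang include directives have no leading '#': a line starting with '#' is a
# comment, so the '#include' form is silently ignored and every ND_IOCTL_*
# constant referenced below stays unresolved when constants are extracted.
include <asm/ioctl.h>
include <linux/types.h>
include <uapi/linux/ndctl.h>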

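# /dev/ndctl# is the per-bus control device; /dev/nmem# is the per-DIMM device.
# The DIMM commands (DIMM_FLAGS, GET/SET_CONFIG_*, VENDOR) are looked up in the
# DIMM command table, which only the nmem device reaches — issued on the bus
# device they fail with -ENOTTY and the DIMM path is never fuzzed.
# NOTE(review): confirm the split against drivers/nvdimm/bus.c (__nd_ioctl
# selects the dimm vs bus descriptor table depending on which device was opened).
resource fd_ndctl[fd]
resource fd_nmem[fd]

syz_open_dev$ndctl(dev ptr[in, string["/dev/ndctl#"]], id intptr, flags flags[open_flags]) fd_ndctl
syz_open_dev$nmem(dev ptr[in, string["/dev/nmem#"]], id intptr, flags flags[open_flags]) fd_nmem

# All ND_IOCTL_* commands are _IOWR and the kernel writes back at least the
# status field, so the argument is ptr[inout] rather than ptr[in] — this lets
# the fuzzer observe returned values (e.g. config_size, max_xfer) and reuse them.
ioctl$ND_IOCTL_DIMM_FLAGS(fd fd_nmem, cmd const[ND_IOCTL_DIMM_FLAGS], arg ptr[inout, nd_cmd_dimm_flags])
ioctl$ND_IOCTL_GET_CONFIG_SIZE(fd fd_nmem, cmd const[ND_IOCTL_GET_CONFIG_SIZE], arg ptr[inout, nd_cmd_get_config_size])
ioctl$ND_IOCTL_GET_CONFIG_DATA(fd fd_nmem, cmd const[ND_IOCTL_GET_CONFIG_DATA], arg ptr[inout, nd_cmd_get_config_data_hdr])
ioctl$ND_IOCTL_SET_CONFIG_DATA(fd fd_nmem, cmd const[ND_IOCTL_SET_CONFIG_DATA], arg ptr[inout, nd_cmd_set_config_hdr])
ioctl$ND_IOCTL_VENDOR(fd fd_nmem, cmd const[ND_IOCTL_VENDOR], arg ptr[inout, nd_cmd_vendor_hdr])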

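# Bus-level commands, dispatched through the /dev/ndctl# (nvdimm bus) device.
# They are _IOWR: the kernel fills status (and e.g. max_ars_out, scrub_time,
# the ARS records) on return, so the argument is ptr[inout] to let the fuzzer
# read the results back. ND_IOCTL_CALL is the vendor passthrough and is
# accepted on the bus device as well as on DIMM devices.
ioctl$ND_IOCTL_ARS_CAP(fd fd_ndctl, cmd const[ND_IOCTL_ARS_CAP], arg ptr[inout, nd_cmd_ars_cap])
ioctl$ND_IOCTL_ARS_START(fd fd_ndctl, cmd const[ND_IOCTL_ARS_START], arg ptr[inout, nd_cmd_ars_start])
ioctl$ND_IOCTL_ARS_STATUS(fd fd_ndctl, cmd const[ND_IOCTL_ARS_STATUS], arg ptr[inout, nd_cmd_ars_status])
ioctl$ND_IOCTL_CLEAR_ERROR(fd fd_ndctl, cmd const[ND_IOCTL_CLEAR_ERROR], arg ptr[inout, nd_cmd_clear_error])
ioctl$ND_IOCTL_CALL(fd fd_ndctl, cmd const[ND_IOCTL_CALL], arg ptr[inout, nd_cmd_pkg])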

# Argument of ND_IOCTL_DIMM_FLAGS (struct nd_cmd_dimm_flags in uapi/linux/ndctl.h).
# Two __u32 fields, naturally aligned, so [packed] does not change the layout.
# NOTE(review): presumably output-only (status and flags are filled by the
# kernel) — confirm against the uapi header.
nd_cmd_dimm_flags {
        status  int32
        flags   int32
} [packed]

# Argument of ND_IOCTL_GET_CONFIG_SIZE (struct nd_cmd_get_config_size).
# All three fields are results written by the kernel; config_size and max_xfer
# are the values a caller later uses to bound in_offset/in_length for the
# GET/SET_CONFIG_DATA commands — reading them back (ptr[inout]) makes those
# follow-up calls meaningful.
nd_cmd_get_config_size {
        status          int32
        config_size     int32
        max_xfer        int32
} [packed]

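# Argument of ND_IOCTL_GET_CONFIG_DATA (struct nd_cmd_get_config_data_hdr).
# In the uapi header out_buf is a flexible array member (out_buf[0]) that
# directly follows the header: the kernel copies header and payload as one
# contiguous user buffer, so the payload is described inline. Describing it
# as ptr[out, ...] would put a pointer where the kernel expects the data.
# in_length is the size of out_buf in bytes.
nd_cmd_get_config_data_hdr {
        in_offset       int32
        in_length       len[out_buf, int32]
        status          int32
        out_buf         array[int8]
} [packed]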

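# Argument of ND_IOCTL_SET_CONFIG_DATA (struct nd_cmd_set_config_hdr).
# syzlang has no 'struct' keyword — a type is declared by its bare name, so
# the 'struct ...' form does not parse.
# in_buf is a flexible array member (in_buf[0]) following the header and is
# therefore described inline, not as a separate pointer.
# NOTE(review): the driver appears to append a __u32 status after the in_buf
# payload on the way out; that trailing field is not modelled here — confirm.
nd_cmd_set_config_hdr {
        in_offset       int32
        in_length       len[in_buf, int32]
        in_buf          array[int8]
} [packed]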

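# Argument of ND_IOCTL_VENDOR (struct nd_cmd_vendor_hdr).
# Declared by bare name: syzlang has no 'struct' keyword.
# in_buf is a flexible array member in the uapi header and is modelled inline
# so that opcode, in_length and the payload form one contiguous user buffer.
# NOTE(review): the vendor command's output (struct nd_cmd_vendor_tail:
# status, out_length, out_buf) follows the input payload in the same buffer
# and is not modelled here — confirm against the uapi header.
nd_cmd_vendor_hdr {
        opcode          int32
        in_length       len[in_buf, int32]
        in_buf          array[int8]
} [packed]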

# Argument of ND_IOCTL_ARS_CAP (struct nd_cmd_ars_cap): query address range
# scrub capability for [address, address+length).
# address/length are input; status, max_ars_out, clear_err_unit and flags are
# written by the kernel. Offsets are naturally aligned (8,8,4,4,4,2,2 = 32 bytes).
nd_cmd_ars_cap {
        address         int64
        length          int64
        status          int32
        max_ars_out     int32
        clear_err_unit  int32
        flags           int16
        reserved        int16
} [packed]

# Argument of ND_IOCTL_ARS_START (struct nd_cmd_ars_start): start a scrub of
# [address, address+length). type/flags are input; status and scrub_time are
# results. reserved is pinned to zero so the fuzzer does not spend effort on
# bytes the kernel ignores (5 bytes of padding after the __u8 flags).
nd_cmd_ars_start {
        address         int64
        length          int64
        type            int16
        flags           int8
        reserved        array[const[0, int8], 5]
        status          int32
        scrub_time      int32
} [packed]

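# One entry of nd_cmd_ars_status.records (struct nd_ars_record in the uapi
# header). Declared by bare name: in syzlang 'type' introduces a type alias
# or template, so 'type nd_ars_record {' does not parse as a struct.
# 24 bytes, naturally aligned; filled by the kernel (output only).
nd_ars_record {
        handle          int32
        reserved        int32
        err_address     int64
        length          int64
} [packed]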

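# Argument of ND_IOCTL_ARS_STATUS (struct nd_cmd_ars_status).
# records is a flexible array member of struct nd_ars_record that follows the
# 48-byte header in the same user buffer, so it is described inline (the
# original referenced a non-existent 'nd_ars_records' type through a pointer).
# num_records is the element count of records; out_length, address/length,
# restart_*, type, flags and the records themselves are written by the kernel.
nd_cmd_ars_status {
        status          int32
        out_length      int32
        address         int64
        length          int64
        restart_address int64
        restart_length  int64
        type            int16
        flags           int16
        num_records     len[records, int32]
        records         array[nd_ars_record]
} [packed]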

# Argument of ND_IOCTL_CLEAR_ERROR (struct nd_cmd_clear_error): clear poison in
# [address, address+length). address/length are input; status and cleared
# (bytes actually cleared) are written by the kernel. reserved is pinned to
# zero; the 4 reserved bytes pad cleared to an 8-byte boundary (32 bytes total).
nd_cmd_clear_error {
        address         int64
        length          int64
        status          int32
        reserved        array[const[0, int8], 4]
        cleared         int64
} [packed]

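# Argument of ND_IOCTL_CALL (struct nd_cmd_pkg): vendor-specific passthrough
# addressed by nd_family/nd_command.
# nd_payload is a flexible array member following the 64-byte header and is
# described inline ('ptr [in, ...]' with a space also does not parse).
# nd_reserved2 is pinned to zero as the kernel ignores it.
# NOTE(review): the driver sizes the payload as nd_size_in + nd_size_out bytes
# (input data followed by the output area), while len[nd_payload] only reflects
# the buffer actually generated; with a non-zero nd_size_out the kernel may
# copy past the generated payload — confirm and consider constraining.
nd_cmd_pkg {
        nd_family       int64
        nd_command      int64
        nd_size_in      len[nd_payload, int32]
        nd_size_out     int32
        nd_reserved2    array[const[0, int32], 9]
        nd_fw_size      int32
        nd_payload      array[int8]
} [packed]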
