sys/linux: another batch of syz-check fixes

Update #590
google · Dec 18, 2019 · 42dc692 · 42dc692
1 parent fa33c32
commit 42dc692
Show file tree

Hide file tree

Showing 25 changed files with 802 additions and 667 deletions.
diff --git a/executor/defs.h b/executor/defs.h
diff --git a/sys/linux/dev_cdrom.txt b/sys/linux/dev_cdrom.txt
@@ -76,9 +76,7 @@ ioctl$CDROM_SEND_PACKET(fd fd_cdrom, cmd const[CDROM_SEND_PACKET], arg ptr[inout
 ioctl$CDROM_NEXT_WRITABLE(fd fd_cdrom, cmd const[CDROM_NEXT_WRITABLE], arg ptr[out, int64])
 ioctl$CDROM_LAST_WRITTEN(fd fd_cdrom, cmd const[CDROM_LAST_WRITTEN], arg ptr[out, int64])
 
-cdrom_output_buffer {
-	reserved	array[int8, CD_FRAMESIZE_RAWER]
-}
+type cdrom_output_buffer array[int8, CD_FRAMESIZE_RAWER]
 
 cdrom_msf {
 	cdmsf_min0	int8

diff --git a/sys/linux/dev_cdrom.txt.warn b/sys/linux/dev_cdrom.txt.warn
@@ -1,4 +1,3 @@
-struct cdrom_output_buffer: no corresponding struct in kernel
 struct cdrom_msf_out_stub: no corresponding struct in kernel
 struct cdrom_addr: no corresponding struct in kernel
 field dvd_struct.physical: bad offset: syz=1 kernel=0

diff --git a/sys/linux/dev_dri.txt b/sys/linux/dev_dri.txt
@@ -140,12 +140,8 @@ drm_map {
 drm_client {
 	idx	int32
 	auth	int32
-	pid	pid
-# pid is declared is long
-	pid_pad	const[0, int32]
-	uid	uid
-# uid is declared is long
-	uid_pad	const[0, int32]
+	pid	alignptr[pid]
+	uid	alignptr[uid]
 	magic	intptr
 	iocs	intptr
 }
@@ -301,14 +297,15 @@ drm_mode_get_plane_res {
 }
 
 drm_mode_crtc {
-	connect	ptr[in, array[int32]]
-	cnt	len[connect, int32]
-	crtcid	int32
-	x	int32
-	y	int32
-	gamma	int32
-	valid	int32
-	mode	drm_mode_modeinfo
+	set_connectors_ptr	ptr64[in, array[int32]]
+	count_connectors	len[set_connectors_ptr, int32]
+	crtc_id			int32
+	fb_id			int32
+	x			int32
+	y			int32
+	gamma_size		int32
+	mode_valid		int32
+	mode			drm_mode_modeinfo
 }
 
 drm_mode_modeinfo {

diff --git a/sys/linux/dev_dri.txt.warn b/sys/linux/dev_dri.txt.warn
@@ -1,14 +1,6 @@
 struct drm_unique_in: no corresponding struct in kernel
 struct drm_unique_out: no corresponding struct in kernel
 struct drm_map: no corresponding struct in kernel
-struct drm_client: bad number of fields: syz=8 kernel=6
-field drm_client.pid: bad size: syz=4 kernel=8
-field drm_client.pid_pad/uid: bad offset: syz=12 kernel=16
-field drm_client.pid_pad/uid: bad size: syz=4 kernel=8
-field drm_client.uid/magic: bad offset: syz=16 kernel=24
-field drm_client.uid/magic: bad size: syz=4 kernel=8
-field drm_client.uid_pad/iocs: bad offset: syz=20 kernel=32
-field drm_client.uid_pad/iocs: bad size: syz=4 kernel=8
 struct drm_ctx_priv_map: no corresponding struct in kernel
 struct drm_ctx: no corresponding struct in kernel
 struct drm_ctx_res: no corresponding struct in kernel
@@ -21,6 +13,4 @@ struct drm_dma: no corresponding struct in kernel
 struct drm_control: no corresponding struct in kernel
 struct drm_scatter_gather: no corresponding struct in kernel
 struct drm_wait_vblank: no corresponding struct in kernel
-struct drm_mode_crtc: bad number of fields: syz=8 kernel=9
-field drm_mode_crtc.mode/mode_valid: bad size: syz=68 kernel=4
 field drm_mode_modeinfo.vrefr/vrefresh: bad size: syz=2 kernel=4
diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
@@ -115,8 +115,8 @@ ioctl$KVM_X86_SETUP_MCE(fd fd_kvmcpu, cmd const[KVM_X86_SETUP_MCE], arg ptr[in,
 ioctl$KVM_X86_SET_MCE(fd fd_kvmcpu, cmd const[KVM_X86_SET_MCE], arg ptr[in, kvm_x86_mce])
 ioctl$KVM_ARM_VCPU_INIT(fd fd_kvmcpu, cmd const[KVM_ARM_VCPU_INIT], arg ptr[in, kvm_vcpu_init])
 ioctl$KVM_ARM_SET_DEVICE_ADDR(fd fd_kvmcpu, cmd const[KVM_ARM_SET_DEVICE_ADDR], arg ptr[in, kvm_arm_device_addr])
-ioctl$KVM_GET_NESTED_STATE(fd fd_kvmcpu, cmd const[KVM_GET_NESTED_STATE], arg ptr[out, kvm_nested_state])
-ioctl$KVM_SET_NESTED_STATE(fd fd_kvmcpu, cmd const[KVM_SET_NESTED_STATE], arg ptr[in, kvm_nested_state])
+ioctl$KVM_GET_NESTED_STATE(fd fd_kvmcpu, cmd const[KVM_GET_NESTED_STATE], arg ptr[out, kvm_nested_state_arg])
+ioctl$KVM_SET_NESTED_STATE(fd fd_kvmcpu, cmd const[KVM_SET_NESTED_STATE], arg ptr[in, kvm_nested_state_arg])
 
 ioctl$KVM_SET_DEVICE_ATTR(fd fd_kvmdev, cmd const[KVM_SET_DEVICE_ATTR], arg ptr[in, kvm_device_attr])
 ioctl$KVM_GET_DEVICE_ATTR(fd fd_kvmdev, cmd const[KVM_GET_DEVICE_ATTR], arg ptr[in, kvm_device_attr])
@@ -428,9 +428,10 @@ kvm_irq_routing_irqchip {
 }
 
 kvm_irq_routing_msi {
-	addrlo	int32
-	addrhi	int32
-	data	int32
+	address_lo	int32
+	address_hi	int32
+	data		int32
+	devid		int32
 }
 
 kvm_irq_routing_s390_adapter {
@@ -474,7 +475,7 @@ kvm_xcrs {
 }
 
 kvm_xsave {
-	region	array[int8, 1024]
+	region	array[int32, 1024]
 }
 
 kvm_enable_cap_cpu {
@@ -500,29 +501,33 @@ kvm_userspace_memory_region {
 }
 
 kvm_vcpu_events {
-	exinjec	int8
-	exnr	int8
-	exhec	int8
-	pad1	const[0, int8]
-	exec	int32
+	exinjec			int8
+	exnr			int8
+	exhec			int8
+	pad1			const[0, int8]
+	exec			int32
 
-	ininjec	int8
-	innr	int8
-	insoft	int8
-	inshad	int8
+	ininjec			int8
+	innr			int8
+	insoft			int8
+	inshad			int8
 
-	nmiinj	int8
-	nmipend	int8
-	nmimask	int8
-	pad2	const[0, int8]
+	nmiinj			int8
+	nmipend			int8
+	nmimask			int8
+	pad2			const[0, int8]
 
-	sipi	int32
-	flags	int32
+	sipi_vector		int32
+	flags			int32
 
-	smismm	int8
-	smipend	int8
-	smiinsi	int8
-	smilatc	int8
+	smismm			int8
+	smipend			int8
+	smiinsi			int8
+	smilatc			int8
+
+	reserved		array[const[0, int8], 27]
+	exception_has_payload	int8
+	exception_payload	int64
 }
 
 kvm_clock_data {
@@ -584,11 +589,12 @@ kvm_cpuid2 {
 }
 
 kvm_translation {
-	laddr	flags[kvm_guest_addrs, int64]
-	paddr	flags[kvm_guest_addrs, int64]
-	valid	int8
-	write	int8
-	umode	int8
+	laddr		flags[kvm_guest_addrs, int64]
+	paddr		flags[kvm_guest_addrs, int64]
+	valid		int8
+	writeable	int8
+	usermode	int8
+	pad		array[const[0, int8], 5]
 }
 
 kvm_dirty_log {
@@ -695,7 +701,7 @@ kvm_irqchip {
 kvm_irq_chip [
 	pic	kvm_pic_state
 	ioapic	kvm_ioapic_state
-]
+] [size[512]]
 
 kvm_pic_state {
 	lastirr	int8
@@ -781,11 +787,15 @@ kvm_hyperv_eventfd {
 }
 
 kvm_nested_state {
-	flags		flags[kvm_nested_state_flags, int16]
-	format		const[0, int16]
-	size		bytesize[parent, int32]
-	vmx		kvm_vmx_nested_state
-	pad		array[const[0, int8], 96]
+	flags	flags[kvm_nested_state_flags, int16]
+	format	const[0, int16]
+	size	bytesize[parent, int32]
+	hdr	kvm_vmx_nested_state
+	data	void
+}
+
+kvm_nested_state_arg {
+	state		kvm_nested_state
 	current_vmcs	array[int8, VMCS12_SIZE]
 	shadow_vmcs	array[int8, VMCS12_SIZE]
 }
@@ -794,7 +804,7 @@ kvm_vmx_nested_state {
 	vmxon_pa	flags[kvm_guest_addrs, int64]
 	vmcs_pa		flags[kvm_guest_addrs, int64]
 	smm_flags	flags[kvm_nested_smm_flags, int16]
-}
+} [size[120]]
 
 kvm_nested_state_flags = KVM_STATE_NESTED_GUEST_MODE, KVM_STATE_NESTED_RUN_PENDING
 kvm_nested_smm_flags = KVM_STATE_NESTED_SMM_GUEST_MODE, KVM_STATE_NESTED_SMM_VMXON

diff --git a/sys/linux/dev_kvm.txt.warn b/sys/linux/dev_kvm.txt.warn
@@ -24,16 +24,11 @@ struct kvm_dirty_tlb: no corresponding struct in kernel
 struct kvm_assigned_msix_entry: no corresponding struct in kernel
 struct kvm_assigned_msix_nr: no corresponding struct in kernel
 struct kvm_irq_routing_entry_u: no corresponding struct in kernel
-struct kvm_irq_routing_msi: bad number of fields: syz=3 kernel=4
-struct kvm_irq_routing_msi: bad size: syz=12 kernel=16
 struct kvm_assigned_irq: no corresponding struct in kernel
 struct kvm_assigned_pci_dev: no corresponding struct in kernel
-struct kvm_xsave: bad size: syz=1024 kernel=4096
-field kvm_xsave.region: bad size: syz=1024 kernel=4096
 struct kvm_enable_cap_cpu: no corresponding struct in kernel
 struct kvm_enable_cap_vm: no corresponding struct in kernel
-struct kvm_vcpu_events: bad number of fields: syz=19 kernel=9
-struct kvm_vcpu_events: bad size: syz=28 kernel=64
+struct kvm_vcpu_events: bad number of fields: syz=22 kernel=9
 field kvm_vcpu_events.exinjec/exception: bad size: syz=1 kernel=8
 field kvm_vcpu_events.exnr/interrupt: bad offset: syz=1 kernel=8
 field kvm_vcpu_events.exnr/interrupt: bad size: syz=1 kernel=4
@@ -49,22 +44,18 @@ field kvm_vcpu_events.innr/reserved: bad size: syz=1 kernel=27
 field kvm_vcpu_events.insoft/exception_has_payload: bad offset: syz=10 kernel=55
 field kvm_vcpu_events.inshad/exception_payload: bad offset: syz=11 kernel=56
 field kvm_vcpu_events.inshad/exception_payload: bad size: syz=1 kernel=8
-struct kvm_translation: bad number of fields: syz=5 kernel=6
 struct kvm_regs: bad number of fields: syz=3 kernel=18
 field kvm_regs.gp/rax: bad size: syz=128 kernel=8
 field kvm_regs.rip/rbx: bad offset: syz=128 kernel=8
 field kvm_regs.rflags/rcx: bad offset: syz=136 kernel=16
 field kvm_fpu.fsw: bad size: syz=1 kernel=2
 field kvm_fpu.ftws/ftwx: bad offset: syz=131 kernel=132
 field kvm_fpu.pad1: bad offset: syz=132 kernel=133
-struct kvm_irqchip: bad size: syz=224 kernel=520
-field kvm_irqchip.chip: bad size: syz=216 kernel=512
 struct kvm_irq_chip: no corresponding struct in kernel
 struct kvm_ioapic_redir: no corresponding struct in kernel
 struct kvm_mce_cap: no corresponding struct in kernel
-struct kvm_nested_state: bad number of fields: syz=7 kernel=5
-struct kvm_nested_state: bad size: syz=8320 kernel=128
-field kvm_nested_state.vmx/hdr: bad size: syz=24 kernel=120
-field kvm_nested_state.pad/data: bad offset: syz=32 kernel=128
-field kvm_nested_state.pad/data: bad size: syz=96 kernel=0
+struct kvm_nested_state: bad size: syz=288 kernel=128
+field kvm_nested_state.hdr: bad offset: syz=96 kernel=8
+field kvm_nested_state.data: bad offset: syz=216 kernel=128
+struct kvm_nested_state_arg: no corresponding struct in kernel
 struct kvm_vmx_nested_state: no corresponding struct in kernel
diff --git a/sys/linux/dev_loop.txt b/sys/linux/dev_loop.txt
@@ -30,9 +30,9 @@ lo_flags = LO_FLAGS_READ_ONLY, LO_FLAGS_AUTOCLEAR, LO_FLAGS_PARTSCAN, LO_FLAGS_D
 
 loop_info {
 	lo_number	const[0, int32]
-	lo_device	const[0, int32]
-	lo_inode	const[0, int32]
-	lo_rdevice	const[0, int32]
+	lo_device	const[0, intptr]
+	lo_inode	const[0, intptr]
+	lo_rdevice	const[0, intptr]
 	lo_offset	int32
 	lo_enc_type	flags[lo_encrypt_type, int32]
 	lo_enc_key_size	int32[0:LO_KEY_SIZE]

diff --git a/sys/linux/dev_loop.txt.warn b/sys/linux/dev_loop.txt.warn
diff --git a/sys/linux/devio.txt b/sys/linux/devio.txt
@@ -68,9 +68,7 @@ usbdevfs_ctrltransfer {
 usb_request_type_flags = USB_DIR_OUT, USB_DIR_IN, USB_TYPE_MASK, USB_TYPE_STANDARD, USB_TYPE_CLASS, USB_TYPE_VENDOR, USB_TYPE_RESERVED, USB_RECIP_MASK, USB_RECIP_DEVICE, USB_RECIP_INTERFACE, USB_RECIP_ENDPOINT, USB_RECIP_OTHER, USB_RECIP_PORT, USB_RECIP_RPIPE
 
 usbdevfs_bulktransfer {
-	ep	usbdevfs_ep
-	pad0	int8
-	pad1	int16
+	ep	align32[usbdevfs_ep]
 	len	len[data, int32]
 	timeout	int32
 	data	ptr[inout, array[int8]]

diff --git a/sys/linux/devio.txt.warn b/sys/linux/devio.txt.warn
@@ -1,12 +1,4 @@
 struct usbdevfs_ep: no corresponding struct in kernel
-struct usbdevfs_bulktransfer: bad number of fields: syz=6 kernel=4
-field usbdevfs_bulktransfer.ep: bad size: syz=1 kernel=4
-field usbdevfs_bulktransfer.pad0/len: bad offset: syz=1 kernel=4
-field usbdevfs_bulktransfer.pad0/len: bad size: syz=1 kernel=4
-field usbdevfs_bulktransfer.pad1/timeout: bad offset: syz=2 kernel=8
-field usbdevfs_bulktransfer.pad1/timeout: bad size: syz=2 kernel=4
-field usbdevfs_bulktransfer.len/data: bad offset: syz=4 kernel=16
-field usbdevfs_bulktransfer.len/data: bad size: syz=4 kernel=8
 struct usbdevfs_urb_control: no corresponding struct in kernel
 struct usbdevfs_urb_bulk: no corresponding struct in kernel
 struct usbdevfs_urb_interrupt: no corresponding struct in kernel