#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Get/set list of supplementary group IDs.
// int setgroups(size_t size, const gid_t *list);
SYSFUZZ(setgroups, SYS_setgroups, SYS_FAIL, CLONE_DEFAULT, 0)
{
gpointer list;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, SYS_setgroups, // int
typelib_get_integer(), // int size
typelib_get_buffer(&list, PAGE_SIZE)); // gid_t list[]
typelib_clear_buffer(list);
return retcode;
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Get/set resource limits.
SYSFUZZ(ugetrlimit, __NR_ugetrlimit, SYS_NONE, CLONE_DEFAULT, 0)
{
gpointer rlim;
gint retcode;
retcode = spawn_syscall_lwp(this, NULL, __NR_ugetrlimit, // int
typelib_get_integer(), // int resource
typelib_get_buffer(&rlim, g_random_int_range(0, 8192))); // struct rlimit *rlim
typelib_clear_buffer(rlim);
return retcode;
}
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
SYSFUZZ(pselect6, __NR_pselect6, SYS_NONE, CLONE_DEFAULT, 1000)
{
glong retcode;
gpointer readfds;
gpointer writefds;
gpointer exceptfds;
gpointer timeout;
gpointer sigmask;
retcode = spawn_syscall_lwp(this, NULL, __NR_pselect6, // int
typelib_get_integer(), // int nfds
typelib_get_buffer(&readfds, g_random_int_range(0, PAGE_SIZE)), // fd_set *readfds
typelib_get_buffer(&writefds, g_random_int_range(0, PAGE_SIZE)), // fd_set *writefds
typelib_get_buffer(&exceptfds, g_random_int_range(0, PAGE_SIZE)),// fd_set *exceptfds
typelib_get_buffer(&timeout, g_random_int_range(0, PAGE_SIZE)), // const struct timespec *timeout
typelib_get_buffer(&sigmask, g_random_int_range(0, PAGE_SIZE))); // const sigset_t *sigmask
typelib_clear_buffer(readfds);
typelib_clear_buffer(writefds);
typelib_clear_buffer(exceptfds);
typelib_clear_buffer(timeout);
typelib_clear_buffer(sigmask);
return retcode;
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Change ownership of a file.
SYSFUZZ(lchown32, __NR_lchown32, SYS_FAIL, CLONE_DEFAULT, 0)
{
gchar *pathname;
gint retcode;
// Execute systemcall.
retcode = spawn_syscall_lwp(this, NULL, __NR_lchown32, // int
typelib_get_pathname(&pathname), // const char *path
typelib_get_integer(), // uid_t owner
typelib_get_integer()); // gid_t group
g_free(pathname);
return retcode;
}
gint flags;
typelib_get_vma(this, &address, &oldsize);
newsize = g_random_boolean()
? (PAGE_SIZE * 1)
: (PAGE_SIZE * 2);
flags = typelib_get_integer_mask(MREMAP_FIXED | MREMAP_MAYMOVE);
// I don't currently handle MREMAP_FIXED.
flags &= ~MREMAP_FIXED;
retcode = syscall_fast_ret(&newaddr, __NR_mremap, // void *
address, // void *old_address
oldsize, // size_t old_size
newsize, // size_t new_size
flags, // int flags
typelib_get_integer()); // unsigned long new_addr
if (retcode == ESUCCESS) {
// FIXME: Do something like this.
// typelib_vma_moved(this, address, newaddr, newsize);
typelib_vma_stale(this, address);
typelib_vma_new(this, newaddr, newsize, VMA_NONE);
}
return retcode;
}
#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Return the current timespec value of tp for the specified clock
// long sys_clock_gettime (clockid_t which_clock, struct timespec *tp);
SYSFUZZ(clock_gettime, SYS_clock_gettime, SYS_NONE, CLONE_DEFAULT, 0)
{
gpointer tp;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, SYS_clock_gettime, // long
typelib_get_integer(), // clockid_t which_clock,
typelib_get_buffer(&tp, sizeof(struct timespec))); // struct timespec *tp
typelib_clear_buffer(tp);
return retcode;
}
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Sync a file segment with disk.
// void sync_file_range(int fd, off64_t offset, off64_t nbytes,
// unsigned int flags);
// long sys32_sync_file_range(int fd, unsigned off_low, unsigned off_hi,
// unsigned n_low, unsigned n_hi, int flags);
SYSFUZZ(sync_file_range, __NR_sync_file_range, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_sync_file_range, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_integer(), // unsigned off_low
typelib_get_integer(), // unsigned off_high
typelib_get_integer(), // unsigned n_low
typelib_get_integer(), // unsigned n_high
typelib_get_integer_mask(SYNC_FILE_RANGE_WAIT_BEFORE
| SYNC_FILE_RANGE_WRITE
| SYNC_FILE_RANGE_WAIT_AFTER)); // int flags;
}
#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Receive a message from a socket.
// ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, struct sockaddr *src_addr, socklen_t *addrlen);
SYSFUZZ(recvfrom, SYS_recvfrom, SYS_NONE, CLONE_DEFAULT, 1000)
{
glong retcode;
gpointer buf;
gpointer dest_addr;
retcode = spawn_syscall_lwp(this, NULL, SYS_recvfrom, // ssize_t
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int sockfd
typelib_get_buffer(&buf, PAGE_SIZE), // void *buf
typelib_get_integer_range(0, PAGE_SIZE), // size_t len
typelib_get_integer(), // int flags
typelib_get_buffer(&dest_addr, PAGE_SIZE), // const struct sockaddr *src_addr
typelib_get_integer_range(0, PAGE_SIZE)); // socklen_t addrlen
typelib_clear_buffer(buf);
typelib_clear_buffer(dest_addr);
return retcode;
}
#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Change permissions of a file.
// int fchmod(int fd, mode_t mode);
SYSFUZZ(fchmod, SYS_fchmod, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, SYS_fchmod, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_integer()); // mode_t mode
}
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Reposition read/write file offset.
// int _llseek(unsigned int fd, unsigned long offset_high,
// unsigned long offset_low, loff_t *result,
// unsigned int whence);
SYSFUZZ(_llseek, __NR__llseek, SYS_NONE, CLONE_DEFAULT, 0)
{
gpointer result;
gint retcode;
retcode = spawn_syscall_lwp(this, NULL, __NR__llseek, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_integer(), // unsigned long offset_high
typelib_get_integer(), // unsigned long offset_low
typelib_get_buffer(&result, PAGE_SIZE), // loff_t *result
typelib_get_integer_range(0, 2)); // int whence
typelib_clear_buffer(result);
return retcode;
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Set real and/or effective user or group ID.
SYSFUZZ(setreuid32, __NR_setreuid32, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_setreuid32, // int
typelib_get_integer(), // uid_t ruid
typelib_get_integer()); // uid_t euid
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Set group identity.
SYSFUZZ(setgid32, __NR_setgid32, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_setgid32, // int
typelib_get_integer()); // gid_t gid
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Set user identity used for file system checks.
// int setfsuid(uid_t fsuid);
SYSFUZZ(setfsuid32, __NR_setfsuid32, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_setfsuid32, // int
typelib_get_integer()); // uid_t fsuid
}
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Read from or write to a file descriptor at a given offset.
// ssize_t pwrite(int fd, const void *buf, size_t count, off_t offset);
SYSFUZZ(pwrite64, __NR_pwrite64, SYS_NONE, CLONE_DEFAULT, 1000)
{
glong retcode;
gpointer buffer;
// Execute systemcall.
retcode = spawn_syscall_lwp(this, NULL, __NR_pwrite64, // ssize_t
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_buffer(&buffer, PAGE_SIZE), // void *buf
typelib_get_integer_range(0, PAGE_SIZE), // size_t count
typelib_get_integer()); // off_t offset
// Clean up.
typelib_clear_buffer(buffer);
return retcode;
}
#include <sys/mman.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Map or unmap files or devices into memory.
// void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
SYSFUZZ(mmap, SYS_mmap, SYS_NONE, CLONE_DEFAULT, 0)
{
gintptr address;
glong retcode;
gsize size;
size = typelib_get_integer();
retcode = syscall_fast_ret(&address, SYS_mmap, // void *
typelib_get_integer(), // void *addr
typelib_get_integer(), // size_t length
size, // int prot
typelib_get_integer(), // int flags
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_integer()); // off_t offset
if (retcode == ESUCCESS) {
// First, round size up to PAGE_SIZE
size = (size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
typelib_vma_new(this, address, size, 0);
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Truncate a file to a specified length.
SYSFUZZ(ftruncate64, __NR_ftruncate64, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_ftruncate64, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd
typelib_get_integer()); // off_t length
}
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Wait for some event on a file descriptor.
// int ppoll(struct pollfd *fds, nfds_t nfds, const struct timespec *timeout, const sigset_t *sigmask);
SYSFUZZ(ppoll, __NR_ppoll, SYS_NONE, CLONE_DEFAULT, 1000)
{
glong retcode;
gpointer fds;
gpointer timeout;
gpointer sigmask;
// Execute systemcall.
retcode = spawn_syscall_lwp(this, NULL, __NR_ppoll, // int
typelib_get_buffer(&fds, g_random_int_range(0, PAGE_SIZE)), // struct pollfd *fds
typelib_get_integer(), // nfds_t nfds
typelib_get_buffer(&timeout, g_random_int_range(0, PAGE_SIZE)),
typelib_get_buffer(&sigmask, g_random_int_range(0, PAGE_SIZE)));
// Clean up.
typelib_clear_buffer(fds);
typelib_clear_buffer(timeout);
typelib_clear_buffer(sigmask);
return retcode;
}
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Change file timestamps with nanosecond precision.
// int utimensat(int dirfd, const char *pathname, const struct timespec times[2], int flags);
SYSFUZZ(utimensat, __NR_utimensat, SYS_NONE, CLONE_DEFAULT, 0)
{
gchar *filename;
gpointer times;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, __NR_utimensat, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int dirfd
typelib_get_pathname(&filename), // const char *filename
typelib_get_buffer(×, PAGE_SIZE), // const struct timespec times[2]
typelib_get_integer()); // int flags
typelib_clear_buffer(times);
g_free(filename);
return retcode;
}
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Request a key from the kernel’s key management facility
// key_serial_t request_key(const char *type, const char *description,
// const char *callout_info, key_serial_t keyring);
// XXX: i bet i need typelib support for those f*****g serials.
SYSFUZZ(request_key, __NR_request_key, SYS_NONE, CLONE_DEFAULT, 0)
{
gpointer type;
gpointer desc;
gpointer callout;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, __NR_request_key, // key_serial_t
typelib_get_buffer(&type, g_random_int_range(0, 1024)), // const char *type
typelib_get_buffer(&desc, g_random_int_range(0, 1024)), // const char *desc
typelib_get_buffer(&callout, g_random_int_range(0, PAGE_SIZE)), // const void *callout
g_random_boolean()
? + typelib_get_integer()
: - typelib_get_integer_range(0, 32)); // key_serial_t keyring
typelib_clear_buffer(type);
typelib_clear_buffer(desc);
typelib_clear_buffer(callout);
return retcode;
}
#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Check real user's permissions for a file.
SYSFUZZ(access, SYS_access, SYS_NONE, CLONE_DEFAULT, 1000)
{
gchar *pathname;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, SYS_access, // int
typelib_get_pathname(&pathname), // const char *pathname
typelib_get_integer()); // int mode
g_free(pathname);
return retcode;
}
#include <glib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Get and set options on sockets.
// int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen);
SYSFUZZ(setsockopt, SYS_setsockopt, SYS_NONE, CLONE_DEFAULT, 1000)
{
gpointer optval;
glong retcode;
retcode = spawn_syscall_lwp(this, NULL, SYS_setsockopt, // int
typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int sockfd
typelib_get_integer_range(0, 64), // int level
typelib_get_integer(), // int optname
typelib_get_buffer(&optval, PAGE_SIZE), // const void *optval
typelib_get_integer_range(0, 64)); // socklen_t optlen
typelib_clear_buffer(optval);
return retcode;
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Set the process execution domain.
// int personality(unsigned long persona);
SYSFUZZ(personality, __NR_personality, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_personality, typelib_get_integer());
}
// Callback for typelib_add_resource().
static gboolean destroy_open_file(guintptr fd)
{
return syscall(__NR_close, fd) != -1;
}
// Create a file descriptor for event notification.
// int eventfd(unsigned int initval, int flags);
SYSFUZZ(eventfd, __NR_eventfd, SYS_NONE, CLONE_DEFAULT, 0)
{
glong retcode;
glong fd;
retcode = spawn_syscall_lwp(this, &fd, __NR_eventfd, // int
typelib_get_integer(), // int initval
typelib_get_integer()); // int flags
if (retcode == ESUCCESS) {
// Stop eventfd() from spamming my file descriptor list.
if (g_random_int_range(0, 128)) {
close(fd);
} else {
typelib_add_resource(this, fd, RES_FILE, RF_NONE, destroy_open_file);
}
}
return retcode;
}
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Set real and/or effective user or group ID.
SYSFUZZ(setregid32, __NR_setregid32, SYS_NONE, CLONE_DEFAULT, 0)
{
return spawn_syscall_lwp(this, NULL, __NR_setregid32, // int
typelib_get_integer(), // gid_t rgid
typelib_get_integer()); // gid_t egid
}
#include <glib.h>
#include <asm/unistd.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdbool.h>
#include "sysfuzz.h"
#include "typelib.h"
#include "iknowthis.h"
// Execution time profile.
SYSFUZZ(profil, __NR_profil, SYS_NONE, CLONE_DEFAULT, 0)
{
gpointer buf;
gint retcode;
retcode = spawn_syscall_lwp(this, NULL, __NR_profil, // int
typelib_get_buffer(&buf, PAGE_SIZE), // unsigned short *buf
PAGE_SIZE, // size_t bufsiz
typelib_get_integer(), // size_t offset
typelib_get_integer()); // unsigned int scale
typelib_clear_buffer(buf);
return retcode;
}
