#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Get/set list of supplementary group IDs. // int setgroups(size_t size, const gid_t *list); SYSFUZZ(setgroups, SYS_setgroups, SYS_FAIL, CLONE_DEFAULT, 0) { gpointer list; glong retcode; retcode = spawn_syscall_lwp(this, NULL, SYS_setgroups, // int typelib_get_integer(), // int size typelib_get_buffer(&list, PAGE_SIZE)); // gid_t list[] typelib_clear_buffer(list); return retcode; }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Get/set resource limits. SYSFUZZ(ugetrlimit, __NR_ugetrlimit, SYS_NONE, CLONE_DEFAULT, 0) { gpointer rlim; gint retcode; retcode = spawn_syscall_lwp(this, NULL, __NR_ugetrlimit, // int typelib_get_integer(), // int resource typelib_get_buffer(&rlim, g_random_int_range(0, 8192))); // struct rlimit *rlim typelib_clear_buffer(rlim); return retcode; }
#include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" SYSFUZZ(pselect6, __NR_pselect6, SYS_NONE, CLONE_DEFAULT, 1000) { glong retcode; gpointer readfds; gpointer writefds; gpointer exceptfds; gpointer timeout; gpointer sigmask; retcode = spawn_syscall_lwp(this, NULL, __NR_pselect6, // int typelib_get_integer(), // int nfds typelib_get_buffer(&readfds, g_random_int_range(0, PAGE_SIZE)), // fd_set *readfds typelib_get_buffer(&writefds, g_random_int_range(0, PAGE_SIZE)), // fd_set *writefds typelib_get_buffer(&exceptfds, g_random_int_range(0, PAGE_SIZE)),// fd_set *exceptfds typelib_get_buffer(&timeout, g_random_int_range(0, PAGE_SIZE)), // const struct timespec *timeout typelib_get_buffer(&sigmask, g_random_int_range(0, PAGE_SIZE))); // const sigset_t *sigmask typelib_clear_buffer(readfds); typelib_clear_buffer(writefds); typelib_clear_buffer(exceptfds); typelib_clear_buffer(timeout); typelib_clear_buffer(sigmask); return retcode; }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Change ownership of a file. SYSFUZZ(lchown32, __NR_lchown32, SYS_FAIL, CLONE_DEFAULT, 0) { gchar *pathname; gint retcode; // Execute systemcall. retcode = spawn_syscall_lwp(this, NULL, __NR_lchown32, // int typelib_get_pathname(&pathname), // const char *path typelib_get_integer(), // uid_t owner typelib_get_integer()); // gid_t group g_free(pathname); return retcode; }
gint flags; typelib_get_vma(this, &address, &oldsize); newsize = g_random_boolean() ? (PAGE_SIZE * 1) : (PAGE_SIZE * 2); flags = typelib_get_integer_mask(MREMAP_FIXED | MREMAP_MAYMOVE); // I don't currently handle MREMAP_FIXED. flags &= ~MREMAP_FIXED; retcode = syscall_fast_ret(&newaddr, __NR_mremap, // void * address, // void *old_address oldsize, // size_t old_size newsize, // size_t new_size flags, // int flags typelib_get_integer()); // unsigned long new_addr if (retcode == ESUCCESS) { // FIXME: Do something like this. // typelib_vma_moved(this, address, newaddr, newsize); typelib_vma_stale(this, address); typelib_vma_new(this, newaddr, newsize, VMA_NONE); } return retcode; }
#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/time.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Return the current timespec value of tp for the specified clock // long sys_clock_gettime (clockid_t which_clock, struct timespec *tp); SYSFUZZ(clock_gettime, SYS_clock_gettime, SYS_NONE, CLONE_DEFAULT, 0) { gpointer tp; glong retcode; retcode = spawn_syscall_lwp(this, NULL, SYS_clock_gettime, // long typelib_get_integer(), // clockid_t which_clock, typelib_get_buffer(&tp, sizeof(struct timespec))); // struct timespec *tp typelib_clear_buffer(tp); return retcode; }
# define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Sync a file segment with disk. // void sync_file_range(int fd, off64_t offset, off64_t nbytes, // unsigned int flags); // long sys32_sync_file_range(int fd, unsigned off_low, unsigned off_hi, // unsigned n_low, unsigned n_hi, int flags); SYSFUZZ(sync_file_range, __NR_sync_file_range, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_sync_file_range, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_integer(), // unsigned off_low typelib_get_integer(), // unsigned off_high typelib_get_integer(), // unsigned n_low typelib_get_integer(), // unsigned n_high typelib_get_integer_mask(SYNC_FILE_RANGE_WAIT_BEFORE | SYNC_FILE_RANGE_WRITE | SYNC_FILE_RANGE_WAIT_AFTER)); // int flags; }
#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Receive a message from a socket. // ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, struct sockaddr *src_addr, socklen_t *addrlen); SYSFUZZ(recvfrom, SYS_recvfrom, SYS_NONE, CLONE_DEFAULT, 1000) { glong retcode; gpointer buf; gpointer dest_addr; retcode = spawn_syscall_lwp(this, NULL, SYS_recvfrom, // ssize_t typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int sockfd typelib_get_buffer(&buf, PAGE_SIZE), // void *buf typelib_get_integer_range(0, PAGE_SIZE), // size_t len typelib_get_integer(), // int flags typelib_get_buffer(&dest_addr, PAGE_SIZE), // const struct sockaddr *src_addr typelib_get_integer_range(0, PAGE_SIZE)); // socklen_t addrlen typelib_clear_buffer(buf); typelib_clear_buffer(dest_addr); return retcode; }
#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Change permissions of a file. // int fchmod(int fd, mode_t mode); SYSFUZZ(fchmod, SYS_fchmod, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, SYS_fchmod, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_integer()); // mode_t mode }
#include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Reposition read/write file offset. // int _llseek(unsigned int fd, unsigned long offset_high, // unsigned long offset_low, loff_t *result, // unsigned int whence); SYSFUZZ(_llseek, __NR__llseek, SYS_NONE, CLONE_DEFAULT, 0) { gpointer result; gint retcode; retcode = spawn_syscall_lwp(this, NULL, __NR__llseek, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_integer(), // unsigned long offset_high typelib_get_integer(), // unsigned long offset_low typelib_get_buffer(&result, PAGE_SIZE), // loff_t *result typelib_get_integer_range(0, 2)); // int whence typelib_clear_buffer(result); return retcode; }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Set real and/or effective user or group ID. SYSFUZZ(setreuid32, __NR_setreuid32, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_setreuid32, // int typelib_get_integer(), // uid_t ruid typelib_get_integer()); // uid_t euid }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Set group identity. SYSFUZZ(setgid32, __NR_setgid32, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_setgid32, // int typelib_get_integer()); // gid_t gid }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Set user identity used for file system checks. // int setfsuid(uid_t fsuid); SYSFUZZ(setfsuid32, __NR_setfsuid32, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_setfsuid32, // int typelib_get_integer()); // uid_t fsuid }
#endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Read from or write to a file descriptor at a given offset. // ssize_t pwrite(int fd, const void *buf, size_t count, off_t offset); SYSFUZZ(pwrite64, __NR_pwrite64, SYS_NONE, CLONE_DEFAULT, 1000) { glong retcode; gpointer buffer; // Execute systemcall. retcode = spawn_syscall_lwp(this, NULL, __NR_pwrite64, // ssize_t typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_buffer(&buffer, PAGE_SIZE), // void *buf typelib_get_integer_range(0, PAGE_SIZE), // size_t count typelib_get_integer()); // off_t offset // Clean up. typelib_clear_buffer(buffer); return retcode; }
#include <sys/mman.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Map or unmap files or devices into memory. // void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset); SYSFUZZ(mmap, SYS_mmap, SYS_NONE, CLONE_DEFAULT, 0) { gintptr address; glong retcode; gsize size; size = typelib_get_integer(); retcode = syscall_fast_ret(&address, SYS_mmap, // void * typelib_get_integer(), // void *addr typelib_get_integer(), // size_t length size, // int prot typelib_get_integer(), // int flags typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_integer()); // off_t offset if (retcode == ESUCCESS) { // First, round size up to PAGE_SIZE size = (size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1); typelib_vma_new(this, address, size, 0); }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Truncate a file to a specified length. SYSFUZZ(ftruncate64, __NR_ftruncate64, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_ftruncate64, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int fd typelib_get_integer()); // off_t length }
#include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Wait for some event on a file descriptor. // int ppoll(struct pollfd *fds, nfds_t nfds, const struct timespec *timeout, const sigset_t *sigmask); SYSFUZZ(ppoll, __NR_ppoll, SYS_NONE, CLONE_DEFAULT, 1000) { glong retcode; gpointer fds; gpointer timeout; gpointer sigmask; // Execute systemcall. retcode = spawn_syscall_lwp(this, NULL, __NR_ppoll, // int typelib_get_buffer(&fds, g_random_int_range(0, PAGE_SIZE)), // struct pollfd *fds typelib_get_integer(), // nfds_t nfds typelib_get_buffer(&timeout, g_random_int_range(0, PAGE_SIZE)), typelib_get_buffer(&sigmask, g_random_int_range(0, PAGE_SIZE))); // Clean up. typelib_clear_buffer(fds); typelib_clear_buffer(timeout); typelib_clear_buffer(sigmask); return retcode; }
#endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Change file timestamps with nanosecond precision. // int utimensat(int dirfd, const char *pathname, const struct timespec times[2], int flags); SYSFUZZ(utimensat, __NR_utimensat, SYS_NONE, CLONE_DEFAULT, 0) { gchar *filename; gpointer times; glong retcode; retcode = spawn_syscall_lwp(this, NULL, __NR_utimensat, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int dirfd typelib_get_pathname(&filename), // const char *filename typelib_get_buffer(×, PAGE_SIZE), // const struct timespec times[2] typelib_get_integer()); // int flags typelib_clear_buffer(times); g_free(filename); return retcode; }
#include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Request a key from the kernel’s key management facility // key_serial_t request_key(const char *type, const char *description, // const char *callout_info, key_serial_t keyring); // XXX: i bet i need typelib support for those f*****g serials. SYSFUZZ(request_key, __NR_request_key, SYS_NONE, CLONE_DEFAULT, 0) { gpointer type; gpointer desc; gpointer callout; glong retcode; retcode = spawn_syscall_lwp(this, NULL, __NR_request_key, // key_serial_t typelib_get_buffer(&type, g_random_int_range(0, 1024)), // const char *type typelib_get_buffer(&desc, g_random_int_range(0, 1024)), // const char *desc typelib_get_buffer(&callout, g_random_int_range(0, PAGE_SIZE)), // const void *callout g_random_boolean() ? + typelib_get_integer() : - typelib_get_integer_range(0, 32)); // key_serial_t keyring typelib_clear_buffer(type); typelib_clear_buffer(desc); typelib_clear_buffer(callout); return retcode; }
#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Check real user's permissions for a file. SYSFUZZ(access, SYS_access, SYS_NONE, CLONE_DEFAULT, 1000) { gchar *pathname; glong retcode; retcode = spawn_syscall_lwp(this, NULL, SYS_access, // int typelib_get_pathname(&pathname), // const char *pathname typelib_get_integer()); // int mode g_free(pathname); return retcode; }
#include <glib.h> #include <errno.h> #include <unistd.h> #include <sys/syscall.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Get and set options on sockets. // int setsockopt(int sockfd, int level, int optname, const void *optval, socklen_t optlen); SYSFUZZ(setsockopt, SYS_setsockopt, SYS_NONE, CLONE_DEFAULT, 1000) { gpointer optval; glong retcode; retcode = spawn_syscall_lwp(this, NULL, SYS_setsockopt, // int typelib_get_resource(this, NULL, RES_FILE, RF_NONE), // int sockfd typelib_get_integer_range(0, 64), // int level typelib_get_integer(), // int optname typelib_get_buffer(&optval, PAGE_SIZE), // const void *optval typelib_get_integer_range(0, 64)); // socklen_t optlen typelib_clear_buffer(optval); return retcode; }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Set the process execution domain. // int personality(unsigned long persona); SYSFUZZ(personality, __NR_personality, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_personality, typelib_get_integer()); }
// Callback for typelib_add_resource(). static gboolean destroy_open_file(guintptr fd) { return syscall(__NR_close, fd) != -1; } // Create a file descriptor for event notification. // int eventfd(unsigned int initval, int flags); SYSFUZZ(eventfd, __NR_eventfd, SYS_NONE, CLONE_DEFAULT, 0) { glong retcode; glong fd; retcode = spawn_syscall_lwp(this, &fd, __NR_eventfd, // int typelib_get_integer(), // int initval typelib_get_integer()); // int flags if (retcode == ESUCCESS) { // Stop eventfd() from spamming my file descriptor list. if (g_random_int_range(0, 128)) { close(fd); } else { typelib_add_resource(this, fd, RES_FILE, RF_NONE, destroy_open_file); } } return retcode; }
#ifndef _GNU_SOURCE # define _GNU_SOURCE #endif #include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Set real and/or effective user or group ID. SYSFUZZ(setregid32, __NR_setregid32, SYS_NONE, CLONE_DEFAULT, 0) { return spawn_syscall_lwp(this, NULL, __NR_setregid32, // int typelib_get_integer(), // gid_t rgid typelib_get_integer()); // gid_t egid }
#include <glib.h> #include <asm/unistd.h> #include <errno.h> #include <unistd.h> #include <sys/types.h> #include <sys/wait.h> #include <stdbool.h> #include "sysfuzz.h" #include "typelib.h" #include "iknowthis.h" // Execution time profile. SYSFUZZ(profil, __NR_profil, SYS_NONE, CLONE_DEFAULT, 0) { gpointer buf; gint retcode; retcode = spawn_syscall_lwp(this, NULL, __NR_profil, // int typelib_get_buffer(&buf, PAGE_SIZE), // unsigned short *buf PAGE_SIZE, // size_t bufsiz typelib_get_integer(), // size_t offset typelib_get_integer()); // unsigned int scale typelib_clear_buffer(buf); return retcode; }