Re: [PATCH] acpi/nfit: Fix bus command validation

From: Johannes Thumshirn
Date: Thu Feb 21 2019 - 08:28:37 EST


[+CC dvyukov ]

On 20/02/2019 18:21, Johannes Thumshirn wrote:
> On 20/02/2019 17:15, Dan Williams wrote:
>> I wouldn't be opposed to
>> syzkaller fuzzing the nvdimm-ioctl path.
> As a heads up, I've started adding the ioctl() definitions to syzcaller.
> Just so we don't duplicate any efforts.

So AFAICS this (see attachment) should do the trick.

@dvyukov is there something I'm missing, or can syzkaller pick up the
/dev/ndctl devices and start fuzzing the ioctl path with this?

Thanks,
Johannes
--
Johannes Thumshirn SUSE Labs Filesystems
jthumshirn@xxxxxxx +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
# Copyright 2019 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

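# Headers are pulled in with a bare `include` directive. In syzlang a
# leading `#` starts a comment, so `#include` lines are silently ignored
# and none of the ND_IOCTL_* constants used below could be extracted.
include <asm/ioctl.h>
include <linux/types.h>
include <uapi/linux/ndctl.h>

# File descriptor for an opened /dev/ndctl* character device.
resource fd_ndctl[fd]

# Opens /dev/ndctl<id>; the trailing '#' in the path template is replaced
# by `id` at generation time.
syz_open_dev$ndctl(dev ptr[in, string["/dev/ndctl#"]], id intptr, flags flags[open_flags]) fd_ndctl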

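# DIMM-level commands. Every argument struct carries a `status` field (and
# the GET variant an out buffer) that the caller reads back after the call,
# so the argument is described as inout rather than in; that lets the
# fuzzer treat the written-back fields as results instead of fixed input.
ioctl$ND_IOCTL_DIMM_FLAGS(fd fd_ndctl, cmd const[ND_IOCTL_DIMM_FLAGS], arg ptr[inout, nd_cmd_dimm_flags])
ioctl$ND_IOCTL_GET_CONFIG_SIZE(fd fd_ndctl, cmd const[ND_IOCTL_GET_CONFIG_SIZE], arg ptr[inout, nd_cmd_get_config_size])
# The constant was misspelled as ND_IOCTL_GET_CONFIG_DAT; it must match the
# macro name in uapi/linux/ndctl.h or constant extraction fails.
ioctl$ND_IOCTL_GET_CONFIG_DATA(fd fd_ndctl, cmd const[ND_IOCTL_GET_CONFIG_DATA], arg ptr[inout, nd_cmd_get_config_data_hdr])
ioctl$ND_IOCTL_SET_CONFIG_DATA(fd fd_ndctl, cmd const[ND_IOCTL_SET_CONFIG_DATA], arg ptr[inout, nd_cmd_set_config_hdr])
ioctl$ND_IOCTL_VENDOR(fd fd_ndctl, cmd const[ND_IOCTL_VENDOR], arg ptr[inout, nd_cmd_vendor_hdr])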

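# Bus-level commands (address range scrub, error clearing, passthrough).
# As with the DIMM commands, each argument struct has `status` (and
# ARS_STATUS its records) written back to the caller, so the pointer is
# inout rather than in.
ioctl$ND_IOCTL_ARS_CAP(fd fd_ndctl, cmd const[ND_IOCTL_ARS_CAP], arg ptr[inout, nd_cmd_ars_cap])
ioctl$ND_IOCTL_ARS_START(fd fd_ndctl, cmd const[ND_IOCTL_ARS_START], arg ptr[inout, nd_cmd_ars_start])
ioctl$ND_IOCTL_ARS_STATUS(fd fd_ndctl, cmd const[ND_IOCTL_ARS_STATUS], arg ptr[inout, nd_cmd_ars_status])
ioctl$ND_IOCTL_CLEAR_ERROR(fd fd_ndctl, cmd const[ND_IOCTL_CLEAR_ERROR], arg ptr[inout, nd_cmd_clear_error])
ioctl$ND_IOCTL_CALL(fd fd_ndctl, cmd const[ND_IOCTL_CALL], arg ptr[inout, nd_cmd_pkg])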

# Argument of ND_IOCTL_DIMM_FLAGS. `status` is the command status returned
# to the caller; `flags` is the DIMM flag word — presumably filled in by the
# driver rather than read from userspace, confirm against the nfit code.
nd_cmd_dimm_flags {
status int32
flags int32
} [packed]

# Argument of ND_IOCTL_GET_CONFIG_SIZE. All three fields are results
# (status, total label-area size, maximum transfer per call) — presumably
# none is consumed as input; verify against the driver before relying on it.
nd_cmd_get_config_size {
status int32
config_size int32
max_xfer int32
} [packed]

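# Argument of ND_IOCTL_GET_CONFIG_DATA. in_offset/in_length select the
# window of the label area to read; `status` and `out_buf` are results.
# In uapi/linux/ndctl.h out_buf is a flexible array member that directly
# follows the header, so it is described as an inline array: a `ptr` here
# would put a userspace address where the kernel expects the buffer bytes.
# The original also left the array bracket unclosed.
nd_cmd_get_config_data_hdr {
in_offset int32
in_length len[out_buf, int32]
status int32
out_buf array[int8]
} [packed]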

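# Argument of ND_IOCTL_SET_CONFIG_DATA. syzlang has no `struct` keyword —
# a struct is declared as `name { ... }` like the other types in this file.
# in_buf is a flexible array member in the kernel header, i.e. the bytes
# follow the header inline, so it is an inline array rather than a pointer;
# the unclosed array bracket is fixed as well.
nd_cmd_set_config_hdr {
in_offset int32
in_length len[in_buf, int32]
in_buf array[int8]
} [packed]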

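# Argument of ND_IOCTL_VENDOR. Declared with plain `name { ... }` syntax
# (syzlang has no `struct` keyword). in_buf is a flexible array member in
# the kernel header, so the vendor payload is described inline after
# `in_length` rather than behind a pointer; the unclosed bracket is fixed.
nd_cmd_vendor_hdr {
opcode int32
in_length len[in_buf, int32]
in_buf array[int8]
} [packed]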

# Argument of ND_IOCTL_ARS_CAP: queries scrub capabilities for the
# [address, address+length) range. `status`, `max_ars_out`,
# `clear_err_unit` and `flags` are results — presumably; confirm which
# fields the driver actually reads.
nd_cmd_ars_cap {
address int64
length int64
status int32
max_ars_out int32
clear_err_unit int32
flags int16
reserved int16
} [packed]

# Argument of ND_IOCTL_ARS_START: starts a scrub of [address,
# address+length). `reserved` is pinned to zero so the fuzzer does not
# trip a reserved-field check before reaching the interesting code;
# `status` and `scrub_time` are results.
nd_cmd_ars_start {
address int64
length int64
type int16
flags int8
reserved array[const[0, int8], 5]
status int32
scrub_time int32
} [packed]

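# One scrub result record, embedded inline in nd_cmd_ars_status.records.
# Declared as a plain struct like the rest of this file: the `type`
# keyword is for type aliases and templates, not struct definitions, and
# the name here must match what nd_cmd_ars_status references.
nd_ars_record {
handle int32
reserved int32
err_address int64
length int64
} [packed]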

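# Argument of ND_IOCTL_ARS_STATUS. The header fields and `num_records`
# are results; `records` is a flexible array of nd_ars_record that follows
# the header inline in the kernel header, so it is an inline array rather
# than a pointer. The element type was misspelled as nd_ars_records
# (no such type) and the array bracket was left unclosed.
nd_cmd_ars_status {
status int32
out_length int32
address int64
length int64
restart_address int64
restart_length int64
type int16
flags int16
num_records len[records, int32]
records array[nd_ars_record]
} [packed]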

# Argument of ND_IOCTL_CLEAR_ERROR: clears poison in [address,
# address+length). `reserved` is pinned to zero; `status` and `cleared`
# (bytes actually cleared) are results.
nd_cmd_clear_error {
address int64
length int64
status int32
reserved array[const[0, int8], 4]
cleared int64
} [packed]

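# Argument of ND_IOCTL_CALL (vendor passthrough). nd_payload is a flexible
# array member in the kernel header, so the payload is described inline
# after nd_fw_size rather than behind a pointer; the stray space in
# `ptr [in, ...]` and the blank line before the closing brace are dropped
# to match the rest of the file. nd_size_in sizes the input payload; the
# output part of the payload is nd_size_out bytes — NOTE(review): left as
# a plain int32, confirm how the driver sizes the copy-out.
nd_cmd_pkg {
nd_family int64
nd_command int64
nd_size_in len[nd_payload, int32]
nd_size_out int32
nd_reserved2 array[const[0, int32], 9]
nd_fw_size int32
nd_payload array[int8]
} [packed]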