├── tools └── .gitignore ├── include ├── pipes.h ├── post-mortem.h ├── testfile.h ├── results.h ├── ftrace.h ├── perf.h ├── signals.h ├── types.h ├── sysv-shm.h ├── bdevs.h ├── userfaultfd.h ├── arg-decoder.h ├── files.h ├── domains.h ├── futex.h ├── taint.h ├── uid.h ├── logfile.h ├── bpf.h ├── socketinfo.h ├── log.h ├── stats.h ├── syscalls-mips.h ├── fanotify.h ├── arch-riscv64.h ├── locks.h ├── arch-sparc.h ├── arch-arm.h ├── pids.h ├── pathnames.h ├── arch-mips.h ├── object-types.h ├── arch-aarch64.h ├── arch-ia64.h ├── arch-i386.h ├── memfd.h ├── arch-sh.h ├── debug.h ├── arch-parisc.h ├── arch-s390.h ├── trinity.h ├── arch-alpha.h ├── arch-ppc.h ├── sanitise.h ├── fd.h ├── random.h ├── arch-tile.h └── arch-x86-64.h ├── .deps └── .gitignore ├── scripts ├── privs.sh ├── killtrin.sh ├── rmmod-all.sh ├── cppcheck.sh ├── paths.sh ├── taint.sh ├── load-all-modules.sh ├── analyse-dumps.sh ├── clean-cores.sh ├── test-all-syscalls-parallel.sh ├── clean-ipc.sh ├── Lindent ├── test-multi.sh ├── test-all-syscalls-sequentially.sh ├── test-vm.sh └── find.sh ├── syscalls ├── gettid.c ├── setsid.c ├── sgetmask.c ├── ni_syscall.c ├── sched_yield.c ├── getpid.c ├── getpgrp.c ├── getppid.c ├── umask.c ├── getpagesize.c ├── munlockall.c ├── nice.c ├── sync.c ├── ssetmask.c ├── io_destroy.c ├── pause.c ├── sparc │ └── kern_features.c ├── vhangup.c ├── getsid.c ├── restart_syscall.c ├── stime.c ├── time.c ├── timer_delete.c ├── msgget.c ├── personality.c ├── ppc │ └── rtas.c ├── shmdt.c ├── times.c ├── exit.c ├── ioprio_get.c ├── oldumount.c ├── rmdir.c ├── timer_getoverrun.c ├── uname.c ├── uselib.c ├── getpgid.c ├── sysinfo.c ├── vfork.c ├── mq_unlink.c ├── olduname.c ├── sigpending.c ├── sched_get_priority_max.c ├── sched_get_priority_min.c ├── bdflush.c ├── newuname.c ├── setpgid.c ├── sched_getscheduler.c ├── x86 │ ├── iopl.c │ ├── i386 │ │ ├── vm86.c │ │ └── vm86old.c │ ├── ioperm.c │ └── x86_64 │ │ └── arch_prctl.c ├── kill.c ├── semget.c ├── sysctl.c ├── syncfs.c ├── tkill.c ├── exit_group.c ├── getrusage.c ├── ioprio_set.c ├── listen.c ├── setpriority.c ├── io_setup.c ├── set_tid_address.c ├── signal.c ├── ustat.c ├── semctl.c ├── setrlimit.c ├── rt_sigpending.c ├── sethostname.c ├── shmat.c ├── getuid.c ├── semop.c ├── setdomainname.c ├── pciconfig_iobase.c ├── timer_gettime.c ├── utime.c ├── getitimer.c ├── io_uring_setup.c ├── utimes.c ├── sched_setattr.c ├── acct.c ├── inotify_rm_watch.c ├── sched_getparam.c ├── sched_setparam.c ├── gettimeofday.c ├── ia64 │ └── getunwind.c ├── settimeofday.c ├── tgkill.c ├── link.c ├── removexattr.c ├── rt_sigsuspend.c ├── waitpid.c ├── getcwd.c ├── reboot.c ├── rt_sigreturn.c ├── set_mempolicy.c ├── sigreturn.c ├── newstat.c ├── nfsservctl.c ├── sigprocmask.c ├── timerfd_gettime.c ├── mq_notify.c ├── newlstat.c ├── sched_rr_get_interval.c ├── getgid.c ├── pivot_root.c ├── getegid.c ├── lremovexattr.c ├── close.c ├── geteuid.c ├── readahead.c ├── brk.c ├── lookup_dcookie.c ├── io_cancel.c ├── setgid.c ├── clone3.c ├── fremovexattr.c ├── io_submit.c ├── nanosleep.c ├── capget.c ├── capset.c ├── sigaltstack.c ├── chdir.c ├── chroot.c ├── clock_adjtime.c ├── init_module.c ├── fchdir.c ├── memfd_secret.c ├── rt_tgsigqueueinfo.c ├── sigsuspend.c ├── sysfs.c ├── quotactl_fd.c ├── rt_sigqueueinfo.c ├── oldreaddir.c ├── wait4.c ├── fdatasync.c ├── fsync.c ├── mq_open.c ├── pciconfig_read.c ├── quotactl.c ├── sched_getaffinity.c ├── sched_setaffinity.c ├── pciconfig_write.c ├── semtimedop.c ├── pidfd_open.c ├── alarm.c ├── chmod.c ├── clock_getres.c ├── clock_gettime.c ├── flock.c ├── get_robust_list.c ├── setfsgid.c ├── setitimer.c ├── userfaultfd.c ├── delete_module.c ├── setfsuid.c ├── clock_settime.c ├── getcpu.c ├── process_mrelease.c ├── setns.c ├── shutdown.c ├── futimesat.c ├── waitid.c ├── mq_getsetattr.c ├── prlimit64.c ├── setregid.c ├── setreuid.c ├── creat.c ├── fsopen.c ├── llseek.c ├── pidfd_getfd.c ├── getpriority.c ├── getxattr.c ├── lgetxattr.c ├── landlock_restrict_self.c ├── munlock.c ├── umount.c ├── memfd_create.c ├── migrate_pages.c ├── fgetxattr.c ├── rt_sigtimedwait.c ├── unshare.c ├── io_getevents.c ├── setresuid.c ├── msgctl.c ├── pidfd_send_signal.c ├── shmctl.c ├── access.c ├── setresgid.c ├── rseq.c ├── setgroups.c ├── lseek.c ├── set_mempolicy_home_node.c ├── set_robust_list.c ├── msgsnd.c ├── sh │ └── cacheflush.c ├── finit_module.c ├── mq_timedreceive.c ├── shmget.c ├── setuid.c ├── utimensat.c ├── kcmp.c ├── s390x │ └── runtime_instr.c ├── timerfd_create.c ├── getgroups.c ├── getsockname.c ├── unlink.c ├── pselect6.c ├── mq_timedsend.c ├── sched_setscheduler.c ├── truncate.c ├── timer_settime.c ├── adjtimex.c ├── rt_sigprocmask.c ├── riscv_flush_icache.c ├── statfs.c ├── getpeername.c ├── getsockopt.c ├── io_pgetevents.c ├── lchown.c ├── mlockall.c ├── epoll_wait.c ├── landlock_create_ruleset.c ├── mkdir.c ├── setxattr.c ├── ipc.c ├── fspick.c ├── lsetxattr.c ├── kexec_load.c ├── pipe.c ├── fsetxattr.c ├── lstat.c ├── connect.c ├── swap.c ├── getrandom.c ├── io_uring_enter.c ├── getresuid.c ├── getrlimit.c ├── mknod.c ├── sched_getattr.c ├── symlink.c ├── getresgid.c ├── move_mount.c ├── fsmount.c ├── msgrcv.c ├── process_vm_readv.c ├── process_vm_writev.c ├── name_to_handle_at.c ├── socketpair.c ├── ftruncate.c ├── request_key.c ├── futex_waitv.c ├── readlink.c ├── kexec_file_load.c ├── inotify_add_watch.c ├── landlock_add_rule.c ├── membarrier.c ├── splice.c ├── sendfile.c ├── open_tree.c ├── keyctl.c ├── pkey.c ├── getdents.c ├── chown.c ├── mincore.c ├── tee.c └── timerfd_settime.c ├── .gitignore ├── net ├── proto-ip-raw.c ├── proto-xdp.c ├── proto-qrtr.c ├── proto-icmp6.c ├── proto-smc.c ├── proto-iucv.c ├── proto-ip-udp.c ├── proto-ip-dccp.c ├── proto-ip-udplite.c ├── proto-netrom.c └── proto-rxrpc.c ├── Documentation └── pro-tips.txt ├── ioctls ├── rfkill.c ├── vsock.c ├── hpet.c ├── random.c ├── msr.c ├── btrfs-control.c ├── mce.c └── sisfb.c └── log.c /tools/.gitignore: -------------------------------------------------------------------------------- 1 | analyze-sockets 2 | -------------------------------------------------------------------------------- /include/pipes.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | int get_rand_pipe_fd(void); 4 | -------------------------------------------------------------------------------- /include/post-mortem.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | void tainted_postmortem(void); 4 | -------------------------------------------------------------------------------- /include/testfile.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | int get_rand_testfile_fd(void); 4 | -------------------------------------------------------------------------------- /.deps/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /include/results.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "syscall.h" 4 | 5 | void handle_success(struct syscallrecord *rec); 6 | -------------------------------------------------------------------------------- /include/ftrace.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | void setup_ftrace(void); 4 | void stop_ftrace(void); 5 | 6 | extern const char *ftracedumpname; 7 | -------------------------------------------------------------------------------- /scripts/privs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ $(/usr/bin/id -u) -eq 0 ] ; then 4 | DROPPRIVS=--dropprivs 5 | else 6 | DROPPRIVS="" 7 | fi 8 | -------------------------------------------------------------------------------- /scripts/killtrin.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | for i in $(ps ax | grep trinity | grep -v grep | awk '{ print $1 }'); 4 | do 5 | kill -9 $i 6 | done 7 | -------------------------------------------------------------------------------- /scripts/rmmod-all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for j in `lsmod |awk '{ print $1}' | grep -v caif | grep -v Module` 4 | do 5 | modprobe -r $j 6 | done 7 | 8 | -------------------------------------------------------------------------------- /include/perf.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "syscall.h" 4 | 5 | void sanitise_perf_event_open(struct syscallrecord *rec); 6 | 7 | int get_rand_perf_fd(void); 8 | -------------------------------------------------------------------------------- /include/signals.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | extern jmp_buf ret_jump; 6 | 7 | void mask_signals_child(void); 8 | void setup_main_signals(void); 9 | -------------------------------------------------------------------------------- /include/types.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef enum { FALSE = 0, TRUE = 1 } bool; 6 | 7 | typedef uint32_t u32; 8 | typedef uint64_t u64; 9 | -------------------------------------------------------------------------------- /include/sysv-shm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | void create_sysv_shms(void); 4 | 5 | struct sysv_shm { 6 | void *ptr; 7 | int id; 8 | size_t size; 9 | int flags; 10 | }; 11 | -------------------------------------------------------------------------------- /include/bdevs.h: -------------------------------------------------------------------------------- 1 | #ifndef _DEVS_H 2 | #define _DEVS_H 1 3 | 4 | void process_bdev_param(char *optarg); 5 | void init_bdev_list(void); 6 | void dump_bdev_list(void); 7 | 8 | #endif /* _DEVS_H */ 9 | -------------------------------------------------------------------------------- /syscalls/gettid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(gettid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_gettid = { 7 | .name = "gettid", 8 | .num_args = 0, 9 | }; 10 | -------------------------------------------------------------------------------- /syscalls/setsid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(setsid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setsid = { 7 | .name = "setsid", 8 | .num_args = 0, 9 | }; 10 | -------------------------------------------------------------------------------- /include/userfaultfd.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // FIXME: Keep all this here until glibc supports it. 4 | #ifndef SYS_userfaultfd 5 | #ifdef __x86_64__ 6 | #define SYS_userfaultfd 323 7 | #endif 8 | #endif 9 | -------------------------------------------------------------------------------- /syscalls/sgetmask.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(sgetmask) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sgetmask = { 7 | .name = "sgetmask", 8 | .num_args = 0, 9 | }; 10 | -------------------------------------------------------------------------------- /syscalls/ni_syscall.c: -------------------------------------------------------------------------------- 1 | /* 2 | */ 3 | #include "sanitise.h" 4 | 5 | struct syscallentry syscall_ni_syscall = { 6 | .name = "ni_syscall (generic)", 7 | .num_args = 0, 8 | .flags = NI_SYSCALL, 9 | }; 10 | -------------------------------------------------------------------------------- /syscalls/sched_yield.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(sched_yield) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_yield = { 7 | .name = "sched_yield", 8 | .num_args = 0, 9 | }; 10 | -------------------------------------------------------------------------------- /syscalls/getpid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getpid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getpid = { 7 | .name = "getpid", 8 | .num_args = 0, 9 | .rettype = RET_PID_T, 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/getpgrp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getpgrp) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getpgrp = { 7 | .name = "getpgrp", 8 | .num_args = 0, 9 | .rettype = RET_PID_T, 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/getppid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getppid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getppid = { 7 | .name = "getppid", 8 | .num_args = 0, 9 | .rettype = RET_PID_T, 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/umask.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(umask, int, mask) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_umask = { 7 | .name = "umask", 8 | .num_args = 1, 9 | .arg1name = "mask", 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/getpagesize.c: -------------------------------------------------------------------------------- 1 | /* 2 | * sys_getpagesize (void) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getpagesize = { 7 | .flags = BORING, 8 | .name = "getpagesize", 9 | .num_args = 0, 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/munlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(munlockall) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_munlockall = { 7 | .name = "munlockall", 8 | .num_args = 0, 9 | .group = GROUP_VM, 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/nice.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(nice, int, increment) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_nice = { 7 | .name = "nice", 8 | .num_args = 1, 9 | .arg1name = "increment", 10 | }; 11 | -------------------------------------------------------------------------------- /include/arg-decoder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "syscall.h" 4 | 5 | void output_rendered_buffer(char *buffer); 6 | void output_syscall_prefix(struct syscallrecord *rec); 7 | void output_syscall_postfix(struct syscallrecord *rec); 8 | -------------------------------------------------------------------------------- /syscalls/sync.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(sync) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sync = { 7 | .name = "sync", 8 | .num_args = 0, 9 | .group = GROUP_VFS, 10 | .flags = EXPENSIVE, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/ssetmask.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(ssetmask, int, newmask) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ssetmask = { 7 | .name = "ssetmask", 8 | .num_args = 1, 9 | .arg1name = "newmask", 10 | }; 11 | -------------------------------------------------------------------------------- /scripts/cppcheck.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | cppcheck --quiet --enable=all -f . 2>warnings.$$ 4 | grep -v bounds warnings.$$ | grep -v Skipping | grep -v is\ never\ used | grep -v scanf | grep -v check-config | grep -v reassigned 5 | rm -f warnings.$$ 6 | -------------------------------------------------------------------------------- /syscalls/io_destroy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_io_destroy = { 7 | .name = "io_destroy", 8 | .num_args = 1, 9 | .arg1name = "ctx", 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/pause.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(pause) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_pause = { 7 | .name = "pause", 8 | .num_args = 0, 9 | .flags = AVOID_SYSCALL, // Boring. Can cause long sleeps 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/sparc/kern_features.c: -------------------------------------------------------------------------------- 1 | /* 2 | * long sys_kern_features(void) 3 | */ 4 | 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_kern_features = { 8 | .flags = BORING, 9 | .name = "kern_features", 10 | .num_args = 0, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/vhangup.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(vhangup 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_vhangup = { 7 | .name = "vhangup", 8 | .num_args = 0, 9 | .flags = AVOID_SYSCALL, // No args, confuses fuzzer 10 | }; 11 | -------------------------------------------------------------------------------- /scripts/paths.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | OLDPATH=$(pwd) 4 | TRINITY_PATH=${TRINITY_PATH:-$OLDPATH} 5 | 6 | if [ -d tmp ]; then 7 | TRINITY_TMP=$(mktemp -d $(pwd)/tmp/trinity.XXXXXX) 8 | else 9 | TRINITY_TMP=$(mktemp -d /tmp/trinity.XXXXXX) 10 | fi 11 | -------------------------------------------------------------------------------- /syscalls/getsid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(getsid, pid_t, pid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getsid = { 7 | .name = "getsid", 8 | .num_args = 1, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/restart_syscall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(restart_syscall) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_restart_syscall = { 7 | .name = "restart_syscall", 8 | .num_args = 0, 9 | .flags = AVOID_SYSCALL, 10 | }; 11 | -------------------------------------------------------------------------------- /include/files.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "fd.h" 5 | 6 | unsigned long get_o_flags(void); 7 | 8 | void parse_devices(void); 9 | const char *map_dev(dev_t, mode_t); 10 | 11 | int open_with_fopen(const char *filename, int flags); 12 | -------------------------------------------------------------------------------- /syscalls/stime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(stime, time_t __user *, tptr) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_stime = { 7 | .name = "stime", 8 | .num_args = 1, 9 | .arg1name = "tptr", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/time.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(time, time_t __user *, tloc) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_time = { 7 | .name = "time", 8 | .num_args = 1, 9 | .arg1name = "tloc", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/timer_delete.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(timer_delete, timer_t, timer_id) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_timer_delete = { 7 | .name = "timer_delete", 8 | .num_args = 1, 9 | .arg1name = "timer_id", 10 | }; 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | core.* 2 | *.o 3 | *.d 4 | trinity 5 | logs/ 6 | trinity*.log 7 | trinity.socketcache 8 | tmp 9 | trinity-*.tar.xz 10 | victims 11 | tags 12 | config.h 13 | version.h 14 | .*.swp 15 | cscope.* 16 | ncscope.* 17 | cov-int 18 | trinity-coverity.tar.xz 19 | -------------------------------------------------------------------------------- /syscalls/msgget.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_msgget = { 7 | .name = "msgget", 8 | .num_args = 2, 9 | .arg1name = "key", 10 | .arg2name = "msgflg", 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/personality.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(personality, unsigned int, personality 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_personality = { 7 | .name = "personality", 8 | .num_args = 1, 9 | .arg1name = "personality", 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/ppc/rtas.c: -------------------------------------------------------------------------------- 1 | /* 2 | * int ppc_rtas(struct rtas_args __user *uargs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rtas = { 7 | .name = "rtas", 8 | .num_args = 1, 9 | .arg1name = "uargs", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/shmdt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(shmdt, char __user *, shmaddr) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_shmdt = { 7 | .name = "shmdt", 8 | .num_args = 1, 9 | .arg1name = "shmaddr", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/times.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(times, struct tms __user *, tbuf) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_times = { 7 | .name = "times", 8 | .num_args = 1, 9 | .arg1name = "tbuf", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /include/domains.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | extern const char * get_domain_name(unsigned int domain); 4 | extern void find_specific_domain(const char *domainarg); 5 | extern void parse_exclude_domains(const char *arg); 6 | extern unsigned int find_next_enabled_domain(unsigned int from); 7 | -------------------------------------------------------------------------------- /syscalls/exit.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(exit, int, error_code) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_exit = { 7 | .name = "exit", 8 | .num_args = 1, 9 | .flags = AVOID_SYSCALL, // confuses fuzzer 10 | .arg1name = "error_code", 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/ioprio_get.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(ioprio_get, int, which, int, who) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ioprio_get = { 7 | .name = "ioprio_get", 8 | .num_args = 2, 9 | .arg1name = "which", 10 | .arg2name = "who", 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/oldumount.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(oldumount, char __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_oldumount = { 7 | .name = "oldumount", 8 | .num_args = 1, 9 | .arg1name = "name", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/rmdir.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(rmdir, const char __user *, pathname) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rmdir = { 7 | .name = "rmdir", 8 | .num_args = 1, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/timer_getoverrun.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(timer_getoverrun, timer_t, timer_id) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_timer_getoverrun = { 7 | .name = "timer_getoverrun", 8 | .num_args = 1, 9 | .arg1name = "timer_id", 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/uname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_uname = { 7 | .name = "uname", 8 | .num_args = 1, 9 | .arg1name = "name", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/uselib.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(uselib, const char __user *, library) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_uselib = { 7 | .name = "uselib", 8 | .num_args = 1, 9 | .arg1name = "library", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /net/proto-ip-raw.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "net.h" 4 | #include "trinity.h" 5 | 6 | void raw_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 7 | { 8 | so->optname = ICMP_FILTER; // that's all (for now?) 9 | } 10 | -------------------------------------------------------------------------------- /scripts/taint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | check_tainted() 4 | { 5 | if [ "$(cat /proc/sys/kernel/tainted)" != $TAINT ]; then 6 | echo ERROR: Taint flag changed $(cat /proc/sys/kernel/tainted) 7 | exit 8 | fi 9 | } 10 | 11 | TAINT=$(cat /proc/sys/kernel/tainted) 12 | -------------------------------------------------------------------------------- /syscalls/getpgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(getpgid, pid_t, pid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getpgid = { 7 | .name = "getpgid", 8 | .num_args = 1, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .rettype = RET_PID_T, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/sysinfo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sysinfo, struct sysinfo __user *, info) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sysinfo = { 7 | .name = "sysinfo", 8 | .num_args = 1, 9 | .arg1name = "info", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/vfork.c: -------------------------------------------------------------------------------- 1 | /* 2 | int sys_vfork(struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_vfork = { 7 | .name = "vfork", 8 | .num_args = 1, 9 | .flags = AVOID_SYSCALL, // No args, confuses fuzzer 10 | .arg1name = "regs", 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/mq_unlink.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(mq_unlink, const char __user *, u_name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_mq_unlink = { 7 | .name = "mq_unlink", 8 | .num_args = 1, 9 | .arg1name = "u_name", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/olduname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_olduname = { 7 | .name = "olduname", 8 | .num_args = 1, 9 | .arg1name = "name", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/sigpending.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sigpending, old_sigset_t __user *, set) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sigpending = { 7 | .name = "sigpending", 8 | .num_args = 1, 9 | .arg1name = "set", 10 | .arg1type = ARG_ADDRESS, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/sched_get_priority_max.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sched_get_priority_max, int, policy) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_get_priority_max = { 7 | .name = "sched_get_priority_max", 8 | .num_args = 1, 9 | .arg1name = "policy", 10 | }; 11 | -------------------------------------------------------------------------------- /syscalls/sched_get_priority_min.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sched_get_priority_min, int, policy) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_get_priority_min = { 7 | .name = "sched_get_priority_min", 8 | .num_args = 1, 9 | .arg1name = "policy", 10 | }; 11 | -------------------------------------------------------------------------------- /include/futex.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "types.h" 6 | 7 | struct __lock { 8 | uint32_t futex; 9 | pid_t owner_pid; 10 | }; 11 | 12 | void create_futexes(void); 13 | u32 * get_futex(void); 14 | struct __lock * get_random_lock(void); 15 | -------------------------------------------------------------------------------- /include/taint.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "types.h" 4 | 5 | #define TAINT_NAME_LEN 32 6 | 7 | extern int kernel_taint_initial; 8 | 9 | int get_taint(void); 10 | 11 | bool is_tainted(void); 12 | 13 | void process_taint_arg(char *taintarg); 14 | 15 | void init_taint_checking(void); 16 | -------------------------------------------------------------------------------- /include/uid.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "child.h" 4 | 5 | void dump_uids(void); 6 | void init_uids(void); 7 | void do_uid0_check(void); 8 | void check_uid(void); 9 | 10 | extern uid_t orig_uid; 11 | extern gid_t orig_gid; 12 | 13 | extern uid_t nobody_uid; 14 | extern gid_t nobody_gid; 15 | -------------------------------------------------------------------------------- /syscalls/bdflush.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(bdflush, int, func, long, data) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_bdflush = { 7 | .name = "bdflush", 8 | .num_args = 2, 9 | .arg1name = "func", 10 | .arg2name = "data", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/newuname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_newuname = { 8 | .name = "newuname", 9 | .num_args = 1, 10 | .arg1name = "name", 11 | .arg1type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/setpgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setpgid = { 7 | .name = "setpgid", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "pgid", 12 | }; 13 | -------------------------------------------------------------------------------- /include/logfile.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "child.h" 4 | 5 | FILE *find_logfile_handle(void); 6 | void synclogs(void); 7 | 8 | extern FILE *mainlogfile; 9 | void open_main_logfile(void); 10 | void close_logfile(FILE **handle); 11 | 12 | void open_child_logfile(struct childdata *child); 13 | -------------------------------------------------------------------------------- /syscalls/sched_getscheduler.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sched_getscheduler, pid_t, pid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_getscheduler = { 7 | .name = "sched_getscheduler", 8 | .num_args = 1, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/x86/iopl.c: -------------------------------------------------------------------------------- 1 | /* 2 | long sys_iopl(unsigned int level, struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_iopl = { 7 | .name = "iopl", 8 | .num_args = 2, 9 | .arg1name = "level", 10 | .arg2name = "regs", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/kill.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_kill = { 7 | .name = "kill", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "sig", 12 | .flags = AVOID_SYSCALL, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/semget.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_semget = { 7 | .name = "semget", 8 | .num_args = 3, 9 | .arg1name = "key", 10 | .arg2name = "nsems", 11 | .arg3name = "semflg", 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/sysctl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(sysctl, struct __sysctl_args __user *, args 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sysctl = { 7 | .name = "sysctl", 8 | .num_args = 1, 9 | .arg1name = "args", 10 | .arg1type = ARG_ADDRESS, 11 | .group = GROUP_VFS, 12 | }; 13 | -------------------------------------------------------------------------------- /scripts/load-all-modules.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | DIR=/lib/modules/`uname -r` 4 | 5 | for i in `find $DIR/kernel -type f -name "*.ko" | grep -v test_nx | grep -v ring_buffer_benchmark` 6 | do 7 | MOD=`basename $i | sed s/\.ko//` 8 | echo Loading $MOD 9 | /sbin/modprobe $MOD 10 | done 11 | -------------------------------------------------------------------------------- /syscalls/syncfs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(syncfs, int, fd) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_syncfs = { 7 | .name = "syncfs", 8 | .num_args = 1, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .flags = NEED_ALARM | EXPENSIVE, 12 | .group = GROUP_VFS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/tkill.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(tkill, pid_t, pid, int, sig) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_tkill = { 7 | .name = "tkill", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "sig", 12 | .flags = AVOID_SYSCALL, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/exit_group.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(exit_group, int, error_code) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_exit_group = { 7 | .name = "exit_group", 8 | .num_args = 1, 9 | .flags = AVOID_SYSCALL, // No args to fuzz, confuses fuzzer 10 | .arg1name = "error_code", 11 | }; 12 | -------------------------------------------------------------------------------- /syscalls/getrusage.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getrusage, int, who, struct rusage __user *, ru) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getrusage = { 7 | .name = "getrusage", 8 | .num_args = 2, 9 | .arg1name = "who", 10 | .arg2name = "ru", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/ioprio_set.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ioprio_set = { 7 | .name = "ioprio_set", 8 | .num_args = 3, 9 | .arg1name = "which", 10 | .arg2name = "who", 11 | .arg3name = "ioprio", 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/listen.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(listen, int, fd, int, backlog) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_listen = { 7 | .name = "listen", 8 | .num_args = 2, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "backlog", 12 | .flags = NEED_ALARM, 13 | }; 14 | -------------------------------------------------------------------------------- /include/bpf.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | int get_rand_bpf_fd(void); 4 | 5 | #ifndef BPF_MAP_TYPE_LRU_HASH 6 | #define BPF_MAP_TYPE_LRU_HASH 9 7 | #define BPF_MAP_TYPE_LRU_PERCPU_HASH 10 8 | #define BPF_MAP_TYPE_LPM_TRIE 11 9 | #endif 10 | #ifndef BPF_F_NO_COMMON_LRU 11 | #define BPF_F_NO_COMMON_LRU (1U << 1) 12 | #endif 13 | -------------------------------------------------------------------------------- /syscalls/setpriority.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setpriority = { 7 | .name = "setpriority", 8 | .num_args = 3, 9 | .arg1name = "which", 10 | .arg2name = "who", 11 | .arg3name = "niceval", 12 | }; 13 | -------------------------------------------------------------------------------- /include/socketinfo.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct socket_triplet { 4 | unsigned int family; 5 | unsigned int type; 6 | unsigned int protocol; 7 | }; 8 | 9 | /* We create one of these per socket fd we open, and store them in shm->sockets */ 10 | struct socketinfo { 11 | struct socket_triplet triplet; 12 | int fd; 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/io_setup.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_io_setup = { 7 | .name = "io_setup", 8 | .num_args = 2, 9 | .arg1name = "nr_events", 10 | .arg2name = "ctxp", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/set_tid_address.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(set_tid_address, int __user *, tidptr) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_set_tid_address = { 7 | .name = "set_tid_address", 8 | .num_args = 1, 9 | .arg1name = "tidptr", 10 | .arg1type = ARG_ADDRESS, 11 | .flags = AVOID_SYSCALL, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/signal.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(signal, int, sig, __sighandler_t, handler) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_signal = { 7 | .name = "signal", 8 | .num_args = 2, 9 | .arg1name = "sig", 10 | .arg2name = "handler", 11 | .arg2type = ARG_ADDRESS, 12 | .flags = AVOID_SYSCALL, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/ustat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(ustat, unsigned, dev, struct ustat __user *, ubuf) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ustat = { 7 | .name = "ustat", 8 | .num_args = 2, 9 | .arg1name = "dev", 10 | .arg2name = "ubuf", 11 | .arg2type = ARG_ADDRESS, 12 | .group = GROUP_VFS, 13 | }; 14 | -------------------------------------------------------------------------------- /net/proto-xdp.c: -------------------------------------------------------------------------------- 1 | #include "net.h" 2 | #include "compat.h" 3 | 4 | static struct socket_triplet xdp_triplet[] = { 5 | { .family = PF_XDP, .protocol = 0, .type = SOCK_RAW }, 6 | }; 7 | 8 | const struct netproto proto_xdp = { 9 | .name = "xdp", 10 | .valid_triplets = xdp_triplet, 11 | .nr_triplets = ARRAY_SIZE(xdp_triplet), 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/semctl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE(semctl)(int semid, int semnum, int cmd, union semun arg) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_semctl = { 7 | .name = "semctl", 8 | .num_args = 4, 9 | .arg1name = "semid", 10 | .arg2name = "semnum", 11 | .arg3name = "cmd", 12 | .arg4name = "arg", 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/setrlimit.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setrlimit = { 7 | .name = "setrlimit", 8 | .num_args = 2, 9 | .arg1name = "resource", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "rlim", 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/rt_sigpending.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(rt_sigpending, sigset_t __user *, set, size_t, sigsetsize) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rt_sigpending = { 7 | .name = "rt_sigpending", 8 | .num_args = 2, 9 | .arg1name = "set", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "sigsetsize", 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/sethostname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(sethostname, char __user *, name, int, len) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sethostname = { 7 | .name = "sethostname", 8 | .num_args = 2, 9 | .arg1name = "name", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "len", 12 | .arg2type = ARG_LEN, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/shmat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_shmat = { 7 | .name = "shmat", 8 | .num_args = 3, 9 | .arg1name = "shmid", 10 | .arg2name = "shmaddr", 11 | .arg2type = ARG_ADDRESS, 12 | .arg3name = "shmflg", 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/x86/i386/vm86.c: -------------------------------------------------------------------------------- 1 | /* 2 | * int sys_vm86(unsigned long cmd, unsigned long arg, struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_vm86 = { 7 | .name = "vm86", 8 | .num_args = 3, 9 | .arg1name = "cmd", 10 | .arg2name = "arg", 11 | .arg3name = "regs", 12 | .arg3type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /include/log.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "child.h" 4 | #include "logfile.h" 5 | 6 | void init_logging(void); 7 | void shutdown_logging(void); 8 | 9 | enum { 10 | LOGGING_DISABLED, 11 | LOGGING_FILES, 12 | }; 13 | 14 | void init_child_logging(struct childdata *child); 15 | void shutdown_child_logging(struct childdata *child); 16 | -------------------------------------------------------------------------------- /syscalls/getuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getuid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getuid = { 7 | .name = "getuid", 8 | .num_args = 0, 9 | }; 10 | 11 | 12 | /* 13 | * SYSCALL_DEFINE0(getuid16) 14 | */ 15 | 16 | struct syscallentry syscall_getuid16 = { 17 | .name = "getuid16", 18 | .num_args = 0, 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/semop.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops, unsigned, nsops) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_semop = { 7 | .name = "semop", 8 | .num_args = 3, 9 | .arg1name = "semid", 10 | .arg2name = "tsops", 11 | .arg2type = ARG_ADDRESS, 12 | .arg3name = "nsops", 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/setdomainname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setdomainname = { 7 | .name = "setdomainname", 8 | .num_args = 2, 9 | .arg1name = "name", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "len", 12 | .arg2type = ARG_LEN, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/x86/i386/vm86old.c: -------------------------------------------------------------------------------- 1 | /* 2 | * int sys_vm86old(struct vm86_struct __user *v86, struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_vm86old = { 7 | .name = "vm86old", 8 | .num_args = 2, 9 | .arg1name = "v86", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "regs", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/x86/ioperm.c: -------------------------------------------------------------------------------- 1 | /* 2 | asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ioperm = { 7 | .name = "ioperm", 8 | .num_args = 3, 9 | .arg1name = "from", 10 | .arg2name = "num", 11 | .arg3name = "turn_on", 12 | .flags = AVOID_SYSCALL, 13 | }; 14 | -------------------------------------------------------------------------------- /net/proto-qrtr.c: -------------------------------------------------------------------------------- 1 | #include "net.h" 2 | #include "compat.h" 3 | 4 | static struct socket_triplet qipcrtr_triplet[] = { 5 | { .family = PF_QIPCRTR, .protocol = 0, .type = SOCK_DGRAM }, 6 | }; 7 | 8 | const struct netproto proto_qipcrtr = { 9 | .name = "qrtr", 10 | .valid_triplets = qipcrtr_triplet, 11 | .nr_triplets = ARRAY_SIZE(qipcrtr_triplet), 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/pciconfig_iobase.c: -------------------------------------------------------------------------------- 1 | /* 2 | asmlinkage long sys_pciconfig_iobase(long which, unsigned long bus, unsigned long devfn); 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_pciconfig_iobase = { 7 | .name = "pciconfig_iobase", 8 | .num_args = 3, 9 | .arg1name = "which", 10 | .arg2name = "bus", 11 | .arg3name = "devfn", 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/timer_gettime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(timer_gettime, timer_t, timer_id, struct itimerspec __user *, setting) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_timer_gettime = { 7 | .name = "timer_gettime", 8 | .num_args = 2, 9 | .arg1name = "timer_id", 10 | .arg2name = "setting", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/utime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(utime, char __user *, filename, struct utimbuf __user *, times) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_utime = { 7 | .name = "utime", 8 | .num_args = 2, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "times", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /include/stats.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Various statistics. */ 4 | 5 | struct stats_s { 6 | unsigned long op_count; 7 | unsigned long successes; 8 | unsigned long failures; 9 | 10 | /* Counts to tell if we're making progress or not. */ 11 | unsigned long previous_op_count; /* combined total of all children */ 12 | }; 13 | 14 | void dump_stats(void); 15 | -------------------------------------------------------------------------------- /scripts/analyse-dumps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | TRINITY_PATH=${TRINITY_PATH:-.} 4 | 5 | for core in tmp/trinity.*/tmp/core.* 6 | do 7 | gdb -batch -n -ex 'bt' $TRINITY_PATH/trinity $core > core.txt 8 | SHA=$(cat core.txt| grep -v New\ LWP | grep -v childno | sha1sum | awk '{ print $1 }') 9 | cat core.txt > core-$SHA.txt 10 | rm -f core.txt 11 | done 12 | 13 | -------------------------------------------------------------------------------- /syscalls/getitimer.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getitimer, int, which, struct itimerval __user *, value) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getitimer = { 7 | .name = "getitimer", 8 | .num_args = 2, 9 | .arg1name = "which", 10 | .arg2name = "value", 11 | .arg2type = ARG_ADDRESS, 12 | .rettype = RET_ZERO_SUCCESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/io_uring_setup.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(io_uring_setup, u32, entries, struct io_uring_params __user *, params) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_io_uring_setup = { 7 | .name = "io_uring_setup", 8 | .num_args = 2, 9 | .arg1name = "entries", 10 | .arg2name = "params", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/utimes.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(utimes, char __user *, filename, struct timeval __user *, utimes) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_utimes = { 7 | .name = "utimes", 8 | .num_args = 2, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "utimes", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/sched_setattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(sched_setattr, pid_t, pid, struct sched_attr __user *, uattr) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_setattr = { 7 | .name = "sched_setattr", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "uattr", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/acct.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(acct, const char __user *, name) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_acct = { 10 | .name = "acct", 11 | .num_args = 1, 12 | .arg1name = "name", 13 | .arg1type = ARG_ADDRESS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/inotify_rm_watch.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(inotify_rm_watch, int, fd, __s32, wd) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_inotify_rm_watch = { 7 | .name = "inotify_rm_watch", 8 | .num_args = 2, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "wd", 12 | .flags = NEED_ALARM, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/sched_getparam.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(sched_getparam, pid_t, pid, struct sched_param __user *, param) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_getparam = { 7 | .name = "sched_getparam", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "param", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/sched_setparam.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(sched_setparam, pid_t, pid, struct sched_param __user *, param) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_setparam = { 7 | .name = "sched_setparam", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "param", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /Documentation/pro-tips.txt: -------------------------------------------------------------------------------- 1 | Some things you might like to know to run trinity like a pro(tm). 2 | 3 | - The kernel is pretty noisy in some areas. You might find that it's 4 | worthwhile to remove a bunch of the noisier printk/WARN statements 5 | in your kernel tree while fuzzing. 6 | 7 | - Likewise, setting the sysctl net.core.warnings = 0 may be a good idea. 8 | 9 | 10 | -------------------------------------------------------------------------------- /syscalls/gettimeofday.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(gettimeofday, struct timeval __user *, tv, struct timezone __user *, tz) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_gettimeofday = { 7 | .name = "gettimeofday", 8 | .num_args = 2, 9 | .arg1name = "tv", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "tz", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/ia64/getunwind.c: -------------------------------------------------------------------------------- 1 | /* 2 | sys_getunwind (void __user *buf, size_t buf_size) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getunwind = { 7 | .name = "getunwind", 8 | .num_args = 2, 9 | .flags = AVOID_SYSCALL, // IA-64 only 10 | .arg1name = "buf", 11 | .arg1type = ARG_ADDRESS, 12 | .arg2name = "buf_size", 13 | .arg2type = ARG_LEN, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/settimeofday.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv, struct timezone __user *, tz) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_settimeofday = { 7 | .name = "settimeofday", 8 | .num_args = 2, 9 | .arg1name = "tv", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "tz", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/tgkill.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_tgkill = { 7 | .name = "tgkill", 8 | .num_args = 3, 9 | .arg1name = "tgid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "pid", 12 | .arg2type = ARG_PID, 13 | .arg3name = "sig", 14 | .flags = AVOID_SYSCALL, 15 | }; 16 | -------------------------------------------------------------------------------- /include/syscalls-mips.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "sanitise.h" 4 | #include "syscall.h" 5 | #include "syscalls/syscalls.h" 6 | 7 | #if _MIPS_SIM == _ABIO32 8 | #include "syscalls-mips-o32.h" 9 | #elif _MIPS_SIM == _ABIN32 10 | #include "syscalls-mips-n32.h" 11 | #elif _MIPS_SIM == _ABI64 12 | #include "syscalls-mips-64.h" 13 | #else 14 | #error Unknown MIPS ABI 15 | #endif 16 | -------------------------------------------------------------------------------- /syscalls/link.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_link = { 7 | .name = "link", 8 | .num_args = 2, 9 | .arg1name = "oldname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "newname", 12 | .arg2type = ARG_PATHNAME, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/removexattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(removexattr, const char __user *, pathname, const char __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_removexattr = { 7 | .name = "removexattr", 8 | .num_args = 2, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "name", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/rt_sigsuspend.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(rt_sigsuspend, sigset_t __user *, unewset, size_t, sigsetsize) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rt_sigsuspend = { 7 | .name = "rt_sigsuspend", 8 | .num_args = 2, 9 | .arg1name = "unewset", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "sigsetsize", 12 | .flags = AVOID_SYSCALL, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/waitpid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(waitpid, pid_t, pid, int __user *, stat_addr, int, options) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_waitpid = { 7 | .name = "waitpid", 8 | .num_args = 3, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "stat_addr", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "options", 14 | }; 15 | -------------------------------------------------------------------------------- /include/fanotify.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | unsigned long get_fanotify_init_flags(void); 4 | 5 | unsigned long get_fanotify_init_event_flags(void); 6 | 7 | // FIXME: Keep all this here until glibc supports it. 8 | #ifndef SYS_fanotify_init 9 | #ifdef __x86_64__ 10 | #define SYS_fanotify_init 300 11 | #endif 12 | #ifdef __i386__ 13 | #define SYS_fanotify_init 338 14 | #endif 15 | #endif 16 | -------------------------------------------------------------------------------- /syscalls/getcwd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getcwd, char __user *, buf, unsigned long, size) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getcwd = { 7 | .name = "getcwd", 8 | .num_args = 2, 9 | .arg1name = "buf", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "size", 12 | .arg2type = ARG_LEN, 13 | .rettype = RET_PATH, 14 | .group = GROUP_VFS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/reboot.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, void __user *, arg) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_reboot = { 7 | .name = "reboot", 8 | .num_args = 4, 9 | .arg1name = "magic1", 10 | .arg2name = "magic2", 11 | .arg3name = "cmd", 12 | .arg4name = "arg", 13 | .arg4type = ARG_ADDRESS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/rt_sigreturn.c: -------------------------------------------------------------------------------- 1 | /* 2 | * long sys_rt_sigreturn(struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rt_sigreturn = { 7 | .name = "rt_sigreturn", 8 | .num_args = 1, 9 | .flags = AVOID_SYSCALL, // Confuses the signal state and causes the fuzzer to hang with timeout not firing 10 | .arg1name = "regs", 11 | .arg1type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/set_mempolicy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(set_mempolicy, int, mode, unsigned long __user *, nmask, unsigned long, maxnode) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_set_mempolicy = { 7 | .name = "set_mempolicy", 8 | .num_args = 3, 9 | .arg1name = "mode", 10 | .arg2name = "nmask", 11 | .arg2type = ARG_ADDRESS, 12 | .arg3name = "maxnode", 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/sigreturn.c: -------------------------------------------------------------------------------- 1 | /* 2 | * unsigned long sys_sigreturn(struct pt_regs *regs) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sigreturn = { 7 | .name = "rt_sigreturn", 8 | .num_args = 1, 9 | .flags = AVOID_SYSCALL, // Confuses the signal state and causes the fuzzer to hang with timeout not firing 10 | .arg1name = "regs", 11 | .arg1type = ARG_ADDRESS, 12 | }; 13 | -------------------------------------------------------------------------------- /syscalls/newstat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(newstat, const char __user *, filename, struct stat __user *, statbuf) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_newstat = { 7 | .name = "newstat", 8 | .num_args = 2, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "statbuf", 12 | .arg2type = ARG_ADDRESS, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/nfsservctl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(nfsservctl, int, cmd, struct nfsctl_arg __user *, arg, void __user *, res 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_nfsservctl = { 7 | .name = "nfsservctl", 8 | .num_args = 3, 9 | .arg1name = "cmd", 10 | .arg2name = "arg", 11 | .arg2type = ARG_ADDRESS, 12 | .arg3name = "res", 13 | .arg3type = ARG_ADDRESS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/sigprocmask.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sigprocmask, int, how, old_sigset_t __user *, set, 3 | old_sigset_t __user *, oset) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_sigprocmask = { 8 | .name = "sigprocmask", 9 | .num_args = 3, 10 | .arg1name = "how", 11 | .arg2name = "set", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "oset", 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/timerfd_gettime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(timerfd_gettime, int, ufd, struct itimerspec __user *, otmr) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_timerfd_gettime = { 7 | .name = "timerfd_gettime", 8 | .num_args = 2, 9 | .arg1name = "ufd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "otmr", 12 | .arg2type = ARG_ADDRESS, 13 | .flags = NEED_ALARM, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/mq_notify.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes, const struct sigevent __user *, u_notification) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_mq_notify = { 7 | .name = "mq_notify", 8 | .num_args = 2, 9 | .arg1name = "mqdes", 10 | .arg1type = ARG_FD, 11 | .arg2name = "u_notification", 12 | .arg2type = ARG_ADDRESS, 13 | .flags = NEED_ALARM, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/newlstat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(newlstat, const char __user *, filename, struct stat __user *, statbuf) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_newlstat = { 7 | .name = "newlstat", 8 | .num_args = 2, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "statbuf", 12 | .arg2type = ARG_ADDRESS, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/sched_rr_get_interval.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(sched_rr_get_interval, pid_t, pid, struct timespec __user *, interval) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sched_rr_get_interval = { 7 | .name = "sched_rr_get_interval", 8 | .num_args = 2, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "interval", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | -------------------------------------------------------------------------------- /syscalls/getgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getgid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getgid = { 7 | .name = "getgid", 8 | .num_args = 0, 9 | .rettype = RET_GID_T, 10 | }; 11 | 12 | 13 | /* 14 | * SYSCALL_DEFINE0(getgid) 15 | */ 16 | 17 | struct syscallentry syscall_getgid16 = { 18 | .name = "getgid16", 19 | .num_args = 0, 20 | .rettype = RET_GID_T, 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/pivot_root.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, const char __user *, put_old) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_pivot_root = { 7 | .name = "pivot_root", 8 | .num_args = 2, 9 | .arg1name = "new_root", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "put_old", 12 | .arg2type = ARG_ADDRESS, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/getegid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(getegid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getegid = { 7 | .name = "getegid", 8 | .num_args = 0, 9 | .rettype = RET_GID_T, 10 | }; 11 | 12 | /* 13 | * SYSCALL_DEFINE0(getegid16) 14 | */ 15 | 16 | struct syscallentry syscall_getegid16 = { 17 | .name = "getegid16", 18 | .num_args = 0, 19 | .rettype = RET_GID_T, 20 | }; 21 | -------------------------------------------------------------------------------- /syscalls/lremovexattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname, const char __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_lremovexattr = { 7 | .name = "lremovexattr", 8 | .num_args = 2, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "name", 12 | .arg2type = ARG_ADDRESS, 13 | .group = GROUP_VFS, 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/close.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(close, unsigned int, fd) 3 | * 4 | * returns zero on success. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_close = { 10 | .name = "close", 11 | .num_args = 1, 12 | .arg1name = "fd", 13 | .arg1type = ARG_FD, 14 | .flags = AVOID_SYSCALL, 15 | .rettype = RET_ZERO_SUCCESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/geteuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE0(geteuid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_geteuid = { 7 | .name = "geteuid", 8 | .num_args = 0, 9 | .rettype = RET_UID_T, 10 | }; 11 | 12 | 13 | /* 14 | * SYSCALL_DEFINE0(geteuid16) 15 | */ 16 | 17 | struct syscallentry syscall_geteuid16 = { 18 | .name = "geteuid16", 19 | .num_args = 0, 20 | .rettype = RET_UID_T, 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/readahead.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE(readahead)(int fd, loff_t offset, size_t count) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_readahead = { 7 | .name = "readahead", 8 | .num_args = 3, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "offset", 12 | .arg3name = "count", 13 | .arg3type = ARG_LEN, 14 | .flags = NEED_ALARM, 15 | .group = GROUP_VFS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/brk.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(brk, unsigned long, brk) 3 | * 4 | * On success: Returns the new program break 5 | * On failure: Returns current program break 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_brk = { 10 | .name = "brk", 11 | .num_args = 1, 12 | .arg1name = "brk", 13 | .arg1type = ARG_ADDRESS, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .flags = AVOID_SYSCALL, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/lookup_dcookie.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE(lookup_dcookie)(u64 cookie64, char __user * buf, size_t len) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_lookup_dcookie = { 7 | .name = "lookup_dcookie", 8 | .num_args = 3, 9 | .arg1name = "cookie64", 10 | .arg2name = "buf", 11 | .arg2type = ARG_ADDRESS, 12 | .arg3name = "len", 13 | .arg3type = ARG_LEN, 14 | .group = GROUP_VFS, 15 | }; 16 | -------------------------------------------------------------------------------- /scripts/clean-cores.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | TRINITY_PATH=${TRINITY_PATH:-.} 4 | 5 | # remove old cores 6 | for i in `find . -name "core.*" -exec ls -l {} \; | grep -v "$(date +%b\ %e)" | awk '{ print $9 }'`; do rm -f $i; done 7 | 8 | # Remove corrupted cores 9 | find . -empty -name "core.*" -exec rm -f {} \; 10 | for i in $(file core.* | grep -v $TRINITY_PATH/trinity | awk '{ print $1 }' | sed 's/://'); do rm -f $i; done 11 | -------------------------------------------------------------------------------- /syscalls/io_cancel.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, 3 | struct io_event __user *, result) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_io_cancel = { 8 | .name = "io_cancel", 9 | .num_args = 3, 10 | .arg1name = "ctx_id", 11 | .arg2name = "iocb", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "result", 14 | .arg3type = ARG_ADDRESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/setgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(setgid, gid_t, gid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setgid = { 7 | .name = "setgid", 8 | .num_args = 1, 9 | .arg1name = "gid", 10 | }; 11 | 12 | 13 | /* 14 | * SYSCALL_DEFINE1(setgid16, old_gid_t, gid) 15 | */ 16 | 17 | struct syscallentry syscall_setgid16 = { 18 | .name = "setgid16", 19 | .num_args = 1, 20 | .arg1name = "gid", 21 | }; 22 | -------------------------------------------------------------------------------- /net/proto-icmp6.c: -------------------------------------------------------------------------------- 1 | 2 | #ifdef USE_IPV6 3 | #include 4 | #include 5 | #include "net.h" 6 | #include "compat.h" 7 | #include "random.h" 8 | #include "utils.h" // RAND_ARRAY 9 | 10 | static const unsigned int icmpv6_opts[] = { ICMPV6_FILTER }; 11 | 12 | void icmpv6_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 13 | { 14 | so->optname = RAND_ARRAY(icmpv6_opts); 15 | } 16 | #endif 17 | -------------------------------------------------------------------------------- /syscalls/clone3.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(clone3, struct clone_args __user *, uargs, size_t, size) 3 | */ 4 | 5 | #include 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_clone3 = { 9 | .name = "clone3", 10 | .num_args = 2, 11 | .flags = AVOID_SYSCALL, 12 | .arg1name = "uargs", 13 | .arg1type = ARG_ADDRESS, 14 | .arg2name = "size", 15 | .arg2type = ARG_LEN, 16 | .rettype = RET_PID_T, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/fremovexattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_fremovexattr = { 7 | .name = "fremovexattr", 8 | .num_args = 2, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "name", 12 | .arg2type = ARG_ADDRESS, 13 | .rettype = RET_ZERO_SUCCESS, 14 | .flags = NEED_ALARM, 15 | .group = GROUP_VFS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/io_submit.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr, 3 | struct iocb __user * __user *, iocbpp) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_io_submit = { 8 | .name = "io_submit", 9 | .num_args = 3, 10 | .arg1name = "ctx_id", 11 | .arg2name = "nr", 12 | .arg2type = ARG_LEN, 13 | .arg3name = "iocbpp", 14 | .arg3type = ARG_ADDRESS, 15 | .flags = NEED_ALARM, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/nanosleep.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(nanosleep, struct timespec __user *, rqtp, struct timespec __user *, rmtp) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_nanosleep = { 7 | .name = "nanosleep", 8 | .num_args = 2, 9 | .arg1name = "rqtp", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "rmtp", 12 | .arg2type = ARG_ADDRESS, 13 | .flags = AVOID_SYSCALL, // Boring. Can cause long sleeps. 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/capget.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_capget = { 10 | .name = "capget", 11 | .num_args = 2, 12 | .arg1name = "header", 13 | .arg2name = "dataptr", 14 | .rettype = RET_ZERO_SUCCESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/capset.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_capset = { 10 | .name = "capset", 11 | .num_args = 2, 12 | .arg1name = "header", 13 | .arg2name = "data", 14 | .rettype = RET_ZERO_SUCCESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/sigaltstack.c: -------------------------------------------------------------------------------- 1 | /* 2 | long sys_sigaltstack(const stack_t __user *uss, stack_t __user *uoss, 3 | struct pt_regs *regs) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_sigaltstack = { 8 | .name = "sigaltstack", 9 | .num_args = 3, 10 | .arg1name = "uss", 11 | .arg1type = ARG_ADDRESS, 12 | .arg2name = "uoss", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "regs", 15 | .arg3type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/chdir.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(chdir, const char __user *, filename) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_chdir = { 10 | .name = "chdir", 11 | .num_args = 1, 12 | .arg1name = "filename", 13 | .arg1type = ARG_PATHNAME, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .group = GROUP_VFS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/chroot.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(chroot, const char __user *, filename) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_chroot = { 10 | .name = "chroot", 11 | .num_args = 1, 12 | .arg1name = "filename", 13 | .arg1type = ARG_PATHNAME, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .group = GROUP_VFS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/clock_adjtime.c: -------------------------------------------------------------------------------- 1 | /* 2 | *SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock, 3 | * struct timex __user *, utx) 4 | */ 5 | 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_clock_adjtime = { 9 | .name = "clock_adjtime", 10 | .num_args = 2, 11 | .arg1name = "which_clock", 12 | .arg1type = ARG_RANGE, 13 | .low1range = 0, 14 | .hi1range = 16, 15 | .arg2name = "utx", 16 | .arg2type = ARG_ADDRESS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/init_module.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(init_module, void __user *, umod, 3 | unsigned long, len, const char __user *, uargs) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_init_module = { 8 | .name = "init_module", 9 | .num_args = 3, 10 | .arg1name = "umod", 11 | .arg1type = ARG_ADDRESS, 12 | .arg2name = "len", 13 | .arg2type = ARG_LEN, 14 | .arg3name = "uargs", 15 | .arg3type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/fchdir.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(fchdir, unsigned int, fd) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_fchdir = { 10 | .name = "fchdir", 11 | .num_args = 1, 12 | .arg1name = "fd", 13 | .arg1type = ARG_FD, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .flags = NEED_ALARM, 16 | .group = GROUP_VFS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/memfd_secret.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(memfd_secret, unsigned int, flags) 3 | */ 4 | 5 | #include "sanitise.h" 6 | #include "memfd.h" 7 | #include "compat.h" 8 | 9 | static unsigned long memfd_secret_flags[] = { 10 | 0, 11 | }; 12 | 13 | struct syscallentry syscall_memfd_secret = { 14 | .name = "memfd_secret", 15 | .num_args = 1, 16 | .arg1name = "flag", 17 | .arg1type = ARG_LIST, 18 | .arg1list = ARGLIST(memfd_secret_flags), 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/rt_tgsigqueueinfo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(rt_tgsigqueueinfo, pid_t, tgid, pid_t, pid, int, sig, 3 | siginfo_t __user *, uinfo) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_rt_tgsigqueueinfo = { 8 | .name = "rt_tgsigqueueinfo", 9 | .num_args = 4, 10 | .arg1name = "tgid", 11 | .arg2name = "pid", 12 | .arg2type = ARG_PID, 13 | .arg3name = "sig", 14 | .arg4name = "uinfo", 15 | .arg4type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/sigsuspend.c: -------------------------------------------------------------------------------- 1 | /* 2 | * asmlinkage int 3 | sys_sigsuspend(int history0, int history1, old_sigset_t mask) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_sigsuspend = { 8 | .name = "sigsuspend", 9 | .num_args = 2, 10 | .arg1name = "history0", 11 | .arg2name = "history1", 12 | .arg3name = "mask", 13 | .flags = AVOID_SYSCALL, // Confuses the signal state and causes the fuzzer to hang with timeout not firing 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/sysfs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sysfs, int, option, unsigned long, arg1, unsigned long, arg2) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static unsigned long sysfs_options[] = { 7 | 1, 2, 3, 8 | }; 9 | 10 | struct syscallentry syscall_sysfs = { 11 | .name = "sysfs", 12 | .num_args = 3, 13 | .arg1name = "option", 14 | .arg1type = ARG_OP, 15 | .arg1list = ARGLIST(sysfs_options), 16 | .arg2name = "arg1", 17 | .arg3name = "arg2", 18 | }; 19 | -------------------------------------------------------------------------------- /include/arch-riscv64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define PAGE_OFFSET 0xffffffc000000000UL 4 | #define TASK_SIZE (1UL << 39) 5 | #define MODULE_ADDR (PAGE_OFFSET - 0x04000000) 6 | #define KERNEL_ADDR (PAGE_OFFSET + 0x80000) 7 | 8 | #define PAGE_SHIFT 12 9 | #define PTE_FILE_MAX_BITS 60 10 | 11 | #define PTRACE_GETREGS 0 12 | #define PTRACE_GETFPREGS 0 13 | #define PTRACE_SETREGS 0 14 | #define PTRACE_SETFPREGS 0 15 | 16 | #define SYSCALLS syscalls_riscv64 17 | -------------------------------------------------------------------------------- /syscalls/quotactl_fd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(quotactl_fd, unsigned int, fd, unsigned int, cmd, 3 | qid_t, id, void __user *, addr) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_quotactl_fd = { 8 | .name = "quotactl_fd", 9 | .num_args = 4, 10 | .arg1name = "fd", 11 | .arg1type = ARG_FD, 12 | .arg2name = "cmd", 13 | .arg3name = "id", 14 | .arg4name = "addr", 15 | .arg4type = ARG_ADDRESS, 16 | .group = GROUP_VFS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/rt_sigqueueinfo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig, siginfo_t __user *, uinfo) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_rt_sigqueueinfo = { 7 | .name = "rt_sigqueueinfo", 8 | .num_args = 3, 9 | .arg1name = "pid", 10 | .arg1type = ARG_PID, 11 | .arg2name = "sig", 12 | .arg3name = "uinfo", 13 | .arg3type = ARG_ADDRESS, 14 | .flags = AVOID_SYSCALL, // needs more signal handling. 15 | }; 16 | -------------------------------------------------------------------------------- /scripts/test-all-syscalls-parallel.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . scripts/paths.sh 4 | . scripts/privs.sh 5 | . scripts/taint.sh 6 | 7 | chmod 755 $TRINITY_TMP 8 | cd $TRINITY_TMP 9 | 10 | 11 | while [ 1 ]; 12 | do 13 | for syscall in $($TRINITY_PATH/trinity -L | grep entrypoint | grep -v AVOID | awk '{ print $3 }' | sort -u) 14 | do 15 | MALLOC_CHECK_=2 $TRINITY_PATH/trinity -q -c $syscall -D $DROPPRIVS & 16 | done 17 | wait 18 | check_tainted 19 | done 20 | -------------------------------------------------------------------------------- /syscalls/oldreaddir.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(old_readdir, unsigned int, fd, 3 | struct old_linux_dirent __user *, dirent, unsigned int, count) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_oldreaddir = { 8 | .name = "old_readdir", 9 | .num_args = 3, 10 | .arg1name = "fd", 11 | .arg1type = ARG_FD, 12 | .arg2name = "dirent", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "count", 15 | .arg3type = ARG_LEN, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/wait4.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr, 3 | int, options, struct rusage __user *, ru) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_wait4 = { 8 | .name = "wait4", 9 | .num_args = 4, 10 | .arg1name = "upid", 11 | .arg1type = ARG_PID, 12 | .arg2name = "stat_addr", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "options", 15 | .arg4name = "ru", 16 | .arg4type = ARG_ADDRESS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/fdatasync.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(fdatasync, unsigned int, fd) 3 | * 4 | * On success, returns zero. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_fdatasync = { 10 | .name = "fdatasync", 11 | .num_args = 1, 12 | .arg1name = "fd", 13 | .arg1type = ARG_FD, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .flags = NEED_ALARM | EXPENSIVE, 16 | .group = GROUP_VFS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/fsync.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(fsync, unsigned int, fd) 3 | * 4 | * On success, these system calls return zero. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_fsync = { 10 | .name = "fsync", 11 | .num_args = 1, 12 | .arg1name = "fd", 13 | .arg1type = ARG_FD, 14 | .rettype = RET_ZERO_SUCCESS, 15 | .flags = NEED_ALARM | EXPENSIVE, 16 | .group = GROUP_VFS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/mq_open.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, mode_t, mode, struct mq_attr __user *, u_a> 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_mq_open = { 7 | .name = "mq_open", 8 | .num_args = 4, 9 | .arg1name = "u_name", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "oflag", 12 | .arg3name = "mode", 13 | .arg3type = ARG_MODE_T, 14 | .arg4name = "u_attr", 15 | .arg4type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/pciconfig_read.c: -------------------------------------------------------------------------------- 1 | /* 2 | sys_pciconfig_read (unsigned long bus, unsigned long dfn, unsigned long off, unsigned long len, 3 | void *buf) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_pciconfig_read = { 8 | .name = "pciconfig_read", 9 | .num_args = 5, 10 | .arg1name = "bus", 11 | .arg2name = "dfn", 12 | .arg3name = "off", 13 | .arg4name = "len", 14 | .arg5name = "buf", 15 | .arg5type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/quotactl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(quotactl, unsigned int, cmd, const char __user *, special, 3 | qid_t, id, void __user *, addr) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_quotactl = { 8 | .name = "quotactl", 9 | .num_args = 4, 10 | .arg1name = "cmd", 11 | .arg2name = "special", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "id", 14 | .arg4name = "addr", 15 | .arg4type = ARG_ADDRESS, 16 | .group = GROUP_VFS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/sched_getaffinity.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sched_getaffinity, pid_t, pid, unsigned int, len, 3 | unsigned long __user *, user_mask_ptr) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_sched_getaffinity = { 8 | .name = "sched_getaffinity", 9 | .num_args = 3, 10 | .arg1name = "pid", 11 | .arg1type = ARG_PID, 12 | .arg2name = "len", 13 | .arg2type = ARG_LEN, 14 | .arg3name = "user_mask_ptr", 15 | .arg3type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/sched_setaffinity.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sched_setaffinity, pid_t, pid, unsigned int, len, 3 | unsigned long __user *, user_mask_ptr) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_sched_setaffinity = { 8 | .name = "sched_setaffinity", 9 | .num_args = 3, 10 | .arg1name = "pid", 11 | .arg1type = ARG_PID, 12 | .arg2name = "len", 13 | .arg2type = ARG_LEN, 14 | .arg3name = "user_mask_ptr", 15 | .arg3type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /include/locks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "types.h" 5 | 6 | struct lock_struct { 7 | volatile unsigned char lock; 8 | pid_t owner; 9 | }; 10 | 11 | typedef struct lock_struct lock_t; 12 | 13 | #define UNLOCKED 0 14 | #define LOCKING 1 15 | #define LOCKED 2 16 | 17 | bool trylock(lock_t *_lock); 18 | void lock(lock_t *_lock); 19 | void unlock(lock_t *_lock); 20 | 21 | bool check_all_locks(void); 22 | 23 | void bust_lock(lock_t *_lock); 24 | -------------------------------------------------------------------------------- /scripts/clean-ipc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #for s in `ipcs -m | grep $(whoami) | cut -c12-19` 3 | #do 4 | #echo $s 5 | #ipcrm shm $s 6 | #done 7 | 8 | #for s in `ipcs -m | grep $(whoami) | grep -v ^0x00000000 | awk '{ print $1 }'`; do ipcrm -M $s ; done 9 | 10 | for s in `ipcs -m | grep $(whoami) | awk '{ print $2 }'`; do ipcrm -m $s; done 11 | 12 | for s in `ipcs -q | grep $(whoami) | grep -v ^0x00000000 | awk '{ print $1 }'` 13 | do 14 | ipcrm -Q $s 15 | done 16 | 17 | 18 | -------------------------------------------------------------------------------- /syscalls/pciconfig_write.c: -------------------------------------------------------------------------------- 1 | /* 2 | sys_pciconfig_write (unsigned long bus, unsigned long dfn, unsigned long off, unsigned long len, 3 | void *buf) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_pciconfig_write = { 8 | .name = "pciconfig_write", 9 | .num_args = 5, 10 | .arg1name = "bus", 11 | .arg2name = "dfn", 12 | .arg3name = "off", 13 | .arg4name = "len", 14 | .arg5name = "buf", 15 | .arg5type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/semtimedop.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, 3 | unsigned, nsops, const struct timespec __user *, timeout) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_semtimedop = { 8 | .name = "semtimedop", 9 | .num_args = 4, 10 | .arg1name = "semid", 11 | .arg2name = "tsops", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "nsops", 14 | .arg4name = "timeout", 15 | .arg4type = ARG_ADDRESS, 16 | }; 17 | -------------------------------------------------------------------------------- /include/arch-sparc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __arch64__ 4 | #define KERNEL_ADDR 0xfffff80000000000 5 | #define MODULE_ADDR 0xffffffffa0000000L // FIXME: Placeholder 6 | #define TASK_SIZE ~0UL 7 | #define PAGE_SHIFT 13 8 | #define PTE_FILE_MAX_BITS (64UL - PAGE_SHIFT - 1UL) 9 | #else 10 | #define KERNEL_ADDR 0xf0000000 11 | #define TASK_SIZE 0xF0000000UL 12 | #define PAGE_SHIFT 12 13 | #define PTE_FILE_MAX_BITS 24 14 | #endif 15 | 16 | #define SYSCALLS syscalls_sparc 17 | -------------------------------------------------------------------------------- /syscalls/pidfd_open.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(pidfd_open, pid_t, pid, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static unsigned long pidfd_open_flags[] = { 7 | 0, 8 | }; 9 | 10 | struct syscallentry syscall_pidfd_open = { 11 | .name = "pidfd_open", 12 | .num_args = 2, 13 | .arg1type = ARG_PID, 14 | .arg1name = "pid", 15 | .arg2name = "flags", 16 | .arg2type = ARG_LIST, 17 | .arg2list = ARGLIST(pidfd_open_flags), 18 | .rettype = RET_PID_T, 19 | }; 20 | -------------------------------------------------------------------------------- /include/arch-arm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define PAGE_OFFSET 0xC0000000 4 | /* 5 | * Alternative possibilities for PAGE_OFFSET: 6 | * default 0x40000000 if VMSPLIT_1G 7 | * default 0x80000000 if VMSPLIT_2G 8 | */ 9 | #define TASK_SIZE (PAGE_OFFSET - 0x01000000) 10 | #define MODULE_ADDR (PAGE_OFFSET - 0x00800000) 11 | #define KERNEL_ADDR (PAGE_OFFSET + 0x00008000) 12 | 13 | #define PAGE_SHIFT 12 14 | 15 | #define PTE_FILE_MAX_BITS 29 16 | 17 | #define SYSCALLS syscalls_arm 18 | -------------------------------------------------------------------------------- /syscalls/alarm.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(alarm, unsigned int, seconds) 3 | * 4 | * returns the number of seconds remaining until any previously scheduled alarm was due to be delivered, 5 | * or zero if there was no previously scheduled 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_alarm = { 10 | .flags = AVOID_SYSCALL, /* we rely on a useful alarm for every syscall. */ 11 | .name = "alarm", 12 | .num_args = 1, 13 | .arg1name = "seconds", 14 | }; 15 | -------------------------------------------------------------------------------- /syscalls/chmod.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(chmod, const char __user *, filename, mode_t, mode) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_chmod = { 10 | .name = "chmod", 11 | .num_args = 2, 12 | .arg1name = "filename", 13 | .arg1type = ARG_PATHNAME, 14 | .arg2name = "mode", 15 | .arg2type = ARG_MODE_T, 16 | .rettype = RET_ZERO_SUCCESS, 17 | }; 18 | -------------------------------------------------------------------------------- /include/pids.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "child.h" 5 | #include "types.h" 6 | 7 | extern pid_t *pids; 8 | extern pid_t mainpid; 9 | 10 | #define for_each_child(i) for (i = 0; i < max_children; i++) 11 | 12 | #define CHILD_NOT_FOUND -1 13 | #define EMPTY_PIDSLOT -1 14 | 15 | bool pid_alive(pid_t pid); 16 | int find_childno(pid_t mypid); 17 | bool pidmap_empty(void); 18 | void dump_childnos(void); 19 | int pid_is_valid(pid_t); 20 | void pids_init(void); 21 | -------------------------------------------------------------------------------- /syscalls/clock_getres.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock, struct timespec __user *, tp) 3 | * 4 | * return 0 for success, or -1 for failure (in which case errno is set appropriately). 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_clock_getres = { 9 | .name = "clock_getres", 10 | .num_args = 2, 11 | .arg1name = "which_clock", 12 | .arg2name = "tp", 13 | .arg2type = ARG_ADDRESS, 14 | .rettype = RET_ZERO_SUCCESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/clock_gettime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock, struct timespec __user *,tp) 3 | * 4 | * return 0 for success, or -1 for failure (in which case errno is set appropriately). 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_clock_gettime = { 9 | .name = "clock_gettime", 10 | .num_args = 2, 11 | .arg1name = "which_clock", 12 | .arg2name = "tp", 13 | .arg2type = ARG_ADDRESS, 14 | .rettype = RET_ZERO_SUCCESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/flock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd) 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_flock = { 10 | .name = "flock", 11 | .num_args = 2, 12 | .arg1name = "fd", 13 | .arg1type = ARG_FD, 14 | .arg2name = "cmd", 15 | .rettype = RET_ZERO_SUCCESS, 16 | .flags = NEED_ALARM, 17 | .group = GROUP_VFS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/get_robust_list.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(get_robust_list, int, pid, 3 | struct robust_list_head __user * __user *, head_ptr, 4 | size_t __user *, len_ptr) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_get_robust_list = { 9 | .name = "get_robust_list", 10 | .num_args = 3, 11 | .arg1name = "pid", 12 | .arg1type = ARG_PID, 13 | .arg2name = "head_ptr", 14 | .arg2type = ARG_ADDRESS, 15 | .arg3name = "len_ptr", 16 | .arg3type = ARG_ADDRESS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/setfsgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(setfsgid, gid_t, gid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setfsgid = { 7 | .name = "setfsgid", 8 | .num_args = 1, 9 | .arg1name = "gid", 10 | .group = GROUP_VFS, 11 | }; 12 | 13 | /* 14 | * SYSCALL_DEFINE1(setfsgid16, old_gid_t, gid) 15 | */ 16 | 17 | struct syscallentry syscall_setfsgid16 = { 18 | .name = "setfsgid16", 19 | .num_args = 1, 20 | .arg1name = "gid", 21 | .group = GROUP_VFS, 22 | }; 23 | -------------------------------------------------------------------------------- /syscalls/setitimer.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(setitimer, int, which, struct itimerval __user *, value, struct itimerval __user *, ovalue) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setitimer = { 7 | .flags = AVOID_SYSCALL, /* setitimer interferes with alarm() */ 8 | .name = "setitimer", 9 | .num_args = 3, 10 | .arg1name = "which", 11 | .arg2name = "value", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "ovalue", 14 | .arg3type = ARG_ADDRESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/userfaultfd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(userfaultfd, int, flags) 3 | */ 4 | 5 | #include 6 | #include "sanitise.h" 7 | 8 | static unsigned long userfaultfd_flags[] = { 9 | O_CLOEXEC, O_NONBLOCK, 10 | }; 11 | 12 | struct syscallentry syscall_userfaultfd = { 13 | .name = "userfaultfd", 14 | .num_args = 1, 15 | .arg1name = "flags", 16 | .arg1type = ARG_LIST, 17 | .arg1list = ARGLIST(userfaultfd_flags), 18 | .flags = NEED_ALARM, 19 | .rettype = RET_FD, 20 | }; 21 | -------------------------------------------------------------------------------- /syscalls/delete_module.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(delete_module, const char __user *, name_user, unsigned int, flags 3 | * 4 | * On success, zero is returned. 5 | * On error, -1 is returned and errno is set appropriately. 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_delete_module = { 10 | .name = "delete_module", 11 | .num_args = 2, 12 | .arg1name = "name_user", 13 | .arg1type = ARG_ADDRESS, 14 | .arg2name = "flags", 15 | .rettype = RET_ZERO_SUCCESS, 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/setfsuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(setfsuid, uid_t, uid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setfsuid = { 7 | .name = "setfsuid", 8 | .num_args = 1, 9 | .arg1name = "uid", 10 | .group = GROUP_VFS, 11 | }; 12 | 13 | 14 | /* 15 | * SYSCALL_DEFINE1(setfsuid16, old_uid_t, uid) 16 | */ 17 | 18 | struct syscallentry syscall_setfsuid16 = { 19 | .name = "setfsuid16", 20 | .num_args = 1, 21 | .arg1name = "uid", 22 | .group = GROUP_VFS, 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/clock_settime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock, const struct timespec __user *, tp) 3 | * 4 | * return 0 for success, or -1 for failure (in which case errno is set appropriately). 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_clock_settime = { 9 | .name = "clock_settime", 10 | .num_args = 2, 11 | .arg1name = "which_clock", 12 | .arg2name = "tp", 13 | .arg2type = ARG_ADDRESS, 14 | .rettype = RET_ZERO_SUCCESS, 15 | }; 16 | -------------------------------------------------------------------------------- /syscalls/getcpu.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getcpu, unsigned __user *, cpup, unsigned __user *, nodep, 3 | struct getcpu_cache __user *, unused) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_getcpu = { 8 | .name = "getcpu", 9 | .num_args = 3, 10 | .arg1name = "cpup", 11 | .arg1type = ARG_ADDRESS, 12 | .arg2name = "nodep", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "unused", 15 | .arg3type = ARG_ADDRESS, 16 | .rettype = RET_ZERO_SUCCESS, 17 | }; 18 | -------------------------------------------------------------------------------- /syscalls/process_mrelease.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(process_mrelease, int, pidfd, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static unsigned long process_mrelease_flags[] = { 7 | 0, // currently no flags defined, mbz 8 | }; 9 | 10 | struct syscallentry syscall_process_mrelease = { 11 | .name = "process_mrelease", 12 | .num_args = 2, 13 | .arg1name = "pidfd", 14 | .arg2name = "flags", 15 | .arg2type = ARG_LIST, 16 | .arg2list = ARGLIST(process_mrelease_flags), 17 | }; 18 | -------------------------------------------------------------------------------- /include/pathnames.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | extern unsigned int nr_file_fds; 8 | extern char *victim_path; 9 | extern const char **fileindex; 10 | extern unsigned int files_in_index; 11 | 12 | #define MAX_PATH_LEN 4096 13 | 14 | #define NR_FILE_FDS 250U 15 | 16 | int check_stat_file(const struct stat *sb); 17 | void generate_filelist(void); 18 | const char * get_filename(void); 19 | const char * generate_pathname(void); 20 | -------------------------------------------------------------------------------- /syscalls/setns.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setns, int, fd, int, nstype) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | 7 | static unsigned long setns_types[] = { 8 | 0, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWUTS, 9 | }; 10 | 11 | struct syscallentry syscall_setns= { 12 | .name = "setns", 13 | .num_args = 2, 14 | .arg1name = "fd", 15 | .arg1type = ARG_FD, 16 | .arg2name = "nstype", 17 | .arg2type = ARG_LIST, 18 | .arg2list = ARGLIST(setns_types), 19 | .flags = NEED_ALARM, 20 | }; 21 | -------------------------------------------------------------------------------- /syscalls/shutdown.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(shutdown, int, fd, int, how) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | 7 | static unsigned long shutdown_hows[] = { 8 | SHUT_RD, SHUT_WR, SHUT_RDWR, 9 | }; 10 | 11 | struct syscallentry syscall_shutdown = { 12 | .name = "shutdown", 13 | .num_args = 2, 14 | .arg1name = "fd", 15 | .arg1type = ARG_FD, 16 | .arg2name = "how", 17 | .arg2type = ARG_LIST, 18 | .arg2list = ARGLIST(shutdown_hows), 19 | .flags = NEED_ALARM, 20 | }; 21 | -------------------------------------------------------------------------------- /include/arch-mips.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define KERNEL_ADDR 0xc0100220 4 | #define MODULE_ADDR 0xa0000000 // FIXME: Placeholder 5 | #define PAGE_OFFSET 0x80000000 6 | #define TASK_SIZE (PAGE_OFFSET) 7 | #define PAGE_SHIFT 12 8 | #define PTE_FILE_MAX_BITS 31 9 | 10 | #if _MIPS_SIM == _ABIO32 11 | #define SYSCALL_OFFSET 4000 12 | #elif _MIPS_SIM == _ABIN32 13 | #define SYSCALL_OFFSET 6000 14 | #elif _MIPS_SIM == _ABI64 15 | #define SYSCALL_OFFSET 5000 16 | #endif 17 | 18 | #define SYSCALLS syscalls_mips 19 | -------------------------------------------------------------------------------- /include/object-types.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | enum objecttype { 4 | OBJ_MMAP_ANON, 5 | OBJ_MMAP_FILE, 6 | OBJ_MMAP_TESTFILE, 7 | OBJ_FD_PIPE, 8 | OBJ_FD_FILE, 9 | OBJ_FD_PERF, 10 | OBJ_FD_EPOLL, 11 | OBJ_FD_EVENTFD, 12 | OBJ_FD_TIMERFD, 13 | OBJ_FD_TESTFILE, 14 | OBJ_FD_MEMFD, 15 | OBJ_FD_DRM, 16 | OBJ_FD_INOTIFY, 17 | OBJ_FD_SOCKET, 18 | OBJ_FD_USERFAULTFD, 19 | OBJ_FD_FANOTIFY, 20 | OBJ_FD_BPF_MAP, 21 | OBJ_FD_BPF_PROG, 22 | OBJ_FUTEX, 23 | OBJ_SYSV_SHM, 24 | MAX_OBJECT_TYPES, 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/futimesat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(futimesat, int, dfd, const char __user *, filename, 3 | struct timeval __user *, utimes) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_futimesat = { 8 | .name = "futimesat", 9 | .num_args = 3, 10 | .arg1name = "dfd", 11 | .arg1type = ARG_FD, 12 | .arg2name = "filename", 13 | .arg2type = ARG_PATHNAME, 14 | .arg3name = "utimes", 15 | .arg3type = ARG_ADDRESS, 16 | .rettype = RET_ZERO_SUCCESS, 17 | .flags = NEED_ALARM, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/waitid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *, 3 | infop, int, options, struct rusage __user *, ru) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_waitid = { 8 | .name = "waitid", 9 | .num_args = 5, 10 | .arg1name = "which", 11 | .arg2name = "upid", 12 | .arg2type = ARG_PID, 13 | .arg3name = "infop", 14 | .arg3type = ARG_ADDRESS, 15 | .arg4name = "options", 16 | .arg5name = "ru", 17 | .arg5type = ARG_ADDRESS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/mq_getsetattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(mq_getsetattr, mqd_t, mqdes, 3 | const struct mq_attr __user *, u_mqstat, 4 | struct mq_attr __user *, u_omqstat) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_mq_getsetattr = { 9 | .name = "mq_getsetattr", 10 | .num_args = 3, 11 | .arg1name = "mqdes", 12 | .arg1type = ARG_FD, 13 | .arg2name = "u_mqstat", 14 | .arg2type = ARG_ADDRESS, 15 | .arg3name = "u_omqstat", 16 | .arg3type = ARG_ADDRESS, 17 | .flags = NEED_ALARM, 18 | }; 19 | -------------------------------------------------------------------------------- /include/arch-aarch64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define PAGE_OFFSET 0xffffffc000000000UL 4 | #define TASK_SIZE (1UL << 39) 5 | #define MODULE_ADDR (PAGE_OFFSET - 0x04000000) 6 | #define KERNEL_ADDR (PAGE_OFFSET + 0x80000) 7 | 8 | /* PAGE_SHIFT is 16 ifdef CONFIG_ARM64_64K_PAGES */ 9 | #define PAGE_SHIFT 12 10 | #define PTE_FILE_MAX_BITS 60 11 | 12 | #define PTRACE_GETREGS 0 13 | #define PTRACE_GETFPREGS 0 14 | #define PTRACE_SETREGS 0 15 | #define PTRACE_SETFPREGS 0 16 | 17 | #define SYSCALLS syscalls_aarch64 18 | -------------------------------------------------------------------------------- /syscalls/prlimit64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, 3 | const struct rlimit64 __user *, new_rlim, 4 | struct rlimit64 __user *, old_rlim) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_prlimit64 = { 9 | .name = "prlimit64", 10 | .num_args = 4, 11 | .arg1name = "pid", 12 | .arg1type = ARG_PID, 13 | .arg2name = "resource", 14 | .arg3name = "new_rlim", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "old_rlim", 17 | .arg4type = ARG_ADDRESS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/setregid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setregid = { 7 | .name = "setregid", 8 | .num_args = 2, 9 | .arg1name = "rgid", 10 | .arg2name = "egid", 11 | }; 12 | 13 | /* 14 | * SYSCALL_DEFINE2(setregid16, old_gid_t, rgid, old_gid_t, egid) 15 | */ 16 | 17 | struct syscallentry syscall_setregid16 = { 18 | .name = "setregid16", 19 | .num_args = 2, 20 | .arg1name = "rgid", 21 | .arg2name = "egid", 22 | }; 23 | -------------------------------------------------------------------------------- /include/arch-ia64.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define KERNEL_ADDR 0xa000000100000000 4 | #define MODULE_ADDR 0xffffffffa0000000L // FIXME: Placeholder 5 | #define PAGE_OFFSET 0xe000000000000000 6 | #define TASK_SIZE 0xa000000000000000 7 | 8 | #define PAGE_SHIFT 12 9 | #define PTE_FILE_MAX_BITS 61 10 | 11 | #define SYSCALL_OFFSET 1024 12 | 13 | // for __IA64_UL_CONST we need to include: 14 | #include 15 | 16 | #define PTRACE_GETFPREGS 0 17 | #define PTRACE_SETFPREGS 0 18 | 19 | #define SYSCALLS syscalls_ia64 20 | -------------------------------------------------------------------------------- /syscalls/setreuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setreuid = { 7 | .name = "setreuid", 8 | .num_args = 2, 9 | .arg1name = "ruid", 10 | .arg2name = "euid", 11 | }; 12 | 13 | 14 | /* 15 | * SYSCALL_DEFINE2(setreuid16, old_uid_t, ruid, old_uid_t, euid) 16 | */ 17 | 18 | struct syscallentry syscall_setreuid16 = { 19 | .name = "setreuid16", 20 | .num_args = 2, 21 | .arg1name = "ruid", 22 | .arg2name = "euid", 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/creat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(creat, const char __user *, pathname, int, mode) 3 | * 4 | * returns the new file descriptor on success. 5 | * returns -1 if an error occurred (in which case, errno is set appropriately). 6 | */ 7 | #include "sanitise.h" 8 | 9 | struct syscallentry syscall_creat = { 10 | .name = "creat", 11 | .num_args = 2, 12 | .arg1name = "pathname", 13 | .arg1type = ARG_PATHNAME, 14 | .arg2name = "mode", 15 | .arg2type = ARG_MODE_T, 16 | .rettype = RET_FD, 17 | .group = GROUP_VFS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/fsopen.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | // TODO: construct arg1 from /proc/filesystems 7 | 8 | #define FSOPEN_CLOEXEC 0x00000001 9 | static unsigned long fsopen_flags[] = { 10 | FSOPEN_CLOEXEC 11 | }; 12 | 13 | struct syscallentry syscall_fsopen = { 14 | .name = "fsopen", 15 | .num_args = 2, 16 | .arg1name = "_fs_name", 17 | .arg2name = "flags", 18 | .arg2type = ARG_OP, 19 | .arg2list = ARGLIST(fsopen_flags), 20 | }; 21 | -------------------------------------------------------------------------------- /include/arch-i386.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define X86 1 4 | 5 | #define KERNEL_ADDR 0xc0100220 6 | #define MODULE_ADDR 0xa0000000 // FIXME: Placeholder 7 | 8 | #define PAGE_OFFSET 0xC0000000 9 | #define TASK_SIZE (PAGE_OFFSET) 10 | /* 11 | * Alternative possibilities for PAGE_OFFSET: 12 | * default 0xB0000000 if VMSPLIT_3G_OPT 13 | * default 0x78000000 if VMSPLIT_2G 14 | * default 0x40000000 if VMSPLIT_1G 15 | */ 16 | 17 | #define PAGE_SHIFT 12 18 | 19 | #define PTE_FILE_MAX_BITS 31 20 | 21 | #define SYSCALLS syscalls_i386 22 | -------------------------------------------------------------------------------- /syscalls/llseek.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(llseek, unsigned int, fd, unsigned long, offset_high, 3 | unsigned long, offset_low, loff_t __user *, result, 4 | unsigned int, origin) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_llseek = { 9 | .name = "llseek", 10 | .num_args = 5, 11 | .arg1name = "fd", 12 | .arg1type = ARG_FD, 13 | .arg2name = "offset_high", 14 | .arg3name = "offset_low", 15 | .arg4name = "result", 16 | .arg5name = "origin", 17 | .group = GROUP_VFS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/pidfd_getfd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(pidfd_open, pid_t, pid, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static unsigned long pidfd_getfd_flags[] = { 7 | 0, 8 | }; 9 | 10 | struct syscallentry syscall_pidfd_getfd = { 11 | .name = "pidfd_getfd", 12 | .num_args = 3, 13 | .arg1name = "pidfd", 14 | .arg1type = ARG_PID, 15 | .arg2name = "fd", 16 | .arg2type = ARG_PID, 17 | .arg3name = "flags", 18 | .arg3type = ARG_LIST, 19 | .arg3list = ARGLIST(pidfd_getfd_flags), 20 | .rettype = RET_PID_T, 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/getpriority.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getpriority, int, which, int, who) 3 | */ 4 | 5 | #include 6 | #include 7 | #include "sanitise.h" 8 | 9 | static unsigned long getpriority_which[] = { 10 | PRIO_PROCESS, PRIO_PGRP, PRIO_USER, 11 | }; 12 | 13 | struct syscallentry syscall_getpriority = { 14 | .name = "getpriority", 15 | .num_args = 2, 16 | .arg1name = "which", 17 | .arg1type = ARG_OP, 18 | .arg1list = ARGLIST(getpriority_which), 19 | .arg2name = "who", 20 | .arg2type = ARG_PID, 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/getxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(getxattr, const char __user *, pathname, 3 | const char __user *, name, void __user *, value, size_t, size) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_getxattr = { 8 | .name = "getxattr", 9 | .num_args = 4, 10 | .arg1name = "pathname", 11 | .arg1type = ARG_PATHNAME, 12 | .arg2name = "name", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "value", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "size", 17 | .arg4type = ARG_LEN, 18 | .group = GROUP_VFS, 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/lgetxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(lgetxattr, const char __user *, pathname, 3 | const char __user *, name, void __user *, value, size_t, size) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_lgetxattr = { 8 | .name = "lgetxattr", 9 | .num_args = 4, 10 | .arg1name = "pathname", 11 | .arg1type = ARG_PATHNAME, 12 | .arg2name = "name", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "value", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "size", 17 | .arg4type = ARG_LEN, 18 | .group = GROUP_VFS, 19 | }; 20 | -------------------------------------------------------------------------------- /scripts/Lindent: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | PARAM="-npro -kr -i8 -ts8 -nsob -l120 -ss -cs -cp1 -nfca" 3 | RES=`indent --version` 4 | V1=`echo $RES | cut -d' ' -f3 | cut -d'.' -f1` 5 | V2=`echo $RES | cut -d' ' -f3 | cut -d'.' -f2` 6 | V3=`echo $RES | cut -d' ' -f3 | cut -d'.' -f3` 7 | if [ $V1 -gt 2 ]; then 8 | PARAM="$PARAM -il0" 9 | elif [ $V1 -eq 2 ]; then 10 | if [ $V2 -gt 2 ]; then 11 | PARAM="$PARAM -il0"; 12 | elif [ $V2 -eq 2 ]; then 13 | if [ $V3 -ge 10 ]; then 14 | PARAM="$PARAM -il0" 15 | fi 16 | fi 17 | fi 18 | indent $PARAM "$@" 19 | -------------------------------------------------------------------------------- /include/memfd.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef MFD_CLOEXEC 4 | #define MFD_CLOEXEC 0x0001U 5 | #define MFD_ALLOW_SEALING 0x0002U 6 | #define MFD_HUGETLB 0x0004U 7 | #endif 8 | 9 | // FIXME: Keep all this here until glibc supports it. 10 | #ifndef SYS_memfd_create 11 | #ifdef __x86_64__ 12 | #define SYS_memfd_create 319 13 | #endif 14 | #ifdef __i386__ 15 | #define SYS_memfd_create 356 16 | #endif 17 | #ifdef __sparc__ 18 | #define SYS_memfd_create 348 19 | #endif 20 | #ifdef __ia64__ 21 | #define SYS_memfd_create 1340 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /syscalls/landlock_restrict_self.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(landlock_restrict_self, 3 | * const int, ruleset_fd, const __u32, flags) 4 | */ 5 | #include "sanitise.h" 6 | 7 | //static unsigned long landlock_restrict_self_flags[] = { 8 | // , 9 | //}; 10 | 11 | struct syscallentry syscall_landlock_restrict_self = { 12 | .name = "landlock_restrict_self", 13 | .num_args = 2, 14 | .arg1name = "fd", 15 | .arg1type = ARG_FD, 16 | .arg2name = "flags", 17 | // arg2type = ARG_LIST, 18 | // arg2list = ARGLIST(landlock_restrict_self_flags), 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/munlock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len) 3 | */ 4 | #include "maps.h" 5 | #include "sanitise.h" 6 | #include "syscall.h" 7 | #include "trinity.h" 8 | 9 | static void sanitise_munlock(__unused__ struct syscallrecord *rec) 10 | { 11 | (void) common_set_mmap_ptr_len(); 12 | } 13 | 14 | struct syscallentry syscall_munlock = { 15 | .name = "munlock", 16 | .num_args = 2, 17 | .arg1name = "addr", 18 | .arg1type = ARG_MMAP, 19 | .arg2name = "len", 20 | .group = GROUP_VM, 21 | .sanitise = sanitise_munlock, 22 | }; 23 | -------------------------------------------------------------------------------- /syscalls/umount.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(umount, char __user *, name, int, flags) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | #include "compat.h" 7 | 8 | static unsigned long umount_flags[] = { 9 | MNT_FORCE, MNT_DETACH, MNT_EXPIRE, UMOUNT_NOFOLLOW, 10 | }; 11 | 12 | struct syscallentry syscall_umount = { 13 | .name = "umount", 14 | .num_args = 2, 15 | .arg1name = "name", 16 | .arg1type = ARG_PATHNAME, 17 | .arg2name = "flags", 18 | .arg2type = ARG_LIST, 19 | .arg2list = ARGLIST(umount_flags), 20 | .group = GROUP_VFS, 21 | }; 22 | -------------------------------------------------------------------------------- /include/arch-sh.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #if WORD_BIT == 64 6 | #define KERNEL_ADDR 0xfffff80000000000 7 | #define MODULE_ADDR 0xffffffffa0000000L // FIXME: Placeholder 8 | #define TASK_SIZE ~0UL 9 | #define PAGE_SHIFT 12 10 | #define PTE_FILE_MAX_BITS 29 11 | #else 12 | #define KERNEL_ADDR 0xf0000000 13 | #define TASK_SIZE 0xF0000000UL 14 | #define PAGE_SHIFT 12 15 | #define PTE_FILE_MAX_BITS 31 16 | #endif 17 | 18 | #define SYSCALLS syscalls_sh 19 | -------------------------------------------------------------------------------- /syscalls/memfd_create.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(memfd_create, const char __user *, uname, unsigned int, flag 3 | */ 4 | 5 | #include "sanitise.h" 6 | #include "memfd.h" 7 | #include "compat.h" 8 | 9 | static unsigned long memfd_create_flags[] = { 10 | MFD_CLOEXEC, MFD_ALLOW_SEALING, 11 | }; 12 | 13 | struct syscallentry syscall_memfd_create = { 14 | .name = "memfd_create", 15 | .num_args = 2, 16 | .arg1name = "uname", 17 | .arg1type = ARG_ADDRESS, 18 | .arg2name = "flag", 19 | .arg2type = ARG_LIST, 20 | .arg2list = ARGLIST(memfd_create_flags), 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/migrate_pages.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode, 3 | const unsigned long __user *, old_nodes, 4 | const unsigned long __user *, new_nodes) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_migrate_pages = { 9 | .name = "migrate_pages", 10 | .num_args = 4, 11 | .arg1name = "pid", 12 | .arg1type = ARG_PID, 13 | .arg2name = "maxnode", 14 | .arg3name = "old_nodes", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "new_nodes", 17 | .arg4type = ARG_ADDRESS, 18 | .group = GROUP_VM, 19 | }; 20 | -------------------------------------------------------------------------------- /net/proto-smc.c: -------------------------------------------------------------------------------- 1 | #include "net.h" 2 | #include "compat.h" 3 | 4 | #define SMCPROTO_SMC 0 /* SMC protocol, IPv4 */ 5 | #define SMCPROTO_SMC6 1 /* SMC protocol, IPv6 */ 6 | 7 | static struct socket_triplet smc_triplet[] = { 8 | { .family = SMCPROTO_SMC, .protocol = SMCPROTO_SMC, .type = SOCK_STREAM }, 9 | { .family = SMCPROTO_SMC6, .protocol = SMCPROTO_SMC6, .type = SOCK_STREAM }, 10 | }; 11 | 12 | const struct netproto proto_smc = { 13 | .name = "smc", 14 | .valid_triplets = smc_triplet, 15 | .nr_triplets = ARRAY_SIZE(smc_triplet), 16 | }; 17 | -------------------------------------------------------------------------------- /syscalls/fgetxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, 3 | void __user *, value, size_t, size) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_fgetxattr = { 8 | .name = "fgetxattr", 9 | .num_args = 4, 10 | .arg1name = "fd", 11 | .arg1type = ARG_FD, 12 | .arg2name = "name", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "value", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "size", 17 | .arg4type = ARG_LEN, 18 | .rettype = RET_ZERO_SUCCESS, 19 | .flags = NEED_ALARM, 20 | .group = GROUP_VFS, 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/rt_sigtimedwait.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(rt_sigtimedwait, const sigset_t __user *, uthese, 3 | siginfo_t __user *, uinfo, const struct timespec __user *, uts, 4 | size_t, sigsetsize) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_rt_sigtimedwait = { 9 | .name = "rt_sigtimedwait", 10 | .num_args = 4, 11 | .arg1name = "uthese", 12 | .arg2name = "uinfo", 13 | .arg2type = ARG_ADDRESS, 14 | .arg3name = "uts", 15 | .arg3type = ARG_ADDRESS, 16 | .arg4name = "sigsetsize", 17 | .arg4type = ARG_ADDRESS, 18 | .flags = NEED_ALARM, 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/unshare.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | 7 | static unsigned long unshare_flags[] = { 8 | CLONE_THREAD, CLONE_FS, CLONE_NEWNS, CLONE_SIGHAND, 9 | CLONE_VM, CLONE_FILES, CLONE_SYSVSEM, CLONE_NEWUTS, 10 | CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWUSER, CLONE_NEWPID, 11 | }; 12 | 13 | struct syscallentry syscall_unshare = { 14 | .name = "unshare", 15 | .num_args = 1, 16 | .arg1name = "unshare_flags", 17 | .arg1type = ARG_LIST, 18 | .arg1list = ARGLIST(unshare_flags), 19 | }; 20 | -------------------------------------------------------------------------------- /syscalls/io_getevents.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(io_getevents, aio_context_t, ctx_id, 3 | long, min_nr, 4 | long, nr, 5 | struct io_event __user *, events, 6 | struct timespec __user *, timeout) 7 | */ 8 | #include "sanitise.h" 9 | 10 | struct syscallentry syscall_io_getevents = { 11 | .name = "io_getevents", 12 | .num_args = 5, 13 | .arg1name = "ctx_id", 14 | .arg2name = "min_nr", 15 | .arg2type = ARG_LEN, 16 | .arg3name = "nr", 17 | .arg3type = ARG_LEN, 18 | .arg4name = "events", 19 | .arg4type = ARG_ADDRESS, 20 | .arg5name = "timeout", 21 | .arg5type = ARG_ADDRESS, 22 | }; 23 | -------------------------------------------------------------------------------- /ioctls/rfkill.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "ioctls.h" 5 | #include "utils.h" 6 | 7 | static const struct ioctl rfkill_ioctls[] = { 8 | IOCTL(RFKILL_IOCTL_NOINPUT), 9 | }; 10 | 11 | static const char *const rfkill_devs[] = { 12 | "rfkill", 13 | }; 14 | 15 | static const struct ioctl_group rfkill_grp = { 16 | .devtype = DEV_MISC, 17 | .devs = rfkill_devs, 18 | .devs_cnt = ARRAY_SIZE(rfkill_devs), 19 | .sanitise = pick_random_ioctl, 20 | .ioctls = rfkill_ioctls, 21 | .ioctls_cnt = ARRAY_SIZE(rfkill_ioctls), 22 | }; 23 | 24 | REG_IOCTL_GROUP(rfkill_grp) 25 | -------------------------------------------------------------------------------- /syscalls/setresuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setresuid = { 7 | .name = "setresuid", 8 | .num_args = 3, 9 | .arg1name = "ruid", 10 | .arg2name = "euid", 11 | .arg3name = "suid", 12 | }; 13 | 14 | /* 15 | * SYSCALL_DEFINE3(setresuid16, old_uid_t, ruid, old_uid_t, euid, old_uid_t, suid) 16 | */ 17 | 18 | struct syscallentry syscall_setresuid16 = { 19 | .name = "setresuid16", 20 | .num_args = 3, 21 | .arg1name = "ruid", 22 | .arg2name = "euid", 23 | .arg3name = "suid", 24 | }; 25 | -------------------------------------------------------------------------------- /syscalls/msgctl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf) 3 | */ 4 | #include 5 | #include 6 | #include 7 | #include "sanitise.h" 8 | 9 | static unsigned long msgctl_cmds[] = { 10 | IPC_STAT, IPC_SET, IPC_RMID, IPC_INFO, 11 | MSG_INFO, MSG_STAT, 12 | }; 13 | 14 | struct syscallentry syscall_msgctl = { 15 | .name = "msgctl", 16 | .num_args = 3, 17 | .arg1name = "msqid", 18 | .arg2name = "cmd", 19 | .arg2type = ARG_OP, 20 | .arg2list = ARGLIST(msgctl_cmds), 21 | .arg3name = "buf", 22 | .arg3type = ARG_ADDRESS, 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/pidfd_send_signal.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig, siginfo_t __user *, info, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static unsigned long pidfd_send_signal_flags[] = { 7 | 0, 8 | }; 9 | 10 | struct syscallentry syscall_pidfd_send_signal = { 11 | .name = "pidfd_send_signal", 12 | .num_args = 4, 13 | .arg1name = "pidfd", 14 | .arg1type = ARG_FD, 15 | .arg2name = "sig", 16 | .arg3name = "info", 17 | .arg3type = ARG_ADDRESS, 18 | .arg4name = "flags", 19 | .arg4type = ARG_OP, 20 | .arg4list = ARGLIST(pidfd_send_signal_flags), 21 | }; 22 | -------------------------------------------------------------------------------- /syscalls/shmctl.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) 3 | */ 4 | #include 5 | #include 6 | #include "sanitise.h" 7 | 8 | static unsigned long shmctl_ops[] = { 9 | IPC_STAT, IPC_SET, IPC_RMID, IPC_INFO, 10 | SHM_INFO, SHM_STAT, SHM_LOCK, SHM_UNLOCK, 11 | }; 12 | 13 | struct syscallentry syscall_shmctl = { 14 | .name = "shmctl", 15 | .num_args = 3, 16 | .arg1name = "shmid", 17 | .arg2name = "cmd", 18 | .arg2type = ARG_OP, 19 | .arg2list = ARGLIST(shmctl_ops), 20 | .arg3name = "buf", 21 | .arg3type = ARG_ADDRESS, 22 | }; 23 | -------------------------------------------------------------------------------- /syscalls/access.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(access, const char __user *, filename, int, mode) 3 | * 4 | * On success (all requested permissions granted), zero is returned. 5 | * On error (at least one bit in mode asked for a permission that is denied, 6 | * or some other error occurred), -1 is returned, and errno is set appropriately. 7 | */ 8 | #include "sanitise.h" 9 | 10 | struct syscallentry syscall_access = { 11 | .name = "access", 12 | .num_args = 2, 13 | .arg1name = "filename", 14 | .arg1type = ARG_PATHNAME, 15 | .arg2name = "mode", 16 | .arg2type = ARG_MODE_T, 17 | .group = GROUP_VFS, 18 | }; 19 | -------------------------------------------------------------------------------- /syscalls/setresgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setresgid = { 7 | .name = "setresgid", 8 | .num_args = 3, 9 | .arg1name = "rgid", 10 | .arg2name = "egid", 11 | .arg3name = "sgid", 12 | }; 13 | 14 | 15 | /* 16 | * SYSCALL_DEFINE3(setresgid16, old_gid_t, rgid, old_gid_t, egid, old_gid_t, sgid) 17 | */ 18 | 19 | struct syscallentry syscall_setresgid16 = { 20 | .name = "setresgid16", 21 | .num_args = 3, 22 | .arg1name = "rgid", 23 | .arg2name = "egid", 24 | .arg3name = "sgid", 25 | }; 26 | -------------------------------------------------------------------------------- /include/debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "child.h" 4 | #include "syscall.h" 5 | #include "utils.h" 6 | 7 | void show_backtrace(void); 8 | 9 | extern void __BUG(const char *bugtxt, const char *filename, const char *funcname, unsigned int lineno); 10 | 11 | #define BUG(bugtxt) { \ 12 | __BUG(bugtxt, __FILE__, __func__, __LINE__); \ 13 | unreachable(); \ 14 | } 15 | 16 | #define BUG_ON(condition) do { if ((condition)) BUG(__stringify(condition)); } while (0) 17 | 18 | void dump_childdata(struct childdata *child); 19 | void dump_syscallrec(struct syscallrecord *rec); 20 | 21 | void syslogf(const char *fmt, ...); 22 | -------------------------------------------------------------------------------- /syscalls/rseq.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len, 3 | * int, flags, u32, sig) 4 | */ 5 | 6 | #include "syscall.h" 7 | 8 | enum rseq_flags { 9 | RSEQ_FLAG_UNREGISTER = (1 << 0), 10 | }; 11 | 12 | static unsigned long rseq_flags[] = { 13 | RSEQ_FLAG_UNREGISTER, 14 | }; 15 | 16 | struct syscallentry syscall_rseq = { 17 | .name = "rseq,", 18 | .num_args = 4, 19 | 20 | .arg1name = "rseq", 21 | .arg2name = "rseq_len", 22 | .arg2type = ARG_LEN, 23 | .arg3name = "flags", 24 | .arg3type = ARG_LIST, 25 | .arg3list = ARGLIST(rseq_flags), 26 | .arg4name = "sig", 27 | }; 28 | -------------------------------------------------------------------------------- /ioctls/vsock.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define IOCTL_VM_SOCKETS_GET_LOCAL_CID _IO(7, 0xb9) 4 | 5 | #include "utils.h" 6 | #include "ioctls.h" 7 | 8 | static const struct ioctl vsock_ioctls[] = { 9 | IOCTL(IOCTL_VM_SOCKETS_GET_LOCAL_CID), 10 | }; 11 | 12 | static const char *const vsock_devs[] = { 13 | "vsock", 14 | }; 15 | 16 | static const struct ioctl_group vsock_grp = { 17 | .devtype = DEV_MISC, 18 | .devs = vsock_devs, 19 | .devs_cnt = ARRAY_SIZE(vsock_devs), 20 | .sanitise = pick_random_ioctl, 21 | .ioctls = vsock_ioctls, 22 | .ioctls_cnt = ARRAY_SIZE(vsock_ioctls), 23 | }; 24 | 25 | REG_IOCTL_GROUP(vsock_grp) 26 | -------------------------------------------------------------------------------- /syscalls/setgroups.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_setgroups = { 7 | .name = "setgroups", 8 | .num_args = 2, 9 | .arg1name = "gidsetsize", 10 | .arg2name = "grouplist", 11 | .arg2type = ARG_ADDRESS, 12 | }; 13 | 14 | 15 | /* 16 | * SYSCALL_DEFINE2(getgroups16, int, gidsetsize, old_gid_t __user *, grouplist) 17 | */ 18 | 19 | struct syscallentry syscall_setgroups16 = { 20 | .name = "setgroups16", 21 | .num_args = 2, 22 | .arg1name = "gidsetsize", 23 | .arg2name = "grouplist", 24 | .arg2type = ARG_ADDRESS, 25 | }; 26 | -------------------------------------------------------------------------------- /net/proto-iucv.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "net.h" 3 | #include "compat.h" 4 | #include "random.h" 5 | #include "utils.h" // RAND_ARRAY 6 | 7 | static const unsigned int iucv_opts[] = { 8 | SO_IPRMDATA_MSG, SO_MSGLIMIT, SO_MSGSIZE 9 | }; 10 | 11 | #define SOL_IUCV 277 12 | 13 | static void iucv_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 14 | { 15 | so->level = SOL_IUCV; 16 | 17 | so->optname = RAND_ARRAY(iucv_opts); 18 | 19 | so->optlen = sizeof(int); 20 | } 21 | 22 | const struct netproto proto_iucv = { 23 | .name = "iucv", 24 | // .socket = iucv_rand_socket, 25 | .setsockopt = iucv_setsockopt, 26 | }; 27 | -------------------------------------------------------------------------------- /syscalls/lseek.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(lseek, unsigned int, fd, off_t, offset, unsigned int, whence) 3 | */ 4 | #include 5 | #include 6 | #include "sanitise.h" 7 | #include "compat.h" 8 | 9 | static unsigned long lseek_whences[] = { 10 | SEEK_SET, SEEK_CUR, SEEK_END, SEEK_DATA, 11 | SEEK_HOLE, 12 | }; 13 | 14 | struct syscallentry syscall_lseek = { 15 | .name = "lseek", 16 | .num_args = 3, 17 | .arg1name = "fd", 18 | .arg1type = ARG_FD, 19 | .arg2name = "offset", 20 | .arg3name = "whence", 21 | .arg3type = ARG_OP, 22 | .arg3list = ARGLIST(lseek_whences), 23 | .flags = NEED_ALARM, 24 | .group = GROUP_VFS, 25 | }; 26 | -------------------------------------------------------------------------------- /include/arch-parisc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // FIXME: depends on kernel bit size, userspace is always 32 bit 4 | 5 | #define PAGE_OFFSET 0x10000000 6 | 7 | #if 0 8 | // for 64 bit 9 | #define PAGE_OFFSET 0x40000000 10 | #endif 11 | 12 | #define KERNEL_ADDR 0xa0000000 // FIXME: Placeholder 13 | #define MODULE_ADDR 0xa0000000L // FIXME: Placeholder 14 | #define TASK_SIZE 0xa0000000 // FIXME: Placeholder 15 | 16 | #define PAGE_SHIFT 12 17 | #define PTE_FILE_MAX_BITS (32 - 11) 18 | 19 | #define PTRACE_GETREGS 18 20 | #define PTRACE_GETFPREGS 14 21 | #define PTRACE_SETREGS 19 22 | #define PTRACE_SETFPREGS 15 23 | 24 | #define SYSCALLS syscalls_parisc 25 | -------------------------------------------------------------------------------- /syscalls/set_mempolicy_home_node.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, len, unsigned long, home_node, unsigned long, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | static void sanitise_set_mempolicy_home_node(struct syscallrecord *rec) 7 | { 8 | rec->a4 = 0; // no flags right now 9 | } 10 | 11 | struct syscallentry syscall_set_mempolicy_home_node = { 12 | .name = "set_mempolicy_home_node", 13 | .num_args = 4, 14 | .arg1name = "start", 15 | .arg2name = "len", 16 | .arg2type = ARG_LEN, 17 | .arg3name = "home_node", 18 | .arg4name = "flags", 19 | .sanitise = sanitise_set_mempolicy_home_node, 20 | }; 21 | -------------------------------------------------------------------------------- /syscalls/set_robust_list.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head, size_t, len) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | #include "shm.h" 7 | #include "syscall.h" 8 | #include "trinity.h" 9 | 10 | static void sanitise_set_robust_list(struct syscallrecord *rec) 11 | { 12 | rec->a2 = sizeof(struct robust_list_head); 13 | } 14 | 15 | struct syscallentry syscall_set_robust_list = { 16 | .name = "set_robust_list", 17 | .num_args = 2, 18 | .sanitise = sanitise_set_robust_list, 19 | .arg1name = "head", 20 | .arg1type = ARG_ADDRESS, 21 | .arg2name = "len", 22 | .arg2type = ARG_LEN, 23 | }; 24 | -------------------------------------------------------------------------------- /include/arch-s390.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __s390x__ 4 | 5 | #define KERNEL_ADDR 0UL 6 | #define MODULE_ADDR 0x1fffff80000000UL 7 | #define TASK_SIZE ~0UL 8 | #define PAGE_SHIFT 12 9 | #define PTE_FILE_MAX_BITS 59 10 | 11 | #define SYSCALLS syscalls_s390x 12 | 13 | #else /* __s390x__ */ 14 | 15 | #define KERNEL_ADDR 0UL 16 | #define TASK_SIZE 0x80000000UL 17 | #define PAGE_SHIFT 12 18 | #define PTE_FILE_MAX_BITS 26 19 | 20 | #define SYSCALLS syscalls_s390 21 | 22 | #endif /* __s390x__ */ 23 | 24 | #define PAGE_OFFSET 0x0UL 25 | #define PTRACE_GETREGS 0 26 | #define PTRACE_GETFPREGS 0 27 | #define PTRACE_SETREGS 0 28 | #define PTRACE_SETFPREGS 0 29 | -------------------------------------------------------------------------------- /net/proto-ip-udp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "net.h" 4 | #include "random.h" 5 | #include "utils.h" // RAND_ARRAY 6 | #include "compat.h" 7 | 8 | static const unsigned int udp_opts[] = { 9 | UDP_CORK, UDP_ENCAP 10 | }; 11 | 12 | void udp_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 13 | { 14 | char *optval; 15 | 16 | so->optname = RAND_ARRAY(udp_opts); 17 | 18 | switch (so->optname) { 19 | case UDP_CORK: 20 | break; 21 | case UDP_ENCAP: 22 | optval = (char *) so->optval; 23 | optval[0] = RAND_RANGE(1, 3); // Encapsulation types. 24 | break; 25 | default: 26 | break; 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /syscalls/msgsnd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz, int, msgflg) 3 | */ 4 | #include 5 | #include 6 | #include "compat.h" 7 | #include "sanitise.h" 8 | 9 | static unsigned long msgsnd_flags[] = { 10 | MSG_NOERROR, MSG_EXCEPT, MSG_COPY, IPC_NOWAIT, 11 | }; 12 | 13 | struct syscallentry syscall_msgsnd = { 14 | .name = "msgsnd", 15 | .num_args = 4, 16 | .arg1name = "msqid", 17 | .arg2name = "msgp", 18 | .arg2type = ARG_ADDRESS, 19 | .arg3name = "msgsz", 20 | .arg3type = ARG_LEN, 21 | .arg4name = "msgflg", 22 | .arg4type = ARG_LIST, 23 | .arg4list = ARGLIST(msgsnd_flags), 24 | }; 25 | -------------------------------------------------------------------------------- /include/trinity.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "types.h" 4 | 5 | extern unsigned int num_online_cpus; 6 | extern struct rlimit max_files_rlimit; 7 | extern bool no_bind_to_cpu; 8 | 9 | extern char *progname; 10 | 11 | void main_loop(void); 12 | 13 | void panic(int reason); 14 | 15 | #define __unused__ __attribute((unused)) 16 | 17 | #define FAIL 0 18 | #define SUCCESS 1 19 | 20 | // output stuff that's used pretty much everywhere, so may as well be here. 21 | #define MAX_LOGLEVEL 3 22 | #define CONT -1 23 | void output(char level, const char *fmt, ...); 24 | void outputerr(const char *fmt, ...); 25 | void outputstd(const char *fmt, ...); 26 | void debugf(const char *fmt, ...); 27 | -------------------------------------------------------------------------------- /scripts/test-multi.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | . scripts/paths.sh 4 | . scripts/privs.sh 5 | . scripts/taint.sh 6 | 7 | cd $TRINITY_TMP 8 | 9 | NR_CPUS=$(nproc) 10 | NR_PROCESSES=$(($NR_CPUS * 16)) 11 | 12 | while [ 1 ]; 13 | do 14 | rm -f trinity 15 | cp $TRINITY_PATH/trinity . 16 | chmod -w trinity 17 | 18 | if [ -d tmp ]; then 19 | chmod 755 tmp 20 | rm -rf tmp 21 | fi 22 | mkdir -p tmp 23 | 24 | pushd tmp > /dev/null 25 | 26 | rm -f trinity.socketcache 27 | 28 | MALLOC_CHECK_=2 ../trinity -q -l off -C $NR_PROCESSES $DROPPRIVS -N 1000000 -E SMC -a64 29 | 30 | chmod 755 $TRINITY_TMP 31 | popd > /dev/null 32 | 33 | check_tainted 34 | 35 | done 36 | -------------------------------------------------------------------------------- /syscalls/sh/cacheflush.c: -------------------------------------------------------------------------------- 1 | /* 2 | * arch/sh/kernel/sys_sh.c: 3 | * asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, int op); 4 | */ 5 | 6 | #include "trinity.h" 7 | #include "sanitise.h" 8 | 9 | #include 10 | 11 | struct syscall syscall_sh_cacheflush = { 12 | .name = "sh_cacheflush", 13 | .num_args = 3, 14 | .arg1name = "addr", 15 | .arg1type = ARG_ADDRESS, 16 | .arg2name = "len", 17 | .arg2type = ARG_LEN, 18 | .arg3name = "op", 19 | .arg3type = ARG_LIST, 20 | .arg3list = { 21 | .num = 4, 22 | .values = { 23 | CACHEFLUSH_D_INVAL, 24 | CACHEFLUSH_D_WB, 25 | CACHEFLUSH_D_PURGE, 26 | CACHEFLUSH_I, 27 | }, 28 | }, 29 | }; 30 | -------------------------------------------------------------------------------- /syscalls/finit_module.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | #define MODULE_INIT_IGNORE_MODVERSIONS 1 7 | #define MODULE_INIT_IGNORE_VERMAGIC 2 8 | 9 | static unsigned long finit_module_flags[] = { 10 | MODULE_INIT_IGNORE_MODVERSIONS, MODULE_INIT_IGNORE_VERMAGIC, 11 | }; 12 | 13 | struct syscallentry syscall_finit_module = { 14 | .name = "finit_module", 15 | .num_args = 3, 16 | .arg1name = "fd", 17 | .arg1type = ARG_FD, 18 | .arg2name = "uargs", 19 | .arg2type = ARG_ADDRESS, 20 | .arg3name = "flags", 21 | .arg3type = ARG_LIST, 22 | .arg3list = ARGLIST(finit_module_flags), 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/mq_timedreceive.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr, 3 | size_t, msg_len, unsigned int __user *, u_msg_prio, 4 | const struct timespec __user *, u_abs_timeout) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_mq_timedreceive = { 9 | .name = "mq_timedreceive", 10 | .num_args = 5, 11 | .arg1name = "mqdes", 12 | .arg1type = ARG_FD, 13 | .arg2name = "u_msg_ptr", 14 | .arg2type = ARG_ADDRESS, 15 | .arg3name = "msg_len", 16 | .arg3type = ARG_LEN, 17 | .arg4name = "u_msg_prio", 18 | .arg4type = ARG_ADDRESS, 19 | .arg5name = "u_abs_timeout", 20 | .arg5type = ARG_ADDRESS, 21 | .flags = NEED_ALARM, 22 | }; 23 | -------------------------------------------------------------------------------- /syscalls/shmget.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg) 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include "sanitise.h" 9 | #include "shm.h" 10 | #include "syscall.h" 11 | #include "trinity.h" 12 | 13 | static void post_shmget(struct syscallrecord *rec) 14 | { 15 | if (rec->retval == (unsigned long) -1L) 16 | return; 17 | 18 | shmctl(rec->retval, IPC_RMID, NULL); 19 | } 20 | 21 | struct syscallentry syscall_shmget = { 22 | .name = "shmget", 23 | .num_args = 3, 24 | .arg1name = "key", 25 | .arg2name = "size", 26 | .arg2type = ARG_LEN, 27 | .arg3name = "shmflg", 28 | .post = post_shmget, 29 | }; 30 | -------------------------------------------------------------------------------- /ioctls/hpet.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "utils.h" 5 | #include "ioctls.h" 6 | 7 | static const struct ioctl hpet_ioctls[] = { 8 | IOCTL(HPET_IE_ON), 9 | IOCTL(HPET_IE_OFF), 10 | IOCTL(HPET_INFO), 11 | IOCTL(HPET_EPI), 12 | IOCTL(HPET_DPI), 13 | IOCTL(HPET_IRQFREQ), 14 | }; 15 | 16 | static const char *const hpet_devs[] = { 17 | "hpet", 18 | }; 19 | 20 | static const struct ioctl_group hpet_grp = { 21 | .devtype = DEV_MISC, 22 | .devs = hpet_devs, 23 | .devs_cnt = ARRAY_SIZE(hpet_devs), 24 | .sanitise = pick_random_ioctl, 25 | .ioctls = hpet_ioctls, 26 | .ioctls_cnt = ARRAY_SIZE(hpet_ioctls), 27 | }; 28 | 29 | REG_IOCTL_GROUP(hpet_grp) 30 | -------------------------------------------------------------------------------- /syscalls/setuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(setuid, uid_t, uid) 3 | */ 4 | #include "random.h" 5 | #include "shm.h" 6 | #include "sanitise.h" 7 | #include "syscall.h" 8 | #include "trinity.h" 9 | 10 | static void sanitise_setuid(struct syscallrecord *rec) 11 | { 12 | rec->a1 = rand32(); 13 | } 14 | 15 | struct syscallentry syscall_setuid = { 16 | .name = "setuid", 17 | .num_args = 1, 18 | .arg1name = "uid", 19 | .sanitise = sanitise_setuid, 20 | }; 21 | 22 | /* 23 | * SYSCALL_DEFINE1(setuid16, old_uid_t, uid) 24 | */ 25 | 26 | struct syscallentry syscall_setuid16 = { 27 | .name = "setuid16", 28 | .num_args = 1, 29 | .arg1name = "uid", 30 | .sanitise = sanitise_setuid, 31 | }; 32 | -------------------------------------------------------------------------------- /syscalls/utimensat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(utimensat, int, dfd, const char __user *, filename, 3 | struct timespec __user *, utimes, int, flags) 4 | */ 5 | #include 6 | #include "sanitise.h" 7 | 8 | static unsigned long utimensat_flags[] = { 9 | AT_SYMLINK_NOFOLLOW, 10 | }; 11 | 12 | struct syscallentry syscall_utimensat = { 13 | .name = "utimensat", 14 | .num_args = 4, 15 | .arg1name = "dfd", 16 | .arg1type = ARG_FD, 17 | .arg2name = "filename", 18 | .arg2type = ARG_PATHNAME, 19 | .arg3name = "utimes", 20 | .arg3type = ARG_ADDRESS, 21 | .arg4name = "flags", 22 | .arg4type = ARG_LIST, 23 | .arg4list = ARGLIST(utimensat_flags), 24 | .flags = NEED_ALARM, 25 | }; 26 | -------------------------------------------------------------------------------- /ioctls/random.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "utils.h" 4 | #include "ioctls.h" 5 | 6 | static const struct ioctl random_ioctls[] = { 7 | IOCTL(RNDGETENTCNT), 8 | IOCTL(RNDADDTOENTCNT), 9 | IOCTL(RNDGETPOOL), 10 | IOCTL(RNDADDENTROPY), 11 | IOCTL(RNDZAPENTCNT), 12 | IOCTL(RNDCLEARPOOL), 13 | }; 14 | 15 | static const char *const random_devs[] = { 16 | "mem", 17 | }; 18 | 19 | static const struct ioctl_group random_grp = { 20 | .devtype = DEV_CHAR, 21 | .devs = random_devs, 22 | .devs_cnt = ARRAY_SIZE(random_devs), 23 | .sanitise = pick_random_ioctl, 24 | .ioctls = random_ioctls, 25 | .ioctls_cnt = ARRAY_SIZE(random_ioctls), 26 | }; 27 | 28 | REG_IOCTL_GROUP(random_grp) 29 | -------------------------------------------------------------------------------- /syscalls/kcmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, 3 | * unsigned long, idx1, unsigned long, idx2) 4 | * 5 | */ 6 | #include "sanitise.h" 7 | #include "compat.h" 8 | 9 | static unsigned long kcmp_types[] = { 10 | KCMP_FILE, KCMP_VM, KCMP_FILES, KCMP_FS, 11 | KCMP_SIGHAND, KCMP_IO, KCMP_SYSVSEM, 12 | }; 13 | 14 | struct syscallentry syscall_kcmp = { 15 | .name = "kcmp", 16 | .num_args = 5, 17 | .arg1name = "pid1", 18 | .arg1type = ARG_PID, 19 | .arg2name = "pid2", 20 | .arg2type = ARG_PID, 21 | .arg3name = "type", 22 | .arg3type = ARG_OP, 23 | .arg3list = ARGLIST(kcmp_types), 24 | .arg4name = "idx1", 25 | .arg5name = "idx2", 26 | }; 27 | -------------------------------------------------------------------------------- /syscalls/s390x/runtime_instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * int runtime_instr(int on_off, int sig_nr) 3 | */ 4 | 5 | #include "sanitise.h" 6 | 7 | #define S390_RUNTIME_INSTR_START 0x1 8 | #define S390_RUNTIME_INSTR_STOP 0x2 9 | 10 | static unsigned long syscall_runtime_instr_arg1[] = { 11 | 0, S390_RUNTIME_INSTR_START, S390_RUNTIME_INSTR_STOP, 3 12 | }; 13 | 14 | struct syscallentry syscall_runtime_instr = { 15 | .name = "runtime_instr", 16 | .num_args = 2, 17 | .arg1name = "on_off", 18 | .arg1type = ARG_LIST, 19 | .arg1list = ARGLIST(syscall_runtime_instr_arg1), 20 | .arg2name = "sig_nr", 21 | .arg2type = ARG_RANGE, 22 | .low2range = 0, 23 | .hi2range = 128, 24 | .rettype = RET_ZERO_SUCCESS 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/timerfd_create.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags) 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | #include "compat.h" 7 | 8 | static unsigned long timerfd_create_clockids[] = { 9 | CLOCK_REALTIME, CLOCK_MONOTONIC, 10 | }; 11 | 12 | static unsigned long timerfd_create_flags[] = { 13 | TFD_NONBLOCK, TFD_CLOEXEC, 14 | }; 15 | 16 | struct syscallentry syscall_timerfd_create = { 17 | .name = "timerfd_create", 18 | .num_args = 2, 19 | .arg1name = "clockid", 20 | .arg1type = ARG_OP, 21 | .arg1list = ARGLIST(timerfd_create_clockids), 22 | .arg2name = "flags", 23 | .arg2type = ARG_LIST, 24 | .arg2list = ARGLIST(timerfd_create_flags), 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/getgroups.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getgroups, int, gidsetsize, gid_t __user *, grouplist) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getgroups = { 7 | .name = "getgroups", 8 | .num_args = 2, 9 | .arg1name = "gidsetsize", 10 | .arg2type = ARG_ADDRESS, 11 | .arg2name = "grouplist", 12 | .rettype = RET_BORING, 13 | }; 14 | 15 | 16 | /* 17 | * SYSCALL_DEFINE2(getgroups16, int, gidsetsize, old_gid_t __user *, grouplist) 18 | */ 19 | 20 | struct syscallentry syscall_getgroups16 = { 21 | .name = "getgroups16", 22 | .num_args = 2, 23 | .arg1name = "gidsetsize", 24 | .arg2type = ARG_ADDRESS, 25 | .arg2name = "grouplist", 26 | .rettype = RET_BORING, 27 | }; 28 | -------------------------------------------------------------------------------- /syscalls/getsockname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr, int __user *, usockaddr_len) 3 | */ 4 | #include "net.h" 5 | #include "sanitise.h" 6 | 7 | static void sanitise_getsockname(struct syscallrecord *rec) 8 | { 9 | rec->a1 = fd_from_socketinfo((struct socketinfo *) rec->a1); 10 | } 11 | 12 | struct syscallentry syscall_getsockname = { 13 | .name = "getsockname", 14 | .num_args = 3, 15 | .arg1name = "fd", 16 | .arg1type = ARG_SOCKETINFO, 17 | .arg2name = "usockaddr", 18 | .arg2type = ARG_SOCKADDR, 19 | .arg3name = "usockaddr_len", 20 | .arg3type = ARG_SOCKADDRLEN, 21 | .flags = NEED_ALARM, 22 | .sanitise = sanitise_getsockname, 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/unlink.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(unlink, const char __user *, pathname) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_unlink = { 7 | .name = "unlink", 8 | .num_args = 1, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | .group = GROUP_VFS, 12 | }; 13 | 14 | /* 15 | * SYSCALL_DEFINE3(unlinkat, int, dfd, const char __user *, pathname, int, flag) 16 | */ 17 | 18 | struct syscallentry syscall_unlinkat = { 19 | .name = "unlinkat", 20 | .num_args = 3, 21 | .arg1name = "dfd", 22 | .arg1type = ARG_FD, 23 | .arg2name = "pathname", 24 | .arg2type = ARG_PATHNAME, 25 | .arg3name = "flag", 26 | .flags = NEED_ALARM, 27 | .group = GROUP_VFS, 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/pselect6.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(pselect6, int, n, fd_set __user *, inp, fd_set __user *, outp, 3 | fd_set __user *, exp, struct timespec __user *, tsp, 4 | void __user *, sig) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_pselect6 = { 9 | .name = "pselect6", 10 | .num_args = 6, 11 | .flags = AVOID_SYSCALL, // Can cause the fuzzer to hang without timeout firing 12 | .arg1name = "n", 13 | .arg2name = "inp", 14 | .arg2type = ARG_ADDRESS, 15 | .arg3name = "outp", 16 | .arg3type = ARG_ADDRESS, 17 | .arg4name = "exp", 18 | .arg4type = ARG_ADDRESS, 19 | .arg5name = "tsp", 20 | .arg5type = ARG_ADDRESS, 21 | .arg6name = "sig", 22 | .arg6type = ARG_ADDRESS, 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/mq_timedsend.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr, 3 | size_t, msg_len, unsigned int, msg_prio, 4 | const struct timespec __user *, u_abs_timeout) 5 | */ 6 | #include "sanitise.h" 7 | 8 | struct syscallentry syscall_mq_timedsend = { 9 | .name = "mq_timedsend", 10 | .num_args = 5, 11 | .arg1name = "mqdes", 12 | .arg1type = ARG_FD, 13 | .arg2name = "u_msg_ptr", 14 | .arg2type = ARG_ADDRESS, 15 | .arg3name = "msg_len", 16 | .arg3type = ARG_LEN, 17 | .arg4name = "msg_prio", 18 | .arg4type = ARG_RANGE, 19 | .low4range = 0, 20 | .hi4range = 32768, 21 | .arg5name = "u_abs_timeout", 22 | .arg5type = ARG_ADDRESS, 23 | .flags = NEED_ALARM, 24 | }; 25 | -------------------------------------------------------------------------------- /syscalls/sched_setscheduler.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sched_setscheduler, pid_t, pid, int, policy, struct sched_param __user *, param) 3 | */ 4 | #include 5 | #include "compat.h" 6 | #include "sanitise.h" 7 | 8 | static unsigned long sched_setscheduler_policies[] = { 9 | SCHED_OTHER, SCHED_FIFO, SCHED_RR, SCHED_BATCH, 10 | SCHED_IDLE, SCHED_DEADLINE, 11 | }; 12 | 13 | struct syscallentry syscall_sched_setscheduler = { 14 | .name = "sched_setscheduler", 15 | .num_args = 3, 16 | .arg1name = "pid", 17 | .arg1type = ARG_PID, 18 | .arg2name = "policy", 19 | .arg2type = ARG_OP, 20 | .arg2list = ARGLIST(sched_setscheduler_policies), 21 | .arg3name = "param", 22 | .arg3type = ARG_ADDRESS, 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/truncate.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(truncate, const char __user *, path, long, length) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_truncate = { 7 | .name = "truncate", 8 | .num_args = 2, 9 | .arg1name = "path", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "length", 12 | .arg2type = ARG_LEN, 13 | .group = GROUP_VFS, 14 | }; 15 | 16 | /* 17 | * SYSCALL_DEFINE(truncate64)(const char __user * path, loff_t length) 18 | */ 19 | 20 | struct syscallentry syscall_truncate64 = { 21 | .name = "truncate64", 22 | .num_args = 2, 23 | .arg1name = "path", 24 | .arg1type = ARG_PATHNAME, 25 | .arg2name = "length", 26 | .arg2type = ARG_LEN, 27 | .group = GROUP_VFS, 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/timer_settime.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(timer_settime, timer_t, timer_id, int, flags, 3 | TIMER_ABSTIMEconst struct itimerspec __user *, new_setting, 4 | struct itimerspec __user *, old_setting) 5 | */ 6 | #include 7 | #include "sanitise.h" 8 | 9 | static unsigned long timer_settime_flags[] = { 10 | TIMER_ABSTIME, 11 | }; 12 | 13 | struct syscallentry syscall_timer_settime = { 14 | .name = "timer_settime", 15 | .num_args = 4, 16 | .arg1name = "timer_id", 17 | .arg2name = "flags", 18 | .arg2type = ARG_LIST, 19 | .arg2list = ARGLIST(timer_settime_flags), 20 | .arg3name = "new_setting", 21 | .arg3type = ARG_ADDRESS, 22 | .arg4name = "old_setting", 23 | .arg4type = ARG_ADDRESS, 24 | }; 25 | -------------------------------------------------------------------------------- /syscalls/adjtimex.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(adjtimex, struct timex __user *, txc_p 3 | * 4 | * On success, adjtimex() returns the clock state: */ 5 | 6 | #define TIME_OK 0 /* clock synchronized */ 7 | #define TIME_INS 1 /* insert leap second */ 8 | #define TIME_DEL 2 /* delete leap second */ 9 | #define TIME_OOP 3 /* leap second in progress */ 10 | #define TIME_WAIT 4 /* leap second has occurred */ 11 | #define TIME_BAD 5 /* clock not synchronized */ 12 | 13 | /* On failure, adjtimex() returns -1 and sets errno. */ 14 | 15 | #include "sanitise.h" 16 | 17 | struct syscallentry syscall_adjtimex = { 18 | .name = "adjtimex", 19 | .num_args = 1, 20 | .arg1name = "txc_p", 21 | .arg1type = ARG_ADDRESS, 22 | }; 23 | -------------------------------------------------------------------------------- /syscalls/rt_sigprocmask.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(rt_sigprocmask, int, how, sigset_t __user *, set, 3 | sigset_t __user *, oset, size_t, sigsetsize) 4 | */ 5 | #include 6 | #include "sanitise.h" 7 | #include "shm.h" 8 | #include "syscall.h" 9 | #include "trinity.h" 10 | 11 | static void sanitise_rt_sigprocmask(struct syscallrecord *rec) 12 | { 13 | rec->a4 = sizeof(sigset_t); 14 | } 15 | 16 | struct syscallentry syscall_rt_sigprocmask = { 17 | .name = "rt_sigprocmask", 18 | .num_args = 4, 19 | .sanitise = sanitise_rt_sigprocmask, 20 | .arg1name = "how", 21 | .arg2name = "set", 22 | .arg2type = ARG_ADDRESS, 23 | .arg3name = "oset", 24 | .arg3type = ARG_ADDRESS, 25 | .arg4name = "sigsetsize", 26 | }; 27 | -------------------------------------------------------------------------------- /syscalls/riscv_flush_icache.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr, 3 | int, options, struct rusage __user *, ru) 4 | */ 5 | #include "sanitise.h" 6 | 7 | #ifndef SYS_RISCV_FLUSH_ICACHE_LOCAL 8 | #define SYS_RISCV_FLUSH_ICACHE_LOCAL 1UL 9 | #endif 10 | 11 | static unsigned long riscv_flush_icache_flags[] = { 12 | SYS_RISCV_FLUSH_ICACHE_LOCAL, 13 | }; 14 | 15 | struct syscallentry syscall_riscv_flush_icache = { 16 | .name = "riscv_flush_icache", 17 | .num_args = 3, 18 | .arg1name = "start", 19 | .arg1type = ARG_ADDRESS, 20 | .arg2name = "end", 21 | .arg2type = ARG_ADDRESS, 22 | .arg3name = "flags", 23 | .arg3type = ARG_OP, 24 | .arg3list = ARGLIST(riscv_flush_icache_flags), 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/statfs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(statfs, const char __user *, pathname, struct statfs __user *, buf) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_statfs = { 7 | .name = "statfs", 8 | .num_args = 2, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "buf", 12 | .arg2type = ARG_ADDRESS, 13 | }; 14 | 15 | /* 16 | * SYSCALL_DEFINE3(statfs64, const char __user *, pathname, size_t, sz, struct statfs64 __user *, buf) 17 | */ 18 | 19 | struct syscallentry syscall_statfs64 = { 20 | .name = "statfs64", 21 | .num_args = 2, 22 | .arg1name = "pathname", 23 | .arg1type = ARG_PATHNAME, 24 | .arg2name = "sz", 25 | .arg3name = "buf", 26 | .arg3type = ARG_ADDRESS, 27 | }; 28 | -------------------------------------------------------------------------------- /syscalls/getpeername.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, int __user *, usockaddr_len) 3 | */ 4 | #include "net.h" 5 | #include "sanitise.h" 6 | 7 | static void sanitise_getpeername(struct syscallrecord *rec) 8 | { 9 | rec->a1 = fd_from_socketinfo((struct socketinfo *) rec->a1); 10 | } 11 | 12 | struct syscallentry syscall_getpeername = { 13 | .name = "getpeername", 14 | .num_args = 3, 15 | .arg1name = "fd", 16 | .arg1type = ARG_SOCKETINFO, 17 | .arg2name = "usockaddr", 18 | .arg2type = ARG_SOCKADDR, 19 | .arg3name = "usockaddr_len", 20 | .arg3type = ARG_SOCKADDRLEN, 21 | .rettype = RET_ZERO_SUCCESS, 22 | .flags = NEED_ALARM, 23 | .sanitise = sanitise_getpeername, 24 | }; 25 | -------------------------------------------------------------------------------- /syscalls/getsockopt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname, char __user *, optval, int __user *, optlen) 3 | */ 4 | #include "net.h" 5 | #include "sanitise.h" 6 | 7 | static void sanitise_getsockopt(struct syscallrecord *rec) 8 | { 9 | rec->a1 = fd_from_socketinfo((struct socketinfo *) rec->a1); 10 | } 11 | 12 | struct syscallentry syscall_getsockopt = { 13 | .name = "getsockopt", 14 | .num_args = 5, 15 | .arg1name = "fd", 16 | .arg1type = ARG_SOCKETINFO, 17 | .arg2name = "level", 18 | .arg3name = "optname", 19 | .arg4name = "optval", 20 | .arg4type = ARG_ADDRESS, 21 | .arg5name = "optlen", 22 | .arg5type = ARG_LEN, 23 | .flags = NEED_ALARM, 24 | .sanitise = sanitise_getsockopt, 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/io_pgetevents.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(io_pgetevents, 3 | * aio_context_t, ctx_id, 4 | * long, min_nr, 5 | * long, nr, 6 | * struct io_event __user *, events, 7 | * struct __kernel_timespec __user *, timeout, 8 | * const struct __aio_sigset __user *, usig) 9 | */ 10 | 11 | #include "syscall.h" 12 | 13 | struct syscallentry syscall_io_pgetevents = { 14 | .name = "io_pgetevents,", 15 | .num_args = 6, 16 | 17 | .arg1name = "ctx_id", 18 | .arg2name = "min_nr", 19 | .arg2type = ARG_LEN, 20 | .arg3name = "nr", 21 | .arg3type = ARG_LEN, 22 | .arg4name = "events", 23 | .arg5name = "timeout", 24 | .arg6name = "usig", 25 | }; 26 | -------------------------------------------------------------------------------- /syscalls/lchown.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_lchown = { 7 | .name = "lchown", 8 | .num_args = 3, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "user", 12 | .arg3name = "group", 13 | .group = GROUP_VFS, 14 | }; 15 | 16 | /* 17 | * SYSCALL_DEFINE3(lchown16, const char __user *, filename, old_uid_t, user, old_gid_t, group) 18 | */ 19 | 20 | struct syscallentry syscall_lchown16 = { 21 | .name = "lchown16", 22 | .num_args = 3, 23 | .arg1name = "filename", 24 | .arg1type = ARG_PATHNAME, 25 | .arg2name = "user", 26 | .arg3name = "group", 27 | .group = GROUP_VFS, 28 | }; 29 | -------------------------------------------------------------------------------- /ioctls/msr.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define X86_IOC_RDMSR_REGS _IOWR('c', 0xA0, __u32[8]) 5 | #define X86_IOC_WRMSR_REGS _IOWR('c', 0xA1, __u32[8]) 6 | 7 | #include "utils.h" 8 | #include "ioctls.h" 9 | 10 | static const struct ioctl msr_ioctls[] = { 11 | IOCTL(X86_IOC_RDMSR_REGS), 12 | //IOCTL(X86_IOC_WRMSR_REGS), // Too dangerous. 13 | }; 14 | 15 | static const char *const msr_devs[] = { 16 | "cpu/msr", 17 | }; 18 | 19 | static const struct ioctl_group msr_grp = { 20 | .devtype = DEV_CHAR, 21 | .devs = msr_devs, 22 | .devs_cnt = ARRAY_SIZE(msr_devs), 23 | .sanitise = pick_random_ioctl, 24 | .ioctls = msr_ioctls, 25 | .ioctls_cnt = ARRAY_SIZE(msr_ioctls), 26 | }; 27 | 28 | REG_IOCTL_GROUP(msr_grp) 29 | -------------------------------------------------------------------------------- /scripts/test-all-syscalls-sequentially.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # This is a useful test to run occasionally, to see which syscalls are 4 | # causing trinity to segfault. 5 | 6 | . scripts/paths.sh 7 | . scripts/privs.sh 8 | . scripts/taint.sh 9 | 10 | while [ 1 ] 11 | do 12 | for syscall in $($TRINITY_PATH/trinity -L | grep entrypoint | grep -v AVOID | awk '{ print $3 }' | sort -u) 13 | do 14 | pushd $TRINITY_TMP 15 | 16 | if [ ! -f $TRINITY_PATH/trinity ]; then 17 | echo lost! 18 | pwd 19 | exit 20 | fi 21 | 22 | MALLOC_CHECK_=2 $TRINITY_PATH/trinity -q -c $syscall -N 1000000 -l off -C 64 $DROPPRIVS -x execve 23 | 24 | chmod 755 $TRINITY_TMP 25 | popd 26 | 27 | check_tainted 28 | echo 29 | echo 30 | done 31 | check_tainted 32 | done 33 | -------------------------------------------------------------------------------- /syscalls/mlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(mlockall, int, flags) 3 | */ 4 | #include 5 | #include "random.h" 6 | #include "sanitise.h" 7 | #include "shm.h" 8 | #include "syscall.h" 9 | #include "trinity.h" 10 | 11 | #ifndef MCL_CURRENT 12 | #define MCL_CURRENT 1 13 | #endif 14 | #ifndef MCL_FUTURE 15 | #define MCL_FUTURE 2 16 | #endif 17 | #ifndef MCL_ONFAULT 18 | #define MCL_ONFAULT 4 19 | #endif 20 | 21 | static unsigned long mlockall_flags[] = { 22 | MCL_CURRENT, MCL_FUTURE, MCL_ONFAULT, 23 | }; 24 | 25 | struct syscallentry syscall_mlockall = { 26 | .name = "mlockall", 27 | .num_args = 1, 28 | .arg1name = "flags", 29 | .arg1type = ARG_LIST, 30 | .arg1list = ARGLIST(mlockall_flags), 31 | .group = GROUP_VM, 32 | }; 33 | -------------------------------------------------------------------------------- /ioctls/btrfs-control.c: -------------------------------------------------------------------------------- 1 | 2 | #ifdef USE_BTRFS 3 | 4 | #include 5 | #include 6 | 7 | #include "utils.h" 8 | #include "ioctls.h" 9 | 10 | static const struct ioctl btrfs_control_ioctls[] = { 11 | IOCTL(BTRFS_IOC_SCAN_DEV), 12 | IOCTL(BTRFS_IOC_DEVICES_READY), 13 | }; 14 | 15 | static const char *const btrfs_control_devs[] = { 16 | "btrfs-control", 17 | }; 18 | 19 | static const struct ioctl_group btrfs_control_grp = { 20 | .devtype = DEV_MISC, 21 | .devs = btrfs_control_devs, 22 | .devs_cnt = ARRAY_SIZE(btrfs_control_devs), 23 | .sanitise = pick_random_ioctl, 24 | .ioctls = btrfs_control_ioctls, 25 | .ioctls_cnt = ARRAY_SIZE(btrfs_control_ioctls), 26 | }; 27 | 28 | REG_IOCTL_GROUP(btrfs_control_grp) 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /syscalls/epoll_wait.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(epoll_wait, int, epfd, struct epoll_event __user *, events, int, maxevents, int, timeout) 3 | * 4 | * When successful, returns the number of file descriptors ready for the requested I/O, 5 | * or zero if no file descriptor became ready during the requested timeout milliseconds. 6 | * When an error occurs, returns -1 and errno is set appropriately. 7 | */ 8 | #include "sanitise.h" 9 | 10 | struct syscallentry syscall_epoll_wait = { 11 | .name = "epoll_wait", 12 | .num_args = 4, 13 | .arg1name = "epfd", 14 | .arg1type = ARG_FD, 15 | .arg2name = "events", 16 | .arg2type = ARG_ADDRESS, 17 | .arg3name = "maxevents", 18 | .arg4name = "timeout", 19 | .rettype = RET_BORING, 20 | .flags = NEED_ALARM, 21 | }; 22 | -------------------------------------------------------------------------------- /ioctls/mce.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "utils.h" 4 | #include "ioctls.h" 5 | 6 | #define MCE_GET_RECORD_LEN _IOR('M', 1, int) 7 | #define MCE_GET_LOG_LEN _IOR('M', 2, int) 8 | #define MCE_GETCLEAR_FLAGS _IOR('M', 3, int) 9 | 10 | static const struct ioctl mce_ioctls[] = { 11 | IOCTL(MCE_GET_RECORD_LEN), 12 | IOCTL(MCE_GET_LOG_LEN), 13 | IOCTL(MCE_GETCLEAR_FLAGS), 14 | }; 15 | 16 | static const char *const mce_devs[] = { 17 | "mcelog", 18 | }; 19 | 20 | static const struct ioctl_group mce_grp = { 21 | .devtype = DEV_MISC, 22 | .devs = mce_devs, 23 | .devs_cnt = ARRAY_SIZE(mce_devs), 24 | .sanitise = pick_random_ioctl, 25 | .ioctls = mce_ioctls, 26 | .ioctls_cnt = ARRAY_SIZE(mce_ioctls), 27 | }; 28 | 29 | REG_IOCTL_GROUP(mce_grp) 30 | -------------------------------------------------------------------------------- /syscalls/landlock_create_ruleset.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(landlock_create_ruleset, 3 | * const struct landlock_ruleset_attr __user *const, attr, 4 | * const size_t, size, const __u32, flags) 5 | */ 6 | #include "sanitise.h" 7 | 8 | #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) 9 | 10 | static unsigned long landlock_create_ruleset_flags[] = { 11 | LANDLOCK_CREATE_RULESET_VERSION, 12 | }; 13 | 14 | struct syscallentry syscall_landlock_create_ruleset = { 15 | .name = "landlock_create_ruleset", 16 | .num_args = 3, 17 | .arg1name = "attr", 18 | .arg2name = "size", 19 | .arg2type = ARG_LEN, 20 | .arg3name = "flags", 21 | .arg3type = ARG_LIST, 22 | .arg3list = ARGLIST(landlock_create_ruleset_flags), 23 | }; 24 | -------------------------------------------------------------------------------- /syscalls/mkdir.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(mkdir, const char __user *, pathname, int, mode) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_mkdir = { 7 | .name = "mkdir", 8 | .num_args = 2, 9 | .arg1name = "pathname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "mode", 12 | .arg2type = ARG_MODE_T, 13 | }; 14 | 15 | /* 16 | * SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) 17 | */ 18 | #include "sanitise.h" 19 | 20 | struct syscallentry syscall_mkdirat = { 21 | .name = "mkdirat", 22 | .num_args = 3, 23 | .arg1name = "dfd", 24 | .arg1type = ARG_FD, 25 | .arg2name = "pathname", 26 | .arg2type = ARG_PATHNAME, 27 | .arg3name = "mode", 28 | .arg3type = ARG_MODE_T, 29 | .flags = NEED_ALARM, 30 | }; 31 | -------------------------------------------------------------------------------- /syscalls/setxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(setxattr, const char __user *, pathname, 3 | const char __user *, name, const void __user *, value, 4 | size_t, size, int, flags) 5 | */ 6 | 7 | #include 8 | #include "sanitise.h" 9 | 10 | static unsigned long setxattr_flags[] = { 11 | XATTR_CREATE, XATTR_REPLACE, 12 | }; 13 | 14 | struct syscallentry syscall_setxattr = { 15 | .name = "setxattr", 16 | .num_args = 5, 17 | .arg1name = "pathname", 18 | .arg1type = ARG_PATHNAME, 19 | .arg2name = "name", 20 | .arg2type = ARG_ADDRESS, 21 | .arg3name = "value", 22 | .arg3type = ARG_ADDRESS, 23 | .arg4name = "size", 24 | .arg4type = ARG_LEN, 25 | .arg5name = "flags", 26 | .arg5type = ARG_LIST, 27 | .arg5list = ARGLIST(setxattr_flags), 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/ipc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(ipc, unsigned int, call, int, first, unsigned long, second, 3 | unsigned long, third, void __user *, ptr, long, fifth) 4 | */ 5 | #include 6 | #include "sanitise.h" 7 | 8 | static unsigned long ipc_calls[] = { 9 | SEMOP, SEMGET, SEMCTL, SEMTIMEDOP, 10 | MSGSND, MSGRCV, MSGGET, MSGCTL, 11 | SHMAT, SHMDT, SHMGET, SHMCTL, 12 | }; 13 | 14 | struct syscallentry syscall_ipc = { 15 | .name = "ipc", 16 | .num_args = 6, 17 | .arg1name = "call", 18 | .arg1type = ARG_OP, 19 | .arg1list = ARGLIST(ipc_calls), 20 | .arg2name = "first", 21 | .arg3name = "second", 22 | .arg4name = "third", 23 | .arg5name = "ptr", 24 | .arg5type = ARG_ADDRESS, 25 | .arg6name = "fifth", 26 | .flags = IGNORE_ENOSYS, 27 | }; 28 | -------------------------------------------------------------------------------- /include/arch-alpha.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define KERNEL_ADDR 0xfffffc0000310000 4 | /* KERNEL_ADDR is 0xfffffc0001010000 ifndef CONFIG_ALPHA_LEGACY_START_ADDRESS */ 5 | 6 | #define PAGE_SHIFT 13 7 | #define PGDIR_SHIFT (PAGE_SHIFT + 2*(PAGE_SHIFT-3)) 8 | #define PGDIR_SIZE (1UL << PGDIR_SHIFT) 9 | #define MODULE_ADDR (-2*PGDIR_SIZE) 10 | /* MODULE_ADDR is 0xfffffe0000000000 ifdef CONFIG_ALPHA_LARGE_VMALLOC */ 11 | 12 | #define PAGE_OFFSET 0xfffffc0000000000UL 13 | /* PAGE_OFFSET is 0xffff800000000000UL ifdef USE_48_BIT_KSEG */ 14 | 15 | #define TASK_SIZE 0x40000000000UL 16 | 17 | #define PTE_FILE_MAX_BITS 32 18 | 19 | #define PTRACE_GETREGS 0 20 | #define PTRACE_GETFPREGS 0 21 | #define PTRACE_SETREGS 0 22 | #define PTRACE_SETFPREGS 0 23 | 24 | #define SYSCALLS syscalls_alpha 25 | -------------------------------------------------------------------------------- /net/proto-ip-dccp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "net.h" 4 | #include "compat.h" 5 | #include "random.h" 6 | #include "utils.h" // RAND_ARRAY 7 | 8 | static const unsigned int dccp_opts[] = { 9 | DCCP_SOCKOPT_PACKET_SIZE, DCCP_SOCKOPT_SERVICE, DCCP_SOCKOPT_CHANGE_L, DCCP_SOCKOPT_CHANGE_R, 10 | DCCP_SOCKOPT_GET_CUR_MPS, DCCP_SOCKOPT_SERVER_TIMEWAIT, DCCP_SOCKOPT_SEND_CSCOV, DCCP_SOCKOPT_RECV_CSCOV, 11 | DCCP_SOCKOPT_AVAILABLE_CCIDS, DCCP_SOCKOPT_CCID, DCCP_SOCKOPT_TX_CCID, DCCP_SOCKOPT_RX_CCID, 12 | DCCP_SOCKOPT_QPOLICY_ID, DCCP_SOCKOPT_QPOLICY_TXQLEN, DCCP_SOCKOPT_CCID_RX_INFO, DCCP_SOCKOPT_CCID_TX_INFO 13 | }; 14 | 15 | void dccp_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 16 | { 17 | so->optname = RAND_ARRAY(dccp_opts); 18 | } 19 | -------------------------------------------------------------------------------- /syscalls/fspick.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(fspick, int, dfd, const char __user *, path, unsigned int, flags) 3 | */ 4 | #include "sanitise.h" 5 | 6 | #define FSPICK_CLOEXEC 0x00000001 7 | #define FSPICK_SYMLINK_NOFOLLOW 0x00000002 8 | #define FSPICK_NO_AUTOMOUNT 0x00000004 9 | #define FSPICK_EMPTY_PATH 0x00000008 10 | 11 | static unsigned long fspick_flags[] = { 12 | FSPICK_CLOEXEC, 13 | FSPICK_SYMLINK_NOFOLLOW, 14 | FSPICK_NO_AUTOMOUNT, 15 | FSPICK_EMPTY_PATH, 16 | }; 17 | 18 | struct syscallentry syscall_fspick = { 19 | .name = "fspick", 20 | .num_args = 3, 21 | .arg1name = "dfd", 22 | .arg1type = ARG_FD, 23 | .arg2name = "path", 24 | .arg2type = ARG_PATHNAME, 25 | .arg3name = "flags", 26 | .arg3type = ARG_OP, 27 | .arg3list = ARGLIST(fspick_flags), 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/lsetxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(lsetxattr, const char __user *, pathname, 3 | const char __user *, name, const void __user *, value, 4 | size_t, size, int, flags) 5 | */ 6 | 7 | #include 8 | #include "sanitise.h" 9 | 10 | static unsigned long lsetxattr_flags[] = { 11 | XATTR_CREATE, XATTR_REPLACE, 12 | }; 13 | 14 | struct syscallentry syscall_lsetxattr = { 15 | .name = "lsetxattr", 16 | .num_args = 5, 17 | .arg1name = "pathname", 18 | .arg1type = ARG_PATHNAME, 19 | .arg2name = "name", 20 | .arg2type = ARG_ADDRESS, 21 | .arg3name = "value", 22 | .arg3type = ARG_ADDRESS, 23 | .arg4name = "size", 24 | .arg4type = ARG_LEN, 25 | .arg5name = "flags", 26 | .arg5type = ARG_LIST, 27 | .arg5list = ARGLIST(lsetxattr_flags), 28 | .group = GROUP_VFS, 29 | }; 30 | -------------------------------------------------------------------------------- /syscalls/kexec_load.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, 3 | struct kexec_segment __user *, segments, unsigned long, flags) 4 | */ 5 | 6 | #define KEXEC_ON_CRASH 0x00000001 7 | #define KEXEC_PRESERVE_CONTEXT 0x00000002 8 | 9 | #include "sanitise.h" 10 | 11 | static unsigned long kexec_load_flags[] = { 12 | KEXEC_ON_CRASH, KEXEC_PRESERVE_CONTEXT, 13 | }; 14 | 15 | struct syscallentry syscall_kexec_load = { 16 | .name = "kexec_load", 17 | .num_args = 4, 18 | .arg1name = "entry", 19 | .arg1type = ARG_ADDRESS, 20 | .arg2name = "nr_segments", 21 | .arg2type = ARG_LEN, 22 | .arg3name = "segments", 23 | .arg3type = ARG_ADDRESS, 24 | .arg4name = "flags", 25 | .arg4type = ARG_LIST, 26 | .arg4list = ARGLIST(kexec_load_flags), 27 | }; 28 | -------------------------------------------------------------------------------- /syscalls/pipe.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE1(pipe, int __user *, fildes) 3 | */ 4 | #include 5 | #include 6 | #include "sanitise.h" 7 | #include "compat.h" 8 | 9 | struct syscallentry syscall_pipe = { 10 | .name = "pipe", 11 | .num_args = 1, 12 | .arg1name = "fildes", 13 | .arg1type = ARG_ADDRESS, 14 | .group = GROUP_VFS, 15 | }; 16 | 17 | /* 18 | * SYSCALL_DEFINE2(pipe2, int __user *, fildes, int, flags) 19 | */ 20 | 21 | static unsigned long pipe2_flags[] = { 22 | O_CLOEXEC, O_NONBLOCK, O_DIRECT, 23 | }; 24 | 25 | struct syscallentry syscall_pipe2 = { 26 | .name = "pipe2", 27 | .num_args = 2, 28 | .arg1name = "fildes", 29 | .arg1type = ARG_ADDRESS, 30 | .arg2name = "flags", 31 | .arg2type = ARG_LIST, 32 | .arg2list = ARGLIST(pipe2_flags), 33 | .group = GROUP_VFS, 34 | }; 35 | -------------------------------------------------------------------------------- /net/proto-ip-udplite.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "net.h" 4 | #include "random.h" 5 | #include "utils.h" // RAND_ARRAY 6 | #include "compat.h" 7 | 8 | static const unsigned int udplite_opts[] = { 9 | UDP_CORK, UDP_ENCAP, UDPLITE_SEND_CSCOV, UDPLITE_RECV_CSCOV, 10 | }; 11 | 12 | void udplite_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 13 | { 14 | char *optval; 15 | 16 | so->optname = RAND_ARRAY(udplite_opts); 17 | 18 | switch (so->optname) { 19 | case UDP_CORK: 20 | break; 21 | case UDP_ENCAP: 22 | optval = (char *) so->optval; 23 | optval[0] = RAND_RANGE(1, 3); // Encapsulation types. 24 | break; 25 | case UDPLITE_SEND_CSCOV: 26 | break; 27 | case UDPLITE_RECV_CSCOV: 28 | break; 29 | default: 30 | break; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /syscalls/fsetxattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, 3 | const void __user *,value, size_t, size, int, flags) 4 | */ 5 | 6 | #include 7 | #include "sanitise.h" 8 | 9 | static unsigned long fsetxattr_flags[] = { 10 | XATTR_CREATE, XATTR_REPLACE, 11 | }; 12 | 13 | struct syscallentry syscall_fsetxattr = { 14 | .name = "fsetxattr", 15 | .num_args = 5, 16 | .arg1name = "fd", 17 | .arg1type = ARG_FD, 18 | .arg2name = "name", 19 | .arg2type = ARG_ADDRESS, 20 | .arg3name = "value", 21 | .arg3type = ARG_ADDRESS, 22 | .arg4name = "size", 23 | .arg4type = ARG_LEN, 24 | .arg5name = "flags", 25 | .arg5type = ARG_LIST, 26 | .arg5list = ARGLIST(fsetxattr_flags), 27 | .rettype = RET_ZERO_SUCCESS, 28 | .flags = NEED_ALARM, 29 | .group = GROUP_VFS, 30 | }; 31 | -------------------------------------------------------------------------------- /syscalls/lstat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(lstat, const char __user *, filename, 3 | struct __old_kernel_stat __user *, statbuf) 4 | */ 5 | #include "sanitise.h" 6 | 7 | struct syscallentry syscall_lstat = { 8 | .name = "lstat", 9 | .num_args = 2, 10 | .arg1name = "filename", 11 | .arg1type = ARG_PATHNAME, 12 | .arg2name = "statbuf", 13 | .arg2type = ARG_ADDRESS, 14 | .group = GROUP_VFS, 15 | }; 16 | 17 | 18 | /* 19 | * SYSCALL_DEFINE2(lstat64, const char __user *, filename, 20 | struct stat64 __user *, statbuf) 21 | */ 22 | 23 | struct syscallentry syscall_lstat64 = { 24 | .name = "lstat64", 25 | .num_args = 2, 26 | .arg1name = "filename", 27 | .arg1type = ARG_PATHNAME, 28 | .arg2name = "statbuf", 29 | .arg2type = ARG_ADDRESS, 30 | .group = GROUP_VFS, 31 | }; 32 | -------------------------------------------------------------------------------- /syscalls/connect.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, int, addrlen 3 | * 4 | * If the connection or binding succeeds, zero is returned. 5 | * On error, -1 is returned, and errno is set appropriately. 6 | */ 7 | #include "net.h" 8 | #include "sanitise.h" 9 | 10 | static void sanitise_connect(struct syscallrecord *rec) 11 | { 12 | rec->a1 = fd_from_socketinfo((struct socketinfo *) rec->a1); 13 | } 14 | 15 | struct syscallentry syscall_connect = { 16 | .name = "connect", 17 | .num_args = 3, 18 | .arg1name = "fd", 19 | .arg1type = ARG_SOCKETINFO, 20 | .arg2name = "uservaddr", 21 | .arg2type = ARG_SOCKADDR, 22 | .arg3name = "addrlen", 23 | .arg3type = ARG_SOCKADDRLEN, 24 | .rettype = RET_ZERO_SUCCESS, 25 | .flags = NEED_ALARM, 26 | .sanitise = sanitise_connect, 27 | }; 28 | -------------------------------------------------------------------------------- /syscalls/x86/x86_64/arch_prctl.c: -------------------------------------------------------------------------------- 1 | /* (x86-64 only) 2 | * long sys_arch_prctl(int code, unsigned long addr) 3 | * 4 | * On success, arch_prctl() returns 0 5 | * On error, -1 is returned, and errno is set to indicate the error. 6 | */ 7 | 8 | #if defined(__i386__) || defined (__x86_64__) 9 | 10 | #include "sanitise.h" 11 | #include 12 | #include 13 | 14 | static unsigned long arch_prctl_flags[] = { 15 | ARCH_SET_FS, ARCH_GET_FS, ARCH_SET_GS, ARCH_GET_GS 16 | }; 17 | 18 | struct syscallentry syscall_arch_prctl = { 19 | .name = "arch_prctl", 20 | .flags = AVOID_SYSCALL, 21 | .num_args = 2, 22 | .arg1name = "code", 23 | .arg1type = ARG_OP, 24 | .arg1list = ARGLIST(arch_prctl_flags), 25 | .arg2name = "addr", 26 | .arg2type = ARG_ADDRESS, 27 | .rettype = RET_BORING, 28 | }; 29 | #endif 30 | -------------------------------------------------------------------------------- /include/arch-ppc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __powerpc64__ 4 | #define KERNEL_ADDR 0xc000000000000000UL 5 | #define MODULE_ADDR 0xd000000000000000UL 6 | #define PAGE_OFFSET 0xc000000000000000UL 7 | #define TASK_SIZE (PAGE_OFFSET) 8 | 9 | #define PAGE_SHIFT 12 10 | #define BITS_PER_LONG 64 11 | #define PTE_RPN_SHIFT (PAGE_SHIFT) 12 | #define PTE_FILE_MAX_BITS (BITS_PER_LONG - PTE_RPN_SHIFT) 13 | 14 | #else /* __powerpc64__ */ 15 | 16 | #define KERNEL_ADDR 0xc0000000 17 | #define MODULE_ADDR 0xd0000000 18 | #define PAGE_OFFSET 0xc0000000 19 | #define TASK_SIZE (PAGE_OFFSET) 20 | 21 | #define PAGE_SHIFT 12 22 | #define BITS_PER_LONG 32 23 | #define PTE_RPN_SHIFT (PAGE_SHIFT) 24 | #define PTE_FILE_MAX_BITS (BITS_PER_LONG - PTE_RPN_SHIFT) 25 | 26 | #endif /* __powerpc64__ */ 27 | 28 | #define SYSCALLS syscalls_ppc 29 | -------------------------------------------------------------------------------- /include/sanitise.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "syscall.h" 4 | 5 | void generic_sanitise(struct syscallrecord *rec); 6 | void generic_free_arg(struct syscallrecord *rec); 7 | 8 | unsigned long get_interesting_value(void); 9 | 10 | unsigned long get_argval(struct syscallrecord *rec, unsigned int argnum); 11 | 12 | void *get_address(void); 13 | void *get_non_null_address(void); 14 | void *get_writable_address(unsigned long size); 15 | unsigned long find_previous_arg_address(struct syscallrecord *rec, unsigned int argnum); 16 | struct iovec * alloc_iovec(unsigned int num); 17 | unsigned long get_len(void); 18 | unsigned int get_pid(void); 19 | 20 | void gen_unicode_page(char *page); 21 | 22 | enum argtype get_argtype(struct syscallentry *entry, unsigned int argnum); 23 | void generate_syscall_args(struct syscallrecord *rec); 24 | -------------------------------------------------------------------------------- /syscalls/swap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags 3 | */ 4 | #include 5 | #include "sanitise.h" 6 | #include "compat.h" 7 | 8 | static unsigned long swapon_flags[] = { 9 | SWAP_FLAG_PREFER, SWAP_FLAG_DISCARD, 10 | }; 11 | 12 | struct syscallentry syscall_swapon = { 13 | .name = "swapon", 14 | .num_args = 2, 15 | .arg1name = "path", 16 | .arg1type = ARG_PATHNAME, 17 | .arg2name = "swap_flags", 18 | .arg2type = ARG_LIST, 19 | .arg2list = ARGLIST(swapon_flags), 20 | .group = GROUP_VFS, 21 | }; 22 | 23 | /* 24 | * SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) 25 | */ 26 | struct syscallentry syscall_swapoff = { 27 | .name = "swapoff", 28 | .num_args = 1, 29 | .arg1name = "path", 30 | .arg1type = ARG_PATHNAME, 31 | .group = GROUP_VFS, 32 | }; 33 | -------------------------------------------------------------------------------- /syscalls/getrandom.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, unsigned int, flags) 3 | */ 4 | #include 5 | #include "maps.h" 6 | #include "sanitise.h" 7 | #include "trinity.h" 8 | 9 | #define GRND_NONBLOCK 0x0001 10 | #define GRND_RANDOM 0x0002 11 | 12 | static void sanitise_getrandom(__unused__ struct syscallrecord *rec) 13 | { 14 | (void) common_set_mmap_ptr_len(); 15 | } 16 | 17 | static unsigned long getrandom_flags[] = { 18 | GRND_NONBLOCK, GRND_RANDOM, 19 | }; 20 | 21 | struct syscallentry syscall_getrandom = { 22 | .name = "getrandom", 23 | .num_args = 3, 24 | .arg1name = "buf", 25 | .arg1type = ARG_MMAP, 26 | .arg2name = "count", 27 | .arg3name = "flags", 28 | .arg3type = ARG_LIST, 29 | .arg3list = ARGLIST(getrandom_flags), 30 | .sanitise = sanitise_getrandom, 31 | }; 32 | -------------------------------------------------------------------------------- /syscalls/io_uring_enter.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit, u32, min_complete, u32, flags, const sigset_t __user *, sig, size_t, sigsz) 3 | */ 4 | #include "sanitise.h" 5 | 6 | #define IORING_ENTER_GETEVENTS (1U << 0) 7 | #define IORING_ENTER_SQ_WAKEUP (1U << 1) 8 | 9 | static unsigned long io_uring_enter_flags[] = { 10 | IORING_ENTER_GETEVENTS, IORING_ENTER_SQ_WAKEUP, 11 | }; 12 | 13 | struct syscallentry syscall_io_uring_enter = { 14 | .name = "io_uring_enter", 15 | .num_args = 6, 16 | .arg1name = "fd", 17 | .arg1type = ARG_FD, 18 | .arg2name = "to_submit", 19 | .arg3name = "min_complete", 20 | .arg4name = "flags", 21 | .arg4type = ARG_OP, 22 | .arg4list = ARGLIST(io_uring_enter_flags), 23 | .arg5name = "sig", 24 | .arg5type = ARG_ADDRESS, 25 | .arg6name = "sigsz", 26 | }; 27 | -------------------------------------------------------------------------------- /syscalls/getresuid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getresuid, uid_t __user *, ruid, uid_t __user *, euid, uid_t __user *, suid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getresuid = { 7 | .name = "getresuid", 8 | .num_args = 3, 9 | .arg1name = "ruid", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "euid", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "suid", 14 | .arg3type = ARG_ADDRESS, 15 | }; 16 | 17 | /* 18 | * SYSCALL_DEFINE3(getresuid16, old_uid_t __user *, ruid, old_uid_t __user *, euid, old_uid_t __user *, suid) 19 | */ 20 | 21 | struct syscallentry syscall_getresuid16 = { 22 | .name = "getresuid16", 23 | .num_args = 3, 24 | .arg1name = "ruid", 25 | .arg1type = ARG_ADDRESS, 26 | .arg2name = "euid", 27 | .arg2type = ARG_ADDRESS, 28 | .arg3name = "suid", 29 | .arg3type = ARG_ADDRESS, 30 | }; 31 | -------------------------------------------------------------------------------- /syscalls/getrlimit.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(getrlimit, unsigned int, resource, struct rlimit __user *, rlim) 3 | */ 4 | #include 5 | #include 6 | #include 7 | #include "sanitise.h" 8 | #include "shm.h" 9 | #include "compat.h" 10 | 11 | static unsigned long getrlimit_resources[] = { 12 | RLIMIT_AS, RLIMIT_CORE, RLIMIT_CPU, RLIMIT_DATA, 13 | RLIMIT_FSIZE, RLIMIT_LOCKS, RLIMIT_MEMLOCK, RLIMIT_MSGQUEUE, 14 | RLIMIT_NICE, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, 15 | RLIMIT_RTPRIO, RLIMIT_RTTIME, RLIMIT_SIGPENDING, RLIMIT_STACK, 16 | }; 17 | 18 | struct syscallentry syscall_getrlimit = { 19 | .name = "getrlimit", 20 | .num_args = 2, 21 | .arg1name = "resource", 22 | .arg1type = ARG_OP, 23 | .arg1list = ARGLIST(getrlimit_resources), 24 | .arg2name = "rlim", 25 | .arg2type = ARG_ADDRESS, 26 | }; 27 | -------------------------------------------------------------------------------- /syscalls/mknod.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(mknod, const char __user *, filename, int, mode, unsigned, dev) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_mknod = { 7 | .name = "mknod", 8 | .num_args = 3, 9 | .arg1name = "filename", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "mode", 12 | .arg2type = ARG_MODE_T, 13 | .arg3name = "dev", 14 | .group = GROUP_VFS, 15 | }; 16 | 17 | 18 | /* 19 | * SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, unsigned, dev) 20 | */ 21 | 22 | struct syscallentry syscall_mknodat = { 23 | .name = "mknodat", 24 | .num_args = 4, 25 | .arg1name = "dfd", 26 | .arg1type = ARG_FD, 27 | .arg2name = "filename", 28 | .arg2type = ARG_PATHNAME, 29 | .arg3name = "mode", 30 | .arg4name = "dev", 31 | .flags = NEED_ALARM, 32 | .group = GROUP_VFS, 33 | }; 34 | -------------------------------------------------------------------------------- /syscalls/sched_getattr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(sched_getattr, pid_t, pid, struct sched_attr __user *, uattr, unsigned int, size) 3 | */ 4 | #include 5 | #include "arch.h" 6 | #include "random.h" 7 | #include "sanitise.h" 8 | #include "shm.h" 9 | #include "syscall.h" 10 | #include "trinity.h" 11 | 12 | #define SCHED_ATTR_SIZE_VER0 48 13 | 14 | static void sanitise_sched_getattr(struct syscallrecord *rec) 15 | { 16 | unsigned long range = page_size - SCHED_ATTR_SIZE_VER0; 17 | 18 | rec->a3 = (rnd() % range) + SCHED_ATTR_SIZE_VER0; 19 | } 20 | 21 | struct syscallentry syscall_sched_getattr = { 22 | .name = "sched_getattr", 23 | .num_args = 3, 24 | .arg1name = "pid", 25 | .arg1type = ARG_PID, 26 | .arg2name = "param", 27 | .arg2type = ARG_ADDRESS, 28 | .arg3name = "size", 29 | .sanitise = sanitise_sched_getattr, 30 | }; 31 | -------------------------------------------------------------------------------- /include/fd.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "child.h" 4 | #include "list.h" 5 | #include "syscall.h" 6 | #include "types.h" 7 | 8 | void setup_fd_providers(void); 9 | 10 | unsigned int open_fds(void); 11 | 12 | void process_fds_param(char *optarg, bool enable); 13 | 14 | struct fd_provider { 15 | struct list_head list; 16 | const char *name; 17 | int (*open)(void); 18 | int (*get)(void); 19 | bool enabled; 20 | bool initialized; 21 | }; 22 | 23 | void register_fd_provider(const struct fd_provider *prov); 24 | 25 | unsigned int check_if_fd(struct childdata *child, struct syscallrecord *rec); 26 | 27 | int get_random_fd(void); 28 | int get_new_random_fd(void); 29 | 30 | #define REG_FD_PROV(_struct) \ 31 | static void __attribute__((constructor)) register_##_struct(void) { \ 32 | register_fd_provider(&_struct); \ 33 | } 34 | -------------------------------------------------------------------------------- /include/random.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "child.h" 5 | #include "types.h" 6 | 7 | int rnd(void); 8 | 9 | #define ONE_IN(x) ((rnd() % x) == 0) // limit of RAND_MAX-1 10 | 11 | #define RAND_BOOL() (rnd() & 1) 12 | #define RAND_BYTE() (rnd() & 0xff) 13 | #define RAND_RANGE(min, max) (min + rnd() / (RAND_MAX / (max - min + 1) + 1)) 14 | 15 | extern unsigned int seed; 16 | unsigned int init_seed(unsigned int seed); 17 | void set_seed(struct childdata *child); 18 | void reseed(void); 19 | 20 | void generate_rand_bytes(unsigned char *ptr, unsigned int len); 21 | void generate_random_page(char *page); 22 | unsigned short rand16(void); 23 | unsigned int rand32(void); 24 | u64 rand64(void); 25 | unsigned long rand_single_bit(unsigned char size); 26 | unsigned long set_rand_bitmask(unsigned int num, const unsigned long *values); 27 | -------------------------------------------------------------------------------- /syscalls/symlink.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(symlink, const char __user *, oldname, const char __user *, newname) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_symlink = { 7 | .name = "symlink", 8 | .num_args = 2, 9 | .arg1name = "oldname", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "newname", 12 | .arg2type = ARG_PATHNAME, 13 | .group = GROUP_VFS, 14 | }; 15 | 16 | /* 17 | * SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, 18 | int, newdfd, const char __user *, newname) 19 | */ 20 | 21 | struct syscallentry syscall_symlinkat = { 22 | .name = "symlinkat", 23 | .num_args = 3, 24 | .arg1name = "oldname", 25 | .arg1type = ARG_PATHNAME, 26 | .arg2name = "newdfd", 27 | .arg2type = ARG_FD, 28 | .arg3name = "newname", 29 | .arg3type = ARG_PATHNAME, 30 | .flags = NEED_ALARM, 31 | .group = GROUP_VFS, 32 | }; 33 | -------------------------------------------------------------------------------- /log.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "log.h" 8 | #include "logfile.h" 9 | #include "params.h" // logging, quiet_level 10 | #include "pids.h" 11 | #include "shm.h" 12 | 13 | void init_logging(void) 14 | { 15 | if (logging == LOGGING_DISABLED) 16 | return; 17 | open_main_logfile(); 18 | } 19 | 20 | void shutdown_logging(void) 21 | { 22 | if (logging == LOGGING_DISABLED) 23 | return; 24 | close_logfile(&mainlogfile); 25 | } 26 | 27 | void init_child_logging(struct childdata *child) 28 | { 29 | if (logging == LOGGING_DISABLED) 30 | return; 31 | open_child_logfile(child); 32 | } 33 | 34 | void shutdown_child_logging(struct childdata *child) 35 | { 36 | if (logging == LOGGING_DISABLED) 37 | return; 38 | close_logfile(&child->logfile); 39 | } 40 | -------------------------------------------------------------------------------- /syscalls/getresgid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(getresgid, gid_t __user *, rgid, gid_t __user *, egid, gid_t __user *, sgid) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_getresgid = { 7 | .name = "getresgid", 8 | .num_args = 3, 9 | .arg1name = "rgid", 10 | .arg1type = ARG_ADDRESS, 11 | .arg2name = "egid", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "sgid", 14 | .arg3type = ARG_ADDRESS, 15 | }; 16 | 17 | 18 | /* 19 | * SYSCALL_DEFINE3(getresgid16, old_gid_t __user *, rgid, old_gid_t __user *, egid, old_gid_t __user *, sgid) 20 | */ 21 | #include "sanitise.h" 22 | 23 | struct syscallentry syscall_getresgid16 = { 24 | .name = "getresgid16", 25 | .num_args = 3, 26 | .arg1name = "rgid", 27 | .arg1type = ARG_ADDRESS, 28 | .arg2name = "egid", 29 | .arg2type = ARG_ADDRESS, 30 | .arg3name = "sgid", 31 | .arg3type = ARG_ADDRESS, 32 | }; 33 | -------------------------------------------------------------------------------- /include/arch-tile.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __tilegx__ 4 | 5 | #define MAX_VA_WIDTH 42 6 | #define MAX_PA_WIDTH 40 7 | 8 | #define PAGE_OFFSET (-(1 << (MAX_VA_WIDTH - 1))) 9 | #define KERNEL_HIGH_VADDR 0xfffffff800000000 /* high 32GB */ 10 | #define MEM_SV_START (KERNEL_HIGH_VADDR - 0x100000000) /* 256 MB */ 11 | #define MEM_MODULE_START (MEM_SV_START + (256*1024*1024)) /* 256 MB */ 12 | #define MEM_MODULE_END (MEM_MODULE_START + (256*1024*1024)) 13 | #define KERNEL_ADDR MEM_SV_START 14 | #define MODULE_ADDR MEM_MODULE_START 15 | 16 | #define TASK_SIZE_MAX (1 << (MAX_VA_WIDTH - 1)) 17 | #define TASK_SIZE TASK_SIZE_MAX 18 | 19 | #define PAGE_SHIFT 16 20 | #define PTE_FILE_MAX_BITS 32 21 | #define BITS_PER_LONG 64 22 | 23 | #endif 24 | 25 | #define SYSCALLS syscalls_tile 26 | -------------------------------------------------------------------------------- /syscalls/move_mount.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(move_mount, int, from_dfd, const char *, from_pathname, 3 | * int, to_dfd, const char *, to_pathname, unsigned int, flags) 4 | */ 5 | #include "sanitise.h" 6 | #include "compat.h" 7 | 8 | static unsigned long move_mount_flags[] = { 9 | MOVE_MOUNT_F_SYMLINKS, MOVE_MOUNT_F_AUTOMOUNTS, MOVE_MOUNT_F_EMPTY_PATH, MOVE_MOUNT_T_SYMLINKS, 10 | MOVE_MOUNT_T_AUTOMOUNTS, MOVE_MOUNT_T_EMPTY_PATH, 11 | }; 12 | 13 | struct syscallentry syscall_move_mount = { 14 | .name = "move_mount", 15 | .num_args = 5, 16 | .arg1name = "from_dfd", 17 | .arg1type = ARG_FD, 18 | .arg2name = "from_pathname", 19 | .arg2type = ARG_PATHNAME, 20 | .arg3name = "to_dfd", 21 | .arg3type = ARG_FD, 22 | .arg4name = "to_pathname", 23 | .arg4type = ARG_PATHNAME, 24 | .arg5name = "flags", 25 | .arg5type = ARG_OP, 26 | .arg5list = ARGLIST(move_mount_flags), 27 | }; 28 | -------------------------------------------------------------------------------- /scripts/test-vm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # This script demonstrates hunting for a VM bug that involved mmap + some other 4 | # VM related syscall. 5 | 6 | . scripts/paths.sh 7 | . scripts/privs.sh 8 | . scripts/taint.sh 9 | 10 | chmod 755 $TRINITY_TMP 11 | cd $TRINITY_TMP 12 | 13 | while [ 1 ]; 14 | do 15 | for syscall in madvise mbind migrate_pages mincore mlockall mlock move_pages mprotect mremap msync munlockall munlock munmap remap_file_pages vmsplice 16 | do 17 | echo testing mmap + $syscall 18 | pushd $TRINITY_TMP > /dev/null 19 | 20 | if [ ! -f $TRINITY_PATH/trinity ]; then 21 | echo lost! 22 | pwd 23 | exit 24 | fi 25 | 26 | MALLOC_CHECK_=2 $TRINITY_PATH/trinity -q -l off -c mmap -c $syscall -N 1000000 -C 64 $DROPPRIVS 27 | 28 | chmod 755 $TRINITY_TMP 29 | popd > /dev/null 30 | 31 | check_tainted 32 | echo 33 | echo 34 | done 35 | check_tainted 36 | done 37 | -------------------------------------------------------------------------------- /syscalls/fsmount.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags, unsigned int, attr_flags) 3 | */ 4 | #include "sanitise.h" 5 | #include "compat.h" 6 | 7 | #define FSMOUNT_CLOEXEC 0x00000001 8 | static unsigned long fsmount_flags[] = { 9 | FSMOUNT_CLOEXEC, 10 | }; 11 | 12 | static unsigned long fsmount_attr_flags[] = { 13 | MOVE_MOUNT_F_SYMLINKS, 14 | MOVE_MOUNT_F_AUTOMOUNTS, 15 | MOVE_MOUNT_F_EMPTY_PATH, 16 | MOVE_MOUNT_T_SYMLINKS, 17 | MOVE_MOUNT_T_AUTOMOUNTS, 18 | MOVE_MOUNT_T_EMPTY_PATH, 19 | }; 20 | 21 | 22 | struct syscallentry syscall_fsmount = { 23 | .name = "fsmount", 24 | .num_args = 3, 25 | .arg1name = "fs_fd", 26 | .arg1type = ARG_FD, 27 | .arg2name = "flags", 28 | .arg2type = ARG_OP, 29 | .arg2list = ARGLIST(fsmount_flags), 30 | .arg3name = "attr_flags", 31 | .arg3type = ARG_OP, 32 | .arg3list = ARGLIST(fsmount_attr_flags), 33 | }; 34 | -------------------------------------------------------------------------------- /net/proto-netrom.c: -------------------------------------------------------------------------------- 1 | 2 | #ifdef USE_NETROM 3 | #include 4 | #include 5 | #include "net.h" 6 | #include "compat.h" 7 | #include "random.h" 8 | #include "utils.h" // RAND_ARRAY 9 | 10 | static void netrom_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 11 | { 12 | const unsigned int netrom_opts[] = { 13 | NETROM_T1, NETROM_T2, NETROM_N2, NETROM_T4, NETROM_IDLE 14 | }; 15 | 16 | so->level = SOL_NETROM; 17 | so->optname = RAND_ARRAY(netrom_opts); 18 | } 19 | 20 | static struct socket_triplet netrom_triplet[] = { 21 | { .family = PF_NETROM, .protocol = 0, .type = SOCK_SEQPACKET }, 22 | }; 23 | 24 | const struct netproto proto_netrom = { 25 | .name = "netrom", 26 | // .socket = netrom_rand_socket, 27 | .setsockopt = netrom_setsockopt, 28 | .valid_triplets = netrom_triplet, 29 | .nr_triplets = ARRAY_SIZE(netrom_triplet), 30 | }; 31 | #endif 32 | -------------------------------------------------------------------------------- /syscalls/msgrcv.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz, long, msgtyp, int, msgflg) 3 | */ 4 | #include 5 | #include 6 | #include "compat.h" 7 | #include "random.h" 8 | #include "sanitise.h" 9 | 10 | static void sanitise_msgrcv(struct syscallrecord *rec) 11 | { 12 | rec->a3 = rnd() % MSGMAX; 13 | } 14 | 15 | static unsigned long msgrcv_flags[] = { 16 | MSG_NOERROR, MSG_EXCEPT, MSG_COPY, IPC_NOWAIT, 17 | }; 18 | 19 | struct syscallentry syscall_msgrcv = { 20 | .name = "msgrcv", 21 | .num_args = 5, 22 | .arg1name = "msqid", 23 | .arg2name = "msgp", 24 | .arg2type = ARG_NON_NULL_ADDRESS, 25 | .arg3name = "msgsz", 26 | .arg4name = "msgtyp", 27 | .arg5name = "msgflg", 28 | .arg5type = ARG_LIST, 29 | .arg5list = ARGLIST(msgrcv_flags), 30 | .flags = IGNORE_ENOSYS | NEED_ALARM, 31 | .sanitise = sanitise_msgrcv, 32 | }; 33 | -------------------------------------------------------------------------------- /syscalls/process_vm_readv.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(process_vm_readv, pid_t, pid, const struct iovec __user *, lvec, 3 | * unsigned long, liovcnt, const struct iovec __user *, rvec, 4 | * unsigned long, riovcnt, unsigned long, flags) 5 | */ 6 | #include "sanitise.h" 7 | 8 | static unsigned long process_vm_readv_flags[] = { 9 | 0, // currently no flags defined, mbz 10 | }; 11 | 12 | struct syscallentry syscall_process_vm_readv = { 13 | .name = "process_vm_readv", 14 | .num_args = 6, 15 | .arg1name = "pid", 16 | .arg1type = ARG_PID, 17 | .arg2name = "lvec", 18 | .arg2type = ARG_IOVEC, 19 | .arg3name = "liovcnt", 20 | .arg3type = ARG_IOVECLEN, 21 | .arg4name = "rvec", 22 | .arg4type = ARG_IOVEC, 23 | .arg5name = "riovcnt", 24 | .arg5type = ARG_IOVECLEN, 25 | .arg6name = "flags", 26 | .arg6type = ARG_LIST, 27 | .arg6list = ARGLIST(process_vm_readv_flags), 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/process_vm_writev.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(process_vm_writev, pid_t, pid, const struct iovec __user *, lvec, 3 | * unsigned long, liovcnt, const struct iovec __user *, rvec, 4 | * unsigned long, riovcnt, unsigned long, flags) 5 | */ 6 | #include "sanitise.h" 7 | 8 | static unsigned long process_vm_writev_flags[] = { 9 | 0, // currently no flags defined, mbz 10 | }; 11 | 12 | struct syscallentry syscall_process_vm_writev = { 13 | .name = "process_vm_writev", 14 | .num_args = 6, 15 | .arg1name = "pid", 16 | .arg1type = ARG_PID, 17 | .arg2name = "lvec", 18 | .arg2type = ARG_IOVEC, 19 | .arg3name = "liovcnt", 20 | .arg3type = ARG_IOVECLEN, 21 | .arg4name = "rvec", 22 | .arg4type = ARG_IOVEC, 23 | .arg5name = "riovcnt", 24 | .arg5type = ARG_IOVECLEN, 25 | .arg6name = "flags", 26 | .arg6type = ARG_LIST, 27 | .arg6list = ARGLIST(process_vm_writev_flags), 28 | }; 29 | -------------------------------------------------------------------------------- /syscalls/name_to_handle_at.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name, 3 | * struct file_handle __user *, handle, int __user *, mnt_id, 4 | * int, flag) 5 | */ 6 | #include 7 | #include "sanitise.h" 8 | #include "compat.h" 9 | 10 | static unsigned long name_to_handle_at_flags[] = { 11 | AT_FDCWD, AT_SYMLINK_NOFOLLOW, AT_REMOVEDIR, AT_SYMLINK_FOLLOW, 12 | AT_NO_AUTOMOUNT, AT_EMPTY_PATH, 13 | }; 14 | 15 | struct syscallentry syscall_name_to_handle_at = { 16 | .name = "name_to_handle_at", 17 | .num_args = 5, 18 | .arg1name = "fd", 19 | .arg1type = ARG_FD, 20 | .arg2name = "name", 21 | .arg2type = ARG_ADDRESS, 22 | .arg3name = "handle", 23 | .arg3type = ARG_ADDRESS, 24 | .arg4name = "mnt_id", 25 | .arg4type = ARG_ADDRESS, 26 | .arg5name = "flag", 27 | .arg5type = ARG_LIST, 28 | .arg5list = ARGLIST(name_to_handle_at_flags), 29 | .flags = NEED_ALARM, 30 | }; 31 | -------------------------------------------------------------------------------- /syscalls/socketpair.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol, int __user *, usockvec) 3 | */ 4 | #include 5 | #include 6 | #include "sanitise.h" 7 | #include "utils.h" 8 | 9 | static void sanitise_socketpair(struct syscallrecord *rec) 10 | { 11 | rec->a1 = AF_UNIX; 12 | rec->a4 = (unsigned long) malloc(sizeof(int) * 2); 13 | } 14 | 15 | static void post_socketpair(struct syscallrecord *rec) 16 | { 17 | //TODO: on success we should put the fd's that 18 | // were created into a child-local fd array. 19 | 20 | freeptr(&rec->a4); 21 | } 22 | 23 | struct syscallentry syscall_socketpair = { 24 | .name = "socketpair", 25 | .num_args = 4, 26 | .arg1name = "family", 27 | .arg2name = "type", 28 | .arg3name = "protocol", 29 | .arg4name = "usockvec", 30 | .arg4type = ARG_ADDRESS, 31 | .sanitise = sanitise_socketpair, 32 | .post = post_socketpair, 33 | }; 34 | -------------------------------------------------------------------------------- /syscalls/ftruncate.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_ftruncate = { 7 | .name = "ftruncate", 8 | .num_args = 2, 9 | .arg1name = "fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "length", 12 | .arg2type = ARG_LEN, 13 | .rettype = RET_ZERO_SUCCESS, 14 | .flags = NEED_ALARM, 15 | .group = GROUP_VFS, 16 | }; 17 | 18 | 19 | /* 20 | * SYSCALL_DEFINE(ftruncate64)(unsigned int fd, loff_t length) 21 | * 22 | * On success, zero is returned. 23 | * On error, -1 is returned, and errno is set appropriately. 24 | */ 25 | 26 | struct syscallentry syscall_ftruncate64 = { 27 | .name = "ftruncate64", 28 | .num_args = 2, 29 | .arg1name = "fd", 30 | .arg1type = ARG_FD, 31 | .arg2name = "length", 32 | .arg2type = ARG_LEN, 33 | .rettype = RET_ZERO_SUCCESS, 34 | .flags = NEED_ALARM, 35 | .group = GROUP_VFS, 36 | }; 37 | -------------------------------------------------------------------------------- /net/proto-rxrpc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "net.h" 3 | #include "compat.h" 4 | #include "random.h" 5 | #include "utils.h" // RAND_ARRAY 6 | 7 | static const unsigned int rxrpc_opts[] = { 8 | RXRPC_USER_CALL_ID, RXRPC_ABORT, RXRPC_ACK, RXRPC_NET_ERROR, 9 | RXRPC_BUSY, RXRPC_LOCAL_ERROR, RXRPC_NEW_CALL, RXRPC_ACCEPT, 10 | }; 11 | 12 | #define SOL_RXRPC 272 13 | 14 | static void rxrpc_setsockopt(struct sockopt *so, __unused__ struct socket_triplet *triplet) 15 | { 16 | so->level = SOL_RXRPC; 17 | 18 | so->optname = RAND_ARRAY(rxrpc_opts); 19 | } 20 | 21 | static struct socket_triplet rxrpc_triplet[] = { 22 | { .family = PF_RXRPC, .protocol = PF_INET, .type = SOCK_DGRAM }, 23 | }; 24 | 25 | const struct netproto proto_rxrpc = { 26 | .name = "rxrpc", 27 | // .socket = rxrpc_rand_socket, 28 | .setsockopt = rxrpc_setsockopt, 29 | .valid_triplets = rxrpc_triplet, 30 | .nr_triplets = ARRAY_SIZE(rxrpc_triplet), 31 | }; 32 | -------------------------------------------------------------------------------- /syscalls/request_key.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(request_key, const char __user *, _type, 3 | const char __user *, _description, 4 | const char __user *, _callout_info, 5 | key_serial_t, destringid) 6 | */ 7 | #include 8 | #include "sanitise.h" 9 | 10 | static unsigned long request_key_ids[] = { 11 | KEY_SPEC_THREAD_KEYRING, KEY_SPEC_PROCESS_KEYRING, 12 | KEY_SPEC_SESSION_KEYRING, KEY_SPEC_USER_KEYRING, 13 | KEY_SPEC_USER_SESSION_KEYRING, KEY_SPEC_GROUP_KEYRING, 14 | KEY_SPEC_REQKEY_AUTH_KEY, KEY_SPEC_REQUESTOR_KEYRING, 15 | }; 16 | 17 | struct syscallentry syscall_request_key = { 18 | .name = "request_key", 19 | .num_args = 4, 20 | .arg1name = "_type", 21 | .arg1type = ARG_ADDRESS, 22 | .arg2name = "_description", 23 | .arg2type = ARG_ADDRESS, 24 | .arg3name = "_callout_info", 25 | .arg3type = ARG_ADDRESS, 26 | .arg4name = "destringid", 27 | .arg4type = ARG_OP, 28 | .arg4list = ARGLIST(request_key_ids), 29 | }; 30 | -------------------------------------------------------------------------------- /syscalls/futex_waitv.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(futex_waitv, struct futex_waitv __user *, waiters, 3 | unsigned int, nr_futexes, unsigned int, flags, 4 | struct __kernel_timespec __user *, timeout, clockid_t, clockid) 5 | */ 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "sanitise.h" 15 | 16 | static void sanitise_futex_waitv(struct syscallrecord *rec) 17 | { 18 | rec->a3 = 0; // no flags right now 19 | } 20 | 21 | struct syscallentry syscall_futex_waitv = { 22 | .name = "futex_waitv", 23 | .num_args = 5, 24 | .arg1name = "waiters", 25 | .arg2name = "nr_futexes", 26 | .arg3name = "flags", 27 | .arg4name = "timeout", 28 | .arg5name = "clockid", 29 | .flags = NEED_ALARM | IGNORE_ENOSYS, 30 | .sanitise = sanitise_futex_waitv, 31 | }; 32 | -------------------------------------------------------------------------------- /syscalls/readlink.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(readlink, const char __user *, path, char __user *, buf, int, bufsiz) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_readlink = { 7 | .name = "readlink", 8 | .num_args = 3, 9 | .arg1name = "path", 10 | .arg1type = ARG_PATHNAME, 11 | .arg2name = "buf", 12 | .arg2type = ARG_ADDRESS, 13 | .arg3name = "bufsiz", 14 | .arg3type = ARG_LEN, 15 | .group = GROUP_VFS, 16 | }; 17 | 18 | 19 | /* 20 | * SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname, 21 | char __user *, buf, int, bufsiz) 22 | */ 23 | 24 | struct syscallentry syscall_readlinkat = { 25 | .name = "readlinkat", 26 | .num_args = 4, 27 | .arg1name = "dfd", 28 | .arg1type = ARG_FD, 29 | .arg2name = "pathname", 30 | .arg2type = ARG_PATHNAME, 31 | .arg3name = "buf", 32 | .arg3type = ARG_ADDRESS, 33 | .arg4name = "bufsiz", 34 | .arg4type = ARG_LEN, 35 | .flags = NEED_ALARM, 36 | .group = GROUP_VFS, 37 | }; 38 | -------------------------------------------------------------------------------- /syscalls/kexec_file_load.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, 3 | * unsigned long, cmdline_len, const char __user *, cmdline_ptr, 4 | * unsigned long, flags) 5 | */ 6 | 7 | #define KEXEC_FILE_UNLOAD 0x00000001 8 | #define KEXEC_FILE_ON_CRASH 0x00000002 9 | #define KEXEC_FILE_NO_INITRAMFS 0x00000004 10 | 11 | #include "sanitise.h" 12 | 13 | static unsigned long kexec_file_load_flags[] = { 14 | KEXEC_FILE_UNLOAD, KEXEC_FILE_ON_CRASH, KEXEC_FILE_NO_INITRAMFS, 15 | }; 16 | 17 | struct syscallentry syscall_kexec_file_load = { 18 | .name = "kexec_file_load", 19 | .num_args = 5, 20 | .arg1name = "kernel_fd", 21 | .arg1type = ARG_FD, 22 | .arg2name = "initrd_fd", 23 | .arg2type = ARG_FD, 24 | .arg3name = "cmdline_len", 25 | .arg3type = ARG_LEN, 26 | .arg4name = "cmdline_ptr", 27 | .arg4type = ARG_ADDRESS, 28 | .arg5name = "flags", 29 | .arg5type = ARG_LIST, 30 | .arg5list = ARGLIST(kexec_file_load_flags), 31 | }; 32 | -------------------------------------------------------------------------------- /scripts/find.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # This is an example of how to search for an interaction between 4 | # two syscalls. In the example below I was chasing an oops involving 5 | # ftruncate and another unknown syscall. 6 | # 7 | # I wanted to avoid execve, and the sync syscalls because they just slowed 8 | # things down, and had already been ruled out. 9 | # 10 | 11 | . scripts/paths.sh 12 | . scripts/privs.sh 13 | . scripts/taint.sh 14 | 15 | chmod 755 $TRINITY_TMP 16 | cd $TRINITY_TMP 17 | 18 | NR_CPUS=$(nproc) 19 | 20 | while [ 1 ]; 21 | do 22 | mkdir -p tmp.$i 23 | pushd tmp.$i 24 | 25 | if [ ! -f $TRINITY_PATH/trinity ]; then 26 | echo lost! 27 | pwd 28 | exit 29 | fi 30 | 31 | $TRINITY_PATH/trinity $DROPPRIVS -q -l off -a64 -c ftruncate -r20 -x execve -x execveat -x syncfs -x sync -x fsync -x fdatasync -C64 -N 1000000 --enable-fds=pseudo,testfile 32 | 33 | popd 34 | 35 | check_tainted 36 | 37 | chmod 755 $TRINITY_TMP 38 | 39 | done 40 | -------------------------------------------------------------------------------- /syscalls/inotify_add_watch.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(inotify_add_watch, int, fd, const char __user *, pathname, u32, mask) 3 | */ 4 | #include "sanitise.h" 5 | #include "compat.h" 6 | 7 | #include 8 | 9 | static unsigned long inotify_add_watch_masks[] = { 10 | IN_ACCESS, IN_MODIFY, IN_ATTRIB, IN_CLOSE_WRITE, 11 | IN_CLOSE_NOWRITE, IN_OPEN, IN_MOVED_FROM, IN_MOVED_TO, 12 | IN_CREATE, IN_DELETE, IN_DELETE_SELF, IN_MOVE_SELF, 13 | IN_UNMOUNT, IN_Q_OVERFLOW, IN_IGNORED, IN_ONLYDIR, 14 | IN_DONT_FOLLOW, IN_EXCL_UNLINK, IN_MASK_ADD, IN_ISDIR, 15 | IN_ONESHOT, 16 | }; 17 | 18 | struct syscallentry syscall_inotify_add_watch = { 19 | .name = "inotify_add_watch", 20 | .num_args = 3, 21 | .arg1name = "fd", 22 | .arg1type = ARG_FD, 23 | .arg2name = "pathname", 24 | .arg2type = ARG_PATHNAME, 25 | .arg3name = "mask", 26 | .arg3type = ARG_LIST, 27 | .arg3list = ARGLIST(inotify_add_watch_masks), 28 | .flags = NEED_ALARM, 29 | .group = GROUP_VFS, 30 | }; 31 | -------------------------------------------------------------------------------- /syscalls/landlock_add_rule.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(landlock_add_rule, 3 | * const int, ruleset_fd, const enum landlock_rule_type, rule_type, 4 | * const void __user *const, rule_attr, const __u32, flags) 5 | */ 6 | #include "sanitise.h" 7 | 8 | enum landlock_rule_type { 9 | LANDLOCK_RULE_PATH_BENEATH = 1, 10 | }; 11 | 12 | static unsigned long landlock_ruletypes[] = { 13 | LANDLOCK_RULE_PATH_BENEATH, 14 | }; 15 | 16 | // no flags for now 17 | //static unsigned long landlock_add_rule_flags[] = { 18 | // , 19 | //}; 20 | 21 | struct syscallentry syscall_landlock_add_rule = { 22 | .name = "landlock_add_rule", 23 | .num_args = 4, 24 | .arg1name = "ruleset_fd", 25 | .arg1type = ARG_FD, 26 | .arg2name = "rule_type", 27 | .arg2type = ARG_LIST, 28 | .arg2list = ARGLIST(landlock_ruletypes), 29 | .arg3name = "rule_attr", 30 | .arg4name = "flags", 31 | // .arg4type = ARG_LIST, 32 | // .arg4list = ARGLIST(landlock_add_rule_flags), 33 | }; 34 | -------------------------------------------------------------------------------- /syscalls/membarrier.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE2(membarrier, int, cmd, int, flags) 3 | */ 4 | #include 5 | #include "random.h" 6 | #include "sanitise.h" 7 | 8 | static void sanitise_membarrier(struct syscallrecord *rec) 9 | { 10 | // for now, there are no flags, but for future 11 | // proofing, we'll leak something random occasionally. 12 | // 0 the rest of the time, or we just EINVAL 13 | if (ONE_IN(1000)) 14 | rec->a2 = 1 << (rnd() % 4); 15 | else 16 | rec->a2 = 0; 17 | } 18 | 19 | enum membarrier_cmd { 20 | MEMBARRIER_CMD_QUERY = 0, 21 | MEMBARRIER_CMD_SHARED = (1 << 0), 22 | }; 23 | 24 | static unsigned long membarrier_cmds[] = { 25 | MEMBARRIER_CMD_QUERY, MEMBARRIER_CMD_SHARED, 26 | }; 27 | 28 | struct syscallentry syscall_membarrier = { 29 | .name = "membarrier", 30 | .num_args = 2, 31 | .arg1type = ARG_OP, 32 | .arg1name = "cmd", 33 | .arg1list = ARGLIST(membarrier_cmds), 34 | .arg2name = "flags", 35 | .sanitise = sanitise_membarrier, 36 | }; 37 | -------------------------------------------------------------------------------- /syscalls/splice.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in, 3 | int, fd_out, loff_t __user *, off_out, 4 | size_t, len, unsigned int, flags) 5 | */ 6 | #include 7 | #include 8 | #include "random.h" 9 | #include "sanitise.h" 10 | #include "shm.h" 11 | #include "syscall.h" 12 | #include "trinity.h" 13 | #include "compat.h" 14 | 15 | static unsigned long splice_flags[] = { 16 | SPLICE_F_MOVE, SPLICE_F_NONBLOCK, SPLICE_F_MORE, SPLICE_F_GIFT, 17 | }; 18 | 19 | struct syscallentry syscall_splice = { 20 | .name = "splice", 21 | .num_args = 6, 22 | .arg1name = "fd_in", 23 | .arg1type = ARG_FD, 24 | .arg2name = "off_in", 25 | .arg2type = ARG_ADDRESS, 26 | .arg3name = "fd_out", 27 | .arg3type = ARG_FD, 28 | .arg4name = "off_out", 29 | .arg4type = ARG_ADDRESS, 30 | .arg5name = "len", 31 | .arg5type = ARG_LEN, 32 | .arg6name = "flags", 33 | .arg6type = ARG_LIST, 34 | .arg6list = ARGLIST(splice_flags), 35 | .flags = NEED_ALARM, 36 | }; 37 | -------------------------------------------------------------------------------- /syscalls/sendfile.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE4(sendfile, int, out_fd, int, in_fd, off_t __user *, offset, size_t, count) 3 | */ 4 | #include "sanitise.h" 5 | 6 | struct syscallentry syscall_sendfile = { 7 | .name = "sendfile", 8 | .num_args = 4, 9 | .arg1name = "out_fd", 10 | .arg1type = ARG_FD, 11 | .arg2name = "in_fd", 12 | .arg2type = ARG_FD, 13 | .arg3name = "offset", 14 | .arg3type = ARG_ADDRESS, 15 | .arg4name = "count", 16 | .arg4type = ARG_LEN, 17 | .flags = NEED_ALARM | IGNORE_ENOSYS, 18 | }; 19 | 20 | /* 21 | * SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd, loff_t __user *, offset, size_t, count) 22 | */ 23 | 24 | struct syscallentry syscall_sendfile64 = { 25 | .name = "sendfile", 26 | .num_args = 4, 27 | .arg1name = "out_fd", 28 | .arg1type = ARG_FD, 29 | .arg2name = "in_fd", 30 | .arg2type = ARG_FD, 31 | .arg3name = "offset", 32 | .arg3type = ARG_ADDRESS, 33 | .arg4name = "count", 34 | .arg4type = ARG_LEN, 35 | .flags = NEED_ALARM | IGNORE_ENOSYS, 36 | }; 37 | -------------------------------------------------------------------------------- /syscalls/open_tree.c: -------------------------------------------------------------------------------- 1 | /* 2 | * SYSCALL_DEFINE3(open_tree, int, dfd, const char *, filename, unsigned, flags) 3 | */ 4 | #include "sanitise.h" 5 | #include 6 | 7 | #ifndef OPEN_TREE_CLONE 8 | #define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ 9 | #define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ 10 | #endif 11 | 12 | #ifndef AT_RECURSIVE 13 | #define AT_RECURSIVE 0x8000 /* Apply to the entire subtree */ 14 | #endif 15 | 16 | static unsigned long open_tree_flags[] = { 17 | AT_EMPTY_PATH, AT_NO_AUTOMOUNT, AT_RECURSIVE, AT_SYMLINK_NOFOLLOW, 18 | OPEN_TREE_CLONE, OPEN_TREE_CLOEXEC, 19 | }; 20 | 21 | struct syscallentry syscall_open_tree = { 22 | .name = "open_tree", 23 | .num_args = 3, 24 | .arg1name = "dfd", 25 | .arg1type = ARG_FD, 26 | .arg2name = "filename", 27 | .arg2type = ARG_PATHNAME, 28 | .arg3name = "flags", 29 | .arg3type = ARG_OP, 30 | .arg3list = ARGLIST(open_tree_flags), 31 | }; 32 | -------------------------------------------------------------------------------- /ioctls/sisfb.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include