Linux system call fuzzer
Clone or download
vinsonlee and kernelslacker Check if VIDIOC_RESERVED is defined.
VIDIOC_RESERVED was removed in Linux 4.19.

commit ea8532daee31bc72abfbc9ca7a43cbec0f6c05af
Author: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Date:   Wed May 30 11:07:05 2018 -0400

    media: videodev2: get rid of VIDIOC_RESERVED

    While this ioctl is there at least since Kernel 2.6.12-rc2, it
    was never used by any upstream driver.

    Get rid of it.

    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

This patch fixes this build error.

  CC	ioctls/videodev2.o
In file included from ioctls/videodev2.c:4:
ioctls/videodev2.c:8:8: error: ‘VIDIOC_RESERVED’ undeclared here (not in a function); did you mean ‘VIDIOC_G_STD’?
  IOCTL(VIDIOC_RESERVED),
        ^~~~~~~~~~~~~~~
include/ioctls.h:53:15: note: in definition of macro ‘IOCTL’
  { .request = _request, .name = #_request, }
               ^~~~~~~~

Signed-off-by: Vinson Lee <vlee@freedesktop.org>
Latest commit a5f32b9 Aug 23, 2018
Permalink
Failed to load latest commit information.
.deps Rework the dependancy generation. Jul 20, 2012
Documentation fd logging -> object logging Nov 28, 2017
childops move the 'are we done' check to the generic child code. Jun 23, 2017
fds memfd: fix build with glibc 2.27 Mar 13, 2018
include parisc-specific updates Apr 13, 2018
ioctls Check if VIDIOC_RESERVED is defined. Aug 27, 2018
mm convert map dump to use init_msgobjhdr Apr 4, 2017
net configure: fix build with kernel headers v4.17+ Jun 8, 2018
patches refresh patches Jun 16, 2015
rand replace __WORDSIZE with WORD_BIT Aug 22, 2017
scripts update hashes Oct 26, 2017
server Fix pthread undefined references Apr 2, 2018
syscalls parisc-specific updates Apr 13, 2018
tools update netlink protocols Jul 12, 2017
.gitignore generate the version string at make time, instead of configure time. Jul 10, 2014
COPYING Fix the header. oops. Jun 11, 2012
Makefile trinity: Add support for runtime_instr svc Feb 18, 2018
README update some documentation regarding logging Sep 18, 2017
arg-decoder.c log.c->output.c log.h->arg-decoder.h Feb 22, 2017
blockdevs.c nr_blockdevs can't be negative Jun 30, 2015
child.c reinstate the log-to-file code for now. Sep 9, 2017
configure configure: fix build with kernel headers v4.17+ Jun 8, 2018
debug.c reinstate the log-to-file code for now. Sep 9, 2017
devices.c move output() and friends to trinity.h Feb 22, 2017
ftrace.c fix some ftrace resource leaks Mar 24, 2017
generate-args.c make iovec's with a single element half the time Feb 27, 2017
kcov.c Add initial support for kcov functionality. Aug 9, 2016
locks.c don't spin on locks if we've already finished. May 2, 2017
log-files.c Fix up null ptr deref when no -l arg. Sep 23, 2017
log.c reinstate the log-to-file code for now. Sep 9, 2017
main.c trinity: check pidstatfile before fclose Jun 8, 2018
objects.c copy the ->dump method into the child object header Apr 26, 2017
output.c short-circuit log handle discovery if logging disabled Mar 13, 2018
params.c update some documentation regarding logging Sep 18, 2017
pathnames.c pathnames: add missing nftw defines Aug 22, 2017
pids.c fix off-by-one in dump_childnos() Apr 16, 2017
post-mortem.c move output() and friends to trinity.h Feb 22, 2017
results.c remove duplicate get_argval function Aug 18, 2016
shm.c reinstate the log-to-file code for now. Sep 9, 2017
signals.c pass the signal from the sighandler using siglongjmp instead of globa… Jul 29, 2016
stats.c move output() and friends to trinity.h Feb 22, 2017
syscall.c document why we take that rec->lock in the extrafork path Dec 19, 2017
sysv-shm.c remove a bunch of bogus __unused__ attributes Apr 26, 2017
tables-biarch.c remove old debug leftover Jun 12, 2017
tables-uniarch.c fix memory corruption in tables-uniarch:log_enabled_syscalls_uniarch Apr 21, 2017
tables.c get_syscall_entry: remove SYSCALL_OFFSET Jun 29, 2017
taint.c micro-optimize the 'became tainted' case. Mar 21, 2017
trinity.1 update some documentation regarding logging Sep 18, 2017
trinity.c reinstate the log-to-file code for now. Sep 9, 2017
udp.c reinstate the log-to-file code for now. Sep 9, 2017
uid.c move output() and friends to trinity.h Feb 22, 2017
utils.c move output() and friends to trinity.h Feb 22, 2017

README

Trinity: Linux system call fuzzer.

	"After the initial euphoria of witnessing the explosion had passed, test
	 director Kenneth Bainbridge commented to Los Alamos director J. Robert
	 Oppenheimer, "Now we are all sons of bitches."   Oppenheimer later stated
	 that while watching the test he was reminded of a line from the Hindu
	 scripture the Bhagavad Gita:

		Now I am become Death, the destroyer of worlds."


#######################################################################

WARNINGS:
* This program may seriously corrupt your files, including any of those
  that may be writable on mounted network file shares.  It may create network
  packets that may cause disruption on your local network.

* Trinity may generate the right selection of syscalls to start sending random network
  packets to other hosts. While every effort is made to restrict this to IP addresses
  on local lans, multicast & broadcast, care should be taken to not allow the
  packets it generates to go out onto the internet.

  Run at your own risk.


#######################################################################

System call fuzzers aren't a particularly new idea.   As far back as 1991,
people have written apps that bomb syscall inputs with garbage data,
that have had a variety of success in crashing assorted operating systems.

After fixing the obvious dumb bugs however, a majority of the time
these calls will just by rejected by the kernel very near the beginning
of their function entry point as basic parameter validation is performed.

Trinity is a system call fuzzer which employs some techniques to
pass semi-intelligent arguments to the syscalls being called.

The intelligence features include:

- If a system call expects a certain datatype as an argument
  (for example a file descriptor) it gets passed one.
  This is the reason for the slow initial startup, as it generates a
  list of fd's of files it can read from /sys, /proc and /dev
  and then supplements this with fd's for various network protocol sockets.
  (Information on which protocols succeed/fail is cached on the first run,
   greatly increasing the speed of subsequent runs).

- If a system call only accepts certain values as an argument,
  (for example a 'flags' field), trinity has a list of all the valid
  flags that may be passed.
  Just to throw a spanner in the works, occasionally, it will bitflip
  one of the flags, just to make things more interesting.

- If a system call only takes a range of values, the random value
  passed is biased to usually fit within that range.


Trinity logs it's output to a files (1 for each child process), and fsync's
the files before it actually makes the system call. This way, should you trigger
something which panics the kernel, you should be able to find out exactly what
happened by examining the log.

There are several test harnesses provided (test-*.sh), which run trinity in
various modes and takes care of things like cpu affinity, and makes sure it runs from the
tmp directory. (Handy for cleaning up any garbage named files; just rm -rf tmp afterwards)

######### options ###############################################

 --quiet/-q: reduce verbosity.
   Specify once to not output register values, or twice to also suppress syscall count.

 --verbose: increase verbosity.

 -D: Debug mode.
     This is useful for catching core dumps if trinity is segfaulting, as by default
     the child processes ignore those signals.

 -sN: use N as random seed.  (Omitting this uses time of day as a seed).
  Note: There are currently a few bugs that mean no two runs are necessary 100%
  identical with the same seed. See the TODO for details.

 --kernel_taint/-T: controls which kernel taint flags should be considered.
	The following flag names are supported: PROPRIETARY_MODULE, FORCED_MODULE, UNSAFE_SMP,
	FORCED_RMMOD, MACHINE_CHECK, BAD_PAGE, USER, DIE, OVERRIDDEN_ACPI_TABLE, WARN, CRAP,
	FIRMWARE_WORKAROUND, and OOT_MODULE. For instance, to set trinity to monitor only BAD,
	WARN and MACHINE_CHECK flags one should specify "-T BAD,WARN,MACHINE_CHECK" parameter.

 --list/-L: list known syscalls and their offsets

 --proto/-P: For network sockets, only use a specific packet family.

 --victims/-V: Victim file/dirs.  By default, on startup trinity tree-walks /dev, /sys and /proc.
     Using this option you can specify a different path.
     (Currently limited to just one path)

 -p: Pause after making a syscall

 --children/-C: Number of child processes.

 -x: Exclude a syscall from being called.  Useful when there's a known kernel bug
     you keep hitting that you want to avoid.
     Can be specified multiple times.

 -cN: do syscall N with random inputs.
     Good for concentrating on a certain syscall, if for eg, you just added one.
     Can be specified multiple times.

 --group/-g
   Used to specify enabling a group of syscalls. Current groups defined are 'vm' and 'vfs'.

 --logging/-l <arg>
  off: This disables logging to files. Useful if you have a serial console, though you
         will likely lose any information about what system call was being called,
         what maps got set up etc. Does make things go considerably faster however,
         as it no longer fsync()'s after every syscall
  <hostname> : sends packets over udp to a trinity server running on another host.
         Note: Still in development. Enabling this feature disables log-to-file.
  <dir> : Specify a directory where trinity will dump its log files.

 --ioctls/-I will dump all available ioctls.

 --arch/-a Explicit selection of 32 or 64 bit variant of system calls.

#######################################################################

Examples:
./trinity -c splice
Stress test the splice syscall

./trinity -x splice
Call every syscall except for splice.

./trinity -qq -l off -C16
Turn off logging, and suppress most output to run as fast as possible. Use 16 child processes


#######################################################################

Development discussion of trinity occurs at trinity@vger.kernel.org
As with all vger mailing lists, subscribe by sending 'subscribe trinity'
in the body of a mail to majordomo@vger.kernel.org

######### Links to similar projects ####################################

= tsys - 1991.
  http://groups.google.com/groups?q=syscall+crashme&hl=en&lr=&ie=UTF-8&selm=1991Sep20.232550.5013%40smsc.sony.com&rnum=1

= iknowthis
  http://iknowthis.googlecode.com
  Fuzzer by Tavis Ormandy with very similar goals to this project.

= sysfuzz
  basic fuzzer by Ilja van Sprundel
  mentioned in http://events.ccc.de/congress/2005/fahrplan/attachments/683-slides_fuzzing.pdf
  http://leetupload.com/dbindex2/index.php?dir=Linux/&file=sysfuzz.tar.gz

= xnufuzz
  https://github.com/fintler/xnufuzz/tree/
  basic fuzzer for XNU.  Looks to be based on Ilja's sysfuzz.

= kg_crashme / ak_crashme / dj_crashme
  Kurt Garloff wrote a fuzzer similar to Ilja's sysfuzz in 2003.
  The ak / dj variants were improvements added by Andi Kleen, and Dave Jones.