github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/pkg/flatrpc/flatrpc.fbs (about) 1 // Copyright 2024 syzkaller project authors. All rights reserved. 2 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 3 4 namespace rpc; 5 6 // Various consts shared between Go and C++ code. 7 enum Const : uint64 { 8 MaxInputSize = 4198400, // 4<<20 + 4<<10 9 MaxOutputSize = 14680064, // 14<<20 10 SnapshotShmemSize = 33554432, // Must be power-of-2 and >=MaxInputSize+MaxOutputSize 11 SnapshotDoorbellSize = 4096, // 4<<10 12 } 13 14 enum Feature : uint64 (bit_flags) { 15 Coverage, 16 Comparisons, 17 ExtraCoverage, 18 DelayKcovMmap, 19 KcovResetIoctl, 20 SandboxNone, 21 SandboxSetuid, 22 SandboxNamespace, 23 SandboxAndroid, 24 Fault, 25 Leak, 26 NetInjection, 27 NetDevices, 28 KCSAN, 29 DevlinkPCI, 30 NicVF, 31 USBEmulation, 32 VhciInjection, 33 WifiEmulation, 34 LRWPANEmulation, // 802.15.4 standard 35 BinFmtMisc, 36 Swap, 37 } 38 39 table ConnectHelloRaw { 40 cookie :uint64; 41 } 42 43 table ConnectRequestRaw { 44 cookie :uint64; 45 id :int64; 46 arch :string; 47 git_revision :string; 48 syz_revision :string; 49 } 50 51 table ConnectReplyRaw { 52 debug :bool; 53 cover :bool; 54 cover_edges :bool; 55 kernel_64_bit :bool; 56 procs :int32; 57 slowdown :int32; 58 syscall_timeout_ms :int32; 59 program_timeout_ms :int32; 60 leak_frames :[string]; 61 race_frames :[string]; 62 // Fuzzer sets up these features and returns results in InfoRequest.features. 63 features :Feature; 64 // Fuzzer reads these files inside of the VM and returns contents in InfoRequest.files. 65 files :[string]; 66 } 67 68 table InfoRequestRaw { 69 error :string; 70 features :[FeatureInfoRaw]; 71 files :[FileInfoRaw]; 72 } 73 74 table InfoReplyRaw { 75 cover_filter :[uint64]; 76 } 77 78 table FileInfoRaw { 79 name :string; 80 exists :bool; 81 error :string; 82 data :[uint8]; 83 } 84 85 table GlobInfoRaw { 86 name :string; 87 files :[string]; 88 } 89 90 table FeatureInfoRaw { 91 id :Feature; 92 need_setup :bool; 93 reason :string; 94 } 95 96 // Messages sent from the host to the executor. 97 union HostMessagesRaw { 98 ExecRequest :ExecRequestRaw, 99 SignalUpdate :SignalUpdateRaw, 100 CorpusTriaged :CorpusTriagedRaw, 101 StateRequest :StateRequestRaw, 102 } 103 104 table HostMessageRaw { 105 msg :HostMessagesRaw; 106 } 107 108 // Messages sent from the executor to the host. 109 union ExecutorMessagesRaw { 110 ExecResult :ExecResultRaw, 111 Executing :ExecutingMessageRaw, 112 State :StateResultRaw, 113 } 114 115 table ExecutorMessageRaw { 116 msg :ExecutorMessagesRaw; 117 } 118 119 enum RequestType : uint64 { 120 // Normal test program request (data contains serialized prog.Prog). 121 Program, 122 // Binary test program (data contains compiled executable binary). 123 Binary, 124 // Request for file glob expansion (data contains the glob pattern). 125 Glob, 126 } 127 128 enum RequestFlag : uint64 (bit_flags) { 129 // If set, collect program output and return in output field. 130 ReturnOutput, 131 // If set, don't fail on program failures, instead return the error in error field. 132 ReturnError, 133 } 134 135 // Note: New / changed flags should be added to parse_env_flags in executor.cc. 136 enum ExecEnv : uint64 (bit_flags) { 137 Debug, // debug output from executor 138 Signal, // collect feedback signals (coverage) 139 ReadOnlyCoverage, // map coverage as readonly, use an ioctl to reset it 140 ResetState, // fully reset executor state befor executing the test 141 SandboxNone, // minimal sandboxing 142 SandboxSetuid, // impersonate nobody user 143 SandboxNamespace, // use namespaces for sandboxing 144 SandboxAndroid, // use Android sandboxing for the untrusted_app domain 145 ExtraCover, // collect extra coverage 146 EnableTun, // setup and use /dev/tun for packet injection 147 EnableNetDev, // setup more network devices for testing 148 EnableNetReset, // reset network namespace between programs 149 EnableCgroups, // setup cgroups for testing 150 EnableCloseFds, // close fds after each program 151 EnableDevlinkPCI, // setup devlink PCI device 152 EnableVhciInjection, // setup and use /dev/vhci for hci packet injection 153 EnableWifi, // setup and use mac80211_hwsim for wifi emulation 154 DelayKcovMmap, // manage kcov memory in an optimized way 155 EnableNicVF, // setup NIC VF device 156 } 157 158 enum ExecFlag : uint64 (bit_flags) { 159 CollectSignal, // collect feedback signals 160 CollectCover, // collect coverage 161 DedupCover, // deduplicate coverage in executor 162 CollectComps, // collect KCOV comparisons 163 Threaded, // use multiple threads to mitigate blocked syscalls 164 } 165 166 struct ExecOptsRaw { 167 // Changing exec_flags between executions does not cause executor process restart. 168 // Changing env_flags/sandbox_arg does cause process restart. 169 env_flags :ExecEnv; 170 exec_flags :ExecFlag; 171 sandbox_arg :int64; 172 } 173 174 // Request to execute a test program. 175 table ExecRequestRaw { 176 id :int64; 177 type :RequestType; 178 // Bitmask of procs to avoid when executing this request, if possible. 179 avoid :uint64; 180 data :[uint8]; 181 exec_opts :ExecOptsRaw; 182 flags :RequestFlag; 183 // Return all signal for these calls. 184 all_signal :[int32]; 185 } 186 187 table SignalUpdateRaw { 188 new_max :[uint64]; 189 } 190 191 // This message serves as a signal that the corpus was triaged and the fuzzer 192 // can start activities that only make sense after corpus triage 193 // (leak checking, restarting procs, etc). 194 table CorpusTriagedRaw { 195 } 196 197 table StateRequestRaw { 198 } 199 200 // Notification from the executor that it started executing the program 'id'. 201 // We want this request to be as small and as fast as possible b/c we need it 202 // to reach the host (or at least leave the VM) before the VM crashes 203 // executing this program. 204 table ExecutingMessageRaw { 205 id :int64; 206 proc_id :int32; 207 try :int32; 208 // How long proc waited to receive the request (ns). 209 wait_duration :int64; 210 } 211 212 enum CallFlag : uint8 (bit_flags) { 213 Executed, // was started at all 214 Finished, // finished executing (rather than blocked forever) 215 Blocked, // finished but blocked during execution 216 FaultInjected, // fault was injected into this call 217 CoverageOverflow, // coverage buffer has overflowed so we have truncated coverage 218 } 219 220 table CallInfoRaw { 221 flags :CallFlag; 222 // Call errno (0 if the call was successful). 223 error :int32; 224 // Feedback signal, filled if ExecFlag.CollectSignal is set. 225 signal :[uint64]; 226 // Code coverage, filled if ExecFlag.CollectCover is set. 227 // If ExecFlag.DedupCover is set, then duplicates are removed, otherwise it contains a trace. 228 cover :[uint64]; 229 // Comparison operands. 230 comps :[ComparisonRaw]; 231 } 232 233 struct ComparisonRaw { 234 pc :uint64; 235 op1 :uint64; 236 op2 :uint64; 237 // If is_const is set, op2 was a source code const (could not come from the input), 238 // otherwise both operands were dynamic and could come from the input. 239 is_const :bool; 240 } 241 242 table ProgInfoRaw { 243 calls :[CallInfoRaw]; 244 // Contains signal and cover collected from background threads. 245 // The raw version is exported by executor, and them merged into extra on the host. 246 extra_raw :[CallInfoRaw]; 247 extra :CallInfoRaw; 248 // Total execution time of the program in nanoseconds. 249 elapsed :uint64; 250 // Number of programs executed in the same process before this one. 251 freshness :uint64; 252 } 253 254 // Result of executing a test program. 255 table ExecResultRaw { 256 id :int64; 257 proc :int32; 258 output :[uint8]; 259 // The program has hanged and we were not able to properly join it. 260 // So in some sense it's still running (e.g. can trigger a delayed kernel hang report). 261 hanged :bool; 262 error :string; 263 info :ProgInfoRaw; 264 } 265 266 table StateResultRaw { 267 data :[uint8]; 268 } 269 270 // SnapshotState is used for synchronization between host/target parts during snapshot execution. 271 enum SnapshotState : uint64 { 272 // Initial 0 state. 273 Initial, 274 // Host wrote handshake request data and is ready to take snapshot. 275 Handshake, 276 // Target received handshake request and is ready to be snapshotted. 277 Ready, 278 // Host has taken snapshot. 279 Snapshotted, 280 // Host wrote request data and resumed the target from snapshot. 281 Execute, 282 // Target has finished executing a request and is ready to be reset. 283 Executed, 284 // Target has failed to execute a request. 285 Failed, 286 } 287 288 // SnapshotHeader is located at the beginning of the snapshot output shared memory region. 289 table SnapshotHeader { 290 state :SnapshotState; 291 // Offset and size of the output data after program execution. 292 output_offset :uint32; 293 output_size :uint32; 294 } 295 296 table SnapshotHandshake { 297 cover_edges :bool; 298 kernel_64_bit :bool; 299 slowdown :int32; 300 syscall_timeout_ms :int32; 301 program_timeout_ms :int32; 302 features :Feature; 303 env_flags :ExecEnv; 304 sandbox_arg :int64; 305 } 306 307 table SnapshotRequest { 308 exec_flags :ExecFlag; 309 num_calls :int32; 310 all_call_signal :uint64; 311 all_extra_signal :bool; 312 prog_data :[uint8]; 313 }