| # Copyright 2018 syzkaller project authors. All rights reserved. |
| # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. |
| |
| # For fuzzing with qemu you need to enable cdrom option and provide an iso image. |
| # For example: in "vm" section of syzkaller configuration |
| # "vm" : { |
| # ... |
| # "cmdline": " -cdrom /.../ubuntu-18.04-desktop-amd64.iso " |
| # } |
| # In the kernel CONFIG_CDROM should be enabled. |
| # |
| # For more effective fuzzing one might want to disable |
| # CDROMEJECT && CDROMEJECT_SW. |
| # "disable_syscalls" : [ "ioctl$CDROMEJECT*" ] |
| |
| include <linux/cdrom.h> |
| include <uapi/linux/cdrom.h> |
| |
| resource fd_cdrom[fd] |
| |
| syz_open_dev$CDROM_DEV_LINK(dev ptr[in, string["/dev/cdrom"]], id intptr, flags flags[open_flags]) fd_cdrom |
| |
| ioctl$CDROMPAUSE(fd fd_cdrom, cmd const[CDROMPAUSE]) |
| ioctl$CDROMRESUME(fd fd_cdrom, cmd const[CDROMRESUME]) |
| ioctl$CDROMPLAYMSF(fd fd_cdrom, cmd const[CDROMPLAYMSF], arg ptr[in, cdrom_msf]) |
| ioctl$CDROMPLAYTRKIND(fd fd_cdrom, cmd const[CDROMPLAYTRKIND], arg ptr[in, cdrom_ti]) |
| ioctl$CDROMREADTOCHDR(fd fd_cdrom, cmd const[CDROMREADTOCHDR], arg ptr[inout, cdrom_tochdr]) |
| ioctl$CDROMREADTOCENTRY(fd fd_cdrom, cmd const[CDROMREADTOCENTRY], arg ptr[inout, cdrom_tocentry]) |
| ioctl$CDROMSTOP(fd fd_cdrom, cmd const[CDROMSTOP]) |
| ioctl$CDROMSTART(fd fd_cdrom, cmd const[CDROMSTART]) |
| ioctl$CDROMEJECT(fd fd_cdrom, cmd const[CDROMEJECT]) |
| ioctl$CDROMVOLCTRL(fd fd_cdrom, cmd const[CDROMVOLCTRL], arg ptr[in, cdrom_volctrl]) |
| ioctl$CDROMSUBCHNL(fd fd_cdrom, cmd const[CDROMSUBCHNL], arg ptr[inout, cdrom_subchnl]) |
| ioctl$CDROMREADMODE2(fd fd_cdrom, cmd const[CDROMREADMODE2], arg ptr[in, cdrom_msf_out_stub]) |
| ioctl$CDROMREADMODE1(fd fd_cdrom, cmd const[CDROMREADMODE1], arg ptr[in, cdrom_msf_out_stub]) |
| ioctl$CDROMREADAUDIO(fd fd_cdrom, cmd const[CDROMREADAUDIO], arg ptr[in, cdrom_read_audio]) |
| ioctl$CDROMEJECT_SW(fd fd_cdrom, cmd const[CDROMEJECT_SW], arg boolptr) |
| ioctl$CDROMMULTISESSION(fd fd_cdrom, cmd const[CDROMMULTISESSION], arg ptr[inout, cdrom_multisession]) |
| ioctl$CDROM_GET_MCN(fd fd_cdrom, cmd const[CDROM_GET_MCN], arg ptr[out, cdrom_mcn]) |
| ioctl$CDROMRESET(fd fd_cdrom, cmd const[CDROMRESET]) |
| ioctl$CDROMVOLREAD(fd fd_cdrom, cmd const[CDROMVOLREAD], arg ptr[out, cdrom_volctrl]) |
| ioctl$CDROMREADRAW(fd fd_cdrom, cmd const[CDROMREADRAW], arg ptr[in, cdrom_msf_out_stub]) |
| |
| ioctl$CDROMREADCOOKED(fd fd_cdrom, cmd const[CDROMREADCOOKED], arg ptr[out, cdrom_output_buffer]) |
| ioctl$CDROMSEEK(fd fd_cdrom, cmd const[CDROMSEEK], arg ptr[in, cdrom_msf]) |
| |
| ioctl$CDROMPLAYBLK(fd fd_cdrom, cmd const[CDROMPLAYBLK], arg ptr[in, cdrom_blk]) |
| |
| ioctl$CDROMREADALL(fd fd_cdrom, cmd const[CDROMREADALL], arg ptr[out, cdrom_output_buffer]) |
| |
| ioctl$CDROMGETSPINDOWN(fd fd_cdrom, cmd const[CDROMGETSPINDOWN], arg int8) |
| ioctl$CDROMSETSPINDOWN(fd fd_cdrom, cmd const[CDROMSETSPINDOWN], arg int8) |
| |
| ioctl$CDROMCLOSETRAY(fd fd_cdrom, cmd const[CDROMCLOSETRAY]) |
| |
| ioctl$CDROM_SET_OPTIONS(fd fd_cdrom, cmd const[CDROM_SET_OPTIONS], arg flags[cdrom_options]) |
| ioctl$CDROM_CLEAR_OPTIONS(fd fd_cdrom, cmd const[CDROM_CLEAR_OPTIONS], arg flags[cdrom_options]) |
| ioctl$CDROM_SELECT_SPEED(fd fd_cdrom, cmd const[CDROM_SELECT_SPEED], speed int64) |
| ioctl$CDROM_SELECT_DISK(fd fd_cdrom, cmd const[CDROM_SELECT_SPEED], disk int64) |
| ioctl$CDROM_MEDIA_CHANGED(fd fd_cdrom, cmd const[CDROM_MEDIA_CHANGED], slot int64) |
| ioctl$CDROM_DISC_STATUS(fd fd_cdrom, cmd const[CDROM_DISC_STATUS]) |
| ioctl$CDROM_CHANGER_NSLOTS(fd fd_cdrom, cmd const[CDROM_CHANGER_NSLOTS]) |
| ioctl$CDROM_LOCKDOOR(fd fd_cdrom, cmd const[CDROM_LOCKDOOR], lock boolptr) |
| ioctl$CDROM_DEBUG(fd fd_cdrom, cmd const[CDROM_DEBUG], debug boolptr) |
| ioctl$CDROM_GET_CAPABILITY(fd fd_cdrom, cmd const[CDROM_GET_CAPABILITY]) |
| |
| ioctl$CDROMAUDIOBUFSIZ(fd fd_cdrom, cmd const[CDROMAUDIOBUFSIZ], val int32) |
| |
| ioctl$DVD_READ_STRUCT(fd fd_cdrom, cmd const[DVD_READ_STRUCT], arg ptr[inout, dvd_struct]) |
| ioctl$DVD_WRITE_STRUCT(fd fd_cdrom, cmd const[DVD_READ_STRUCT], arg ptr[in, dvd_struct]) |
| ioctl$DVD_AUTH(fd fd_cdrom, cmd const[DVD_READ_STRUCT], arg ptr[inout, dvd_authinfo]) |
| |
| ioctl$CDROM_SEND_PACKET(fd fd_cdrom, cmd const[CDROM_SEND_PACKET], arg ptr[inout, cdrom_generic_command]) |
| |
| ioctl$CDROM_NEXT_WRITABLE(fd fd_cdrom, cmd const[CDROM_NEXT_WRITABLE], arg ptr[out, int64]) |
| ioctl$CDROM_LAST_WRITTEN(fd fd_cdrom, cmd const[CDROM_LAST_WRITTEN], arg ptr[out, int64]) |
| |
| cdrom_output_buffer { |
| reserved array[int8, CD_FRAMESIZE_RAWER] |
| } |
| |
| cdrom_msf { |
| cdmsf_min0 int8 |
| cdmsf_sec0 int8 |
| cdmsf_frame0 int8 |
| cdmsf_min1 int8 |
| cdmsf_sec1 int8 |
| cdmsf_frame1 int8 |
| } |
| |
| cdrom_msf_out_stub { |
| cdmsf_min0 int8 |
| cdmsf_sec0 int8 |
| cdmsf_frame0 int8 |
| cdmsf_min1 int8 |
| cdmsf_sec1 int8 |
| cdmsf_frame1 int8 |
| reserved array[const[0, int8], CDROM_MSF_OUT_STUB_SIZE] |
| } |
| |
| cdrom_ti { |
| cdti_trk0 int8 |
| cdti_int0 int8 |
| cdti_trk1 int8 |
| cdti_ind1 int8 |
| } |
| |
| cdrom_tochdr { |
| cdth_trk0 int8 |
| cdth_trk1 int8 |
| } |
| |
| cdrom_tocentry { |
| cdte_track int8 |
| cdte_adr int8:4 |
| cdte_ctrl int8:4 |
| cdte_format flags[cdrom_format, int8] |
| cdte_addr cdrom_addr |
| cdte_datamode int8 |
| } |
| |
| cdrom_addr [ |
| msf cdrom_msf0 |
| lba int32 |
| ] |
| |
| cdrom_msf0 { |
| minute int8 |
| second int8 |
| frame int8 |
| } |
| |
| cdrom_read_audio { |
| addr cdrom_addr |
| addr_format flags[cdrom_format, int8] |
| nframes bytesize[buf, int32] |
| buf ptr[out, array[int8, 1:CD_FRAMES]] |
| } |
| |
| cdrom_volctrl { |
| channel0 int8 |
| channel1 int8 |
| channel2 int8 |
| channel3 int8 |
| } |
| |
| cdrom_subchnl { |
| cdsc_format flags[cdrom_format, int8] |
| cdsc_audiostatus int8 |
| cdsc_adr int8:4 |
| cdsc_ctrl int8:4 |
| cdsc_trk int8 |
| cdsc_ind int8 |
| cdsc_absaddr cdrom_addr |
| cdsc_reladdr cdrom_addr |
| } |
| |
| cdrom_multisession { |
| addr cdrom_addr |
| xa_flag bool8 |
| addr_format flags[cdrom_format, int8] |
| } |
| |
| cdrom_mcn { |
| medium_catalog_number array[int8, 14] |
| } |
| |
| cdrom_blk { |
| from int32 |
| len int16 |
| } |
| |
| dvd_struct [ |
| type flags[dvd_struct_type, int8] |
| |
| physical dvd_physical |
| copyright dvd_copyright |
| disckey dvd_disckey |
| bca dvd_bca |
| manufact dvd_manufact |
| ] |
| |
| dvd_physical { |
| type const[DVD_STRUCT_PHYSICAL, int8] |
| layer_num int8[0:3] |
| layer array[dvd_layer, DVD_LAYERS] |
| } |
| |
| dvd_layer { |
| book_version int8:4 |
| book_type int8:4 |
| min_rate int8:4 |
| disc_size int8:4 |
| layer_type int8:4 |
| track_path int8:1 |
| nlayers int8:2 |
| track_density int8:4 |
| linear_density int8:4 |
| bca int8:1 |
| start_sector int32 |
| end_sector int32 |
| end_sector_l0 int32 |
| } |
| |
| dvd_copyright { |
| type const[DVD_STRUCT_COPYRIGHT, int8] |
| |
| layer_num int8[0:3] |
| cpst int8 |
| rmi int8 |
| } |
| |
| dvd_disckey { |
| type const[DVD_STRUCT_DISCKEY, int8] |
| |
| agid int32:2 |
| value array[int8, 2048] |
| } |
| |
| dvd_bca { |
| type const[DVD_STRUCT_BCA, int8] |
| |
| len len[value, int32] |
| value array[int8, 188] |
| } |
| |
| dvd_manufact { |
| type const[DVD_STRUCT_MANUFACT, int8] |
| |
| layer_num int8[0:3] |
| len len[value, int32] |
| value array[int8, 2048] |
| } |
| |
| dvd_authinfo [ |
| type flags[dvd_authinfo_type, int8] |
| |
| lsa dvd_lu_send_agid |
| hsc dvd_host_send_challenge |
| lsk dvd_send_key |
| lsc dvd_lu_send_challenge |
| hsk dvd_send_key |
| lstk dvd_lu_send_title_key |
| lsasf dvd_lu_send_asf |
| hrpcs dvd_host_send_rpcstate |
| lrpcs dvd_lu_send_rpcstate |
| ] |
| |
| type dvd_key array[int8, 5] |
| type dvd_challenge array[int8, 10] |
| |
| dvd_lu_send_agid { |
| type const[DVD_LU_SEND_AGID, int8] |
| agid int32:2 |
| } |
| |
| dvd_host_send_challenge { |
| type const[DVD_HOST_SEND_CHALLENGE, int8] |
| agid int32:2 |
| |
| chal dvd_challenge |
| } |
| |
| dvd_send_key_type = DVD_LU_SEND_KEY1, DVD_HOST_SEND_KEY2 |
| |
| dvd_send_key { |
| type flags[dvd_send_key_type, int8] |
| agid int32:2 |
| |
| key dvd_key |
| } |
| |
| dvd_lu_send_challenge { |
| type const[DVD_LU_SEND_CHALLENGE, int8] |
| agid int32:2 |
| |
| chal dvd_challenge |
| } |
| |
| dvd_lu_send_title_key { |
| type const[DVD_LU_SEND_TITLE_KEY, int8] |
| agid int32:2 |
| |
| title_key dvd_key |
| lba int32 |
| cpm int32:1 |
| cp_sec int32:1 |
| cgms int32:2 |
| } |
| |
| dvd_lu_send_asf { |
| type const[DVD_LU_SEND_ASF, int8] |
| agid int32:2 |
| |
| asf int32:1 |
| } |
| |
| dvd_host_send_rpcstate { |
| type const[DVD_HOST_SEND_RPC_STATE, int8] |
| pdrc int8 |
| } |
| |
| dvd_lu_send_rpcstate { |
| type int8:2 |
| vra int8:3 |
| ucca int8:3 |
| region_mask int8 |
| rpc_scheme int8 |
| } |
| |
| cdrom_generic_command { |
| cmd array[int8, CDROM_PACKET_SIZE] |
| buffer ptr[inout, array[int8]] |
| buflen len[buffer, int32] |
| stat int32 |
| sense ptr[inout, request_sense] |
| data_direction flags[cdrom_data_direction, int8] |
| quiet int32 |
| timeout int32 |
| reserved ptr[out, array[intptr, 1]] |
| } |
| |
| request_sense { |
| valid_err_code int8 |
| segment_number int8 |
| ili_sense_key int8 |
| information array[int8, 4] |
| add_sense_len int8 |
| command_info array[int8, 4] |
| asc int8 |
| ascq int8 |
| fruc int8 |
| sks array[int8, 3] |
| asb array[int8, 46] |
| } |
| |
| cdrom_options = CDO_AUTO_CLOSE, CDO_AUTO_EJECT, CDO_USE_FFLAGS, CDO_LOCK, CDO_CHECK_TYPE |
| cdrom_format = CDROM_MSF, CDROM_LBA |
| dvd_struct_type = DVD_STRUCT_PHYSICAL, DVD_STRUCT_COPYRIGHT, DVD_STRUCT_DISCKEY, DVD_STRUCT_BCA, DVD_STRUCT_MANUFACT |
| dvd_authinfo_type = DVD_LU_SEND_AGID, DVD_LU_SEND_KEY1, DVD_LU_SEND_CHALLENGE, DVD_LU_SEND_TITLE_KEY, DVD_LU_SEND_ASF, DVD_HOST_SEND_CHALLENGE, DVD_HOST_SEND_KEY2, DVD_INVALIDATE_AGID, DVD_LU_SEND_RPC_STATE, DVD_LU_SEND_RPC_STATE |
| cdrom_data_direction = CGC_DATA_UNKNOWN, CGC_DATA_WRITE, CGC_DATA_READ, CGC_DATA_NONE |
| |
| define CDROM_MSF_OUT_STUB_SIZE CD_FRAMESIZE_RAWER-6 |