Syzos nv 210126 #6651
Merged
Syzos nv 210126 #6651
+172
−54
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ramosian-glider
force-pushed
the
syzos-nv-210126
branch
2 times, most recently
from
c0707a0 to
7313e97
Compare
Member
Author
|
PTAL |
ramosian-glider
force-pushed
the
syzos-nv-210126
branch
from
7313e97 to
1e98079
Compare
ramosian-glider
force-pushed
the
syzos-nv-210126
branch
2 times, most recently
from
216d954 to
fd23b7e
Compare
Provide visibility into expected vs. actual KVM exit reasons during assertion failures.
Refactor the SYZOS guest memory layout to decouple the dynamic page table allocator from the fixed system data structures (GDT, IDT, initial PML4). Previously, the page table pool was located at 0x5000, tightly packed with the initial system pages. This rigid structure made it difficult to expand the pool or inject configuration data without shifting fixed offsets. Move X86_SYZOS_ADDR_PT_POOL to 0x180000, creating a distinct high-memory region well above the L2 VCPU data, and increase the pool size to 64 pages (256KB) to support deeper nested hierarchies. Update the syz_kvm_setup_syzos_vm logic to handle non-contiguous Guest-to-Host address translation via a new get_host_pte_ptr() helper. This is necessary because the executor's host memory allocation remains strictly linear while the guest physical address space now contains significant gaps. This layout change is a prerequisite for enabling "SYZOS inside SYZOS" (L2 nesting), allowing the future injection of boot arguments into the gap created between fixed data and dynamic regions.
Introduce a dedicated page at X86_SYZOS_ADDR_BOOT_ARGS to pass
configuration data from the executor to the SYZOS guest. This will allow
dynamic adjustments to the guest environment, such as specifying memory
region sizes.
- Added `MEM_REGION_FLAG_REMAINING` to flag the last memory region, which
will consume the rest of the available guest memory.
- Defined `struct syzos_boot_args` to pass the memory region layout to the
guest.
- Modified `syzos_mem_regions`:
- Reduced X86_SYZOS_ADDR_VAR_IDT size to 10 pages.
- Inserted the new X86_SYZOS_ADDR_BOOT_ARGS region.
- Added a final region with MEM_REGION_FLAG_REMAINING.
- Updated `setup_vm` to:
- Calculate the size of the REMAINING region.
- Populate the `syzos_boot_args` structure in the boot args page.
- Updated `setup_pg_table` to use the REMAINING flag to map the last region.
The syz_kvm_assert_syzos_uexit$x86 function expects a 64-bit value for the exit code. Update the test cases to use 0xffffffffffffffff instead of 0xffffffff to reflect the -1 value used to indicate the end of the test.
Reserve a dedicated 4KB page at X86_SYZOS_ADDR_GLOBALS (0x17F000) to store global state shared across the SYZOS L1 guest environment. This region is required to store the state of the guest-side memory allocator (specifically the allocation offset and total size of the unused heap), enabling thread-safe dynamic memory allocation for nested L2 page tables.
Enable the SYZOS guest (L1) to dynamically allocate memory for nested L2 page tables, replacing the previous rigid static layout. Move the mem_region and syzos_boot_args struct definitions to the guest header (common_kvm_amd64_syzos.h) to allow the guest to parse the memory map injected by the host. Introduce a bump allocator, guest_alloc_page(), which targets the X86_SYZOS_ADDR_UNUSED heap. This allocator relies on a new struct syzos_globals located at X86_SYZOS_ADDR_GLOBALS to track the allocation offset. Refactor setup_l2_page_tables() to allocate intermediate paging levels (PDPT, PD, PT) via guest_alloc_page() instead of using fixed contiguous offsets relative to the PML4. This allows for disjoint memory usage and supports future recursion requirements.
ramosian-glider
force-pushed
the
syzos-nv-210126
branch
from
dae6e55 to
4466bd4
Compare
a-nogikh
approved these changes
Jan 26, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before sending a pull request, please review Contribution Guidelines:
https://github.com/google/syzkaller/blob/master/docs/contributing.md