[google/syzkaller] f21a95: executor: implement L2 memory mirroring and dynami...


Alexander Potapenko

Feb 9, 2026, 4:44:16 AM
to syzk...@googlegroups.com
Branch: refs/heads/gh-readonly-queue/master/pr-6737-4c131dc4b96f069f4177bf6cdd08431aaf9add88
Home: https://github.com/google/syzkaller
Commit: f21a95cd9e1026a7a7e358ce594ae8ff1ce0c056
https://github.com/google/syzkaller/commit/f21a95cd9e1026a7a7e358ce594ae8ff1ce0c056
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm_amd64.h
M executor/common_kvm_amd64_syzos.h

Log Message:
-----------
executor: implement L2 memory mirroring and dynamic code loading

Refactor the SYZOS L1 guest to construct L2 page tables dynamically by
mirroring its own memory layout (provided via boot arguments) instead
of using a static 2MB identity map.

This change introduces l2_map_page to allocate unique backing memory
for most regions, while mapping X86_SYZOS_ADDR_USER_CODE and
X86_SYZOS_ADDR_STACK_BOTTOM to specific per-VM buffers reserved in L1.

This allows L1 to inject code and stack content into backing buffers
while the L2 guest executes them from standard virtual addresses.

Additionally, MEM_REGION_FLAG_* definitions are moved to the guest
header to support this logic.


Commit: 64ff670b4316a5d851373786045cecbbfe0cf3fd
https://github.com/google/syzkaller/commit/64ff670b4316a5d851373786045cecbbfe0cf3fd
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M Makefile

Log Message:
-----------
Makefile: fix format_cpp

`git ls-files *.h *.c *.cc *.cpp` misbehaves if there are files in the
project root matching the wildcards.
Use single quotes to escape them.


Commit: 3011de391e748b4807ba641400640ee577a1319f
https://github.com/google/syzkaller/commit/3011de391e748b4807ba641400640ee577a1319f
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm.h
M executor/common_kvm_syzos.h

Log Message:
-----------
executor: introduce force_inline

Turned out executor_fn_guest_addr() was not inlined when building
the reproducers with -O0, so the guest code crashed.


Commit: 91d686647eca17c731c837e1f1b817e8a61ddb6a
https://github.com/google/syzkaller/commit/91d686647eca17c731c837e1f1b817e8a61ddb6a
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/kvm.h

Log Message:
-----------
executor: fix the definition of X86_CR4_OSFXSR

X86_CR4_OSFXSR is 1<<9 according to
https://wiki.osdev.org/CPU_Registers_x86


Commit: 168b436f204a8cae6542d42542e18cc1197ac5b2
https://github.com/google/syzkaller/commit/168b436f204a8cae6542d42542e18cc1197ac5b2
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm_amd64.h

Log Message:
-----------
executor: enable X86_EFER_SVME for AMD

When setting up the L1 guest, execute CPUID and enable X86_EFER_SVME for
AMD CPUs.


Commit: dcd3f1a34151f50991c29aa21677ba6f09159da8
https://github.com/google/syzkaller/commit/dcd3f1a34151f50991c29aa21677ba6f09159da8
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm.h

Log Message:
-----------
executor: fix ifdefs for executor_fn_guest_addr()

Make sure executor_fn_guest_addr() is defined when
__NR_syz_kvm_assert_syzos_uexit is.


Commit: d36c2ba14701aaa8b613b9babb65720a9b510bf9
https://github.com/google/syzkaller/commit/d36c2ba14701aaa8b613b9babb65720a9b510bf9
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm_amd64.h
M executor/common_kvm_amd64_syzos.h
M executor/kvm.h
M sys/linux/dev_kvm_amd64.txt

Log Message:
-----------
executor: sys/linux: Implement nested SYZOS loading

This commit introduces the `SYZOS_API_NESTED_LOAD_SYZOS` command to
enable running full SYZOS programs within a nested L2 guest, enhancing
fuzzing capabilities for nested virtualization.

Key changes include:
- Nested SYZOS Execution: The new command loads a SYZOS program into an
L2 VM, setting up its execution environment.
- ABI Refinement: Program size is now passed via the shared `syzos_globals`
memory region instead of registers, standardizing the ABI for L1 and L2.
- L2 State Management: Improved saving and restoring of L2 guest GPRs
across VM-exits using inline assembly wrappers for Intel and AMD.
- Nested UEXIT Propagation: Intercepts EPT/NPT faults on the exit page to
capture the L2 exit code from saved registers and forward it to L0 with
an incremented nesting level.
- L2 Memory Management: Updates to L2 page table setup, including skipping
NO_HOST_MEM regions to force exits, and a new `l2_gpa_to_pa` helper.


Commit: d733ce389c3287808dd15952c6aa481021110196
https://github.com/google/syzkaller/commit/d733ce389c3287808dd15952c6aa481021110196
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
M executor/common_kvm_amd64.h
M executor/common_kvm_amd64_syzos.h
M executor/kvm.h

Log Message:
-----------
executor: rework L1 segment setup in SYZOS

This commit corrects the GDT setup for the data and TSS segments in L1.
Previously, the data segment was incorrectly using the TSS base address,
and the TSS base address was not properly set.

The data segment base is now set to 0, as it should be for a flat 64-bit
model. The TSS segment descriptor in the GDT now correctly points to
X86_SYZOS_ADDR_VAR_TSS and uses the full 64-bit address.
The attributes are also updated to mark the TSS as busy.

Additionally, the TSS region is now explicitly copied from L1 to L2 to
ensure the L2 environment has a valid TSS.


Commit: eababac62cc8b2dbcdadba991eecaa4fd521c42d
https://github.com/google/syzkaller/commit/eababac62cc8b2dbcdadba991eecaa4fd521c42d
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
A sys/linux/test/amd64-syz_kvm_nested_load_syzos

Log Message:
-----------
sys/linux/test: add amd64-syz_kvm_nested_load_syzos

The new test checks the following scenario:
- L0 VM launches L1 VM (SYZOS)
- L1 VM launches L2 VM (nested SYZOS)
- L2 VM issues a UEXIT
- L1 VM catches the UEXIT and forwards it to L0
- L0 VM checks the UEXIT code and resumes L1 VM
- L1 VM finishes its work and issues another UEXIT
- L0 VM checks the UEXIT code


Commit: 993198b3dea8fdf032e5ff4f0914b203e0f3b67d
https://github.com/google/syzkaller/commit/993198b3dea8fdf032e5ff4f0914b203e0f3b67d
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
A sys/linux/test/amd64-syz_kvm_nested_load_syzos-vmresume

Log Message:
-----------
sys/linux/test: add test for nested SYZOS resumption

Add sys/linux/test/amd64-syz_kvm_nested_load_syzos-vmresume to verify the
state preservation and resumption capabilities of the
SYZOS_API_NESTED_LOAD_SYZOS primitive.

The test deploys an L2 guest with a sequential multi-step payload:
1. `uexit(1)`
2. `uexit(2)`

The L1 hypervisor first executes `nested_vmlaunch`, causing L2 to run
until the first uexit. L1 then executes `nested_vmresume` to continue
L2 execution.


Commit: df949cd92b8e324cf57a033d3166077e6ab2ca79
https://github.com/google/syzkaller/commit/df949cd92b8e324cf57a033d3166077e6ab2ca79
Author: Alexander Potapenko <gli...@google.com>
Date: 2026-02-09 (Mon, 09 Feb 2026)

Changed paths:
A sys/linux/test/amd64-syz_kvm_nested_gpr_persistence
A sys/linux/test/amd64-syz_kvm_nested_gpr_persistence_syzos

Log Message:
-----------
sys/linux/test: add SYZOS tests for nested GPR persistence

Add two new SYZOS test cases to verify the persistence of
Guest Physical Registers (GPRs) in a nested virtualization scenario.

These tests ensure that the hypervisor correctly saves and restores
L2 GPRs during nested VM-exits and VM-entries, preventing register
state corruption.


Compare: https://github.com/google/syzkaller/compare/f21a95cd9e10%5E...df949cd92b8e


Alexander Potapenko

Feb 9, 2026, 4:55:29 AM
to syzk...@googlegroups.com