# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# To fuzz with qemu, enable the cdrom option and provide an ISO image.
# For example, in the "vm" section of the syzkaller configuration:
# "vm" : {
#     ...
#     "cmdline": " -cdrom /.../ubuntu-18.04-desktop-amd64.iso "
# }
# CONFIG_CDROM must be enabled in the kernel.
#
# For more effective fuzzing one might want to disable
# CDROMEJECT && CDROMEJECT_SW.
# "disable_syscalls" : [ "ioctl$CDROMEJECT*" ]
15
# Kernel headers from which the constants used in this file are taken.
include <linux/cdrom.h>
include <uapi/linux/cdrom.h>

# File descriptor resource for the CD-ROM device; every ioctl below takes it as fd.
resource fd_cdrom[fd]

# Opens the fixed path /dev/cdrom and yields an fd_cdrom. Only id and flags vary
# between generated calls.
syz_open_dev$CDROM_DEV_LINK(dev ptr[in, string["/dev/cdrom"]], id intptr, flags flags[open_flags]) fd_cdrom
22
# Playback, table-of-contents and sector-read ioctls on fd_cdrom. Every variant pins
# cmd to a single constant; variants with no third parameter are generated without
# an argument.
ioctl$CDROMPAUSE(fd fd_cdrom, cmd const[CDROMPAUSE])
ioctl$CDROMRESUME(fd fd_cdrom, cmd const[CDROMRESUME])
ioctl$CDROMPLAYMSF(fd fd_cdrom, cmd const[CDROMPLAYMSF], arg ptr[in, cdrom_msf])
ioctl$CDROMPLAYTRKIND(fd fd_cdrom, cmd const[CDROMPLAYTRKIND], arg ptr[in, cdrom_ti])
ioctl$CDROMREADTOCHDR(fd fd_cdrom, cmd const[CDROMREADTOCHDR], arg ptr[inout, cdrom_tochdr])
ioctl$CDROMREADTOCENTRY(fd fd_cdrom, cmd const[CDROMREADTOCENTRY], arg ptr[inout, cdrom_tocentry])
ioctl$CDROMSTOP(fd fd_cdrom, cmd const[CDROMSTOP])
ioctl$CDROMSTART(fd fd_cdrom, cmd const[CDROMSTART])
# This variant and ioctl$CDROMEJECT_SW are the ones matched by the
# "ioctl$CDROMEJECT*" pattern in the disable_syscalls example in the file header.
ioctl$CDROMEJECT(fd fd_cdrom, cmd const[CDROMEJECT])
ioctl$CDROMVOLCTRL(fd fd_cdrom, cmd const[CDROMVOLCTRL], arg ptr[in, cdrom_volctrl])
ioctl$CDROMSUBCHNL(fd fd_cdrom, cmd const[CDROMSUBCHNL], arg ptr[inout, cdrom_subchnl])
# CDROMREADMODE2, CDROMREADMODE1 and CDROMREADRAW take cdrom_msf_out_stub, which is
# padded to CD_FRAMESIZE_RAWER bytes, yet the pointer is declared [in].
# NOTE(review): presumably the kernel writes sector data back through this pointer;
# confirm whether [inout] would describe these calls better.
ioctl$CDROMREADMODE2(fd fd_cdrom, cmd const[CDROMREADMODE2], arg ptr[in, cdrom_msf_out_stub])
ioctl$CDROMREADMODE1(fd fd_cdrom, cmd const[CDROMREADMODE1], arg ptr[in, cdrom_msf_out_stub])
ioctl$CDROMREADAUDIO(fd fd_cdrom, cmd const[CDROMREADAUDIO], arg ptr[in, cdrom_read_audio])
ioctl$CDROMEJECT_SW(fd fd_cdrom, cmd const[CDROMEJECT_SW], arg boolptr)
ioctl$CDROMMULTISESSION(fd fd_cdrom, cmd const[CDROMMULTISESSION], arg ptr[inout, cdrom_multisession])
ioctl$CDROM_GET_MCN(fd fd_cdrom, cmd const[CDROM_GET_MCN], arg ptr[out, cdrom_mcn])
ioctl$CDROMRESET(fd fd_cdrom, cmd const[CDROMRESET])
ioctl$CDROMVOLREAD(fd fd_cdrom, cmd const[CDROMVOLREAD], arg ptr[out, cdrom_volctrl])
ioctl$CDROMREADRAW(fd fd_cdrom, cmd const[CDROMREADRAW], arg ptr[in, cdrom_msf_out_stub])

# Output-only reads into a CD_FRAMESIZE_RAWER-byte buffer (cdrom_output_buffer).
ioctl$CDROMREADCOOKED(fd fd_cdrom, cmd const[CDROMREADCOOKED], arg ptr[out, cdrom_output_buffer])
ioctl$CDROMSEEK(fd fd_cdrom, cmd const[CDROMSEEK], arg ptr[in, cdrom_msf])

ioctl$CDROMPLAYBLK(fd fd_cdrom, cmd const[CDROMPLAYBLK], arg ptr[in, cdrom_blk])

ioctl$CDROMREADALL(fd fd_cdrom, cmd const[CDROMREADALL], arg ptr[out, cdrom_output_buffer])

# Both spindown variants pass arg as an immediate int8, not as a pointer.
# NOTE(review): confirm against the driver whether a user pointer is expected here;
# if so these variants only ever reach the copy-failure path.
ioctl$CDROMGETSPINDOWN(fd fd_cdrom, cmd const[CDROMGETSPINDOWN], arg int8)
ioctl$CDROMSETSPINDOWN(fd fd_cdrom, cmd const[CDROMSETSPINDOWN], arg int8)

ioctl$CDROMCLOSETRAY(fd fd_cdrom, cmd const[CDROMCLOSETRAY])
55
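# Drive option, speed, slot and status ioctls on fd_cdrom. Arguments here are
# immediate values (flags, int64, boolptr, int32), not pointers to structs.
ioctl$CDROM_SET_OPTIONS(fd fd_cdrom, cmd const[CDROM_SET_OPTIONS], arg flags[cdrom_options])
ioctl$CDROM_CLEAR_OPTIONS(fd fd_cdrom, cmd const[CDROM_CLEAR_OPTIONS], arg flags[cdrom_options])
ioctl$CDROM_SELECT_SPEED(fd fd_cdrom, cmd const[CDROM_SELECT_SPEED], speed int64)
# cmd must be CDROM_SELECT_DISC (the kernel header's spelling). With
# CDROM_SELECT_SPEED here the variant only duplicated the one above and the
# disc-selection path was never generated.
ioctl$CDROM_SELECT_DISK(fd fd_cdrom, cmd const[CDROM_SELECT_DISC], disk int64)
ioctl$CDROM_MEDIA_CHANGED(fd fd_cdrom, cmd const[CDROM_MEDIA_CHANGED], slot int64)
ioctl$CDROM_DISC_STATUS(fd fd_cdrom, cmd const[CDROM_DISC_STATUS])
ioctl$CDROM_CHANGER_NSLOTS(fd fd_cdrom, cmd const[CDROM_CHANGER_NSLOTS])
ioctl$CDROM_LOCKDOOR(fd fd_cdrom, cmd const[CDROM_LOCKDOOR], lock boolptr)
ioctl$CDROM_DEBUG(fd fd_cdrom, cmd const[CDROM_DEBUG], debug boolptr)
ioctl$CDROM_GET_CAPABILITY(fd fd_cdrom, cmd const[CDROM_GET_CAPABILITY])

ioctl$CDROMAUDIOBUFSIZ(fd fd_cdrom, cmd const[CDROMAUDIOBUFSIZ], val int32)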
68
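# DVD structure and authentication ioctls. Each variant needs its own cmd constant:
# with DVD_READ_STRUCT repeated on all three, the dvd_authinfo union was only ever
# delivered to the read-struct handler and the write/auth paths were never generated.
ioctl$DVD_READ_STRUCT(fd fd_cdrom, cmd const[DVD_READ_STRUCT], arg ptr[inout, dvd_struct])
ioctl$DVD_WRITE_STRUCT(fd fd_cdrom, cmd const[DVD_WRITE_STRUCT], arg ptr[in, dvd_struct])
ioctl$DVD_AUTH(fd fd_cdrom, cmd const[DVD_AUTH], arg ptr[inout, dvd_authinfo])

# Generic packet command: the argument carries a raw command block plus user
# pointers for data and sense buffers (see cdrom_generic_command).
ioctl$CDROM_SEND_PACKET(fd fd_cdrom, cmd const[CDROM_SEND_PACKET], arg ptr[inout, cdrom_generic_command])

# Output-only queries; the result is an int64 behind the pointer.
ioctl$CDROM_NEXT_WRITABLE(fd fd_cdrom, cmd const[CDROM_NEXT_WRITABLE], arg ptr[out, int64])
ioctl$CDROM_LAST_WRITTEN(fd fd_cdrom, cmd const[CDROM_LAST_WRITTEN], arg ptr[out, int64])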
77
# Output buffer of CD_FRAMESIZE_RAWER bytes, used by ioctl$CDROMREADCOOKED and
# ioctl$CDROMREADALL.
cdrom_output_buffer {
	reserved	array[int8, CD_FRAMESIZE_RAWER]
}
81
# Argument of ioctl$CDROMPLAYMSF and ioctl$CDROMSEEK: six independently generated
# bytes with no range constraints, so out-of-range values are produced freely.
cdrom_msf {
	cdmsf_min0	int8
	cdmsf_sec0	int8
	cdmsf_frame0	int8
	cdmsf_min1	int8
	cdmsf_sec1	int8
	cdmsf_frame1	int8
}
90
# Same six address bytes as cdrom_msf, followed by zero padding. The padding length
# is CDROM_MSF_OUT_STUB_SIZE (CD_FRAMESIZE_RAWER-6), so the whole struct is
# CD_FRAMESIZE_RAWER bytes. Used by the CDROMREADMODE2/MODE1/RAW variants.
cdrom_msf_out_stub {
	cdmsf_min0	int8
	cdmsf_sec0	int8
	cdmsf_frame0	int8
	cdmsf_min1	int8
	cdmsf_sec1	int8
	cdmsf_frame1	int8
	reserved	array[const[0, int8], CDROM_MSF_OUT_STUB_SIZE]
}
100
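# Argument of ioctl$CDROMPLAYTRKIND: two track/index byte pairs, all unconstrained.
# The second field is cdti_ind0, matching cdti_ind1 below (it was misspelled
# cdti_int0); no other description refers to the field by name.
cdrom_ti {
	cdti_trk0	int8
	cdti_ind0	int8
	cdti_trk1	int8
	cdti_ind1	int8
}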
107
# Argument of ioctl$CDROMREADTOCHDR (passed inout): two unconstrained bytes.
cdrom_tochdr {
	cdth_trk0	int8
	cdth_trk1	int8
}
112
# Argument of ioctl$CDROMREADTOCENTRY (passed inout). cdte_adr and cdte_ctrl are
# two 4-bit fields sharing one byte. cdte_format is generated independently of the
# cdrom_addr member chosen for cdte_addr, so mismatched format/address pairs occur.
cdrom_tocentry {
	cdte_track	int8
	cdte_adr	int8:4
	cdte_ctrl	int8:4
	cdte_format	flags[cdrom_format, int8]
	cdte_addr	cdrom_addr
	cdte_datamode	int8
}
121
# Union: an address given either as a three-byte cdrom_msf0 or as a 32-bit lba.
# Nothing here ties the chosen member to the format field of the enclosing struct.
cdrom_addr [
	msf	cdrom_msf0
	lba	int32
]
126
# The msf member of cdrom_addr: three unconstrained bytes.
cdrom_msf0 {
	minute	int8
	second	int8
	frame	int8
}
132
# Argument of ioctl$CDROMREADAUDIO. buf is an output buffer of 1 to CD_FRAMES bytes
# and nframes is filled with the byte size of buf.
# NOTE(review): the field name suggests a count of frames, not of bytes; if the
# kernel scales nframes by a frame size, the requested transfer is larger than buf.
# Confirm whether that over-request is intended for this description.
cdrom_read_audio {
	addr		cdrom_addr
	addr_format	flags[cdrom_format, int8]
	nframes		bytesize[buf, int32]
	buf		ptr[out, array[int8, 1:CD_FRAMES]]
}
139
# Four unconstrained bytes; passed [in] to ioctl$CDROMVOLCTRL and [out] to
# ioctl$CDROMVOLREAD.
cdrom_volctrl {
	channel0	int8
	channel1	int8
	channel2	int8
	channel3	int8
}
146
# Argument of ioctl$CDROMSUBCHNL (passed inout). cdsc_adr and cdsc_ctrl are two
# 4-bit fields sharing one byte; both address unions are generated independently
# of cdsc_format.
cdrom_subchnl {
	cdsc_format		flags[cdrom_format, int8]
	cdsc_audiostatus	int8
	cdsc_adr		int8:4
	cdsc_ctrl		int8:4
	cdsc_trk		int8
	cdsc_ind		int8
	cdsc_absaddr		cdrom_addr
	cdsc_reladdr		cdrom_addr
}
157
# Argument of ioctl$CDROMMULTISESSION (passed inout). xa_flag is restricted to 0/1
# by bool8; addr_format is generated independently of the addr union member.
cdrom_multisession {
	addr		cdrom_addr
	xa_flag		bool8
	addr_format	flags[cdrom_format, int8]
}
163
# Output argument of ioctl$CDROM_GET_MCN: a fixed 14-byte array.
cdrom_mcn {
	medium_catalog_number	array[int8, 14]
}
167
# Argument of ioctl$CDROMPLAYBLK: a 32-bit start and a 16-bit length, both
# unconstrained.
cdrom_blk {
	from	int32
	len	int16
}
172
# Union passed to ioctl$DVD_READ_STRUCT and ioctl$DVD_WRITE_STRUCT. One member is
# chosen per generated value: either a bare type byte drawn from dvd_struct_type,
# or one of the five structs, each of which starts with its own constant type byte.
dvd_struct [
	type		flags[dvd_struct_type, int8]

	physical	dvd_physical
	copyright	dvd_copyright
	disckey		dvd_disckey
	bca		dvd_bca
	manufact	dvd_manufact
]
182
# dvd_struct member with type fixed to DVD_STRUCT_PHYSICAL. layer_num is limited to
# 0..3 and is followed by DVD_LAYERS dvd_layer entries.
dvd_physical {
	type		const[DVD_STRUCT_PHYSICAL, int8]
	layer_num	int8[0:3]
	layer		array[dvd_layer, DVD_LAYERS]
}
188
# One element of dvd_physical.layer: a run of int8 bitfields of the widths given
# below, followed by three unconstrained 32-bit sector values.
dvd_layer {
	book_version	int8:4
	book_type	int8:4
	min_rate	int8:4
	disc_size	int8:4
	layer_type	int8:4
	track_path	int8:1
	nlayers		int8:2
	track_density	int8:4
	linear_density	int8:4
	bca		int8:1
	start_sector	int32
	end_sector	int32
	end_sector_l0	int32
}
204
# dvd_struct member with type fixed to DVD_STRUCT_COPYRIGHT; layer_num is limited
# to 0..3, cpst and rmi are unconstrained bytes.
dvd_copyright {
	type		const[DVD_STRUCT_COPYRIGHT, int8]

	layer_num	int8[0:3]
	cpst		int8
	rmi		int8
}
212
# dvd_struct member with type fixed to DVD_STRUCT_DISCKEY: a 2-bit agid bitfield
# and a fixed 2048-byte value array.
dvd_disckey {
	type	const[DVD_STRUCT_DISCKEY, int8]

	agid	int32:2
	value	array[int8, 2048]
}
219
# dvd_struct member with type fixed to DVD_STRUCT_BCA. len is computed from value,
# whose size is fixed at 188 bytes.
dvd_bca {
	type	const[DVD_STRUCT_BCA, int8]

	len	len[value, int32]
	value	array[int8, 188]
}
226
# dvd_struct member with type fixed to DVD_STRUCT_MANUFACT. layer_num is limited to
# 0..3; len is computed from value, whose size is fixed at 2048 bytes.
dvd_manufact {
	type		const[DVD_STRUCT_MANUFACT, int8]

	layer_num	int8[0:3]
	len		len[value, int32]
	value		array[int8, 2048]
}
234
# Union passed (inout) to ioctl$DVD_AUTH. One member is chosen per generated value:
# a bare type byte drawn from dvd_authinfo_type, or one of the message structs.
# lsk and hsk share the dvd_send_key layout.
dvd_authinfo [
	type	flags[dvd_authinfo_type, int8]

	lsa	dvd_lu_send_agid
	hsc	dvd_host_send_challenge
	lsk	dvd_send_key
	lsc	dvd_lu_send_challenge
	hsk	dvd_send_key
	lstk	dvd_lu_send_title_key
	lsasf	dvd_lu_send_asf
	hrpcs	dvd_host_send_rpcstate
	lrpcs	dvd_lu_send_rpcstate
]
248
# Fixed-size byte arrays used by the dvd_authinfo members: 5 bytes for a key,
# 10 bytes for a challenge.
type dvd_key array[int8, 5]
type dvd_challenge array[int8, 10]
251
# dvd_authinfo member with type fixed to DVD_LU_SEND_AGID and a 2-bit agid.
dvd_lu_send_agid {
	type	const[DVD_LU_SEND_AGID, int8]
	agid	int32:2
}
256
# dvd_authinfo member with type fixed to DVD_HOST_SEND_CHALLENGE: a 2-bit agid and
# a 10-byte challenge.
dvd_host_send_challenge {
	type	const[DVD_HOST_SEND_CHALLENGE, int8]
	agid	int32:2

	chal	dvd_challenge
}
263
# The two type values allowed in dvd_send_key.
dvd_send_key_type = DVD_LU_SEND_KEY1, DVD_HOST_SEND_KEY2

# Shared layout of the lsk and hsk members of dvd_authinfo: type is one of
# dvd_send_key_type, followed by a 2-bit agid and a 5-byte key.
dvd_send_key {
	type	flags[dvd_send_key_type, int8]
	agid	int32:2

	key	dvd_key
}
272
# dvd_authinfo member with type fixed to DVD_LU_SEND_CHALLENGE: a 2-bit agid and a
# 10-byte challenge.
dvd_lu_send_challenge {
	type	const[DVD_LU_SEND_CHALLENGE, int8]
	agid	int32:2

	chal	dvd_challenge
}
279
# dvd_authinfo member with type fixed to DVD_LU_SEND_TITLE_KEY: a 2-bit agid, a
# 5-byte title key, an unconstrained 32-bit lba and three small int32 bitfields.
dvd_lu_send_title_key {
	type		const[DVD_LU_SEND_TITLE_KEY, int8]
	agid		int32:2

	title_key	dvd_key
	lba		int32
	cpm		int32:1
	cp_sec		int32:1
	cgms		int32:2
}
290
# dvd_authinfo member with type fixed to DVD_LU_SEND_ASF: a 2-bit agid and a 1-bit
# asf field.
dvd_lu_send_asf {
	type	const[DVD_LU_SEND_ASF, int8]
	agid	int32:2

	asf	int32:1
}
297
# dvd_authinfo member with type fixed to DVD_HOST_SEND_RPC_STATE and one
# unconstrained pdrc byte.
dvd_host_send_rpcstate {
	type	const[DVD_HOST_SEND_RPC_STATE, int8]
	pdrc	int8
}
302
# dvd_authinfo member (lrpcs). Unlike its siblings, type is a free 2-bit bitfield
# here, not a constant, and it shares its byte with vra and ucca.
dvd_lu_send_rpcstate {
	type		int8:2
	vra		int8:3
	ucca		int8:3
	region_mask	int8
	rpc_scheme	int8
}
310
# Argument of ioctl$CDROM_SEND_PACKET (passed inout). cmd is a raw command block of
# CDROM_PACKET_SIZE unconstrained bytes. buffer and sense are user pointers nested
# inside the struct, and buflen is computed from buffer, so generated programs
# carry a length consistent with the allocated buffer. data_direction is drawn
# from cdrom_data_direction independently of the command bytes.
cdrom_generic_command {
	cmd		array[int8, CDROM_PACKET_SIZE]
	buffer		ptr[inout, array[int8]]
	buflen		len[buffer, int32]
	stat		int32
	sense		ptr[inout, request_sense]
	data_direction	flags[cdrom_data_direction, int8]
	quiet		int32
	timeout		int32
	reserved	ptr[out, array[intptr, 1]]
}
322
# Sense buffer referenced by cdrom_generic_command.sense. All fields are
# unconstrained bytes or byte arrays; the declared fields add up to 64 bytes.
request_sense {
	valid_err_code	int8
	segment_number	int8
	ili_sense_key	int8
	information	array[int8, 4]
	add_sense_len	int8
	command_info	array[int8, 4]
	asc		int8
	ascq		int8
	fruc		int8
	sks		array[int8, 3]
	asb		array[int8, 46]
}
336
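# Value sets referenced by flags[...] fields and arguments in this file.
cdrom_options = CDO_AUTO_CLOSE, CDO_AUTO_EJECT, CDO_USE_FFLAGS, CDO_LOCK, CDO_CHECK_TYPE
cdrom_format = CDROM_MSF, CDROM_LBA
dvd_struct_type = DVD_STRUCT_PHYSICAL, DVD_STRUCT_COPYRIGHT, DVD_STRUCT_DISCKEY, DVD_STRUCT_BCA, DVD_STRUCT_MANUFACT
# DVD_LU_SEND_RPC_STATE was listed twice while DVD_HOST_SEND_RPC_STATE, the type of
# dvd_host_send_rpcstate, was missing; the duplicate is replaced by the host value
# so the bare type member of dvd_authinfo can also select that request.
dvd_authinfo_type = DVD_LU_SEND_AGID, DVD_LU_SEND_KEY1, DVD_LU_SEND_CHALLENGE, DVD_LU_SEND_TITLE_KEY, DVD_LU_SEND_ASF, DVD_HOST_SEND_CHALLENGE, DVD_HOST_SEND_KEY2, DVD_INVALIDATE_AGID, DVD_LU_SEND_RPC_STATE, DVD_HOST_SEND_RPC_STATE
cdrom_data_direction = CGC_DATA_UNKNOWN, CGC_DATA_WRITE, CGC_DATA_READ, CGC_DATA_NONE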
342
# Length of the zero padding in cdrom_msf_out_stub: CD_FRAMESIZE_RAWER minus the six
# int8 address bytes that precede it.
define CDROM_MSF_OUT_STUB_SIZE	CD_FRAMESIZE_RAWER-6
344