home / skills / benchflow-ai / skillsbench / syz-extract-constants

syz-extract-constants skill

Q: Why do I see "cannot find include file" when extracting?

Ensure SOURCEDIR points to a complete kernel source tree with proper uapi headers and that include paths are configured for the extraction step.

safe

/tasks/syzkaller-ppdev-syzlang/environment/skills/syz-extract-constants

This skill helps you generate and verify kernel constant values for syzlang descriptions using manual .const files, ensuring correct arches and ioctl

npx playbooks add skill benchflow-ai/skillsbench --skill syz-extract-constants

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.1 KB

---
name: syz-extract-constants
description: Defining and extracting kernel constants for syzkaller syzlang descriptions
---

# Defining Constants in Syzlang

## Overview

Syzkaller needs to know the actual values of kernel constants (ioctl numbers, flags, etc.) to generate valid fuzzing programs. There are two ways to provide these values:

1. **Manual `.const` file** - Define constants directly in a companion file
2. **`syz-extract` tool** - Extract values from kernel source headers (requires kernel source)

## Method 1: Manual Constants File (Recommended when no kernel source)

Create a `.const` file alongside your `.txt` file with the constant values:

### File naming
- Syzlang description: `sys/linux/dev_ppdev.txt`
- Constants file: `sys/linux/dev_ppdev.txt.const`

### Constants file format

```
# Constants for your syzlang descriptions
arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
PPCLAIM = 28811
PPRELEASE = 28812
IEEE1284_MODE_NIBBLE = 0
IEEE1284_MODE_BYTE = 1
```

The `arches` line declares which architectures these constants are valid for. For architecture-independent constants (like ioctls), list all architectures.

### Calculating ioctl values

Linux ioctl numbers are encoded as:
- `_IO(type, nr)` = `(type << 8) | nr`
- `_IOR(type, nr, size)` = `(2 << 30) | (size << 16) | (type << 8) | nr`
- `_IOW(type, nr, size)` = `(1 << 30) | (size << 16) | (type << 8) | nr`
- `_IOWR(type, nr, size)` = `(3 << 30) | (size << 16) | (type << 8) | nr`

For ppdev (type='p'=0x70):
- `PPCLAIM = _IO('p', 0x8b)` = `0x708b` = `28811`

## Method 2: Using syz-extract (Requires kernel source)

If kernel source is available:

```bash
cd /opt/syzkaller

# Extract constants for a specific file
make extract TARGETOS=linux SOURCEDIR=/path/to/linux FILES=sys/linux/dev_ppdev.txt
```

**Note:** This environment does not include kernel source. Use Method 1 (manual constants file) instead.

## After Defining Constants

After creating the `.const` file, build syzkaller:

```bash
cd /opt/syzkaller
make descriptions  # Compiles descriptions + constants
make all           # Full build
```

## Common Errors

### "is defined for none of the arches"
This means the constant is used in the `.txt` file but not defined in the `.const` file.
- Add the missing constant to your `.const` file
- Ensure `arches` line lists the target architectures
PPCLAIM is defined for none of the arches
```

Solution: Run `make extract` with the correct kernel source path and FILES parameter.

### Missing headers
```
cannot find include file: uapi/linux/ppdev.h
```

Solution: Check the kernel source path and ensure headers are properly configured.

### "unknown file"
```
unknown file: sys/linux/dev_ppdev.txt
```

Solution: Use `make extract FILES=...` instead of calling `bin/syz-extract` directly.

## Example Workflow

1. Write the syzlang description file (`sys/linux/dev_ppdev.txt`)
2. Run `make extract TARGETOS=linux SOURCEDIR=/opt/linux/source FILES=sys/linux/dev_ppdev.txt`
3. Run `make generate` to regenerate Go code
4. Run `make` to build syzkaller
5. Test with `make descriptions` to verify everything compiles

Overview

This skill defines and extracts kernel constants needed by syzkaller syzlang descriptions so fuzzing programs reference correct ioctl numbers, flags, and other values. It documents two approaches: creating a manual .const file when kernel source is unavailable, and using the syz-extract workflow to pull constants from kernel headers when source is present. The guidance includes file naming, format, ioctl encoding, build steps, and common error fixes.

How this skill works

When no kernel source is available, you create a .const file next to your syzlang .txt description that lists constants and an arches line declaring supported architectures. When kernel source is available, the syz-extract/Makefile workflow parses kernel headers to compute constant values and writes them into the description build. After constants are provided, running the syzkaller build targets compiles descriptions and integrates the constants into generated code.

When to use it

You have no kernel source but need deterministic constant values for a syzlang description.
You have kernel source and want to extract constants directly from headers to avoid manual errors.
You need to define architecture-specific vs architecture-independent constants for syzkaller.
You are troubleshooting build or description errors related to missing constants.
You are preparing descriptions for multiple architectures and need a central constants file.

Best practices

Prefer a .const companion file when kernel source is not accessible; name it exactly <file>.txt.const next to the .txt file.
Always include an arches line listing the target architectures to avoid "defined for none of the arches" errors.
For ioctls, compute values using the documented _IO/_IOR/_IOW/_IOWR encodings to verify results before adding them.
When kernel source exists, run make extract with TARGETOS, SOURCEDIR, and FILES to ensure extracted constants match the headers.
Run make descriptions (and make all) after adding constants to validate integration and trigger generation of updated code.

Example use cases

Add constants for a third-party device description without access to the exact kernel tree: create sys/linux/dev_ppdev.txt.const with arches and values.
Automate extraction during CI by running make extract TARGETOS=linux SOURCEDIR=/path/to/linux FILES=sys/linux/dev_*.txt.
Fix build error "is defined for none of the arches" by adding the missing constant and appropriate arches line to the .const file.
Resolve header include errors by verifying SOURCEDIR contains required uapi headers before running syz-extract.
Regenerate descriptions and Go code after constants change by running make generate and make descriptions.

FAQ

What if I don't have kernel source?

Create a .const file next to the .txt description listing all required constants and an arches line; then run make descriptions to validate.

How do I compute ioctl numeric values?

Use the ioctl encodings: _IO = (type<<8)|nr; _IOR/_IOW/_IOWR include major size and direction bits as documented; compute with the type (e.g., 'p' = 0x70).

Why do I see "cannot find include file" when extracting?

Ensure SOURCEDIR points to a complete kernel source tree with proper uapi headers and that include paths are configured for the extraction step.