Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_linux.h | 4 | ||||
| -rw-r--r-- | executor/executor.h | 42 | ||||
| -rw-r--r-- | executor/executor_akaros.cc | 7 | ||||
| -rw-r--r-- | executor/executor_bsd.cc | 30 | ||||
| -rw-r--r-- | executor/executor_fuchsia.cc | 5 | ||||
| -rw-r--r-- | executor/executor_linux.cc | 15 | ||||
| -rw-r--r-- | executor/executor_windows.cc | 5 | ||||
| -rw-r--r-- | executor/syscalls_akaros.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_freebsd.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_fuchsia.h | 4 | ||||
| -rw-r--r-- | executor/syscalls_linux.h | 10 | ||||
| -rw-r--r-- | executor/syscalls_netbsd.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_test.h | 4 | ||||
| -rw-r--r-- | executor/syscalls_windows.h | 2 |
14 files changed, 74 insertions, 60 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h index abfccdd6e..66247a952 100644 --- a/executor/common_linux.h +++ b/executor/common_linux.h @@ -1961,7 +1961,7 @@ extern unsigned long long procid; #if defined(SYZ_EXECUTOR) void reply_handshake(); -void receive_execute(bool need_prog); +void receive_execute(); void reply_execute(int status); extern uint32* output_data; extern uint32* output_pos; @@ -2030,7 +2030,7 @@ static void loop() // TODO: consider moving the read into the child. // Potentially it can speed up things a bit -- when the read finishes // we already have a forked worker process. - receive_execute(false); + receive_execute(); #endif int pid = fork(); if (pid < 0) diff --git a/executor/executor.h b/executor/executor.h index d5122cc71..15e1aa40b 100644 --- a/executor/executor.h +++ b/executor/executor.h @@ -86,7 +86,6 @@ struct thread_t { osthread_t th; char* cover_data; char* cover_end; - uint64 cover_buffer[1]; // fallback coverage buffer event_t ready; event_t done; @@ -182,11 +181,25 @@ bool copyout(char* addr, uint64 size, uint64* res); void cover_open(); void cover_enable(thread_t* th); void cover_reset(thread_t* th); -uint32 read_cover_size(thread_t* th); +uint32 cover_read_size(thread_t* th); bool cover_check(uint32 pc); bool cover_check(uint64 pc); static uint32 hash(uint32 a); static bool dedup(uint32 sig); +void setup_control_pipes(); +void receive_handshake(); +void receive_execute(); + +void main_init() +{ + setup_control_pipes(); + if (SYZ_EXECUTOR_USES_FORK_SERVER) + receive_handshake(); + else + receive_execute(); + if (flag_cover) + cover_open(); +} void setup_control_pipes() { @@ -235,7 +248,7 @@ void reply_handshake() fail("control pipe write failed"); } -void receive_execute(bool need_prog) +void receive_execute() { execute_req req; if (read(kInPipeFd, &req, sizeof(req)) != (ssize_t)sizeof(req)) 
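Review bot: `main_init()` in the executor.h hunk is undocumented, yet its statement order carries a hidden dependency: `cover_open()` is placed after `receive_handshake()`/`receive_execute()`, presumably because `flag_cover` is only populated while that request is parsed, so the two halves cannot be swapped. A header comment would make this explicit, e.g. `// Common startup: control pipes, then the handshake (fork-server targets) or the first execute request, which populates flag_*; cover_open() must stay after that point because it consults flag_cover.` Since `SYZ_EXECUTOR_USES_FORK_SERVER` is a plain macro from the generated syscalls_*.h, a target that lacks the define fails at compile time instead of silently picking a mode, which is the right failure mode and worth stating in the same comment.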
@@ -260,11 +273,13 @@ void receive_execute(bool need_prog) procid, flag_threaded, flag_collide, flag_collect_cover, flag_collect_comps, flag_dedup_cover, flag_inject_fault, flag_fault_call, flag_fault_nth, req.prog_size); - if (req.prog_size == 0) { - if (need_prog) + if (SYZ_EXECUTOR_USES_SHMEM) { + if (req.prog_size) fail("need_prog: no program"); return; } + if (req.prog_size == 0) + fail("need_prog: no program"); uint64 pos = 0; for (;;) { ssize_t rv = read(kInPipeFd, input_data + pos, sizeof(input_data) - pos); @@ -301,7 +316,7 @@ void execute_one() retry: uint64* input_pos = (uint64*)input_data; - if (!colliding && !flag_threaded) + if (flag_cover && !colliding && !flag_threaded) cover_enable(&threads[0]); int call_index = 0; @@ -499,8 +514,10 @@ void write_coverage_signal(thread_t* th, uint32* signal_count_pos, uint32* cover cover_t prev = 0; for (uint32 i = 0; i < th->cover_size; i++) { cover_t pc = cover_data[i]; - if (!cover_check(pc)) + if (!cover_check(pc)) { + debug("got bad pc: 0x%llx\n", (uint64)pc); doexit(0); + } cover_t sig = pc ^ prev; prev = hash(pc); if (dedup(sig)) @@ -591,7 +608,7 @@ void handle_completion(thread_t* th) } // Write out number of comparisons. *comps_count_pos = comps_size; - } else { + } else if (flag_cover) { if (is_kernel_64_bit) write_coverage_signal<uint64>(th, signal_count_pos, cover_count_pos); else @@ -623,7 +640,8 @@ void* worker_thread(void* arg) { thread_t* th = (thread_t*)arg; - cover_enable(th); + if (flag_cover) + cover_enable(th); for (;;) { event_wait(&th->ready); execute_call(th); @@ -651,7 +669,8 @@ void execute_call(thread_t* th) fail_fd = inject_fault(flag_fault_nth); } - cover_reset(th); + if (flag_cover) + cover_reset(th); errno = 0; th->res = execute_syscall(call, th->args[0], th->args[1], th->args[2], th->args[3], th->args[4], th->args[5], 
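Review bot: In the `SYZ_EXECUTOR_USES_SHMEM` branch the failure message is inverted: the new check fires when `req.prog_size` is non-zero, i.e. when a program was unexpectedly sent inline although shmem is in use, yet it still reports `need_prog: no program`, which points anyone debugging a fuzzer/executor protocol mismatch in the wrong direction. Change it to `fail("receive_execute: unexpected inline program in shmem mode");` and keep the existing text only for the non-shmem `prog_size == 0` case. The rest of receive_execute, including the read loop's completion check against `req.prog_size`, is outside the hunk.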
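Review bot: With `if (!flag_cover) return;` removed from cover_open/cover_enable/cover_reset/cover_read_size in executor_linux.cc and executor_bsd.cc, the precondition now lives at every call site; the hunks for execute_one, handle_completion, worker_thread and execute_call each add a `flag_cover` gate, but nothing in the diff documents this contract. executor_linux.cc's `cover_reset` still handles `th == 0` via `current_thread`, which suggests at least one caller outside this diff that must also be gated, or it will write through a `cover_data` that was never mapped. Add a comment above the declarations in executor.h, e.g. `// cover_* may only be called when flag_cover is set; the platform implementations no longer check it themselves.`, and audit the remaining callers (common*.h included) before merging.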
@@ -659,7 +678,8 @@ void execute_call(thread_t* th) th->reserrno = errno; if (th->res == -1 && th->reserrno == 0) th->reserrno = EINVAL; // our syz syscalls may misbehave - th->cover_size = read_cover_size(th); + if (flag_cover) + th->cover_size = cover_read_size(th); th->fault_injected = false; if (flag_inject_fault && th->call_index == flag_fault_call) { diff --git a/executor/executor_akaros.cc b/executor/executor_akaros.cc index 1b690f2b9..e13719609 100644 --- a/executor/executor_akaros.cc +++ b/executor/executor_akaros.cc @@ -29,12 +29,11 @@ int main(int argc, char** argv) use_temporary_dir(); install_segv_handler(); - setup_control_pipes(); - receive_handshake(); + main_init(); reply_handshake(); for (;;) { - receive_execute(true); + receive_execute(); char cwdbuf[128] = "/syz-tmpXXXXXX"; mkdtemp(cwdbuf); int pid = fork(); @@ -91,7 +90,7 @@ void cover_reset(thread_t* th) { } -uint32 read_cover_size(thread_t* th) +uint32 cover_read_size(thread_t* th) { return 0; } diff --git a/executor/executor_bsd.cc b/executor/executor_bsd.cc index 4ae2cf223..d23f93fb8 100644 --- a/executor/executor_bsd.cc +++ b/executor/executor_bsd.cc @@ -89,13 +89,11 @@ int main(int argc, char** argv) setrlimit(RLIMIT_CORE, &rlim); install_segv_handler(); - setup_control_pipes(); - receive_handshake(); + main_init(); reply_handshake(); - cover_open(); for (;;) { - receive_execute(false); + receive_execute(); char cwdbuf[128] = "/syz-tmpXXXXXX"; if (!mkdtemp(cwdbuf)) fail("mkdtemp failed"); @@ -153,11 +151,9 @@ long execute_syscall(const call_t* c, long a0, long a1, long a2, long a3, long a void cover_open() { - if (!flag_cover) - return; +#if defined(__FreeBSD__) for (int i = 0; i < kMaxThreads; i++) { thread_t* th = &threads[i]; -#if defined(__FreeBSD__) th->cover_fd = open("/dev/kcov", O_RDWR); if (th->cover_fd == -1) fail("open of /dev/kcov failed"); 
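Review bot: When `flag_cover` is off, `th->cover_size` is no longer assigned in execute_call, so it keeps whatever the previous call on this thread left there; any consumer that does not itself check `flag_cover` (the loop in write_coverage_signal is gated via handle_completion, other readers cannot be verified from here) would then process stale coverage. Writing the field unconditionally keeps the invariant simple: `th->cover_size = flag_cover ? cover_read_size(th) : 0;`. execute_call continues past this hunk.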
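Review bot: In executor_bsd.cc main, `cover_open()` (now inside `main_init()`) runs before `reply_handshake()` instead of after it, so a failing `/dev/kcov` open or mmap now aborts before the handshake reply is written; the Linux executor already used that order, so this is probably the intended unification, but it is an observable behaviour change for the fuzzer side and deserves a sentence in the commit message. If the earlier order was deliberate on FreeBSD, keep the explicit `cover_open()` call after `reply_handshake()` there instead of relying on `main_init()`.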
@@ -171,18 +167,13 @@ void cover_open() fail("cover mmap failed"); th->cover_data = mmap_ptr; th->cover_end = mmap_ptr + mmap_alloc_size; -#else - th->cover_data = (char*)&th->cover_buffer[0]; - th->cover_end = th->cover_data + sizeof(th->cover_buffer); -#endif } +#endif } void cover_enable(thread_t* th) { #if defined(__FreeBSD__) - if (!flag_cover) - return; debug("#%d: enabling /dev/kcov\n", th->id); int kcov_mode = flag_collect_comps ? KCOV_MODE_TRACE_CMP : KCOV_MODE_TRACE_PC; if (ioctl(th->cover_fd, KIOENABLE, &kcov_mode)) @@ -194,17 +185,12 @@ void cover_enable(thread_t* th) void cover_reset(thread_t* th) { #if defined(__FreeBSD__) - if (!flag_cover) - return; - *th->cover_size_ptr = 0; #endif } -uint32 read_cover_size(thread_t* th) +uint32 cover_read_size(thread_t* th) { - if (!flag_cover) - return 0; #if defined(__FreeBSD__) uint64 size = *th->cover_size_ptr; debug("#%d: read cover size = %llu\n", th->id, size); @@ -212,11 +198,7 @@ uint32 read_cover_size(thread_t* th) fail("#%d: too much cover %llu", th->id, size); return size; #else - // Fallback coverage since we have no real coverage available. - // We use syscall number or-ed with returned errno value as signal. - // At least this gives us all combinations of syscall+errno. - th->cover_data[0] = (th->call_num << 16) | ((th->res == -1 ? th->reserrno : 0) & 0x3ff); - return 1; + return 0; #endif } diff --git a/executor/executor_fuchsia.cc b/executor/executor_fuchsia.cc index 6c7657732..c21198449 100644 --- a/executor/executor_fuchsia.cc +++ b/executor/executor_fuchsia.cc @@ -25,8 +25,7 @@ int main(int argc, char** argv) fail("mmap of data segment failed"); install_segv_handler(); - setup_control_pipes(); - receive_execute(true); + main_init(); execute_one(); return 0; } @@ -53,7 +52,7 @@ void cover_reset(thread_t* th) { } -uint32 read_cover_size(thread_t* th) +uint32 cover_read_size(thread_t* th) { return 0; } 
diff --git a/executor/executor_linux.cc b/executor/executor_linux.cc index f0bccd949..5325a84d2 100644 --- a/executor/executor_linux.cc +++ b/executor/executor_linux.cc @@ -72,10 +72,7 @@ int main(int argc, char** argv) // That's also the reason why we close kInPipeFd/kOutPipeFd below. close(kInFd); close(kOutFd); - setup_control_pipes(); - receive_handshake(); - - cover_open(); + main_init(); install_segv_handler(); use_temporary_dir(); @@ -133,8 +130,6 @@ long execute_syscall(const call_t* c, long a0, long a1, long a2, long a3, long a void cover_open() { - if (!flag_cover) - return; for (int i = 0; i < kMaxThreads; i++) { thread_t* th = &threads[i]; th->cover_fd = open("/sys/kernel/debug/kcov", O_RDWR); @@ -154,8 +149,6 @@ void cover_open() void cover_enable(thread_t* th) { - if (!flag_cover) - return; debug("#%d: enabling /sys/kernel/debug/kcov\n", th->id); int kcov_mode = flag_collect_comps ? KCOV_TRACE_CMP : KCOV_TRACE_PC; // This should be fatal, @@ -169,17 +162,13 @@ void cover_enable(thread_t* th) void cover_reset(thread_t* th) { - if (!flag_cover) - return; if (th == 0) th = current_thread; *(uint64*)th->cover_data = 0; } -uint32 read_cover_size(thread_t* th) +uint32 cover_read_size(thread_t* th) { - if (!flag_cover) - return 0; // Note: this assumes little-endian kernel. uint32 n = *(uint32*)th->cover_data; debug("#%d: read cover size = %u\n", th->id, n); diff --git a/executor/executor_windows.cc b/executor/executor_windows.cc index a9ba5ea63..73477bb4f 100644 --- a/executor/executor_windows.cc +++ b/executor/executor_windows.cc @@ -27,8 +27,7 @@ int main(int argc, char** argv) MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) != (void*)SYZ_DATA_OFFSET) fail("mmap of data segment failed"); - setup_control_pipes(); - receive_execute(true); + main_init(); execute_one(); return 0; } @@ -54,7 +53,7 @@ void cover_reset(thread_t* th) { } -uint32 read_cover_size(thread_t* th) +uint32 cover_read_size(thread_t* th) { return 0; } 
diff --git a/executor/syscalls_akaros.h b/executor/syscalls_akaros.h index 6ea7ea44e..de24a539f 100644 --- a/executor/syscalls_akaros.h +++ b/executor/syscalls_akaros.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "9c09d67e0d2fb4a004add22093616420ce831dfc" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_freebsd.h b/executor/syscalls_freebsd.h index a8b960a31..d0d062e46 100644 --- a/executor/syscalls_freebsd.h +++ b/executor/syscalls_freebsd.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "8cb11e146d49a5c6a0d12d988e21f2e9ca2c2f94" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_fuchsia.h b/executor/syscalls_fuchsia.h index 71168ed25..63031eaa8 100644 --- a/executor/syscalls_fuchsia.h +++ b/executor/syscalls_fuchsia.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "5c60584793306c995f51b459bc98d260d6af8fd2" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -172,6 +174,8 @@ const call_t syscalls[] = { #if defined(__aarch64__) || 0 #define GOARCH "arm64" #define SYZ_REVISION "2e963a82bfbf3c29beae3fc949984472c9ef3512" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_linux.h b/executor/syscalls_linux.h index ef41c5885..5847f7412 100644 --- a/executor/syscalls_linux.h +++ b/executor/syscalls_linux.h 
@@ -3,6 +3,8 @@ #if defined(__i386__) || 0 #define GOARCH "386" #define SYZ_REVISION "fb282f1b092787fbad00ac8e1b8c7b09fe9c4508" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -2012,6 +2014,8 @@ const call_t syscalls[] = { #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "ebc5f87dbeb579da0b2fa1afa8b276abd3d76db7" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -4073,6 +4077,8 @@ const call_t syscalls[] = { #if defined(__arm__) || 0 #define GOARCH "arm" #define SYZ_REVISION "feecafc9df92bb96d867216b25547470c3c5df58" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -6090,6 +6096,8 @@ const call_t syscalls[] = { #if defined(__aarch64__) || 0 #define GOARCH "arm64" #define SYZ_REVISION "2cb4965554b7542cf6dc6680a92afe835ce1734f" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -8079,6 +8087,8 @@ const call_t syscalls[] = { #if defined(__ppc64__) || defined(__PPC64__) || defined(__powerpc64__) || 0 #define GOARCH "ppc64le" #define SYZ_REVISION "49784caa8d5d34e193d979e258ed6b6d04fbfe8a" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_netbsd.h b/executor/syscalls_netbsd.h index a4cc3b867..9d2354f67 100644 --- a/executor/syscalls_netbsd.h +++ b/executor/syscalls_netbsd.h 
@@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "1c3f97d7ba7aa2f74ff155a040df838ef118c890" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_test.h b/executor/syscalls_test.h index f1359a023..5a1c84410 100644 --- a/executor/syscalls_test.h +++ b/executor/syscalls_test.h @@ -3,6 +3,8 @@ #if 0 #define GOARCH "32" #define SYZ_REVISION "d92d7712e00dad64bba08d7850d58c2c07fce4a2" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 8192 #define SYZ_NUM_PAGES 2048 #define SYZ_DATA_OFFSET 536870912 @@ -114,6 +116,8 @@ const call_t syscalls[] = { #if 0 #define GOARCH "64" #define SYZ_REVISION "043151c0569399dabddfd351e1e4e097cf457238" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_windows.h b/executor/syscalls_windows.h index 1bb9af1b2..7dcf746a6 100644 --- a/executor/syscalls_windows.h +++ b/executor/syscalls_windows.h @@ -3,6 +3,8 @@ #if defined(_M_X64) || 0 #define GOARCH "amd64" #define SYZ_REVISION "6285e05d0c2a423477b78cca69c1143794a9b482" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 |
