Otherwise the two instances can't communicate.
Previously, the generated KFuzzTest programs were reusing the address of
the top-level input struct. A problem could arise when the encoded blob
is large and overflows into another allocated region - this certainly
happens in the case where the input struct points to some large char
buffer, for example.
While this wasn't directly a problem, it could lead to racy behavior
when running KFuzzTest targets concurrently.
To fix this, we now introduce an additional buffer parameter into
syz_kfuzztest_run that is as big as the maximum accepted input size in
the KFuzzTest kernel code. When this buffer is allocated, we ensure that
we have some allocated space in the program that can hold the entire
encoded input.
This works in practice, but has not been tested with concurrent
KFuzzTest executions yet.
If vmlinux is specified as a flag, we perform a setup stage where we
parse vmlinux for KFuzzTest targets.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add documentation for syzkaller's KFuzzTest integration, and a separate
documentation file for the syz-kfuzztest program.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a tool for generating a syzkaller description for every KFuzzTest
target discovered in a vmlinux binary and outputting it to stdout.
Signed-off-by: Ethan Graham <ethangraham@google.com>
syz-kfuzztest is a new standalone tool designed for fuzzing KFuzzTest on a
live kernel VM (e.g., inside QEMU). It has no dependencies on the
executor program, instead directly writing into a KFuzzTest target's
debugfs entry.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add logic for dynamic KFuzzTest target discovery in syz-manager. By
default, all KFuzzTest targets are enabled when the enable_kfuzztest
config option is set to true.
Internal kernel functions (and as a result KFuzzTest) have stricter
contracts than system calls. For this reason, we must avoid mutating
the following cases:
- Length arguments not matching the length of the related buffer.
- Strings not being null-terminated.
Add special cases for KFuzzTest calls that avoid these situations.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a new package, pkg/kfuzztest, that implements dynamic discovery of
KFuzzTest targets by parsing a vmlinux kernel binary.
Signed-off-by: Ethan Graham <ethangraham@google.com>
All non-base variants of syz_kfuzztest_run (i.e., those that are
discovered dynamically) are encoded so that they map onto the base
variant which is defined in kfuzztest.txt, and known by the executor.
We add a function for fetching this, that is wrapped in a sync.Once
block to avoid repeated iteration over the target's array of syscalls.
Signed-off-by: Ethan Graham <ethangraham@google.com>
As KFuzzTest targets are discovered at boot, we need a mechanism for
adding these to the array of enabled system calls. This is implemented
by the new Extend method, which performs this setup.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding
logic.
KFuzzTest targets, which are invoked in the executor with the new
syz_kfuzztest_run pseudo-syscall, require specialized encoding. To
differentiate KFuzzTest calls from standard syzkaller calls, we
introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller
descriptions that can be used to annotate calls.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a Go-native KCOV package, with helper functions for tracing a
function. This is in preparation for a standalone KFuzzTest tool,
which should be written in Go in order to take advantage of existing
fuzzing infrastructure.
The hard-coded coverage buffer size is the same as the executor program,
defined as `512 << 10` in `executor/executor.cc`.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Break checkCallResult() down into smaller functions, checkCallStatus() and
checkCallCoverage().
This is the proper level for TLS_RX/TLS_TX opts.
The syscall expects non-zero terminated strings.
The new test validates that KVM exits with KVM_EXIT_HLT when
encountering the x86 HLT instruction.
This ioctl accepts an arch-specific struct as an argument, so it is better to
split it into several arch-specific ioctls.
To avoid compilation errors on exotic arches like MIPS, this patch also adds
sys/linux/dev_kvm_extra.txt that takes care of them.
While at it, also define KVM_GUESTDBG_USE_HW.
Add SYZOS calls that correspond to the IN and OUT x86 instructions
that perform port I/O.
These instructions have different variants, for now we just implement
the one that takes the port number from DX instead of encoding it in
the opcode.
Add a SYZOS call to write to one of the debug registers
(DR0-DR7).
Not strictly necessary, because syz_kvm_assert_syzos_uexit() is checking
the exit reason, but should test the pseudo-syscall itself.
Implement a pseudo-syscall to check the value of kvm_run.exit_reason
Pseudo-syscalls from noCovSyscalls may not generate any coverage, which
leads to a crash in the following line:
if len(inf.Signal) < 2 && !calls[callName] && len(info.Extra.Signal)
Make sure that this check is only done for calls not belonging to
noCovSyscalls.
When compiling the executor in syz-env-old, -fstack-protector may
kick in and introduce global accesses that tools/check-syzos.sh reports.
To prevent this, introduce the __no_stack_protector macro attribute that
disables stack protection for the function in question, and use it for
guest code.
While at it, factor out some common definitions into common_kvm_syzos.h
Replace the switch statement in guest_handle_wr_crn() with a series of
if statements.
As shown in https://github.com/google/syzkaller/issues/5565,
SYZOS code in the `guest` section cannot reference global data,
because it is relocated into the guest memory.
While the arm64 executor has a dynamic check for data accesses, it is
virtually impossible to do the same on x86 without implementing an
x86 disassembler. Instead of doing so, introduce a build-time script
that will detect instructions referencing global data on a best-effort
basis.
This is a best-effort attempt to fix the tests passing ANY arguments
to the syz_kvm_add_vcpu$arm64() syscall.
Not passing flattened arguments to syz_kvm_add_vcpu() serves two purposes:
- makes it easier to reason about the SYZOS program contents;
- prevents nonsensical mutations of them.
The `no_squash` per-syscall attribute prevents the fuzzer from generating
squashed arguments to a particular syscall.
This is particularly helpful for pseudo-syscalls with elaborate
arguments that are hard to reason about when they are squashed - e.g.
for syz_kvm_add_vcpu() that takes a SYZOS program as an input.
I've considered an alternative solution that prohibits ANY for all
pseudo-syscalls. But there is a bunch of existing programs (both
the tests and the repros) for syscalls like syz_mount_image() for which
the benefit of not passing ANY is not immediately obvious.
I therefore decided to go with an explicit attribute that can later
be enforced for every pseudo-syscall at compile time.
The image is to be deprecated.
Closes #6350.
If the archive turned out to be too large, just print an error message
and don't return an error from the status update function.
There are a number of patch series that don't apply to torvalds, but do
apply to linux-next.
Since we don't fetch all maintainer trees, use linux-next as the last
resort.
This should fix our broken bisections.
Closes #6136.
Bumps [cloud.google.com/go/compute/metadata](https://github.com/googleapis/google-cloud-go) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/v0.7.0...v0.8.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/compute/metadata
dependency-version: 0.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps google.golang.org/protobuf from 1.36.6 to 1.36.8.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-version: 1.36.8
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
This makes it easier to figure out where the flags go by grepping for them
by name.
No functional change intended.
It does happen that we detect a bug that was introduced in the patch
series, but we don't report it because no reliable reproducer was found.
Let's at least log such cases to better understand the scale of the
problem.
10 is an arbitrary cut-off value.
When determining whether a patch series is worth fuzzing, consider not
only the hashes of .text symbols, but also the hashes of the global
(static and non-static) variables.
As before, calculate the hashes during build and process them at the
beginning of the fuzz step.
Some series don't apply to torvalds, see e.g.
https://ci.syzbot.org/series/f429573e-7862-4f1e-97dd-3215a235b1d3
The ptp series go to the netdev list.
Transform the hard-coded list of feature combinations into individual
groups of features.
Introduce a new Filesystem parameter - the maximum number of resulting
seeds.
If the total number of flag combinations exceeds this number, switch to
generating a covering array (that is, make sure that all flag value
pairs are covered, or at least as many of them as possible).
Don't generate just the hard-coded list of filesystems, but also
generate seeds for the externally supplied json description of a
filesystem.
Add a special syscall attribute to help syz-imagegen guess the actual
filesystem name from the syz_mount_image variant name.
Instead of:
ffx --target <target> target get-ssh-address
Use:
ffx --target <target> target list --format addresses