| Commit message (Collapse) | Author | Age | Files | Lines |
Currently, clang tools are built by copying their code into a
llvm-project repository and adding a build rule to LLVM's CMake. This
allows pinning a specific LLVM hash, which is convenient, but it's also a
bit painful to copy code across repositories.
This adds a rule to make that can build syz-codesearch with a simple g++
invocation that uses llvm-config to get the LLVM compiler and linker
flags and hardcodes some clang libraries to link against since I could
not find a better way. (llvm-config does not have "components" for
clang)
Switch to exclude-list instead of an explicit list of C/C++ files to format.
We episodically forget to add new files.
With exclude-list it's impossible to forget.
Add server for running agentic workflows as part of syzbot.
The architecture and use are similar to that of syz-ci.
Add a clang tool that is used for code indexing (tools/clang/codesearch/).
It follows the conventions and build procedure of the declextract tool.
Add pkg/codesearch package that aggregates the info exposed by the clang tools,
and allows doing simple queries:
- show source code of an entity (function, struct, etc)
- show entity comment
- show all entities defined in a source file
Add tools/syz-codesearch wrapper tool that allows creating an index for a kernel build,
and then running code queries on it.
Some of the common helpers may be reused across different Clang tools
(currently json.h and .clang-format). Move the files to allow such reuse.
Fix the following error by only building it for Linux:
package github.com/google/syzkaller/pkg/kfuzztest-manager
imports github.com/google/syzkaller/pkg/kfuzztest-executor:
build constraints exclude all Go files in /syzkaller/gopath/src/github.com/google/syzkaller/pkg/kfuzztest-executor
It allows using `syz-env make configs ... INSTANCE=`.
Helps with #6391
syz-kfuzztest is a new standalone designed for fuzzing KFuzzTest on a
live kernel VM (e.g., inside QEMU). It has no dependencies on the
executor program, instead directly writing into a KFuzzTest target's
debugfs entry.
Signed-off-by: Ethan Graham <ethangraham@google.com>
As shown in https://github.com/google/syzkaller/issues/5565,
SYZOS code in the `guest` section cannot reference global data,
because it is relocated into the guest memory.
While arm64 executor has a dynamic check for data accesses, it is
virtually impossible to do the same on x86 without implementing an
x86 disassembler. Instead of doing so, introduce a build-time script
that will detect instructions referencing global data on a best-effort
basis.
When building with the Yocto go-mod class, the -modcacherw flag appended
to GOHOSTFLAGS must be considered in all build steps to make the go
cache writeable (deletable).
And update mistakenly used v2.
Typecheck is not a linter: https://golangci-lint.run/welcome/faq/#why-do-you-have-typecheck-errors .
The linters stylecheck, gosimple, and staticcheck have been merged into staticcheck.
New config format.
goconst.ignore-tests doesn't exist anymore.
print-linter-name is replaced by print-issued-lines.
Github can parse golangci-lint output. --output-format is not needed anymore.
clang-tidy-20 generates many more failures, many of which are in the
flatrpc library. Let's disable clang-analyzer-optin.core.EnumCastOutOfRange
for now.
It also complained about PROT_EXEC in the executor, but that is
necessary to support syz_execute_func().
Make fidlgen non special and run go generate for all packages.
This will avoid stale go:generate commands, and missed packages
(like we had for pkg/ifuzz/{x86,arm64} for years).
The generator does not run and generates broken code.
It looks like the generated file was edited manually.
Fix that.
Some functions are no longer struct members.
Some functions were deleted.
A client mock was generated.
Run differential fuzzing as a workflow step.
1. Init coveragedb client once and propagate it through context to enable mocking.
2. Always init coverage handlers. It simplifies testing.
3. Read webGit and coveragedb client from ctx to make it mockable.
4. Use int for file line number and int64 for merged coverage.
5. Add tests.
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even provided we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
Following standard conventions simplifies the Yocto recipe.
1. Make interface testable.
2. Add Spanner interfaces.
3. Generate mocks for proxy interfaces.
4. Test SaveMergeResult.
5. Test MergeCSVWriteJSONL and coveragedb.SaveMergeResult integration.
syz-declextract accumulated a bunch of code health problems,
so that now it's hard to change/extend it; lots of new features
can only be added in hacky ways and cause lots of code duplication.
It's also completely untested. Rewrite the tool to:
- move as much code as possible to Go (working with the clang tool
is painful for a number of reasons)
- allow testing and add unit tests (first layer of tests test
what information is produced by the clang tool, second layer
of tests test how that information is transformed to descriptions)
- allow extending the clang tool output to export arbitrary info
in non-hacky way (now it produces arbitrary JSON instead of a mix
of incomplete descriptions and interfaces)
- remove code duplication in the clang tool and provide common
infrastructure to add new analysis w/o causing more duplication
- provide more convenient primitives in the clang tool
- improve code style consistency and stick to the LLVM code style
(in particular, variable names must start with a capital letter,
single-statement blocks are not surrounded with {})
- remove intermixing of code that works on different levels
(currently we have AST analysis + business logic + printfs
all intermixed with each other)
- provide several helper Go packages for better code structuring
(e.g. pkg/clangtool just runs the tool on source files in parallel
and returns results, this already separates a bunch of low-level
logic from the rest of the code under a simple abstraction)
I've tried to make the output match the current output as much as possible
so that the diff is manageable (in some cases at the cost of code quality,
this should be fixed in future commits). There are still some differences,
but hopefully they are manageable for review (more includes/defines,
reordered some netlink attributes).
Minor bugs are fixed along the way, but mostly NFC:
1. Some unions were incorrectly emitted as [varlen]
(C unions are never varlen).
2. Only one of the [packed], [align[N]] attributes was emitted
for a struct (both couldn't be emitted).
Check that HTML files are not inconsistently formatted
with both tabs and spaces.
This is the prototype version of the patch series fuzzing functionality
based on the syzkaller fuzzing engine.
The tool takes two syzkaller configs -- one for the base kernel, one for
the patched kernel. Optionally the patch itself can be also provided.
syz-diff will consider a bug patched-only if:
1) It happened while fuzzing the patched kernel.
2) It was never observed on the base kernel.
3) The tool found a repro on the patched kernel.
4) The repro did not crash the base kernel.
Added more test coverage of the package and created an interface of
rpcserver to use it as the dependency (for syz-manager).
Also tried to cover with tests a private method handleConn(),
though it calls handleRunnerConn which has a separate logic in
Handshake(), which within handleConn() unit test we should've mocked.
This will require a refactoring of `runners map[int]*Runner` and
runner.go in general with a separate interface which we can mock as
well.
General idea is to have interfaces of Server (rpc), Runner etc. and mock a
compound logic like Handshake during a separate public (or private if it
has callable, if-else logic) method unit-testing.
act (https://github.com/nektos/act) is used to build GitHub workflows locally.
When running `act -j build` on the local host, it reports:
exec failed: unable to start container process: exec: "node": executable file
not found in $PATH: unknown.
Adding nodejs package can fix the build error.
Updated docs with act usage too.
Clang tool that uses AST matchers to extract relevant metadata about Linux system calls. The tool is to be extended
later to support more interfaces, collect more relevant metadata and to automatically generate syzkaller descriptions.
All syz-ci instances must have updated by this time, so we no longer
need this noisy hack.
Download the latest gvisor release and run the syz-manager smoke-test
suite.
Signed-off-by: Andrei Vagin <avagin@google.com>
Temporary hack to allow updating old syz-ci when syz-fuzzer is removed.
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
All OSes we have now support shmem.
Support for Fuchsia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
It's handy b/c if one builds everything and then does "go fmt ./..."
then generated files change and everything needs to be built again.
Let's see if we can get away with C++17 for all our toolchains.
The later standard we can use, the better. C++17 has a number
of nice features, e.g. std::optional.
Switch to flatrpc.ProgInfo.
Note: this disables syz-runtest and syz-verifier.
Add C++ compiler and flags to the target
and build executor with the C++ compiler.
This will be needed to merge syz-fuzzer into syz-executor
since it will be beefier and will most likely require linking in libc++.
But also this should fix #4821 since we won't use C++ flags
when building C sources (we already had work-around in pkg/csource,
but not in syz-extract).
Fixes #4821
go:embed is a more modern way to do this and it does
not require a special Makefile step.
Since go:embed cannot use paths that contain "..",
the actual embedding is moved to the executor package.
Move syz-stress logic into syz-execprog.
It's already doing most of what syz-stress could do,
it even can load a corpus since recently.
There are a few remaining bits that are missing
in execprog, so add them to execprog.
Add schema for manager<->fuzzer communication.
We may need to change things when we start to use this,
but this serves as a proof of concept that we can
express things that we need in flatbuffers.