aboutsummaryrefslogtreecommitdiffstats
path: root/csource
Commit message (Collapse)AuthorAgeFilesLines
* pkg/csource: move from csourceDmitry Vyukov2017-06-173-2646/+0
|
* executor: fix clang-tidy warningsDmitry Vyukov2017-06-132-16/+24
| | | | | A single check is enabled for now (misc-definitions-in-headers). But it's always fixable and found 2 bugs in csource.
* Merge pull request #223 from xairy/up-makedev-fixAndrey Konovalov2017-06-131-0/+1
|\ | | | | executor: add sys/sysmacros.h include for makedev in newer gcc
| * executor: add sys/sysmacros.h include for makedev in newer gccAndrey Konovalov2017-06-131-0/+1
| |
* | csource: reformatDmitry Vyukov2017-06-131-1/+1
|/
* csource: use reflect to iterate over optionsAndrey Konovalov2017-06-121-97/+48
|
* csource: don't use guard macros for debug() and NONFAILING()Andrey Konovalov2017-06-122-123/+97
|
* csource: speed up short testsAndrey Konovalov2017-06-121-7/+73
|
* repro: always minimize over EnableTunAndrey Konovalov2017-06-122-7/+9
|
* csource: generate includes when necessaryAndrey Konovalov2017-06-122-26/+111
|
* csource: don't generate execute_syscall callsAndrey Konovalov2017-06-122-6/+26
|
* csource: use tmp dir in repeat loop when tmpdir flag is onAndrey Konovalov2017-06-121-1/+9
|
* csource: only emit fail(), exitf() and doexit() when necessaryAndrey Konovalov2017-06-121-1/+15
|
* csourse: don't generate debug printfsAndrey Konovalov2017-06-123-14/+50
|
* csource: try to simplify repeat loopAndrey Konovalov2017-06-123-12/+28
|
* csource: use sandbox only when requiredAndrey Konovalov2017-06-123-10/+35
|
* csource: emit bitmasks only when requiredAndrey Konovalov2017-06-122-30/+26
|
* csource: force enable tun flag when requiredAndrey Konovalov2017-06-122-10/+18
|
* csource: only handle SIGSEGV when necessaryAndrey Konovalov2017-06-123-31/+62
|
* executor: don't define SYZ_ENABLE_TUN in executorAndrey Konovalov2017-06-121-11/+11
|
* csource: use tmp dir only when necessaryAndrey Konovalov2017-06-123-15/+30
|
* executor: split setup_main_process into smaller functionsAndrey Konovalov2017-06-122-22/+23
|
* csource: add EnableTun optionAndrey Konovalov2017-06-123-59/+67
|
* executor: call flush_tun for repeat reprosAndrey Konovalov2017-06-121-7/+12
|
* executor: move inet checksum code under ifdefAndrey Konovalov2017-06-121-30/+32
|
* pkg/fileutil: move from fileutilDmitry Vyukov2017-06-031-1/+1
|
* csource: regenerateDmitry Vyukov2017-06-031-1/+1
|
* all: speed up testsDmitry Vyukov2017-05-291-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mark tests as parallel where makes sense. Speed up sys.TransitivelyEnabledCalls. Execution time is now: ok github.com/google/syzkaller/config 0.172s ok github.com/google/syzkaller/cover 0.060s ok github.com/google/syzkaller/csource 3.081s ok github.com/google/syzkaller/db 0.395s ok github.com/google/syzkaller/executor 0.060s ok github.com/google/syzkaller/fileutil 0.106s ok github.com/google/syzkaller/host 1.530s ok github.com/google/syzkaller/ifuzz 0.491s ok github.com/google/syzkaller/ipc 1.374s ok github.com/google/syzkaller/log 0.014s ok github.com/google/syzkaller/prog 2.604s ok github.com/google/syzkaller/report 0.045s ok github.com/google/syzkaller/symbolizer 0.062s ok github.com/google/syzkaller/sys 0.365s ok github.com/google/syzkaller/syz-dash 0.014s ok github.com/google/syzkaller/syz-hub/state 0.427s ok github.com/google/syzkaller/vm 0.052s However, main time is still taken by rebuilding sys package. Fixes #182
* csource: reproduce crashes with fault injectionDmitry Vyukov2017-05-263-24/+56
|
* sys, executor: extract tcp sequence numbers from /dev/net/tunAndrey Konovalov2017-05-262-11/+136
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::20001 :::* LISTEN 5527/a.out tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
* csource: regenerateDmitry Vyukov2017-05-251-0/+6
|
* prog, executor: move checksum computation to executorAndrey Konovalov2017-05-122-1/+56
| | | | | This commit moves checksum computation to executor. This will allow to embed dynamically generated values (like TCP sequence numbers) into packets.
* csource: strip __STDC_VERSION__ macro from generated sourceDmitry Vyukov2017-05-061-1/+12
|
* vm: add Odroid supportAndrey Konovalov2017-03-101-1/+1
| | | | | | | | | | | This commit adds Odroid C2 support to syzkaller. It's now possible to specify "type": "odroid" in manager config. Documentation on how to setup fuzzing with Odroid C2 board is here: https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2 Note, that after this change libusb-1.0-0-dev package should be installed to build syzkaller.
* csource: regenerateDmitry Vyukov2017-03-051-1/+6
|
* csource: fix parallel mode to wait for subprocessesDmitry Vyukov2017-02-021-1/+3
| | | | | | Currently it lefts some orphaned children, so that ctrl+C does not kill them. Wait for the children.
* executor: fix undefined setup_tun() function error in c reprosAndrey Konovalov2017-02-011-2/+6
|
* csource: regenerate and reformatDmitry Vyukov2017-02-012-2/+4
|
* executor: fix tun initialization when sandbox != noneAndrey Konovalov2017-01-312-20/+31
|
* sys: improve kvm descriptionDmitry Vyukov2017-01-281-63/+106
| | | | | | Allow fuzzer to change types of segment descriptors. Alter more flags. Allow fuzzer to do a random vmwrite.
* csource, syz-gce: regenerate and reformatDmitry Vyukov2017-01-271-2/+2
|
* executor: protect against memory corruptions betterDmitry Vyukov2017-01-251-2/+8
| | | | | | | | | | | Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
* executor: change tun subnet to 172.20.*Andrey Konovalov2017-01-231-3/+3
|
* csource: use 0x%x format for printing bitfield addr and argAndrey Konovalov2017-01-231-1/+1
|
* all: spot optimizationsDmitry Vyukov2017-01-201-1/+4
| | | | | | | | | | | | | A bunch of spot optmizations after cpu/memory profiling: 1. Optimize hot-path coverage comparison in fuzzer. 2. Don't allocate and copy serialized program, serialize directly into shmem. 3. Reduce allocations during parsing of output shmem (encoding/binary sucks). 4. Don't allocate and copy coverage arrays, refer directly to the shmem region (we are not going to mutate them). 5. Don't validate programs outside of tests, validation allocates tons of memory. 6. Replace the choose primitive with simpler switches. Choose allocates fullload of memory (for int, func, and everything the func refers). 7. Other minor optimizations.
* executor: fix warning regarding type cast in STORE_BY_BITMASKAndrey Konovalov2017-01-201-1/+1
|
* csource: fix STORE_BY_BITMASK in prog2cAndrey Konovalov2017-01-201-1/+1
|
* executor: fix copyin of valuesDmitry Vyukov2017-01-171-11/+13
| | | | | | Currently non-bitfield values are copied incorrectly. Probably all turned into zeros or something. Fix that. Add test.
* csource: regenerateDmitry Vyukov2017-01-171-0/+12
|
* prog: add bitfields to templatesAndrey Konovalov2017-01-171-1/+10
| | | | | | Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field. This fixes #72.
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-12 00:25:01 +0000