aboutsummaryrefslogtreecommitdiffstats
path: root/executor/common.h
Commit message (Collapse)AuthorAgeFilesLines
* executor: fix clang-tidy warningsDmitry Vyukov2017-06-131-15/+15
| | | | | A single check is enabled for now (misc-definitions-in-headers). But it's always fixable and found 2 bugs in csource.
* executor: add sys/sysmacros.h include for makedev in newer gccAndrey Konovalov2017-06-131-0/+1
|
* csource: don't use guard macros for debug() and NONFAILING()Andrey Konovalov2017-06-121-33/+0
|
* repro: always minimize over EnableTunAndrey Konovalov2017-06-121-1/+1
|
* csource: generate includes when necessaryAndrey Konovalov2017-06-121-25/+102
|
* csource: don't generate execute_syscall callsAndrey Konovalov2017-06-121-0/+2
|
* csource: use tmp dir in repeat loop when tmpdir flag is onAndrey Konovalov2017-06-121-1/+9
|
* csource: only emit fail(), exitf() and doexit() when necessaryAndrey Konovalov2017-06-121-1/+15
|
* csourse: don't generate debug printfsAndrey Konovalov2017-06-121-2/+32
|
* csource: try to simplify repeat loopAndrey Konovalov2017-06-121-3/+10
|
* csource: use sandbox only when requiredAndrey Konovalov2017-06-121-0/+2
|
* csource: emit bitmasks only when requiredAndrey Konovalov2017-06-121-14/+16
|
* csource: force enable tun flag when requiredAndrey Konovalov2017-06-121-10/+2
|
* csource: only handle SIGSEGV when necessaryAndrey Konovalov2017-06-121-9/+20
|
* executor: don't define SYZ_ENABLE_TUN in executorAndrey Konovalov2017-06-121-16/+16
|
* csource: use tmp dir only when necessaryAndrey Konovalov2017-06-121-0/+2
|
* executor: split setup_main_process into smaller functionsAndrey Konovalov2017-06-121-22/+21
|
* csource: add EnableTun optionAndrey Konovalov2017-06-121-31/+35
|
* executor: call flush_tun for repeat reprosAndrey Konovalov2017-06-121-7/+12
|
* executor: move inet checksum code under ifdefAndrey Konovalov2017-06-121-30/+32
|
* executor: limit stack frame sizeDmitry Vyukov2017-05-311-1/+3
| | | | | | | | | Stack usage warning currently breaks our internal build (with 16K frame limit). Executor uses stacks of limited size, that's another reason to not allow frames of arbitrary size. Limit stack frame size to 8K. Reduce tun packet size. We don't need to read out whole packet.
* csource: reproduce crashes with fault injectionDmitry Vyukov2017-05-261-7/+26
|
* sys, executor: extract tcp sequence numbers from /dev/net/tunAndrey Konovalov2017-05-261-11/+141
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::20001 :::* LISTEN 5527/a.out tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
* executor: mount /proc in namespaceDmitry Vyukov2017-05-231-0/+9
| | | | | | /proc is useful for fault injection and there is probably some interesting stuff to fuzz as well.
* prog, executor: move checksum computation to executorAndrey Konovalov2017-05-121-0/+30
| | | | | This commit moves checksum computation to executor. This will allow to embed dynamically generated values (like TCP sequence numbers) into packets.
* vm: add Odroid supportAndrey Konovalov2017-03-101-1/+1
| | | | | | | | | | | This commit adds Odroid C2 support to syzkaller. It's now possible to specify "type": "odroid" in manager config. Documentation on how to setup fuzzing with Odroid C2 board is here: https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2 Note, that after this change libusb-1.0-0-dev package should be installed to build syzkaller.
* executor: fix ppc64le buildDmitry Vyukov2017-03-021-0/+5
|
* executor: treat EAGAIN as transient failure as ENOMEMDmitry Vyukov2017-02-151-2/+2
|
* executor: fix undefined setup_tun() function error in c reprosAndrey Konovalov2017-02-011-2/+6
|
* executor: fix tun initialization when sandbox != noneAndrey Konovalov2017-01-311-14/+28
|
* executor: protect against memory corruptions betterDmitry Vyukov2017-01-251-1/+13
| | | | | | | | | | | Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
* executor: change tun subnet to 172.20.*Andrey Konovalov2017-01-231-5/+3
|
* executor: fix warning regarding type cast in STORE_BY_BITMASKAndrey Konovalov2017-01-201-1/+1
|
* executor: fix copyin of valuesDmitry Vyukov2017-01-171-11/+13
| | | | | | Currently non-bitfield values are copied incorrectly. Probably all turned into zeros or something. Fix that. Add test.
* prog: add bitfields to templatesAndrey Konovalov2017-01-171-0/+12
| | | | | | Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field. This fixes #72.
* sys, executor: more kvm improvementsDmitry Vyukov2017-01-121-1/+5
| | | | | | | 1. Basic support for arm64 kvm testing. 2. Fix compiler warnings in x86 kvm code. 3. Test all pseudo syz calls in csource. 4. Fix handling of real code in x86.
* sys: extend kvm supportDmitry Vyukov2017-01-091-0/+9
| | | | | | Add new pseudo syscall syz_kvm_setup_cpu that setups VCPU into interesting states for execution. KVM is too difficult to setup otherwise. Lots of improvements possible, but this is a starting point.
* executor: use NONFAILING strcpy in syz_open_devDmitry Vyukov2017-01-091-1/+1
| | | | The source is fuzzer provided memory, it can be non-addressable.
* csource: compile with -WerrorDmitry Vyukov2017-01-091-2/+2
| | | | | | Check for compiler warnings during compilation. Don't require -std=c99. Fix existing compiler warnings.
* executor: don't fail on ENOMEMDmitry Vyukov2016-12-161-1/+3
|
* executor: handle exit failuresDmitry Vyukov2016-12-081-9/+37
| | | | See the added comment for explanation.
* executor: add struct to cap structsDmitry Vyukov2016-12-071-2/+2
| | | | | Otherwise it does not compile as C. Also regenerate csource/common.go (it misses the MAX_PIDS change).
* executor: use different address for our network cardDmitry Vyukov2016-12-061-3/+7
| | | | | IP addresses like 192.168.0.1/192.168.1.1 are often used for routing between VM and the host. Offset our IP addresses to start from 192.168.218.0 to reduce potential conflicts.
* executor: change the way we wait for childrenDmitry Vyukov2016-12-051-2/+3
| | | | | | waitpid(pid) does not work if child invokes ptrace(PTRACE_TRACEME): https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU Use waitpid(-1) instead.
* executor: don't try to open tun if it's not enabledAndrey Konovalov2016-12-021-3/+8
|
* csourse: emit remove_dir only when neededAndrey Konovalov2016-11-291-0/+2
|
* executor: emit ethernet trafficAndrey Konovalov2016-11-291-13/+134
|
* csource: don't emit syz_ syscalls is they are not usedDmitry Vyukov2016-11-261-3/+26
|
* executor: fix sandbox=setuidDmitry Vyukov2016-11-221-2/+4
| | | | | Need to chmod(0777) the work dir before we do setuid(nobody). Otherwise nobody user won't have rights to use the temp dir.
* csourceL add missing include and defineDmitry Vyukov2016-11-221-0/+2
|
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-13 03:38:26 +0000