| | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | executor: disable clang-format for some parts | Dmitry Vyukov | 2018-07-27 | 1 | -8/+8 |
| | clang-format badly mishandles this part; moreover, different versions mishandle it differently. | | | | |
| * | pkg/csource: add option to trace syscall results | Dmitry Vyukov | 2018-07-27 | 1 | -0/+11 |
| | This will be needed for testing of generated programs. | | | | |
| * | pkg/csource: tidy generated code | Dmitry Vyukov | 2018-07-27 | 1 | -7/+100 |
| | 1. Remove unnecessary includes. 2. Remove thunk function in threaded mode. 3. Inline syscalls into main for the simplest case. 4. Define main in common.h rather than form with printfs. 5. Fix generation for repeat mode (we had 2 infinite loops: in main and in loop). 6. Remove unused functions (setup/reset_loop, setup/reset_test, sandbox_namespace, etc). | | | | |
| * | executor: simplify event_timedwait | Dmitry Vyukov | 2018-07-27 | 1 | -15/+10 |
| | We always have current_time_ms in event_timedwait, so use it instead of manual clock_gettime calls, which tend to be bulkier. | | | | |
| * | executor: overhaul | Dmitry Vyukov | 2018-07-24 | 1 | -110/+477 |
| | Make as much code as possible shared between all OSes. In particular, main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves the way for testing of executor code and allows us to preserve consistency across OSes and executor/csource. | | | | |
| * | executor: fix typo in comment | Anton Lindqvist | 2018-07-23 | 1 | -1/+1 |
| | | |||||
| * | pkg/csource: support fuchsia | Dmitry Vyukov | 2018-06-29 | 1 | -7/+9 |
| | Lots of assorted heavy lifting to support csource on fuchsia. | | | | |
| * | executor: make syscall table and number constant | Dmitry Vyukov | 2018-06-07 | 1 | -3/+0 |
| | We see some crashes that suggest corruption of the syscall number: `invalid command number 1296 (errno 11)`, `invalid command number 107 (errno 110)`. Make the table and the number constant to prevent corruption. | | | | |
| * | sys/linux: add cgroup descriptions | Dmitry Vyukov | 2018-03-25 | 1 | -0/+6 |
| | | |||||
| * | executor: fix ifdef's for csource | Dmitry Vyukov | 2018-03-07 | 1 | -1/+2 |
| | There is a test failure on Travis: https://travis-ci.org/google/syzkaller/jobs/349948391 I can't reproduce it locally, and it only happened on 1.8, but not on 1.9? But this seems to be what could have provoked such a failure. | | | | |
| * | executor: fix includes | Dmitry Vyukov | 2018-03-05 | 1 | -1/+6 |
| | We use errno, vaargs, printf in all of fail/error/exitf, but we include the corresponding headers only when SYZ_USE_TMP_DIR. Include them whenever fail/error/exitf are used. | | | | |
| * | sys/linux: add syz_init_net_socket syscall | Dmitry Vyukov | 2018-03-05 | 1 | -3/+4 |
| | The new pseudo syscall allows opening sockets that can only be created in init net namespace (BLUETOOTH, NFC, LLC). Use it to open these sockets. Unfortunately this only works with sandbox none at the moment. The problem is that setns of a network namespace requires CAP_SYS_ADMIN in the target namespace, and we've lost all privs in the init namespace during creation of a user namespace. | | | | |
| * | executor: introduce uint64/32/16/8 types | Dmitry Vyukov | 2017-12-27 | 1 | -8/+12 |
| | The "define uint64_t unsigned long long" were too good to work. With a different toolchain I am getting: `cstdint:69:11: error: expected unqualified-id using ::uint64_t; ^ executor/common.h:34:18: note: expanded from macro 'uint64_t'`. Do it the proper way: introduce uint64/32/16/8 types and use them. pkg/csource then does s/uint64/uint64_t/ to not clutter code with additional typedefs. | | | | |
| * | executor: check format strings | Dmitry Vyukov | 2017-12-27 | 1 | -7/+11 |
| | I see a crash which says: `#0: too much cover 0 (errno 0)` while the code is: `uint64_t n = ...; if (n >= kCoverSize) fail("#%d: too much cover %u", th->id, n);` It seems that the high part of n is set, but we don't see it. Add printf format attribute to fail and friends and fix all similar cases. Caught a bunch of similar cases and a missing argument in: `exitf("opendir(%s) failed due to NOFILE, exiting");` | | | | |
| * | executor: fix macros in common.h | Andrey Konovalov | 2017-12-14 | 1 | -3/+4 |
| | | |||||
| * | executor: fix build | Dmitry Vyukov | 2017-12-06 | 1 | -2/+2 |
| | exitf function was not defined with some combinations of options in csource. Fix defines and switch exitf back to fail; fail already checks ENOMEM/EAGAIN, so there is no reason to use exitf in this particular case. | | | | |
| * | executor: fix build breakages due to doexit | Dmitry Vyukov | 2017-10-19 | 1 | -0/+8 |
| | Some standard libraries contain "using ::exit;", which breaks with the current redefinition of exit. | | | | |
| * | executor, pkg/ipc: unify ipc protocol between linux and other OSes | Dmitry Vyukov | 2017-10-16 | 1 | -5/+9 |
| | We currently use a more complex and functional protocol on linux, and a simple ad-hoc protocol on other OSes. This leads to code duplication in both ipc and executor. Linux supports coverage, shared memory communication and fork server, which would also be useful for most other OSes. Unify communication protocol and parametrize it by (1) use of shmem or only pipes, (2) use of fork server. This reduces duplication in ipc and executor and will allow us to support the useful features for other OSes easily. Finally, this fixes akaros support as it currently uses syz-stress running on host (linux) and executor running on akaros. | | | | |
| * | executor: write debug output to stderr | Dmitry Vyukov | 2017-10-16 | 1 | -2/+2 |
| | We print all other output to stderr, so write debug output to stderr as well. This does not matter for the main use case of running syz-execprog -debug, but is helpful if we want to communicate with syz-executor via stdin/stdout. | | | | |
| * | executor: fix execution of windows syscalls | Dmitry Vyukov | 2017-09-27 | 1 | -2/+6 |
| | First, they must be called with stdcall convention. Second, wrap them in __try/__except because they can crash. | | | | |
| * | executor, sys/windows: initial windows support | Dmitry Vyukov | 2017-09-25 | 1 | -63/+4 |
| | | |||||
| * | all: more assorted fuchsia support | Dmitry Vyukov | 2017-09-22 | 1 | -894/+24 |
| | | |||||
| * | executor: sandbox with RLIMIT_MEMLOCK | Dmitry Vyukov | 2017-08-08 | 1 | -0/+2 |
| | Locking memory is a reasonably legitimate local DoS vector. E.g. bpf maps allow allocation of large chunks of kernel memory without RLIMIT_MEMLOCK, which leads to hangups. Set RLIMIT_MEMLOCK=8MB in executor. | | | | |
| * | pkg/csource: make all usleeps random | Andrey Konovalov | 2017-07-24 | 1 | -2/+0 |
| | We can't know the exact values of those sleeps in advance; they can be different for different bugs. Making them random increases the chance that the C repro executes with the right timings at some point. | | | | |
| * | Port console to Darwin (#253) | Zach Riggle | 2017-06-26 | 1 | -0/+2 |
| | * Port console to Darwin<br>* Get syz-executor to build correctly<br>* Do not export unix and syscall constants<br>* Add presubmit test<br>* Add myself to contributors | | | | |
| * | executor: fix clang-tidy warnings | Dmitry Vyukov | 2017-06-13 | 1 | -15/+15 |
| | A single check is enabled for now (misc-definitions-in-headers). But it's always fixable and found 2 bugs in csource. | | | | |
| * | executor: add sys/sysmacros.h include for makedev in newer gcc | Andrey Konovalov | 2017-06-13 | 1 | -0/+1 |
| | | |||||
| * | csource: don't use guard macros for debug() and NONFAILING() | Andrey Konovalov | 2017-06-12 | 1 | -33/+0 |
| | | |||||
| * | repro: always minimize over EnableTun | Andrey Konovalov | 2017-06-12 | 1 | -1/+1 |
| | | |||||
| * | csource: generate includes when necessary | Andrey Konovalov | 2017-06-12 | 1 | -25/+102 |
| | | |||||
| * | csource: don't generate execute_syscall calls | Andrey Konovalov | 2017-06-12 | 1 | -0/+2 |
| | | |||||
| * | csource: use tmp dir in repeat loop when tmpdir flag is on | Andrey Konovalov | 2017-06-12 | 1 | -1/+9 |
| | | |||||
| * | csource: only emit fail(), exitf() and doexit() when necessary | Andrey Konovalov | 2017-06-12 | 1 | -1/+15 |
| | | |||||
| * | csource: don't generate debug printfs | Andrey Konovalov | 2017-06-12 | 1 | -2/+32 |
| | | |||||
| * | csource: try to simplify repeat loop | Andrey Konovalov | 2017-06-12 | 1 | -3/+10 |
| | | |||||
| * | csource: use sandbox only when required | Andrey Konovalov | 2017-06-12 | 1 | -0/+2 |
| | | |||||
| * | csource: emit bitmasks only when required | Andrey Konovalov | 2017-06-12 | 1 | -14/+16 |
| | | |||||
| * | csource: force enable tun flag when required | Andrey Konovalov | 2017-06-12 | 1 | -10/+2 |
| | | |||||
| * | csource: only handle SIGSEGV when necessary | Andrey Konovalov | 2017-06-12 | 1 | -9/+20 |
| | | |||||
| * | executor: don't define SYZ_ENABLE_TUN in executor | Andrey Konovalov | 2017-06-12 | 1 | -16/+16 |
| | | |||||
| * | csource: use tmp dir only when necessary | Andrey Konovalov | 2017-06-12 | 1 | -0/+2 |
| | | |||||
| * | executor: split setup_main_process into smaller functions | Andrey Konovalov | 2017-06-12 | 1 | -22/+21 |
| | | |||||
| * | csource: add EnableTun option | Andrey Konovalov | 2017-06-12 | 1 | -31/+35 |
| | | |||||
| * | executor: call flush_tun for repeat repros | Andrey Konovalov | 2017-06-12 | 1 | -7/+12 |
| | | |||||
| * | executor: move inet checksum code under ifdef | Andrey Konovalov | 2017-06-12 | 1 | -30/+32 |
| | | |||||
| * | executor: limit stack frame size | Dmitry Vyukov | 2017-05-31 | 1 | -1/+3 |
| | Stack usage warning currently breaks our internal build (with 16K frame limit). Executor uses stacks of limited size; that's another reason to not allow frames of arbitrary size. Limit stack frame size to 8K. Reduce tun packet size. We don't need to read out the whole packet. | | | | |
| * | csource: reproduce crashes with fault injection | Dmitry Vyukov | 2017-05-26 | 1 | -7/+26 |
| | | |||||
| * | sys, executor: extract tcp sequence numbers from /dev/net/tun | Andrey Konovalov | 2017-05-26 | 1 | -11/+141 |

This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program:

```
mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
listen(r0, 0x5)
syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)
```

established a TCP connection:

```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out
tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out
```

Similar program for IPv6:

```
mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
listen(r0, 0x5)
syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)
```

```
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::20001 :::* LISTEN 5527/a.out
tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
```

| | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | executor: mount /proc in namespace | Dmitry Vyukov | 2017-05-23 | 1 | -0/+9 |
| | /proc is useful for fault injection and there is probably some interesting stuff to fuzz as well. | | | | |
| * | prog, executor: move checksum computation to executor | Andrey Konovalov | 2017-05-12 | 1 | -0/+30 |
| | This commit moves checksum computation to executor. This will allow us to embed dynamically generated values (like TCP sequence numbers) into packets. | | | | |
