| Commit message (Collapse) | Author | Age | Files | Lines |
Proper glob resolution is required for fuzzing.
If it times out, it does so silently, and the fuzzing dictionary will be smaller than expected, without any obvious errors.
Given that, it makes sense to increase glob timeouts.
|
We query globs for 2 reasons:
1. Expand glob types in syscall descriptions.
2. Dynamic file probing for automatic descriptions generation.
In both of these contexts we are interested in files
that will be present during test program execution
(rather than normal unsandboxed execution).
For example, some files may not be accessible to test programs
after pivot root. On the other hand, we create and link
some additional files for the test program that don't
normally exist.
Add a new request type for querying of globs that are
executed in the test program context.
|
We include a number of C++ headers in the runner.
On FreeBSD some of them mention malloc, and our defines break the build.
Use the style test to check only our files for these things.
|
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
Currently we sleep only for 1 ms, which may produce some excessive CPU load
(we usually have 6/8 such processes waiting).
Make it sleep for 10 ms, but also make the sleep return immediately on child exit.
This should both improve latency and reduce CPU load.
|
All OSes we have now support shmem.
Support for Fuchsia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
Return failure reason from setup functions rather than crash.
This will provide better error messages, but also allow setup
w/o creating subprocesses which will be needed when we combine
fuzzer and executor.
Also close all resources created during setup.
This is also useful for in-process setup, but also should improve
chances of reproducing a bug with C reproducer. Currently leaked
file descriptors may disturb repro execution (e.g. it may act
on a wrong fd).
|
Enable it unconditionally.
|
Akaros support is unused, it was shut down on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and hasn't supported Go. Remove it.
|
If the feature is supported on the device, allocate a 128MB swap file
after VM boot and activate it.
|
It makes these extensions much more flexible as they can now also
customize what other features set up.
|
We have a long history of executor managing to corrupt itself in various
interesting ways (e.g. using read with a pointer pointing to some
global/stack variable and then kernel overwrites it). Or rt_sigreturn
can corrupt other registers which won't cause immediate SIGSEGV, but
rather some random behavior later. This is the race we can't win.
We can't rely on memory consistency when the test already started, so we
should use exitf instead of fail outside of setup sequence (and relying
more on unit testing to ensure that executor works as expected for sane
programs).
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrei Vagin <avagin@google.com>
|
The call to mkdtemp() will fail when given
/data/data/syzkaller/syzkaller-XXXXXX, since /data/data/syzkaller/
doesn't exist. The correct temporary dir on Android is /data/local/tmp,
which exists by default.
|
The extension point allows setting up the test process in a custom way
without overwriting any of the existing files.
|
Test that extension points keep stable interface and work.
|
The APPEND flag also prevents file removal.
|
There is a BSD syscall, chflags(2), which lets one set various flags on
a file, including several that prevent unlinking. The use of this flag
can cause the executor to fail to clean up tmpdirs, which can lead to
spurious reports.
Thus, when unlinking fails, try again after clearing relevant flags. I
suspect this would be useful on other BSDs but I can't easily verify
that this change works there. It may eventually be worth having a
BSD-specific remove_dir() implementation.
|
Allow common_ext.h to provide setup_ext() function that is called during VM setup.
|
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right during returning from the clone() call. This
is in turn caught by the NONFAILING() macro and the control actually jumps
over it and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
|
Add an empty common_ext.h which is included into executor and C reproducers
and can be used to add non-mainline pseudo-syscalls w/o changing any other files
(by replacing common_ext.h file).
It would be good to finish #2274 which allows adding pseudo-syscalls
along with *.txt descriptions, but #2274 is large and there are several
open design questions. So add this simple extension point for now.
|
Otherwise the pseudo syscalls there won't be able to access those
definitions.
|
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
Currently we set up cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.
|
clang-format mis-formats #elif:
https://bugs.llvm.org/show_bug.cgi?id=48664
and then clang fails with:
error: misleading indentation; statement is not part of the previous 'if'
Split #elif into nested #if/else.
|
Historically the code base does not use single-line compound statements
({} around single-line blocks). But a few precedents have crept in
already. Add a check to keep the code base consistent.
|
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous approach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
Pretty much ripped from freebsd +/- what isn't applicable to darwin.
|
dashboard link: https://syzkaller.appspot.com/bug?extid=38fe37bc451a42e6c9a4
Reported-by: syzbot+38fe37bc451a42e6c9a4@syzkaller.appspotmail.com
|
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
Fixes the issue with gcc 10 on Fedora 32 s390x:
In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors
compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
While investigating an OpenBSD reproducer[1][2] I discovered the
following:
* All threads are stuck on the last `sleep(1000000)` syscall in main(),
hence no output for the test machine.
* Each executor process created in loop() performs one iteration but
exits abnormally during the call to remove_dir().
* Calling remove_dir() will eventually invoke itself recursively since
one of the executed syscalls is `mkdir("./file0", 0)` meaning that it
will try to remove the directory created by execute_one(). However,
`opendir(3)` fails with `EACCES` because the permissions passed to
`mkdir(2)` are zero.
Instead of exiting, trying to remove the problematic directory in a best
effort manner makes the reproducer continue executing the generated
syscalls. This workaround might be considered too narrow. Another option
would be to replace the `sleep(1000000)` with `waitpid(-1, NULL, 0)`
until ECHILD is hit.
[1] https://syzkaller.appspot.com/bug?id=6f7ce2a0536580a94f65f44e478732ec505e88af
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=10fd1a71900000
|
Ensure that we can handle hanging syscalls in all modes.
|
We generally use the newer C99 var declarations combined with initialization because:
- declarations are more local, reduced scope
- fewer lines of code
- less potential for using uninit vars and other bugs
However, we have some relic code from times when we did not understand
if we need to stick with C89 or not. Also some external contributions
that don't follow style around.
Add a static check for C89-style declarations and fix existing precedents.
Akaros toolchain uses -std=gnu89 (or something) and does not allow
variable declarations inside of for init statement. And we can't switch
it to -std=c99 because Akaros headers are C89 themselves.
So in common.h we need to declare loop counters outside of for.
|
syz-executor uses a heuristic to help fail closed if an invalid access
might corrupt the output region. This heuristic fails on FreeBSD, where
SIGBUS is delivered with si_addr equal to address of the faulting
instruction, rather than 0 when the fault address cannot be determined
(e.g., an amd64 protection fault). Always handle SIGBUS quietly on
FreeBSD.
This fixes pkg/runtest tests for sys/test/test/nonfailing.
|
Move the test from pkg/csource to executor/
in order to be able to (1) run it on *.cc files,
(2) run on unprocessed *.h files, (3) produce line numbers.
Add a check for missed space after //.
|
1. We don't generally use /* */ block comments,
few precedents we have are inconsistent with the rest of the code.
2. pkg/csource does not strip them from the resulting code.
Remove the cases we have and add a test to prevent new ones being added.
|
This is not needed anymore after the previous commit.
Fixes #1918
|
csum_inet_update does not handle odd number of bytes
on big-endian architectures correctly. When calculating
the checksum of odd number of bytes, the last byte must be
interpreted as LSB on little-endian architectures and
as MSB on big-endian ones in a 16-bit half-word.
Furthermore, the checksum tests assume that the underlying architecture
is always little-endian. When a little-endian machine stores
a calculated checksum into memory, then the checksum's bytes
are automatically swapped. But this is NOT true on a big-endian
architecture.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|