| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Fix all errors it points to.
The one in netlink_send_ext is concerning.
|
| |
|
|
|
|
|
|
|
| |
1. We don't generally use /* */ block comments,
few precedents we have are inconsistent with the rest of the code.
2. pkg/csource does not strip them from the resulting code.
Remove the cases we have and add a test to prevent new ones being added.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Regenerate const files on next-20200729.
Change conn handle to 200 because it also seems to be matches
against phy_handle fields which are int8 (current 256 does not fit into int8).
Use 200 for all handle's and all phy_handle's.
Remove hci_evt_le_cis_req, it does not seem to be used in the kernel.
Restrict some event types and statuses.
Add rssi field to hci_ev_le_advertising_info.
Use bytesize for some of the data length fields.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For som reason {0} gets complains about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr will 0xaa
* executor/common_linux.h: just fill bd addr will 0xaa
|
| |
|
|
|
|
| |
It is hard for the fuzzer to generate correct programs using mmap calls
with fuzzer-provided mmap length. This wrapper ensures correct length
computation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sys/linux: enhanced descs for io_uring
Introduced pseudo-call "syz_io_uring_put_sqes_on_ring()" for writing
submission queue entries (sqes) on sq_ring, which was obtained by
mmap'ping the offsets obtained from io_uring_setup().
Added descriptions for io_ring_register operations that were missing
earlier.
Did misc changes to adapt the descriptions for the updates on the
io_uring subsystem.
* pkg/host: add io_uring pseudo-syscall
* executor/common_linux.h: fix issues with io_uring pseudo-syscall
* executor: fixed io_uring offset computation
* executor: fixes and refactorings in syz_io_uring_submit()
* executor: added syz_io_uring_complete() pseudo-syscall for io_uring
* sys/linux: added descriptions for io_uring operations
Each operation requires a different struct io_uring_sqe set up. Those
are described to be submitted to the sq ring.
* executor: use uint32 instead of uint32_t
* executor: remove nonfailing from pseudo-calls
* sys/linux: fix io_uring epoll_ctl sqe
* prog: fix TestTransitivelyEnabledCallsLinux()
The newly introduced syscall, syz_io_uring_submit$IORING_OP_EPOLL_CTL,
uses fd_epoll. Adapt TestTransitivelyEnabledCallsLinux() to account for
this.
* sys/linux: add IORING_OP_PROVIDE_BUFFERS and IORING_OP_REMOVE_BUFFERS
* sys/linux: fix IORING_OP_WRITE_FIXED and IORING_OP_READ_FIXED
addr and len are for the buffer located at buf_index
* sys/linux: io_uring: use reg. bufs for READ, READV, RECV, RECVMSG
As a result, IOSQE_BUFFER_SELECT_BIT is included in the iosqe_flags.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: add IORING_SETUP_ATTACH_WQ
* executor: refactorings on io_uring pseudo syscalls
* sys/linux: io_uring: fix desc for params.cq_entries
* executor: fix SQ_ARRAY_OFFSET computation
This is required with the fix in io_uring kernel code.
https://lore.kernel.org/io-uring/CACT4Y+bgTCMXi3eU7xV+W0ZZNceZFUWRTkngojdr0G_yuY8w9w@mail.gmail.com/T/#t
* executor: added pseudosyscall syz_io_uring_cq_eventfd_toggle()
The usage of cq_ring->flags is only for manipulating
IORING_CQ_EVENTFD_DISABLED bit. This is achieved by a pseudo-syscall,
which toggles the bit.
* executor: added pseudocall syz_io_uring_put_ring_metadata
Removed syz_io_uring_cq_eventfd_toggle() and introduced
syz_io_uring_put_ring_metadata() instead. We have many pieces of
metadata for both sq_ring and cq_ring, for which we are given the
offsets, and some of are not supposed to be manipulated by the
application. Among them, both sq and cq flags can be changed. Both valid
and invalid cases might cause interesting outcomes. Use the newly
introduced pseudo syscall to manipulate them randomly while also
manipulating the flags to their special values.
* executor: added pseudo-syscall syz_memcpy_off
Removed syz_io_uring_put_ring_metadata() and instead added a much more
generic pseudo systemcall to achieve the task. This should benefit other
subsystems as well.
* sys/linux: refactored io_uring descriptions
syz_io_uring_submit() is called with a union of sqes to reduce
duplication of other parameters of the function.
io_uring_sqe is templated with io_uring_sqe_t, and this template type is
used to describe sqes for different ops.
The organization of io_uring.txt is changed.
* sys/linux: io_uring: improved descs to utilize registered files
The files are registered using
io_uring_register$IORING_REGISTER_FILES(). When IOSQE_FIXED_FILE_BIT is
enabled in iosqe_flags in sqe, a variety of operations can use those
registered files using the index of the file instead of fd.
Changed the sqe descriptions for the eligible operations to utilize
this.
* sys/linux: io_uring: improved the descs to utilize personality_id in sqes
A personality_id can be registered for a io_uring fd using
io_uring_register$IORING_REGISTER_PERSONALITY(). This id can be utilized
within sqes. This commit improves the descs for io_uring to utilize it.
In addition, the descriptions for the misc field in io_uring_sqe_t is
refactored as most are shared among sqes.
* sys/linux: io_uring: utilized cqe.res
io_uring_cqe.res is used to carry the return value of operations
achieved through io_uring. The only operations with meaningful return
values (in terms of their possible usage) are openat and openat2. The
pseudo-syscall syz_io_uring_complete() is modified to account for this
and return those fds. The description for sqe_user_data is splitted into
two to identify openat and non-openat io_uring ops.
IORING_OP_IOCTL was suggested but never supported in io_uring. Thus, the
note on this is removed in the descriptions.
tee() expects pipefds, thus, IORING_OP_TEE. The descriptions for the
pipe r/w fds are written as ordinary fd. Thus, in the description for
IORING_OP_TEE, which is io_uring_sqe_tee, fd is used in the place where
pipefds are expected. The note on this is removed in the descriptions.
* sys/linux/test: added test for io_uring
This is not tested yet.
* sys/linux/test: fixed the test for io_uring
The changes successfully pass the sys/linux/test/io_uring test.
sys/linux/io_uring.txt: sq_ring_ptr and cq_ring_ptr are really the same.
Thus, they are replaced with ring_ptr.
executor/common_linux.h: thanks to io_uring test, a bug is found in
where the sq_array's address is computed in syz_io_uring_submit().
Fixed. In addition, similar to the descriptions, the naming for the
ring_ptr is changed from {sq,cq}_ring_ptr to ring_ptr.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: changed the sqe_user_data enum
Used a smaller range to ease the collisions. Used comperatively unique
and magic numbers for openat user_data to avoid thinking as if the cqe
belongs to openat while the user_data is coming from some random
location.
* pkg/host: added checks for io_uring syscall
* pkg/host: fixed checks for io_uring syscall
* sys/linux: fixed io_uring test
|
| |
|
|
|
|
| |
This is not needed anymore afer the previous commit.
Fixes #1918
|
| |
|
|
| |
Enable the cpuset.memory_pressure_enabled flag in the root cpuset.
|
| |
|
|
| |
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
| |
|
|
| |
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
| |
Improve used terminology by using better verbs to express the effect of
the whitelist/blacklist.
This also changes executor to exclusively show respectful log messages,
and as per recent conversion, converts the last such case.
|
| |
|
|
|
|
|
|
| |
Some terms are normalised on the technical level
but may be oppressive on a societal level.
Replace them with more technically neutral terms.
See the following doc for a longer version:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
|
| |
|
|
|
|
|
|
| |
The issues is only present with verbose debugging enabled.
executor/common_linux.h: In function ‘void netlink_device_change(nlmsg*, int, const char*, bool, const char*, const void*, int, const char*)’:
executor/common_linux.h:380:7: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
380 | debug("netlink: device %s up master %s: %s\n", name, master, strerror(err));
|
| | |
|
| |
|
|
|
| |
KVM was removed for ARM.
Improved CI finally allows to catch this.
|
| |
|
|
|
|
| |
In some configurations tun_frags_enabled ends up being unused
with a compiler warning and failed build.
Remove mode code if ENABLE_NAPI_FRAGS is not enabled.
|
| |
|
|
|
|
|
|
|
| |
The feature gets enabled when /dev/raw-gadget is present and accessible.
With this feature enabled, executor will do chmod 0666 /dev/raw-gadget on
startup, which makes it possible to do USB fuzzing in setuid and namespace
sandboxes. There should be no backwards compatibility issues with syz
reproducers that don't explicitly enable this feature, as they currently only
work in none sandbox.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ThreadSanitizer says:
WARNING: ThreadSanitizer: data race (pid=3)
Atomic read of size 4 at 0x56360e562f08 by main thread:
#0 __tsan_atomic32_load <null> (libtsan.so.0+0x64249)
#1 event_isset executor/common_linux.h:51 (syz-executor.0+0x2cf1f)
#2 handle_completion executor/executor.cc:886 (syz-executor.0+0x2cf1f)
#3 execute_one executor/executor.cc:732 (syz-executor.0+0x2da3b)
#4 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#5 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#6 main executor/executor.cc:407 (syz-executor.0+0x189d6)
Previous write of size 4 at 0x56360e562f08 by thread T1:
#0 event_reset executor/common_linux.h:32 (syz-executor.0+0x1f5af)
#1 worker_thread executor/executor.cc:1048 (syz-executor.0+0x1f5af)
#2 <null> <null> (libtsan.so.0+0x2b0b6)
Location is global 'threads' of size 2560 at 0x56360e562f00 (syz-executor.0+0x00000008bf08)
Thread T1 (tid=6, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2d55b)
#1 thread_start executor/common.h:256 (syz-executor.0+0x2d707)
#2 thread_create executor/executor.cc:1037 (syz-executor.0+0x2d707)
#3 schedule_call executor/executor.cc:811 (syz-executor.0+0x2d707)
#4 execute_one executor/executor.cc:719 (syz-executor.0+0x2d707)
#5 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#6 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#7 main executor/executor.cc:407 (syz-executor.0+0x189d6)
|
| |
|
|
|
|
|
| |
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
|
| |
|
|
| |
Fix code formatting, clang-tidy warnings, minor style nits.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
|
| |
|
|
|
|
|
| |
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4af5 ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentially.
Uncomment it.
Spotted by @xairy:
https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572
|
| | |
|
| |
|
|
| |
Update #1594
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
|
| |
|
|
|
| |
This matches more closely what people are used to dealing with. We also
add one additional device for interesting multi-interface effects.
|
| |
|
|
| |
Update #806
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Now other machines failed with redefinition IPVLAN_F_VEPA.
The #ifndef does not really work the way it should due
to the way pkg/csource preprocesses sources.
IPVLAN_F_VEPA is never defined during preprocessing.
Let's try this.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
|
| |
|
|
| |
+ some netlink descriptions
|
| |
|
|
|
|
|
|
|
| |
Add basic stuff to enable MIPS64ELR2 target:
- build
- make extract
- make generate
- qemu execution
- system call parsing from /proc/kallsyms
|
| |
|
|
|
|
|
|
|
| |
Amusingly we never passed number of threads to wake for FUTEX_WAKE.
It somehow worked reliably on linux (we just needed it to not be 0,
so presumably garbage in registers did it).
However, in gVisor every other syscall wasn't even started
(first syscall on a thread started, but second on the same worker
thread wasn't unable to start).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Build with some gcc's fails:
In file included from executor/executor.cc:133:0:
executor/common_linux.h: In function ‘long int syz_read_part_table(long unsigned int, long unsigned int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1279:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
executor/common_linux.h: In function ‘long int syz_mount_image(long int, long int, long unsigned int, long unsigned int, long int, long int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1364:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
cc1plus: all warnings being treated as errors
|
| |
|
|
|
|
|
| |
1. It always crashed in cover_reset when coverage is disabled.
2. Use NONFAILING when accessing image segments.
3. Give it additional 100 ms as it may be slow.
4. Add a test for syz_mount_image.
|
| | |
|
| |
|
|
| |
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
| |
|
|
|
|
|
| |
During kernel -net and -next-next trees merge, the value got moved.
Fix it.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gVisor doesn't support netdevsim and NETLINK_GENERIC and
without this fix, sys-executor always fails:
E openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...)
X openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...) = 0x0 errno=2
E socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC)
X socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC) = 0x0 errno=93
E write(0x2 host:[3], "socket(AF_NETLINK) failed\n", 0x1a)
X write(0x2 host:[3], ..., 0x1a) = 0x1a (2.767µs)
E write(0x2 host:[3], " (errno 93)\n", 0xc)
X write(0x2 host:[3], ..., 0xc) = 0xc (2.729µs)
E exit_group(0x43)
X exit_group(0x43) = 0x0 (900ns)
Cc: Jiri Pirko <jiri@mellanox.com>
Fixes: f350e2dc1f59 ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
| |
When USB_DEBUG is enabled, syzkaller crashes on unknown USB requests.
This helps to find missing descriptions for particular USB classes.
|
| |
|
|
|
|
|
| |
stdbool.h is required by initialize_devlink_ports(): true define.
fcntl.h is required by initialize_devlink_pci(): O_RDONLY define.
Signed-off-by: Denis Efremov <efremov@linux.com>
|
