Commit message | Author | Age | Files | Lines
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentally.
Uncomment it.
Spotted by @xairy:
https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572
Update #1594
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
This matches more closely what people are used to dealing with. We also
add one additional device for interesting multi-interface effects.
Update #806
Now other machines failed with a redefinition of IPVLAN_F_VEPA.
The #ifndef does not really work the way it should due
to the way pkg/csource preprocesses sources.
IPVLAN_F_VEPA is never defined during preprocessing.
Let's try this.
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
+ some netlink descriptions
Add basic stuff to enable MIPS64ELR2 target:
- build
- make extract
- make generate
- qemu execution
- system call parsing from /proc/kallsyms
Amusingly, we never passed the number of threads to wake for FUTEX_WAKE.
It somehow worked reliably on linux (we just needed it to not be 0,
so presumably garbage in registers did it).
However, in gVisor every other syscall wasn't even started
(the first syscall on a thread started, but the second on the same worker
thread wasn't able to start).
Build with some gcc's fails:
In file included from executor/executor.cc:133:0:
executor/common_linux.h: In function ‘long int syz_read_part_table(long unsigned int, long unsigned int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1279:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
executor/common_linux.h: In function ‘long int syz_mount_image(long int, long int, long unsigned int, long unsigned int, long int, long int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1364:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
cc1plus: all warnings being treated as errors
1. It always crashed in cover_reset when coverage is disabled.
2. Use NONFAILING when accessing image segments.
3. Give it additional 100 ms as it may be slow.
4. Add a test for syz_mount_image.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
During the merge of the kernel -net and net-next trees, the value got moved.
Fix it.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
gVisor doesn't support netdevsim and NETLINK_GENERIC and
without this fix, sys-executor always fails:
E openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...)
X openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...) = 0x0 errno=2
E socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC)
X socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC) = 0x0 errno=93
E write(0x2 host:[3], "socket(AF_NETLINK) failed\n", 0x1a)
X write(0x2 host:[3], ..., 0x1a) = 0x1a (2.767µs)
E write(0x2 host:[3], " (errno 93)\n", 0xc)
X write(0x2 host:[3], ..., 0xc) = 0xc (2.729µs)
E exit_group(0x43)
X exit_group(0x43) = 0x0 (900ns)
Cc: Jiri Pirko <jiri@mellanox.com>
Fixes: f350e2dc1f59 ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Andrei Vagin <avagin@google.com>
When USB_DEBUG is enabled, syzkaller crashes on unknown USB requests.
This helps to find missing descriptions for particular USB classes.
stdbool.h is required by initialize_devlink_ports(): true define.
fcntl.h is required by initialize_devlink_pci(): O_RDONLY define.
Signed-off-by: Denis Efremov <efremov@linux.com>
In preparation for future changes.
Rename some macros in preparation for subsequent changes
which will align names across the code base.
Rename some flags in preparation for subsequent changes
which will align names across the code base.
In case the dump is empty, NLMSG_DONE type message is received from
kernel right away. Count with this and return 0. Set the reply_len to 0.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: f350e2dc1f59 ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Devlink port netdevices stay in the form of eth%d. Rename them to
defined names so they can be used for system calls.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Don't rely on the global "nlmsg" struct; rather, pass the structure to the
netlink_* helpers. That makes it possible to work with multiple netlink
messages (sending while receiving, for example) at the same time.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Extend the existing helper netlink_device_change() in order to allow
changing netdevice names.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
IFLA_NAME is going to be used to set the name of the netdevice, so
change the handle to be ifindex.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Adding vxcan1 also adds vxcan0. Setup and use both.
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Add support for basic set of devlink interface syscalls
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Create testing netdevsim instance with 4 ports.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
This adds support to add frames that have already been in data races, to
the KCSAN report blacklist.
This commit changes syz_usb_control_io to enable the relevant endpoints
for the interface being set via a SET_INTERFACE request.
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
A process with CAP_SYS_NICE can bring the kernel down by asking for too high a SCHED_DEADLINE priority;
as a result, rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have the means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max},
which could be used to enforce safe limits without dropping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
We only drop CAP_SYS_PTRACE for sandbox=namespace,
but it can equally affect testing with sandbox=none.
Drop it for sandbox=none, add a test.
Otherwise C repros print an infinite stream of the same leaks again and again.
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was the wrong place for them because we need them in C repros too.
The pkg/host periodic callback functionality did not work either;
we need it in the executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from the fuzzer,
but much better than no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enable leak checking in the fuzzer while we are triaging the initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow
communicating with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
Instead of always closing open fds (number 3 to 30) after each program,
add an option called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
The added test triggers warnings like these:
<stdin>: In function ‘syz_mount_image.constprop’:
<stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
In file included from <stdin>:26:0:
/usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
extern int mkdir (const char *__path, __mode_t __mode)
^~~~~
cc1: all warnings being treated as errors
<stdin>: In function ‘syz_open_procfs.constprop’:
<stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
Use volatile for all arguments of syz_ functions to prevent
compiler from treating the arguments as constants in reproducers.
Popped up during bisection that used a repro that previously worked.
Update #501