| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
SYS_memfd_create define produces warning in scource
if system headers already contain the definition (we strip all ifdefs!).
The same is true for CLONE_NEWCGROUP but we just never hit it yet.
Also fix format string for 32 bits.
Also fix potential uninit var in csource, and a missing new line.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Turns out creating a cgroup per test is too expensive.
Moreover, it leads to hanged tasks as cgroup destruction
is asynchronous and overloads kernel work queues.
Create only a single cgroup per proc, but restrict
descriptions to mess with that single group,
instead test processes create own nested cgroups for messing.
|
| |
|
|
| |
We left entries non-zero, so memcmp always failed.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
There is test failure on travis:
https://travis-ci.org/google/syzkaller/jobs/349948391
I can't reproduce it locally, and it only happened on 1.8, but not on 1.9?
But this seems to be what could have provoked such failure.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.
Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
|
| |
|
|
| |
Remove executor_pid, enable_tun and setup_tun.
|
| |
|
|
|
|
|
|
|
|
| |
We now always create net namespace for testing,
so socket ports and other IDs do not overlap between
different test processes.
Proc types play badly with squashing packets to ANYBLOB.
To squash into a block we need concrete value, but it depends
on process id.
Removing proc also makes tun setup and address descriptions simpler.
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently when executor creates fd's it gets: 0, 3, 4.
When tun is enabled: 3, 4, 5.
For C programs: 3, 4, 5.
When run is enabled: 4, 5, 6.
Theoretically it should not matter,
but these fd numbers are probably sometimes are used as data.
So make them consistent in all these cases (3, 4, 5).
|
| |
|
|
|
|
| |
Squash complex structs into flat byte array and mutate this array
with generic blob mutations. This allows to mutate what we currently
consider as paddings and add/remove paddings from structs, etc.
|
| | |
|
| |
|
|
| |
Older versions of linux require an additional header.
|
| | |
|
| |
|
|
| |
debug calls are only properly stripped if they are on a single line.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Put the underflow entry at the end.
Entries must end on an unconditional, non-goto entry,
otherwise fallthrough from the last entry is invalid.
Add arp tables support.
Split unspec matches/targets to unspec and inet.
Reset ipv6 and arp tables in executor.
Fix number of counters in tables.
Plus a bunch of assorted fixes for matches/targets.
|
| |
|
|
|
| |
ipt_get_entries.entrytable must be pointer aligned,
so in 32-bit build there is no padding before it.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Now we create tun in the _outer_ net namespace,
which is tied to init user namespace. Thus fuzzer
does not have CAP_ADMIN in it.
In the end it seems that there is no sandboxing sequence,
which would give us everything we need.
Reshuffle sequences so that we have corrent namespace
hierarchy, but don't have IFF_NAPI_FRAGS.
|
| | |
|
| |
|
|
|
|
|
|
| |
For sandbox=namespace we first create network devices
and then do CLONE_NEWNS, which brings us into a new
namespace which actually does not have any of these devices.
Tun mostly worked, because we hold fd to the tun device.
However, even for tun we could not see the "syz0" device.
|
| |
|
|
|
|
| |
We test in a new network namespace, which does not have any
devices set up (even lo). Create/up as many devices as possible.
Give them some addresses and use these addresses in descriptions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "define uint64_t unsigned long long" were too good to work.
With a different toolchain I am getting:
cstdint:69:11: error: expected unqualified-id
using ::uint64_t;
^
executor/common.h:34:18: note: expanded from macro 'uint64_t'
Do it the proper way: introduce uint64/32/16/8 types and use them.
pkg/csource then does s/uint64/uint64_t/ to not clutter code with
additional typedefs.
|
| |
|
|
| |
Detected only by clang.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I see a crash which says:
#0: too much cover 0 (errno 0)
while the code is:
uint64_t n = ...;
if (n >= kCoverSize)
fail("#%d: too much cover %u", th->id, n);
It seems that the high part of n is set, but we don't see it.
Add printf format attribute to fail and friends and fix all similar cases.
Caught a bunch of similar cases and a missing argument in:
exitf("opendir(%s) failed due to NOFILE, exiting");
|
| |
|
|
|
|
|
|
| |
Currently csource uses completely different, simpler way of scheduling
syscalls onto threads (thread per call with random sleeps).
Mimic the way calls are scheduled in executor.
Fixes #312
|
| |
|
|
| |
doexit already contains an infinite loop.
|
| |
|
|
|
|
|
|
|
|
| |
Generated program always uses pid=0 even when there are multiple processes.
Make each process use own pid.
Unfortunately required to do quite significant changes to prog,
because the current format only supported fixed pid.
Fixes #490
|
| |
|
|
|
|
| |
We have them in linux solely for historical reasons.
Fixes #462
|
| |
|
|
|
|
| |
exitf function was not defined with some combinations of options in csource.
Fix defines and switch exitf back to fail, fail already checks ENOMEM/EAGAIN,
so there is no reason to use exitf in this particular case.
|
| |
|
|
|
|
|
|
| |
Unshare as much as we can for all sandboxing modes.
This fixes "kernel panic: Attempted to kill init!" crashes
under sandbox=none. And should just generally improve
reproducibility, e.g. if we unshare SYSVSEM fuzzer won't
collide with any existing semaphores.
|
| |
|
|
|
| |
We see occasional ENOENT/EACCES errors returned.
It seems that fuzzer somehow gets its hands to it.
|
| | |
|
| |
|
|
| |
Makes code slightly simpler.
|
| |
|
|
|
|
|
|
|
| |
For some racy bugs syzkaller can generate a C reproducer with tun
enabled, when it's not actuallly required to trigger the bug.
Some kernel developers (that don't have CONFIG_TUN=y on their setups)
complain about such C repros.
When tun is not available, instead of exiting, print a message that tun
initialization failed and proceed.
|
| |
|
|
|
| |
Some standard libraries contain "using ::exit;",
which breaks with the current redefinition of exit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently use more complex and functional protocol on linux,
and a simple ad-hoc protocol on other OSes.
This leads to code duplication in both ipc and executor.
Linux supports coverage, shared memory communication and fork server,
which would also be useful for most other OSes.
Unify communication protocol and parametrize it by
(1) use of shmem or only pipes, (2) use of fork server.
This reduces duplication in ipc and executor and will
allow to support the useful features for other OSes easily.
Finally, this fixes akaros support as it currently uses
syz-stress running on host (linux) and executor running on akaros.
|
| |
|
|
| |
writev requires <sys/uio.h>. Include it.
|
| |
|
|
|
|
| |
Executor process does not have any env, including PATH.
On some distributions, system/shell adds a minimal PATH, on some it does not.
Set own standard PATH to make it work across distributions.
|
| |
|
|
|
|
| |
A recent linux commit "tun: enable napi_gro_frags() for TUN/TAP driver"
added support for fragmentation when emitting packets via tun.
Support this feature in syz_emit_ethernet.
|
| | |
|
| |
|
