aboutsummaryrefslogtreecommitdiffstats
path: root/executor/common_linux.h
Commit message (Collapse)AuthorAgeFilesLines
* executor: better prevent the panic on ext4 errors (#3604)Aleksandr Nogikh2023-01-031-1/+9
| | | | We already suppress them, but the current approach fails if syzkaller slightly corrupts the options string. Do the check more rigorously.
* executor: simplify setup_loop_deviceDmitry Vyukov2022-11-231-8/+6
| | | | | We can close memfd as soon as we passed it to LOOP_SET_FD (it holds a reference to the file).
* executor: don't reset loop device on partition scan successDmitry Vyukov2022-11-231-1/+2
| | | | | | We symlink resulting partitions into the test dir. If we do LOOP_CLR_FD, device and partitions disappear. Don't do LOOP_CLR_FD on success.
* executor: don't pass uncompressed zlib sizeDmitry Vyukov2022-11-231-17/+10
| | | | | | This will allow us to mutate the image size. Fixes #3527
* executor: fix puff_zlib_to_file signatureDmitry Vyukov2022-11-231-3/+3
| | | | | | In executor code we commonly use the syscall interface for functions: return -1 on erorr and set errno. Use this interface for puff_zlib_to_file.
* executor: update to match the new `syz_mount_image` callHrutvik Kanabar2022-11-211-27/+35
| | | | | | Update the executor to handle the new `syz_mount_image`/`syz_part_table` pseudo-syscalls. It now expects compressed images, and decompresses them using the new `common_zlib.h` header file before mounting.
* executor: fix "wrong response packet" in BT fuzzing (#3493)Tamas Koczka2022-11-071-11/+37
| | | | | | | | | | | | | | | | | | Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`) expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as the kernel sends these two packets almost at the same time (both are sent as the result of the `open("/dev/vhci", …)` call): * syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`) * `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <- `hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <- `hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue) <- `hci_register_dev` <- `__vhci_create_device`) Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in `initialize_vhci`. Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second, we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.
* executor: enable core dumpsDmitry Vyukov2022-10-071-1/+2
| | | | | | | | Core dumping known to have bugs. Just few recent kernel commits: [brown paperbag] fix coredump breakage [coredump] don't use __kernel_write() on kmap_local_page() We also also found some info leaks in core dumps before. No reason to not test them.
* executor: move syz_mount_image's sanity checks to syz-fuzzerAleksandr Nogikh2022-09-271-23/+0
| | | | | It will simplify the C code and let us extract the raw images in a more convenient way.
* executor: add NIC PCI pass-through VF supportGeorge Kennedy2022-09-211-76/+217
| | | | | | | | | | | | | | | Add support for moving a NIC PCI pass-through VF into Syzkaller's network namespace so that it will tested. As DEVLINK support is triggered by setting the pass-through device to "addr=0x10", NIC PCI pass-through VF support will be triggered by setting the device to "addr=0x11". If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging namespace before the fork() and transfer the NIC VF interface to it. After the fork() and in the child transfer the NIC VF interface to Syzkaller's network namespace and rename the interface to netpci0 so that it will be tested. Signed-off-by: George Kennedy <george.kennedy@oracle.com>
* sys/linux, tools/syz-imagegen: allow `syz_mount_image` to change directoryHrutvik Kanabar2022-09-131-2/+10
| | | | | | | | | | | | | | | | | | | | Add a boolean argument to the `syz_mount_image` pseudo-syscall. When this is true, `syz_mount_image` will change directory to the mountpoint after mounting the image passed. Experimentation suggests that to reproduce many non-`ext4` filesystem bugs, it is sufficient to mount the filesystem within an `ext4`-based VM and then change directory to the mountpoint before executing code. This change aims to increase the probability that a mount operation will be succeeded by the corresponding change in directory, and so increase the probability of finding non-`ext4` bugs. We also have to update the `syz-imagegen` tool. Now it generates seed `syz_mount_image` calls with change of directory enabled. The previous behaviour (i.e. no change of directory) will be recovered by use of existing corpuses and fuzzing the change-of-directory argument. The next commit will regenerate all `syz_mount_image` seeds.
* executor: fix setup of netdevsim deviceDmitry Vyukov2022-09-091-7/+8
| | | | | | | | | | 2 fixed: 1. netdevsim devices cannot be created via NETLINK anymore: https://elixir.bootlin.com/linux/v6.0-rc4/source/drivers/net/netdevsim/netdev.c#L397 But we already create them via /sys/bus/netdevsim/new_device, so just remove the netlink creation. 2. These devices are sticky and are not removed on net namspace destruction, so delete the previous version explicitly.
* executor: fix setup of xfrm deviceDmitry Vyukov2022-09-091-12/+29
| | | | | | | | | | XFRM device creation will fail w/o IFLA_XFRM_IF_ID attribute: https://elixir.bootlin.com/linux/v6.0-rc4/source/net/xfrm/xfrm_interface.c#L648 Add this attribute. This ID is also present in descriptions in at least 2 places. In one we got it wrong, it's not ifindex (easy to confuse because of the name). Fix it as well.
* Revert "pkg/csource: inline void* cast into generated code"Dmitry Vyukov2022-09-061-0/+4
| | | | | | | This reverts commit 922294abb4c0bc72b24d8526d625110d73fa1b5a. The commit reported to cause old warnings on s390x: https://github.com/google/syzkaller/commit/922294abb4c0bc72b24d8526d625110d73fa1b5a#commitcomment-83096994
* pkg/csource: inline void* cast into generated codeGreg Steuck2022-09-051-3/+0
| | | | | The previous indirection via conditional macros in platform specific places was needless obfuscation.
* pkg/csource, pkg/instance, pkg/ipc, pkg/mgrconfig, tools/syz-prog2c, ↵Andrey Artemiev2022-08-061-5/+6
| | | | syz-manager: introduce a new setting 'sandbox_arg' (#3263)
* executor: fixed fuzzing with System account in Android sandbox (#3275)Andrey Artemiev2022-08-051-1/+2
|
* vm/adb: wait for Android boot to finishAndrey Artemiev2022-07-251-5/+1
| | | | executor: removed condition around tun init
* executor: fix mounting of cgroups on read-only fsDmitry Vyukov2022-07-211-23/+33
| | | | | | If root fs is read-only, mkdir(/syzcgroup) will fail and a later rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail. Return early if mkdir(/syzcgroup) fails.
* executor: added code to run Android with System accountAndrey Artemiev2022-07-191-11/+36
|
* executor: prevent ENOSPC if cgroup mount failsDmitry Vyukov2022-07-151-1/+15
| | | | | | Remove /syzcgroup/* if cgroup mount fails. See #3241 for context. Fixes #3241
* executor: fix enabling of ICMP/ping socketsDmitry Vyukov2022-06-201-1/+4
| | | | | | | | | | net/ipv4/ping_group_range sysctl grants access to ICMP sockets to the specified user groups. But it needs to be set inside of the net namespace (it's per-namespace). We were setting it but in the init namespace only (which we don't use). Set it after CLONE_NEWNET. This repairs testing of ICMP sockets. Note: don't set it for setuid sandbox since it's "low privilege".
* executor: fixed sandbox 'android'Andrey Artemiev2022-06-031-1/+2
|
* executor: include sched.h for syz_cloneAndrei Vagin2022-05-271-0/+2
| | | | | | | | | | | | | | | | syzkaller reports the following error when it tries to create a C reproducer: <stdin>: In function ‘syz_clone’: <stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this function) <stdin>:289:48: note: each undeclared identifier is reported only once for each function it appears in compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w]
* executor: applied Bionic patchAndrey Artemiev2022-04-131-0/+29
|
* executor: tolerate syz_genetlink_get_family_id failuresAleksandr Nogikh2022-02-251-4/+1
| | | | | | | | | | We cannot expect syscalls to always succeed during fuzzing, especially when the situation involves a complex interaction with the system. For the syz_genetlink_get_family_id case, it leads to numerous SYZFAIL crashes every day. Don't print a SYZFAIL error for this pseudo syscall.
* executor: fail on SEGV during clone()Aleksandr Nogikh2022-01-211-1/+11
| | | | | | | | | | | | | | | As was found out in #2921, fork bombs are still possible in Linux-based instances. One of the possible reasons is described below. An invalid stack can be passed to the clone() call, thus causing it to stumble on an invalid memory access right during returning from the clone() call. This is in turn catched by the NONFAILING() macro and the control actually jumps over it and eventually both the child and the parent continue executing the same code. Prevent it by handling SIGSEGV and SIGBUS differently during the clone process. Co-authored-by: Andrei Vagin <avagin@google.com>
* all: add syz_clone() and syz_clone3() pseudo callsAleksandr Nogikh2022-01-131-0/+59
| | | | | | | | | | | | | | | | | | | | As was pointed out in #2921, the current approach of limiting the number of pids per process does not work on all Linux-based kernels. We could just treat fork, clone and clone3 in a special way (e.g. exit on a zero return). However, in that case we also need to sanitize the arguments for clone and clone3 - if CLONE_VM is passed and stack is 0, the forked child processes (threads) will become nearly unindentifiable and will corrupt syz-executor's memory. While we could sanitize clone's arguments, we cannot do so for clone3 - nothing can guarantee that they will not be changed concurrently. Instead of calling those syscalls directly, introduce a special pseudo syscall syz_clone3. It copies and sanitizes the arguments and then executes clone3 (or fork, if we're on an older kernel) in such a way so as to prevent fork bombs from happening. Also introduce syz_clone() to still be able to fuzz it on older systems.
* executor: remove custom sys_io_uring_setup definitionAleksandr Nogikh2022-01-131-7/+1
|
* executor: remove sys_memfd_create definesAleksandr Nogikh2022-01-131-19/+1
| | | | | Add memfd_create as a dependency to syz_mount_image and syz_read_part_table.
* executor: spread overlapping fdsAleksandr Nogikh2021-12-061-3/+3
| | | | | | | There's a chance that the methods from common_bsd.h and common_linux.h could dup2 (and thus close) an fd belonging to a kcov instance. Prevent this by adjusting fd consts.
* executor: do not follow symlinks during umountAleksandr Nogikh2021-10-291-4/+4
| | | | | Add a UMOUNT_NOFOLLOW flag to umount2 in order to prevent remove_dir from unmounting what was not mounted by the executed program.
* all: add binderfs fuzzing supportAleksandr Nogikh2021-10-291-0/+38
| | | | | | | | Create one instance of binderfs per process and add descriptions to enable syzkaller to create binderfs mounts and binder devices itself. Keep descriptions compatible with the legacy mode (when devices are created at boot time).
* executor: don't mount some cgroup controllers during setupDmitry Vyukov2021-10-131-3/+3
| | | | | | | Leave some controllers unbound so that the fuzzer can mount them during fuzzing. This is suboptimal because all controllers are global (so different test processes will collide, state accumulate, etc), but this still should give at least some new coverage.
* executor: don't fail on cgroup mountingDmitry Vyukov2021-10-131-2/+6
| | | | | | | | | | | | | | | | On stretch images setup_cgroups fails as: mount(/syzcgroup/net, net) failed: 22 mount(/syzcgroup/net, net_cls) failed: 22 mount(/syzcgroup/net, net_prio) failed: 22 mount(/syzcgroup/net, blkio) failed: 22 SYZFAIL: mount cgroup failed (/syzcgroup/net, devices,freezer): 16 (errno 16: Device or resource busy) It seems that systemd starts messing with these mounts somehow and repeated mounting fails with EBUSY. Don't hard fail on that error.
* executor: setup cgroups onceDmitry Vyukov2021-10-121-7/+0
| | | | | | | Currently we setup cgroups on every test process start (along with sandbox creation). That's unnecessary because that's global per-machine setup. Move cgroup setup into setup section that's executed once per machine from pkg/host.Setup.
* executor: enable cgroup controllers one-by-oneDmitry Vyukov2021-10-121-18/+49
| | | | | | | | Currently we enable all controllers at once. As the result if one of them fails (b/c of older kernel or not enabled configs), all will fail. Enable them one-by-one instead. This way we can support kernels that don't have all of the controllers.
* executor: mount new cgroupsDmitry Vyukov2021-10-121-2/+2
| | | | Mount net, blkio, rlimit cgroups.
* executor: check for single-line compound statementsDmitry Vyukov2021-10-011-2/+1
| | | | | | Historically the code base does not use single-line compound statements ({} around single-line blocks). But there are few precedents creeped into already. Add a check to keep the code base consistent.
* all: refactor fault injection into call propsAleksandr Nogikh2021-09-221-1/+1
| | | | | | | | | | | | Now that call properties mechanism is implemented, we can refactor fault injection. Unfortunately, it is impossible to remove all traces of the previous apprach. In reprolist and while performing syz-ci jobs, syzkaller still needs to parse the old format. Remove the old prog options-based approach whenever possible and replace it with the use of call properties.
* sys: skip kvm const extraction for non i386/amd64Aleksandr Nogikh2021-09-131-1/+1
| | | | | | | | | | | | It is impossible to compile a number of definitions in include/uapi/linux/kvm.h for other platforms, which leads to syz-extract failing to update constants. Skip processing of this file for all arches except i386 and amd64. This is a hacky and (hopefully) temporary solution until #2754 is implemented.
* executor: move vm.nr_overcommit_hugepages into configDmitry Vyukov2021-05-121-2/+0
| | | | | Move the sysctl into config, so that kernels can opt out of it if necessary (not all kernels enable it and interested in testing).
* executor: set ctrl-alt-del sysctl to 0Dmitry Vyukov2021-04-221-1/+11
| | | | | | | This blocks some of the ways the fuzzer can trigger a reboot. ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting and setting cad_pid to the current pid (transient "syz-executor setup") makes it a no-op. For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ
* dashboard/config/linux: disable BPF_JIT on subset of instancesDmitry Vyukov2021-03-091-2/+0
| | | | | Currently we enable JIT always and don't test interpreter. Enable JIT on subset of instances and disable on others using kernel config.
* executor: don't setup x86-specific sysctl on non-x86Dmitry Vyukov2021-03-071-32/+34
| | | | | /sys/kernel/debug/x86/nmi_longest_ns is x86 specific, don't set it on non-x86 arches.
* executor: disable rfkill during setupDmitry Vyukov2021-03-041-0/+18
| | | | | If rfkill is enabled by the fuzzer, wifi setup will fail. Disable rfkill to initial state during setup.
* pkg/report: detect executor failuresDmitry Vyukov2021-02-211-93/+83
| | | | | | | | | | | | Currently all executor fail errors go into "lost connection" bucket. This is not very useful. First, there are different executor failures. Second, it's not possible to understand what failures happen how frequently. Third, there are not authentic lost connection. Create separate SYZFAIL: bugs for them. Update #573 Update #502 Update #318
* executor: don't fail in syz_genetlink_get_family_idDmitry Vyukov2021-02-191-82/+114
| | | | | | | | | | We used to use our own netlink socket and then fail on any errors. But commit "sys/linux: add ieee802154 descriptions" made it possible to use fuzzer-provided socket, and fuzzer can pass any invalid fd. So don't fail on errors now. Fixes #2444
* sys/linux: add ieee802154 descriptionsDmitry Vyukov2021-02-121-18/+72
|
* executor: don't include kvm on armDmitry Vyukov2021-01-261-1/+1
| | | | | | KVM was removed for arm architecture. Latest Linux headers don't contain <asm/kvm.h> for arm. So don't even include them.
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-12 08:17:15 +0000