| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fuzzer managed to do:
executing program 0:
...
close_range(r5, 0xffffffffffffffff, 0x0)
...
SYZFATAL: executor 0 failed 11 times: executor 0: exit status 67
SYZFAIL: tun read failed
(errno 9: Bad file descriptor)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fuzzer managed to do:
executing program 4:
...
prlimit64(0x0, 0x7, &(0x7f0000000000), 0x0)
...
syz_usbip_server_init(0x3)
...
SYZFATAL: executor 4 failed 11 times: executor 4: exit status 67
SYZFAIL: syz_usbip_server_init: socketpair failed
(errno 24: Too many open files)
|
| |
|
|
|
|
|
|
|
|
| |
Starting from v6.9, we can no longer reuse a loop device while some
filesystem is mounted on it. It conflicts with the MNT_DETACH approach
we were previously using.
Let's umount synchronously instead, but also with a MNT_FORCE flag to
abort potentially long graceful cleanup operations. We don't need them
for the filesystems mounted only for fuzzing purposes.
|
| |
|
|
|
|
| |
Don't treat ENOENT from socket call as fatal.
Fuzzer manages to make all socket calls for a particular
protocol fail using NLBL_MGMT_C_REMOVE netlink function.
|
| |
|
|
|
|
|
|
|
|
| |
IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect
assumptions about the ring buffer size, causing the kernel to write
outside of the mapped memory, smashing whatever follows it.
This is a hotfix for https://github.com/google/syzkaller/issues/4531
that will stop the ci-upstream-gce-arm64 from generating random
coverage.
|
| |
|
|
|
|
|
| |
The fd may be closed by an async close() call, it's not a reason to
report a failure.
Reported-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
| |
When BLK_DEV_WRITE_MOUNTED is enabled, the kernel treats the loopfd
reference as a writer and does not let us issue mount() calls over the
same block device.
|
| |
|
|
|
| |
This should never be happening during fuzzing. Otherwise we let
syz-executor silently crash and restart insane number of times.
|
| |
|
|
|
|
| |
During fuzzing, it's expected that certain operations might return
errors. Don't abort the whole syz-executor process in this case, this is
too expensive.
|
| |
|
|
|
|
|
|
|
|
|
| |
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
|
| |
|
|
|
| |
Add new pseudo-syscall for creating a socket in init netns and connecting to
NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
|
| |
|
|
|
|
|
|
| |
This parameter barely increases coverage since the tail is always set
to the entry that is written, but it does increase the complexity of
the api and seems to reduce coverage when I run it locally.
Remove it.
|
| |
|
|
|
|
|
|
|
|
| |
In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change
the API to request the address from the Kernel.
Note I do not know why this was done in the first place, but it seems
not to be useful.
[1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Its needed for FALLOC_FL_ZERO_RANGE which needs this header, it works
with glibc because fcntl.h includes this header indirectly, however the
failure comes to fore with musl C library where this header is not
included indirectly by other system headers, therefore include it as
required.
Fixes
In file included from executor/common.h:505:
executor/common_linux.h:5604:16: error: use of undeclared identifier 'FALLOC_FL_ZERO_RANGE'
fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
^
|
| |
|
|
|
| |
If the feature is supported on the device, allocate a 128MB swap file
after VM boot and activate it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a long history of executor managing to corrupt itself in various
interesting ways (e.g. using read with a pointer pointing to some
global/stack variable and then kernel overwrites it). Or rt_sigreturn
can corrupt other registers which won't cause immediate SIGSEGV, but
rather some random behavior later. This is the race we can't win.
We can't rely on memory consistency when the test already started, so we
should use exitf instead of fail outside of setup sequence (and relying
more on unit testing to ensure that executor works as expected for sane
programs).
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
| |
Given that we must chose only one version, fuzzing v1 of itseems to be of
higher value at the moment.
Later we might make it a configurable option and do both version.
|
| | |
|
| |
|
|
| |
The syscall sets PKRU register which is part of protection keys (pkey).
|
| |
|
|
|
|
|
|
| |
Android devices often fail during the initial check with the error:
SYZFAIL: tun: ioctl(TUNSETIFF) failed
We need the same namespacing here that is used for other sandboxing
configurations.
|
| |
|
|
|
|
|
| |
This commit adds a new VM for fuzzing starnix.
The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode.
Co-authored-by: Juampi Miceli <jpmiceli@google.com>
|
| |
|
|
| |
We already suppress them, but the current approach fails if syzkaller
slightly corrupts the options string. Do the check more rigorously.
|
| |
|
|
|
| |
We can close memfd as soon as we passed it to LOOP_SET_FD
(it holds a reference to the file).
|
| |
|
|
|
|
| |
We symlink resulting partitions into the test dir.
If we do LOOP_CLR_FD, device and partitions disappear.
Don't do LOOP_CLR_FD on success.
|
| |
|
|
|
|
| |
This will allow us to mutate the image size.
Fixes #3527
|
| |
|
|
|
|
| |
In executor code we commonly use the syscall interface for functions:
return -1 on erorr and set errno.
Use this interface for puff_zlib_to_file.
|
| |
|
|
|
|
| |
Update the executor to handle the new `syz_mount_image`/`syz_part_table`
pseudo-syscalls. It now expects compressed images, and decompresses
them using the new `common_zlib.h` header file before mounting.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`)
expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as
the kernel sends these two packets almost at the same time (both are sent as
the result of the `open("/dev/vhci", …)` call):
* syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`)
* `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <-
`hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <-
`hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue)
<- `hci_register_dev` <- `__vhci_create_device`)
Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in
`initialize_vhci`.
Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second,
we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.
|
| |
|
|
|
|
|
|
| |
Core dumping known to have bugs. Just few recent kernel commits:
[brown paperbag] fix coredump breakage
[coredump] don't use __kernel_write() on kmap_local_page()
We also also found some info leaks in core dumps before.
No reason to not test them.
|
| |
|
|
|
| |
It will simplify the C code and let us extract the raw images in a more
convenient way.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be succeeded by the corresponding change in directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.
|
| |
|
|
|
|
|
|
|
|
| |
2 fixed:
1. netdevsim devices cannot be created via NETLINK anymore:
https://elixir.bootlin.com/linux/v6.0-rc4/source/drivers/net/netdevsim/netdev.c#L397
But we already create them via /sys/bus/netdevsim/new_device,
so just remove the netlink creation.
2. These devices are sticky and are not removed on net namspace destruction,
so delete the previous version explicitly.
|
| |
|
|
|
|
|
|
|
|
| |
XFRM device creation will fail w/o IFLA_XFRM_IF_ID attribute:
https://elixir.bootlin.com/linux/v6.0-rc4/source/net/xfrm/xfrm_interface.c#L648
Add this attribute.
This ID is also present in descriptions in at least 2 places.
In one we got it wrong, it's not ifindex (easy to confuse because of the name).
Fix it as well.
|
| |
|
|
|
|
|
| |
This reverts commit 922294abb4c0bc72b24d8526d625110d73fa1b5a.
The commit reported to cause old warnings on s390x:
https://github.com/google/syzkaller/commit/922294abb4c0bc72b24d8526d625110d73fa1b5a#commitcomment-83096994
|
| |
|
|
|
| |
The previous indirection via conditional macros in platform specific
places was needless obfuscation.
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| | |
|
| |
|
|
| |
executor: removed condition around tun init
|
| |
|
|
|
|
| |
If root fs is read-only, mkdir(/syzcgroup) will fail and a later
rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail.
Return early if mkdir(/syzcgroup) fails.
|
| | |
|
| |
|
|
|
|
| |
Remove /syzcgroup/* if cgroup mount fails. See #3241 for context.
Fixes #3241
|
| |
|
|
|
|
|
|
|
|
| |
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syzkaller reports the following error when it tries to create a C reproducer:
<stdin>: In function ‘syz_clone’:
<stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this
function)
<stdin>:289:48: note: each undeclared identifier is reported only once
for each function it appears in
compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall
-Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384
-Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow
-static-pie -fpermissive -w]
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We cannot expect syscalls to always succeed during fuzzing, especially
when the situation involves a complex interaction with the system.
For the syz_genetlink_get_family_id case, it leads to numerous SYZFAIL
crashes every day.
Don't print a SYZFAIL error for this pseudo syscall.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right during returning from the clone() call. This
is in turn catched by the NONFAILING() macro and the control actually jumps
over it and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| | |
|
