aboutsummaryrefslogtreecommitdiffstats
path: root/executor/executor.cc
Commit message (Collapse)AuthorAgeFilesLines
* syz-fuzzer, executor: Add support for blacklisting data race framesMarco Elver2019-10-221-0/+8
| | | | | This adds support to add frames that have already been in data races, to the KCSAN report blacklist.
* executor, csource: adjust syz_open_dev$hiddev timeoutAndrey Konovalov2019-09-241-0/+2
| | | | Looks like opening hiddev can take up to ~100 ms.
* executor: fix out-of-bounds access to syscalls arrayAndrey Konovalov2019-09-171-20/+20
| | | | | Move accessing syscalls array to check for USB syscalls after we validate the call_num value (it can be e.g. instr_copyin/out).
* executor: add some USB realted TODOs (#1319)Andrey Konovalov2019-08-071-14/+7
| | | Also simplify timeout related code a bit.
* sys/linux, executor: add syz_usb_ep_read syzkallAndrey Konovalov2019-07-011-2/+10
| | | | syz_usb_ep_read reads data from USB endpoints other than #0.
* sys/linux, executor: add basic USB HID fuzzing supportAndrey Konovalov2019-06-241-6/+14
| | | | | This commit adds the necessary descriptions and executor adjustments to enable targeted fuzzing of the enumeration process of USB HID devices.
* executor: improve usb coverage attributionAndrey Konovalov2019-06-121-9/+18
| | | | | Always call write_extra_output() only if the current program or call can produce extra coverage (== is a syz_usb* syzcall).
* executor: Protect the coverage bufferAndrew Turner2019-06-041-0/+6
| | | | | | | | | Add functions to protect and unprotect the coverage buffer. The buffer is protected from being written to while tracing. When the trace data is sorted we need to make it read/write, but can return it to read only after this has completed. Leave the first page as read/write as we need to clear the length field.
* pkg/csource: generate timeouts for USB syzcallsAndrey Konovalov2019-05-311-0/+1
| | | | This patch only covers per call timeouts, per prog one is not adjusted yet.
* executor: implement support for leak checkingDmitry Vyukov2019-05-201-9/+43
| | | | | | | | | | | | | | | | | | | | | | | | | Leak checking support was half done and did not really work. This is heavy-lifting to make it work. 1. Move leak/fault setup into executor. pkg/host was a wrong place for them because we need then in C repros too. The pkg/host periodic callback functionality did not work too, we need it in executor so that we can reuse it in C repros too. Remove setup/callback functions in pkg/host entirely. 2. Do leak setup/checking in C repros. The way leak checking is invoked is slightly different from fuzzer, but much better then no support at all. At least the checking code is shared. 3. Add Leak option to pkg/csource and -leak flag to syz-prog2c. 4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus. It's toooo slow. 5. Fix pkg/repro to do something more sane for leak bugs. Few other minor fixes here and there.
* executor: fix 32-bit buildDmitry Vyukov2019-05-071-3/+3
| | | | | Syscall args can't be printed with %lx now. Cast them to uint64 for now since we have only 2 such places.
* executor: change syscall argument type to intptr_tmunjinoo2019-05-071-4/+4
| | | | | The type size of long depends on compiler. Therefore, changing to intptr_t makes it depends on architecture.
* executor: adjust waiting time for all usb syzcallsAndrey Konovalov2019-04-231-8/+14
| | | | | | Allow 2000 ms of waiting time for syz_usb_connect and and the same time for the whole program is this syzkall is present. Allow 200 ms of waiting time for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
* all: add basic USB fuzzing supportAndrey Konovalov2019-04-111-1/+14
| | | | | | | | | | | | This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches. USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow to communicate with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.
* all: add optional close_fds feature to reproducersAndrey Konovalov2019-04-091-0/+6
| | | | | | | | Instead of always closing open fds (number 3 to 30) after each program, add an options called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true. Also minimize C repros over it, except for when repeat is enabled.
* execprog, stress, prog2c: unify flags to enable additional featuresAndrey Konovalov2019-03-051-6/+12
| | | | | | | | | | | This change makes all syz-execprog, syz-prog2c and syz-stress accept -enable and -disable flags to enable or disable additional features (tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having a separate flag for each of them. The default (without any flags) behavior isn't changed: syz-execprog and syz-stress enabled all the features (provided the runtime supports them) and syz-prog2c disables all of them.
* executor: fix detection of blocked callsDmitry Vyukov2019-02-131-2/+1
| | | | | Unfinished calls are always blocked too, so set the blocked flag for unfinished calls.
* executor, pkg/ipc: simplify retry handlingDmitry Vyukov2019-01-311-16/+8
| | | | | | Remove kRetryStatus, it's effectively the same as exiting with 0. Remove ipc.ExecutorFailure, nobody uses it. Simplify few other minor things around exit status handling.
* executor: remove ability to detect kernel bugsDmitry Vyukov2019-01-311-16/+1
| | | | | | | | This ability was never used but we maintain a bunch of code for it. syzkaller also recently learned to spoof this error code with some ptrace magic (probably intercepted control flow again and exploited executor binary). Drop all of it.
* executor: unbreak on OpenBSDAnton Lindqvist2019-01-191-1/+0
| | | | | | | Commit b5df78dc ("all: support extra coverage") broke the executor on OpenBSD: executor/executor.cc:61:11: error: unused variable 'kExtraCoverSize' [-Werror,-Wunused-const-variable] const int kExtraCoverSize = 256 << 10;
* all: detect extra coverage supportAndrey Konovalov2019-01-161-4/+9
| | | | Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
* all: support extra coverageAndrey Konovalov2019-01-161-16/+55
| | | | | | | | | | | | | | | Right now syzkaller only supports coverage collected from the threads that execute syscalls. However some useful things happen in background threads, and it would be nice to collect coverage from those threads as well. This change adds extra coverage support to syzkaller. This coverage is not associated with a particular syscall, but rather with the whole program. Executor passes extra coverage over the same ipc mechanism to syz-fuzzer with syscall number set to -1. syz-fuzzer then passes this coverage to syz-manager with the call name "extra". This change requires the following kcov patch: https://github.com/xairy/linux/pull/2
* executor: fix max number of syscall argsDmitry Vyukov2018-12-261-1/+1
| | | | De-hardcode max number (wrong) of syscall args.
* executor: create more net devices on linuxDmitry Vyukov2018-12-261-6/+6
|
* prog, pkg/csource: more readable serialization for stringsDmitry Vyukov2018-12-151-0/+1
| | | | | | | Always serialize strings in readable format (non-hex). Serialize binary data in readable format in more cases. Fixes #792
* executor: move setrlimit from setup_control_pipes to bsd os_initDmitry Vyukov2018-12-141-6/+0
| | | | This broke fuchsia build. We need setrlimit only for bsd.
* executor: reapply setuid sandbox for bsdGreg Steuck2018-12-111-0/+6
| | | | | | | | | | * Revert "Revert "executor: add setuid sandbox for openbsd"" The problem is the low file descriptor limit. This reverts commit 4093e33b1338f274ae0062f555de9d6af8640d61. * executor/executor make sure the file descriptor limit is sufficient
* executor: fix handling of big-endian bitfieldsDmitry Vyukov2018-12-081-23/+39
| | | | | Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin. This leads to totally bogus result. Fix this.
* executor: make the debug output useful for race condition debuggingAlexander Popov2018-09-241-26/+38
| | | | | | | | | | | | | | | Sometimes race conditions are reproduced by syz-execprog and are not reproduced by the programs generated with syz-prog2c. In such cases it's very helpful to know when exactly the fuzzing syscalls are executed. Unfortunately, adding timestamps to the output of the original 'debug' mode doesn't work. This mode provides very verbose output, which slows down executor and breaks the repro. So let's make the executor debug output less verbose and add the timestamps. Signed-off-by: Alexander Popov <alex.popov@linux.com>
* executor: fix buildDmitry Vyukov2018-09-201-0/+13
| | | | | | | | Move debug_dump_data back to executor.cc. debug_dump_data in common_linux.h does not play well with pkg/csource debug stripping logic. It strips a large random piece of code since it thinks debug_dump_data definition is actually debug_dump_data call site.
* executor: fix buildDmitry Vyukov2018-09-201-3/+3
| | | | | | Fix build after "executor: remove unused var flag_sandbox_privs". Some variables/functions can't be static as they are unused on some OSes, which produces unused warnings.
* executor: move debug_dump_data() into common_linux.hAnton Lindqvist2018-09-201-13/+0
| | | | | Compiling the executor on OpenBSD currently fails: executor/executor.cc:1316:6: error: unused function 'debug_dump_data'
* executor: remove unused var flag_sandbox_privsDmitry Vyukov2018-09-171-32/+31
| | | | | Remove unused var flag_sandbox_privs (which was used for what?). Decleare all variables as static to detect such cases in future.
* executor: make sandboxes more modularDmitry Vyukov2018-09-171-0/+6
| | | | | | | | Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to updated to say that they don't support this sandbox). Let it each OS say what sandboxes it supports instead.
* RFC: android: Add support for untrusted_app sandboxing (#697)Zach Riggle2018-09-171-3/+10
| | | | | | | | | | | | | | | | | | | | | executor: add support for android_untrusted_app sandbox This adds a new sandbox type, 'android_untrusted_app', which restricts syz-executor to the privileges which are available to third-party applications, e.g. those installed from the Google Play store. In particular, this uses the UID space reserved for applications (instead of the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534) as well as a set of groups which the Android-specific kernels are aware of, and finally ensures that the SELinux context is set appropriately. Dependencies on libselinux are avoided by manually implementing the few functions that are needed to change the context of the current process, and arbitrary files. The underlying mechanisms are relatively simple. Fixes google/syzkaller#643 Test: make presubmit Bug: http://b/112900774
* Add mandatory OpenBSD bits (#689)Anton Lindqvist2018-08-281-1/+1
| | | | | | | | | | | | | | | | | | all: add openbsd support squash of the following commits: * openbsd: add mandatory bits * report: add OpenBSD support * executor: skip building kvm on OpenBSD * executor: add OpenBSD support Linking against libutil is necessary due to usage of openpty(3). * executor: fix typo in fail() message * fixup! report: add OpenBSD support * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! report: add OpenBSD support * gometalinter: skip sys/openbsd
* executor: mount binfmt_mistDmitry Vyukov2018-08-091-1/+2
| | | | | | We forgot to mount binfmt_misc. Mount it. Add a test. Increase per-call timeout, otherwise last execve timesout. Fix csource waiting for call completion at the end of program.
* executor: remap cover fd's to higher valuesDmitry Vyukov2018-08-081-4/+8
| | | | | | Remap cover fd's to 24x range to prevent interference with fd's used during fuzzing and also to make fd number consistent with/without cover enabled.
* executor: collect coverage from unfinished syscallsDmitry Vyukov2018-07-291-117/+158
| | | | | | | | Write coverage from unfinished syscalls. Also detect when a syscall was blocked during execution, even if it finished. Helpful for fallback coverage. Fixes #580
* pkg/csource: tidy generated codeDmitry Vyukov2018-07-271-1/+0
| | | | | | | | | | | 1. Remove unnecessary includes. 2. Remove thunk function in threaded mode. 3. Inline syscalls into main for the simplest case. 4. Define main in common.h rather than form with printfs. 5. Fix generation for repeat mode (we had 2 infinite loops: in main and in loop). 6. Remove unused functions (setup/reset_loop, setup/reset_test, sandbox_namespace, etc).
* executor: overhaulDmitry Vyukov2018-07-241-0/+1269
| | | | | | | | | | | | | | | | | Make as much code as possible shared between all OSes. In particular main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves way for testing of executor code and allows to preserve consistency across OSes and executor/csource.
* executor: split source per-OSDmitry Vyukov2017-09-201-1001/+0
| | | | Update #191
* executor: remove unused headersDmitry Vyukov2017-09-201-2/+0
|
* syz-manager, syz-fuzzer, executor: ensure that binaries are consistentDmitry Vyukov2017-09-151-0/+9
| | | | | | | Check that manager/fuzzer/executor are build on the same git revision, use the same syscall descriptions and the same target arch. Update #336
* pkg/csource: support archs other than x86_64Dmitry Vyukov2017-09-151-2/+3
|
* executor: fix 32-bit modeDmitry Vyukov2017-09-051-5/+1
| | | | | The correct type is kernel long size, not user-space long size. We approximate it with uint64.
* sys: improve timespec/timeval generationDmitry Vyukov2017-09-051-0/+2
|
* executor, ipc: modify the IO between KCOV<->executor<->fuzzerVictor Chibotaru2017-08-301-37/+116
| | | | | Now executor is able to read comparisons data from KCOV and write them to fuzzer.
* executor, fuzzer: change the way Syzkaller opens the KCOV deviceVictor Chibotaru2017-08-301-18/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have implemented a new version of KCOV, which is able to dump comparison operands' data, obtained from Clang's instrumentation hooks __sanitizer_cov_trace_cmp[1248], __sanitizer_cov_trace_const_cmp[1248] and __sanitizer_cov_trace_switch. Current KCOV implementation can work in two modes: "Dump only the PCs" or "Dump only comparisons' data". Mode selection is done by the following series of calls: fd = open(KCOV_PATH, ...); // works as previous ioctl(fd, KCOV_INIT_TRACE, ...); // works as previous mmap(fd, ...); // works as previous ioctl(fd, KCOV_ENABLE, mode); // mode = KCOV_MODE_TRACE_CMP or mode = KCOV_MODE_TRACE_PC Note that this new interface is backwards compatible, as old KCOV devices will just return -EINVAL for the last ioctl. This way we can distinguish if the KCOV device is able to dump the comparisons. Main changes in this commit: 1. Fuzzer now checks at startup which type (new/old) of KCOV device is running. 2. Executor now receives an additional flag, which indicates if executor should read the comparisons data from KCOV. The flag works on per-call basis, so executor can collect PCs or Comps for each individual syscall.
* executor: split a too long lineDmitry Vyukov2017-08-241-1/+3
|
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-12 08:09:49 +0000