| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
Fixes: fcfad4ffcf3a ("ipc: add magic in a call reply")
|
| |
|
|
|
|
|
|
|
|
| |
When a shared memory is used, the executor can corrupt reply messages,
so let's add magic to detect such cases.
It is an attempt to debug issues like this one:
https://syzkaller.appspot.com/bug?id=faca64c3182e9f130ca94b7931dd771be390ef67
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
| |
Allow common_ext.h to provide setup_ext() function that is called during VM setup.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right during returning from the clone() call. This
is in turn catched by the NONFAILING() macro and the control actually jumps
over it and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
| |
Don't print the confuing errno 14 for successful calls.
|
| |
|
|
|
|
|
|
| |
pkg/repro tries to clear the Threaded flag during repro simplification,
so it's easier just to ignore the remaining async flags in that case -
they won't be in the C repro either.
Add a test to pkg/ipc to verify the new behavior.
|
| |
|
|
|
|
|
|
|
| |
Set new kcov count limits: 6 for the default mode and 16 for the
optimized mode (when the instances are mmapped a needed). Don't generate
SYZFAIL when these limits are exhausted.
Just increasing those limits won't help as syzkaller will anyway come up
with programs that overcome them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
| |
As all opened kcov instances are mmapped, we don't need to check it one
more time at all.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that the current Linux implementation of KCOV does not
properly handle multiple mmap invocations on the same instance. The
first one succeedes, but the subsequent ones do not actually mmap
anything, yet returning no error at all.
The ability to mmap that memory multiple times allows us to increase
syz-executor performance and it would be a pity to completely lose it
(especially given that mmapping kcov works fine on *BSD).
In some time a patch will be prepared, but still we will have to support
both versions at the same time - the buggy one and the correct one.
Detect whether the bug is present by writing a value at the pointer
returned by mmap. If it is present, disable dynamic kcov mmapping and
pre-mmap 5 instances in the main() function - it should be enough for
all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap
them as needed.
|
| |
|
|
|
| |
Currently it is dup2'd to 0, which is quite likely to be closed by the
fuzzer. Dup2 it to a safer fd instead.
|
| |
|
|
|
|
|
|
|
| |
The previous strategy (delay kcov instance creation) seems not to work
very well in carefully sandboxed environments. Let's see if the new
approach is more versatile.
Open a kcov handle for each thread at syz-executor's initialization, but
don't mmap it right away.
|
| |
|
|
|
|
|
|
|
| |
As now kcov instances may get set up during fuzzing, performing dup2 in
cover_open is no longer safe as it may close some important resource.
Prevent that by reserving most of fds that belong to the kcov fds range.
Unfortunately we must duplicate the code because of the way kcov
implementations are organized.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The amount of virtual memory affects the speed of forking/exiting. As in
most cases we do it for each executed program, the difference may be
substantial.
We don't need 16MB of output data for each execution (in fact,
experiments have shown that we never cross even 8MB on Linux). But
reducing that cap in more than 2 times is a pretty bold decision, and
perhaps it's better to just make the allocation process smarter.
Mmap the output region depending on the exact amount of memory needed
for a specific program. E.g. if comparisons are collected, the expected
amount of output is maximal. If we only collect signals, the output
is minimal.
Mmap the minimally required region in the parent and then re-mmap it in
the forked child if it turns out that a higher amount of memory is
needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Experiments have shown that the amount of allocated memory has a very
big impact on the syz-executor's performance (at least under Linux) -
much bigger than was expected.
One source of that extra virtual memory is kcov and, in fact, usually we
don't need all 16 kcov handles we create. E.g. only 4 are enough for 99.5%
progs that syzkaller executes. The biggest consumer of threads - the
collide mode doesn't need kcov at all.
Let kcov handle be an optional property of a thread, not a mandatory
one. Allocate only 3 kcov instances initially (they'll be preserved over
forks) and let the forked processes create other kcov instances if they
happen to be needed.
|
| |
|
|
|
|
|
| |
Currently we setup cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.
|
| |
|
|
|
|
| |
Historically the code base does not use single-line compound statements
({} around single-line blocks). But there are few precedents creeped into
already. Add a check to keep the code base consistent.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have seen cases when a test program re-execed the current binary:
11:53:29 executing program 0:
openat$zero(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
lseek(r0, 0x4000000000000000, 0x4)
execveat(r0, &(0x7f0000000080)='\x00', 0x0, 0x0, 0x1000)
In such cases, we have to be sure that executor will not print SYZFAIL
log messages and will not exit with kFailStatus.
Since a659b3f1, syzkaller reports bugs in all these cases.
Fixes: a659b3f1dc88 ("pkg/report: detect executor failures")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
|
|
|
|
| |
Call properties let us specify how each individual call within a program
must be executed. So far the only way to enforce extra rules was to pass
extra program-level properties (e.g. that is how fault injection was done).
However, it entangles the logic and not flexible enough.
Implement an ability to pass properties along with each individual call.
|
| |
|
|
|
|
|
|
|
| |
Currently the data_offset field of cover_t is only initialized for
per-syscall coverage collection. As a result, remote coverage is read
from an invalid location, fails to pass sanity checks and is not
returned to syzkaller.
Fix the initialization of cover_t fields.
|
| | |
|
| | |
|
| |
|
|
|
| |
See #502
This still happens periodically.
|
| |
|
|
|
|
| |
Detect the case when a program requires more copyout than executor can handle.
Curretnly these result in: "SYZFAIL: command refers to bad result" failures.
Now syz-fuzzer should ignore them.
|
| |
|
|
|
|
|
| |
Print details and errno after SYZFAIL line.
pkg/report captures output after SYZFAIL line,
so it's better to have details after that line
so that they are captured in report.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently all executor fail errors go into "lost connection" bucket.
This is not very useful. First, there are different executor failures.
Second, it's not possible to understand what failures happen how frequently.
Third, there are not authentic lost connection.
Create separate SYZFAIL: bugs for them.
Update #573
Update #502
Update #318
|
| |
|
|
|
|
|
|
|
|
| |
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
|
| | |
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
| |
|
|
| |
gvisor coverage is not a trace, so producing edges won't work.
|
| |
|
|
|
|
| |
Filter out all comparisons in non-interesting code.
Comparisons are expensive, so it makes lots of sense,
these filtered out can't give us any new interesting signal.
|
| |
|
|
|
|
|
|
|
|
| |
Currently we capture only incoming edges into the interesting code
when code coverage filter is used.
Also capture outgoing edges.
For code without indirect calls this does not matter
as we always get the same edge. But for code with indirect
edges we can capture more interesting coverage, and presumably
different indirect calls are quite important.
|
| |
|
|
|
| |
Slightly reduce number of ifdef's, define coverage_filter only
in shmem mode and remove unnecessary cast.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Apply ignore_return to semctl$GETVAL which produces random errno
values on linux and freebsd.
2. Apply ignore_return to prctl and remove the custom code in executor.
3. Remove the custom errno ignoring code in fuchsia executor.
The calls are already marked as ignore_return, so this is just a leftover.
4. Only reset errno for ignore_return.
The syscall can still return a resource (maybe).
We only need to reset errno for fallback coverage.
|
| |
|
|
|
|
| |
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
| |
|
|
|
| |
This is required because we can only collect remote kcov coverage for
these injected frames.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fail()'s are often used during the validation of kernel reactions to
queries that were issued by pseudo syscalls implementations. As fault
injection may cause the kernel not to succeed in handling these
queries (e.g. socket writes or reads may fail), this could ultimately
lead to unwanted "lost connection to test machine" crashes.
In order to avoid this and, on the other hand, to still have the
ability to signal a disastrous situation, the exit code of this
function now depends on the current context.
All fail() invocations during system call execution with enabled fault
injection lead to termination with zero exit code. In all other cases,
the exit code is kFailStatus.
This is achieved by introduction of a special thread-specific variable
`current_thread` that allows to access information about the thread in
which the current code is executing.
Also, this commit eliminates current_cover as it is no longer needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
| |
Ensure that we can handle hanging syscalls in all modes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We generally use the newer C99 var declarations combined with initialization because:
- declarations are more local, reduced scope
- fewer lines of code
- less potential for using uninit vars and other bugs
However, we have some relic code from times when we did not understand
if we need to stick with C89 or not. Also some external contributions
that don't follow style around.
Add a static check for C89-style declarations and fix existing precedents.
Akaros toolchain uses -std=gnu89 (or something) and does not allow
variable declarations inside of for init statement. And we can't switch
it to -std=c99 because Akaros headers are C89 themselves.
So in common.h we need to declare loop counters outside of for.
|
| |
|
|
|
|
|
| |
Move the test from pkg/csource to executor/
in order to be able to (1) run it on *.cc files,
(2) run on unprocessed *.h files, (3) produce line numbers.
Add a check for missed space after //.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For som reason {0} gets complains about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr will 0xaa
* executor/common_linux.h: just fill bd addr will 0xaa
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we sprinkle NONFAILING all over pseudo-syscall code,
around all individual accesses to fuzzer-generated pointers.
This is tedious manual work and subject to errors.
Wrap execute_syscall invocation with NONFAILING in execute_call once instead.
Then we can remove NONFAILING from all pseudo-syscalls and never get back to this.
Potential downsides: (1) this is coarser-grained and we will skip whole syscall
on invalid pointer, but this is how normal syscalls work as well,
so should not be a problem; (2) we will skip any clean up (closing of files, etc)
as well; but this may be fine as well (programs can perfectly leave open file
descriptors as well).
Update #1918
|
