syz - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	executor, pkg/ipc: simplify retry handling	Dmitry Vyukov	2019-01-31	1	-16/+8
\| \| \| \| \| \|	Remove kRetryStatus, it's effectively the same as exiting with 0. Remove ipc.ExecutorFailure, nobody uses it. Simplify few other minor things around exit status handling.
*	executor: remove ability to detect kernel bugs	Dmitry Vyukov	2019-01-31	1	-16/+1
\| \| \| \| \| \| \| \|	This ability was never used but we maintain a bunch of code for it. syzkaller also recently learned to spoof this error code with some ptrace magic (probably intercepted control flow again and exploited executor binary). Drop all of it.
*	executor: unbreak on OpenBSD	Anton Lindqvist	2019-01-19	1	-1/+0
\| \| \| \| \| \| \|	Commit b5df78dc ("all: support extra coverage") broke the executor on OpenBSD: executor/executor.cc:61:11: error: unused variable 'kExtraCoverSize' [-Werror,-Wunused-const-variable] const int kExtraCoverSize = 256 << 10;
*	all: detect extra coverage support	Andrey Konovalov	2019-01-16	1	-4/+9
\| \| \| \|	Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
*	all: support extra coverage	Andrey Konovalov	2019-01-16	1	-16/+55
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Right now syzkaller only supports coverage collected from the threads that execute syscalls. However some useful things happen in background threads, and it would be nice to collect coverage from those threads as well. This change adds extra coverage support to syzkaller. This coverage is not associated with a particular syscall, but rather with the whole program. Executor passes extra coverage over the same ipc mechanism to syz-fuzzer with syscall number set to -1. syz-fuzzer then passes this coverage to syz-manager with the call name "extra". This change requires the following kcov patch: https://github.com/xairy/linux/pull/2
*	executor: fix max number of syscall args	Dmitry Vyukov	2018-12-26	1	-1/+1
\| \| \| \|	De-hardcode max number (wrong) of syscall args.
*	executor: create more net devices on linux	Dmitry Vyukov	2018-12-26	1	-6/+6
\|
*	prog, pkg/csource: more readable serialization for strings	Dmitry Vyukov	2018-12-15	1	-0/+1
\| \| \| \| \| \| \|	Always serialize strings in readable format (non-hex). Serialize binary data in readable format in more cases. Fixes #792
*	executor: move setrlimit from setup_control_pipes to bsd os_init	Dmitry Vyukov	2018-12-14	1	-6/+0
\| \| \| \|	This broke fuchsia build. We need setrlimit only for bsd.
*	executor: reapply setuid sandbox for bsd	Greg Steuck	2018-12-11	1	-0/+6
\| \| \| \| \| \| \| \| \| \|	* Revert "Revert "executor: add setuid sandbox for openbsd"" The problem is the low file descriptor limit. This reverts commit 4093e33b1338f274ae0062f555de9d6af8640d61. * executor/executor make sure the file descriptor limit is sufficient
*	executor: fix handling of big-endian bitfields	Dmitry Vyukov	2018-12-08	1	-23/+39
\| \| \| \| \|	Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin. This leads to totally bogus result. Fix this.
*	executor: make the debug output useful for race condition debugging	Alexander Popov	2018-09-24	1	-26/+38
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Sometimes race conditions are reproduced by syz-execprog and are not reproduced by the programs generated with syz-prog2c. In such cases it's very helpful to know when exactly the fuzzing syscalls are executed. Unfortunately, adding timestamps to the output of the original 'debug' mode doesn't work. This mode provides very verbose output, which slows down executor and breaks the repro. So let's make the executor debug output less verbose and add the timestamps. Signed-off-by: Alexander Popov <alex.popov@linux.com>
*	executor: fix build	Dmitry Vyukov	2018-09-20	1	-0/+13
\| \| \| \| \| \| \| \|	Move debug_dump_data back to executor.cc. debug_dump_data in common_linux.h does not play well with pkg/csource debug stripping logic. It strips a large random piece of code since it thinks debug_dump_data definition is actually debug_dump_data call site.
*	executor: fix build	Dmitry Vyukov	2018-09-20	1	-3/+3
\| \| \| \| \| \|	Fix build after "executor: remove unused var flag_sandbox_privs". Some variables/functions can't be static as they are unused on some OSes, which produces unused warnings.
*	executor: move debug_dump_data() into common_linux.h	Anton Lindqvist	2018-09-20	1	-13/+0
\| \| \| \| \|	Compiling the executor on OpenBSD currently fails: executor/executor.cc:1316:6: error: unused function 'debug_dump_data'
*	executor: remove unused var flag_sandbox_privs	Dmitry Vyukov	2018-09-17	1	-32/+31
\| \| \| \| \|	Remove unused var flag_sandbox_privs (which was used for what?). Decleare all variables as static to detect such cases in future.
*	executor: make sandboxes more modular	Dmitry Vyukov	2018-09-17	1	-0/+6
\| \| \| \| \| \| \| \|	Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to updated to say that they don't support this sandbox). Let it each OS say what sandboxes it supports instead.
*	RFC: android: Add support for untrusted_app sandboxing (#697)	Zach Riggle	2018-09-17	1	-3/+10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	executor: add support for android_untrusted_app sandbox This adds a new sandbox type, 'android_untrusted_app', which restricts syz-executor to the privileges which are available to third-party applications, e.g. those installed from the Google Play store. In particular, this uses the UID space reserved for applications (instead of the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534) as well as a set of groups which the Android-specific kernels are aware of, and finally ensures that the SELinux context is set appropriately. Dependencies on libselinux are avoided by manually implementing the few functions that are needed to change the context of the current process, and arbitrary files. The underlying mechanisms are relatively simple. Fixes google/syzkaller#643 Test: make presubmit Bug: http://b/112900774
*	Add mandatory OpenBSD bits (#689)	Anton Lindqvist	2018-08-28	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	all: add openbsd support squash of the following commits: * openbsd: add mandatory bits * report: add OpenBSD support * executor: skip building kvm on OpenBSD * executor: add OpenBSD support Linking against libutil is necessary due to usage of openpty(3). * executor: fix typo in fail() message * fixup! report: add OpenBSD support * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! report: add OpenBSD support * gometalinter: skip sys/openbsd
*	executor: mount binfmt_mist	Dmitry Vyukov	2018-08-09	1	-1/+2
\| \| \| \| \| \|	We forgot to mount binfmt_misc. Mount it. Add a test. Increase per-call timeout, otherwise last execve timesout. Fix csource waiting for call completion at the end of program.
*	executor: remap cover fd's to higher values	Dmitry Vyukov	2018-08-08	1	-4/+8
\| \| \| \| \| \|	Remap cover fd's to 24x range to prevent interference with fd's used during fuzzing and also to make fd number consistent with/without cover enabled.
*	executor: collect coverage from unfinished syscalls	Dmitry Vyukov	2018-07-29	1	-117/+158
\| \| \| \| \| \| \| \|	Write coverage from unfinished syscalls. Also detect when a syscall was blocked during execution, even if it finished. Helpful for fallback coverage. Fixes #580
*	pkg/csource: tidy generated code	Dmitry Vyukov	2018-07-27	1	-1/+0
\| \| \| \| \| \| \| \| \| \| \|	1. Remove unnecessary includes. 2. Remove thunk function in threaded mode. 3. Inline syscalls into main for the simplest case. 4. Define main in common.h rather than form with printfs. 5. Fix generation for repeat mode (we had 2 infinite loops: in main and in loop). 6. Remove unused functions (setup/reset_loop, setup/reset_test, sandbox_namespace, etc).
*	executor: overhaul	Dmitry Vyukov	2018-07-24	1	-0/+1269
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Make as much code as possible shared between all OSes. In particular main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves way for testing of executor code and allows to preserve consistency across OSes and executor/csource.
*	executor: split source per-OS	Dmitry Vyukov	2017-09-20	1	-1001/+0
\| \| \| \|	Update #191
*	executor: remove unused headers	Dmitry Vyukov	2017-09-20	1	-2/+0
\|
*	syz-manager, syz-fuzzer, executor: ensure that binaries are consistent	Dmitry Vyukov	2017-09-15	1	-0/+9
\| \| \| \| \| \| \|	Check that manager/fuzzer/executor are build on the same git revision, use the same syscall descriptions and the same target arch. Update #336
*	pkg/csource: support archs other than x86_64	Dmitry Vyukov	2017-09-15	1	-2/+3
\|
*	executor: fix 32-bit mode	Dmitry Vyukov	2017-09-05	1	-5/+1
\| \| \| \| \|	The correct type is kernel long size, not user-space long size. We approximate it with uint64.
*	sys: improve timespec/timeval generation	Dmitry Vyukov	2017-09-05	1	-0/+2
\|
*	executor, ipc: modify the IO between KCOV<->executor<->fuzzer	Victor Chibotaru	2017-08-30	1	-37/+116
\| \| \| \| \|	Now executor is able to read comparisons data from KCOV and write them to fuzzer.
*	executor, fuzzer: change the way Syzkaller opens the KCOV device	Victor Chibotaru	2017-08-30	1	-18/+38
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	We have implemented a new version of KCOV, which is able to dump comparison operands' data, obtained from Clang's instrumentation hooks __sanitizer_cov_trace_cmp[1248], __sanitizer_cov_trace_const_cmp[1248] and __sanitizer_cov_trace_switch. Current KCOV implementation can work in two modes: "Dump only the PCs" or "Dump only comparisons' data". Mode selection is done by the following series of calls: fd = open(KCOV_PATH, ...); // works as previous ioctl(fd, KCOV_INIT_TRACE, ...); // works as previous mmap(fd, ...); // works as previous ioctl(fd, KCOV_ENABLE, mode); // mode = KCOV_MODE_TRACE_CMP or mode = KCOV_MODE_TRACE_PC Note that this new interface is backwards compatible, as old KCOV devices will just return -EINVAL for the last ioctl. This way we can distinguish if the KCOV device is able to dump the comparisons. Main changes in this commit: 1. Fuzzer now checks at startup which type (new/old) of KCOV device is running. 2. Executor now receives an additional flag, which indicates if executor should read the comparisons data from KCOV. The flag works on per-call basis, so executor can collect PCs or Comps for each individual syscall.
*	executor: split a too long line	Dmitry Vyukov	2017-08-24	1	-1/+3
\|
*	all: support i386 arch	Dmitry Vyukov	2017-08-19	1	-6/+16
\| \| \| \|	Update #191
*	executor: reformat	Dmitry Vyukov	2017-06-13	1	-1/+1
\|
*	executor: don't define SYZ_ENABLE_TUN in executor	Andrey Konovalov	2017-06-12	1	-1/+0
\|
*	executor: split setup_main_process into smaller functions	Andrey Konovalov	2017-06-12	1	-1/+2
\|
*	csource: add EnableTun option	Andrey Konovalov	2017-06-12	1	-0/+1
\|
*	all: cleanup executor/ipc status checking	Michael Pratt	2017-05-30	1	-1/+2
\| \| \| \| \| \| \| \| \| \|	This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed.
*	csource: reproduce crashes with fault injection	Dmitry Vyukov	2017-05-26	1	-8/+1
\|
*	all: add fault injection capability	Dmitry Vyukov	2017-05-26	1	-7/+48
\| \| \| \| \| \| \|	Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next).
*	sys, executor: extract tcp sequence numbers from /dev/net/tun	Andrey Konovalov	2017-05-26	1	-0/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::20001 :::* LISTEN 5527/a.out tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
*	executor: increase syscall timeout in debug mode	Dmitry Vyukov	2017-05-23	1	-1/+2
\| \| \| \| \|	Debug output takes time, so 20ms is not enough for almost any syscall. Give a syscall 500ms in debug before considering it blocked.
*	prog, executor: move checksum computation to executor	Andrey Konovalov	2017-05-12	1	-0/+54
\| \| \| \| \|	This commit moves checksum computation to executor. This will allow to embed dynamically generated values (like TCP sequence numbers) into packets.
*	executor: bump per-call timeout	Dmitry Vyukov	2017-04-25	1	-1/+1
\| \| \| \| \| \| \| \| \| \|	We've started seeing lots of vmalloc failures with the 200ms timeout. Turns out vmalloc has a check for fatal signals pending, so we were killing the process which caused vmalloc to fail. If vmalloc can take 200+ms, then we need to dump the timeout as it's not blocking that we want to catch. Bump the timeout to 500ms.
*	executor: support wrapping executor with an external sandbox process	Dmitry Vyukov	2017-02-27	1	-0/+10
\| \| \| \| \| \| \| \|	If an external sandbox process wraps executor, the out pipe will be closed before the sandbox process exits this will make ipc package kill the sandbox. As the result sandbox process will exit with exit status 9 instead of the executor exit status (notably kRetryStatus). Consequently, ipc will treat it as hard failure rather than a temporal failure. So we duplicate the exit status on the pipe.
*	executor: treat KCOV_ENABLE failure as transient	Dmitry Vyukov	2017-02-15	1	-2/+6
\| \| \| \|	It fails with various errors (9, 14, 25), probably fuzzer messes with the fd.
*	executor: increase kMaxCommands and add checks	Andrey Konovalov	2017-02-08	1	-1/+5
\|
*	executor: better protect output region from corruptions	Dmitry Vyukov	2017-02-06	1	-9/+18
\| \| \| \| \|	Fuzzer invented another tricky way to corrupt the region. Map it at a hard to guess address.
*	executor: fix tun initialization when sandbox != none	Andrey Konovalov	2017-01-31	1	-4/+4
\|