aboutsummaryrefslogtreecommitdiffstats
path: root/executor/executor.cc
Commit message (Collapse)AuthorAgeFilesLines
* executor: better protect output region from corruptionsDmitry Vyukov2017-02-061-9/+18
| | | | | Fuzzer invented another tricky way to corrupt the region. Map it at a hard to guess address.
* executor: fix tun initialization when sandbox != noneAndrey Konovalov2017-01-311-4/+4
|
* all: implement edge coverageDmitry Vyukov2017-01-271-47/+122
| | | | | | | | | | | Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces corpus ~6-7x (from ~35K to ~5K), this has profound effect on fuzzing efficiency.
* adb: executor: Revert to adb rebootBilly Lau2017-01-261-5/+0
| | | | | | | | | Using `adb shell syz-executor reboot` to reboot devices has stopped working with the recent Android update, probably due to the intro of seccomp. I have reverted the device reboot logic to use `adb shell reboot` although it can be flaky at times so that we can continue to fuzz on devices, until a more reliable solution can be sought out.
* executor: protect against memory corruptions betterDmitry Vyukov2017-01-251-1/+1
| | | | | | | | | | | Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly.
* executor: reduce syscall blocking delay from 100ms to 20msDmitry Vyukov2017-01-201-2/+2
| | | | | Syscalls frequently block and this affects fuzzing speed. 20ms should be more than enough for a normal syscall to finish.
* prog: add bitfields to templatesAndrey Konovalov2017-01-171-8/+13
| | | | | | Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field. This fixes #72.
* sys: extend kvm supportDmitry Vyukov2017-01-091-0/+2
| | | | | | Add new pseudo syscall syz_kvm_setup_cpu that setups VCPU into interesting states for execution. KVM is too difficult to setup otherwise. Lots of improvements possible, but this is a starting point.
* executor: increase coverage size from 16K to 64K PCsDmitry Vyukov2017-01-091-1/+1
| | | | On some KVM syscalls soverage reaches 36K+ PCs.
* executor: handle exit failuresDmitry Vyukov2016-12-081-2/+1
| | | | See the added comment for explanation.
* executor: change the way we wait for childrenDmitry Vyukov2016-12-051-6/+8
| | | | | | waitpid(pid) does not work if child invokes ptrace(PTRACE_TRACEME): https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU Use waitpid(-1) instead.
* executor: don't try to open tun if it's not enabledAndrey Konovalov2016-12-021-1/+3
|
* executor: emit ethernet trafficAndrey Konovalov2016-11-291-1/+3
|
* repro: factor out of syz-repro toolDmitry Vyukov2016-11-191-308/+3
| | | | | | | | Factor out repro logic from syz-repro tool, so that it can be used in syz-manager. Also, support sandboxes in code generated by csoure. This is required to reproduce crashes that require e.g. namespace sandbox.
* csource: teach how to execute pseudo syz_ syscallsDmitry Vyukov2016-08-281-106/+3
| | | | Update #59
* executor, csource: share some common code between executor and csourceDmitry Vyukov2016-08-281-35/+7
|
* executor: add experimental mode to skip paging faultsDmitry Vyukov2016-08-221-27/+65
| | | | | | | Ignore SIGSEGV/SIGBUS during copyin/copyout of arguments. The memory may not be addressable. The ignoring allows to pass partially-addressable input data to kernel. It's unclear if it's a good idea or not yet.
* executor: revive setuid sandboxDmitry Vyukov2016-07-011-15/+76
| | | | | | | | | | | | | | The new namespace-based sanboxing is good, but it's not always what one wants (and also requires special kernel configs). Change dropprivs config value to sandbox, which can have different values (currently: none, setuid, namespace). Setuid mode uses setuid(nobody) before fuzzing as before. In future we can add more sandboxing modes or, say, extend -sandbox=setuid to -sandbox=setuid:johndoe to impersonolate into given user.
* executor: add support for 386 arch (COMPAT syscalls)Dmitry Vyukov2016-06-301-23/+23
| | | | | This is not fully working now: e.g. prog and sys packages assume that pointer size is 8. But at least it compiles and works.
* executor: don't consider failures to remove temp dirs as crashesDmitry Vyukov2016-06-281-6/+6
| | | | | | | There is a number of known, low-frequency reasons for failures in remove_dir. Make the failures non-fatal. Fixes #45
* executor: prevent test processes from ptracing parent processesDmitry Vyukov2016-03-101-0/+17
|
* executor: ignore NOFILE errors during cleanupDmitry Vyukov2016-03-101-1/+8
| | | | This is a common source of false positives.
* executor: ignore the case when test process kills loop processDmitry Vyukov2016-03-101-1/+2
| | | | This lead to lots of false positives.
* executor: make loop killing non-fatalDmitry Vyukov2016-03-101-1/+4
|
* ipc: give executor some time to startupDmitry Vyukov2016-01-271-1/+5
| | | | | | Namespace-based sandbox can take some time to setup. In particular, lots of parallel executors block on net namespace creation.
* sys: open a bunch of new devicesDmitry Vyukov2016-01-261-2/+4
|
* sys: allow to open all devices as stopgapDmitry Vyukov2016-01-241-11/+23
|
* executor: restore nodropprivs modeDmitry Vyukov2016-01-231-15/+24
|
* executor: new namespace-based sandboxDmitry Vyukov2016-01-221-73/+208
|
* vm/adb: use a more reliable way to reboot devicesDmitry Vyukov2016-01-201-1/+6
|
* executor: start moving sandboxing code into executorDmitry Vyukov2016-01-201-0/+14
|
* executor: adopt for new kcovDmitry Vyukov2016-01-191-14/+16
| | | | Now kcov exposes only uintptr-sized PCs.
* sys: describe more dri syscallsDmitry Vyukov2016-01-161-0/+6
|
* executor: reportat after clang-format bug fixDmitry Vyukov2016-01-151-30/+12
| | | | http://reviews.llvm.org/rL257763
* executor: don't create all threads when spot a root syscallDmitry Vyukov2016-01-131-1/+1
|
* executor: don't print all waitpid debug messagesDmitry Vyukov2016-01-131-2/+5
|
* sys: introduce a generic syz_open_dev helper syscallDmitry Vyukov2016-01-131-29/+18
|
* sys: add support for /dev/snd/controlDmitry Vyukov2016-01-131-1/+17
|
* sys: support /dev/snd/seqDmitry Vyukov2016-01-111-0/+6
|
* executor: use mknodat instead of mknod (the latter is not implemented on ↵Dmitry Vyukov2016-01-111-1/+1
| | | | android)
* sys: add kvm supportDmitry Vyukov2016-01-081-17/+31
|
* executor: fix some bugs found by clangDmitry Vyukov2015-12-311-1/+4
|
* executor: get rid of sigtimedwaitDmitry Vyukov2015-12-241-43/+18
| | | | | Wait with spin loop instead. See the comment for explanation.
* executor: don't use WUNTRACED in waitDmitry Vyukov2015-12-241-3/+3
| | | | | | | WUNTRACED wait returns when child has stopped. That's not what we want to wait for. If it's stopped we need to timeout wait and kill the stopped child.
* prog: remove padding checkingDmitry Vyukov2015-12-231-54/+2
| | | | | So far it has found only false positives. Let's leave this to KMSAN.
* executor: fix collide modeDmitry Vyukov2015-12-231-1/+1
| | | | Don't wait for every other call.
* add a flag to disable setpgid syscallDmitry Vyukov2015-12-171-46/+46
| | | | It is broken on some of our test systems.
* executor: export syscall execution resultsDmitry Vyukov2015-12-171-0/+7
| | | | Errno can be used to guide fuzzing, or detect not implemented syscalls.
* executor: allow to wait for child processes without sigtimedwaitDmitry Vyukov2015-12-171-1/+24
| | | | We've hit 2 systems that mishandle sigtimedwait.
* sys: automatically add padding to structsDmitry Vyukov2015-12-171-9/+68
|
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-12 06:18:41 +0000