| | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | executor: reapply setuid sandbox for bsd | Greg Steuck | 2018-12-11 | 1 | -0/+6 |
| | * Revert "Revert "executor: add setuid sandbox for openbsd"". The problem is the low file descriptor limit. This reverts commit 4093e33b1338f274ae0062f555de9d6af8640d61. * executor/executor: make sure the file descriptor limit is sufficient. | | | | |
| * | executor: fix handling of big-endian bitfields | Dmitry Vyukov | 2018-12-08 | 1 | -23/+39 |
| | Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin. This leads to a totally bogus result. Fix this. | | | | |
| * | executor: make the debug output useful for race condition debugging | Alexander Popov | 2018-09-24 | 1 | -26/+38 |
| | Sometimes race conditions are reproduced by syz-execprog and are not reproduced by the programs generated with syz-prog2c. In such cases it's very helpful to know when exactly the fuzzing syscalls are executed. Unfortunately, adding timestamps to the output of the original 'debug' mode doesn't work. This mode provides very verbose output, which slows down the executor and breaks the repro. So let's make the executor debug output less verbose and add the timestamps. Signed-off-by: Alexander Popov <alex.popov@linux.com> | | | | |
| * | executor: fix build | Dmitry Vyukov | 2018-09-20 | 1 | -0/+13 |
| | Move debug_dump_data back to executor.cc. debug_dump_data in common_linux.h does not play well with the pkg/csource debug stripping logic. It strips a large random piece of code since it thinks the debug_dump_data definition is actually a debug_dump_data call site. | | | | |
| * | executor: fix build | Dmitry Vyukov | 2018-09-20 | 1 | -3/+3 |
| | Fix build after "executor: remove unused var flag_sandbox_privs". Some variables/functions can't be static as they are unused on some OSes, which produces unused warnings. | | | | |
| * | executor: move debug_dump_data() into common_linux.h | Anton Lindqvist | 2018-09-20 | 1 | -13/+0 |
| | Compiling the executor on OpenBSD currently fails: executor/executor.cc:1316:6: error: unused function 'debug_dump_data' | | | | |
| * | executor: remove unused var flag_sandbox_privs | Dmitry Vyukov | 2018-09-17 | 1 | -32/+31 |
| | Remove unused var flag_sandbox_privs (which was used for what?). Declare all variables as static to detect such cases in the future. | | | | |
| * | executor: make sandboxes more modular | Dmitry Vyukov | 2018-09-17 | 1 | -0/+6 |
| | Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to be updated to say that they don't support this sandbox). Let each OS say what sandboxes it supports instead. | | | | |
| * | RFC: android: Add support for untrusted_app sandboxing (#697) | Zach Riggle | 2018-09-17 | 1 | -3/+10 |
| | executor: add support for android_untrusted_app sandbox. This adds a new sandbox type, 'android_untrusted_app', which restricts syz-executor to the privileges which are available to third-party applications, e.g. those installed from the Google Play store. In particular, this uses the UID space reserved for applications (instead of the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534) as well as a set of groups which the Android-specific kernels are aware of, and finally ensures that the SELinux context is set appropriately. Dependencies on libselinux are avoided by manually implementing the few functions that are needed to change the context of the current process, and arbitrary files. The underlying mechanisms are relatively simple. Fixes google/syzkaller#643. Test: make presubmit. Bug: http://b/112900774 | | | | |
| * | Add mandatory OpenBSD bits (#689) | Anton Lindqvist | 2018-08-28 | 1 | -1/+1 |
| | all: add openbsd support. Squash of the following commits: * openbsd: add mandatory bits * report: add OpenBSD support * executor: skip building kvm on OpenBSD * executor: add OpenBSD support (linking against libutil is necessary due to usage of openpty(3)) * executor: fix typo in fail() message * fixup! report: add OpenBSD support * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! openbsd: add mandatory bits * fixup! report: add OpenBSD support * gometalinter: skip sys/openbsd | | | | |
| * | executor: mount binfmt_misc | Dmitry Vyukov | 2018-08-09 | 1 | -1/+2 |
| | We forgot to mount binfmt_misc. Mount it. Add a test. Increase per-call timeout, otherwise the last execve times out. Fix csource waiting for call completion at the end of program. | | | | |
| * | executor: remap cover fd's to higher values | Dmitry Vyukov | 2018-08-08 | 1 | -4/+8 |
| | Remap cover fd's to the 24x range to prevent interference with fd's used during fuzzing and also to make fd numbers consistent with/without cover enabled. | | | | |
| * | executor: collect coverage from unfinished syscalls | Dmitry Vyukov | 2018-07-29 | 1 | -117/+158 |
| | Write coverage from unfinished syscalls. Also detect when a syscall was blocked during execution, even if it finished. Helpful for fallback coverage. Fixes #580 | | | | |
| * | pkg/csource: tidy generated code | Dmitry Vyukov | 2018-07-27 | 1 | -1/+0 |
| | 1. Remove unnecessary includes. 2. Remove thunk function in threaded mode. 3. Inline syscalls into main for the simplest case. 4. Define main in common.h rather than form with printfs. 5. Fix generation for repeat mode (we had 2 infinite loops: in main and in loop). 6. Remove unused functions (setup/reset_loop, setup/reset_test, sandbox_namespace, etc). | | | | |
| * | executor: overhaul | Dmitry Vyukov | 2018-07-24 | 1 | -0/+1269 |
| | Make as much code as possible shared between all OSes. In particular main is now common across all OSes. Make more code shared between executor and csource (in particular, loop function and threaded execution logic). Also make loop and threaded logic shared across all OSes. Make more posix/unix code shared across OSes (e.g. signal handling, pthread creation, etc). Plus other changes along similar lines. Also support test OS in executor (based on portable posix) and add 4 arches that cover all execution modes (fork server/no fork server, shmem/no shmem). This change paves the way for testing of executor code and allows preserving consistency across OSes and executor/csource. | | | | |
| * | executor: split source per-OS | Dmitry Vyukov | 2017-09-20 | 1 | -1001/+0 |
| | Update #191 | | | | |
| * | executor: remove unused headers | Dmitry Vyukov | 2017-09-20 | 1 | -2/+0 |
| | | |||||
| * | syz-manager, syz-fuzzer, executor: ensure that binaries are consistent | Dmitry Vyukov | 2017-09-15 | 1 | -0/+9 |
| | Check that manager/fuzzer/executor are built on the same git revision, use the same syscall descriptions and the same target arch. Update #336 | | | | |
| * | pkg/csource: support archs other than x86_64 | Dmitry Vyukov | 2017-09-15 | 1 | -2/+3 |
| | | |||||
| * | executor: fix 32-bit mode | Dmitry Vyukov | 2017-09-05 | 1 | -5/+1 |
| | The correct type is kernel long size, not user-space long size. We approximate it with uint64. | | | | |
| * | sys: improve timespec/timeval generation | Dmitry Vyukov | 2017-09-05 | 1 | -0/+2 |
| | | |||||
| * | executor, ipc: modify the IO between KCOV<->executor<->fuzzer | Victor Chibotaru | 2017-08-30 | 1 | -37/+116 |
| | Now the executor is able to read comparison data from KCOV and write it to the fuzzer. | | | | |
| * | executor, fuzzer: change the way Syzkaller opens the KCOV device | Victor Chibotaru | 2017-08-30 | 1 | -18/+38 |
| | We have implemented a new version of KCOV, which is able to dump comparison operands' data, obtained from Clang's instrumentation hooks __sanitizer_cov_trace_cmp[1248], __sanitizer_cov_trace_const_cmp[1248] and __sanitizer_cov_trace_switch. The current KCOV implementation can work in two modes: "Dump only the PCs" or "Dump only comparisons' data". Mode selection is done by the following series of calls: fd = open(KCOV_PATH, ...); // works as previous; ioctl(fd, KCOV_INIT_TRACE, ...); // works as previous; mmap(fd, ...); // works as previous; ioctl(fd, KCOV_ENABLE, mode); // mode = KCOV_MODE_TRACE_CMP or mode = KCOV_MODE_TRACE_PC. Note that this new interface is backwards compatible, as old KCOV devices will just return -EINVAL for the last ioctl. This way we can distinguish if the KCOV device is able to dump the comparisons. Main changes in this commit: 1. Fuzzer now checks at startup which type (new/old) of KCOV device is running. 2. Executor now receives an additional flag, which indicates if the executor should read the comparisons data from KCOV. The flag works on a per-call basis, so the executor can collect PCs or Comps for each individual syscall. | | | | |
| * | executor: split a too long line | Dmitry Vyukov | 2017-08-24 | 1 | -1/+3 |
| | | |||||
| * | all: support i386 arch | Dmitry Vyukov | 2017-08-19 | 1 | -6/+16 |
| | Update #191 | | | | |
| * | executor: reformat | Dmitry Vyukov | 2017-06-13 | 1 | -1/+1 |
| | | |||||
| * | executor: don't define SYZ_ENABLE_TUN in executor | Andrey Konovalov | 2017-06-12 | 1 | -1/+0 |
| | | |||||
| * | executor: split setup_main_process into smaller functions | Andrey Konovalov | 2017-06-12 | 1 | -1/+2 |
| | | |||||
| * | csource: add EnableTun option | Andrey Konovalov | 2017-06-12 | 1 | -0/+1 |
| | | |||||
| * | all: cleanup executor/ipc status checking | Michael Pratt | 2017-05-30 | 1 | -1/+2 |
| | This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed. | | | | |
| * | csource: reproduce crashes with fault injection | Dmitry Vyukov | 2017-05-26 | 1 | -8/+1 |
| | | |||||
| * | all: add fault injection capability | Dmitry Vyukov | 2017-05-26 | 1 | -7/+48 |
| | Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next). | | | | |
| * | sys, executor: extract tcp sequence numbers from /dev/net/tun | Andrey Konovalov | 2017-05-26 | 1 | -0/+5 |
| | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name; tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out; tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out. Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name; tcp6 0 0 :::20001 :::* LISTEN 5527/a.out; tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out | | | | |
| * | executor: increase syscall timeout in debug mode | Dmitry Vyukov | 2017-05-23 | 1 | -1/+2 |
| | Debug output takes time, so 20ms is not enough for almost any syscall. Give a syscall 500ms in debug before considering it blocked. | | | | |
| * | prog, executor: move checksum computation to executor | Andrey Konovalov | 2017-05-12 | 1 | -0/+54 |
| | This commit moves checksum computation to the executor. This will allow embedding dynamically generated values (like TCP sequence numbers) into packets. | | | | |
| * | executor: bump per-call timeout | Dmitry Vyukov | 2017-04-25 | 1 | -1/+1 |
| | We've started seeing lots of vmalloc failures with the 200ms timeout. Turns out vmalloc has a check for fatal signals pending, so we were killing the process which caused vmalloc to fail. If vmalloc can take 200+ms, then we need to bump the timeout as it's not blocking that we want to catch. Bump the timeout to 500ms. | | | | |
| * | executor: support wrapping executor with an external sandbox process | Dmitry Vyukov | 2017-02-27 | 1 | -0/+10 |
| | If an external sandbox process wraps the executor, the out pipe will be closed before the sandbox process exits; this will make the ipc package kill the sandbox. As a result the sandbox process will exit with exit status 9 instead of the executor exit status (notably kRetryStatus). Consequently, ipc will treat it as a hard failure rather than a temporary failure. So we duplicate the exit status on the pipe. | | | | |
| * | executor: treat KCOV_ENABLE failure as transient | Dmitry Vyukov | 2017-02-15 | 1 | -2/+6 |
| | It fails with various errors (9, 14, 25), probably the fuzzer messes with the fd. | | | | |
| * | executor: increase kMaxCommands and add checks | Andrey Konovalov | 2017-02-08 | 1 | -1/+5 |
| | | |||||
| * | executor: better protect output region from corruptions | Dmitry Vyukov | 2017-02-06 | 1 | -9/+18 |
| | Fuzzer invented another tricky way to corrupt the region. Map it at a hard to guess address. | | | | |
| * | executor: fix tun initialization when sandbox != none | Andrey Konovalov | 2017-01-31 | 1 | -4/+4 |
| | | |||||
| * | all: implement edge coverage | Dmitry Vyukov | 2017-01-27 | 1 | -47/+122 |
| | Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides a better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces the corpus ~6-7x (from ~35K to ~5K); this has a profound effect on fuzzing efficiency. | | | | |
| * | adb: executor: Revert to adb reboot | Billy Lau | 2017-01-26 | 1 | -5/+0 |
| | Using `adb shell syz-executor reboot` to reboot devices has stopped working with the recent Android update, probably due to the intro of seccomp. I have reverted the device reboot logic to use `adb shell reboot` although it can be flaky at times so that we can continue to fuzz on devices, until a more reliable solution can be sought out. | | | | |
| * | executor: protect against memory corruptions better | Dmitry Vyukov | 2017-01-25 | 1 | -1/+1 |
| | Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases: 1. Make text_size unsigned (there is already a check that it is less than 1000). 2. Map input region as readable only, we don't write to it. 3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly. | | | | |
| * | executor: reduce syscall blocking delay from 100ms to 20ms | Dmitry Vyukov | 2017-01-20 | 1 | -2/+2 |
| | Syscalls frequently block and this affects fuzzing speed. 20ms should be more than enough for a normal syscall to finish. | | | | |
| * | prog: add bitfields to templates | Andrey Konovalov | 2017-01-17 | 1 | -8/+13 |
| | Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field. This fixes #72. | | | | |
| * | sys: extend kvm support | Dmitry Vyukov | 2017-01-09 | 1 | -0/+2 |
| | Add new pseudo syscall syz_kvm_setup_cpu that sets up a VCPU into interesting states for execution. KVM is too difficult to set up otherwise. Lots of improvements possible, but this is a starting point. | | | | |
| * | executor: increase coverage size from 16K to 64K PCs | Dmitry Vyukov | 2017-01-09 | 1 | -1/+1 |
| | On some KVM syscalls coverage reaches 36K+ PCs. | | | | |
| * | executor: handle exit failures | Dmitry Vyukov | 2016-12-08 | 1 | -2/+1 |
| | See the added comment for explanation. | | | | |
| * | executor: change the way we wait for children | Dmitry Vyukov | 2016-12-05 | 1 | -6/+8 |
| | waitpid(pid) does not work if the child invokes ptrace(PTRACE_TRACEME): https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU Use waitpid(-1) instead. | | | | |
