| | Commit message (Collapse) | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | executor: split a too long line | Dmitry Vyukov | 2017-08-24 | 1 | -1/+3 |
| * | all: support i386 arch | Dmitry Vyukov | 2017-08-19 | 1 | -6/+16 |
| | Update #191 | | | | |
| * | executor: reformat | Dmitry Vyukov | 2017-06-13 | 1 | -1/+1 |
| * | executor: don't define SYZ_ENABLE_TUN in executor | Andrey Konovalov | 2017-06-12 | 1 | -1/+0 |
| * | executor: split setup_main_process into smaller functions | Andrey Konovalov | 2017-06-12 | 1 | -1/+2 |
| * | csource: add EnableTun option | Andrey Konovalov | 2017-06-12 | 1 | -0/+1 |
| * | all: cleanup executor/ipc status checking | Michael Pratt | 2017-05-30 | 1 | -1/+2 |
| | This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed. | | | | |
| * | csource: reproduce crashes with fault injection | Dmitry Vyukov | 2017-05-26 | 1 | -8/+1 |
| * | all: add fault injection capability | Dmitry Vyukov | 2017-05-26 | 1 | -7/+48 |
| | Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next). | | | | |
| * | sys, executor: extract tcp sequence numbers from /dev/net/tun | Andrey Konovalov | 2017-05-26 | 1 | -0/+5 |
| | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program:<br>mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)<br>r0 = socket$inet_tcp(0x2, 0x1, 0x0)<br>bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)<br>listen(r0, 0x5)<br>syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})<br>syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)<br>syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})<br>r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)<br>established a TCP connection:<br>Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name<br>tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out<br>tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out<br>Similar program for IPv6:<br>mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)<br>r0 = socket$inet6_tcp(0xa, 0x1, 0x0)<br>bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)<br>listen(r0, 0x5)<br>syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})<br>syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)<br>syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})<br>r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)<br>Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name<br>tcp6 0 0 :::20001 :::* LISTEN 5527/a.out<br>tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out | | | | |
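The extraction step this commit describes, as an added example that is not syzkaller's code: a stand-alone C parser that takes a raw Ethernet frame as read from a TUN fd, handles IPv4 and IPv6, and returns the peer's sequence and acknowledgement numbers with every length field bounds-checked. The last two arguments of syz_extract_tcp_res in the programs above (0x1, 0x0) are read here as increments applied to seq and ack, which is an assumption; the helper ack_numbers_for_synack applies that +1 explicitly. The frame builder and its addresses are constructed for the test, it fills no checksums, and the IPv6 path assumes no extension headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not syzkaller's code: pull the TCP sequence/ack numbers out
 * of a raw Ethernet frame as read from a TUN/TAP fd, for IPv4 and IPv6. */

#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86dd
#define PROTO_TCP 6

struct tcp_res {
    uint32_t seq;  /* peer's sequence number, host byte order */
    uint32_t ack;  /* peer's acknowledgement number, host byte order */
    uint8_t flags; /* TCP flag byte, e.g. 0x12 = SYN|ACK */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Every length field is checked against the bytes actually received, so a
 * truncated or malformed frame yields -1 instead of an out-of-bounds read. */
int extract_tcp_res(const uint8_t *frame, size_t len, struct tcp_res *res)
{
    if (len < ETH_HLEN) return -1;
    const uint8_t *ip = frame + ETH_HLEN, *tcp;
    size_t iplen = len - ETH_HLEN, tcplen;
    uint16_t ethertype = rd16(frame + 12);

    if (ethertype == ETHERTYPE_IPV4) {
        if (iplen < 20 || (ip[0] >> 4) != 4 || ip[9] != PROTO_TCP) return -1;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = rd16(ip + 2);
        if (ihl < 20 || total < ihl || total > iplen) return -1;
        tcp = ip + ihl;
        tcplen = total - ihl;
    } else if (ethertype == ETHERTYPE_IPV6) {
        /* Assumption: TCP directly follows the fixed 40-byte header (no extension headers). */
        if (iplen < 40 || (ip[0] >> 4) != 6 || ip[6] != PROTO_TCP) return -1;
        size_t payload = rd16(ip + 4);
        if (payload > iplen - 40) return -1;
        tcp = ip + 40;
        tcplen = payload;
    } else {
        return -1;
    }
    if (tcplen < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen) return -1; /* data offset must fit the segment */
    res->seq = rd32(tcp + 4);
    res->ack = rd32(tcp + 8);
    res->flags = tcp[13];
    return 0;
}

/* Numbers for the ACK that completes the handshake, given the peer's SYN-ACK:
 * continue from the peer's ack and acknowledge its ISN + 1 (the SYN consumes
 * one sequence number). Assumption: this is the 0x1 / 0x0 increment pair the
 * syz_extract_tcp_res calls above pass. */
void ack_numbers_for_synack(const struct tcp_res *synack, uint32_t *seq, uint32_t *ack)
{
    *seq = synack->ack;
    *ack = synack->seq + 1;
}

/* Constructed test frame: Ethernet + minimal IPv4 or IPv6 header + a 20-byte
 * TCP header with no payload. Checksums are left zero; they are not parsed
 * here. Returns the frame length. */
size_t build_tcp_frame(uint8_t *buf, int ipv6, uint32_t seq, uint32_t ack, uint8_t flags)
{
    size_t iphl = ipv6 ? 40 : 20, len = ETH_HLEN + iphl + 20;
    memset(buf, 0, len);
    memset(buf, 0xaa, 6);     /* destination MAC */
    memset(buf + 6, 0xbb, 6); /* source MAC */
    wr16(buf + 12, ipv6 ? ETHERTYPE_IPV6 : ETHERTYPE_IPV4);
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + iphl;
    if (ipv6) {
        ip[0] = 0x60;      /* version 6 */
        wr16(ip + 4, 20);  /* payload length */
        ip[6] = PROTO_TCP; /* next header */
        ip[7] = 64;        /* hop limit */
    } else {
        ip[0] = 0x45;      /* version 4, IHL 5 */
        wr16(ip + 2, 40);  /* total length */
        ip[8] = 64;        /* TTL */
        ip[9] = PROTO_TCP;
    }
    wr16(tcp, 20001);     /* source port */
    wr16(tcp + 2, 20000); /* destination port */
    wr32(tcp + 4, seq);
    wr32(tcp + 8, ack);
    tcp[12] = 5 << 4;     /* data offset: 5 words */
    tcp[13] = flags;
    return len;
}
```

The parser rejects a frame whose IP total length exceeds the bytes read, which is what a short read from the TUN fd looks like; feeding the extracted numbers into the next emitted packet without that check would let a truncated frame steer an out-of-bounds read.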
| * | executor: increase syscall timeout in debug mode | Dmitry Vyukov | 2017-05-23 | 1 | -1/+2 |
| | Debug output takes time, so 20ms is not enough for almost any syscall. Give a syscall 500ms in debug before considering it blocked. | | | | |
| * | prog, executor: move checksum computation to executor | Andrey Konovalov | 2017-05-12 | 1 | -0/+54 |
| | This commit moves checksum computation to executor. This will allow embedding dynamically generated values (like TCP sequence numbers) into packets. | | | | |
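An added example, not the executor's own checksum code, of why the checksum has to be computed last: RFC 1071 one's-complement checksums for an IPv4 header and for a TCP segment over its IPv4 pseudo-header, applied to a constructed 40-byte packet after its sequence number is written, and re-checked after that number changes. The 20-byte header used as a known-answer test is the usual textbook example whose checksum is 0xb861; the packet addresses and ports are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the executor's code: RFC 1071 checksums for an IPv4
 * header and for a TCP segment over its IPv4 pseudo-header, computed only
 * after the sequence number has been written into the packet. */

static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)                  /* odd trailing byte is padded with a zero */
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)         /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Header checksum with the checksum field (bytes 10-11) treated as zero. Both
 * partial sums start at even offsets, so 16-bit word alignment is preserved. */
uint16_t ipv4_header_checksum(const uint8_t *ip)
{
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint32_t sum = csum_add(0, ip, 10);
    sum = csum_add(sum, ip + 12, ihl - 12);
    return csum_finish(sum);
}

int ipv4_checksum_ok(const uint8_t *ip) { return ipv4_header_checksum(ip) == rd16(ip + 10); }

/* TCP checksum: pseudo-header (src, dst, zero, protocol, TCP length), then the
 * segment with its checksum field (bytes 16-17) treated as zero. */
uint16_t tcp_checksum_ipv4(const uint8_t *ip, const uint8_t *tcp, size_t tcplen)
{
    uint8_t pseudo[12];
    if (tcplen < 20) return 0;   /* not a TCP header; caller must validate lengths first */
    memcpy(pseudo, ip + 12, 8);  /* source and destination addresses */
    pseudo[8] = 0;
    pseudo[9] = 6;               /* IPPROTO_TCP */
    wr16(pseudo + 10, (uint16_t)tcplen);
    uint32_t sum = csum_add(0, pseudo, sizeof pseudo);
    sum = csum_add(sum, tcp, 16);
    sum = csum_add(sum, tcp + 18, tcplen - 18);
    return csum_finish(sum);
}

int tcp_checksum_ok_ipv4(const uint8_t *ip, const uint8_t *tcp, size_t tcplen)
{
    return tcp_checksum_ipv4(ip, tcp, tcplen) == rd16(tcp + 16);
}

/* Builds a constructed 40-byte IPv4+TCP packet (no payload) carrying seq, then
 * fills both checksums. The TCP sum covers the sequence number, so it can only
 * be computed once that value is final. Returns the packet length. */
size_t build_packet(uint8_t *pkt, uint32_t seq)
{
    uint8_t *ip = pkt, *tcp = pkt + 20;
    memset(pkt, 0, 40);
    ip[0] = 0x45;                              /* version 4, IHL 5 */
    wr16(ip + 2, 40);                          /* total length */
    ip[8] = 64;                                /* TTL */
    ip[9] = 6;                                 /* protocol TCP */
    memcpy(ip + 12, "\xac\x14\x00\xbb", 4);    /* 172.20.0.187 (constructed) */
    memcpy(ip + 16, "\xac\x14\x00\xaa", 4);    /* 172.20.0.170 (constructed) */
    wr16(tcp, 20001);                          /* source port */
    wr16(tcp + 2, 20000);                      /* destination port */
    wr16(tcp + 4, (uint16_t)(seq >> 16));
    wr16(tcp + 6, (uint16_t)seq);
    tcp[12] = 5 << 4;                          /* data offset: 5 words */
    tcp[13] = 0x10;                            /* ACK */
    wr16(tcp + 14, 0x7000);                    /* window */
    wr16(tcp + 16, tcp_checksum_ipv4(ip, tcp, 20));
    wr16(ip + 10, ipv4_header_checksum(ip));
    return 40;
}

/* Textbook 20-byte header whose correct checksum is 0xb861 (checksum bytes zeroed). */
const uint8_t known_header[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
uint16_t known_header_checksum(void) { return ipv4_header_checksum(known_header); }
```

Patching a sequence number into a packet whose checksum was computed from a template is exactly the case the commit avoids: the TCP check below fails as soon as one bit of the sequence number changes, while the IP header checksum, which does not cover the payload, still verifies.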
| * | executor: bump per-call timeout | Dmitry Vyukov | 2017-04-25 | 1 | -1/+1 |
| | We've started seeing lots of vmalloc failures with the 200ms timeout. Turns out vmalloc has a check for fatal signals pending, so we were killing the process which caused vmalloc to fail. If vmalloc can take 200+ms, then we need to bump the timeout as it's not blocking that we want to catch. Bump the timeout to 500ms. | | | | |
| * | executor: support wrapping executor with an external sandbox process | Dmitry Vyukov | 2017-02-27 | 1 | -0/+10 |
| | If an external sandbox process wraps executor, the out pipe will be closed before the sandbox process exits; this will make the ipc package kill the sandbox. As a result, the sandbox process will exit with exit status 9 instead of the executor exit status (notably kRetryStatus). Consequently, ipc will treat it as a hard failure rather than a temporary failure. So we duplicate the exit status on the pipe. | | | | |
| * | executor: treat KCOV_ENABLE failure as transient | Dmitry Vyukov | 2017-02-15 | 1 | -2/+6 |
| | It fails with various errors (9, 14, 25); probably the fuzzer messes with the fd. | | | | |
| * | executor: increase kMaxCommands and add checks | Andrey Konovalov | 2017-02-08 | 1 | -1/+5 |
| * | executor: better protect output region from corruptions | Dmitry Vyukov | 2017-02-06 | 1 | -9/+18 |
| | Fuzzer invented another tricky way to corrupt the region. Map it at a hard to guess address. | | | | |
| * | executor: fix tun initialization when sandbox != none | Andrey Konovalov | 2017-01-31 | 1 | -4/+4 |
| * | all: implement edge coverage | Dmitry Vyukov | 2017-01-27 | 1 | -47/+122 |
| | Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces corpus ~6-7x (from ~35K to ~5K), this has profound effect on fuzzing efficiency. | | | | |
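An added example, not syzkaller's signal code, of the difference the commit describes: one trace of executed PCs reduced to basic-block signal (distinct PCs) and to edge signal (distinct previous-PC/PC pairs), plus the comparison that decides whether a candidate trace adds anything over a corpus trace. Edges are keyed exactly as 64-bit pairs here rather than hashed into a single word, and the traces and addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not syzkaller's signal code: basic-block vs. edge signal
 * derived from a trace of executed PCs. Edges are keyed exactly as
 * (previous PC, PC) pairs rather than hashed into one word. */

typedef struct { uint64_t from, to; } cov_key;

static int cmp_key(const void *x, const void *y)
{
    const cov_key *a = x, *b = y;
    if (a->from != b->from) return a->from < b->from ? -1 : 1;
    if (a->to != b->to) return a->to < b->to ? -1 : 1;
    return 0;
}

/* Turns a PC trace into a sorted, deduplicated key set. per_edge=0 keys each
 * PC on its own (basic-block coverage); per_edge=1 keys each transition, so a
 * loop (B->C->B) and a not-taken branch (B->D) become keys of their own.
 * out must have room for n entries; returns the number of distinct keys. */
size_t trace_keys(const uint64_t *pcs, size_t n, int per_edge, cov_key *out)
{
    uint64_t prev = 0; /* synthetic entry edge for the first PC */
    for (size_t i = 0; i < n; i++) {
        out[i].from = per_edge ? prev : 0;
        out[i].to = pcs[i];
        prev = pcs[i];
    }
    qsort(out, n, sizeof *out, cmp_key);
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (k == 0 || cmp_key(&out[k - 1], &out[i]) != 0)
            out[k++] = out[i];
    return k;
}

/* Size of the signal a single execution produces. */
size_t signal_size(const uint64_t *pcs, size_t n, int per_edge)
{
    cov_key *keys = malloc((n ? n : 1) * sizeof *keys);
    size_t k = trace_keys(pcs, n, per_edge, keys);
    free(keys);
    return k;
}

/* Keys of cand absent from corpus: the "new signal" that decides whether a
 * mutated program is worth keeping. Both key sets are sorted, so a single
 * merge pass suffices. */
size_t new_signal(const uint64_t *cand, size_t nc, const uint64_t *corpus, size_t nk, int per_edge)
{
    cov_key *a = malloc((nc ? nc : 1) * sizeof *a);
    cov_key *b = malloc((nk ? nk : 1) * sizeof *b);
    size_t na = trace_keys(cand, nc, per_edge, a);
    size_t nb = trace_keys(corpus, nk, per_edge, b);
    size_t fresh = 0, j = 0;
    for (size_t i = 0; i < na; i++) {
        while (j < nb && cmp_key(&b[j], &a[i]) < 0)
            j++;
        if (j == nb || cmp_key(&b[j], &a[i]) != 0)
            fresh++;
    }
    free(a);
    free(b);
    return fresh;
}

/* Constructed traces over four basic blocks A..D at made-up addresses. */
const uint64_t trace_line[]   = { 0x1000, 0x1010, 0x1020, 0x1030 };                 /* A B C D */
const uint64_t trace_branch[] = { 0x1000, 0x1010, 0x1030 };                         /* A B D, C skipped */
const uint64_t trace_loop[]   = { 0x1000, 0x1010, 0x1020, 0x1010, 0x1020, 0x1030 }; /* A B C B C D */
```

With basic-block keys the loop trace and the straight-line trace are indistinguishable (both touch A, B, C, D), so the loop would never be added to a corpus seeded with the straight-line run; with edge keys the back edge C->B and the skip edge B->D each count as new signal.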
| * | adb: executor: Revert to adb reboot | Billy Lau | 2017-01-26 | 1 | -5/+0 |
| | Using `adb shell syz-executor reboot` to reboot devices has stopped working with the recent Android update, probably due to the intro of seccomp. I have reverted the device reboot logic to use `adb shell reboot` although it can be flaky at times so that we can continue to fuzz on devices, until a more reliable solution can be sought out. | | | | |
| * | executor: protect against memory corruptions better | Dmitry Vyukov | 2017-01-25 | 1 | -1/+1 |
| | Fuzzer has figured out how to corrupt input/output shmem regions abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative text_size value that causes the memcpy to overwrite shmem regions. Protect better against such cases:<br>1. Make text_size unsigned (there is already a check that it is less than 1000).<br>2. Map input region as readable only, we don't write to it.<br>3. Add address sanity check to segv_handler, if we see that we are writing into executable data, it's better to crash instantly. | | | | |
| * | executor: reduce syscall blocking delay from 100ms to 20ms | Dmitry Vyukov | 2017-01-20 | 1 | -2/+2 |
| | Syscalls frequently block and this affects fuzzing speed. 20ms should be more than enough for a normal syscall to finish. | | | | |
| * | prog: add bitfields to templates | Andrey Konovalov | 2017-01-17 | 1 | -8/+13 |
| | Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field. This fixes #72. | | | | |
| * | sys: extend kvm support | Dmitry Vyukov | 2017-01-09 | 1 | -0/+2 |
| | Add new pseudo syscall syz_kvm_setup_cpu that sets up a VCPU in interesting states for execution. KVM is too difficult to setup otherwise. Lots of improvements possible, but this is a starting point. | | | | |
| * | executor: increase coverage size from 16K to 64K PCs | Dmitry Vyukov | 2017-01-09 | 1 | -1/+1 |
| | On some KVM syscalls coverage reaches 36K+ PCs. | | | | |
| * | executor: handle exit failures | Dmitry Vyukov | 2016-12-08 | 1 | -2/+1 |
| | See the added comment for explanation. | | | | |
| * | executor: change the way we wait for children | Dmitry Vyukov | 2016-12-05 | 1 | -6/+8 |
| | waitpid(pid) does not work if child invokes ptrace(PTRACE_TRACEME): https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU Use waitpid(-1) instead. | | | | |
| * | executor: don't try to open tun if it's not enabled | Andrey Konovalov | 2016-12-02 | 1 | -1/+3 |
| * | executor: emit ethernet traffic | Andrey Konovalov | 2016-11-29 | 1 | -1/+3 |
| * | repro: factor out of syz-repro tool | Dmitry Vyukov | 2016-11-19 | 1 | -308/+3 |
| | Factor out repro logic from syz-repro tool, so that it can be used in syz-manager. Also, support sandboxes in code generated by csource. This is required to reproduce crashes that require e.g. namespace sandbox. | | | | |
| * | csource: teach how to execute pseudo syz_ syscalls | Dmitry Vyukov | 2016-08-28 | 1 | -106/+3 |
| | Update #59 | | | | |
| * | executor, csource: share some common code between executor and csource | Dmitry Vyukov | 2016-08-28 | 1 | -35/+7 |
| * | executor: add experimental mode to skip paging faults | Dmitry Vyukov | 2016-08-22 | 1 | -27/+65 |
| | Ignore SIGSEGV/SIGBUS during copyin/copyout of arguments. The memory may not be addressable. Ignoring them allows passing partially-addressable input data to the kernel. It's not clear yet whether it's a good idea or not. | | | | |
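An added example, not the executor's handler, of the two mechanisms from this commit and from the "protect against memory corruptions better" commit above combined: a copy that tolerates SIGSEGV/SIGBUS on unaddressable input by recovering through siglongjmp, and an address sanity check in the handler that treats a fault inside a must-not-write region as corruption rather than as bad input. The region is mapped read-only here so that a stray write into it faults; safe_copy, map_protected_region and the return codes are this example's own names. The caller decides what to do with the corruption code; a production executor would crash instantly there.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Added example, not the executor's handler: a copy that survives faults on
 * unaddressable source or destination memory, with an address sanity check
 * that refuses to paper over a fault inside a must-not-write region. */

enum { COPY_OK = 0, COPY_FAULT = -1, COPY_CORRUPTION = -2 };

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t in_copy;
static uintptr_t protected_start, protected_len; /* region that must never be written */

static void fault_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    if (!in_copy) {             /* not a fault we expect: fall back to the default action */
        signal(sig, SIG_DFL);
        return;                 /* the faulting instruction re-executes and kills the process */
    }
    uintptr_t a = (uintptr_t)info->si_addr;
    int inside = a >= protected_start && a - protected_start < protected_len;
    siglongjmp(fault_jmp, inside ? 2 : 1); /* 2 = corruption, 1 = unaddressable input */
}

/* Copies n bytes one at a time so a fault leaves the addressable prefix copied.
 * Returns COPY_OK, COPY_FAULT if src or dst was not addressable, or
 * COPY_CORRUPTION if the fault hit the protected region (caller should abort). */
int safe_copy(void *dst, const void *src, size_t n)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int rc = sigsetjmp(fault_jmp, 1); /* 1: restore the signal mask on longjmp */
    if (rc == 0) {
        in_copy = 1;
        volatile uint8_t *d = dst;
        const volatile uint8_t *s = src;
        for (size_t i = 0; i < n; i++)
            d[i] = s[i];
        rc = COPY_OK;
    } else {
        rc = (rc == 2) ? COPY_CORRUPTION : COPY_FAULT;
    }
    in_copy = 0;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

/* Maps len bytes read-only and registers them as the protected region, so any
 * write there faults and is classified as corruption. Returns NULL on failure. */
void *map_protected_region(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    protected_start = (uintptr_t)p;
    protected_len = len;
    return p;
}

/* Maps len bytes with no access at all: a stand-in for partially-addressable input. */
void *map_unreadable(size_t len)
{
    void *p = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
```

The handler only recovers while in_copy is set; a fault anywhere else restores the default disposition and lets the process die, so the skip-faults mode cannot hide a genuine crash in the executor itself.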
| * | executor: revive setuid sandbox | Dmitry Vyukov | 2016-07-01 | 1 | -15/+76 |
| | The new namespace-based sandboxing is good, but it's not always what one wants (and also requires special kernel configs). Change dropprivs config value to sandbox, which can have different values (currently: none, setuid, namespace). Setuid mode uses setuid(nobody) before fuzzing as before. In future we can add more sandboxing modes or, say, extend -sandbox=setuid to -sandbox=setuid:johndoe to impersonate the given user. | | | | |
| * | executor: add support for 386 arch (COMPAT syscalls) | Dmitry Vyukov | 2016-06-30 | 1 | -23/+23 |
| | This is not fully working now: e.g. prog and sys packages assume that pointer size is 8. But at least it compiles and works. | | | | |
| * | executor: don't consider failures to remove temp dirs as crashes | Dmitry Vyukov | 2016-06-28 | 1 | -6/+6 |
| | There is a number of known, low-frequency reasons for failures in remove_dir. Make the failures non-fatal. Fixes #45 | | | | |
| * | executor: prevent test processes from ptracing parent processes | Dmitry Vyukov | 2016-03-10 | 1 | -0/+17 |
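An added example, not the executor's sandbox code, of what the setuid sandbox from the "revive setuid sandbox" commit and the ptrace protection in the commit above amount to on Linux: dropping to a given uid/gid with setresgid/setresuid (supplementary groups first, then gid, then uid), verifying that the drop cannot be undone, and clearing the dumpable flag so that other processes of the same uid (such as the test processes this sandbox spawns) cannot ptrace the parent. The commit does not say how it prevents ptracing; PR_SET_DUMPABLE is this example's choice. sandbox_as_user resolves the name with getpwnam, so running it for a real user needs root; the non-Linux fallback uses plain setgid/setuid.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Added example, not the executor's sandbox code: an irrevocable, verified
 * drop to an unprivileged uid/gid, plus clearing the dumpable flag so that
 * same-uid processes (the test processes) cannot ptrace this one. */

/* Order matters: supplementary groups and the gid need root, so they go first;
 * setres*id changes real, effective and saved ids together so nothing can be
 * restored with seteuid() later. Returns 0, or -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* clear supplementary groups */
        return -1;
#ifdef __linux__
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0 ||
        ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid) {
        errno = EPERM; /* the drop did not take: never continue silently */
        return -1;
    }
#else
    if (setgid(gid) != 0 || setuid(uid) != 0) /* from root, setuid() also sets the saved id */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
#endif
    if (uid != 0 && setuid(0) == 0) { /* regaining root must be impossible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* A non-dumpable process cannot be ptraced by another process of the same uid
 * without CAP_SYS_PTRACE, and produces no core dump. Linux only. */
int make_undumpable(void)
{
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* What a -sandbox=setuid:<user> option would do: resolve the user, drop to it,
 * and close the ptrace door. Needs root to switch to a different user. */
int sandbox_as_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
        return -1;
    return make_undumpable();
}
```

The verification step is the part most setuid sandboxes skip: a setuid() that fails with EPERM and is not checked leaves the fuzzer running as root, and the later setuid(0) probe catches a saved uid that was left behind.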
| * | executor: ignore NOFILE errors during cleanup | Dmitry Vyukov | 2016-03-10 | 1 | -1/+8 |
| | This is a common source of false positives. | | | | |
| * | executor: ignore the case when test process kills loop process | Dmitry Vyukov | 2016-03-10 | 1 | -1/+2 |
| | This led to lots of false positives. | | | | |
| * | executor: make loop killing non-fatal | Dmitry Vyukov | 2016-03-10 | 1 | -1/+4 |
| * | ipc: give executor some time to startup | Dmitry Vyukov | 2016-01-27 | 1 | -1/+5 |
| | Namespace-based sandbox can take some time to setup. In particular, lots of parallel executors block on net namespace creation. | | | | |
| * | sys: open a bunch of new devices | Dmitry Vyukov | 2016-01-26 | 1 | -2/+4 |
| * | sys: allow to open all devices as stopgap | Dmitry Vyukov | 2016-01-24 | 1 | -11/+23 |
| * | executor: restore nodropprivs mode | Dmitry Vyukov | 2016-01-23 | 1 | -15/+24 |
| * | executor: new namespace-based sandbox | Dmitry Vyukov | 2016-01-22 | 1 | -73/+208 |
| * | vm/adb: use a more reliable way to reboot devices | Dmitry Vyukov | 2016-01-20 | 1 | -1/+6 |
| * | executor: start moving sandboxing code into executor | Dmitry Vyukov | 2016-01-20 | 1 | -0/+14 |
| * | executor: adopt for new kcov | Dmitry Vyukov | 2016-01-19 | 1 | -14/+16 |
| | Now kcov exposes only uintptr-sized PCs. | | | | |
| * | sys: describe more dri syscalls | Dmitry Vyukov | 2016-01-16 | 1 | -0/+6 |
| * | executor: reformat after clang-format bug fix | Dmitry Vyukov | 2016-01-15 | 1 | -30/+12 |
| | http://reviews.llvm.org/rL257763 | | | | |
