| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This makes it easier to figure out where the flags go by grepping for them
by name.
No functional change intended.
|
| |
|
|
|
|
| |
Output area may be remapped from several different processes (i.e. after
forking), so we should not assume that the suggested base address will
be the same.
|
| |
|
|
|
|
|
|
|
|
|
| |
For ASAN builds, assume that the executable is dynamically linked and
that the addresses in HighMem may be occupied by the libraries.
Otherwise, use fixed addresses both for the input and the output area.
Before, input area was mapped at an arbitrary location and the default
output area location for ASAN builds was sometimes overlapping with it.
Use MAP_FIXED_NOREPLACE to prevent such overlappings in the first place.
|
| |
|
|
| |
This reverts commit dce63a35b1bfe856335d8334bcd75f5412157309.
|
| |
|
|
|
|
|
|
|
| |
Right now closing a kcov fd on Linux won't disable coverage, so further
attempts to open an fd and enable coverage on the same thread will
not work.
Add cover_close() which will disable the coverage if necessary, and
close the file descriptor.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
On different platforms and in different coverage collection modes
the pointer to the beginning of kcov buffer may or may not differ
from the pointer to the region that mmap() returned.
Decouple these two pointers, so that the memory is always allocated
and deallocated with cov->mmap_alloc_ptr and cov->mmap_alloc_size, and the
buffer is accessed via cov->data and cov->data_size.
I tried my best to not break Darwin and BSD, but I did not test them.
|
| |
|
|
|
|
|
|
|
|
|
| |
For ASAN builds, assume that the executable is dynamically linked and
that the addresses in HighMem may be occupied by the libraries.
Otherwise, use fixed addresses both for the input and the output area.
Before, input area was mapped at an arbitrary location and the default
output area location for ASAN builds was sometimes overlapping with it.
Use MAP_FIXED_NOREPLACE to prevent such overlappings in the first place.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the
kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the
coverage buffer on the kernel side. This, in turn, allows us to map the
coverage buffer read-only, which will prevent all sorts of
userspace-generated corruptions at a cost of an extra syscall per program
execution.
The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on
read-only coverage in the executor. It is enabled by default
if FeatureKcovResetIoctl is on.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During machine checks, syzkaller will execute calls with coverage
disabled, in which case per-thread coverage structures are zeroed out.
write_output() will temporarily map the coverage data as writeable via
CoverAccessScope, whether or not cover is enabled. In effect,
write_output() may trigger a call mprotect(0, kCoverSize, PROT_RW).
On FreeBSD, mprotect() silently ignores unmapped regions, so this does
not result in an error. In fact, kCoverSize is now large enough that
this ends up removing the eXecute bit from part of syz-executor's text
region.
Make CoverAccessScope a no-op if coverage is not enabled. Modify BSD
cover_protect() and cover_unprotect() to fail if invoked when coverage
is disabled.
|
| |
|
|
| |
Some environments don't define MAP_FIXED_NOREPLACE.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
MAP_FIXED_NOREPLACE allows to fail early if we happened to overlap with
an existing memory mapping. It should help detects bugs #5674 at an
earlier stage, before it led to memory corruptions.
MAP_FIXED_NOREPLACE is supported from Linux 4.17, which is okay for all
syzkaller use cases on syzbot.
There's no such option for some of the supported OSes, so set it
depending on the configuration we're building for.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We query globs for 2 reasons:
1. Expand glob types in syscall descriptions.
2. Dynamic file probing for automatic descriptions generation.
In both of these contexts are are interested in files
that will be present during test program execution
(rather than normal unsandboxed execution).
For example, some files may not be accessible to test programs
after pivot root. On the other hand, we create and link
some additional files for the test program that don't
normally exist.
Add a new request type for querying of globs that are
executed in the test program context.
|
| |
|
|
|
|
|
| |
Currently we write coverage backwards.
This is visible e.g. when running syz-execprog -coverfile,
and in the manager raw cover mode.
Write it in the right order.
|
| |
|
|
|
|
|
|
|
|
|
| |
The coverage buffer frequently overflows.
We cannot increase it radically b/c they consume lots of memory
(num procs x num kcovs x buffer size) and lead to OOM kills
(at least with 8 procs and 2GB KASAN VM).
So increase it 2x and slightly reduce number of threads/kcov descriptors.
However, in snapshot mode we can be more aggressive (only 1 proc).
This reduces number of overflows by ~~2-4x depending on syscall.
|
| |
|
|
|
| |
If the overflows happen often, it's bad.
Add visibility into this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we kill hanged processes and consider the corresponding test finished.
We don't kill/wait for the actual test subprocess (we don't know its pid to kill,
and waiting will presumably hang). This has 2 problems:
1. If the hanged process causes "task hung" report, we can't reproduce it,
since the test finished too long ago (manager thinks its finished and
discards the request).
2. The test process still consumed per-pid resources.
Explicitly detect and handle such cases:
Manager keeps these hanged tests forever,
and we assign a new proc id for future processes
(don't reuse the hanged one).
|
| |
|
|
|
| |
Reset coverage right before scheduling next syscall for execution.
See the added comment for details.
|
| |
|
|
|
|
|
| |
Protect KCOV regions with pkeys if they are available.
Protect output region with pkeys in snapshot mode.
Snapshot mode is especially sensitive to output buffer corruption
since its location is not randomized.
|
| |
|
|
|
| |
It's not necessary to set process name in snapshot mode
since we execute only 1 program each time.
|
| |
|
|
| |
Fixes #5143
|
| |
|
|
| |
Distribute triage requests to different VMs.
|
| | |
|
| |
|
|
|
|
|
|
| |
We never reset remote coverage, so if there is one block,
we will write it after every call and multiple times at the end.
It can lead to "too many calls in output" and just writes quadratic
amount of coverage/signal.
Reset remote coverage after writing.
|
| |
|
|
| |
Check that we have at least command argument in the beginning.
|
| |
|
|
|
|
|
|
|
| |
We are getting too many generated candidates, the fuzzer may not keep up
with them at all (hints jobs keep growing infinitely). If a hint indeed came
from the input w/o transformation, then we should guess it on the first
attempt (or at least after few attempts). If it did not come from the input,
or came with a non-trivial transformation, then any number of attempts won't
help. So limit the total number of attempts (until the next restart).
|
| |
|
|
|
|
|
|
|
|
|
| |
This kind of deduplication is confusing for the fuzzer, which expects to
control the process itself (by MaxSignal and by specifying the calls for
which full signal must be returned).
There's also a chance that it may contribute to the difficulties during
program triage and minimization.
Let's err on the safe side and deduplicate signal only per-call.
|
| |
|
|
|
| |
This will allow to reuse finish_output function for snapshot mode as well.
NFC
|
| |
|
|
|
|
|
| |
Handle EINTR errors. Sometimes I see them happenning when running in debug mode.
Before the previous commit, each such error was printed to output and detected
as a bug. Without debug these should be retried by restarting the process,
but still better to handle w/o restarting the process (may be expensive).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We see some errors of the form:
SYZFAIL: coverage filter is full
pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
Executor shouldn't send non kernel addresses in signal,
but somehow it does. It can happen if the VM memory is corrupted,
or if the test program does something very nasty (e.g. discovers
the output region and writes to it).
It's not possible to reliably filter signal in the tested VM.
Move all of the filtering logic to the host.
Fixes #4942
|
| |
|
|
|
|
| |
Currnetly we always write PCs into the buffer even if tracing comparisons.
Such bogus data will fail comparison consistentcy checks (type/pc)
and executor will crash. Don't trace PCs as comparisons.
|
| |
|
|
|
|
| |
We include a number of C++ headers in the runnner.
On FreeBSD some of them mention malloc, and our defines break the build.
Use the style test to check only our files for these things.
|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
executor/executor.cc: In function ‘uint64 read_input(uint8**, bool)’:
executor/executor.cc:1487:59: error: format ‘%zu’ expects argument of type
‘size_t’, but argument 3 has type ‘int’
[-Werror=format=]
executor/executor.cc:1495:67: error: format ‘%zu’ expects argument of type
‘size_t’, but argument 3 has type ‘int’
[-Werror=format=]
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
KCOV stores the number of KCOV comparisons in a coverage buffer always
as a 64-bit integer at offset 0 of the coverage buffer. Don't use
the field size of the coverage object which is initialized
in cover_collect() and size of which depends on kernel bitness because
this field is intended only for KCOV PC coverage and not for
KCOV comparisons.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
|
| |
|
|
|
|
| |
We ignore comparisons of kernel data/physical addresses b/c these
are not coming from user space. Ignore kernel text addresses
for the same reason.
|
| |
|
|
| |
Factor out is_kernel_pc helper and add kernel pc range for test OS for testing.
|
| | |
|
| |
|
|
|
|
|
| |
To receive data, executor relies on changes propagating to its copy of
the shared memory buffer. This is only guaranteed with MAP_SHARED,
whereas behavior is "unspecified" for MAP_PRIVATE (but happened to work
on most implementations).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
All OSes we have now support shmem.
Support for Fuchia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
| |
|
|
|
|
|
|
|
| |
Asan build with sharem memory mode is broken for a long time
since the address for output region is incompatible with asan
(asan doesn't have shadow for these addresses).
We did not notice it b/c we only tested no shared memory mode
in short test mode used on CI.
Don't use fixed mmap address under asan.
|
| |
|
|
|
|
|
|
|
| |
Fix 2 bugs:
1. We remove low 12 bits of every PC on amd64 b/c use_cover_edges return true.
This results in extremly low signal (gvisor PC are dense integers).
2. We hash prev/next PC on arm64 which does not make sense
since gvisor coverage is not a trace. This results in falsely large signal.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Return failure reason from setup functions rather than crash.
This will provide better error messages, but also allow setup
w/o creating subprocesses which will be needed when we combine
fuzzer and executor.
Also close all resources created during setup.
This is also useful for in-process setup, but also should improve
chances of reproducing a bug with C reproducer. Currently leaked
file descriptors may disturb repro execution (e.g. it may act
on a wrong fd).
|
| |
|
|
|
|
| |
Update the descriptions to mark calls that cause remote coverage
collection.
Remote some hacky code from the executor.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
On 64 bit machine, when CONFIG_RANDOMIZE_BASE enabled,
even [32:64] bits changed across reboot.
And, core kernel and modules can have diff [31:64] bits.
We need to add 64bit pc support and this is to always
send 64bit pc and sig to syz-fuzzer.
Send 64bit pc and sig is compatable with 32bit OS.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the syscall checking logic to the host.
Diffing sets of disabled syscalls before/after this change
in different configurations (none/setuid sandboxes, amd64/386 arches,
large/small kernel configs) shows only some improvements/bug fixes.
1. socket$inet[6]_icmp are now enabled.
Previously they were disabled due to net.ipv4.ping_group_range sysctl
in the init namespace which prevented creation of ping sockets.
In the new net namespace the sysctl gets default value which allows creation.
2. get_thread_area and set_thread_area are now disabled on amd64.
They are available only in 32-bit mode, but they are present in /proc/kallsyms,
so we enabled them always.
3. socket$bt_{bnep, cmtp, hidp, rfcomm} are now disabled.
They cannot be created in non init net namespace.
bt_sock_create() checks init_net and returns EAFNOSUPPORT immediately.
This is a bug in descriptions we need to fix.
Now we see it due to more precise checks.
4. fstat64/fstatat64/lstat64/stat64 are now enabled in 32-bit mode.
They are not present in /proc/kallsyms as syscalls, so we have not enabled them.
But they are available in 32-bit mode.
5. 78 openat variants + 10 socket variants + mount are now disabled
with setuid sandbox. They are not permitted w/o root permissions,
but we ignored that. This additionally leads to 700 transitively
disabled syscalls.
In all cases checking in the actual executor context/sandbox
looks very positive, esp. for more restrictive sandboxes.
Android sandbox should benefit as well.
The additional benefit is full testability of the new code.
The change includes only a basic test that covers all checks,
and ensures the code does not crash/hang, all generated programs
parse successfully, etc. But it's possible to unit-test
every condition now.
The new version also parallelizes checking across VMs,
checking on a slow emulated qemu drops from 210 seconds
to 140 seconds.
|
