| Commit message (Collapse) | Author | Age | Files | Lines |

Debug output takes time, so 20ms is not enough for almost any syscall.
Give a syscall 500ms in debug before considering it blocked.

This commit moves checksum computation to executor. This will allow embedding
dynamically generated values (like TCP sequence numbers) into packets.

We've started seeing lots of vmalloc failures with the 200ms timeout.
Turns out vmalloc has a check for fatal signals pending,
so we were killing the process, which caused vmalloc to fail.
If vmalloc can take 200+ms, then we need to bump the timeout,
as it's not blocking that we want to catch.
Bump the timeout to 500ms.

If an external sandbox process wraps executor, the out pipe will be closed
before the sandbox process exits; this will make the ipc package kill the sandbox.
As a result, the sandbox process will exit with exit status 9 instead of the executor
exit status (notably kRetryStatus). Consequently, ipc will treat it as a hard
failure rather than a temporary failure. So we duplicate the exit status on the pipe.

It fails with various errors (9, 14, 25); probably the fuzzer messes with the fd.

Fuzzer invented another tricky way to corrupt the region.
Map it at a hard to guess address.

Currently syzkaller uses per-call basic block (BB) coverage.
This change implements edge (not-per-call) coverage.
Edge coverage is more detailed than BB coverage as it captures
not-taken branches, looping, etc. So it provides a better feedback signal.
This coverage is now called "signal" throughout the code.
BB code coverage is also collected as it is required for visualisation.
Not doing per-call coverage reduces the corpus ~6-7x (from ~35K to ~5K);
this has a profound effect on fuzzing efficiency.
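As an added illustration of the basic-block versus edge feedback described in the commit above (example code written for this page, not syzkaller's own): two constructed PC traces of the same function, one running a loop body once and one running it three times, reach the same basic blocks, yet only edge signal tells them apart. The edge hash `(prev << 1) ^ pc` is an AFL-style assumption, not necessarily the formula the executor uses.

```c
/* Added example, not syzkaller code: per-basic-block coverage versus
 * edge coverage ("signal") on two constructed PC traces of the same
 * function, one running a loop body once and one running it three times.
 * The edge hash (prev << 1) ^ pc is an AFL-style assumption, not
 * necessarily the formula the executor uses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SIGNAL 1024

/* Tiny set of 64-bit values; linear search is fine at this size. */
typedef struct {
    uint64_t vals[MAX_SIGNAL];
    size_t n;
} signal_set;

/* Returns 1 if v was not yet in the set (and adds it), 0 if already known. */
static int set_add(signal_set *s, uint64_t v)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->vals[i] == v)
            return 0;
    if (s->n < MAX_SIGNAL)
        s->vals[s->n++] = v;
    return 1;
}

/* Basic-block feedback: every distinct PC is one unit of coverage.
 * Returns how many PCs in this trace the corpus had not seen before. */
size_t new_bb_coverage(signal_set *seen, const uint64_t *trace, size_t n)
{
    size_t fresh = 0;
    for (size_t i = 0; i < n; i++)
        fresh += set_add(seen, trace[i]);
    return fresh;
}

/* Edge feedback: every distinct (prev_pc, pc) transition is one unit,
 * so a loop back-edge, or a branch taken the other way, counts as new
 * signal even when no new basic block is reached. */
static uint64_t edge_hash(uint64_t prev, uint64_t pc)
{
    return (prev << 1) ^ pc;
}

size_t new_edge_signal(signal_set *seen, const uint64_t *trace, size_t n)
{
    size_t fresh = 0;
    for (size_t i = 1; i < n; i++)
        fresh += set_add(seen, edge_hash(trace[i - 1], trace[i]));
    return fresh;
}

int main(void)
{
    /* Constructed traces: A=0x1000 (entry), B=0x1040 (loop body), C=0x1080 (exit). */
    const uint64_t once[] = {0x1000, 0x1040, 0x1080};
    const uint64_t thrice[] = {0x1000, 0x1040, 0x1040, 0x1040, 0x1080};
    signal_set bb = {{0}, 0}, edges = {{0}, 0};

    printf("run 1: %zu new BBs, %zu new edges\n",
           new_bb_coverage(&bb, once, 3), new_edge_signal(&edges, once, 3));
    /* Same blocks, but the B->B back-edge is new: BB feedback says "nothing
     * new", edge feedback keeps the looping program in the corpus. */
    printf("run 2: %zu new BBs, %zu new edges\n",
           new_bb_coverage(&bb, thrice, 5), new_edge_signal(&edges, thrice, 5));
    return 0;
}
```

The second run is exactly the case the commit describes: per-block feedback would discard the program, edge feedback keeps it because the loop back-edge is new signal.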

Using `adb shell syz-executor reboot` to reboot devices has stopped
working with the recent Android update, probably due to the intro
of seccomp. I have reverted the device reboot logic to use `adb
shell reboot`, although it can be flaky at times, so that we can
continue to fuzz on devices until a more reliable solution can be
sought out.

The fuzzer has figured out how to corrupt input/output shmem regions
by abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative
text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as read-only; we don't write to it.
3. Add an address sanity check to segv_handler: if we see that we are writing
into executable data, it's better to crash instantly.

Syscalls frequently block and this affects fuzzing speed.
20ms should be more than enough for a normal syscall to finish.

Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.
This fixes #72.

Add new pseudo syscall syz_kvm_setup_cpu that sets up a VCPU into
interesting states for execution. KVM is too difficult to set up otherwise.
Lots of improvements possible, but this is a starting point.

On some KVM syscalls coverage reaches 36K+ PCs.

See the added comment for explanation.

waitpid(pid) does not work if child invokes ptrace(PTRACE_TRACEME):
https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU
Use waitpid(-1) instead.

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csource. This is required to reproduce crashes
that require e.g. namespace sandbox.

Update #59

Ignore SIGSEGV/SIGBUS during copyin/copyout of arguments.
The memory may not be addressable. Ignoring them allows passing
partially-addressable input data to the kernel.
It's unclear yet if it's a good idea or not.
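The two commits above (the syz_kvm_setup_cpu hardening and the SIGSEGV/SIGBUS tolerance during copyin/copyout) describe the same handler from two sides: a fault inside fuzzer-supplied data is skipped, a write into a region that must never be written is treated as corruption. The following is an added example written for this page, not the executor's own code: a signed versus unsigned size check, a PROT_READ stand-in for the input region, and a handler that classifies the fault by `si_addr`. The region layout, return codes and function names are assumptions; it runs on Linux.

```c
/* Added example, not syzkaller code. It demonstrates the three defences in
 * the syz_kvm_setup_cpu commit and the fault-tolerant copy of the
 * copyin/copyout commit: (1) a signed size with only an upper-bound check
 * lets a negative guess reach memcpy as a huge size_t; (2) a region that is
 * only read is mapped PROT_READ; (3) the SIGSEGV/SIGBUS handler looks at the
 * faulting address: a fault inside fuzzer-supplied data is skipped, a fault
 * inside the protected region is reported as fatal. Region layout and the
 * function names are assumptions made for this example. Linux only. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_TEXT_SIZE 1000

/* Before: signed size, so text_size = -1 passes "< 1000" and memcpy would
 * receive (size_t)-1. */
int text_size_ok_signed(long text_size)
{
    return text_size < MAX_TEXT_SIZE;
}

/* After: unsigned size, so the same bit pattern is a huge value and fails. */
int text_size_ok_unsigned(unsigned long text_size)
{
    return text_size < MAX_TEXT_SIZE;
}

/* Stand-in for the executor's input/output shmem: a read-only mapping that
 * no copy should ever write into. */
static char *protected_base;
static const size_t protected_len = 4096;
static sigjmp_buf fault_jmp;

int addr_in_protected(const void *addr)
{
    const char *p = addr;
    return protected_base && p >= protected_base && p < protected_base + protected_len;
}

/* Jump back to the copy site with 2 for a fault inside the protected region
 * (a real executor should crash instantly here), 1 for any other fault. */
static void segv_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)sig;
    (void)ctx;
    siglongjmp(fault_jmp, addr_in_protected(info->si_addr) ? 2 : 1);
}

/* Maps the protected region PROT_READ and installs the handler.
 * SA_NODEFER keeps SIGSEGV unblocked after we longjmp out of the handler. */
int setup_regions(void)
{
    struct sigaction sa;
    void *p = mmap(NULL, protected_len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    protected_base = p;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    return sigaction(SIGBUS, &sa, NULL);
}

/* memcpy that tolerates unaddressable memory. Returns 0 on success, 1 if a
 * fault in ordinary memory was skipped, 2 if the copy touched the
 * protected region. */
int copy_tolerating_faults(void *dst, const void *src, size_t n)
{
    int r = sigsetjmp(fault_jmp, 1);
    if (r != 0)
        return r;
    memcpy(dst, src, n);
    return 0;
}

int main(void)
{
    char buf[16];
    const char src[16] = "constructed";   /* constructed sample input */
    void *unmapped;

    printf("signed   check accepts -1: %d\n", text_size_ok_signed(-1));
    printf("unsigned check accepts -1: %d\n", text_size_ok_unsigned((unsigned long)-1));
    if (setup_regions() != 0)
        return 1;
    unmapped = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    printf("copy from good memory:      %d\n", copy_tolerating_faults(buf, src, sizeof buf));
    printf("copy from PROT_NONE page:   %d\n", copy_tolerating_faults(buf, unmapped, sizeof buf));
    printf("copy into protected region: %d\n", copy_tolerating_faults(protected_base, src, sizeof buf));
    return 0;
}
```

Note the ordering of the checks: the size check runs before any copy, and the handler only decides what to do once a fault has already happened; the read-only mapping is what turns a silent overwrite of the region into a fault the handler can see.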

The new namespace-based sandboxing is good,
but it's not always what one wants
(and also requires special kernel configs).
Change dropprivs config value to sandbox,
which can have different values (currently: none, setuid, namespace).
Setuid mode uses setuid(nobody) before fuzzing as before.
In future we can add more sandboxing modes or, say,
extend -sandbox=setuid to -sandbox=setuid:johndoe
to impersonate the given user.

This is not fully working now: e.g. prog and sys packages assume
that pointer size is 8. But at least it compiles and works.

There are a number of known, low-frequency reasons for failures in remove_dir.
Make the failures non-fatal.
Fixes #45

This is a common source of false positives.

This led to lots of false positives.

Namespace-based sandbox can take some time to setup.
In particular, lots of parallel executors block on net
namespace creation.

Now kcov exposes only uintptr-sized PCs.

http://reviews.llvm.org/rL257763

android)

Wait with spin loop instead.
See the comment for explanation.

WUNTRACED wait returns when child has stopped.
That's not what we want to wait for.
If it's stopped we need to timeout wait and kill
the stopped child.
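The commit above and the earlier "wait with spin loop instead" commit describe the same wait discipline: a stopped child is a hang, not a completion, so the parent should time out and kill it rather than use WUNTRACED. Below is an added example written for this page, not the executor's own code, that forks a child which either exits or stops itself with SIGSTOP, polls `waitpid(WNOHANG)` against a deadline, and kills and reaps the child when the deadline passes. The timeout values, result enum and helper names are assumptions; it runs on Linux.

```c
/* Added example, not syzkaller code: wait for a child with a deadline
 * instead of WUNTRACED. A child that stops itself (SIGSTOP here, as a
 * ptrace'd child would) does not satisfy a plain waitpid(), so it runs
 * the clock down and is killed and reaped; an exiting child is reaped
 * immediately. Timeout values and helper names are assumptions. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum wait_result { WAIT_EXITED, WAIT_KILLED_ON_TIMEOUT, WAIT_ERROR };

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}

/* Spin on waitpid(WNOHANG) until the child is reaped or the deadline
 * passes. No WUNTRACED: a stopped child is not "done", it is a hang. */
enum wait_result wait_with_timeout(pid_t pid, int timeout_ms, int *status_out)
{
    long long deadline = now_ms() + timeout_ms;
    int status = 0;

    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;                       /* exited or killed by a signal */
        if (r < 0 && errno != EINTR)
            return WAIT_ERROR;
        if (now_ms() >= deadline) {
            /* Hung or stopped: SIGKILL works on a stopped process too. */
            kill(pid, SIGKILL);
            while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
                ;
            if (status_out)
                *status_out = status;
            return WAIT_KILLED_ON_TIMEOUT;
        }
        usleep(1000);
    }
    if (status_out)
        *status_out = status;
    return WAIT_EXITED;
}

/* Forks a child that either exits at once or stops itself, then waits. */
enum wait_result run_child(int stop_itself, int timeout_ms, int *status_out)
{
    pid_t pid = fork();
    if (pid < 0)
        return WAIT_ERROR;
    if (pid == 0) {
        if (stop_itself)
            raise(SIGSTOP);
        _exit(0);
    }
    return wait_with_timeout(pid, timeout_ms, status_out);
}

int main(void)
{
    int status = 0;
    enum wait_result r;

    r = run_child(0, 2000, &status);
    printf("exiting child: result %d, WIFEXITED=%d\n", r, WIFEXITED(status));
    r = run_child(1, 200, &status);
    printf("stopped child: result %d, WIFSIGNALED=%d, sig=%d\n",
           r, WIFSIGNALED(status), WIFSIGNALED(status) ? WTERMSIG(status) : 0);
    return 0;
}
```

With WUNTRACED the second wait would have returned as soon as the child stopped and the parent would have mistaken the stop for completion; here the stop is invisible to the wait, the deadline fires, and the reaped status shows the child was killed by SIGKILL.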