| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
On different platforms and in different coverage collection modes
the pointer to the beginning of kcov buffer may or may not differ
from the pointer to the region that mmap() returned.
Decouple these two pointers, so that the memory is always allocated
and deallocated with cov->mmap_alloc_ptr and cov->mmap_alloc_size, and the
buffer is accessed via cov->data and cov->data_size.
I tried my best to not break Darwin and BSD, but I did not test them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During machine checks, syzkaller will execute calls with coverage
disabled, in which case per-thread coverage structures are zeroed out.
write_output() will temporarily map the coverage data as writeable via
CoverAccessScope, whether or not cover is enabled. In effect,
write_output() may trigger a call mprotect(0, kCoverSize, PROT_RW).
On FreeBSD, mprotect() silently ignores unmapped regions, so this does
not result in an error. In fact, kCoverSize is now large enough that
this ends up removing the eXecute bit from part of syz-executor's text
region.
Make CoverAccessScope a no-op if coverage is not enabled. Modify BSD
cover_protect() and cover_unprotect() to fail if invoked when coverage
is disabled.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
MAP_FIXED_NOREPLACE allows to fail early if we happened to overlap with
an existing memory mapping. It should help detects bugs #5674 at an
earlier stage, before it led to memory corruptions.
MAP_FIXED_NOREPLACE is supported from Linux 4.17, which is okay for all
syzkaller use cases on syzbot.
There's no such option for some of the supported OSes, so set it
depending on the configuration we're building for.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We see some errors of the form:
SYZFAIL: coverage filter is full
pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
Executor shouldn't send non kernel addresses in signal,
but somehow it does. It can happen if the VM memory is corrupted,
or if the test program does something very nasty (e.g. discovers
the output region and writes to it).
It's not possible to reliably filter signal in the tested VM.
Move all of the filtering logic to the host.
Fixes #4942
|
| |
|
|
| |
Factor out is_kernel_pc helper and add kernel pc range for test OS for testing.
|
| | |
|
| |
|
|
|
|
|
| |
Currently we sleep only for 1 ms, which may produce some excessive CPU load
(we usually have 6/8 such processes waiting).
Make it sleep for 10 ms, but also make the sleep return immediately on child exit.
This shuold both improve latency and reduce CPU load.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| |
|
|
|
| |
This relies on sendsyslog in sys/syslog.h which will be in OpenBSD
HEAD soon.
|
| |
|
|
|
|
| |
A fixed-address mmap can fail completely or return a different address.
Log what it was. Based on:
https://groups.google.com/g/syzkaller/c/lto00RwlDIQ
|
| |
|
|
|
|
|
|
|
| |
The previous strategy (delay kcov instance creation) seems not to work
very well in carefully sandboxed environments. Let's see if the new
approach is more versatile.
Open a kcov handle for each thread at syz-executor's initialization, but
don't mmap it right away.
|
| |
|
|
|
|
|
|
|
| |
As now kcov instances may get set up during fuzzing, performing dup2 in
cover_open is no longer safe as it may close some important resource.
Prevent that by reserving most of fds that belong to the kcov fds range.
Unfortunately we must duplicate the code because of the way kcov
implementations are organized.
|
| |
|
|
|
|
|
| |
Currently we setup cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.
|
| |
|
|
|
|
|
|
|
| |
Currently the data_offset field of cover_t is only initialized for
per-syscall coverage collection. As a result, remote coverage is read
from an invalid location, fails to pass sanity checks and is not
returned to syzkaller.
Fix the initialization of cover_t fields.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently all executor fail errors go into "lost connection" bucket.
This is not very useful. First, there are different executor failures.
Second, it's not possible to understand what failures happen how frequently.
Third, there are not authentic lost connection.
Create separate SYZFAIL: bugs for them.
Update #573
Update #502
Update #318
|
| |
|
|
| |
gvisor coverage is not a trace, so producing edges won't work.
|
| |
|
|
|
|
| |
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We generally use the newer C99 var declarations combined with initialization because:
- declarations are more local, reduced scope
- fewer lines of code
- less potential for using uninit vars and other bugs
However, we have some relic code from times when we did not understand
if we need to stick with C89 or not. Also some external contributions
that don't follow style around.
Add a static check for C89-style declarations and fix existing precedents.
Akaros toolchain uses -std=gnu89 (or something) and does not allow
variable declarations inside of for init statement. And we can't switch
it to -std=c99 because Akaros headers are C89 themselves.
So in common.h we need to declare loop counters outside of for.
|
| |
|
|
|
| |
The regexp for empty suppressions matches _everything_...
Don't match suppression if it's empty.
|
| |
|
|
| |
This reverts commit 63a7334112fa63edb0c0a3f317d3d92135a6ead9.
|
| |
|
|
|
|
| |
We've had some problems where the default SYZ_DATA_OFFSET collides with
a mapping created by the C runtime. MAP_EXCL ensures that mmap() will
fail in this case, so such problems become a bit easier to diagnose.
|
| |
|
|
|
|
|
| |
Forgot that the build machine must be updated with a newer OpenBSD
snapshot first in order to make the new kcov stuff available.
This reverts commit 96dd36234d97bbf6b403f3a7f03cfc0296422879.
|
| |
|
|
|
|
| |
Recently added[1] to the kcov implementation on OpenBSD.
[1] https://github.com/openbsd/src/commit/8430bc4bce9f93dce843b53971377b7afd96cdb1
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Add functions to protect and unprotect the coverage buffer. The buffer is
protected from being written to while tracing. When the trace data is
sorted we need to make it read/write, but can return it to read only after
this has completed.
Leave the first page as read/write as we need to clear the length field.
|
| | |
|
| |
|
|
|
| |
The type size of long depends on compiler.
Therefore, changing to intptr_t makes it depends on architecture.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.
This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".
This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
|
| |
|
|
|
|
| |
KCOV support has been added to FreeBSD in r342962. Use
the header file and update the code to latest changes
introduced in the review process.
|
| |
|
|
|
|
| |
Initialize syz data segment with protection allowed by PaX MPROTECT.
PROT_MPROTECT() registers future potential protection that is allowed
to be enabled in future.
|
| |
|
|
|
|
|
| |
FreeBSD sets the kcov buffer as number of bytes instead of number
of entries. This also fixes the mmap() call, which was failing
due to inconsistent sizes. The failing was hidden due to wrong
error handling.
|
| |
|
|
|
| |
mmap() returns MAP_FAILED, which is (void *)(-1), in case
of an error. This is different from NULL.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Get ioctl() definitions and usage in sync with the upcoming support
reviewed in https://reviews.freebsd.org/D14599.
|
| | |
|
| |
|
|
| |
Since we no longer cross-compile, there's no need to repeat the defines.
|
| |
|
|
| |
This broke fuchsia build. We need setrlimit only for bsd.
|
| |
|
|
|
|
|
|
|
|
| |
* Revert "Revert "executor: add setuid sandbox for openbsd""
The problem is the low file descriptor limit.
This reverts commit 4093e33b1338f274ae0062f555de9d6af8640d61.
* executor/executor make sure the file descriptor limit is sufficient
|
| |
|
|
| |
This reverts commit 6565f24da9f4eb36702339ba290213995fcc902f.
|
| |
|
|
|
|
|
|
|
|
| |
* executor/common_bsd: add setuid sandbox
Fixes #833
cc @mptre
* Reduced duplications, resolved TODO.
|
| | |
|
