| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
|
| |
|
|
| |
Lots of assorted heavylifting to support csource on fuchsia.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We have fallback coverage implmentation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.
Move fallback coverage to ipc package,
fix it and provide for all OSes.
|
| |
|
|
|
|
|
|
|
| |
We see some crashes that suggest corruption of the syscall number:
invalid command number 1296 (errno 11)
invalid command number 107 (errno 110)
Make the table and the number constant to prevent corruption.
|
| |
|
|
|
| |
Turns out it's protection of kcov region that causes coverage drop.
Revert it and re-enable coverage filtering.
|
| |
|
|
|
| |
This causes very significant drop in corpus size. Needs additional debugging.
Revert for now.
|
| |
|
|
|
| |
We only write to the first page of kcov region.
Protect the rest from the fuzzer.
|
| |
|
|
|
| |
Fuzzer manages to corrupt output region and write random coverage again and again.
Do a sanity range check on coverage PCs to filter out invalid ones.
|
| |
|
|
|
| |
Fuzzer manages to corrupt output region and write random coverage again and again.
Randomize output region addr to make it harder.
|
| |
|
|
| |
Detect kernel bitness and properly extract coverage on 32-bit kernels.
|
| |
|
|
|
| |
There is no autodetection yet, but at least bitness
is encapsulated in cover_t type.
|
| | |
|
| | |
|
| |
|
|
| |
Remove executor_pid, enable_tun and setup_tun.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "define uint64_t unsigned long long" were too good to work.
With a different toolchain I am getting:
cstdint:69:11: error: expected unqualified-id
using ::uint64_t;
^
executor/common.h:34:18: note: expanded from macro 'uint64_t'
Do it the proper way: introduce uint64/32/16/8 types and use them.
pkg/csource then does s/uint64/uint64_t/ to not clutter code with
additional typedefs.
|
| |
|
|
|
|
|
| |
We use exitf on loop failures, anbd exitf is retry-able.
However, we use different status when replying to ipc,
and that different status is what ipc actually uses.
Use kRetryStatus status in case on unexpected loop failures.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I see a crash which says:
#0: too much cover 0 (errno 0)
while the code is:
uint64_t n = ...;
if (n >= kCoverSize)
fail("#%d: too much cover %u", th->id, n);
It seems that the high part of n is set, but we don't see it.
Add printf format attribute to fail and friends and fix all similar cases.
Caught a bunch of similar cases and a missing argument in:
exitf("opendir(%s) failed due to NOFILE, exiting");
|
| |
|
|
|
|
|
|
| |
Currently csource uses completely different, simpler way of scheduling
syscalls onto threads (thread per call with random sleeps).
Mimic the way calls are scheduled in executor.
Fixes #312
|
| |
|
|
|
|
|
| |
__NR_mmap is missing on arm entirely,
so we disable mmap during generate.
Patch mmap to mmap2 right in syz-extract,
so that mmap is never missing.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
executor: changed kOutputDataAddr so that it works on 32-bit kernels
executor: simplified ifdefs for arm in executor_linux.cc
executor: removed empty lines that were accidentally added.
|
| |
|
|
|
|
|
|
| |
When comparisons are enabled fuzzer somehow manages to discover
the output region and corrupt it. It seems to fetch the address
from some memory operations (mmap/munmap).
Don't leak the output region address.
|
| |
|
|
|
|
|
| |
1. remove workaround for pthread attrs (was fixed in akaros)
2. remove workaround for dup2 (was fixed in akaros)
3. check that we receive a program
4. implement timeout for test processes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently use more complex and functional protocol on linux,
and a simple ad-hoc protocol on other OSes.
This leads to code duplication in both ipc and executor.
Linux supports coverage, shared memory communication and fork server,
which would also be useful for most other OSes.
Unify communication protocol and parametrize it by
(1) use of shmem or only pipes, (2) use of fork server.
This reduces duplication in ipc and executor and will
allow to support the useful features for other OSes easily.
Finally, this fixes akaros support as it currently uses
syz-stress running on host (linux) and executor running on akaros.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Nothing works, but builds.
Update #191
|
|
|
Update #191
|
