Commit message | Author | Age | Files | Lines
Trusty is a set of software components supporting
a Trusted Execution Environment (TEE) on mobile devices.
https://source.android.com/security/trusty
Add syscall descriptions and some boilerplate.
We use GOOS now to figure out target arch
(which can be different from host arch).
Fixes #783
1. Extract consts on the latest linux tree.
2. Don't manually define O_TMPFILE/O_ACCMODE/_LINUX_CAPABILITY_VERSION_N,
they are defined in kernel headers.
3. Don't use CLOCK_SGI_CYCLE as clock id; it's not implemented.
* sys/openbsd: added minherit, extended/simplified mmap.
Added a script from anton_at_openbsd.org for regenerating syscalls.
Generated by ksh ./sys/openbsd/extract-openbsd.sh
* Undo whitespace change not passing on CI
* No need for magic script.
Fix copy-paste error.
Also remove the second syscall for opening of /dev/fd*.
CPU argument can be -1.
It makes sense to mmap perf fd.
The latest Linux kernel is missing some arch-specific headers on some archs:
asm/a.out.h
asm/prctl.h
asm/mce.h
Support that.
For floppy fuzzing you need to enable:
1) CONFIG_BLK_DEV_FD in your kernel configuration
2) "cmdline": " -fda FLOPPY.img " in syzkaller configuration
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
FAN_OPEN_PERM and FAN_ACCESS_PERM require the program to reply to open requests.
If that does not happen, the program will hang in an unkillable state forever.
See the following bug for details:
https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ
My test harness for this code performed some steps that are not
performed when syz-executor is invoked directly.
Specifically, we need to operate from a directory under /data/data,
and have the correct UID/GID set as the owner of the directory.
My test harness now correctly sets these, all sandbox operations
succeed, and loop() is invoked.
zx_task_resume() is deprecated; switch to using
zx_task_resume_from_exception() instead.
The current memcg container seems to lead to lots of hangs/stalls.
Presumably the problem is with oom_score_adj and KASAN.
Executor process tree eats all memory and then the leaf process is killed
but the memory is not returned to memcg due to KASAN quarantine;
and the parent processes are protected from killing with oom_score_adj=-1000.
As a result the kernel locks up.
1. Don't use oom_score_adj=-1000. Instead bump leaf process score to 1000 (kill always).
2. Increase size of memcg to be larger than expected KASAN quarantine size.
The Syzkaller IR upstream has been updated, so we can properly update
consts/fidl descriptions now.
This sucks a lot, but ebtables.h is now broken too on Debian 4.17:
ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’
Sometimes race conditions are reproduced by syz-execprog and are not
reproduced by the programs generated with syz-prog2c. In such cases
it's very helpful to know when exactly the fuzzing syscalls are executed.
Unfortunately, adding timestamps to the output of the original 'debug'
mode doesn't work. This mode provides very verbose output, which slows
down the executor and breaks the repro.
So let's make the executor debug output less verbose and add
the timestamps.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Add descriptions for /proc/self/attr/* and known lsm file xattrs.
Move debug_dump_data back to executor.cc.
debug_dump_data in common_linux.h does not play well
with pkg/csource debug stripping logic. It strips a large
random piece of code since it thinks debug_dump_data
definition is actually debug_dump_data call site.
Fix build after "executor: remove unused var flag_sandbox_privs".
Some variables/functions can't be static as they are unused on some OSes,
which produces unused warnings.
Compiling the executor on OpenBSD currently fails:
executor/executor.cc:1316:6: error: unused function 'debug_dump_data'
Remove unused var flag_sandbox_privs (which was used for what?).
Declare all variables as static to detect such cases in future.
Currently we have a global fixed set of sandboxes,
which makes it hard to add new OS-specific ones
(all OSes need to be updated to say that they don't
support this sandbox).
Let each OS say what sandboxes it supports instead.
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
Add some new bpf descriptions, most notably btf.
Not perfect, but something.
Regenerate files after the previous commit.
After generating syscall description for fidl files using fidlgen, prune
all unused structs using the exact same mechanism used by the compiler's
check for unused structs. This allows the FIDL compiler to support
modular compilation; it does not need to have global knowledge of
whether each struct is used or not.
oom_score_adj is inherited, so we need to reset it to 0.
Set limit of 32 pids and 200MB per test process.
This should prevent things like fork bombs and frequent OOMs.
Fixes #589
Update #533
Since the OpenBSD target does not make use of syz_execute_func yet, just drop
PROT_EXEC for now.
Supporting write and exec would require one to edit /etc/fstab during
installation.
Regression introduced in commit a4718693 ("sys/linux: add syz_execute_func").
The function executes random code.
Update #310
Update #533