path: root/executor
Commit message  [Author, Age, Files, Lines]
...
* executor: uncomment accidentally commented code  [Dmitry Vyukov, 2020-02-24, 1 file, -3/+3]
    unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentally. Uncomment it.
    Spotted by @xairy: https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572
* sys/linux: add NETLINK_SOCK_DIAG descriptions  [Dmitry Vyukov, 2020-02-21, 2 files, -6/+36]
    Incomplete, but something.
* sys/linux: add NETLINK_RDMA descriptions  [Dmitry Vyukov, 2020-02-21, 3 files, -15/+129]
* sys/linux: add NETLINK_AUDIT descriptions  [Dmitry Vyukov, 2020-02-21, 2 files, -6/+102]
* sys/linux: add smc_pnetid genetlink descriptions  [Dmitry Vyukov, 2020-02-20, 2 files, -6/+36]
* sys/linux: add descriptions of wireguard packets  [Dmitry Vyukov, 2020-02-18, 1 file, -6/+6]
* sys/linux: don't extract from futex.txt and watch_queue.txt  [Dmitry Vyukov, 2020-02-18, 2 files, -6/+10]
    These are not present in linux-next.
* executor: disable IFF_NAPI_FRAGS  [Dmitry Vyukov, 2020-02-18, 1 file, -1/+12]
    Update #1594
* sys/linux: add broadcast mac address  [Dmitry Vyukov, 2020-02-18, 1 file, -6/+6]
    Code in net/ethernet/eth.c does this:

        __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
        {
            ...
            if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) {
                if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
                    if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
                        skb->pkt_type = PACKET_BROADCAST;
                    else
                        skb->pkt_type = PACKET_MULTICAST;
                } else {
                    skb->pkt_type = PACKET_OTHERHOST;
                }
            }

    Multicast and broadcast are distinct and dev->broadcast seems to be ffffffffffff by default, so add another multicast mac address that will serve as PACKET_MULTICAST.
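The pkt_type decision quoted in that commit message, written out as an added Go example. This is not syzkaller's or the kernel's code; it reproduces the branch above so the difference between a broadcast and a plain multicast destination is visible on concrete addresses. The sample MACs (device aa:aa:aa:aa:aa:aa, IPv4 group MAC 01:00:5e:00:00:01, a locally administered unicast address) are constructed for the example, and the all-ones broadcast address is the default the commit message describes.

```go
package main

import "fmt"

// PktType mirrors the skb->pkt_type outcomes of the eth_type_trans()
// branch quoted in the commit message above.
type PktType int

const (
	PacketHost      PktType = iota // h_dest == dev->dev_addr (quoted branch not taken)
	PacketBroadcast                // h_dest == dev->broadcast
	PacketMulticast                // I/G bit set, but not the broadcast address
	PacketOtherhost                // unicast to some other station
)

func (p PktType) String() string {
	return [...]string{"PACKET_HOST", "PACKET_BROADCAST", "PACKET_MULTICAST", "PACKET_OTHERHOST"}[p]
}

// MAC is a 48-bit Ethernet address. Go arrays compare with ==, which
// stands in for ether_addr_equal_64bits() here.
type MAC [6]byte

// isMulticast is the is_multicast_ether_addr() test: the I/G bit is the
// least significant bit of the first octet on the wire.
func isMulticast(m MAC) bool { return m[0]&0x01 != 0 }

// classify applies the same decision tree as the quoted kernel code.
func classify(dst, devAddr, devBroadcast MAC) PktType {
	if dst == devAddr {
		return PacketHost
	}
	if isMulticast(dst) {
		if dst == devBroadcast {
			return PacketBroadcast
		}
		return PacketMulticast
	}
	return PacketOtherhost
}

func main() {
	// Constructed sample addresses (not taken from syzkaller's descriptions).
	dev := MAC{0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}
	broadcast := MAC{0xff, 0xff, 0xff, 0xff, 0xff, 0xff} // all-ones default
	for _, dst := range []MAC{
		dev,
		broadcast,
		{0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}, // IPv4 multicast group MAC
		{0x02, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}, // locally administered unicast
	} {
		fmt.Printf("%x -> %s\n", dst, classify(dst, dev, broadcast))
	}
}
```

The point the commit makes falls out directly: ff:ff:ff:ff:ff:ff has the I/G bit set, so it takes the multicast branch, but it then matches dev->broadcast and is classified PACKET_BROADCAST; only a different I/G-bit address reaches PACKET_MULTICAST.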
* executor: refactor extra cover handling  [Dmitry Vyukov, 2020-02-17, 1 file, -18/+16]
    One observation is that checking for extra cover is very fast (effectively a memory load), so we can simplify code by removing th->extra_cover and just check for it always. Additionally, we may grab some coverage that we would miss otherwise.

    Don't sleep for 500 ms at the end if colliding, we are not going to use the extra coverage in that case anyway.

    Check for extra coverage at the end every 100ms to avoid being killed on timeout before we write any.

    Make the 500ms sleep at the end parametrizable. Enable it for syz_usb syscalls, so we get the same behavior for usb. But this also allows to get extra coverage for other subsystems. Some subsystems don't have a good way to detect if we will get any extra coverage or not. Sleeping for 500ms for all programs slows down fuzzing too much. So we check for extra coverage at the end for all programs (cheap anyway), but sleep only for usb program. This allows to collect extra coverage for vhost and maybe wireguard in future.

    Update #806
* sys/linux: add new FUTEX_WAIT_MULTIPLE operation  [André Almeida, 2020-02-17, 2 files, -6/+12]
    Create individual file for futex syscall and add description for the new operation FUTEX_WAIT_MULTIPLE.

    Signed-off-by: André Almeida <andrealmeid@collabora.com>
* sys/linux: add map batch operations  [Paul Chaignon, 2020-02-16, 2 files, -5/+25]
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* sys/linux: update BPF constants and structures  [Paul Chaignon, 2020-02-16, 1 file, -6/+6]
    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* wireguard: setup some initial devices in a triangle  [Jason A. Donenfeld, 2020-02-13, 1 file, -0/+272]
    * wireguard: setup some initial devices in a triangle

      The fuzzer will wind up undoing some of this, which is fine, but at least it now has the chance of hitting some other paths it wasn't before.

      Closes: #1599

    * wireguard: make code ugly after `make generate` pass
    * wireguard: get rid of unused structs that are still interesting
    * wireguard: compile in C++ mode with gcc 7

      Complex designated initializers are only supported in C++ mode from gcc 8, and for whatever reason syzkaller wants to be compiled in C++ mode.

    * wireguard: add braces around debug statements for checker
    * wireguard: regenerate go source
* sys/linux: add SO_BINDTODEVICE specialization for wireguard  [Dmitry Vyukov, 2020-02-12, 2 files, -6/+12]
    SO_BINDTODEVICE for wg devices allows to reach very important part of functionality (wg_xmit).

    Update #806
* sys/linux: restrict wireguard allowedips cidr size  [Jason A. Donenfeld, 2020-02-11, 1 file, -6/+6]
    By keeping this small, it means much greater probability that a randomly generated packet that hits xmit will match an existing peer.
* pkg/ast: introduce hex-encoded string literals  [Dmitry Vyukov, 2020-02-10, 1 file, -6/+6]
    The stringnozescapes does not make sense with filename, also we may need similar escaping for string flags. Handle escaped strings on ast level instead. This avoids introducing new type and works seamlessly with flags.

    As alternative I've also tried using strconv.Quote/Unquote but it leads to ugly half-escaped strings:
    "\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"

    Make hex-encoded strings a separate string format instead.
* sys/linux: bump netdev_addr_id for wg2  [Dmitry Vyukov, 2020-02-10, 1 file, -6/+6]
    Commit "wireguard: use wg0, wg1, wg2" added wg2, bump netdev_addr_id accordingly.
* executor: increase input buffer size  [Dmitry Vyukov, 2020-02-10, 1 file, -1/+1]
    I bumped input buffer size on Go side in:
    a2af37f0 prog: increase encodingexec buffer size
    But I forgot to increase the size on the executor side. Do this and add comments re keeping them in sync.
* pkg/compiler: allow for escaped strings  [Jason A. Donenfeld, 2020-02-10, 1 file, -6/+6]
    This adds stringnozescapes to allow parsing of escape sequences in strings.
* wireguard: use wg0, wg1, wg2  [Jason A. Donenfeld, 2020-02-10, 2 files, -10/+12]
    This matches more closely what people are used to dealing with. We also add one additional device for interesting multi-interface effects.
* wireguard: increase chance that public and private will correspond  [Jason A. Donenfeld, 2020-02-10, 1 file, -6/+6]
    This tests more edge cases, as well as allowing for potentially a corresponding public and private key to be installed.
* sys/linux: add new pidfd_getfd syscall  [Christian Brauner, 2020-02-06, 2 files, -6/+12]
    Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
* sys/linux: use literal consts instead of hardcoded number  [Dmitry Vyukov, 2020-02-01, 1 file, -6/+6]
* sys/linux: add IPPROTO_MPTCP support  [Christoph Paasch, 2020-02-01, 2 files, -6/+18]
    Adding support for IPPROTO_MPTCP. Like SMC, it is on top of TCP and can thus be treated like a regular TCP socket.
* sys/linux: regenerate files  [Dmitry Vyukov, 2020-01-31, 1 file, -6/+6]
* sys/linux: add some wireguard descriptions  [Dmitry Vyukov, 2020-01-31, 3 files, -6/+34]
    Update #806
* sys/linux: fix drm_mode_fb_cmd2 layout  [Dmitry Vyukov, 2020-01-28, 1 file, -6/+6]
    Thanks to syz-check for catching this.

    Update #590
* sys/linux: add ethtool netlink descriptions  [Dmitry Vyukov, 2020-01-28, 2 files, -6/+48]
* sys/linux: add time namespace descriptions  [Dmitry Vyukov, 2020-01-27, 1 file, -6/+6]
* prog: remove unused ResourceDesc.Type  [Dmitry Vyukov, 2020-01-26, 1 file, -15/+15]
* pkg/serializer: do not write field names if it won't save space  [Dmitry Vyukov, 2020-01-26, 1 file, -19/+19]
    If we are going to write all values, don't write field names. This only increases size of generated files.

    The change reduces size of generated files by 5.8% (62870496-59410354=3460142 bytes saved).
* sys/linux: extend DRM ioctl descriptions  [Dmitry Vyukov, 2020-01-25, 2 files, -24/+224]
    + disable binderfs (see comments)
    + add few more missing tty ioctls
    + improve few minor things in hci descriptions
* sys/linux: restore FOU_ATTR_LOCAL/PEER_V6  [Dmitry Vyukov, 2020-01-23, 1 file, -6/+6]
    They are being fixed in kernel: https://lists.openwall.net/netdev/2020/01/23/122
* sys/linux: improve infiniband_rdma descriptions  [Dmitry Vyukov, 2020-01-23, 1 file, -6/+6]
* tools/syz-check: add limited checking of varlen structs  [Dmitry Vyukov, 2020-01-23, 1 file, -6/+6]
    Stop at the first varlen field, but check the preceding ones. Frequently the varlen array is the last field, so we should get good checking for these cases.

    Update #590
* sys/linux: check for missing/duplicate netlink attrs  [Dmitry Vyukov, 2020-01-23, 1 file, -6/+6]
    Update #590
* sys/linux: fix more netlink warnings  [Dmitry Vyukov, 2020-01-23, 1 file, -6/+6]
    Handle NLA_BITFIELD32.
    Match string attributes better.
    Calculate and check min size for varlen structs.
    Fix NLA_UNSPEC size check.
    Fix some things in descriptions.

    Update #590
* sys/linux: fix incorrect nlattr sizes  [Dmitry Vyukov, 2020-01-22, 1 file, -6/+6]
    Update #590
* sys/linux: more fixing of netlink policy names  [Dmitry Vyukov, 2020-01-22, 1 file, -6/+6]
    Update #590
* sys/linux: mark all nested netlink attributes as nlnest  [Dmitry Vyukov, 2020-01-22, 1 file, -6/+6]
    As far as I understand most subsystems don't care about the nest flag, but some do. But marking them as nest won't harm (?). Let's mark all of them.

    Caught several cases where should have been used array[policy] but used just policy.

    Update #590
* tools/syz-check: improve matching netlink attributes  [Dmitry Vyukov, 2020-01-22, 1 file, -6/+6]
    1. Match policies that have a _suffix in our descriptions (we frequently do this to improve precision or avoid dup names).
    2. Rename policies in descriptions to match kernel names.
    3. Match policy if there are several such names in kernel.
    4. Recognize policies with helper sub-policies.

    Update #590
* sys/linux: fix IFLA_BR_GROUP_ADDR type  [Dmitry Vyukov, 2020-01-20, 1 file, -6/+6]
* sys/linux: add more device descriptions (geneve, lowpan, ipoib, cfhsi)  [Dmitry Vyukov, 2020-01-19, 3 files, -10/+63]
* sys/linux: add some batadv descriptions  [Dmitry Vyukov, 2020-01-18, 3 files, -7/+137]
* executor: create macvtap, macsec devices  [Dmitry Vyukov, 2020-01-18, 2 files, -12/+21]
* pkg/compiler: don't mark flags with 0 as bitmask  [Dmitry Vyukov, 2020-01-18, 1 file, -17/+17]
    They can't be a bitmask. This fixes important cases of "0, 1" and "0, 1, 2" flags.

    Fix some descriptions that added 0 to bitmasks explicitly (we should do it automatically instead).
* pkg/compiler: sort flags values  [Dmitry Vyukov, 2020-01-18, 1 file, -14/+14]
    Will simplify runtime analysis of flags. Also just no reason to make it more deterministic and avoid unnecessary diffs in future if values are reordered.
* pkg/compiler: generate const[0] for flags w/o values  [Dmitry Vyukov, 2020-01-18, 1 file, -8/+8]
    Generate const[0] for flags without values and for flags with a single value which is 0. This is the intention in all existing cases (e.g. an enum with types of something, but there is really only 1 type exists).
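The three flags rules from the pkg/compiler commits above (sort the values, never treat a set containing 0 as a bitmask, emit const[0] for an empty set or a lone 0), combined into one added Go example. This is illustrative code, not the project's compiler; the names classifyFlags, isBitmask and FlagsKind are assumptions, and the inputs in main are constructed. It goes slightly beyond the commit messages in one respect: it also rejects overlapping values such as "1, 2, 3" as a bitmask, since OR-ing them produces a value already in the set.

```go
package main

import (
	"fmt"
	"sort"
)

// FlagsKind is how a flags declaration ends up being generated.
type FlagsKind int

const (
	KindConst0  FlagsKind = iota // no values, or only the value 0: emit const[0]
	KindBitmask                  // non-zero, pairwise disjoint bits: values may be OR-ed together
	KindEnum                     // anything else: exactly one of the values is chosen
)

func (k FlagsKind) String() string {
	return [...]string{"const[0]", "bitmask", "enum"}[k]
}

// normalize sorts the values and drops duplicates, so generated output does
// not depend on declaration order (the "sort flags values" commit).
func normalize(values []uint64) []uint64 {
	sorted := append([]uint64(nil), values...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i] < sorted[j] })
	uniq := make([]uint64, 0, len(sorted))
	for i, v := range sorted {
		if i == 0 || v != sorted[i-1] {
			uniq = append(uniq, v)
		}
	}
	return uniq
}

// isBitmask expects sorted, deduplicated, non-empty input. Because the input
// is sorted, a 0 value can only be first; 0 can never be a bit, so "0, 1" and
// "0, 1, 2" are rejected. Overlapping values (e.g. "1, 2, 3") are rejected too.
func isBitmask(sorted []uint64) bool {
	if sorted[0] == 0 {
		return false
	}
	var seen uint64
	for _, v := range sorted {
		if v&seen != 0 {
			return false
		}
		seen |= v
	}
	return true
}

// classifyFlags returns the generated kind and the normalized value list
// (nil for const[0], where no list is needed).
func classifyFlags(values []uint64) (FlagsKind, []uint64) {
	vals := normalize(values)
	if len(vals) == 0 || (len(vals) == 1 && vals[0] == 0) {
		return KindConst0, nil
	}
	if isBitmask(vals) {
		return KindBitmask, vals
	}
	return KindEnum, vals
}

func main() {
	// Constructed inputs, one per rule.
	for _, in := range [][]uint64{nil, {0}, {0, 1}, {0, 1, 2}, {4, 1, 2, 2}, {1, 2, 3}, {0x10, 0x20}} {
		kind, vals := classifyFlags(in)
		fmt.Printf("%v -> %s %v\n", in, kind, vals)
	}
}
```

With this split, a generator only needs to add 0 itself when producing a bitmask value (the empty subset), which is the "we should do it automatically" remark in the first commit; descriptions never need to list 0 explicitly.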
* sys/linux: fix sigset_t/sigaction layout on arm  [Dmitry Vyukov, 2020-01-18, 1 file, -6/+6]
    Update #590