path: root/executor
Commit log (each entry: message, then author, date, files changed and lines -removed/+added in parentheses):
* executor: change syscall argument type to intptr_t (munjinoo, 2019-05-07; 7 files, -13/+13)
  The type size of long depends on compiler. Therefore, changing to intptr_t makes it depend on architecture.
* executor: unbreak on OpenBSD at runtime (Anton Lindqvist, 2019-05-02; 1 file, -0/+4)
  Not using `elif GOOS_freebsd' since it could cause breakage on other *BSDs due to unused variables. Regression introduced in commit c7c3f772 (executor: improve setup for packet handling on *BSD).
* sys/openbsd: add vmm descriptions (#1152) (Anton Lindqvist, 2019-05-01; 2 files, -1/+10)
  Most probably limited to input validation for now. In the future, it could be extended to provide a bootable kernel during vm create (/bsd) and turn vmid into a proper resource. The OpenBSD VMs on GCE do support vmm(4).
* executor: improve setup for packet handling on *BSD (#1153) (Michael Tüxen, 2019-05-01; 1 file, -1/+20)
  Improve the handling of packets by:
  * setting the local MAC address.
  * configuring the local IPv4 address with prefix /24.
  * adding an entry in the arp cache for the remote IPv4 address.
  * adding an entry in the IPv6 neighbour cache for the remote IPv6 address.
* sys/freebsd: add support for various network protocols (Michael Tuexen, 2019-05-01; 1 file, -1/+1)
  Add support for Ethernet, IPv4, ICMP, IPv6, ICMP6, TCP, and UDP. This work is based on the corresponding Linux support.
* sys/freebsd: include ioccom.h in pf.txt (Michael Tuexen, 2019-04-30; 1 file, -1/+1)
  This is needed for the IORW() macros.
* executor: fix another compiler warning (Andrey Konovalov, 2019-04-25; 1 file, -1/+1)
* executor: fix compiler warning (Andrey Konovalov, 2019-04-24; 1 file, -2/+2)
* executor: use NONFAILING in common_usb.h (Andrey Konovalov, 2019-04-23; 1 file, -105/+130)
  Also move some code to helper functions.
* executor: adjust waiting time for all usb syzcalls (Andrey Konovalov, 2019-04-23; 2 files, -10/+14)
  Allow 2000 ms of waiting time for syz_usb_connect and the same time for the whole program if this syzcall is present. Allow 200 ms of waiting time for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
* sys/freebsd: Add pf ioctl()s (Kristof Provost, 2019-04-23; 2 files, -1/+60)
  Tweak the building of the FreeBSD vm image to ensure pf is loaded at startup, so that we can test it.
* Update syscalls (#1116) (Marco Vanotti, 2019-04-22; 2 files, -4/+28)
  * sys/fuchsia: update all syscalls. This commit modifies all the existing syscalls definitions to match more closely the documentation in the Fuchsia repo.
  * run make extract && make generate
* sys/linux: add pidfd_send_signal (Dmitry Vyukov, 2019-04-12; 2 files, -5/+13)
* sys/linux: more tty descriptions (Dmitry Vyukov, 2019-04-12; 2 files, -5/+114)
* sys/linux: add simple io_uring descriptions (Dmitry Vyukov, 2019-04-12; 2 files, -5/+38)
  We don't actually communicate with the uring yet, but this already finds a bunch of bugs.
* all: run make generate (Andrey Konovalov, 2019-04-11; 2 files, -5/+25)
* all: add basic USB fuzzing support (Andrey Konovalov, 2019-04-11; 4 files, -3/+484)
  This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches.

  USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow communicating with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.
* all: add optional close_fds feature to reproducers (Andrey Konovalov, 2019-04-09; 3 files, -4/+28)
  Instead of always closing open fds (number 3 to 30) after each program, add an option called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true. Also minimize C repros over it, except for when repeat is enabled.
* csource: use /*FOO*/ instead of [[FOO]] (Andrey Konovalov, 2019-04-09; 1 file, -13/+10)
  The latter differently confuses different versions of clang-format.
* sys/openbsd: add pci descriptions (Anton Lindqvist, 2019-04-05; 2 files, -1/+5)
* executor: move syz_execute_func after os imports. (#1107) (Marco Vanotti, 2019-04-03; 1 file, -16/+16)
  This commit moves the definition of the `syz_execute_func` after the block of code that imports all the OS specific common headers. This is required because after commit dfd3394d42ddd333c68cf355273b312da8c65a51 `syz_execute_func` started using the `NONFAILING` macro, which is defined in those header files for each OS. I also ran `make generate`.

  TEST=I only tested that the executor works for Fuchsia with:

  ```shell
  $ make executor TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=~/fuchsia
  ```
* executor: don't fallthrough in switches in fuchsia (#1103) (Marco Vanotti, 2019-04-03; 1 file, -0/+3)
  This commit modifies the common_fuchsia.h file changing the behavior of the `syz_future_time` function. Before, the function used to have a switch case that would fallthrough, making it always set the delta_ms to 10000. The fix is to add a `break;` statement after each switch case.
* sys/fuchsia: Remove object_*_cookie syscalls. (#1099) (Marco Vanotti, 2019-04-03; 2 files, -6/+2)
  Those syscalls were removed from Zircon in a recent CL[0]. This commit runs make extract && make generate to update syscalls and fidl interfaces.

  [0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/249349
* executor: try to prevent machine outbreak (Dmitry Vyukov, 2019-04-02; 1 file, -1/+13)
  The fuzzer gained control over host machines again with something like:

  syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030062e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02")

  Let's see if perturbing syz_execute_func a bit and wiping registers will stop the outbreak.
* pkg/compiler: make buffer alias to ptr[array[int8]] (Dmitry Vyukov, 2019-04-01; 1 file, -12/+12)
  Ptr type has special handling of direction (pointers are always input). But buffer type missed this special case all the time. Make buffer less special by aliasing to the ptr[array[int8]] type.

  As a result buffer type can't have optional trailing "opt" attribute because we don't have such support for templates yet. Change such cases to use ptr type directly.

  Fixes #1097
* executor: connect tun and bpf devices on OpenBSD (Anton Lindqvist, 2019-04-01; 1 file, -1/+1)
* sys/openbsd: add common ioctl() commands (Anton Lindqvist, 2019-04-01; 2 files, -1/+6)
* sys/openbsd: add bpf descriptions (Anton Lindqvist, 2019-03-29; 2 files, -1/+26)
* modify (houjingyi, 2019-03-29; 1 file, -5/+5)
* Sys/linux: Add rdma.txt (Noa Osherovich, 2019-03-27; 2 files, -5/+265)
  Initial description of the kernel's RDMA subsystem. This patch covers most of the older write() interface as well as some ioctl functions.

  Also disable rdma_cm's ib_qp_type flags as it conflicts with rdma's definition, and rdma builds first.

  Signed-off-by: Noa Osherovich <noaos@mellanox.com>
* sys/sys-extract: update import path for fuchsia. (Marco Vanotti, 2019-03-27; 1 file, -2/+2)
  Apparently, sysroot/include doesn't exist in the build-zircon path anymore. I changed the path in sys-extract to make it point to the exported sdk include path. I also ran make extract and make generate to add new fidl definitions.

  TEST=ran make extract and make generate.
* sys/linux: move openat to dev_rtc.txt (Shankara Pailoor, 2019-03-24; 1 file, -5/+5)
  move openat$rtc to rtc_dev and change return type to fd_rtc
* executor: prevent non-null expected warnings (Dmitry Vyukov, 2019-03-21; 7 files, -22/+22)
  The added test triggers warnings like these:

  ```
  <stdin>: In function ‘syz_mount_image.constprop’:
  <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
  In file included from <stdin>:26:0:
  /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
   extern int mkdir (const char *__path, __mode_t __mode)
              ^~~~~
  cc1: all warnings being treated as errors
  <stdin>: In function ‘syz_open_procfs.constprop’:
  <stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
  <stdin>:85:110: note: in definition of macro ‘NONFAILING’
  <stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
  <stdin>:85:110: note: in definition of macro ‘NONFAILING’
  <stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
  <stdin>:85:110: note: in definition of macro ‘NONFAILING’
  ```

  Use volatile for all arguments of syz_ functions to prevent compiler from treating the arguments as constants in reproducers.

  Popped up during bisection that used a repro that previously worked.

  Update #501
* executor: update fdio import path (Marco Vanotti, 2019-03-20; 1 file, -1/+1)
  The Fuchsia team is going to remove the `lib/fdio/util.h` library. They have already moved all the functions to new header files. I have seen that fuchsia uses `fdio_service_connect`, which has been moved to the `lib/fdio/directory.h` header file.

  This commit just changes the import path in the fuchsia executor, and in the corresponding generated go file (I made that change by running `make generate`).
* sys/linux: disable SYSLOG_ACTION_CLEAR (Dmitry Vyukov, 2019-03-19; 1 file, -5/+5)
  For context see: https://groups.google.com/d/msg/syzkaller/8nUJCnMfark/y8HOM_vrCQAJ
* sys/linux: restrict SYSLOG_ACTION_CONSOLE_LEVEL (Dmitry Vyukov, 2019-03-18; 1 file, -5/+5)
  Fuzzer must not mess with console, turn it on/off, change log level, etc. Otherwise it turns off kernel output on console.
* sys/openbsd: add chflags descriptions (Anton Lindqvist, 2019-03-18; 2 files, -1/+4)
* sys/linux: Add rfkill description for Linux (Alexander Popov, 2019-03-18; 2 files, -5/+20)
* sys/linux: regenerate and fix const files (Dmitry Vyukov, 2019-03-14; 2 files, -5/+81)
  1. Move fsverity descriptions to a separate file which is not regenerated automatically. It was dropped from linux-next.
  2. Fix tlk_device.txt name in syz-extract.
  3. Update some socket consts e.g. s/SO_TIMESTAMPING/SO_TIMESTAMPING_OLD/.
  4. Regenerate const files on current upstream head.
* pkg/runtest: make tests pass on freebsd (Dmitry Vyukov, 2019-03-07; 1 file, -1/+1)
  The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd. Pass actual host OS to executor build as HOSTGOOS and use it to figure out how we should include this header.
* sys/freebsd: avoid mangling syscall names (Mark Johnston, 2019-03-07; 2 files, -21/+22)
  syz-extract was removing certain prefixes from syscall names, but this caused some problems:
  - freebsd* prefixes are for compatibility syscalls when the syscall ABI has changed. For instance, we have both fstat() and freebsd11_fstat(), and it is desirable to fuzz them both.
  - Stripping prefixes may leave us with undefined SYS_ constants. This resulted in some test failures in pkg/csource, which emitted code referencing SYS_semctl when it should have been SYS___semctl.

  Fix the problem by updating syscall descriptions to match the names given by the FreeBSD kernel. Add some new descriptions for compatibility syscalls, fix the mknodat() description (dev_t is now 64 bits wide on FreeBSD), and remove mknod$loop, which appears to be Linux-specific.
* execprog, stress, prog2c: unify flags to enable additional features (Andrey Konovalov, 2019-03-05; 3 files, -87/+150)
  This change makes all of syz-execprog, syz-prog2c and syz-stress accept -enable and -disable flags to enable or disable additional features (tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having a separate flag for each of them.

  The default (without any flags) behavior isn't changed: syz-execprog and syz-stress enable all the features (provided the runtime supports them) and syz-prog2c disables all of them.
* executor: add newline in debug call (Dmitry Vyukov, 2019-02-27; 1 file, -1/+1)
  debug does not add newlines.
* executor: update syntax for making W+X fuchsia memory (Julia Hansbrough, 2019-02-27; 2 files, -3/+8)
  Fuchsia recently changed such that zx_vmar_map can't be declared executable and writeable at the same time; use a new syscall for this purpose. Also made a few errors more informative.
* sys/fuchsia/fidlgen: update FIDL path & extract new descriptions (Julia Hansbrough, 2019-02-21; 1 file, -2/+2)
  Garnet-layer FIDL descriptions are in a new subdirectory. This CL changes it to the proper directory, and performed a "make extract" shortly after. This should fix some of the errors on the Syzkaller hub.
* sys/linux: add netlink seg6 descriptions (houjingyi, 2019-02-21; 2 files, -5/+30)
  * Add files via upload
  * Add files via upload
  * Add files via upload
  * Add files via upload
* executor: fix format strings (Dmitry Vyukov, 2019-02-19; 1 file, -2/+2)
  clang complains that we pass an int to %hx. Fix it.
* executor: fix detection of blocked calls (Dmitry Vyukov, 2019-02-13; 1 file, -2/+1)
  Unfinished calls are always blocked too, so set the blocked flag for unfinished calls.
* hafnium: add basic support (Dmitry Vyukov, 2019-02-12; 2 files, -5/+25)
  Add [very] basic support for testing Hafnium: https://hafnium.googlesource.com/hafnium

  Update #996
* sys/linux: regenerate consts (Dmitry Vyukov, 2019-02-12; 2 files, -79/+103)
  Regenerate consts on latest linux-next.