| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The feature gets enabled when /dev/raw-gadget is present and accessible.
With this feature enabled, executor will do chmod 0666 /dev/raw-gadget on
startup, which makes it possible to do USB fuzzing in setuid and namespace
sandboxes. There should be no backwards compatibility issues with syz
reproducers that don't explicitly enable this feature, as they currently only
work in none sandbox.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
We do similar truncation for values in the prog package (truncateToBitSize).
Truncating them in the generated descriptions makes it possible
to directly compare values (otherwise -1 and truncated -1 don't match).
|
| |
|
|
|
|
|
|
| |
flags[foo, int8]
foo = 0x12345678
is always an error, detect these cases.
Found some bugs in mptcp, packet sockets, kvm.
|
| |
|
|
|
| |
const[0x12345678, int8] is always an error, detect these cases.
Found some bugs in mptcp, socket proto and fuchsia fidl descriptions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we have:
ioctl(fd fd, cmd int32)
ioctl$FOO(fd fd, cmd const[FOO])
Currently we assume that cmd size in ioctl$FOO is sizeof(void*).
However, we know that in ioctl it's specified as int32,
so we can infer that the actual syscall size is 4.
This massively reduces sizes of socket/setsockopt/getsockopt/ioctl
and some other syscalls, which is good because we now use physical
size in mutation/hints and some other places.
This will also enable not morphing ioctl's into other ioctl's.
Update #477
Update #502
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that we don't have conflicting sizes for the same argument
of the same syscall, e.g.:
foo$1(a int16)
foo$2(a int32)
This is useful for several reasons:
- we will be able avoid morphing syscalls into other syscalls
- we will be able to figure out more precise sizes for args
(lots of them are implicitly intptr, which is the largest
type on most important arches)
- found few bugs in linux descriptions
Update #477
Update #502
|
| |
|
|
| |
This is just tedious. Fabricate them on the fly.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ThreadSanitizer says:
WARNING: ThreadSanitizer: data race (pid=3)
Atomic read of size 4 at 0x56360e562f08 by main thread:
#0 __tsan_atomic32_load <null> (libtsan.so.0+0x64249)
#1 event_isset executor/common_linux.h:51 (syz-executor.0+0x2cf1f)
#2 handle_completion executor/executor.cc:886 (syz-executor.0+0x2cf1f)
#3 execute_one executor/executor.cc:732 (syz-executor.0+0x2da3b)
#4 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#5 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#6 main executor/executor.cc:407 (syz-executor.0+0x189d6)
Previous write of size 4 at 0x56360e562f08 by thread T1:
#0 event_reset executor/common_linux.h:32 (syz-executor.0+0x1f5af)
#1 worker_thread executor/executor.cc:1048 (syz-executor.0+0x1f5af)
#2 <null> <null> (libtsan.so.0+0x2b0b6)
Location is global 'threads' of size 2560 at 0x56360e562f00 (syz-executor.0+0x00000008bf08)
Thread T1 (tid=6, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2d55b)
#1 thread_start executor/common.h:256 (syz-executor.0+0x2d707)
#2 thread_create executor/executor.cc:1037 (syz-executor.0+0x2d707)
#3 schedule_call executor/executor.cc:811 (syz-executor.0+0x2d707)
#4 execute_one executor/executor.cc:719 (syz-executor.0+0x2d707)
#5 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#6 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#7 main executor/executor.cc:407 (syz-executor.0+0x189d6)
|
| |
|
|
|
|
|
|
| |
The running=-1 check fires periodically for the past 2 years.
I can't reproduce nor understand how this happens.
Add more debugging output, maybe it will shed some light.
Update #502
|
| |
|
|
|
|
|
| |
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
|
| |
|
|
| |
Fix code formatting, clang-tidy warnings, minor style nits.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
|
| |
|
|
|
|
|
|
| |
nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
It happens a lot in qemu, and the messages are frequently corrupted
(intermixed with other kernel output as they are printed from NMI)
and are not matched against the suppression in pkg/report.
This write prevents these messages from being printed.
|
| |
|
|
|
|
|
|
|
|
| |
This is one of the root causes of the 'no output from test machine'
panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will
cause state associated with ongoing connections to be purged;
effectively killing the ssh connection to the VM.
Including net/pfvar.h is necessary in order to make use of the
DIOCKILLSTATES define.
|
| |
|
|
|
|
|
| |
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4af5 ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentially.
Uncomment it.
Spotted by @xairy:
https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572
|
| |
|
|
| |
Incomplete, but something.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
These are not present in linux-next.
|
| |
|
|
| |
Update #1594
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Code in net/ethernet/eth.c does this:
__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
...
if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
dev->dev_addr))) {
if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
skb->pkt_type = PACKET_BROADCAST;
else
skb->pkt_type = PACKET_MULTICAST;
} else {
skb->pkt_type = PACKET_OTHERHOST;
}
}
Multicast and broadcast are distinct and dev->broadcast seems to be ffffffffffff
by default, so add another multicast mac address that will serve as PACKET_MULTICAST.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One observation is that checking for extra cover is very fast
(effectively a memory load), so we can simplify code by removing
th->extra_cover and just check for it always. Additionally, we may
grab some coverage that we would miss otherwise.
Don't sleep for 500 ms at the end if colliding,
we are not going to use the extra coverage in that case anyway.
Check for extra coverage at the end every 100ms to avoid
being killed on timeout before we write any.
Make the 500ms sleep at the end parametrizable.
Enable it for syz_usb syscalls, so we get the same behavior for usb.
But this also allows to get extra coverage for other subsystems.
Some subsystems don't have a good way to detect if we will get any
extra coverage or not. Sleeping for 500ms for all programs slows down
fuzzing too much. So we check for extra coverage at the end for all
programs (cheap anyway), but sleep only for usb program.
This allows to collect extra coverage for vhost and maybe wireguard in future.
Update #806
|
| |
|
|
|
|
| |
Create individual file for futex syscall and add description for the new
operation FUTEX_WAIT_MULTIPLE.
Signed-off-by: André Almeida <andrealmeid@collabora.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
