path: root/executor
Commit message  (Author, Age; Files, Lines)
* sys/linux: add missing BPF constants  (Paul Chaignon, 2019-05-31; 1 file, -5/+5)
    Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
* pkg/csource: generate timeouts for USB syzcalls  (Andrey Konovalov, 2019-05-31; 2 files, -1/+3)
    This patch only covers per call timeouts, per prog one is not adjusted yet.
* sys/linux: add missing BPF constants  (Paul Chaignon, 2019-05-29; 1 file, -5/+5)
    Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
* sys/freebsd: Add support for fuzzing FreeBSD/i386  (Andrew Turner, 2019-05-29; 2 files, -0/+513)
    Add support to fuzz 32 bit FreeBSD system calls.
* sys/fuchsia: Updating Fuchsia definitions  (Pascal Perez, 2019-05-21; 2 files, -2/+16)
    Simply make extract TARGETOS=fuchsia SOURCEDIR=<FUCHSIA_DIR>/fuchsia
* make changes to prevent failing build  (R3x, 2019-05-21; 1 file, -2/+11)
* executor: exit after first detected leak in C repros  (Dmitry Vyukov, 2019-05-21; 1 file, -6/+0)
    Otherwise C repros print infinite stream of the same leaks again and again.
* executor: implement support for leak checking  (Dmitry Vyukov, 2019-05-20; 4 files, -41/+223)
    Leak checking support was half done and did not really work. This is heavy-lifting to make it work.
    1. Move leak/fault setup into executor. pkg/host was a wrong place for them because we need them in C repros too. The pkg/host periodic callback functionality did not work too, we need it in executor so that we can reuse it in C repros too. Remove setup/callback functions in pkg/host entirely.
    2. Do leak setup/checking in C repros. The way leak checking is invoked is slightly different from fuzzer, but much better than no support at all. At least the checking code is shared.
    3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
    4. Don't enable leak checking in fuzzer while we are triaging initial corpus. It's toooo slow.
    5. Fix pkg/repro to do something more sane for leak bugs.
    Few other minor fixes here and there.
* sys/linux: improve binder descriptions  (Dmitry Vyukov, 2019-05-17; 1 file, -5/+5)
    Refine some consts to increase chances of correct programs. Fix some types. Add comments and a test.
* sys/linux: improve binder descriptions  (Dmitry Vyukov, 2019-05-16; 1 file, -5/+5)
    Always pass 3 objects in a transaction. This allows to specify correct offsets for objects. Let's see if this improves coverage.
* sys/linux: use offsetof in ebtables  (Dmitry Vyukov, 2019-05-16; 1 file, -5/+5)
    Resolve 2 TODOs in ebtables using the new offsetof type.
* pkg/compiler: add offsetof type  (Dmitry Vyukov, 2019-05-16; 2 files, -1/+2)
    Similar to C offsetof, gives offset of a field from the beginning of the parent struct. We have several TODOs in descriptions asking for this.
* pkg/compiler: work around 0-array-size errors due to missing consts  (Dmitry Vyukov, 2019-05-15; 2 files, -2/+3)
    A const can be used as array size. Then if the const is not present on all arches, compiler will produce an error about 0-sized-array. There is no easy way to work around this for a user. Use value of 1 for missing consts. It's just a bit safer.
* .golangci.yml: add codeanalysis build tag  (Dmitry Vyukov, 2019-05-15; 1 file, -17/+17)
    Using a build tag to exclude files for golangci-lint reduces memory consumption (it does not parse them). The naive attempt with skip-dirs did not work. So add codeanalysis build tag and use it in auto-generated files.
    Update #977
* sys/linux: improve binder descriptions  (Dmitry Vyukov, 2019-05-14; 2 files, -5/+15)
    Add few new ioctl's. Add some typedefs for clarity.
* sys/linux: improve key and net_sch descriptions  (Dmitry Vyukov, 2019-05-14; 1 file, -5/+5)
    Use the len paths to resolve pending TODOs.
* pkg/compiler: allow to refer to syscall arguments in len paths  (Dmitry Vyukov, 2019-05-14; 1 file, -1/+1)
    This allows to use len[syscall:arg] expressions.
* sys/akaros: rename syscall argument  (Dmitry Vyukov, 2019-05-14; 1 file, -1/+1)
    In preparation for making syscall a reserved name.
* sys/linux: improve btf descriptions  (Dmitry Vyukov, 2019-05-14; 1 file, -5/+5)
    Now that we have the len path expressions we can fix the TODO in btf descriptions to properly specify offsets of btf sections. Also add proper descriptions for btf type section and few other minor things around.
* prog: implement complex len target support  (Dmitry Vyukov, 2019-05-14; 1 file, -1/+1)
    This actually implements support for complex len targets during program generation and mutation.
* pkg/compiler: generate complex len targets  (Dmitry Vyukov, 2019-05-14; 2 files, -17/+18)
    Change the generated format for len type to support multiple path elements.
* sys/linux: switch ppc64le to little-endian  (Dmitry Vyukov, 2019-05-13; 1 file, -1/+1)
    make extract recently broke for powerpc on linux-next with:
        include/uapi/linux/byteorder/big_endian.h:6:2: error: #error "Unsupported endianness, check your toolchain"
         #error "Unsupported endianness, check your toolchain"
    Turns out we always built ppc64le headers as big-endian. First, kernel was configured as BE. Then, we used gcc to build an executable program for host and on x86 gcc does not define __LITTLE_ENDIAN__ so kernel thought that the toolchain is BE too. Configure kernel as LE and define __LITTLE_ENDIAN__. This actually changes values of some consts, but fortunately just few of them.
* sys/openbsd: add missing padding arguments  (Anton Lindqvist, 2019-05-12; 2 files, -1/+3)
    Due to missing padding arguments, stack garbage could end up being used as actual arguments. More reading for the curious[1]. While here, add missing descriptions for pread and pwrite.
    [1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
* sys/linux: add few new bpf consts  (Dmitry Vyukov, 2019-05-10; 2 files, -5/+10)
* sys/linux: add definitions of fsopen, fspick, fsconfig, fsmount, move_mount syscalls  (Dmitry Vyukov, 2019-05-10; 2 files, -5/+29)
* sys/linux: add new consts/flags/fields here and there  (Dmitry Vyukov, 2019-05-10; 2 files, -5/+25)
    Add a bunch of new small interfaces in 5.2: new consts, flags, fields, etc.
* sys/linux: add new fou attributes  (Dmitry Vyukov, 2019-05-10; 1 file, -5/+5)
* sys/linux: add description of open_tree syscall  (Dmitry Vyukov, 2019-05-10; 2 files, -5/+7)
* sys/linux: regenerate consts on the latest linux-next tree  (Dmitry Vyukov, 2019-05-10; 1 file, -5/+5)
    Fuse version was bumped.
* sys/linux: fix alignment of cmsghdr_sock  (Dmitry Vyukov, 2019-05-10; 1 file, -5/+5)
    All cmsg's must be intptr aligned within the array.
* sys/linux: update descriptions of sendmsg/sendmmsg  (Kaipeng Zeng, 2019-05-10; 2 files, -5/+29)
    Fix the descriptions of cmsghdr. Add sendmsg$sock and sendmmsg$sock for __sock_cmsg_send.
* executor: fix 32-bit build  (Dmitry Vyukov, 2019-05-07; 1 file, -3/+3)
    Syscall args can't be printed with %lx now. Cast them to uint64 for now since we have only 2 such places.
* executor: change syscall argument type to intptr_t  (munjinoo, 2019-05-07; 7 files, -13/+13)
    The type size of long depends on compiler. Therefore, changing to intptr_t makes it depend on architecture.
* executor: unbreak on OpenBSD at runtime  (Anton Lindqvist, 2019-05-02; 1 file, -0/+4)
    Not using `elif GOOS_freebsd' since it could cause breakage on other *BSDs due to unused variables.
    Regression introduced in commit c7c3f772 (executor: improve setup for packet handling on *BSD).
* sys/openbsd: add vmm descriptions (#1152)  (Anton Lindqvist, 2019-05-01; 2 files, -1/+10)
    Most probably limited to input validation for now. In the future, it could be extended to provide a bootable kernel during vm create (/bsd) and turn vmid into a proper resource. The OpenBSD VMs on GCE do support vmm(4).
* executor: improve setup for packet handling on *BSD (#1153)  (Michael Tüxen, 2019-05-01; 1 file, -1/+20)
    Improve the handling of packets by:
      * setting the local MAC address.
      * configuring the local IPv4 address with prefix /24.
      * adding an entry in the arp cache for the remote IPv4 address.
      * adding an entry in the IPv6 neighbour cache for the remote IPv6 address.
* sys/freebsd: add support for various network protocols  (Michael Tuexen, 2019-05-01; 1 file, -1/+1)
    Add support for Ethernet, IPv4, ICMP, IPv6, ICMP6, TCP, and UDP. This work is based on the corresponding Linux support.
* sys/freebsd: include ioccom.h in pf.txt  (Michael Tuexen, 2019-04-30; 1 file, -1/+1)
    This is needed for the IORW() macros.
* executor: fix another compiler warning  (Andrey Konovalov, 2019-04-25; 1 file, -1/+1)
* executor: fix compiler warning  (Andrey Konovalov, 2019-04-24; 1 file, -2/+2)
* executor: use NONFAILING in common_usb.h  (Andrey Konovalov, 2019-04-23; 1 file, -105/+130)
    Also move some code to helper functions.
* executor: adjust waiting time for all usb syzcalls  (Andrey Konovalov, 2019-04-23; 2 files, -10/+14)
    Allow 2000 ms of waiting time for syz_usb_connect and the same time for the whole program if this syzcall is present. Allow 200 ms of waiting time for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
* sys/freebsd: Add pf ioctl()s  (Kristof Provost, 2019-04-23; 2 files, -1/+60)
    Tweak the building of the FreeBSD vm image to ensure pf is loaded at startup, so that we can test it.
* Update syscalls (#1116)  (Marco Vanotti, 2019-04-22; 2 files, -4/+28)
      * sys/fuchsia: update all syscalls. This commit modifies all the existing syscalls definitions to match more closely the documentation in the Fuchsia repo.
      * run make extract && make generate
* sys/linux: add pidfd_send_signal  (Dmitry Vyukov, 2019-04-12; 2 files, -5/+13)
* sys/linux: more tty descriptions  (Dmitry Vyukov, 2019-04-12; 2 files, -5/+114)
* sys/linux: add simple io_uring descriptions  (Dmitry Vyukov, 2019-04-12; 2 files, -5/+38)
    We don't actually communicate with the uring yet, but this already finds a bunch of bugs.
* all: run make generate  (Andrey Konovalov, 2019-04-11; 2 files, -5/+25)
* all: add basic USB fuzzing support  (Andrey Konovalov, 2019-04-11; 4 files, -3/+484)
    This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
    USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow to communicate with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.
* all: add optional close_fds feature to reproducers  (Andrey Konovalov, 2019-04-09; 3 files, -4/+28)
    Instead of always closing open fds (number 3 to 30) after each program, add an option called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true.
    Also minimize C repros over it, except for when repeat is enabled.