| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
This commit adds a new VM for fuzzing starnix.
The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode.
Co-authored-by: Juampi Miceli <jpmiceli@google.com>
|
| |
|
|
| |
We already suppress them, but the current approach fails if syzkaller
slightly corrupts the options string. Do the check more rigorously.
|
| |
|
|
|
|
|
|
| |
When we decompress images for mutation or hints,
we always specially check for empty compressed data
(I assume it can apper after minimization).
Treat it as correct compressed and return empty decompressed data.
This removes the need in special handling in users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Benchmark results:
name old time/op new time/op delta
Decompress-8 24.7ms ± 1% 13.4ms ± 4% -45.81% (p=0.000 n=16+19)
name old alloc/op new alloc/op delta
Decompress-8 67.2MB ± 0% 0.0MB ± 1% -99.98% (p=0.000 n=18+20)
name old allocs/op new allocs/op delta
Decompress-8 188 ± 0% 167 ± 0% -11.17% (p=0.000 n=20+20)
Test process memory consumption drops from 220MB to 80MB.
|
| |
|
|
|
| |
We can close memfd as soon as we passed it to LOOP_SET_FD
(it holds a reference to the file).
|
| |
|
|
|
|
| |
We symlink resulting partitions into the test dir.
If we do LOOP_CLR_FD, device and partitions disappear.
Don't do LOOP_CLR_FD on success.
|
| |
|
|
|
|
|
| |
The images we unpack has huge ranges of 0s.
Currently we write all bytes and as the result page in whole unpacked image.
Don't write 0s since we just mmaped zero memory.
This reduces btrfs_0 seed memory consumption from 130MB to 6MB.
|
| |
|
|
| |
We don't use C89 style.
|
| |
|
|
|
|
| |
This will allow us to mutate the image size.
Fixes #3527
|
| |
|
|
|
| |
zlib can calculate uncompressed output size if given NULL destination buffer.
We don't use that. Remove.
|
| | |
|
| |
|
|
|
|
| |
In executor code we commonly use the syscall interface for functions:
return -1 on erorr and set errno.
Use this interface for puff_zlib_to_file.
|
| |
|
|
|
|
| |
Update the executor to handle the new `syz_mount_image`/`syz_part_table`
pseudo-syscalls. It now expects compressed images, and decompresses
them using the new `common_zlib.h` header file before mounting.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a header file to provide a clean entrypoint `puff_zlib_to_file()`,
which decompresses `zlib` data from an array to a file. This will be
used for pseudo-syscalls which accept compressed data, e.g.
`syz_mount_image`. The implementation uses a slightly-modified version
of `puff.{c,h}`, found in the `zlib` repository.
We have to be careful to ensure the copyright information from
`puff.{c,h}` gets included in generated C code and C reproducers.
Therefore, introduce the `//%` pattern to indicate comments which should
not be removed by code generation, and use this pattern for the
copyright notice.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`)
expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as
the kernel sends these two packets almost at the same time (both are sent as
the result of the `open("/dev/vhci", …)` call):
* syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`)
* `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <-
`hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <-
`hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue)
<- `hci_register_dev` <- `__vhci_create_device`)
Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in
`initialize_vhci`.
Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second,
we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.
|
| | |
|
| |
|
|
|
| |
The extension point allows to setup the test process in a custom way
without overwriting any of the existing files.
|
| |
|
|
| |
Test that extension points keep stable interface and work.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Pages residing in the BSS section are by now flagged as immutable on OpenBSD.
Meaning that their corresponding permissions cannot change. The input_data
therefore needs to be explicitly marked as mutable. Should hopefully bring
syzbot on OpenBSD back.
|
| |
|
|
|
|
| |
A fixed-address mmap can fail completely or return a different address.
Log what it was. Based on:
https://groups.google.com/g/syzkaller/c/lto00RwlDIQ
|
| |
|
|
|
|
|
|
| |
Core dumping known to have bugs. Just few recent kernel commits:
[brown paperbag] fix coredump breakage
[coredump] don't use __kernel_write() on kmap_local_page()
We also also found some info leaks in core dumps before.
No reason to not test them.
|
| |
|
|
|
| |
It will simplify the C code and let us extract the raw images in a more
convenient way.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
| |
const sock_filter needs to be const struct sock_filter
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be succeeded by the corresponding change in directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.
|
| |
|
|
|
|
|
|
|
|
| |
2 fixed:
1. netdevsim devices cannot be created via NETLINK anymore:
https://elixir.bootlin.com/linux/v6.0-rc4/source/drivers/net/netdevsim/netdev.c#L397
But we already create them via /sys/bus/netdevsim/new_device,
so just remove the netlink creation.
2. These devices are sticky and are not removed on net namspace destruction,
so delete the previous version explicitly.
|
| |
|
|
|
|
|
|
|
|
| |
XFRM device creation will fail w/o IFLA_XFRM_IF_ID attribute:
https://elixir.bootlin.com/linux/v6.0-rc4/source/net/xfrm/xfrm_interface.c#L648
Add this attribute.
This ID is also present in descriptions in at least 2 places.
In one we got it wrong, it's not ifindex (easy to confuse because of the name).
Fix it as well.
|
| |
|
|
|
|
|
| |
This reverts commit 922294abb4c0bc72b24d8526d625110d73fa1b5a.
The commit reported to cause old warnings on s390x:
https://github.com/google/syzkaller/commit/922294abb4c0bc72b24d8526d625110d73fa1b5a#commitcomment-83096994
|
| |
|
|
|
| |
The previous indirection via conditional macros in platform specific
places was needless obfuscation.
|
| |
|
|
|
|
| |
Commit 4ce69996ec362f8dd9762dcc1643d13cebaab44a changed the logic
for processing results for fuchsia system calls. That change seems
to be fault, as it sets syscalls that return with ZX_OK to return -1
instead. I am reverting that commit for now.
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| | |
|
| |
|
|
| |
executor: removed condition around tun init
|
| |
|
|
|
|
| |
If root fs is read-only, mkdir(/syzcgroup) will fail and a later
rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail.
Return early if mkdir(/syzcgroup) fails.
|
| | |
|
| |
|
|
|
|
| |
Remove /syzcgroup/* if cgroup mount fails. See #3241 for context.
Fixes #3241
|
| | |
|
| |
|
|
| |
The APPEND flag also prevents file removal.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There is a BSD syscall, chflags(2), which lets one set various flags on
a file, including several that prevent unlinking. The use of this flag
can cause the executor to fail to clean up tmpdirs, which can lead to
spurious reports.
Thus, when unlinking fails, try again after clearing relevant flags. I
suspect this would be useful on other BSDs but I can't easily verify
that this change works there. It may eventually be worth having a
BSD-specific remove_dir() implementation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 12.1 reports the following -Werror=array-bounds error:
///
In function 'bool lookup_connect_response_in(...)'
executor/common_usb.h:632:66:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
632 | qual->bNumConfigurations = index->dev->bNumConfigurations;
| ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
|
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
...
In function 'bool lookup_connect_response_in(...)',
executor/common_usb.h:633:57:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
633 | qual->bRESERVED = 0;
| ~~~~~~~~~~~~~~~~^~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
///
Current code in USB_DT_DEVICE_QUALIFIER case treats respose_data as a buffer,
but in reality it is just a pointer, as detailed in the error trace above. In
order to allow passing a usb_qualifier_descriptor struct back to the caller
(via response_data), add a new parameter to lookup_connect_response_in().
Build tested only.
Fixes: 0c00210ff32 ("executor: always provide DEVICE_QUALIFIER USB descriptor")
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
These were last updated for Android Q in or around 2020. These were
re-generated using the 'genseccomppy.py' script in the Android build
tree.
Since the filters have changed during the intervening time, fuzzing with
'sandbox: android' no longer accurately reflected what untrusted apps
can access on the device.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syzkaller reports the following error when it tries to create a C reproducer:
<stdin>: In function ‘syz_clone’:
<stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this
function)
<stdin>:289:48: note: each undeclared identifier is reported only once
for each function it appears in
compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall
-Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384
-Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow
-static-pie -fpermissive -w]
|
