path: root/executor
Commit message (Author, Age, Files, Lines)

* Update syscalls (#1116) (Marco Vanotti, 2019-04-22, 2 files, -4/+28)
  - sys/fuchsia: update all syscalls. This commit modifies all the existing syscall definitions to match more closely the documentation in the Fuchsia repo.
  - run make extract && make generate

* sys/linux: add pidfd_send_signal (Dmitry Vyukov, 2019-04-12, 2 files, -5/+13)

* sys/linux: more tty descriptions (Dmitry Vyukov, 2019-04-12, 2 files, -5/+114)

* sys/linux: add simple io_uring descriptions (Dmitry Vyukov, 2019-04-12, 2 files, -5/+38)
  We don't actually communicate with the uring yet, but this already finds a bunch of bugs.

* all: run make generate (Andrey Konovalov, 2019-04-11, 2 files, -5/+25)

* all: add basic USB fuzzing support (Andrey Konovalov, 2019-04-11, 4 files, -3/+484)
  This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
  USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow communicating with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.

* all: add optional close_fds feature to reproducers (Andrey Konovalov, 2019-04-09, 3 files, -4/+28)
  Instead of always closing open fds (number 3 to 30) after each program, add an option called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true.
  Also minimize C repros over it, except for when repeat is enabled.

* csource: use /*FOO*/ instead of [[FOO]] (Andrey Konovalov, 2019-04-09, 1 file, -13/+10)
  The latter differently confuses different versions of clang-format.

* sys/openbsd: add pci descriptions (Anton Lindqvist, 2019-04-05, 2 files, -1/+5)

* executor: move syz_execute_func after os imports. (#1107) (Marco Vanotti, 2019-04-03, 1 file, -16/+16)
  This commit moves the definition of the `syz_execute_func` after the block of code that imports all the OS specific common headers.
  This is required because after commit dfd3394d42ddd333c68cf355273b312da8c65a51 `syz_execute_func` started using the `NONFAILING` macro, which is defined in those header files for each OS.
  I also ran `make generate`.
  TEST=I only tested that the executor works for Fuchsia with:
  ```shell
  $ make executor TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=~/fuchsia
  ```

* executor: don't fallthrough in switches in fuchsia (#1103) (Marco Vanotti, 2019-04-03, 1 file, -0/+3)
  This commit modifies the common_fuchsia.h file changing the behavior of the `syz_future_time` function. Before, the function used to have a switch case that would fall through, making it always set the delta_ms to 10000.
  The fix is to add a `break;` statement after each switch case.

* sys/fuchsia: Remove object_*_cookie syscalls. (#1099) (Marco Vanotti, 2019-04-03, 2 files, -6/+2)
  Those syscalls were removed from Zircon in a recent CL[0].
  This commit runs make extract && make generate to update syscalls and fidl interfaces.
  [0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/249349

* executor: try to prevent machine outbreak (Dmitry Vyukov, 2019-04-02, 1 file, -1/+13)
  The fuzzer gained control over host machines again with something like:
  syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030062e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02")
  Let's see if perturbing syz_execute_func a bit and wiping registers will stop the outbreak.

* pkg/compiler: make buffer alias to ptr[array[int8]] (Dmitry Vyukov, 2019-04-01, 1 file, -12/+12)
  Ptr type has special handling of direction (pointers are always input). But buffer type missed this special case all the time. Make buffer less special by aliasing to the ptr[array[int8]] type.
  As a result, buffer type can't have the optional trailing "opt" attribute because we don't have such support for templates yet. Change such cases to use ptr type directly.
  Fixes #1097
* executor: connect tun and bpf devices on OpenBSD (Anton Lindqvist, 2019-04-01, 1 file, -1/+1)

* sys/openbsd: add common ioctl() commands (Anton Lindqvist, 2019-04-01, 2 files, -1/+6)

* sys/openbsd: add bpf descriptions (Anton Lindqvist, 2019-03-29, 2 files, -1/+26)

* modify (houjingyi, 2019-03-29, 1 file, -5/+5)

* Sys/linux: Add rdma.txt (Noa Osherovich, 2019-03-27, 2 files, -5/+265)
  Initial description of the kernel's RDMA subsystem. This patch covers most of the older write() interface as well as some ioctl functions.
  Also disable rdma_cm's ib_qp_type flags as it conflicts with rdma's definition, and rdma builds first.
  Signed-off-by: Noa Osherovich <noaos@mellanox.com>

* sys/sys-extract: update import path for fuchsia. (Marco Vanotti, 2019-03-27, 1 file, -2/+2)
  Apparently, sysroot/include doesn't exist in the build-zircon path anymore. I changed the path in sys-extract to make it point to the exported sdk include path.
  I also ran make extract and make generate to add new fidl definitions.
  TEST=ran make extract and make generate.

* sys/linux: move openat to dev_rtc.txt (Shankara Pailoor, 2019-03-24, 1 file, -5/+5)
  move openat$rtc to rtc_dev and change return type to fd_rtc

* executor: prevent non-null expected warnings (Dmitry Vyukov, 2019-03-21, 7 files, -22/+22)
  The added test triggers warnings like these:

      <stdin>: In function ‘syz_mount_image.constprop’:
      <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
      In file included from <stdin>:26:0:
      /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
       extern int mkdir (const char *__path, __mode_t __mode)
                  ^~~~~
      cc1: all warnings being treated as errors
      <stdin>: In function ‘syz_open_procfs.constprop’:
      <stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
      <stdin>:85:110: note: in definition of macro ‘NONFAILING’
      <stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
      <stdin>:85:110: note: in definition of macro ‘NONFAILING’
      <stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
      <stdin>:85:110: note: in definition of macro ‘NONFAILING’

  Use volatile for all arguments of syz_ functions to prevent the compiler from treating the arguments as constants in reproducers.
  Popped up during bisection that used a repro that previously worked.
  Update #501

* executor: update fdio import path (Marco Vanotti, 2019-03-20, 1 file, -1/+1)
  The Fuchsia team is going to remove the `lib/fdio/util.h` library. They have already moved all the functions to new header files.
  I have seen that fuchsia uses `fdio_service_connect`, which has been moved to the `lib/fdio/directory.h` header file.
  This commit just changes the import path in the fuchsia executor, and in the corresponding generated go file (I made that change by running `make generate`).

* sys/linux: disable SYSLOG_ACTION_CLEAR (Dmitry Vyukov, 2019-03-19, 1 file, -5/+5)
  For context see: https://groups.google.com/d/msg/syzkaller/8nUJCnMfark/y8HOM_vrCQAJ

* sys/linux: restrict SYSLOG_ACTION_CONSOLE_LEVEL (Dmitry Vyukov, 2019-03-18, 1 file, -5/+5)
  Fuzzer must not mess with console, turn it on/off, change log level, etc. Otherwise it turns off kernel output on console.

* sys/openbsd: add chflags descriptions (Anton Lindqvist, 2019-03-18, 2 files, -1/+4)

* sys/linux: Add rfkill description for Linux (Alexander Popov, 2019-03-18, 2 files, -5/+20)

* sys/linux: regenerate and fix const files (Dmitry Vyukov, 2019-03-14, 2 files, -5/+81)
  1. Move fsverity descriptions to a separate file which is not regenerated automatically. It was dropped from linux-next.
  2. Fix tlk_device.txt name in syz-extract.
  3. Update some socket consts, e.g. s/SO_TIMESTAMPING/SO_TIMESTAMPING_OLD/.
  4. Regenerate const files on current upstream head.
* pkg/runtest: make tests pass on freebsd (Dmitry Vyukov, 2019-03-07, 1 file, -1/+1)
  The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd. Pass actual host OS to executor build as HOSTGOOS and use it to figure out how we should include this header.

* sys/freebsd: avoid mangling syscall names (Mark Johnston, 2019-03-07, 2 files, -21/+22)
  syz-extract was removing certain prefixes from syscall names, but this caused some problems:
  - freebsd* prefixes are for compatibility syscalls when the syscall ABI has changed. For instance, we have both fstat() and freebsd11_fstat(), and it is desirable to fuzz them both.
  - Stripping prefixes may leave us with undefined SYS_ constants. This resulted in some test failures in pkg/csource, which emitted code referencing SYS_semctl when it should have been SYS___semctl.
  Fix the problem by updating syscall descriptions to match the names given by the FreeBSD kernel. Add some new descriptions for compatibility syscalls, fix the mknodat() description (dev_t is now 64 bits wide on FreeBSD), and remove mknod$loop, which appears to be Linux-specific.

* execprog, stress, prog2c: unify flags to enable additional features (Andrey Konovalov, 2019-03-05, 3 files, -87/+150)
  This change makes syz-execprog, syz-prog2c and syz-stress all accept -enable and -disable flags to enable or disable additional features (tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having a separate flag for each of them.
  The default (without any flags) behavior isn't changed: syz-execprog and syz-stress enable all the features (provided the runtime supports them) and syz-prog2c disables all of them.

* executor: add newline in debug call (Dmitry Vyukov, 2019-02-27, 1 file, -1/+1)
  debug does not add newlines.

* executor: update syntax for making W+X fuchsia memory (Julia Hansbrough, 2019-02-27, 2 files, -3/+8)
  Fuchsia recently changed such that zx_vmar_map can't be declared executable and writeable at the same time; use a new syscall for this purpose.
  Also made a few errors more informative.

* sys/fuchsia/fidlgen: update FIDL path & extract new descriptions (Julia Hansbrough, 2019-02-21, 1 file, -2/+2)
  Garnet-layer FIDL descriptions are in a new subdirectory. This CL changes it to the proper directory, and performed a "make extract" shortly after.
  This should fix some of the errors on the Syzkaller hub.

* sys/linux: add netlink seg6 descriptions (houjingyi, 2019-02-21, 2 files, -5/+30)
  - Add files via upload
  - Add files via upload
  - Add files via upload
  - Add files via upload

* executor: fix format strings (Dmitry Vyukov, 2019-02-19, 1 file, -2/+2)
  clang complains that we pass an int to %hx. Fix it.

* executor: fix detection of blocked calls (Dmitry Vyukov, 2019-02-13, 1 file, -2/+1)
  Unfinished calls are always blocked too, so set the blocked flag for unfinished calls.

* hafnium: add basic support (Dmitry Vyukov, 2019-02-12, 2 files, -5/+25)
  Add [very] basic support for testing Hafnium:
  https://hafnium.googlesource.com/hafnium
  Update #996
* sys/linux: regenerate consts (Dmitry Vyukov, 2019-02-12, 2 files, -79/+103)
  Regenerate consts on latest linux-next.

* sys/linux: add NDISC packet formats to vnet.txt (Dan Robertson, 2019-02-11, 1 file, -5/+5)
  Add the basic NDISC (RFC 4861) packet formats to sys/linux/vnet.txt.

* sys/linux: prohibit EXT4_IOC_RESIZE_FS (Dmitry Vyukov, 2019-02-08, 2 files, -10/+5)
  When we run with sandbox=none, a test program can do EXT4_IOC_RESIZE_FS which shrinks rootfs basically to 0. This breaks the machine as all tests then fail with:
  failed to create temp dir: mkdir syzkaller-testdir077269498: no space left on device
  This is the most common source of "lost connection" crashes overall and they are not actually kernel bugs.
  Prohibit EXT4_IOC_RESIZE_FS for now. Alternatively we can mount tmpfs with sandbox=none.
  Update #971

* sys/linux: extend key descriptions (Dmitry Vyukov, 2019-02-07, 2 files, -5/+35)

* sys/linux: move {i,fa}notify into own files (Dmitry Vyukov, 2019-02-07, 2 files, -7/+81)

* sys/fuchsia: fix fidlgen issues (Marco Vanotti, 2019-02-06, 2 files, -94/+82)
  - sys/fuchsia: fix fidlgen issues. This change modifies fidlgen removing fuchsia.mediacodec and renaming zircon-ethernet to fuchsia-hardware-ethernet. fuchsia.mediacodec has most of its functionality merged into fuchsia.media and it's not included in the default amd64 builds. zircon-ethernet has been renamed to fuchsia-hardware-ethernet recently: https://fuchsia-review.googlesource.com/c/zircon/+/237178
  - docs/fuchsia: Add troubleshooting sections. This commit adds a troubleshooting section in the fuchsia syzkaller docs that mentions how to solve fidlgen issues when fidl interfaces are removed or renamed.
  - sys/fuchsia: remove stale autogenerated files.
  - sys/fuchsia: run make extract && make generate.

* sys/openbsd: add missing wscons descriptions (#976) (Anton Lindqvist, 2019-02-01, 2 files, -1/+7)

* executor: add missing include (Dmitry Vyukov, 2019-02-01, 1 file, -0/+1)
  thread_start now uses errno, so include <errno.h>

* executor, pkg/ipc: simplify retry handling (Dmitry Vyukov, 2019-01-31, 2 files, -18/+11)
  Remove kRetryStatus, it's effectively the same as exiting with 0. Remove ipc.ExecutorFailure, nobody uses it. Simplify a few other minor things around exit status handling.

* executor: remove ability to detect kernel bugs (Dmitry Vyukov, 2019-01-31, 2 files, -19/+2)
  This ability was never used but we maintain a bunch of code for it. syzkaller also recently learned to spoof this error code with some ptrace magic (probably intercepted control flow again and exploited executor binary). Drop all of it.

* sys/test/test: add tests for test exiting in the middle of execution (Dmitry Vyukov, 2019-01-31, 3 files, -4/+17)

* executor: fix do_sandbox_none on akaros and test (Dmitry Vyukov, 2019-01-31, 4 files, -5/+3)
  do_sandbox_none must not exit, it needs to return.