path: root/executor

Commit message | Author | Age | Files | Lines
* executor: prevent ENOSPC if cgroup mount fails  [Dmitry Vyukov, 2022-07-15, 1 file, -1/+15]
  Remove /syzcgroup/* if cgroup mount fails. See #3241 for context.
  Fixes #3241

* executor: also reset flags on the parent dir if unlinking fails  [Mark Johnston, 2022-06-24, 1 file, -0/+1]

* executor: clear more file flags when removing files  [Mark Johnston, 2022-06-24, 1 file, -1/+1]
  The APPEND flag also prevents file removal.

* syz-manager, executor: fix out-of-bound access due to NextInstructionPC  [Yuchuan Liu, 2022-06-24, 1 file, -1/+1]

* executor: skips declaration of unused function 'doexit_thread' for fuchsia  [Kouame Behouba Manassé, 2022-06-22, 3 files, -1/+5]

* executor: replace outdated fuchsia syscalls in common_fuchsia.h  [Kouame Behouba Manassé, 2022-06-22, 1 file, -2/+2]

* executor: fix enabling of ICMP/ping sockets  [Dmitry Vyukov, 2022-06-20, 1 file, -1/+4]
  net/ipv4/ping_group_range sysctl grants access to ICMP sockets to the specified user groups.
  But it needs to be set inside of the net namespace (it's per-namespace).
  We were setting it but in the init namespace only (which we don't use).
  Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
  Note: don't set it for setuid sandbox since it's "low privilege".

* executor: try harder to unlink files on FreeBSD  [Mark Johnston, 2022-06-17, 1 file, -2/+31]
  There is a BSD syscall, chflags(2), which lets one set various flags on a file, including several
  that prevent unlinking. The use of this flag can cause the executor to fail to clean up tmpdirs,
  which can lead to spurious reports. Thus, when unlinking fails, try again after clearing relevant flags.
  I suspect this would be useful on other BSDs but I can't easily verify that this change works there.
  It may eventually be worth having a BSD-specific remove_dir() implementation.
* executor: fix out of bounds write in lookup_connect_response_in()  [Ovidiu Panait, 2022-06-14, 3 files, -4/+6]
  gcc 12.1 reports the following -Werror=array-bounds error:

  ///
  In function 'bool lookup_connect_response_in(...)'
  executor/common_usb.h:632:66: error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array bounds of 'char [8]' [-Werror=array-bounds]
    632 |                 qual->bNumConfigurations = index->dev->bNumConfigurations;
        |                 ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In function 'volatile long int syz_usb_connect_impl(...)':
  executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
    332 |         char* response_data = NULL;
        |               ^~~~~~~~~~~~~
  ...
  In function 'bool lookup_connect_response_in(...)',
  executor/common_usb.h:633:57: error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array bounds of 'char [8]' [-Werror=array-bounds]
    633 |                 qual->bRESERVED = 0;
        |                 ~~~~~~~~~~~~~~~~^~~
  In function 'volatile long int syz_usb_connect_impl(...)':
  executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
    332 |         char* response_data = NULL;
        |               ^~~~~~~~~~~~~
  ///

  Current code in USB_DT_DEVICE_QUALIFIER case treats response_data as a buffer, but in reality it is
  just a pointer, as detailed in the error trace above. In order to allow passing a usb_qualifier_descriptor
  struct back to the caller (via response_data), add a new parameter to lookup_connect_response_in().
  Build tested only.

  Fixes: 0c00210ff32 ("executor: always provide DEVICE_QUALIFIER USB descriptor")
  Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
* executor: fixed sandbox 'android'  [Andrey Artemiev, 2022-06-03, 1 file, -1/+2]

* executor/android: update seccomp filters  [Kris Alder, 2022-06-02, 4 files, -348/+406]
  These were last updated for Android Q in or around 2020. These were re-generated using the
  'genseccomppy.py' script in the Android build tree. Since the filters have changed during the
  intervening time, fuzzing with 'sandbox: android' no longer accurately reflected what untrusted
  apps can access on the device.

* executor: include sched.h for syz_clone  [Andrei Vagin, 2022-05-27, 1 file, -0/+2]
  syzkaller reports the following error when it tries to create a C reproducer:

  <stdin>: In function ‘syz_clone’:
  <stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this function)
  <stdin>:289:48: note: each undeclared identifier is reported only once for each function it appears in
  compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w]

* executor: write magic in write_extra_output  [Andrei Vagin, 2022-05-24, 1 file, -0/+1]
  Fixes: fcfad4ffcf3a ("ipc: add magic in a call reply")

* ipc: add magic in a call reply  [Andrei Vagin, 2022-05-24, 1 file, -0/+3]
  When shared memory is used, the executor can corrupt reply messages, so let's add magic to detect
  such cases. It is an attempt to debug issues like this one:
  https://syzkaller.appspot.com/bug?id=faca64c3182e9f130ca94b7931dd771be390ef67

  Signed-off-by: Andrei Vagin <avagin@google.com>

* executor: allow external extensions of the setup phase  [Dmitry Vyukov, 2022-04-27, 3 files, -0/+10]
  Allow common_ext.h to provide setup_ext() function that is called during VM setup.

* executor: applied Bionic patch  [Andrey Artemiev, 2022-04-13, 1 file, -0/+29]

* executor: tolerate syz_genetlink_get_family_id failures  [Aleksandr Nogikh, 2022-02-25, 1 file, -4/+1]
  We cannot expect syscalls to always succeed during fuzzing, especially when the situation involves
  a complex interaction with the system. For the syz_genetlink_get_family_id case, it leads to
  numerous SYZFAIL crashes every day. Don't print a SYZFAIL error for this pseudo syscall.

* fix: "mmap_alloc_size"->"cov->mmap_alloc_size"  [aiQG_, 2022-02-21, 1 file, -1/+1]
* executor: fail on SEGV during clone()  [Aleksandr Nogikh, 2022-01-21, 4 files, -1/+40]
  As was found out in #2921, fork bombs are still possible in Linux-based instances. One of the
  possible reasons is described below.
  An invalid stack can be passed to the clone() call, thus causing it to stumble on an invalid memory
  access right during returning from the clone() call. This is in turn caught by the NONFAILING()
  macro and the control actually jumps over it and eventually both the child and the parent continue
  executing the same code.
  Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.

  Co-authored-by: Andrei Vagin <avagin@google.com>
* executor: add extension point for adding non-mainline pseudo-syscalls  [Dmitry Vyukov, 2022-01-19, 2 files, -0/+8]
  Add an empty common_ext.h which is included into executor and C reproducers and can be used to add
  non-mainline pseudo-syscalls w/o changing any other files (by replacing common_ext.h file).
  It would be good to finish #2274 which allows to add pseudo-syscalls along with *.txt descriptions,
  but #2274 is large and there are several open design questions. So add this simple extension point for now.

* all: create 8 tun devices for OpenBSD  [Aleksandr Nogikh, 2022-01-14, 1 file, -2/+2]
  Currently only 4 are created by default. This limits the maximum number of simultaneously running syz-executors.
* all: add syz_clone() and syz_clone3() pseudo calls  [Aleksandr Nogikh, 2022-01-13, 1 file, -0/+59]
  As was pointed out in #2921, the current approach of limiting the number of pids per process does
  not work on all Linux-based kernels.
  We could just treat fork, clone and clone3 in a special way (e.g. exit on a zero return). However,
  in that case we also need to sanitize the arguments for clone and clone3 - if CLONE_VM is passed and
  stack is 0, the forked child processes (threads) will become nearly unidentifiable and will corrupt
  syz-executor's memory. While we could sanitize clone's arguments, we cannot do so for clone3 -
  nothing can guarantee that they will not be changed concurrently.
  Instead of calling those syscalls directly, introduce a special pseudo syscall syz_clone3. It copies
  and sanitizes the arguments and then executes clone3 (or fork, if we're on an older kernel) in such
  a way so as to prevent fork bombs from happening.
  Also introduce syz_clone() to still be able to fuzz it on older systems.
* executor: remove custom sys_io_uring_setup definition  [Aleksandr Nogikh, 2022-01-13, 1 file, -7/+1]

* executor: remove sys_memfd_create defines  [Aleksandr Nogikh, 2022-01-13, 1 file, -19/+1]
  Add memfd_create as a dependency to syz_mount_image and syz_read_part_table.

* executor: move SYSCALL_DEFINES above common_*.h includes  [Aleksandr Nogikh, 2022-01-13, 1 file, -1/+4]
  Otherwise the pseudo syscalls there won't be able to access those definitions.
* sys/syz-sysgen: generate possibly missing __NR/SYS defines  [Aleksandr Nogikh, 2022-01-13, 1 file, -0/+1]
  As the compiling machine may have a kernel version different from the tested one, not all
  definitions might be present. Generate sequences of ifndef in defs.h to avoid potential issues.
  Restrict __NR-related style checking rules to only checking common*.h files.

* executor: don't print errno for successful calls  [Dmitry Vyukov, 2022-01-11, 1 file, -5/+7]
  Don't print the confusing errno 14 for successful calls.
* executor: bump on FreeBSD the maximum number of tun devices to 256 (#2956)  [Michael Tüxen, 2021-12-31, 1 file, -0/+5]
  syz-execprog now uses twice the number of CPU cores as the number of processes. Each process might
  use a tun device. So bump the maximum number of tun devices to the maximum of 256, which allows
  syz-execprog to run with default settings on systems with up to 128 cores.

* executor: support larger maximum number of tun devices on *BSD (#2953)  [Michael Tüxen, 2021-12-30, 1 file, -9/+17]

* executor: ignore async flag in the non-threaded mode  [Aleksandr Nogikh, 2021-12-13, 1 file, -3/+3]
  pkg/repro tries to clear the Threaded flag during repro simplification, so it's easier just to
  ignore the remaining async flags in that case - they won't be in the C repro either.
  Add a test to pkg/ipc to verify the new behavior.
* executor: do exitf instead of fail on kcov shortage  [Aleksandr Nogikh, 2021-12-10, 1 file, -2/+2]
  Set new kcov count limits: 6 for the default mode and 16 for the optimized mode (when the instances
  are mmapped as needed). Don't generate SYZFAIL when these limits are exhausted.
  Just increasing those limits won't help as syzkaller will anyway come up with programs that overcome them.
* all: add the `rerun` call property  [Aleksandr Nogikh, 2021-12-10, 1 file, -0/+9]
  To be able to collide specific syscalls more precisely, we need to repeat the process many times.
  Introduce the `rerun` call property, which instructs `syz-executor` to repeat the call the specified
  number of times.
  The intended use is:

    call1() (rerun: 100, async)
    call2() (rerun: 100)

  For now, assign rerun values randomly to consecutive pairs of calls, where the first one is async.

* all: replace collide mode by `async` call property  [Aleksandr Nogikh, 2021-12-10, 2 files, -110/+86]
  Replace the currently existing straightforward approach to race triggering (that was almost
  entirely implemented inside syz-executor) with a more flexible one.
  The `async` call property instructs syz-executor not to block until the call has completed
  execution and proceed immediately to the next call. The decision on what calls to mark with
  `async` is made by syz-fuzzer.
  Ultimately this should let us implement more intelligent race provoking strategies as well as make
  more fine-grained reproducers.

* executor: fix kcov mmaping in the non-optimized mode  [Aleksandr Nogikh, 2021-12-09, 1 file, -2/+0]
  As all opened kcov instances are mmapped, we don't need to check it one more time at all.
* all: adapt to how mmapping a kcov instance works in Linux  [Aleksandr Nogikh, 2021-12-09, 1 file, -4/+22]
  It turns out that the current Linux implementation of KCOV does not properly handle multiple mmap
  invocations on the same instance. The first one succeeds, but the subsequent ones do not actually
  mmap anything, yet returning no error at all.
  The ability to mmap that memory multiple times allows us to increase syz-executor performance and
  it would be a pity to completely lose it (especially given that mmapping kcov works fine on *BSD).
  In some time a patch will be prepared, but still we will have to support both versions at the same
  time - the buggy one and the correct one.
  Detect whether the bug is present by writing a value at the pointer returned by mmap. If it is
  present, disable dynamic kcov mmapping and pre-mmap 5 instances in the main() function - it should
  be enough for all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap them as needed.
* executor: spread overlapping fds  [Aleksandr Nogikh, 2021-12-06, 2 files, -4/+4]
  There's a chance that the methods from common_bsd.h and common_linux.h could dup2 (and thus close)
  an fd belonging to a kcov instance. Prevent this by adjusting fd consts.

* executor: set fixed fd for the extra coverage kcov instance  [Aleksandr Nogikh, 2021-12-06, 1 file, -0/+2]
  Currently it is dup2'd to 0, which is quite likely to be closed by the fuzzer. Dup2 it to a safer fd instead.

* executor: delay kcov mmap until it is needed  [Aleksandr Nogikh, 2021-12-03, 5 files, -56/+46]
  The previous strategy (delay kcov instance creation) seems not to work very well in carefully
  sandboxed environments. Let's see if the new approach is more versatile.
  Open a kcov handle for each thread at syz-executor's initialization, but don't mmap it right away.

* executor: reserve fds that will belong to kcov  [Aleksandr Nogikh, 2021-12-03, 5 files, -3/+36]
  As now kcov instances may get set up during fuzzing, performing dup2 in cover_open is no longer
  safe as it may close some important resource. Prevent that by reserving most of fds that belong to
  the kcov fds range.
  Unfortunately we must duplicate the code because of the way kcov implementations are organized.

* executor: allocate output region for individual programs  [Aleksandr Nogikh, 2021-12-03, 1 file, -18/+79]
  The amount of virtual memory affects the speed of forking/exiting. As in most cases we do it for
  each executed program, the difference may be substantial.
  We don't need 16MB of output data for each execution (in fact, experiments have shown that we never
  cross even 8MB on Linux). But reducing that cap in more than 2 times is a pretty bold decision, and
  perhaps it's better to just make the allocation process smarter.
  Mmap the output region depending on the exact amount of memory needed for a specific program. E.g.
  if comparisons are collected, the expected amount of output is maximal. If we only collect signals,
  the output is minimal.
  Mmap the minimally required region in the parent and then re-mmap it in the forked child if it
  turns out that a higher amount of memory is needed.

* executor: introduce threads without coverage  [Aleksandr Nogikh, 2021-12-03, 1 file, -6/+24]
  Experiments have shown that the amount of allocated memory has a very big impact on the
  syz-executor's performance (at least under Linux) - much bigger than was expected.
  One source of that extra virtual memory is kcov and, in fact, usually we don't need all 16 kcov
  handles we create. E.g. only 4 are enough for 99.5% progs that syzkaller executes. The biggest
  consumer of threads - the collide mode doesn't need kcov at all.
  Let kcov handle be an optional property of a thread, not a mandatory one. Allocate only 3 kcov
  instances initially (they'll be preserved over forks) and let the forked processes create other
  kcov instances if they happen to be needed.

* executor: changed initialization of VMCS fields  [Ayomide Erinfolami, 2021-12-01, 2 files, -4/+4]
  Initializing the VMCS fields Pin-based VM-execution controls and Primary processor-based
  VM-execution controls to 0 and setting their reserved bits using the appropriate MSRs increase
  coverage for arch/x86/kvm/vmx/nested.c from 19% to 43%.

* executor: add an ifdef SYZ_* style check  [Aleksandr Nogikh, 2021-11-30, 1 file, -0/+8]
  SYZ_* constants are always defined and one must not check them via ifdef. Add a check to prevent
  such problems during development (inspired by the discussion in #2882).

* executor: do not follow symlinks during umount  [Aleksandr Nogikh, 2021-10-29, 1 file, -4/+4]
  Add a UMOUNT_NOFOLLOW flag to umount2 in order to prevent remove_dir from unmounting what was not
  mounted by the executed program.

* all: add binderfs fuzzing support  [Aleksandr Nogikh, 2021-10-29, 1 file, -0/+38]
  Create one instance of binderfs per process and add descriptions to enable syzkaller to create
  binderfs mounts and binder devices itself.
  Keep descriptions compatible with the legacy mode (when devices are created at boot time).

* executor: don't mount some cgroup controllers during setup  [Dmitry Vyukov, 2021-10-13, 1 file, -3/+3]
  Leave some controllers unbound so that the fuzzer can mount them during fuzzing. This is suboptimal
  because all controllers are global (so different test processes will collide, state accumulate,
  etc), but this still should give at least some new coverage.

* executor: don't fail on cgroup mounting  [Dmitry Vyukov, 2021-10-13, 1 file, -2/+6]
  On stretch images setup_cgroups fails as:

  mount(/syzcgroup/net, net) failed: 22
  mount(/syzcgroup/net, net_cls) failed: 22
  mount(/syzcgroup/net, net_prio) failed: 22
  mount(/syzcgroup/net, blkio) failed: 22
  SYZFAIL: mount cgroup failed (/syzcgroup/net, devices,freezer): 16 (errno 16: Device or resource busy)

  It seems that systemd starts messing with these mounts somehow and repeated mounting fails with
  EBUSY. Don't hard fail on that error.

* executor: setup cgroups once  [Dmitry Vyukov, 2021-10-12, 4 files, -7/+8]
  Currently we setup cgroups on every test process start (along with sandbox creation). That's
  unnecessary because that's global per-machine setup. Move cgroup setup into setup section that's
  executed once per machine from pkg/host.Setup.

* executor: remove unused sysctl setup  [Dmitry Vyukov, 2021-10-12, 1 file, -1/+0]
  pkg/host.Setup never asks to setup "sysctl" feature explicitly, sysctl's are assumed to be setup
  whenever "syz-executor setup" is executed. Thus "sysctl" does not need to be present in the list of
  available things to setup.

* executor: enable cgroup controllers one-by-one  [Dmitry Vyukov, 2021-10-12, 1 file, -18/+49]
  Currently we enable all controllers at once. As the result if one of them fails (b/c of older kernel
  or not enabled configs), all will fail. Enable them one-by-one instead. This way we can support
  kernels that don't have all of the controllers.