aboutsummaryrefslogtreecommitdiffstats
path: root/executor
Commit message (Collapse)AuthorAgeFilesLines
* sys: use consistent icmp socket syscall namesAndrey Konovalov2017-06-141-36/+30
|
* executor: handle EACCES errno when opening /dev/kvm in testDmitry Vyukov2017-06-141-1/+1
|
* executor: fix compiler warnings in testDmitry Vyukov2017-06-141-21/+24
|
* executor: fix csum testDmitry Vyukov2017-06-141-1/+1
|
* makefile: list generated packagesAndrey Konovalov2017-06-141-1/+1
|
* executor: fix clang-tidy warningsDmitry Vyukov2017-06-132-18/+18
| | | | | A single check is enabled for now (misc-definitions-in-headers). But it's always fixable and found 2 bugs in csource.
* sys: check in generated filesDmitry Vyukov2017-06-131-0/+4542
| | | | | | | | | | | | | | | | | | We used to have all generated files checked in. Later we removed them (now users are supposed to run make to generate them). This causes several problems: - go get does not work as it tries to build everything straight away (go get -d works, but users are confused) - users don't run make and complain that build is broken - users don't re-run make after updates and complain that build is broken - hard to integrate into other build system (even if they support building Go, they don't support running sysgen out-of-the-box) Fixes #216
* Merge pull request #223 from xairy/up-makedev-fixAndrey Konovalov2017-06-131-0/+1
|\ | | | | executor: add sys/sysmacros.h include for makedev in newer gcc
| * executor: add sys/sysmacros.h include for makedev in newer gccAndrey Konovalov2017-06-131-0/+1
| |
* | executor: reformatDmitry Vyukov2017-06-131-1/+1
|/
* csource: don't use guard macros for debug() and NONFAILING()Andrey Konovalov2017-06-122-109/+69
|
* repro: always minimize over EnableTunAndrey Konovalov2017-06-121-1/+1
|
* csource: generate includes when necessaryAndrey Konovalov2017-06-121-25/+102
|
* csource: don't generate execute_syscall callsAndrey Konovalov2017-06-121-0/+2
|
* csource: use tmp dir in repeat loop when tmpdir flag is onAndrey Konovalov2017-06-121-1/+9
|
* csource: only emit fail(), exitf() and doexit() when necessaryAndrey Konovalov2017-06-121-1/+15
|
* csourse: don't generate debug printfsAndrey Konovalov2017-06-121-2/+32
|
* csource: try to simplify repeat loopAndrey Konovalov2017-06-121-3/+10
|
* csource: use sandbox only when requiredAndrey Konovalov2017-06-121-0/+2
|
* csource: emit bitmasks only when requiredAndrey Konovalov2017-06-121-14/+16
|
* csource: force enable tun flag when requiredAndrey Konovalov2017-06-121-10/+2
|
* csource: only handle SIGSEGV when necessaryAndrey Konovalov2017-06-122-9/+29
|
* executor: don't define SYZ_ENABLE_TUN in executorAndrey Konovalov2017-06-122-17/+16
|
* csource: use tmp dir only when necessaryAndrey Konovalov2017-06-121-0/+2
|
* executor: split setup_main_process into smaller functionsAndrey Konovalov2017-06-122-23/+23
|
* csource: add EnableTun optionAndrey Konovalov2017-06-122-31/+36
|
* executor: call flush_tun for repeat reprosAndrey Konovalov2017-06-121-7/+12
|
* executor: move inet checksum code under ifdefAndrey Konovalov2017-06-121-30/+32
|
* executor: limit stack frame sizeDmitry Vyukov2017-05-311-1/+3
| | | | | | | | | Stack usage warning currently breaks our internal build (with 16K frame limit). Executor uses stacks of limited size, that's another reason to not allow frames of arbitrary size. Limit stack frame size to 8K. Reduce tun packet size. We don't need to read out whole packet.
* all: cleanup executor/ipc status checkingMichael Pratt2017-05-301-1/+2
| | | | | | | | | | This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed.
* csource: reproduce crashes with fault injectionDmitry Vyukov2017-05-262-15/+27
|
* all: add fault injection capabilityDmitry Vyukov2017-05-261-7/+48
| | | | | | | Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next).
* sys, executor: extract tcp sequence numbers from /dev/net/tunAndrey Konovalov2017-05-262-11/+146
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::20001 :::* LISTEN 5527/a.out tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
* executor: increase syscall timeout in debug modeDmitry Vyukov2017-05-231-1/+2
| | | | | Debug output takes time, so 20ms is not enough for almost any syscall. Give a syscall 500ms in debug before considering it blocked.
* executor: mount /proc in namespaceDmitry Vyukov2017-05-231-0/+9
| | | | | | /proc is useful for fault injection and there is probably some interesting stuff to fuzz as well.
* prog, executor: move checksum computation to executorAndrey Konovalov2017-05-125-9/+277
| | | | | This commit moves checksum computation to executor. This will allow to embed dynamically generated values (like TCP sequence numbers) into packets.
* executor: rename test_kvm.cc to test_executor.ccAndrey Konovalov2017-05-101-0/+0
|
* executor: bump per-call timeoutDmitry Vyukov2017-04-251-1/+1
| | | | | | | | | | We've started seeing lots of vmalloc failures with the 200ms timeout. Turns out vmalloc has a check for fatal signals pending, so we were killing the process which caused vmalloc to fail. If vmalloc can take 200+ms, then we need to dump the timeout as it's not blocking that we want to catch. Bump the timeout to 500ms.
* vm: add Odroid supportAndrey Konovalov2017-03-101-1/+1
| | | | | | | | | | | This commit adds Odroid C2 support to syzkaller. It's now possible to specify "type": "odroid" in manager config. Documentation on how to setup fuzzing with Odroid C2 board is here: https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2 Note, that after this change libusb-1.0-0-dev package should be installed to build syzkaller.
* executor: fix ppc64le buildDmitry Vyukov2017-03-021-0/+5
|
* executor: support wrapping executor with an external sandbox processDmitry Vyukov2017-02-271-0/+10
| | | | | | | | If an external sandbox process wraps executor, the out pipe will be closed before the sandbox process exits this will make ipc package kill the sandbox. As the result sandbox process will exit with exit status 9 instead of the executor exit status (notably kRetryStatus). Consequently, ipc will treat it as hard failure rather than a temporal failure. So we duplicate the exit status on the pipe.
* executor: treat KCOV_ENABLE failure as transientDmitry Vyukov2017-02-151-2/+6
| | | | It fails with various errors (9, 14, 25), probably fuzzer messes with the fd.
* executor: treat EAGAIN as transient failure as ENOMEMDmitry Vyukov2017-02-151-2/+2
|
* executor: increase kMaxCommands and add checksAndrey Konovalov2017-02-081-1/+5
|
* executor: better protect output region from corruptionsDmitry Vyukov2017-02-061-9/+18
| | | | | Fuzzer invented another tricky way to corrupt the region. Map it at a hard to guess address.
* executor: fix undefined setup_tun() function error in c reprosAndrey Konovalov2017-02-011-2/+6
|
* csource: regenerate and reformatDmitry Vyukov2017-02-011-1/+1
|
* executor: fix tun initialization when sandbox != noneAndrey Konovalov2017-01-312-18/+32
|
* sys: improve kvm descriptionDmitry Vyukov2017-01-284-67/+120
| | | | | | Allow fuzzer to change types of segment descriptors. Alter more flags. Allow fuzzer to do a random vmwrite.
* all: implement edge coverageDmitry Vyukov2017-01-271-47/+122
| | | | | | | | | | | Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces corpus ~6-7x (from ~35K to ~5K), this has profound effect on fuzzing efficiency.
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-12 04:43:33 +0000