mount() in gVisor returns EFAULT if source is NULL. It is a gVisor issue
and we will fix it. Let's explicitly set a string source for the proc
mount to unblock gVisor jobs. The source string will additionally be
useful for troubleshooting mount-related problems in the future, because
it is shown in /proc/pid/mountinfo.
Signed-off-by: Andrei Vagin <avagin@google.com>
Android sets fs.mount-max to 100, making it impossible to create new chroots.
Relax the limit, setting it to a value used on desktops.
Tracking bug: https://github.com/google/syzkaller/issues/4972
Signal rotation is intended to make the fuzzer re-discover flaky coverage
in a non-flaky way. However, taking into account that we get effectively
the same effect after each manager restart, and that the fuzzer is overloaded
with triage/smash jobs, it does not look to be worth it.
To prevent the executor from accidentally making the whole root file system
immutable (which breaks fuzzing), modify sandbox=none to create a tmpfs mount
and chroot into it before executing programs in a process.
According to `syz-manager -mode=smoke-test`, the number of enabled syscalls on
x86 doesn't change with this patch.
Fixes #4939, #2933, #971.
We see some errors of the form:
SYZFAIL: coverage filter is full
pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
Executor shouldn't send non-kernel addresses in signal,
but somehow it does. It can happen if the VM memory is corrupted,
or if the test program does something very nasty (e.g. discovers
the output region and writes to it).
It's not possible to reliably filter signal in the tested VM.
Move all of the filtering logic to the host.
Fixes #4942
SIGBUS means OOM on Linux.
Most of the crashes that happen during fuzzing are SIGBUS,
so separate them from SIGSEGV and suppress.
Flatbuffers represents each scalar in little-endian format
(https://flatbuffers.dev/flatbuffers_internals.html). Therefore,
the size of the received root table must be converted to the host endianness
format before its first usage.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
Fixes: e16e2c9a4cb6 ("executor: add runner mode")
It's a more general name that says what happened
rather than a detail of what executor should do.
We can use this notification for other things as well.
This allows enabling the test executor with coverage.
Currently we always write PCs into the buffer even if tracing comparisons.
Such bogus data will fail comparison consistency checks (type/pc)
and the executor will crash. Don't trace PCs as comparisons.
There is a quirk related to posix_spawn_file_actions_adddup2:
it just executes the specified dups in order in the child process.
In our case we do dups as follows:
20 -> 4 (output region)
4 -> 5 (max signal)
So we dup the output region onto 4 first, and then dup the same output region
(fd 4 becomes the output region) onto 5 (max signal).
So we have output region as both output region and max signal.
Fail some features in various ways for test OS,
and check that features are detected properly.
Coverage setup fails with exitf if not supported.
Currently we consider it a transient error that needs to be retried.
As a result we reach 20 attempts and crash the VM.
Return an error in such a case instead.
Somehow it's very slow in syzbot arm64 image.
This speeds up pkg/runtest tests a hundred times.
Otherwise we may leave orphaned executor process children, which prevent
the cleanup of the executor directory.
Closes #4920.
FreeBSD says:
executor/conn.h:100:3: error: unknown type name 'sockaddr_in'; did you mean 'sockaddr'?
sockaddr_in saddr4 = {};
OpenBSD says:
executor/executor_runner.h:750:51: error: no member named 'uc_mcontext' in 'sigcontext'
auto& mctx = static_cast<ucontext_t*>(ucontext)->uc_mcontext;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
Otherwise, it fails with "SYZFAIL: failed to parse manager port".
OpenBSD has neither fallocate nor posix_fallocate.
We include a number of C++ headers in the runner.
On FreeBSD some of them mention malloc, and our defines break the build.
Use the style test to check only our files for these things.
This reverts commit 215eef4ad85fb6124af70d1e5c9729b69554a32b.
The gvisor "stdin" address still crashes in executor
Connection::Connect on atoi(ports) with ports == NULL.
The gvisor "stdin" address is not tested, so it's better to make it less
special rather than add more special cases in manager, executor,
and now also in Connection to handle it.
It still may crash in the future after some changes.
My gcc-10 in the testing VM complains during reproducer [0] build with
the following error:
rep.c: In function ‘remove_dir’:
rep.c:662:3: error: a label can only be part of a statement and a declaration is not a statement
662 | const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
| ^~~~~
A label followed by a declaration is a C23 extension, so only new compilers
support it.
Fix it by moving the declaration above the `retry` label and putting the unused attribute
on it to suppress a possible warning.
[0] https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
It is returned from vm/gvisor.
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
The address ranges in is_kernel_data/pc are only true for normal Linux.
There were some cases where the return value was not checked, allowing
errors to propagate. This fixes them to return early with a message.
executor/executor.cc: In function ‘uint64 read_input(uint8**, bool)’:
executor/executor.cc:1487:59: error: format ‘%zu’ expects argument of type
‘size_t’, but argument 3 has type ‘int’
[-Werror=format=]
executor/executor.cc:1495:67: error: format ‘%zu’ expects argument of type
‘size_t’, but argument 3 has type ‘int’
[-Werror=format=]
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
KCOV stores the number of KCOV comparisons in a coverage buffer always
as a 64-bit integer at offset 0 of the coverage buffer. Don't use
the field size of the coverage object which is initialized
in cover_collect() and the size of which depends on kernel bitness because
this field is intended only for KCOV PC coverage and not for
KCOV comparisons.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
strconst["foo"] was replaced by ptr[in, string["foo"]].
We ignore comparisons of kernel data/physical addresses b/c these
are not coming from user space. Ignore kernel text addresses
for the same reason.
Factor out is_kernel_pc helper and add kernel pc range for test OS for testing.
To receive data, executor relies on changes propagating to its copy of
the shared memory buffer. This is only guaranteed with MAP_SHARED,
whereas behavior is "unspecified" for MAP_PRIVATE (but happened to work
on most implementations).
Currently we sleep only for 1 ms, which may produce some excessive CPU load
(we usually have 6/8 such processes waiting).
Make it sleep for 10 ms, but also make the sleep return immediately on child exit.
This should both improve latency and reduce CPU load.
Close_range is faster.
All OSes we have now support shmem.
Support for Fuchsia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
Asan build with shared memory mode has been broken for a long time
since the address for output region is incompatible with asan
(asan doesn't have shadow for these addresses).
We did not notice it b/c we only tested no shared memory mode
in short test mode used on CI.
Don't use fixed mmap address under asan.
Fix 2 bugs:
1. We remove low 12 bits of every PC on amd64 b/c use_cover_edges returns true.
This results in extremely low signal (gvisor PCs are dense integers).
2. We hash prev/next PC on arm64 which does not make sense
since gvisor coverage is not a trace. This results in falsely large signal.
Return failure reason from setup functions rather than crash.
This will provide better error messages, but also allow setup
w/o creating subprocesses which will be needed when we combine
fuzzer and executor.
Also close all resources created during setup.
This is also useful for in-process setup, but also should improve
chances of reproducing a bug with C reproducer. Currently leaked
file descriptors may disturb repro execution (e.g. it may act
on a wrong fd).
Manager was switched to 64-bit PCs, but executor still expected
4-byte PC start in the header.
Fix it and switch size to uint64 for simplicity as well.
Update the descriptions to mark calls that cause remote coverage
collection.
Remove some hacky code from the executor.
On a 64-bit machine, when CONFIG_RANDOMIZE_BASE is enabled,
even bits [32:64] change across reboots.
Also, the core kernel and modules can have different [31:64] bits.
We need to add 64-bit pc support and this is to always
send a 64-bit pc and sig to syz-fuzzer.
Sending a 64-bit pc and sig is compatible with a 32-bit OS.
It seems to be redundant and moreover it lets us
compile on musl which does not provide this system
header.
Enable it unconditionally.
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks that the executor does not fail.
The executor can also return a special "this feature does not need custom setup" result;
this allows not calling setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with the wifi feature enabled;
if setup of the feature fails, the executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines the results of these 2 checks into the final result.
syz-execprog now also uses the vminfo package and mimics the same checking procedure.
Update #1541