| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
KVM was removed for arm architecture.
Latest Linux headers don't contain <asm/kvm.h> for arm.
So don't even include them.
|
| |
|
|
|
| |
kcov_remote_arg was changed to a portable format
so we don't need to handle differences between 64/32-bits anymore.
|
| |
|
|
|
| |
dashboard link: https://syzkaller.appspot.com/bug?extid=38fe37bc451a42e6c9a4
Reported-by: syzbot+38fe37bc451a42e6c9a4@syzkaller.appspotmail.com
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
| |
|
|
| |
gvisor coverage is not a trace, so producing edges won't work.
|
| |
|
|
|
|
| |
Filter out all comparisons in non-interesting code.
Comparisons are expensive, so it makes lots of sense,
these filtered out can't give us any new interesting signal.
|
| |
|
|
|
|
|
|
|
|
| |
Currently we capture only incoming edges into the interesting code
when code coverage filter is used.
Also capture outgoing edges.
For code without indirect calls this does not matter
as we always get the same edge. But for code with indirect
edges we can capture more interesting coverage, and presumably
different indirect calls are quite important.
|
| |
|
|
|
| |
Slightly reduce number of ifdef's, define coverage_filter only
in shmem mode and remove unnecessary cast.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Lately, I've been looking into why such low amount of syz reproducers on
OpenBSD are turned into C reproducers. One thing I did notice is that
such syz reproducers have one thing in common: they use the
threaded=true and sandbox=none parameters. Such C reproducer always
exits non-zero early on since the call to setsid() fails with EPERM.
Meaning, the calling process is already a process group leader.
Not sure if the preprocessor conditional should be tweaked in order to
avoid unwanted side effects on other BSDs or configurations.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Apply ignore_return to semctl$GETVAL which produces random errno
values on linux and freebsd.
2. Apply ignore_return to prctl and remove the custom code in executor.
3. Remove the custom errno ignoring code in fuchsia executor.
The calls are already marked as ignore_return, so this is just a leftover.
4. Only reset errno for ignore_return.
The syscall can still return a resource (maybe).
We only need to reset errno for fallback coverage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Faster gc (1 second) is intended to make tests more repeatable.
{"/proc/sys/kernel/keys/gc_delay", "1"},
Huge page overcommit is disabled by default, allowing some
overcommit is intended to give more coverage.
{"/proc/sys/vm/nr_overcommit_hugepages", "4"},
We always want to prefer killing the allocating test process
rather than somebody else (sshd or another random test process).
{"/proc/sys/vm/oom_kill_allocating_task", "1"},
|
| |
|
|
|
|
|
|
|
| |
Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentially lost along the way,
re-add it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder
for options (none implemented yet).
This adds instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement of
the Intel XED library for POWERPC (gapstone-capstone, later, may be).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
| |
write_file() is needed for setup_sysctl() and syz_usbip_server_init().
setup_sysctl() also misses some header includes.
|
| |
|
|
| |
Fixes #1989
|
| |
|
|
|
|
| |
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently we assume that sysctl's are setup as part of machine boot.
This introduces a non-trivial dependency on image creation
and sysctl's are not captured by as part of C reproducers
and are not captured by syzbot dashboard. This can make some
reproducers fail on developer machines or on syzbot later
when sysctl's change.
Setup sysctl's in executor as part of machine setup.
It makes it much more controllable and hermetic.
|
| |
|
|
| |
Process group leader is not allowed to call setsid, thus remove setpgrp.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes an error in printf() format for __u64:
gcc -o ./bin/linux_ppc64le/syz-executor executor/executor.cc \
-D__powerpc64__ -O2 -pthread -Wall -Werror -Wparentheses \
-Wunused-const-variable -Wframe-larger-than=16384
-static -DGOOS_linux=1 -DGOARCH_ppc64le=1 \
-DHOSTGOOS_linux=1 \
-DGIT_REVISION=\"82d2e60626ef1f43e557ca2933aee53bd5265eaf+\"
In file included from executor/test.h:5:0,
from executor/executor.cc:343:
executor/test_linux.h: In function ‘int test_one(int, const char*, int, \
int, unsigned int, bool)’:
executor/test_linux.h:74:60: error: format ‘%llx’ expects argument of type \
‘long long unsigned int’, but argument
2 has type ‘__u64 {aka long unsigned int}’ [-Werror=format=]
cpu_mem->fail_entry.hardware_entry_failure_reason);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
The arp netfilter entry contains u64,
but we used only void* to enforce alignment.
This worked everywhere except for arm,
which is 32-bits and has 8-byte alignment for u64.
Use u64 to enforce correct alignment.
Fixes #2188
|
| |
|
|
|
|
|
| |
The parent-death signal is set in sandbox_common, but then setresuid and
setresgid clear it and we need to set it again.
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
| |
This is required because we can only collect remote kcov coverage for
these injected frames.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Since ENOENT problem was solved by commit 318430cbb3b2ceef ("executor/linux:
change mount propagation type to private"), remove the debug code for this problem.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fail()'s are often used during the validation of kernel reactions to
queries that were issued by pseudo syscalls implementations. As fault
injection may cause the kernel not to succeed in handling these
queries (e.g. socket writes or reads may fail), this could ultimately
lead to unwanted "lost connection to test machine" crashes.
In order to avoid this and, on the other hand, to still have the
ability to signal a disastrous situation, the exit code of this
function now depends on the current context.
All fail() invocations during system call execution with enabled fault
injection lead to termination with zero exit code. In all other cases,
the exit code is kFailStatus.
This is achieved by introduction of a special thread-specific variable
`current_thread` that allows to access information about the thread in
which the current code is executing.
Also, this commit eliminates current_cover as it is no longer needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
|
| |
As netlink helpers now include a function to query generic netlink
familty id, it makes no sense to duplicate implementation of
essentially the same function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nonpositive error codes
The code in common_linux.h assumes that nlmsgerr can either be 0 or a
negative value in case of an error. However, this is not always the
case. For example, some commands of mac80211_hwsim use nonnegative
values to indicate success (e.g. HWSIM_CMD_NEW_RADIO returns either a
negative error or a nonnegative radio index). Therefore, negation of
error code inside netlink_send_ext is not correct.
This patch changes this behavior. Now netlink_send_ext returns the
exact value it received via netlink.
|
| |
|
|
|
|
|
| |
netlink_wireguard_id_get by a more generic function
These two functions are almost entirely idential. In order to avoid
adding similar functions later on, a generic one is created.
|
| |
|
|
|
|
|
| |
This global variable cannot be used for pseudo syscalls as they can
run concurrently (in threaded mode). It can only be used during
initialization, and if initialization routines are not enabled, nlmsg
will become an unused variable.
|
| |
|
|
|
|
|
| |
attributes (flags)
This is required for 802.11 pseudo syscalls (that will be added
later).
|
| |
|
|
|
| |
1024 bytes are not enough to contain an arbirary 802.11 MAC frame
together with netlink protocol overhead.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the issue with gcc 10 on Fedora 32 s390x:
In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors
compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
Sone syzbot instances broke with:
<stdin>: In function ‘syz_io_uring_setup’:
<stdin>:476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function)
<stdin>:476:33: note: each undeclared identifier is reported only once for each function it appears in
pkg/csource resolves #ifdef's at generation time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While investigating an OpenBSD reproducer[1][2] I discovered the
following:
* All threads are stuck on the last `sleep(1000000)` syscall in main(),
hence no output for the test machine.
* Each executor process created in loop() performs one iteration but
exits abnormally during the call to remove_dir().
* Calling remove_dir() will eventually invoke itself recursively since
one of the executed syscall is `mkdir("./file0", 0)` meaning that it
will try to remove the directory created by execute_one(). However,
`opendir(3)` fails with `EACCES` due to the permissions passed to
`mkdir(2)` is zero.
Instead of exiting, trying to remove the problematic directory in a best
effort manner makes the reproducer continue executing the generated
syscalls. This work around might be considered to narrow. Another option
would be to replace the `sleep(1000000)` with `waitpid(-1, NULL, 0)`
until ECHILD is hit.
[1] https://syzkaller.appspot.com/bug?id=6f7ce2a0536580a94f65f44e478732ec505e88af
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=10fd1a71900000
|
| |
|
|
|
|
| |
gvisor coverage is not in the range of linux kernel coverage.
So the coverage filter does not work. Detect if running under gvisor
and skip the coverage filter.
|
| |
|
|
| |
Ensure that we can handle hanging syscalls in all modes.
|
| |
|
|
|
|
| |
Add the following missing FUSE opcodes to the syz_fuse_handle_req
pseudo-syscall: FUSE_COPY_FILE_RANGE, FUSE_UNLINK, FUSE_DESTROY and
FUSE_BATCH_FORGET.
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWNS) might not be sufficient for making all test processes run in
separate mount namespace, for "mount --make-rshared /" request issued by systemd
causes mount operations issued by test processes visible from outside of test
processes. Issue "mount --make-rprivate /" request after unshare(CLONE_NEWNS).
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
old-env is based on Ubuntu 16.04 and allows to test
executor build on older distributions.
Fixes #2055
|
| |
|
|
|
|
|
| |
Locally define structures and constants required by
syz_fuse_handle_req() and remove linux/fuse.h. dependency.
Reported-by: syzbot+f5f98e1608b272285aa5@syzkaller.appspotmail.com
|
| |
|
|
|
|
|
|
|
|
| |
Refactor syz_mount_image() to support filesystems not requiring a
backing device and filesystem image (e.g. FUSE). To do that, we check for
the presence of the pointer to the array of struct fs_image_segment: if
missingi, there is no need to setup the loop device and we can proceed
directly with the mount() syscall.
Add syz_mount_image$fuse() (specialization for FUSE) inside
sys/linux/fs_fuse.txt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment syzkaller is able to respond to FUSE with a syntactically
correct response using the specific write$FUSE_*() syscalls, but most of
the times these responses are not related to the type of request that
was received.
With this pseudo-syscall we are able to provide the correct response
type while still allowing the fuzzer to fuzz its content. This is done
by requiring each type of response as an input parameter and then
choosing the correct one based on the request opcode.
Notice that the fuzzer is still free to mix write$FUSE_*() and
syz_fuse_handle_req() syscalls, so it is not losing any degree of
freedom.
syz_fuse_handle_req() retrieves the FUSE request and resource
fuse_unique internally (by performing a read() on the /dev/fuse file
descriptor provided as input). For this reason, a new template argument has
been added to fuse_out (renamed to _fuse_out) so that the unique field
can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique
resource (used by the write$FUSE_*() syscalls) without any code
duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"#if not" does not seem to be a thing in C:
$ cpp -undef -fdirectives-only -dDI -E -P -DSYZ_REPEAT -DSYZ_USE_TMP_DIR executor/common_linux.h 1>/dev/null
executor/common_linux.h:3776:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3776 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3801:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3801 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3837:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3837 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3868:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3868 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
Currently parts under "#if not SYZ_SANDBOX_ANDROID" are always stripped from
reproducers under all sandboxes. Use the standard !SYZ_SANDBOX_ANDROID.
We also need SYZ_EXECUTOR part because sandbox is not statically known
when we are building syz-executor.
And we also need to remove the use of flag_sandbox_android for C reproducers
because for these sandbox is statically known and we don't have flag_sandbox_*.
|
