| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
Fuzzer invented another tricky way to corrupt the region.
Map it at a hard to guess address.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Allow fuzzer to change types of segment descriptors.
Alter more flags.
Allow fuzzer to do a random vmwrite.
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently syzkaller uses per-call basic block (BB) coverage.
This change implements edge (not-per-call) coverage.
Edge coverage is more detailed than BB coverage as it captures
not-taken branches, looping, etc. So it provides better feedback signal.
This coverage is now called "signal" throughout the code.
BB code coverage is also collected as it is required for visualisation.
Not doing per-call coverage reduces corpus ~6-7x (from ~35K to ~5K),
this has profound effect on fuzzing efficiency.
|
| |
|
|
| |
SMM is now supported for real code instead of prot16.
|
| |
|
|
|
|
|
|
|
| |
Using `adb shell syz-executor reboot` to reboot devices has stopped
working with the recent Android update, probably due to the intro
of seccomp. I have reverted the device reboot logic to use `adb
shell reboot` although it can be flaky at times so that we can
continue to fuzz on devices, until a more reliable solution can be
sought out.
|
| |
|
|
|
|
|
|
|
|
|
| |
Fuzzer has figured out how to corrupt input/output shmem regions
abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative
text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as readable only, we don't write to it.
3. Add address sanity check to segv_handler, if we see that we are writing
into executable data, it's better to crash instantly.
|
| | |
|
| |
|
|
|
| |
Syscalls frequently block and this affects fuzzing speed.
20ms should be more than enough for a normal syscall to finish.
|
| | |
|
| |
|
|
|
|
| |
Currently non-bitfield values are copied incorrectly.
Probably all turned into zeros or something.
Fix that. Add test.
|
| |
|
|
|
|
| |
Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.
This fixes #72.
|
| |
|
|
|
|
|
| |
1. Basic support for arm64 kvm testing.
2. Fix compiler warnings in x86 kvm code.
3. Test all pseudo syz calls in csource.
4. Fix handling of real code in x86.
|
| |
|
|
|
|
| |
Add new pseudo syscall syz_kvm_setup_cpu that setups VCPU into
interesting states for execution. KVM is too difficult to setup otherwise.
Lots of improvements possible, but this is a starting point.
|
| |
|
|
| |
The source is fuzzer provided memory, it can be non-addressable.
|
| |
|
|
|
|
| |
Check for compiler warnings during compilation.
Don't require -std=c99.
Fix existing compiler warnings.
|
| |
|
|
| |
On some KVM syscalls soverage reaches 36K+ PCs.
|
| | |
|
| |
|
|
| |
See the added comment for explanation.
|
| |
|
|
|
| |
Otherwise it does not compile as C.
Also regenerate csource/common.go (it misses the MAX_PIDS change).
|
| |
|
|
|
| |
IP addresses like 192.168.0.1/192.168.1.1 are often used for routing between VM and the host.
Offset our IP addresses to start from 192.168.218.0 to reduce potential conflicts.
|
| |
|
|
|
|
| |
waitpid(pid) does not work if child invokes ptrace(PTRACE_TRACEME):
https://groups.google.com/forum/#!topic/syzkaller/SjWzOnNRRIU
Use waitpid(-1) instead.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Need to chmod(0777) the work dir before we do setuid(nobody).
Otherwise nobody user won't have rights to use the temp dir.
|
| | |
|
| |
|
|
|
|
|
|
| |
Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.
|
| |
|
|
|
|
|
|
|
|
| |
Add sys/test.txt file with description of syscalls for tests.
These descriptions can be used to ensure that we can parse everything we clain we can parse.
Use these descriptions to write several tests for exec serialization
(one test shows that alignment handling is currently incorrect).
These test descriptions can also be used to write e.g. mutation tests.
Update #78
|
| |
|
|
|
|
|
|
| |
They were necessary when they were the source of constant values
extracted from kernel code (hard to do). Now constants are checked-in
separately, and these large files can be easily regenerated with 'make generate'.
Now they are only a source of large uninteresting diffs in commits.
Remove them.
|
| |
|
|
| |
Update #59
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This splits generation process into two phases:
1. Extract values of constants from linux kernel sources.
2. Generate Go code.
Constant values are checked in.
The advantage is that the second phase is now completely independent
from linux source files, kernel version, presence of headers for
particular drivers, etc. This allows to change what Go code we generate
any time without access to all kernel headers (which in future won't be
limited to only upstream headers).
Constant extraction process does require proper kernel sources,
but this can be done only once by the person who added the driver
and has access to the required sources. Then the constant values
are checked in for others to use.
Consant extraction process is per-file/per-arch. That is,
if I am adding a driver that is not present upstream and that
works only on a single arch, I will check in constants only for
that driver and for that arch.
|
| |
|
|
|
|
|
| |
Ignore SIGSEGV/SIGBUS during copyin/copyout of arguments.
The memory may not be addressable. The ignoring allows to
pass partially-addressable input data to kernel.
It's unclear if it's a good idea or not yet.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new namespace-based sanboxing is good,
but it's not always what one wants
(and also requires special kernel configs).
Change dropprivs config value to sandbox,
which can have different values (currently: none, setuid, namespace).
Setuid mode uses setuid(nobody) before fuzzing as before.
In future we can add more sandboxing modes or, say,
extend -sandbox=setuid to -sandbox=setuid:johndoe
to impersonolate into given user.
|
| |
|
|
|
| |
This is not fully working now: e.g. prog and sys packages assume
that pointer size is 8. But at least it compiles and works.
|
| |
|
|
|
|
|
| |
There is a number of known, low-frequency reasons for failures in remove_dir.
Make the failures non-fatal.
Fixes #45
|
| | |
|
| | |
|
| |
|
|
| |
This is a common source of false positives.
|
| |
|
|
| |
This lead to lots of false positives.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Namespace-based sandbox can take some time to setup.
In particular, lots of parallel executors block on net
namespace creation.
|
| | |
|
| | |
|
