| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
The include path in Zircon has changed; updated syz-extract/fuchsia.go
to include this, and re-ran extract to get updated *.const files.
|
| |
|
|
| |
Fix typos, non-canonical code, remove dead code, etc.
|
| |
|
|
|
|
|
| |
There is test failure on travis:
https://travis-ci.org/google/syzkaller/jobs/349948391
I can't reproduce it locally, and it only happened on 1.8, but not on 1.9?
But this seems to be what could have provoked such failure.
|
| |
|
|
| |
Also fix uffd and bluetooth consts while we are here.
|
| | |
|
| |
|
|
|
|
| |
We use errno, vaargs, printf in all of fail/error/exitf,
but we include the corresponding headers only when SYZ_USE_TMP_DIR.
Include them whenever fail/error/exitf are used.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.
Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
|
| | |
|
| |
|
|
|
|
|
| |
Handle most of type changes, e.g. const is changed to struct,
or struct to pointers. In all these cases we create default args.
They may not give the coverage anymore, but still better than
losing them right away.
|
| |
|
|
|
| |
Tolerate excessive args and fields during program parsing.
This is useful after description changes to not lose corpus.
|
| |
|
|
|
|
|
|
|
|
|
| |
1. Add size attribte on sockaddr.
2. Remove sockaddr's that are larger than 16 bytes from sockaddr.
3. Add size attribute on sockaddr_storage which wasn't actually 128 bytes.
4. Add size attribute to ifreq.
5. Fix ifmap field types as uncovered by the size attributes.
6. Fix sockaddr_storage_tcp from struct to union which is should be.
7. Make sockaddr_un_file fixed size as it should be.
8. Fix some explicit paddings that were only correct for 64 bits.
|
| |
|
|
| |
Sometimes filenames are embed into structs and need to take fixed space.
|
| | |
|
| |
|
|
| |
The size attribute allows to pad a struct up to the specified size.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Remove executor_pid, enable_tun and setup_tun.
|
| |
|
|
|
|
|
|
|
|
| |
We now always create net namespace for testing,
so socket ports and other IDs do not overlap between
different test processes.
Proc types play badly with squashing packets to ANYBLOB.
To squash into a block we need concrete value, but it depends
on process id.
Removing proc also makes tun setup and address descriptions simpler.
|
| |
|
|
|
|
| |
Currently it's 0x42424242 so it's not possible to understand
the value endianess in hints code.
Make it assymmetric so that endinaness is clear.
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently when executor creates fd's it gets: 0, 3, 4.
When tun is enabled: 3, 4, 5.
For C programs: 3, 4, 5.
When run is enabled: 4, 5, 6.
Theoretically it should not matter,
but these fd numbers are probably sometimes are used as data.
So make them consistent in all these cases (3, 4, 5).
|
| |
|
|
|
|
|
|
|
| |
We currently use -1 as default value for resources
when the actual value is not available.
-1 is good for fd's, but is not the right default
value for pointers/keys/etc.
Pass from prog and use in executor proper default
value for resources.
|
| |
|
|
|
|
| |
Squash complex structs into flat byte array and mutate this array
with generic blob mutations. This allows to mutate what we currently
consider as paddings and add/remove paddings from structs, etc.
|
| |
|
|
|
| |
Fix alignemnt calculation for packed structs with alignment and bitfields.
Amusingly this affected only a single real struct -- ipv6_fragment_ext_header.
|
| |
|
|
|
|
| |
IDs change whenever a call is added or removed,
this leads to large diffs unnecessarly.
Assign IDs dynamically.
|
| |
|
|
|
| |
If all union options can be syscall arguments,
allow the union itself as syscall argument.
|
| |
|
|
|
| |
Mostly remove vma as return from some mm syscalls.
This is unnecessary and we never used these.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
|
| |
|
|
| |
Older versions of linux require an additional header.
|
| | |
|
| |
|
|
|
| |
All netfilter subsystems use this unfortunately,
so demote this to a warning.
|
| |
|
|
|
|
|
| |
1. Fix connlimit netfilter match version.
2. Fix xt_time_info layout.
3. Introduce mac_addr_mask type.
4. Limit vlan id's for better matches between them.
|
| | |
|
| |
|
|
|
| |
We don't frequently debug it and it does some intensive computations
on coverage, so no reason to not compile with -O2.
|
| |
|
|
| |
debug calls are only properly stripped if they are on a single line.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Put the underflow entry at the end.
Entries must end on an unconditional, non-goto entry,
otherwise fallthrough from the last entry is invalid.
Add arp tables support.
Split unspec matches/targets to unspec and inet.
Reset ipv6 and arp tables in executor.
Fix number of counters in tables.
Plus a bunch of assorted fixes for matches/targets.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We currently print unsupported consts to console during make extract.
But this is not very useful as there are too many output now.
This also does not allow to understand what's unsupported
in newly checked-in descriptions, or what's unsupported in all current
decriptions.
Save unsupported consts to the const files instead.
This solves all of the above problems.
|
| |
|
|
|
| |
ipt_get_entries.entrytable must be pointer aligned,
so in 32-bit build there is no padding before it.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Unions with only 1 field are not actually unions,
and can always be replaced with the option type.
However, they are still useful when there will be
more options in future but currently only 1 is described.
Alternatives are:
- not using union (but then all existing programs will be
broken when union is finally introduced)
- adding a fake field (ugly and reduces fuzzer efficiency)
Allow unions with only 1 field.
|
| |
|
|
|
|
| |
Since we use int64, it has 8-byte alignment.
It's wrong, it must have 1-byte alignment.
Use int8 instead.
|
| | |
|
| |
|
|
|
|
|
| |
It's possible that a struct can have 2+ parents,
which is the same template (differs only by arguments).
See the new test case.
Support such case.
|
