path: root/executor
Commit message | Author | Age | Files | Lines
...
* executor: remove unneeded NONFAILING | Dmitry Vyukov | 2017-12-17 | 1 | -1/+1
    copyin is already NONFAILING.
* pkg/ipc: make threaded/collide per-program options | Dmitry Vyukov | 2017-12-17 | 1 | -10/+10
    Currently threaded/collide are global environment flags. It can be useful to turn off collider during some executions (minimization, triage, etc). Make them per-program options.
* prog: don't serialize output data args | Dmitry Vyukov | 2017-12-17 | 1 | -6/+8
    Fixes #188
    We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed.
* prog: introduce more readable format for data args | Dmitry Vyukov | 2017-12-17 | 1 | -4/+6
    Fixes #460
    File names, crypto algorithm names, etc in programs are completely unreadable:
    bind$alg(r0, &(0x7f0000408000)={0x26, "6861736800000000000000000000", 0x0, 0x0, "6d6435000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000 00000000000"}, 0x58)
    Introduce another format for printable strings. New args are denoted by '' ("" for old args). New format is enabled for printable chars, \x00 and \t, \r, \n. Example:
    `serialize(&(0x7f0000408000)={"6861736800000000000000000000", "4849000000"})`,
    vs:
    `serialize(&(0x7f0000408000)={'hash\x00', 'HI\x00'})`,
* prog: fix TestMutateTable | Dmitry Vyukov | 2017-12-17 | 1 | -4/+18
    Now works fast enough even for short mode. Fixes #208
* sys: move test syscalls to a separate target | Dmitry Vyukov | 2017-12-17 | 3 | -353/+167
    We have them in linux solely for historical reasons. Fixes #462
* executor: fix macros in common.h | Andrey Konovalov | 2017-12-14 | 1 | -3/+4
* sys/linux: describe PF_KEY | Dmitry Vyukov | 2017-12-11 | 1 | -10/+25
* prog: fix hints of data args | Dmitry Vyukov | 2017-12-08 | 1 | -10/+15
    Hints for data args don't work. We do all the work, but at the final stage we patch arg in the _old_ program, not in the _new_ one. So programs passed to the callback are all the same and don't contain any mutations. Tests did not catch this because they work right before that point (don't test the actual interface function MutateWithHints). Fix that and add a test that catches this.
* sys/linux: add a simple description for selinux | Dmitry Vyukov | 2017-12-08 | 1 | -10/+95
* executor: fix build | Dmitry Vyukov | 2017-12-06 | 2 | -6/+6
    exitf function was not defined with some combinations of options in csource. Fix defines and switch exitf back to fail; fail already checks ENOMEM/EAGAIN, so there is no reason to use exitf in this particular case.
* executor: unshare PID namespace even for sandbox=none | Dmitry Vyukov | 2017-12-05 | 1 | -5/+26
    Unshare as much as we can for all sandboxing modes. This fixes "kernel panic: Attempted to kill init!" crashes under sandbox=none. And should just generally improve reproducibility, e.g. if we unshare SYSVSEM fuzzer won't collide with any existing semaphores.
* executor: treat fail-nth errors as non-fatal | Dmitry Vyukov | 2017-12-05 | 1 | -4/+7
    We see occasional ENOENT/EACCES errors returned. It seems that fuzzer somehow gets its hands on it.
* prog: support bytesizeN for vma | Dmitry Vyukov | 2017-11-29 | 1 | -5/+5
    I guess this is currently unused, but ignoring bytesizeN for vma looks wrong. If user asks for bytesizeN for vma, divide vma size by N.
* prog: repair arrays/buffers with incorrect size in Deserialize | Dmitry Vyukov | 2017-11-28 | 1 | -10/+20
    For string[N] we successfully deserialize a string of any length. Similarly for a fixed-size array[T, N] we successfully deserialize an array of any size. Such programs later crash in foreachSubargOffset because static size Type.Size() does not match what we've calculated iterating over fields. The crash happens only in SerializeForExec in syz-fuzzer, which is especially bad. Fix this from both sides:
    1. Validate sizes of arrays/buffers in Validate.
    2. Repair incorrect sizes in Deserialize.
* pkg/compiler: add check that len does not refer to array with varlen elements | Dmitry Vyukov | 2017-11-28 | 3 | -7/+7
    This [almost] always means a bug in descriptions. Fix all bugs identified by the check.
* sys/linux: add binder descriptions | Dmitry Vyukov | 2017-11-27 | 1 | -15/+45
* sys/linux: assorted improvements to descriptions | Dmitry Vyukov | 2017-11-27 | 1 | -10/+45
* sys/linux: add files from net dir to list of /proc files | Dmitry Vyukov | 2017-11-27 | 1 | -5/+5
* sys/linux: fix control len in msghdr's | Dmitry Vyukov | 2017-11-27 | 1 | -5/+5
    Control len is in bytes, not array elements.
* sys/linux: improve hash generation for KEYCTL_DH_COMPUTE | Dmitry Vyukov | 2017-11-27 | 1 | -5/+5
    KEYCTL_DH_COMPUTE used the old fixed list of algorithm names. Use the new code for algorithm generation. + it needs only SHASH algs, but we passed in all alg names. Pass only SHASH algs.
* sys/linux: open files from /proc | Dmitry Vyukov | 2017-11-27 | 2 | -341/+373
* sys/linux: improve fuse descriptions | Dmitry Vyukov | 2017-11-27 | 1 | -65/+15
* executor: use /proc/thread-self/fail-nth instead of /proc/self/task/%d/fail-nth | Dmitry Vyukov | 2017-11-27 | 1 | -7/+6
    Makes code slightly simpler.
* sys/linux: improve AF_ALG alg name generation | Dmitry Vyukov | 2017-11-24 | 1 | -5/+5
    There is an effectively infinite number of possible crypto algorithm names due to templates. Plus there is a tricky relation between algorithms and algorithm type names. This change adds a custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
* sys/syz-extract: fix mmap on arm | Dmitry Vyukov | 2017-11-23 | 2 | -14/+5
    __NR_mmap is missing on arm entirely, so we disable mmap during generate. Patch mmap to mmap2 right in syz-extract, so that mmap is never missing.
* executor: fixup previous commit | Dmitry Vyukov | 2017-11-22 | 1 | -223/+223
* executor: move arm syscall fixup to syz-extract | Dmitry Vyukov | 2017-11-22 | 2 | -1643/+1616
* executor: Modified executor_linux.cc to support ARM32 architecture | Atul Prakash | 2017-11-22 | 1 | -2/+25
    executor: changed kOutputDataAddr so that it works on 32-bit kernels
    executor: simplified ifdefs for arm in executor_linux.cc
    executor: removed empty lines that were accidentally added.
* sys/linux: remove get_kernel_syms, add quotactl syscall | Dmitry Vyukov | 2017-11-20 | 1 | -10/+12
    get_kernel_syms does not seem to be present upstream. Describe an old quotactl syscall. Also fix umount/umount2 names in kallsyms.
* executor: proceed even if /dev/net/tun is not available | Andrey Konovalov | 2017-11-08 | 1 | -2/+12
    For some racy bugs syzkaller can generate a C reproducer with tun enabled, when it's not actually required to trigger the bug. Some kernel developers (that don't have CONFIG_TUN=y on their setups) complain about such C repros. When tun is not available, instead of exiting, print a message that tun initialization failed and proceed.
* sys/freebsd: add POLLINIGNEOF | Tobias Klauser | 2017-11-08 | 1 | -1/+1
* sys/linux: add definition for LOOP_SET_BLOCK_SIZE | Eric Biggers | 2017-11-07 | 1 | -10/+15
    The v4.14 kernel will support a new loop ioctl, LOOP_SET_BLOCK_SIZE.
* sys/linux: fix wrong ioctl numbers in loop device definitions | Eric Biggers | 2017-11-07 | 1 | -5/+5
    Fix a couple apparent copy-and-paste errors:
    - ioctl$LOOP_CHANGE_FD should use LOOP_CHANGE_FD
    - ioctl$LOOP_CTL_REMOVE should use LOOP_CTL_REMOVE
* sys/linux: add definition for keyctl_restrict_keyring() | Eric Biggers | 2017-11-03 | 1 | -10/+15
    Add a definition for keyctl_restrict_keyring(), which was added in the v4.12 kernel.
* sys/linux: add definition for keyctl_dh_compute() | Eric Biggers | 2017-11-03 | 1 | -10/+15
    Add a definition for keyctl_dh_compute(), which was added in the v4.7 kernel, then in the v4.12 kernel extended to take in an optional 'keyctl_kdf_params' argument. (Requires CONFIG_KEY_DH_OPERATIONS=y.)
* sys/linux: use resource subtypes for "user" and "keyring" keys | Eric Biggers | 2017-11-03 | 1 | -10/+20
    Many functions in the keys API take in an ID parameter that is expected to refer to a keyring, not to any key. Therefore, define a resource subtype 'keyring' which can be created by add_key("keyring", ...) or by using one of the special keyring IDs. Also define a resource subtype 'user_key', since we'll be adding a definition for KEYCTL_DH_COMPUTE which takes in a struct containing "user" key IDs.
* sys/linux: define all the key types | Eric Biggers | 2017-11-03 | 1 | -5/+5
    Add to key.txt all key types that currently might be present in the kernel. It was missing a few important ones such as "asymmetric", which has a significant attack surface since the payloads are run through an ASN.1 decoder.
* Changing the types of members of struct stat | Utkarsh Anand | 2017-10-30 | 1 | -1/+1
    As defined in the header files.
* Added a few more syscall descriptions, consts | Utkarsh Anand | 2017-10-30 | 1 | -2/+139
    and other related files.
* Add two new syscalls `shmctl` and `msgctl` | Utkarsh Anand | 2017-10-30 | 1 | -2/+10
* Fix the SYS_SEMCTL value issue for NetBSD | Utkarsh Anand | 2017-10-30 | 1 | -11/+11
* sys/netbsd: fix mmap signature | Dmitry Vyukov | 2017-10-25 | 1 | -1/+1
    mmap syscall has 7 arguments (one unused padding).
* executor: small fixes for netbsd | Dmitry Vyukov | 2017-10-25 | 1 | -1/+5
    RLIMIT_AS causes frequent random aborts on netbsd. Reason unknown. Disable it for now.
    Documentation says that __syscall should be used for syscalls with 64-bit arguments. On amd64 most syscalls have 64-bit arguments (incl mmap), so switch to it.
* executor: fix netbsd syscalls | Dmitry Vyukov | 2017-10-25 | 2 | -1/+9
    executor_netbsd.cc was including syscalls_freebsd.h, which completely messed up syscall numbers and names. Include the right syscalls header.
* Lots of changes to sys/netbsd (#397) | Utkarsh Anand | 2017-10-25 | 1 | -0/+54
    * Lots of changes to sys/netbsd:
      - Removed a few syscalls that did not have proper constants defined.
      - Autogenerated *.const files.
      - Removed a few types like uid and gid, that were not available.
      - Ran make generate
    * Few changes for NetBSD support:
      - Added sys/netbsd/init.go
      - Added netbsd to sys/sys.go
    * Fix order in sys/sys.go
    * Update documentation for NetBSD
* executor: fix mkdtemp return value check | Dmitry Vyukov | 2017-10-25 | 1 | -1/+1
    mkdtemp returns NULL on failure.
* all: basic building on netbsd | Dmitry Vyukov | 2017-10-23 | 3 | -173/+176
    This just makes make TARGETOS=netbsd succeed. We don't yet have prog target for netbsd.
* executor: prevent executor from messing with output region | Dmitry Vyukov | 2017-10-23 | 6 | -19/+78
    When comparisons are enabled fuzzer somehow manages to discover the output region and corrupt it. It seems to fetch the address from some memory operations (mmap/munmap). Don't leak the output region address.
* executor: fix build breakages due to doexit | Dmitry Vyukov | 2017-10-19 | 6 | -9/+46
    Some standard libraries contain "using ::exit;", which breaks with the current redefinition of exit.