path: root/executor
Entries: commit message (author, date; files changed, lines removed/added)
...
* executor: split a too long line (Dmitry Vyukov, 2017-08-24; 1 file, -1/+3)
* all: support i386 arch (Dmitry Vyukov, 2017-08-19; 2 files, -6/+1537)
  Update #191
* sys: support arm arch (Dmitry Vyukov, 2017-08-19; 1 file, -0/+1521)
  Not tested, but const extraction and build works. Update #324 Update #191
* sys: describe clone/execve calls (Dmitry Vyukov, 2017-08-12; 1 file, -0/+9)
  Update #211 Update #310
* sys: describe chroot/getcwd/chdir/fchdir (Dmitry Vyukov, 2017-08-12; 1 file, -0/+12)
  Update #211
* executor: sandbox with RLIMIT_MEMLOCK (Dmitry Vyukov, 2017-08-08; 1 file, -0/+2)
  Locking memory is a reasonably legitimate local DoS vector. E.g. bpf maps allow allocation of large chunks of kernel memory without RLIMIT_MEMLOCK, which leads to hangups. Set RLIMIT_MEMLOCK=8MB in executor.
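  As an added illustration (this is not syzkaller's executor code; the helper names, the clamping logic and the probe are this example's own, only the 8MB figure is taken from the commit message), here is how a process that is about to run untrusted syscalls can pin RLIMIT_MEMLOCK before doing so, and what the limit does and does not cover:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Illustrative constant: the 8MB the commit message picks. */
#define SYZ_MEMLOCK_LIMIT (8UL << 20)

/* Pin RLIMIT_MEMLOCK (soft and hard) to `bytes`. A hard limit can only be raised with
 * CAP_SYS_RESOURCE, so an unprivileged caller clamps to the current hard limit rather
 * than failing with EPERM; the limit can then never be raised back by the sandboxed code. */
int sandbox_memlock(unsigned long bytes)
{
	struct rlimit rl;
	if (getrlimit(RLIMIT_MEMLOCK, &rl))
		return -errno;
	if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < bytes)
		bytes = rl.rlim_max;
	rl.rlim_cur = bytes;
	rl.rlim_max = bytes;
	if (setrlimit(RLIMIT_MEMLOCK, &rl))
		return -errno;
	return 0;
}

unsigned long current_memlock_soft_limit(void)
{
	struct rlimit rl;
	if (getrlimit(RLIMIT_MEMLOCK, &rl))
		return (unsigned long)-1;
	return rl.rlim_cur;
}

/* Map and try to lock `bytes` of anonymous memory; returns the errno the kernel gave (0 = allowed).
 * Unprivileged callers over the limit get ENOMEM (EPERM if the limit is 0); a caller holding
 * CAP_IPC_LOCK is not bounded by RLIMIT_MEMLOCK at all, so the limit is no defence against root. */
int probe_mlock(unsigned long bytes)
{
	void* p = mmap(NULL, bytes, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED)
		return errno;
	int rc = mlock(p, bytes) ? errno : 0;
	if (rc == 0)
		munlock(p, bytes);
	munmap(p, bytes);
	return rc;
}

int main(void)
{
	int rc = sandbox_memlock(SYZ_MEMLOCK_LIMIT);
	if (rc) {
		fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK): %s\n", strerror(-rc));
		return 1;
	}
	unsigned long lim = current_memlock_soft_limit();
	printf("RLIMIT_MEMLOCK is now %lu bytes\n", lim);
	printf("mlock(%lu bytes): %s\n", lim + (1UL << 20), strerror(probe_mlock(lim + (1UL << 20))));
	/* Sandboxed code cannot undo this: raising the hard limit fails without CAP_SYS_RESOURCE. */
	struct rlimit raise = {SYZ_MEMLOCK_LIMIT * 2, SYZ_MEMLOCK_LIMIT * 2};
	printf("raising the hard limit again: %s\n", setrlimit(RLIMIT_MEMLOCK, &raise) ? strerror(errno) : "allowed (privileged)");
	return 0;
}
```

  Two caveats worth keeping in mind when relying on this: the limit is per-process (inherited across fork/exec), so it has to be set before the untrusted code runs, and on the kernels of that era BPF map memory was charged against RLIMIT_MEMLOCK, which is why the commit message mentions bpf maps; since Linux 5.11 BPF memory is accounted to the memory cgroup instead, so on current kernels this rlimit no longer bounds BPF maps and a memcg limit is needed for that.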
* prog: fix encoding for exec of result args (Andrey Konovalov, 2017-08-01; 1 file, -0/+6)
  ResultArg might have const value. Also add a test.
* prog: return error instead of panic when parsing (Andrey Konovalov, 2017-07-24; 1 file, -0/+3)
* pkg/csource: make all usleeps random (Andrey Konovalov, 2017-07-24; 1 file, -2/+0)
  We can't know the exact values of those sleeps in advance; they can be different for different bugs. Making them random increases the chance that the C repro executes with the right timings at some point.
* prog: allow recursion for optional pointers (Andrey Konovalov, 2017-07-19; 1 file, -0/+9)
  When syzkaller generates arg that uses a few structs that reference each other via pointers, it can go into infinite recursion and crash. Fix this by forcing pointer args to be null when the depth of recursion reaches 3 for some struct.
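  The pattern behind that fix, as an added example in C (not the prog package's Go code; the toy type system, the names and the two mutually recursive types A and B are made up for the illustration): a generator keeps a per-struct count of how many instances of each struct are currently on the generation stack, and a pointer whose target struct has already hit the bound is emitted as nil instead of recursing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative toy type system; MAX_STRUCT_DEPTH is the bound the commit message describes. */
#define MAX_STRUCT_DEPTH 3
#define MAX_TYPES 8

enum kind { KIND_INT, KIND_PTR, KIND_STRUCT };

struct type {
	enum kind kind;
	const char* name;
	int id;                            /* struct index into gen_state.depth */
	const struct type* elem;           /* pointee, KIND_PTR only */
	const struct type* const* fields;  /* KIND_STRUCT only */
	int nfields;
};

struct value {
	const struct type* type;
	int is_null;            /* KIND_PTR: pointer was chosen or forced to be nil */
	struct value* kids[2];  /* pointee or struct fields (the toy types have at most 2) */
	int nkids;
};

struct gen_state {
	int depth[MAX_TYPES];   /* instances of each struct currently being generated */
	uint32_t rng;           /* xorshift32 state, must be non-zero */
	int force_nonnull;      /* worst case: never pick nil unless the depth check forces it */
};

/* A { int x; ptr[B] b; }  and  B { ptr[A] a; ptr[A] a2; }: mutually recursive via optional pointers. */
extern const struct type t_A, t_B;
const struct type t_int  = {KIND_INT, "int", -1, NULL, NULL, 0};
const struct type t_ptrA = {KIND_PTR, "ptr[A]", -1, &t_A, NULL, 0};
const struct type t_ptrB = {KIND_PTR, "ptr[B]", -1, &t_B, NULL, 0};
const struct type* const fields_A[] = {&t_int, &t_ptrB};
const struct type* const fields_B[] = {&t_ptrA, &t_ptrA};
const struct type t_A = {KIND_STRUCT, "A", 0, NULL, fields_A, 2};
const struct type t_B = {KIND_STRUCT, "B", 1, NULL, fields_B, 2};

static uint32_t next_rand(struct gen_state* st) {
	st->rng ^= st->rng << 13; st->rng ^= st->rng >> 17; st->rng ^= st->rng << 5;
	return st->rng;
}

struct value* gen_value(const struct type* t, struct gen_state* st) {
	struct value* v = calloc(1, sizeof(*v));
	v->type = t;
	if (t->kind == KIND_PTR) {
		const struct type* tgt = t->elem;
		/* The fix: a pointer to a struct that already sits MAX_STRUCT_DEPTH levels deep on the
		 * generation stack is forced to nil instead of recursing into that struct again. */
		int over_budget = tgt->kind == KIND_STRUCT && st->depth[tgt->id] >= MAX_STRUCT_DEPTH;
		int pick_nil = !st->force_nonnull && next_rand(st) % 4 == 0;
		if (over_budget || pick_nil)
			v->is_null = 1;
		else
			v->kids[v->nkids++] = gen_value(tgt, st);
	} else if (t->kind == KIND_STRUCT) {
		st->depth[t->id]++;
		for (int i = 0; i < t->nfields; i++)
			v->kids[v->nkids++] = gen_value(t->fields[i], st);
		st->depth[t->id]--;
	}
	return v;
}

/* Deepest chain of nested structs in a generated value. */
int struct_nesting(const struct value* v) {
	int best = 0;
	for (int i = 0; i < v->nkids; i++) {
		int d = struct_nesting(v->kids[i]);
		if (d > best) best = d;
	}
	return best + (v->type->kind == KIND_STRUCT);
}

int count_structs(const struct value* v) {
	int n = v->type->kind == KIND_STRUCT;
	for (int i = 0; i < v->nkids; i++) n += count_structs(v->kids[i]);
	return n;
}

void free_value(struct value* v) {
	for (int i = 0; i < v->nkids; i++) free_value(v->kids[i]);
	free(v);
}

/* Generate an A with every pointer wanting to be non-nil. Without the depth check this never
 * terminates; with it the tree is A,B,A,B,A,B deep (6 levels) and holds 14 structs. */
int worst_case(int* nstructs) {
	struct gen_state st = {{0}, 0x9e3779b9u, 1};
	struct value* v = gen_value(&t_A, &st);
	int depth = struct_nesting(v);
	*nstructs = count_structs(v);
	free_value(v);
	return depth;
}

/* Seeded random generation: nesting can only be at or below the worst case. */
int random_case(uint32_t seed) {
	struct gen_state st = {{0}, seed ? seed : 1, 0};
	struct value* v = gen_value(&t_A, &st);
	int depth = struct_nesting(v);
	free_value(v);
	return depth;
}

int main(void) {
	int n, d = worst_case(&n);
	printf("worst case: nesting %d, %d structs; seeded run: nesting %d\n", d, n, random_case(42));
	return 0;
}
```

  The bound is per struct type, not global, so two different structs can each be three deep on the same path (hence the six-level worst case above); with types that fan out more than B does, the node count still grows exponentially in the bound, which is why a small constant like 3 is the right order of magnitude.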
* Makefile: actually cross-compile during presubmit (Dmitry Vyukov, 2017-06-26; 1 file, -0/+7)
* Port console to Darwin (#253) (Zach Riggle, 2017-06-26; 1 file, -0/+2)
    * Port console to Darwin
    * Get syz-executor to build correctly
    * Do not export unix and syscall constants
    * Add presubmit test
    * Add myself to contributors
* sys: add ETHTOOL ioctl in socket.txt (JB Cayrou, 2017-06-19; 1 file, -0/+3)
  Add ioctl$sock_SIOCETHTOOL and ETHTOOL structures defined in uapi/linux/ethtool.h
  http://elixir.free-electrons.com/linux/latest/source/include/uapi/linux/ethtool.h
* sys: use consistent icmp socket syscall names (Andrey Konovalov, 2017-06-14; 1 file, -36/+30)
* executor: handle EACCES errno when opening /dev/kvm in test (Dmitry Vyukov, 2017-06-14; 1 file, -1/+1)
* executor: fix compiler warnings in test (Dmitry Vyukov, 2017-06-14; 1 file, -21/+24)
* executor: fix csum test (Dmitry Vyukov, 2017-06-14; 1 file, -1/+1)
* makefile: list generated packages (Andrey Konovalov, 2017-06-14; 1 file, -1/+1)
* executor: fix clang-tidy warnings (Dmitry Vyukov, 2017-06-13; 2 files, -18/+18)
  A single check is enabled for now (misc-definitions-in-headers). But it's always fixable and found 2 bugs in csource.
* sys: check in generated files (Dmitry Vyukov, 2017-06-13; 1 file, -0/+4542)
  We used to have all generated files checked in. Later we removed them (now users are supposed to run make to generate them). This causes several problems:
    - go get does not work as it tries to build everything straight away (go get -d works, but users are confused)
    - users don't run make and complain that build is broken
    - users don't re-run make after updates and complain that build is broken
    - hard to integrate into other build system (even if they support building Go, they don't support running sysgen out-of-the-box)
  Fixes #216
* Merge pull request #223 from xairy/up-makedev-fix (Andrey Konovalov, 2017-06-13; 1 file, -0/+1)
  executor: add sys/sysmacros.h include for makedev in newer gcc
* executor: add sys/sysmacros.h include for makedev in newer gcc (Andrey Konovalov, 2017-06-13; 1 file, -0/+1)
* executor: reformat (Dmitry Vyukov, 2017-06-13; 1 file, -1/+1)
* csource: don't use guard macros for debug() and NONFAILING() (Andrey Konovalov, 2017-06-12; 2 files, -109/+69)
* repro: always minimize over EnableTun (Andrey Konovalov, 2017-06-12; 1 file, -1/+1)
* csource: generate includes when necessary (Andrey Konovalov, 2017-06-12; 1 file, -25/+102)
* csource: don't generate execute_syscall calls (Andrey Konovalov, 2017-06-12; 1 file, -0/+2)
* csource: use tmp dir in repeat loop when tmpdir flag is on (Andrey Konovalov, 2017-06-12; 1 file, -1/+9)
* csource: only emit fail(), exitf() and doexit() when necessary (Andrey Konovalov, 2017-06-12; 1 file, -1/+15)
* csource: don't generate debug printfs (Andrey Konovalov, 2017-06-12; 1 file, -2/+32)
* csource: try to simplify repeat loop (Andrey Konovalov, 2017-06-12; 1 file, -3/+10)
* csource: use sandbox only when required (Andrey Konovalov, 2017-06-12; 1 file, -0/+2)
* csource: emit bitmasks only when required (Andrey Konovalov, 2017-06-12; 1 file, -14/+16)
* csource: force enable tun flag when required (Andrey Konovalov, 2017-06-12; 1 file, -10/+2)
* csource: only handle SIGSEGV when necessary (Andrey Konovalov, 2017-06-12; 2 files, -9/+29)
* executor: don't define SYZ_ENABLE_TUN in executor (Andrey Konovalov, 2017-06-12; 2 files, -17/+16)
* csource: use tmp dir only when necessary (Andrey Konovalov, 2017-06-12; 1 file, -0/+2)
* executor: split setup_main_process into smaller functions (Andrey Konovalov, 2017-06-12; 2 files, -23/+23)
* csource: add EnableTun option (Andrey Konovalov, 2017-06-12; 2 files, -31/+36)
* executor: call flush_tun for repeat repros (Andrey Konovalov, 2017-06-12; 1 file, -7/+12)
* executor: move inet checksum code under ifdef (Andrey Konovalov, 2017-06-12; 1 file, -30/+32)
* executor: limit stack frame size (Dmitry Vyukov, 2017-05-31; 1 file, -1/+3)
  Stack usage warning currently breaks our internal build (with 16K frame limit). Executor uses stacks of limited size, that's another reason to not allow frames of arbitrary size. Limit stack frame size to 8K. Reduce tun packet size. We don't need to read out whole packet.
* all: cleanup executor/ipc status checking (Michael Pratt, 2017-05-30; 1 file, -1/+2)
  This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed.
* csource: reproduce crashes with fault injection (Dmitry Vyukov, 2017-05-26; 2 files, -15/+27)
* all: add fault injection capability (Dmitry Vyukov, 2017-05-26; 1 file, -7/+48)
  Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next).
* sys, executor: extract tcp sequence numbers from /dev/net/tun (Andrey Konovalov, 2017-05-26; 2 files, -11/+146)
  This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets.
  As a result this syzkaller program:

    mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
    r0 = socket$inet_tcp(0x2, 0x1, 0x0)
    bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
    listen(r0, 0x5)
    syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
    syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
    syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
    r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)

  established a TCP connection:

    Proto Recv-Q Send-Q Local Address        Foreign Address      State        PID/Program name
    tcp        0      0 0.0.0.0:20000        0.0.0.0:*            LISTEN       5477/a.out
    tcp        2      0 172.20.0.170:20000   172.20.0.187:20001   ESTABLISHED  5477/a.out

  Similar program for IPv6:

    mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
    r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
    bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
    listen(r0, 0x5)
    syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
    syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
    syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
    r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)

    Proto Recv-Q Send-Q Local Address        Foreign Address      State        PID/Program name
    tcp6       0      0 :::20001             :::*                 LISTEN       5527/a.out
    tcp6       0      0 fe80::aa:20001       fe80::bb:20000       ESTABLISHED  5527/a.out
* executor: increase syscall timeout in debug mode (Dmitry Vyukov, 2017-05-23; 1 file, -1/+2)
  Debug output takes time, so 20ms is not enough for almost any syscall. Give a syscall 500ms in debug before considering it blocked.
* executor: mount /proc in namespace (Dmitry Vyukov, 2017-05-23; 1 file, -0/+9)
  /proc is useful for fault injection and there is probably some interesting stuff to fuzz as well.
* prog, executor: move checksum computation to executor (Andrey Konovalov, 2017-05-12; 5 files, -9/+277)
  This commit moves checksum computation to executor. This will allow to embed dynamically generated values (like TCP sequence numbers) into packets.
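  The two pieces those commits combine, as one added example in C that is not the executor's own code (the names tcp_res, extract_tcp_res, find_tcp, tcp_checksum and build_synack_frame are this example's; the frame, MACs and addresses are constructed for the test; the real pseudo-syscall first read()s the frame from the tun fd, which is not shown, and IPv6 extension headers are not handled): parse the SYN-ACK that came back through the tun device to get the sequence numbers the handshake's final ACK needs, as in the syz_extract_tcp_res program above, and compute the TCP checksum over the pseudo-header at emit time, which is what lets runtime values like those sequence numbers be embedded into a packet after the program was generated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the executor's code: the names (tcp_res, extract_tcp_res, tcp_checksum, ...)
 * are illustrative. The real pseudo-syscall first read()s the frame from the tun fd; here the
 * frame comes from build_synack_frame() below. IPv6 extension headers are not handled (assumption). */
struct tcp_res { uint32_t seq; uint32_t ack; };

static uint32_t be32(const uint8_t* p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put16(uint8_t* p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t* p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* Locate the TCP header in an Ethernet frame carrying IPv4 or IPv6, validating every length on the way. */
const uint8_t* find_tcp(const uint8_t* f, size_t len, size_t* tcp_len) {
	if (len < 14) return NULL;
	const uint8_t* ip = f + 14;
	size_t iplen = len - 14, hdr;
	if (f[12] == 0x08 && f[13] == 0x00) {                      /* IPv4 */
		if (iplen < 20 || ip[0] >> 4 != 4 || ip[9] != 6) return NULL;
		hdr = (size_t)(ip[0] & 0xf) * 4;
		size_t total = (size_t)ip[2] << 8 | ip[3];
		if (hdr < 20 || total < hdr || total > iplen) return NULL;
		*tcp_len = total - hdr;
	} else if (f[12] == 0x86 && f[13] == 0xdd) {               /* IPv6; next header must be TCP */
		if (iplen < 40 || ip[0] >> 4 != 6 || ip[6] != 6) return NULL;
		hdr = 40;
		*tcp_len = (size_t)ip[4] << 8 | ip[5];
		if (*tcp_len > iplen - 40) return NULL;
	} else {
		return NULL;
	}
	return *tcp_len < 20 ? NULL : ip + hdr;
}

/* Pull seq/ack out of the captured segment and apply the caller's increments: seq_inc=1, ack_inc=0
 * turns a SYN-ACK into the numbers the handshake's final ACK needs. */
int extract_tcp_res(const uint8_t* frame, size_t len, uint32_t seq_inc, uint32_t ack_inc, struct tcp_res* out) {
	size_t tl;
	const uint8_t* tcp = find_tcp(frame, len, &tl);
	if (!tcp) return -1;
	out->seq = be32(tcp + 4) + seq_inc;
	out->ack = be32(tcp + 8) + ack_inc;
	return 0;
}

/* RFC 1071 one's-complement sum (an odd trailing byte is zero-padded) and the final fold. */
static uint32_t csum_add(uint32_t sum, const uint8_t* p, size_t n) {
	for (; n > 1; n -= 2, p += 2) sum += (uint32_t)p[0] << 8 | p[1];
	return n ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 (alen=4) or IPv6 (alen=16) pseudo-header plus the segment. Computed with
 * the checksum field zeroed; recomputed over a segment whose field is filled in, it returns 0 if intact. */
uint16_t tcp_checksum(const uint8_t* src, const uint8_t* dst, int alen, const uint8_t* seg, size_t len) {
	uint8_t ph[40] = {0};
	size_t phlen;
	memcpy(ph, src, alen); memcpy(ph + alen, dst, alen);
	if (alen == 4) { ph[9] = 6; put16(ph + 10, (uint16_t)len); phlen = 12; }
	else { put32(ph + 32, (uint32_t)len); ph[39] = 6; phlen = 40; }
	return csum_fold(csum_add(csum_add(0, ph, phlen), seg, len));
}

/* Minimal 20-byte TCP header, ports 20000 -> 20001, with its checksum filled in (flags 0x12 = SYN|ACK). */
static void fill_tcp(uint8_t* t, uint32_t seq, uint32_t ack, uint8_t flags, const uint8_t* src, const uint8_t* dst, int alen) {
	memset(t, 0, 20);
	put16(t, 20000); put16(t + 2, 20001); put32(t + 4, seq); put32(t + 8, ack);
	t[12] = 0x50; t[13] = flags; put16(t + 14, 0xffff);
	put16(t + 16, tcp_checksum(src, dst, alen, t, 20));
}

/* Constructed SYN-ACK frame from the listening side (MACs and addresses are made up for the example).
 * Returns the frame length; f must hold at least 74 bytes. */
size_t build_synack_frame(int v6, uint32_t seq, uint32_t ack, uint8_t* f) {
	static const uint8_t s4[4] = {172, 20, 0, 170}, d4[4] = {172, 20, 0, 187};
	static const uint8_t s6[16] = {0xfe, 0x80, [15] = 0xaa}, d6[16] = {0xfe, 0x80, [15] = 0xbb};
	uint8_t* ip = f + 14;
	memset(f, 0, 74); memset(f, 0xaa, 6); memset(f + 6, 0xbb, 6);
	if (!v6) {
		put16(f + 12, 0x0800);
		ip[0] = 0x45; put16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
		memcpy(ip + 12, s4, 4); memcpy(ip + 16, d4, 4);
		fill_tcp(ip + 20, seq, ack, 0x12, s4, d4, 4);
		return 14 + 40;
	}
	put16(f + 12, 0x86dd);
	ip[0] = 0x60; put16(ip + 4, 20); ip[6] = 6; ip[7] = 64;
	memcpy(ip + 8, s6, 16); memcpy(ip + 24, d6, 16);
	fill_tcp(ip + 40, seq, ack, 0x12, s6, d6, 16);
	return 14 + 60;
}

/* The handshake's third packet: its seq is the captured ack, its ack is the captured seq + 1. */
int handshake_ack_numbers(int v6, uint32_t* ack_seq, uint32_t* ack_ack) {
	uint8_t f[80];
	size_t n = build_synack_frame(v6, 0x11223344, 0x42424243, f);
	struct tcp_res res;
	if (extract_tcp_res(f, n, 1, 0, &res)) return -1;
	*ack_seq = res.ack; *ack_ack = res.seq;
	return 0;
}

/* 1 if the constructed SYN-ACK's TCP checksum verifies, 0 if not; corrupt=1 flips the SYN flag first. */
int synack_checksum_ok(int v6, int corrupt) {
	uint8_t f[80], seg[20];
	size_t n = build_synack_frame(v6, 0x11223344, 0x42424243, f), tl;
	const uint8_t *ip = f + 14, *tcp = find_tcp(f, n, &tl);
	if (!tcp) return -1;
	memcpy(seg, tcp, 20);
	if (corrupt) seg[13] ^= 0x02;
	return v6 ? tcp_checksum(ip + 8, ip + 24, 16, seg, 20) == 0 : tcp_checksum(ip + 12, ip + 16, 4, seg, 20) == 0;
}
```

  Note the mapping to the program above: with increments (1, 0) the extracted pair is {SYN-ACK.seq + 1, SYN-ACK.ack}, and the third packet is emitted with seq = r2 (the captured ack, i.e. the client's own ISN + 1) and ack = r1. Because the checksum covers the pseudo-header and the freshly substituted sequence numbers, it can only be computed in the executor right before the frame is written to the tun fd, which is the reason for moving it out of the Go side.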
* executor: rename test_kvm.cc to test_executor.cc (Andrey Konovalov, 2017-05-10; 1 file, -0/+0)