path: root/executor
Commit message | Author | Age | Files | Lines
...
* sys/linux: executor: implement SYZOS_API_WR_DRN on x86 | Alexander Potapenko | 2025-09-19 | 1 | -0/+45
  Add a SYZOS call to write to one of the debug registers (DR0-DR7).
* executor: sys/linux/: pkg/runtest: pkg/vminfo: add syz_kvm_assert_syzos_kvm_exit | Alexander Potapenko | 2025-09-19 | 5 | -1/+35
  Implement a pseudo-syscall to check the value of kvm_run.exit_reason.
* executor: introduce __no_stack_protector and use it for guest code | Alexander Potapenko | 2025-09-11 | 3 | -23/+37
  When compiling the executor in syz-env-old, -fstack-protector may kick in and introduce global accesses that tools/check-syzos.sh reports. To prevent this, introduce the __no_stack_protector macro attribute that disables stack protection for the function in question, and use it for guest code. While at it, factor out some common definitions into common_kvm_syzos.h.
* executor: x86: fix check-syzos error | Alexander Potapenko | 2025-09-11 | 1 | -14/+16
  Replace the switch statement in guest_handle_wr_crn() with a series of if statements.
* executor: refactor execute_req parsing to use names for IPC flags | Jann Horn | 2025-09-02 | 1 | -5/+5
  This makes it easier to figure out where the flags go by grepping for them by name. No functional change intended.
* executor: move proc opts to a separate struct | Aleksandr Nogikh | 2025-08-21 | 1 | -36/+41
  This will reduce code duplication and simplify adding new fields.
* executor: arm64: syzos: add flush_cache_range() | Alexander Potapenko | 2025-08-08 | 1 | -3/+32
  ARMv8-A architecture mandates how caches should be flushed when writing self-modifying code. Although it would be nice to catch some bugs caused by omitting this synchronization, we want it to happen in most cases, so that our code actually works.
* executor: arm64: syzos: fix the constraints in gicv3_cpu_init() | Alexander Potapenko | 2025-08-08 | 1 | -2/+1
  Somehow we were using an input constraint instead of an output one in the assembly code performing a read of ICC_SRE_EL1 into a GP register.
* executor: arm64: syzos: delete clobbers from one_irq_handler_fn() | Alexander Potapenko | 2025-08-08 | 1 | -3/+1
  In fact, this function does not clobber any registers; they are all restored. Therefore, just delete the registers from the clobber list.
* executor: keep output area base address on reallocation | Aleksandr Nogikh | 2025-08-06 | 1 | -0/+7
  Output area may be remapped from several different processes (i.e. after forking), so we should not assume that the suggested base address will be the same.
* executor: change input/output area mapping rules | Aleksandr Nogikh | 2025-08-06 | 1 | -26/+62
  For ASAN builds, assume that the executable is dynamically linked and that the addresses in HighMem may be occupied by the libraries. Otherwise, use fixed addresses both for the input and the output area. Before, input area was mapped at an arbitrary location and the default output area location for ASAN builds was sometimes overlapping with it. Use MAP_FIXED_NOREPLACE to prevent such overlaps in the first place.
* Revert "executor: change input/output area mapping rules" | Aleksandr Nogikh | 2025-08-05 | 1 | -62/+26
  This reverts commit dce63a35b1bfe856335d8334bcd75f5412157309.
* executor: introduce cover_close() | Alexander Potapenko | 2025-08-05 | 2 | -2/+19
  Right now closing a kcov fd on Linux won't disable coverage, so further attempts to open an fd and enable coverage on the same thread will not work. Add cover_close() which will disable the coverage if necessary, and close the file descriptor.
* executor: close the dangling file descriptor in setup_kcov_reset_ioctl() | Alexander Potapenko | 2025-08-05 | 1 | -0/+2
* executor: decouple kcov memory allocation from the trace | Alexander Potapenko | 2025-08-05 | 5 | -37/+52
  On different platforms and in different coverage collection modes the pointer to the beginning of kcov buffer may or may not differ from the pointer to the region that mmap() returned. Decouple these two pointers, so that the memory is always allocated and deallocated with cov->mmap_alloc_ptr and cov->mmap_alloc_size, and the buffer is accessed via cov->data and cov->data_size. I tried my best to not break Darwin and BSD, but I did not test them.
* executor: change input/output area mapping rules | Aleksandr Nogikh | 2025-08-05 | 1 | -26/+62
  For ASAN builds, assume that the executable is dynamically linked and that the addresses in HighMem may be occupied by the libraries. Otherwise, use fixed addresses both for the input and the output area. Before, input area was mapped at an arbitrary location and the default output area location for ASAN builds was sometimes overlapping with it. Use MAP_FIXED_NOREPLACE to prevent such overlaps in the first place.
* pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage | Alexander Potapenko | 2025-07-31 | 2 | -5/+48
  Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution. The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
* sys/linux: executor: implement SYZOS_API_WR_CRN on x86 | Alexander Potapenko | 2025-07-24 | 1 | -0/+37
  Add a SYZOS call to write to one of the system registers (CR0, CR2, CR3, CR4, CR8).
* executor/common_kvm_amd64_syzos.h: add _handle_ to function names | Alexander Potapenko | 2025-07-24 | 1 | -9/+9
  Let's try to stick to the convention of naming every SYZOS API handler syzos_handle_something(). No functional change.
* executor: sys/linux/dev_kvm_amd64.txt: implement rdmsr/wrmsr | Alexander Potapenko | 2025-07-24 | 1 | -0/+54
  Let SYZOS execute RDMSR and WRMSR on x86.
* executor/common_kvm_amd64_syzos.h: add a missing break | Alexander Potapenko | 2025-07-24 | 1 | -0/+1
* executor: sys/linux: use sparse IDs for SYZOS API | Alexander Potapenko | 2025-07-24 | 1 | -3/+7
  Like we already do on ARM, use prime numbers multiplied by 10 for SYZOS API IDs to prevent the compiler from emitting a jump table in guest_main().
* executor: neutralize errors=panic for gfs2 mounts | Aleksandr Nogikh | 2025-07-17 | 1 | -0/+3
  Append errors=withdraw to the mount options so that gfs2 withdrawals don't lead to kernel panics. Closes #6189.
* executor: handle zero length in syz_compare_zlib | Aleksandr Nogikh | 2025-07-14 | 1 | -3/+7
  It used to fail because we cannot mmap 0 bytes. Closes #6148.
* executor: arm64: syzos: add SYZOS_API_ERET, SYZOS_API_SVC | Alexander Potapenko | 2025-06-13 | 1 | -0/+41
  We expect these commands to reach some NV coverage.
* executor: linux: make syz_open_dev comment more correct | Florent Revest | 2025-06-04 | 1 | -1/+1
  The logic in that branch of the code relies on replacing # characters with numbers. There's a comment in the code which shows a clarifying example but it misses the # which I found mildly confusing.
* executor: linux: fix syz_open_dev virtual file names range | Florent Revest | 2025-06-04 | 1 | -2/+3
  We noticed that syzkaller left some files with fairly unusual file names under /dev. Eg:

    ---------- 1 root root 0 May 30 14:42 vcs-
    ---------- 1 root root 0 May 30 14:48 vcs.
    ---------- 1 root root 136317631 May 30 14:42 vcs'
    ---------- 1 root root 0 May 30 14:48 vcs(
    ---------- 1 root root 0 May 30 14:43 vcs)
    ---------- 1 root root 0 May 30 14:43 vcs*
    ---------- 1 root root 136317633 May 30 14:46 vcs+

  Funnily enough the characters after "vcs" are always within the '0'-10 to '0' ASCII range. We noticed that the syz_open_dev logic uses a modulo 10 on a signed number (the volatile long a1 argument) and in C the modulo of a negative number stays negative, so the result of this operation is in the '0'-10 to '0'+10 range. This is in turn cast to a char which is also signed and doesn't fix the glitch. By casting a1 to an unsigned long first, this keeps the result of the modulo operation signed and therefore the virtual file name suffix a number.
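The signed-modulo behaviour this commit describes, reduced to a runnable C illustration. This is an added example, not syzkaller's syz_open_dev() code: suffix_signed() and suffix_unsigned() are hypothetical stand-ins for the "#"-to-digit replacement, and the index range fed to them is constructed.

```c
#include <stdio.h>

/* Added example, not syzkaller's code. suffix_signed() and
 * suffix_unsigned() are reduced models of the "#" replacement in
 * syz_open_dev(): the fuzzer-chosen index a1 is reduced modulo 10 and
 * turned into a digit character to build a name such as "vcs3". */

/* Buggy shape: a negative a1 yields a negative remainder in C, so
 * '0' + (-3) is '-' and the file ends up named "vcs-" instead of "vcs3". */
static char suffix_signed(long a1)
{
	return (char)('0' + a1 % 10);
}

/* Fixed shape: reduce the unsigned value instead, so the remainder is
 * always in [0, 9] and the suffix is a digit. */
static char suffix_unsigned(long a1)
{
	return (char)('0' + (unsigned long)a1 % 10);
}

static int is_digit(char c)
{
	return c >= '0' && c <= '9';
}

/* Runs one of the suffix functions over [lo, hi] and returns how many
 * indices produced a non-digit suffix; 0 means no odd names under /dev. */
static int count_bad_suffixes(char (*fn)(long), long lo, long hi)
{
	int bad = 0;
	for (long i = lo; i <= hi; i++)
		if (!is_digit(fn(i)))
			bad++;
	return bad;
}

int main(void)
{
	/* Constructed sample indices, including the negatives that trigger
	 * the bug. */
	for (long i = -9; i <= 2; i++)
		printf("a1=%3ld  signed: vcs%c  unsigned: vcs%c\n",
		       i, suffix_signed(i), suffix_unsigned(i));
	return 0;
}
```

The unsigned remainder of a negative index is not the same digit the absolute value would give (for example -3 becomes '3' only because 2^64 ends in 6), but every result is a digit, which is all the name generation needs.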
* executor/kvm: add SYZOS support for CPUID | Marios Pomonis | 2025-05-19 | 1 | -0/+21
  This commit adds support for CPUID instructions on AMD64. It also adds a relevant test.
* executor: arm64: syzos: prevent jump table emission | Alexander Potapenko | 2025-05-12 | 1 | -10/+14
  When compiling SYZOS into the executor binary, the compiler often attempts to emit a jump table, putting it into the data section of the executor. SYZOS is unable to access that data and crashes. Use primes multiplied by 10 to defeat the compiler's heuristics for jump table emission.
* all: adjust to the new clang tidy checks | Aleksandr Nogikh | 2025-04-24 | 1 | -0/+2
  clang-tidy-20 generates many more failures, many of which are in the flatrpc library. Let's disable clang-analyzer-optin.core.EnumCastOutOfRange for now. It also complained about PROT_EXEC in the executor, but that is necessary to support syz_execute_func().
* all: format with clang-format-20 | Aleksandr Nogikh | 2025-04-24 | 3 | -131/+128
  The tests began to fail after pushing the new env container.
* executor/kvm: add x86-64 SYZOS fuzzer | Marios Pomonis | 2025-04-23 | 6 | -11/+443
  This commit adds the actual SyzOS fuzzer for x86-64 and a small test. It also updates some necessary parts of the ARM version and adds some glue for i386.
* executor/kvm: set up X86-64 SYZOS | Marios Pomonis | 2025-04-23 | 1 | -0/+32
  This commit prepares adding the X86-64 SYZOS by declaring the relevant functions, updating their ARM64 versions and adding placeholders.
* executor/kvm: bug fix and minor refactor in KVM | Marios Pomonis | 2025-03-27 | 4 | -328/+326
  * Fixes a bug when setting up a 64-bit guest by making the bit manipulation macros produce unsigned long long: To create a VCPU that has paging enabled, one needs to set the CR0.PE and CR0.PG bits in CR0. The latter is problematic when setting up a 64-bit guest since if the macro is not using 1ULL, it sign extends the output (in 64-bit mode the control registers are extended to 64-bits with some of the CR0[32:63] bits reserved). This results in either failing the KVM_SET_SREGS ioctl (in newer kernel versions) or just failing the KVM_RUN ioctl with EXIT_REASON_INVALID_STATE.
  * Moved the bit manipulation definitions from the amd64 specific to the generic kvm header to consolidate them with the already existing ones. Prefixed them with X86_ to avoid confusion.
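The sign-extension trap from the first bullet, reproduced in plain arithmetic. This is an added example and not the executor's KVM header: the macro names BIT_INT and X86_BIT, the CR0 bit positions and the reserved-mask check are assumptions for illustration, and no KVM ioctl is issued.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not syzkaller's code. It reproduces the sign-extension
 * trap described in the commit message; the macro names are hypothetical. */

/* Models the old shape (1 << n): the shift is evaluated as a 32-bit int,
 * so bit 31 lands in the sign bit. Written with explicit casts so the
 * example itself does not rely on the undefined 1 << 31. */
#define BIT_INT(n)  ((int32_t)((uint32_t)1 << (n)))

/* The corrected shape: an unsigned long long shift never sign-extends. */
#define X86_BIT(n)  (1ULL << (n))

#define CR0_PE_BIT 0   /* protection enable */
#define CR0_PG_BIT 31  /* paging enable */

/* Upper half of CR0 in 64-bit mode; a set bit here is what makes
 * KVM_SET_SREGS or KVM_RUN fail as described above. */
#define CR0_UPPER_RESERVED 0xFFFFFFFF00000000ULL

/* Buggy: the int result of BIT_INT(31) is sign-extended when converted to
 * uint64_t during the |=, smearing ones into CR0[32:63]. */
static uint64_t cr0_with_paging_buggy(void)
{
	uint64_t cr0 = 0;
	cr0 |= BIT_INT(CR0_PE_BIT);
	cr0 |= BIT_INT(CR0_PG_BIT);
	return cr0;
}

/* Fixed: the 1ULL-based macro keeps the upper half clear. */
static uint64_t cr0_with_paging_fixed(void)
{
	uint64_t cr0 = 0;
	cr0 |= X86_BIT(CR0_PE_BIT);
	cr0 |= X86_BIT(CR0_PG_BIT);
	return cr0;
}

/* Returns 1 if the value would be rejected for having reserved bits set. */
static int cr0_has_reserved_bits(uint64_t cr0)
{
	return (cr0 & CR0_UPPER_RESERVED) != 0;
}

int main(void)
{
	uint64_t buggy = cr0_with_paging_buggy();
	uint64_t fixed = cr0_with_paging_fixed();
	printf("buggy CR0 = 0x%016llx  reserved bits set: %d\n",
	       (unsigned long long)buggy, cr0_has_reserved_bits(buggy));
	printf("fixed CR0 = 0x%016llx  reserved bits set: %d\n",
	       (unsigned long long)fixed, cr0_has_reserved_bits(fixed));
	return 0;
}
```

The same conversion happens silently for any bit-31 flag assigned into a 64-bit field, which is why the commit moved the macros to a shared header with the 1ULL form rather than patching one call site.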
* executor: pull in errno.h on BSD systems | Mark Johnston | 2025-02-26 | 1 | -0/+1
  The error handling for the setsid() call in sandbox_common() requires it. Without it, some csource builds fail.
* executor: fix cover_protect() on FreeBSD | Mark Johnston | 2025-02-21 | 2 | -2/+8
  During machine checks, syzkaller will execute calls with coverage disabled, in which case per-thread coverage structures are zeroed out. write_output() will temporarily map the coverage data as writeable via CoverAccessScope, whether or not cover is enabled. In effect, write_output() may trigger a call to mprotect(0, kCoverSize, PROT_RW). On FreeBSD, mprotect() silently ignores unmapped regions, so this does not result in an error. In fact, kCoverSize is now large enough that this ends up removing the eXecute bit from part of syz-executor's text region. Make CoverAccessScope a no-op if coverage is not enabled. Modify BSD cover_protect() and cover_unprotect() to fail if invoked when coverage is disabled.
* pkg/rpcserver: pkg/flatrpc: executor: add handshake stage 0 | Alexander Potapenko | 2025-02-20 | 1 | -0/+16
  As we figured out in #5805, syz-manager treats random incoming RPC connections as trusted, and will crash if a non-executor client sends an invalid packet to it. To address this issue, we introduce another stage of handshake, which includes a cookie exchange:
  - upon connection from an executor, the manager sends a ConnectHello RPC message to it, which contains a random 64-bit cookie;
  - the executor calculates a hash of that cookie and includes it into its ConnectRequest together with the other information;
  - before checking the validity of ConnectRequest, the manager ensures client sanity (passed ID didn't change, hashed cookie has the expected value).
  We deliberately pick a random cookie instead of a magic number: if the fuzzer somehow learns to send packets to the manager, we don't want it to crash multiple managers on the same machine.
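The three handshake steps above, modelled with both sides in one process so the sanity check can be exercised. This is an added example, not syzkaller's pkg/rpcserver or flatrpc code: the struct layouts, the choice of 64-bit FNV-1a as "a hash of that cookie", and the per-connection expected-id bookkeeping are all assumptions; the real messages are flatbuffers and the real hash is whatever the project chose.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not syzkaller's protocol code. The message structs, the
 * FNV-1a hash and the expected-id bookkeeping are assumptions. */

struct connect_hello {
	uint64_t cookie;        /* random per-connection value from the manager */
};

struct connect_request {
	uint64_t id;            /* executor id the manager expects */
	uint64_t cookie_hash;   /* hash of the cookie from ConnectHello */
	uint8_t payload[32];    /* rest of the request; not parsed until sanity passes */
};

struct manager_conn {
	uint64_t expected_id;   /* id assigned when the connection was set up */
	uint64_t sent_cookie;   /* cookie the manager handed out in ConnectHello */
};

/* Assumed hash: 64-bit FNV-1a over the cookie's little-endian bytes. */
static uint64_t cookie_hash(uint64_t cookie)
{
	uint64_t h = 14695981039346656037ULL;
	for (int i = 0; i < 8; i++) {
		h ^= (cookie >> (8 * i)) & 0xff;
		h *= 1099511628211ULL;
	}
	return h;
}

/* Manager, step 1: hand out the cookie and remember it for this connection.
 * The caller supplies the random value (in production from getrandom(2)). */
static struct connect_hello manager_send_hello(struct manager_conn *c, uint64_t cookie)
{
	c->sent_cookie = cookie;
	return (struct connect_hello){ .cookie = cookie };
}

/* Executor, step 2: answer with its id and the hash of the cookie it got. */
static struct connect_request executor_connect_request(uint64_t id, struct connect_hello hello)
{
	struct connect_request req = { .id = id, .cookie_hash = cookie_hash(hello.cookie) };
	memset(req.payload, 0x41, sizeof(req.payload)); /* constructed filler */
	return req;
}

/* Manager, step 3: sanity check that runs before anything in the request
 * body is parsed, so a stray or fuzzer-generated packet never reaches the
 * code that used to crash on malformed input. */
static bool manager_accept(const struct manager_conn *c, const struct connect_request *req)
{
	if (req->id != c->expected_id)
		return false;
	if (req->cookie_hash != cookie_hash(c->sent_cookie))
		return false;
	return true;
}

/* Full exchange for one honest connection; returns whether it was accepted. */
static bool run_handshake(uint64_t executor_id, uint64_t cookie)
{
	struct manager_conn conn = { .expected_id = executor_id, .sent_cookie = 0 };
	struct connect_hello hello = manager_send_hello(&conn, cookie);
	struct connect_request req = executor_connect_request(executor_id, hello);
	return manager_accept(&conn, &req);
}
```

A client that did not receive this connection's ConnectHello cannot produce the expected cookie_hash, and because the cookie is fresh per connection, a packet captured from one manager does not pass on another; a fixed magic number would give both of those away.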
* executor: fix MAP_FIXED_NOREPLACE dependency | Taras Madan | 2025-02-11 | 1 | -0/+3
  Some environments don't define MAP_FIXED_NOREPLACE.
* executor: favor MAP_FIXED_NOREPLACE over MAP_FIXED | Aleksandr Nogikh | 2025-02-04 | 4 | -5/+13
  MAP_FIXED_NOREPLACE allows failing early if we happened to overlap with an existing memory mapping. It should help detect bugs like #5674 at an earlier stage, before it led to memory corruptions. MAP_FIXED_NOREPLACE is supported from Linux 4.17, which is okay for all syzkaller use cases on syzbot. There's no such option for some of the supported OSes, so set it depending on the configuration we're building for.
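The behaviour this commit and the later input/output area mapping change rely on, shown in a small Linux program: MAP_FIXED silently discards whatever was mapped at the address, while MAP_FIXED_NOREPLACE fails with EEXIST. This is an added example, not the executor's mapping code; the scratch-area size, the helper names and the fallback defines for headers that lack the flags (the situation the 2025-02-11 follow-up fixes) are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Added example, not syzkaller's executor code. Linux only. */

/* Fallbacks for headers that predate the flags or strict -std builds; the
 * values are the ones Linux uses. On kernels older than 4.17 the kernel
 * ignores MAP_FIXED_NOREPLACE and treats the address as a hint, which the
 * helper below also reports as "overlap caught". */
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20
#endif
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif

#define AREA_SIZE (64 * 1024)

/* Maps a scratch area at a kernel-chosen address; NULL on failure. */
static void *map_scratch_area(void)
{
	void *p = mmap(NULL, AREA_SIZE, PROT_READ | PROT_WRITE,
		       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	return p == MAP_FAILED ? NULL : p;
}

/* Tries to map AREA_SIZE bytes exactly at addr with the given fixed-mapping
 * flag. Returns 1 if the overlap was caught (EEXIST, or the kernel placed
 * the mapping elsewhere because it does not know the flag), 0 if the
 * existing mapping was silently replaced, -1 on any other error. */
static int map_over_existing(void *addr, int fixed_flag)
{
	void *p = mmap(addr, AREA_SIZE, PROT_READ | PROT_WRITE,
		       MAP_PRIVATE | MAP_ANONYMOUS | fixed_flag, -1, 0);
	if (p == MAP_FAILED)
		return errno == EEXIST ? 1 : -1;
	if (p != addr) {
		munmap(p, AREA_SIZE);
		return 1;
	}
	return 0;
}

int main(void)
{
	void *area = map_scratch_area();
	if (!area) {
		perror("mmap");
		return 1;
	}
	printf("MAP_FIXED_NOREPLACE over a live mapping: %d (1 = overlap caught)\n",
	       map_over_existing(area, MAP_FIXED_NOREPLACE));
	printf("MAP_FIXED over a live mapping:           %d (0 = silently replaced)\n",
	       map_over_existing(area, MAP_FIXED));
	munmap(area, AREA_SIZE);
	return 0;
}
```

The order of the two calls matters: the MAP_FIXED attempt is made last because it succeeds by destroying the original mapping, which is exactly the corruption the commit wants to turn into an early, visible failure.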
* executor: increase timeouts for glob requests | Nick Biryulin | 2025-01-28 | 1 | -1/+5
  Proper glob resolution is required for fuzzing. If it times out, it does so silently, and fuzzing dictionary will be smaller than expected, without any obvious errors. Given that, it makes sense to increase glob timeouts.
* executor: mount /syz-inputs dir to fuzzing sandbox | Nick Biryulin | 2025-01-28 | 1 | -0/+10
  Syzkaller allows user to specify filepath arguments in syscalls via globs. However, on linux, you are effectively limited to some /sys and /dev paths due to sandboxing. With this change, user can supply their custom fuzzing artifacts to /syz-inputs to use those in globs. They are mounted read-only to increase reproducibility.
* all: remove more mentions of the vendor folder | Aleksandr Nogikh | 2025-01-23 | 1 | -2/+4
* executor: arm64: add SYZOS_API_MRS | Marios Pomonis | 2025-01-14 | 1 | -0/+36
  Add support for the MRS instruction in a similar manner to MSR.
* executor: arm64: fix compiler warnings on inline assembly | Alexander Potapenko | 2025-01-09 | 1 | -5/+5
  Make sure operands passed to 64-bit MOV, MSR and MRS instructions are actually 64-bit. This fixes compiler warnings in certain build configurations.
* executor: pkg/vminfo: sys/linux: arm64: implement syz_kvm_assert_reg() | Alexander Potapenko | 2024-12-18 | 2 | -1/+20
  Add a pseudo-syscall to assert on register values.
* all: add support for binaries shipped with target | Stefan Wiehler | 2024-12-17 | 1 | -3/+3
  In some build environments (notably Yocto), syzkaller host and target binaries end up in separate packages for each built architecture, which are then shipped with the respective image/SDK. Add the "Execprog/ExecutorBinOnTarget" and "StraceBinOnTarget" options to the manager config, which when set expects the respective binaries to be shipped with the target image and does not attempt to copy them from the host.
* executor: mount gadgetfs | Dmitry Vyukov | 2024-12-11 | 1 | -0/+17
  We can reach it at least with automatic descriptions.
* executor: query globs in the test program context | Dmitry Vyukov | 2024-12-11 | 5 | -37/+89
  We query globs for 2 reasons:
  1. Expand glob types in syscall descriptions.
  2. Dynamic file probing for automatic descriptions generation.
  In both of these contexts we are interested in files that will be present during test program execution (rather than normal unsandboxed execution). For example, some files may not be accessible to test programs after pivot root. On the other hand, we create and link some additional files for the test program that don't normally exist. Add a new request type for querying of globs that are executed in the test program context.
* pkg/vminfo: sys/linux: executor: define syz_kvm_assert_syzos_uexit() | Alexander Potapenko | 2024-12-11 | 2 | -1/+20
  The new pseudo-syscall will serve as a test assertion, checking the uexit return value. This is going to help us validate SyzOS code.
* executor: arm: check for zero VM handle in syz_kvm_add_vcpu() | Alexander Potapenko | 2024-12-06 | 1 | -1/+7
  When running syscalls asynchronously, syz_kvm_add_vcpu() sometimes receives a zero VM handle, on which it then crashes. Check for the zero value to ensure stability of the tests in sys/linux/tests. Also make sure to set errno for the pseudo-syscall in the cases where it's not done by the underlying syscalls.