| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
We do similar truncation for values in the prog package (truncateToBitSize).
Truncating them in the generated descriptions makes it possible
to directly compare values (otherwise -1 and truncated -1 don't match).
|
| |
|
|
|
|
|
|
| |
flags[foo, int8]
foo = 0x12345678
is always an error, detect these cases.
Found some bugs in mptcp, packet sockets, kvm.
|
| |
|
|
|
| |
const[0x12345678, int8] is always an error, detect these cases.
Found some bugs in mptcp, socket proto and fuchsia fidl descriptions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we have:
ioctl(fd fd, cmd int32)
ioctl$FOO(fd fd, cmd const[FOO])
Currently we assume that cmd size in ioctl$FOO is sizeof(void*).
However, we know that in ioctl it's specified as int32,
so we can infer that the actual syscall size is 4.
This massively reduces sizes of socket/setsockopt/getsockopt/ioctl
and some other syscalls, which is good because we now use physical
size in mutation/hints and some other places.
This will also enable not morphing ioctl's into other ioctl's.
Update #477
Update #502
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that we don't have conflicting sizes for the same argument
of the same syscall, e.g.:
foo$1(a int16)
foo$2(a int32)
This is useful for several reasons:
- we will be able avoid morphing syscalls into other syscalls
- we will be able to figure out more precise sizes for args
(lots of them are implicitly intptr, which is the largest
type on most important arches)
- found few bugs in linux descriptions
Update #477
Update #502
|
| |
|
|
| |
This is just tedious. Fabricate them on the fly.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ThreadSanitizer says:
WARNING: ThreadSanitizer: data race (pid=3)
Atomic read of size 4 at 0x56360e562f08 by main thread:
#0 __tsan_atomic32_load <null> (libtsan.so.0+0x64249)
#1 event_isset executor/common_linux.h:51 (syz-executor.0+0x2cf1f)
#2 handle_completion executor/executor.cc:886 (syz-executor.0+0x2cf1f)
#3 execute_one executor/executor.cc:732 (syz-executor.0+0x2da3b)
#4 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#5 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#6 main executor/executor.cc:407 (syz-executor.0+0x189d6)
Previous write of size 4 at 0x56360e562f08 by thread T1:
#0 event_reset executor/common_linux.h:32 (syz-executor.0+0x1f5af)
#1 worker_thread executor/executor.cc:1048 (syz-executor.0+0x1f5af)
#2 <null> <null> (libtsan.so.0+0x2b0b6)
Location is global 'threads' of size 2560 at 0x56360e562f00 (syz-executor.0+0x00000008bf08)
Thread T1 (tid=6, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x2d55b)
#1 thread_start executor/common.h:256 (syz-executor.0+0x2d707)
#2 thread_create executor/executor.cc:1037 (syz-executor.0+0x2d707)
#3 schedule_call executor/executor.cc:811 (syz-executor.0+0x2d707)
#4 execute_one executor/executor.cc:719 (syz-executor.0+0x2d707)
#5 loop executor/common.h:581 (syz-executor.0+0x2f1aa)
#6 do_sandbox_none executor/common_linux.h:2694 (syz-executor.0+0x189d6)
#7 main executor/executor.cc:407 (syz-executor.0+0x189d6)
|
| |
|
|
|
|
|
|
| |
The running=-1 check fires periodically for the past 2 years.
I can't reproduce nor understand how this happens.
Add more debugging output, maybe it will shed some light.
Update #502
|
| |
|
|
|
|
|
| |
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
|
| |
|
|
| |
Fix code formatting, clang-tidy warnings, minor style nits.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
|
| |
|
|
|
|
|
|
| |
nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
It happens a lot in qemu, and the messages are frequently corrupted
(intermixed with other kernel output as they are printed from NMI)
and are not matched against the suppression in pkg/report.
This write prevents these messages from being printed.
|
| |
|
|
|
|
|
|
|
|
| |
This is one of the root causes of the 'no output from test machine'
panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will
cause state associated with ongoing connections to be purged;
effectively killing the ssh connection to the VM.
Including net/pfvar.h is necessary in order to make use of the
DIOCKILLSTATES define.
|
| |
|
|
|
|
|
| |
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4af5 ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentially.
Uncomment it.
Spotted by @xairy:
https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572
|
| |
|
|
| |
Incomplete, but something.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
These are not present in linux-next.
|
| |
|
|
| |
Update #1594
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Code in net/ethernet/eth.c does this:
__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
...
if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
dev->dev_addr))) {
if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
skb->pkt_type = PACKET_BROADCAST;
else
skb->pkt_type = PACKET_MULTICAST;
} else {
skb->pkt_type = PACKET_OTHERHOST;
}
}
Multicast and broadcast are distinct and dev->broadcast seems to be ffffffffffff
by default, so add another multicast mac address that will serve as PACKET_MULTICAST.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One observation is that checking for extra cover is very fast
(effectively a memory load), so we can simplify code by removing
th->extra_cover and just check for it always. Additionally, we may
grab some coverage that we would miss otherwise.
Don't sleep for 500 ms at the end if colliding,
we are not going to use the extra coverage in that case anyway.
Check for extra coverage at the end every 100ms to avoid
being killed on timeout before we write any.
Make the 500ms sleep at the end parametrizable.
Enable it for syz_usb syscalls, so we get the same behavior for usb.
But this also allows to get extra coverage for other subsystems.
Some subsystems don't have a good way to detect if we will get any
extra coverage or not. Sleeping for 500ms for all programs slows down
fuzzing too much. So we check for extra coverage at the end for all
programs (cheap anyway), but sleep only for usb program.
This allows to collect extra coverage for vhost and maybe wireguard in future.
Update #806
|
| |
|
|
|
|
| |
Create individual file for futex syscall and add description for the new
operation FUTEX_WAIT_MULTIPLE.
Signed-off-by: André Almeida <andrealmeid@collabora.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
|
| |
|
|
|
|
|
| |
SO_BINDTODEVICE for wg devices allows to reach very important
part of functionality (wg_xmit).
Update #806
|
| |
|
|
| |
By keeping this small, it means much greater probability that a randomly
generated packet that hits xmit will match an existing peer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The stringnozescapes does not make sense with filename,
also we may need similar escaping for string flags.
Handle escaped strings on ast level instead.
This avoids introducing new type and works seamleassly with flags.
As alternative I've also tried using strconv.Quote/Unquote
but it leads to ugly half-escaped strings:
"\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"
Make hex-encoded strings a separate string format instead.
|
| |
|
|
|
| |
Commit "wireguard: use wg0, wg1, wg2" added wg2,
bump netdev_addr_id accordingly.
|
| |
|
|
|
|
|
| |
I bumped input buffer size on Go side in:
a2af37f0 prog: increase encodingexec buffer size
But I forgot to increase the size on the executor side.
Do this and add comments re keeping them in sync.
|
| |
|
|
|
| |
This adds stringnozescapes to allow parsing of escape sequences in
strings.
|
| |
|
|
|
| |
This matches more closely what people are used to dealing with. We also
add one additional device for interesting multi-interface effects.
|
| |
|
|
|
| |
This tests more edge cases, as well as allowing for potentially a
correponding public and private key to be installed.
|
| |
|
|
| |
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
|
| | |
|
| |
|
|
|
| |
Adding support for IPPROTO_MPTCP. Like SMC, it is on top of TCP and can
thus be treated like a regular TCP socket.
|
| | |
|
| |
|
|
| |
Update #806
|
| |
|
|
|
|
| |
Thanks to syz-check for catching this.
Update #590
|
| | |
|
