path: root/ipc

Commit log (each entry: commit message; author, date; files changed, lines removed/added)

* pkg/ipc: move from ipc  (Dmitry Vyukov, 2017-06-17; 3 files, -862/+0)

* pkg/csource: move from csource  (Dmitry Vyukov, 2017-06-17; 1 file, -1/+1)

* pkg/fileutil: move from fileutil  (Dmitry Vyukov, 2017-06-03; 2 files, -2/+2)
* all: cleanup executor/ipc status checking  (Michael Pratt, 2017-05-30; 1 file, -13/+13)

  This is mostly a cleanup change with little functional change.

  In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error.

  Remove the panic check in syz-stress, which is no longer needed.

* all: speed up tests  (Dmitry Vyukov, 2017-05-29; 1 file, -2/+4)

  Mark tests as parallel where it makes sense. Speed up sys.TransitivelyEnabledCalls.

  Execution time is now:

    ok  github.com/google/syzkaller/config          0.172s
    ok  github.com/google/syzkaller/cover           0.060s
    ok  github.com/google/syzkaller/csource         3.081s
    ok  github.com/google/syzkaller/db              0.395s
    ok  github.com/google/syzkaller/executor        0.060s
    ok  github.com/google/syzkaller/fileutil        0.106s
    ok  github.com/google/syzkaller/host            1.530s
    ok  github.com/google/syzkaller/ifuzz           0.491s
    ok  github.com/google/syzkaller/ipc             1.374s
    ok  github.com/google/syzkaller/log             0.014s
    ok  github.com/google/syzkaller/prog            2.604s
    ok  github.com/google/syzkaller/report          0.045s
    ok  github.com/google/syzkaller/symbolizer      0.062s
    ok  github.com/google/syzkaller/sys             0.365s
    ok  github.com/google/syzkaller/syz-dash        0.014s
    ok  github.com/google/syzkaller/syz-hub/state   0.427s
    ok  github.com/google/syzkaller/vm              0.052s

  However, most of the time is still taken by rebuilding the sys package.

  Fixes #182
* all: add fault injection capability  (Dmitry Vyukov, 2017-05-26; 2 files, -23/+58)

  Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next).

* ipc: fix test build  (Dmitry Vyukov, 2017-05-23; 2 files, -10/+25)

* ipc: allow configuration of executor output buffer size  (Michael Pratt, 2017-05-19; 1 file, -7/+11)

  If an external sandbox program wraps the executor, it may include much more log output than the standard executor, making 128k of logs insufficient to get full context. Add a flag to allow increasing the size of the buffer.

  The current buffering mechanism isn't ideal, as it allocates the entire size up front and may include as little as half of the buffer size of output, but it works for now when you just need a bit more space.

* ipc: add an optional 'abort' signal  (Michael Pratt, 2017-05-19; 1 file, -41/+82)

  If an external sandbox process wraps the executor, it may be helpful to send a signal other than SIGKILL to the sandbox when the program times out or fails to respond. This gives the sandbox the opportunity to emit additional debugging information before exiting.

  Add an 'abort' signal to ipc, which is sent to the executor before SIGKILL. If the executor fails to exit within 5s, the signal is upgraded to SIGKILL.

  The default abort signal remains SIGKILL, maintaining existing behavior.
* executor: support wrapping executor with an external sandbox process  (Dmitry Vyukov, 2017-02-27; 1 file, -21/+36)

  If an external sandbox process wraps the executor, the out pipe will be closed before the sandbox process exits; this will make the ipc package kill the sandbox. As a result, the sandbox process will exit with exit status 9 instead of the executor exit status (notably kRetryStatus). Consequently, ipc will treat it as a hard failure rather than a temporal failure. So we duplicate the exit status on the pipe.

* ipc: print call number on corrupted output region  (Dmitry Vyukov, 2017-02-06; 1 file, -2/+2)

* ipc: fix hangs in debug mode  (Dmitry Vyukov, 2017-02-01; 1 file, -0/+1)

  exec waits for the readDone channel, but it is not closed in debug mode. Close readDone in debug mode.

* all: implement edge coverage  (Dmitry Vyukov, 2017-01-27; 2 files, -55/+61)

  Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides a better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces the corpus ~6-7x (from ~35K to ~5K); this has a profound effect on fuzzing efficiency.
* all: spot optimizations  (Dmitry Vyukov, 2017-01-20; 1 file, -28/+35)

  A bunch of spot optimizations after cpu/memory profiling:

  1. Optimize hot-path coverage comparison in fuzzer.
  2. Don't allocate and copy serialized program, serialize directly into shmem.
  3. Reduce allocations during parsing of output shmem (encoding/binary sucks).
  4. Don't allocate and copy coverage arrays, refer directly to the shmem region (we are not going to mutate them).
  5. Don't validate programs outside of tests, validation allocates tons of memory.
  6. Replace the choose primitive with simpler switches. Choose allocates a full load of memory (for int, func, and everything the func refers to).
  7. Other minor optimizations.

* csource: compile with -Werror  (Dmitry Vyukov, 2017-01-09; 1 file, -1/+1)

  Check for compiler warnings during compilation. Don't require -std=c99. Fix existing compiler warnings.

* ipc: produce more detailed error messages  (Dmitry Vyukov, 2016-12-08; 1 file, -14/+38)

  Always prepend the executor PID to error messages, so it is clear what program triggered a bug. Extend coverage parsing error messages.

* executor: don't try to open tun if it's not enabled  (Andrey Konovalov, 2016-12-02; 1 file, -0/+1)

* executor: emit ethernet traffic  (Andrey Konovalov, 2016-11-29; 1 file, -1/+3)
* ipc: improve handling of executor failures  (Dmitry Vyukov, 2016-11-29; 1 file, -1/+26)

  1. Logical executor failures were not handled in waitServing.
  2. Fuzzer did not distinguish temporal errors and logical errors and always waited for 10 errors before crashing.

  Fix that.

* ipc: append pid to binary name  (Dmitry Vyukov, 2016-11-26; 1 file, -0/+15)

  E.g. if the binary is 'syz-executor' and pid=15, we create a link from 'syz-executor15' to 'syz-executor' and use 'syz-executor15' as the binary. This makes it easy to identify the program that led to a crash in the log. The log contains the pid in "executing program 15" and crashes usually contain "Comm: syz-executor15".

* ipc, prog, sysgen: format code  (Dmitry Vyukov, 2016-11-25; 1 file, -2/+2)

* sys: add proc type to denote per process integers  (Andrey Konovalov, 2016-11-25; 2 files, -4/+6)

* ipc: extend error messages  (Dmitry Vyukov, 2016-11-22; 1 file, -2/+2)
* ipc: read out executor output  (Dmitry Vyukov, 2016-08-13; 1 file, -18/+34)

  If the executor constantly prints something, it will eventually hang since the pipe will overflow. Read out executor output to prevent the hang.

* ipc: fix broken test  (Dmitry Vyukov, 2016-08-05; 1 file, -3/+4)

* executor: revive setuid sandbox  (Dmitry Vyukov, 2016-07-01; 1 file, -12/+19)

  The new namespace-based sandboxing is good, but it's not always what one wants (and also requires special kernel configs). Change the dropprivs config value to sandbox, which can have different values (currently: none, setuid, namespace). Setuid mode uses setuid(nobody) before fuzzing as before. In future we can add more sandboxing modes or, say, extend -sandbox=setuid to -sandbox=setuid:johndoe to impersonate the given user.

* executor: ignore the case when test process kills loop process  (Dmitry Vyukov, 2016-03-10; 1 file, -4/+13)

  This led to lots of false positives.

* fuzzer: improve kmemleak logic  (Dmitry Vyukov, 2016-03-10; 2 files, -11/+33)

  Kmemleak has false positives. To mitigate most of them, it checksums potentially leaked objects, and reports them only on the next scan iff the checksum does not change. Because of that we do the following intricate dance: scan, sleep, scan again. At this point we can get some leaks. If there are leaks, we sleep and scan again; this can remove false leaks. Then, read kmemleak again. If we get leaks now, then hopefully these are true positives during the previous testing cycle.
* ipc: increase default response timeout  (Dmitry Vyukov, 2016-03-10; 1 file, -1/+4)

* ipc: give executor some time to startup  (Dmitry Vyukov, 2016-01-27; 1 file, -0/+22)

  Namespace-based sandbox can take some time to set up. In particular, lots of parallel executors block on net namespace creation.

* ipc: unify command line flag handling  (Dmitry Vyukov, 2016-01-27; 2 files, -1/+32)

  It was duplicated in 3 programs.

* ipc: remove strace support traces  (Dmitry Vyukov, 2016-01-27; 2 files, -154/+6)

  It is not working and not tested, and can't be restored with the new namespace sandboxing code.

* executor: new namespace-based sandbox  (Dmitry Vyukov, 2016-01-22; 1 file, -8/+1)

* executor: start moving sandboxing code into executor  (Dmitry Vyukov, 2016-01-20; 1 file, -11/+0)
* ipc: umount all mounts before removing temp dirs  (Dmitry Vyukov, 2016-01-11; 1 file, -0/+3)

  This is needed if unshare(CLONE_NEWNS) is not implemented. Otherwise, os.RemoveAll fails.

* ipc: increase timeout in tests  (Dmitry Vyukov, 2015-12-28; 2 files, -5/+12)

  IPC timeout must be larger than executor timeout. Otherwise IPC kills the parent executor but does not kill the child executor.

* prog: remove padding checking  (Dmitry Vyukov, 2015-12-23; 1 file, -0/+3)

  So far it has found only false positives. Let's leave this to KMSAN.

* fileutil: new package  (Dmitry Vyukov, 2015-12-23; 1 file, -1/+2)

  Move some file utilities into a separate package.

* csource: new package  (Dmitry Vyukov, 2015-12-23; 1 file, -28/+14)

  Move C source generation into a separate package. Prog is too bloated already.

* add a flag to disable setpgid syscall  (Dmitry Vyukov, 2015-12-17; 1 file, -5/+8)

  It is broken on some of our test systems.
* executor: export syscall execution results  (Dmitry Vyukov, 2015-12-17; 1 file, -2/+11)

  Errno can be used to guide fuzzing, or to detect syscalls that are not implemented.

* move Gate type to ipc package and use it in stress tool  (Dmitry Vyukov, 2015-12-17; 1 file, -0/+54)

  This allows printing which programs stress executes.

* ipc: fix removal of temp dir if chmod fails  (Dmitry Vyukov, 2015-12-17; 1 file, -4/+8)

* sys: automatically add padding to structs  (Dmitry Vyukov, 2015-12-17; 1 file, -1/+1)

* ipc: fix potential nil deref in command.close  (Dmitry Vyukov, 2015-11-23; 1 file, -4/+7)

* add various statistics to http interface  (Dmitry Vyukov, 2015-11-19; 1 file, -145/+5)
* use fork server in executor  (Dmitry Vyukov, 2015-11-10; 1 file, -2/+237)

  This avoids an exec per test. It also allows pre-mapping shared memory regions, and will allow pre-mapping coverage regions, etc. Seems to work already, but probably there are still some bugs.

* add collide mode to executor  (Dmitry Vyukov, 2015-11-06; 1 file, -0/+1)

  In this mode we execute pairs of syscalls concurrently to provoke data races in the kernel.

* experimental functionality to impersonate nobody user in executor  (Dmitry Vyukov, 2015-10-20; 1 file, -1/+13)

* dump executor output directly to console when debug  (Dmitry Vyukov, 2015-10-20; 1 file, -2/+7)

  Otherwise there is no way to see the output if the executor hangs dead.