Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.

There's a chance that the methods from common_bsd.h and common_linux.h
could dup2 (and thus close) an fd belonging to a kcov instance.
Prevent this by adjusting fd consts.

Initializing the VMCS fields Pin-based VM-execution controls and
Primary processor-based VM-execution controls to 0 and setting
their reserved bits using the appropriate MSRs increase coverage
for arch/x86/kvm/vmx/nested.c from 19% to 43%.

Add a UMOUNT_NOFOLLOW flag to umount2 in order to prevent remove_dir
from unmounting what was not mounted by the executed program.

Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).

Leave some controllers unbound so that the fuzzer can mount them during fuzzing.
This is suboptimal because all controllers are global (so different test
processes will collide, state accumulate, etc), but this still should give
at least some new coverage.

On stretch images setup_cgroups fails as:
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, net_cls) failed: 22
mount(/syzcgroup/net, net_prio) failed: 22
mount(/syzcgroup/net, blkio) failed: 22
SYZFAIL: mount cgroup failed
(/syzcgroup/net, devices,freezer): 16
(errno 16: Device or resource busy)
It seems that systemd starts messing with these mounts somehow
and repeated mounting fails with EBUSY.
Don't hard fail on that error.

Currently we setup cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.

Currently we enable all controllers at once.
As a result if one of them fails (b/c of older kernel
or not enabled configs), all will fail.
Enable them one-by-one instead. This way we can support kernels
that don't have all of the controllers.

Mount net, blkio, rlimit cgroups.

clang-format mis-formats #elif:
https://bugs.llvm.org/show_bug.cgi?id=48664
and then clang fails with:
error: misleading indentation; statement is not part of the previous 'if'
Split #elif into nested #if/else.

Historically the code base does not use single-line compound statements
({} around single-line blocks). But a few precedents have already crept in.
Add a check to keep the code base consistent.

Now that the call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous approach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.

At the moment syzkaller only fuzzes the platform architecture-defined
hypercalls. However there are custom-defined hypercalls which KVM handles;
they make 2 groups - an extension of hypercalls and so-called ultracalls
which are handled by the secure VM firmware but in absence of the secure
VM facility, KVM gets to handle those as errors.
This enables the two extra groups of hypercalls in KVM. If not enabled,
KVM exits to let the userspace handle them (which syzkaller does not do).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

This is necessary to make KVM actually execute the instructions.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

It is impossible to compile a number of definitions in
include/uapi/linux/kvm.h for other platforms, which leads
to syz-extract failing to update constants.
Skip processing of this file for all arches except i386 and
amd64.
This is a hacky and (hopefully) temporary solution until #2754
is implemented.

At least on OpenBSD this is the behavior:
% doas ifconfig tun5 create
% doas ifconfig tun5 destroy
% doas ifconfig tun5 create
% doas ifconfig /dev/tun5 destroy
ifconfig: SIOCIFDESTROY: Invalid argument

RunTime Abstraction Services (RTAS) is an API used by the Linux
powerpc/pseries platform to talk to the hypervisor. Under KVM, this
is implemented as a custom hypercall (which we have support for) and
an in memory array of parameters. The hypercall is H_RTAS and its only
parameter is a pointer to the mentioned array. The vast majority of
RTAS calls are handled normally by QEMU and only a handful by KVM.
This adds fuzzing of 4 RTAS calls. This uses a chunk from main 256MB RAM
for parameters. The parameters are big endian hence "<<24" for the token.
To allow more targeted fuzzing, use iset.GenerateInt().
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
IR - enables MMU for instruction fetches
DR - enables MMU for data loads/stores
PR - "problem state", i.e. userspace (implies DR and IR)
PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS
normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

Turns out the ifuzz on powerpc did not ever properly work. This fixes
syz_kvm_setup_cpu$ppc64:
Enable the PAPR KVM capability (otherwise KVM_RUN fails right away).
Finish generated sequences with the software debug breakpoint as
there is no x86's "hlt" variant on POWER and otherwise KVM won't exit.
Add exception handlers, use the software debug breakpoint instruction
to trigger immediate exit from KVM with the only exception of
the decrementer interrupt handler (timer) to recharge the timer and
continue.
Define and use endianness selection flag (Big vs. Little endian).
Define the code generator similar to kvm_gen.cc which for now contains
2 simple tests and the decrementer interrupt handler code.
Add test cases to the executor so "bin/linux_ppc64le/syz-executor test"
can run some sensible tests. The tests copy 0xbadc0de around similar
to x86 and use gpr[3] as the return value register (similar to EAX).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

The "scope" field of struct fault_ioc_info is an input to the ioctl,
so initialize it to FAULT_SCOPE_LWP to match other fault_ioc_* usage.

Pretty much ripped from freebsd +/- what isn't applicable to darwin.

Move the sysctl into config, so that kernels can opt out of it if necessary
(not all kernels enable it or are interested in testing it).

This blocks some of the ways the fuzzer can trigger a reboot.
ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting
and setting cad_pid to the current pid (transient "syz-executor setup") makes it a no-op.
For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ

The `driver.h` header moved from `ddk/driver.h` to `lib/ddk/driver.h`.

Currently we enable JIT always and don't test interpreter.
Enable JIT on a subset of instances and disable on others using kernel config.

/sys/kernel/debug/x86/nmi_longest_ns is x86 specific,
don't set it on non-x86 arches.

If rfkill is enabled by the fuzzer, wifi setup will fail.
Disable rfkill to initial state during setup.

Currently all executor fail errors go into "lost connection" bucket.
This is not very useful. First, there are different executor failures.
Second, it's not possible to understand what failures happen how frequently.
Third, they are not authentic lost connections.
Create separate SYZFAIL: bugs for them.
Update #573
Update #502
Update #318

We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444

KVM was removed for arm architecture.
Latest Linux headers don't contain <asm/kvm.h> for arm.
So don't even include them.

dashboard link: https://syzkaller.appspot.com/bug?extid=38fe37bc451a42e6c9a4
Reported-by: syzbot+38fe37bc451a42e6c9a4@syzkaller.appspotmail.com

In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.

Lately, I've been looking into why such a low number of syz reproducers on
OpenBSD are turned into C reproducers. One thing I did notice is that
such syz reproducers have one thing in common: they use the
threaded=true and sandbox=none parameters. Such C reproducer always
exits non-zero early on since the call to setsid() fails with EPERM.
Meaning, the calling process is already a process group leader.
Not sure if the preprocessor conditional should be tweaked in order to
avoid unwanted side effects on other BSDs or configurations.

Faster gc (1 second) is intended to make tests more repeatable.
{"/proc/sys/kernel/keys/gc_delay", "1"},
Huge page overcommit is disabled by default, allowing some
overcommit is intended to give more coverage.
{"/proc/sys/vm/nr_overcommit_hugepages", "4"},
We always want to prefer killing the allocating test process
rather than somebody else (sshd or another random test process).
{"/proc/sys/vm/oom_kill_allocating_task", "1"},

Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentally lost along the way,
re-add it.

This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder
for options (none implemented yet).
This adds instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement of
the Intel XED library for POWERPC (gapstone-capstone, later, maybe).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>

write_file() is needed for setup_sysctl() and syz_usbip_server_init().
setup_sysctl() also misses some header includes.

Fixes #1989

Sysctls are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.

A process group leader is not allowed to call setsid, thus remove setpgrp.

The arp netfilter entry contains u64,
but we used only void* to enforce alignment.
This worked everywhere except for arm,
which is 32-bit and has 8-byte alignment for u64.
Use u64 to enforce correct alignment.
Fixes #2188

The parent-death signal is set in sandbox_common, but then setresuid and
setresgid clear it and we need to set it again.
Signed-off-by: Andrei Vagin <avagin@google.com>