path: root/pkg/csource/generated.go
Commit message | Author | Age | Files | Lines
* pkg/csource: use 0 for missing syscall args | Dmitry Vyukov | 2018-12-27 | 1 | -0/+56
  We don't specify trailing unused args for some syscalls (e.g. ioctl that does not use its arg). Executor always filled trailing unused args with 0's but pkg/csource didn't. Some such syscalls actually check that the unused arg is 0 and as the result failed with C repro.
  We could statically check and eliminate all such cases, but it turns out the warning fires in 1500+ cases: https://gist.githubusercontent.com/dvyukov/e59ba1d9a211ee32fa0ba94fab86a943/raw/a3ace5a63f7281f0298f51ea9842ead1e4713418/gistfile1.txt
  So instead fill such args with 0's in pkg/csource too.
* executor: create more net devices on linux | Dmitry Vyukov | 2018-12-26 | 1 | -15/+26
* executor: restrict ipc resource usage | Dmitry Vyukov | 2018-12-26 | 1 | -1/+21
  For context see: https://groups.google.com/d/msg/syzkaller-bugs/ZaBzAJbn6i8/Py9FVlAqDQAJ
* sys/linux: extend AX25/ROSE/NETROM descriptions | Dmitry Vyukov | 2018-12-24 | 1 | -2/+26
* pkg/csource: support tun and setuid repros on {free,open}bsd | Greg Steuck | 2018-12-13 | 1 | -1/+6
  * expose procid on BSD for tun, always declare loop()
  * deal with terrible bsd includes
  * replicate loop() declaration
* executor: reapply setuid sandbox for bsd | Greg Steuck | 2018-12-11 | 1 | -0/+70
  * Revert "Revert "executor: add setuid sandbox for openbsd""
    The problem is the low file descriptor limit.
    This reverts commit 4093e33b1338f274ae0062f555de9d6af8640d61.
  * executor/executor make sure the file descriptor limit is sufficient
* Revert "executor: add setuid sandbox for openbsd" | Greg Steuck | 2018-12-10 | 1 | -70/+0
  This reverts commit 6565f24da9f4eb36702339ba290213995fcc902f.
* executor: add setuid sandbox for openbsd | Greg Steuck | 2018-12-10 | 1 | -0/+70
  * executor/common_bsd: add setuid sandbox
    Fixes #833
    cc @mptre
  * Reduced duplications, resolved TODO.
* executor: fix handling of big-endian bitfields | Dmitry Vyukov | 2018-12-08 | 1 | -15/+12
  Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin. This leads to totally bogus result. Fix this.
* pkg/csource: use defines from sys/syscall.h on *bsd | Greg Steuck | 2018-12-02 | 1 | -0/+1
  Fixes #841
* executor: add support for tap interfaces on FreeBSD | Michael Tüxen | 2018-12-01 | 1 | -1/+15
* openbsd: repair pkg/csource_test | Greg Steuck | 2018-11-30 | 1 | -39/+35
* executor: Use correct macros. | Michael Tuexen | 2018-11-30 | 1 | -1/+1
  Suggested by Dmitry Vyukov.
* executor: Fix compilation on FreeBSD. | Michael Tuexen | 2018-11-30 | 1 | -5/+4
  This is an autogenerated file, but it seems that changes to it resulting from changes in executor/common_bsd.h must also be committed. e
* executor: FreeBSD: fixed endian.h path | msvoelker | 2018-11-23 | 1 | -0/+4
  The include statement for endian.h failed on FreeBSD. Changed include statement to syz/endian.h for FreeBSD.
* sys/fuchsia: update VMAR syscalls | Marco Vanotti | 2018-11-21 | 1 | -3/+3
  * sys/fuchsia: update vmar syscalls.
    In a previous zircon commit[0], the vmar related syscalls (like `zx_vmar_map`, `zx_vmar_protect` and `zx_vmar_allocate`) changed the order of their parameters, putting the flags parameter as the second parameter, and renaming it to "options".
    This commit modifies vmars.txt so that it reflects the latest state of the syscalls in zircon. I also modified the usage in `executor/common_fuchsia.h`.
    I ran make extract, make generate and compiled syzkaller to test this change.
    [0]: https://fuchsia-review.googlesource.com/c/zircon/+/168060
  * sys/fuchsia run make generate
    This commit is just the result of running make generate after its parent. This regenerates the definitions for the modified VMAR syscalls.
* executor: OpenBSD network package injection | Greg Steuck | 2018-11-17 | 1 | -6/+214
  Squash of:
  * Doc typo
  * Ported some tun related functions.
  * Copy vnet.txt from linux to openbsd.
  * Simplified syz_emit_ethernet and stubbed out vnet.txt.
  * Undo clang-format header sorting: headers are order sensitive.
  * Uniquify tap devices by pid.
  * clang-format off for includes
  * Happier clang-format.
  * Partially revert "Uniquify tap devices by pid."
    Just rely on procid magic instead of getting it from a flag.
* executor: fix inclusion of kvm arch-specific code | Dmitry Vyukov | 2018-10-31 | 1 | -2/+2
  We use GOOS now to figure out target arch (which can be different from host arch).
* Android: Fix sandbox implementation | Zach Riggle | 2018-10-12 | 1 | -3/+10
  My test harness for this code performed some steps that are not performed when syz-executor is invoked directly.
  Specifically, we need to operate from a directory under /data/data, and have the correct UID/GID set as the owner of the directory.
  My test harness now correctly sets these, all sandbox operations succeed, and loop() is invoked.
* executor: Fuchsia: Use zx_task_resume_from_exception() | Scott Graham | 2018-10-10 | 1 | -2/+2
  zx_task_resume() is deprecated; switch to using zx_task_resume_from_exception() instead.
* executor: tune memcg container logic | Dmitry Vyukov | 2018-10-10 | 1 | -12/+6
  The current memcg container seems to lead to lots of hangs/stalls. Presumably the problem is with oom_score_adj and KASAN. Executor process tree eats all memory and then the leaf process is killed but the memory is not returned to memcg due to KASAN quarantine; and the parent processes are protected from killing with oom_score_adj=-1000. As the result the kernel locks up.
  1. Don't use oom_score_adj=-1000. Instead bump leaf process score to 1000 (kill always).
  2. Increase size of memcg to be larger than expected KASAN quarantine size.
* executor: fix build on newer linux distros | Dmitry Vyukov | 2018-09-27 | 1 | -2/+30
  This sucks a lot, but ebtables.h is now broken too on Debian 4.17:
  ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
  ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’
* executor: make the debug output useful for race condition debugging | Alexander Popov | 2018-09-24 | 1 | -4/+1
  Sometimes race conditions are reproduced by syz-execprog and are not reproduced by the programs generated with syz-prog2c. In such cases it's very helpful to know when exactly the fuzzing syscalls are executed.
  Unfortunately, adding timestamps to the output of the original 'debug' mode doesn't work. This mode provides very verbose output, which slows down executor and breaks the repro.
  So let's make the executor debug output less verbose and add the timestamps.
  Signed-off-by: Alexander Popov <alex.popov@linux.com>
* executor: fix build | Dmitry Vyukov | 2018-09-20 | 1 | -12/+0
  Move debug_dump_data back to executor.cc. debug_dump_data in common_linux.h does not play well with pkg/csource debug stripping logic. It strips a large random piece of code since it thinks debug_dump_data definition is actually debug_dump_data call site.
* executor: move debug_dump_data() into common_linux.h | Anton Lindqvist | 2018-09-20 | 1 | -0/+12
  Compiling the executor on OpenBSD currently fails:
  executor/executor.cc:1316:6: error: unused function 'debug_dump_data'
* executor: make sandboxes more modular | Dmitry Vyukov | 2018-09-17 | 1 | -36/+3
  Currently we have a global fixed set of sandboxes, which makes it hard to add new OS-specific ones (all OSes need to be updated to say that they don't support this sandbox). Let each OS say what sandboxes it supports instead.
* RFC: android: Add support for untrusted_app sandboxing (#697) | Zach Riggle | 2018-09-17 | 1 | -5/+116
  executor: add support for android_untrusted_app sandbox
  This adds a new sandbox type, 'android_untrusted_app', which restricts syz-executor to the privileges which are available to third-party applications, e.g. those installed from the Google Play store.
  In particular, this uses the UID space reserved for applications (instead of the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534) as well as a set of groups which the Android-specific kernels are aware of, and finally ensures that the SELinux context is set appropriately.
  Dependencies on libselinux are avoided by manually implementing the few functions that are needed to change the context of the current process, and arbitrary files. The underlying mechanisms are relatively simple.
  Fixes google/syzkaller#643
  Test: make presubmit
  Bug: http://b/112900774
* executor: reset oom_score_adj for test process | Dmitry Vyukov | 2018-09-11 | 1 | -0/+3
  oom_score_adj is inherited, so we need to reset it to 0.
* executor: sandbox with memory/pid cgroups | Dmitry Vyukov | 2018-09-10 | 1 | -10/+32
  Set limit of 32 pids and 200MB per test process. This should prevent things like fork bombs and frequent OOMs.
  Fixes #589
* sys/linux: add syz_execute_func | Dmitry Vyukov | 2018-08-30 | 1 | -3/+11
  The function executes random code.
  Update #310
* Add mandatory OpenBSD bits (#689) | Anton Lindqvist | 2018-08-28 | 1 | -3/+31
  all: add openbsd support
  squash of the following commits:
  * openbsd: add mandatory bits
  * report: add OpenBSD support
  * executor: skip building kvm on OpenBSD
  * executor: add OpenBSD support
    Linking against libutil is necessary due to usage of openpty(3).
  * executor: fix typo in fail() message
  * fixup! report: add OpenBSD support
  * fixup! openbsd: add mandatory bits
  * fixup! openbsd: add mandatory bits
  * fixup! openbsd: add mandatory bits
  * fixup! report: add OpenBSD support
  * gometalinter: skip sys/openbsd
* executor: fix gcc warnings in fuchsia generated code | Dmitry Vyukov | 2018-08-19 | 1 | -20/+24
  gcc complains about function declarations not being prototypes, signed/unsigned cast mismatch and casts between incompatible functions. Fix them.
* executor: fix FS_XFLAG_IMMUTABLE for 32-bit mode | Dmitry Vyukov | 2018-08-09 | 1 | -13/+5
  FS_IOC_FSSETXATTR is not supported in compat mode, use FS_IOC_SETFLAGS instead.
* executor: fix cgroups | Dmitry Vyukov | 2018-08-09 | 1 | -4/+4
  1. Create per-proc cgroup in executor.
  2. Setup cgroups after chdir into test dir (it assumes relative paths against test dir).
  3. Add test.
* executor: mount binfmt_mist | Dmitry Vyukov | 2018-08-09 | 1 | -6/+9
  We forgot to mount binfmt_misc. Mount it. Add a test.
  Increase per-call timeout, otherwise last execve times out.
  Fix csource waiting for call completion at the end of program.
* executor: clean up immutable dirs | Dmitry Vyukov | 2018-08-09 | 1 | -0/+10
  Turns out dirs can be immutable too.
  Update #650
* executor: remove unnecessary hooks on fuchsia | Dmitry Vyukov | 2018-08-09 | 1 | -5/+0
  These are not needed now.
* sys/fuchsia: add syscall description for binding channels to Launcher | Dokyung Song | 2018-08-08 | 1 | -0/+1
* executor: manually define struct fsxattr | Dmitry Vyukov | 2018-08-08 | 1 | -1/+11
  It should be in <linux/fs.h> but is not there on some distros/arches as expected. Travis build fails with:
  <stdin>: In function ‘remove_dir’:
  <stdin>:152:13: error: variable ‘attr’ has initializer but incomplete type
  <stdin>:152:13: error: excess elements in struct initializer [-Werror]
  <stdin>:152:13: error: (near initialization for ‘attr’) [-Werror]
  <stdin>:152:21: error: storage size of ‘attr’ isn’t known
  <stdin>:153:20: error: ‘FS_IOC_FSSETXATTR’ undeclared (first use in this function)
  <stdin>:153:20: note: each undeclared identifier is reported only once for each function it appears in
  <stdin>:152:21: error: unused variable ‘attr’ [-Werror=unused-variable]
  cc1: all warnings being treated as errors
  https://travis-ci.org/google/syzkaller/jobs/413574080
* executor: clean up immutable files | Dmitry Vyukov | 2018-08-08 | 1 | -0/+11
  Fixes #650
* executor: don't checkpoint/reset net namespace with setuid sandbox | Dmitry Vyukov | 2018-08-08 | 1 | -0/+8
  After setuid the process won't have rights to reset net namespace, but it should not be able to change it during fuzzing too. So just skip that part.
* executor: checkpoint net namespace in the right namespace | Dan Austin | 2018-08-08 | 1 | -4/+4
  With checkpoint_net_namespace moved to setup_common, an Android fuzzing session terminates prematurely due to ipv4_tables not being initialized at this time. Moving the call back to loop fixes this behavior.
* executor: check write return value | Dmitry Vyukov | 2018-08-05 | 1 | -2/+10
  gcc complains:
  error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
  Also fix includes.
* executor: abort fuse connection | Dmitry Vyukov | 2018-08-04 | 1 | -6/+65
  If the test process is not dying after 100ms, abort all fuse connections in the system. This gets rid at least of simple fuse deadlocks, let's see how well this works in all cases.
* sys/test: add more tests | Dmitry Vyukov | 2018-08-03 | 1 | -0/+58
  Add syz_errno syscall which sets errno to the argument, and add a test with different errno values. This mostly tests the testing infrastructure itself.
  Add syz_compare syscall which compares two blobs, this can be used for testing of argument memory layout.
  Implement syz_mmap and fix Makefile to allow building syz-execprog for test OS. Useful for debugging.
  Update #603
* executor: extend logging in netfilter code | Dmitry Vyukov | 2018-08-02 | 1 | -32/+46
  We see some failures there, extend logging so that it's at least possible to understand what exactly call has failed.
* executor: make current_time_ms/sleep_ms | Dmitry Vyukov | 2018-07-30 | 1 | -7/+6
  Fix conditions for when current_time_ms/sleep_ms are used and make them static.
* executor: disable clang-format for some parts | Dmitry Vyukov | 2018-07-27 | 1 | -9/+5
  clang-format badly mishandles this part, moreover different versions mishandle it differently.
* pkg/csource: rewrite gen.sh in Go | Dmitry Vyukov | 2018-07-27 | 1 | -34/+10
  Shell files cause portability problems. On Linux it's hard to install /bin/sh, /bin/bash is not present on *BSD. Any solution is hard to test on Darwin. Don't even want to mention Windows. Just do it in Go.
* pkg/csource: add option to trace syscall results | Dmitry Vyukov | 2018-07-27 | 1 | -0/+11
  This will be needed for testing of generated programs.