aboutsummaryrefslogtreecommitdiffstats
path: root/pkg/csource/generated.go
Commit message (Collapse)AuthorAgeFilesLines
* executor: don't fail on setns() in pseudo syscallsAleksandr Nogikh2024-02-081-4/+6
| | | | | | | The fd may be closed by an async close() call, it's not a reason to report a failure. Reported-by: Andrei Vagin <avagin@google.com>
* executor: don't hold a loop device fdAleksandr Nogikh2024-01-121-5/+24
| | | | | | When BLK_DEV_WRITE_MOUNTED is enabled, the kernel treats the loopfd reference as a writer and does not let us issue mount() calls over the same block device.
* executor: prevent netlink_send_ext with dofail=trueAleksandr Nogikh2024-01-051-0/+5
| | | | | This should never be happening during fuzzing. Otherwise we let syz-executor silently crash and restart insane number of times.
* syz-executor: don't fail on netlink errors during fuzzingAleksandr Nogikh2024-01-051-21/+23
| | | | | | During fuzzing, it's expected that certain operations might return errors. Don't abort the whole syz-executor process in this case, this is too expensive.
* executor: introduce syz_pidfd_open()Aleksandr Nogikh2023-12-191-0/+12
| | | | | | | | | | | This kernel interface provides access to fds of other processes, which is readily abused by the fuzzer to mangle parent syz-executor fds. Pid=1 is the parent syz-executor process when PID namespace is created. Sanitize it in the new syz_pidfd_open() pseudo-syscall. We could not patch the argument in sys/linux/init.go because the first argument is a resource.
* sys/linux, pkg/host, executor: add NVMe-oF/TCP subsystem supportAlon Zahavi2023-12-071-2/+45
| | | | | Add new pseudo-syscall for creating a socket in init netns and connecting to NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
* executor/common_zlib: fix an mmap leakZhiyao Feng2023-10-061-2/+2
| | | | | The `mmap` size is `max_destlen`, but `munmap` size is `destlen`, which causes a memory leak.
* sys/io_uring, executor/common_linux: remove sqes_index in syz_io_uring_submitDylan Yudaken2023-07-301-12/+9
| | | | | | | | This parameter barely increases coverage since the tail is always set to the entry that is written, but it does increase the complexity of the api and seems to reduce coverage when I run it locally. Remove it.
* sys/linux/io_uring, executor/common_linux: fix io_uring segfaultDylan Yudaken2023-07-301-7/+5
| | | | | | | | | | In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change the API to request the address from the Kernel. Note I do not know why this was done in the first place, but it seems not to be useful. [1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8
* executor/android: updated x86 seccomp policyLiz Prucka2023-07-251-495/+478
| | | | | | | | | | The recent docker upgrade to debian `bookworm` caused x86_64 instances to fail in `pthread_create()` due to the android seccomp filter. On `bookworm`, `pthread_create()` calls `clone3()` and `set_robust_list()` which aren't on the seccomp filter (instead of `clone()`), which is. Added these calls to the seccomp policy.
* executor: fix loop condition in lookup_endpointAndrey Konovalov2023-07-181-1/+1
| | | | | | | | | The loop in lookup_endpoint incorrectly iterates over endpoints. Fixes #4038. Reported-by: @cyruscyliu Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
* executor: include missing linux/falloc.hKhem Raj2023-06-201-0/+1
| | | | | | | | | | | | | | Its needed for FALLOC_FL_ZERO_RANGE which needs this header, it works with glibc because fcntl.h includes this header indirectly, however the failure comes to fore with musl C library where this header is not included indirectly by other system headers, therefore include it as required. Fixes In file included from executor/common.h:505: executor/common_linux.h:5604:16: error: use of undeclared identifier 'FALLOC_FL_ZERO_RANGE' fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE); ^
* all: support swap feature on LinuxAleksandr Nogikh2023-06-151-9/+51
| | | | | If the feature is supported on the device, allocate a 128MB swap file after VM boot and activate it.
* executor: move setup_ext() below other featuresAleksandr Nogikh2023-06-151-4/+3
| | | | | It makes these extentions much more flexible as they can now also customize what other features set up.
* executor: use exitf instead of fail outside of setup sequence (#3959)Andrei Vagin2023-06-151-4/+4
| | | | | | | | | | | | | | | We have a long history of executor managing to corrupt itself in various interesting ways (e.g. using read with a pointer pointing to some global/stack variable and then kernel overwrites it). Or rt_sigreturn can corrupt other registers which won't cause immediate SIGSEGV, but rather some random behavior later. This is the race we can't win. We can't rely on memory consistency when the test already started, so we should use exitf instead of fail outside of setup sequence (and relying more on unit testing to ensure that executor works as expected for sane programs). Suggested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrei Vagin <avagin@google.com>
* executor: use v1 memory cgroup controllerAleksandr Nogikh2023-06-141-8/+6
| | | | | | | Given that we must chose only one version, fuzzing v1 of itseems to be of higher value at the moment. Later we might make it a configurable option and do both version.
* executor: resolve pseudo syscall compilation problemsAleksandr Nogikh2023-05-041-57/+100
|
* executor: remove openbsd bits out of common_bsd.hGreg Steuck2023-04-271-41/+1
|
* executor: detangle common_openbsd.h out of common_bsd.hGreg Steuck2023-04-271-1/+345
|
* sys/targets: switch openbsd to SyscallNumbers: falseGreg Steuck2023-04-271-1/+21
| | | | | This relies on sendsyslog in sys/syslog.h which will be in OpenBSD HEAD soon.
* sys/linux: add syz_pkey_set syscallsDmitry Vyukov2023-04-031-0/+19
| | | | The syscall sets PKRU register which is part of protection keys (pkey).
* executor: use valid temporary dir on AndroidKris Alder2023-03-211-1/+1
| | | | | | | The call to mkdtemp() will fail when given /data/data/syzkaller/syzkaller-XXXXXX, since /data/data/syzkaller/ doesn't exist. The correct temporary dir on Android is /data/local/tmp, which exists by default.
* executor: fix initialize_tun() for Android (#3656)kalder2023-02-061-0/+4
| | | | | | | | Android devices often fail during the initial check with the error: SYZFAIL: tun: ioctl(TUNSETIFF) failed We need the same namespacing here that is used for other sandboxing configurations.
* vm/starnix: add support for fuzzing starnix (#3624)juanPabloMiceli2023-01-191-7/+7
| | | | | | | This commit adds a new VM for fuzzing starnix. The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode. Co-authored-by: Juampi Miceli <jpmiceli@google.com>
* executor: better prevent the panic on ext4 errors (#3604)Aleksandr Nogikh2023-01-031-1/+8
| | | | We already suppress them, but the current approach fails if syzkaller slightly corrupts the options string. Do the check more rigorously.
* pkg/image: treat empty compressed image as valid imageDmitry Vyukov2022-12-221-10/+4
| | | | | | | | When we decompress images for mutation or hints, we always specially check for empty compressed data (I assume it can apper after minimization). Treat it as correct compressed and return empty decompressed data. This removes the need in special handling in users.
* executor: simplify setup_loop_deviceDmitry Vyukov2022-11-231-8/+6
| | | | | We can close memfd as soon as we passed it to LOOP_SET_FD (it holds a reference to the file).
* executor: don't reset loop device on partition scan successDmitry Vyukov2022-11-231-1/+2
| | | | | | We symlink resulting partitions into the test dir. If we do LOOP_CLR_FD, device and partitions disappear. Don't do LOOP_CLR_FD on success.
* executor: reduce zlib memory consumptionDmitry Vyukov2022-11-231-10/+16
| | | | | | | The images we unpack has huge ranges of 0s. Currently we write all bytes and as the result page in whole unpacked image. Don't write 0s since we just mmaped zero memory. This reduces btrfs_0 seed memory consumption from 130MB to 6MB.
* executor: declare variables locally in zlibDmitry Vyukov2022-11-231-126/+90
| | | | We don't use C89 style.
* executor: don't pass uncompressed zlib sizeDmitry Vyukov2022-11-231-34/+36
| | | | | | This will allow us to mutate the image size. Fixes #3527
* executor: remove support for zlib length calculationDmitry Vyukov2022-11-231-48/+28
| | | | | zlib can calculate uncompressed output size if given NULL destination buffer. We don't use that. Remove.
* executor: add test for zlib decompressionDmitry Vyukov2022-11-231-0/+389
|
* executor: fix puff_zlib_to_file signatureDmitry Vyukov2022-11-231-13/+14
| | | | | | In executor code we commonly use the syscall interface for functions: return -1 on erorr and set errno. Use this interface for puff_zlib_to_file.
* executor: update to match the new `syz_mount_image` callHrutvik Kanabar2022-11-211-20/+392
| | | | | | Update the executor to handle the new `syz_mount_image`/`syz_part_table` pseudo-syscalls. It now expects compressed images, and decompresses them using the new `common_zlib.h` header file before mounting.
* executor: fix "wrong response packet" in BT fuzzing (#3493)Tamas Koczka2022-11-071-11/+37
| | | | | | | | | | | | | | | | | | Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`) expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as the kernel sends these two packets almost at the same time (both are sent as the result of the `open("/dev/vhci", …)` call): * syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`) * `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <- `hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <- `hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue) <- `hci_register_dev` <- `__vhci_create_device`) Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in `initialize_vhci`. Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second, we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.
* executor: add setup_ext_test extension pointDmitry Vyukov2022-11-011-0/+3
| | | | | The extension point allows to setup the test process in a custom way without overwriting any of the existing files.
* executor: test extension pointsDmitry Vyukov2022-11-011-0/+5
| | | | Test that extension points keep stable interface and work.
* executor: enable core dumpsDmitry Vyukov2022-10-071-1/+1
| | | | | | | | Core dumping known to have bugs. Just few recent kernel commits: [brown paperbag] fix coredump breakage [coredump] don't use __kernel_write() on kmap_local_page() We also also found some info leaks in core dumps before. No reason to not test them.
* executor: move syz_mount_image's sanity checks to syz-fuzzerAleksandr Nogikh2022-09-271-23/+0
| | | | | It will simplify the C code and let us extract the raw images in a more convenient way.
* pkg/csource: update generated.go with 'make generate'George Kennedy2022-09-211-75/+216
| | | | Signed-off-by: George Kennedy <george.kennedy@oracle.com>
* sys/linux, tools/syz-imagegen: allow `syz_mount_image` to change directoryHrutvik Kanabar2022-09-131-1/+9
| | | | | | | | | | | | | | | | | | | | Add a boolean argument to the `syz_mount_image` pseudo-syscall. When this is true, `syz_mount_image` will change directory to the mountpoint after mounting the image passed. Experimentation suggests that to reproduce many non-`ext4` filesystem bugs, it is sufficient to mount the filesystem within an `ext4`-based VM and then change directory to the mountpoint before executing code. This change aims to increase the probability that a mount operation will be succeeded by the corresponding change in directory, and so increase the probability of finding non-`ext4` bugs. We also have to update the `syz-imagegen` tool. Now it generates seed `syz_mount_image` calls with change of directory enabled. The previous behaviour (i.e. no change of directory) will be recovered by use of existing corpuses and fuzzing the change-of-directory argument. The next commit will regenerate all `syz_mount_image` seeds.
* executor: fix setup of netdevsim deviceDmitry Vyukov2022-09-091-6/+4
| | | | | | | | | | 2 fixed: 1. netdevsim devices cannot be created via NETLINK anymore: https://elixir.bootlin.com/linux/v6.0-rc4/source/drivers/net/netdevsim/netdev.c#L397 But we already create them via /sys/bus/netdevsim/new_device, so just remove the netlink creation. 2. These devices are sticky and are not removed on net namspace destruction, so delete the previous version explicitly.
* executor: fix setup of xfrm deviceDmitry Vyukov2022-09-091-12/+28
| | | | | | | | | | XFRM device creation will fail w/o IFLA_XFRM_IF_ID attribute: https://elixir.bootlin.com/linux/v6.0-rc4/source/net/xfrm/xfrm_interface.c#L648 Add this attribute. This ID is also present in descriptions in at least 2 places. In one we got it wrong, it's not ifindex (easy to confuse because of the name). Fix it as well.
* Revert "pkg/csource: inline void* cast into generated code"Dmitry Vyukov2022-09-061-0/+2
| | | | | | | This reverts commit 922294abb4c0bc72b24d8526d625110d73fa1b5a. The commit reported to cause old warnings on s390x: https://github.com/google/syzkaller/commit/922294abb4c0bc72b24d8526d625110d73fa1b5a#commitcomment-83096994
* pkg/csource: inline void* cast into generated codeGreg Steuck2022-09-051-2/+0
| | | | | The previous indirection via conditional macros in platform specific places was needless obfuscation.
* pkg/csource, pkg/instance, pkg/ipc, pkg/mgrconfig, tools/syz-prog2c, ↵Andrey Artemiev2022-08-061-5/+6
| | | | syz-manager: introduce a new setting 'sandbox_arg' (#3263)
* executor: fixed fuzzing with System account in Android sandbox (#3275)Andrey Artemiev2022-08-051-1/+2
|
* vm/adb: wait for Android boot to finishAndrey Artemiev2022-07-251-3/+1
| | | | executor: removed condition around tun init
* executor: fix mounting of cgroups on read-only fsDmitry Vyukov2022-07-211-15/+24
| | | | | | If root fs is read-only, mkdir(/syzcgroup) will fail and a later rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail. Return early if mkdir(/syzcgroup) fails.
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-04-05 08:19:12 +0000