| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
This is necessary to make KVM actually execute the instructions.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is impossible to compile a number of definitions in
include/uapi/linux/kvm.h for other platforms, which leads
to syz-extract failing to update constants.
Skip processing of this file for all arches except i386 and
amd64.
This is a hacky and (hopefully) temporary solution until #2754
is implemented.
|
| |
|
|
|
|
|
|
| |
At least on OpenBSD this is the behavior:
% doas ifconfig tun5 create
% doas ifconfig tun5 destroy
% doas ifconfig tun5 create
% doas ifconfig /dev/tun5 destroy
ifconfig: SIOCIFDESTROY: Invalid argument
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RunTime Abstraction Services (RTAS) is an API used by the Linux
powerpc/pseries platform to talk to the hypervisor. Under KVM, this
is implemented as a custom hypercall (which we have support for) and
an in memory array of parameters. The hypercall is H_RTAS and its only
parameter is a pointer to the mentioned array. The vast majority of
RTAS calls are handled normally by QEMU and only a handful by KVM.
This adds fuzzing of 4 RTAS calls. This uses a chunk from main 256MB RAM
for parameters. The parameters are big endian hence "<<24" for the token.
To allow more targeted fuzzing, use iset.GenerateInt().
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
IR - enables MMU for instruction fetches
DR - enables MMU for data loads/stores
PR - "problem state", i.e. userspace (implies DR and IR)
PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS
normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Turns out the ifuzz on powerpc did not ever properly work. This fixes
syz_kvm_setup_cpu$ppc64:
Enable the PAPR KVM capability (otherwise KVM_RUN fails right away).
Finish generated sequences with the software debug breakpoint as
there is no x86's "hlt" variant on POWER and otherwise KVM won't exit.
Add exception handlers, use the software debug breakpoint instruction
to trigger immediate exit from KVM with the only exception of
the decrementer interrupt handler (timer) to recharge the timer and
continue.
Define and use endianness selection flag (Big vs. Little endian).
Define the code generator similar to kvm_gen.cc which for now contains
2 simple tests and the decrementer interrupt handler code.
Add test cases to the executor so "bin/linux_ppc64le/syz-executor test"
can run some sensible tests. The tests copy 0xbadc0de around similar
to x86 and uses gpr[3] is a return value register (similar to EAX).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
| |
The "scope" field of struct fault_ioc_info is an input to the ioctl,
so initialize it to FAULT_SCOPE_LWP to match other fault_ioc_* usage.
|
| |
|
|
| |
Pretty much ripped from freebsd +/- what isn't applicable to darwin.
|
| | |
|
| |
|
|
|
| |
Move the sysctl into config, so that kernels can opt out of it if necessary
(not all kernels enable it and interested in testing).
|
| |
|
|
|
|
|
| |
This blocks some of the ways the fuzzer can trigger a reboot.
ctrl-alt-del=0 tells kernel to signal cad_pid instead of rebooting
and setting cad_pid to the current pid (transient "syz-executor setup") makes it a no-op.
For context see: https://groups.google.com/g/syzkaller-bugs/c/WqOY4TiRnFg/m/6P9u8lWZAQAJ
|
| |
|
|
| |
The `driver.h` header moved from `ddk/driver.h` to `lib/ddk/driver.h`.
|
| |
|
|
|
| |
Currently we enable JIT always and don't test interpreter.
Enable JIT on subset of instances and disable on others using kernel config.
|
| |
|
|
|
| |
/sys/kernel/debug/x86/nmi_longest_ns is x86 specific,
don't set it on non-x86 arches.
|
| |
|
|
|
| |
If rfkill is enabled by the fuzzer, wifi setup will fail.
Disable rfkill to initial state during setup.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently all executor fail errors go into "lost connection" bucket.
This is not very useful. First, there are different executor failures.
Second, it's not possible to understand what failures happen how frequently.
Third, there are not authentic lost connection.
Create separate SYZFAIL: bugs for them.
Update #573
Update #502
Update #318
|
| |
|
|
|
|
|
|
|
|
| |
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
|
| | |
|
| |
|
|
|
|
| |
KVM was removed for arm architecture.
Latest Linux headers don't contain <asm/kvm.h> for arm.
So don't even include them.
|
| |
|
|
|
| |
dashboard link: https://syzkaller.appspot.com/bug?extid=38fe37bc451a42e6c9a4
Reported-by: syzbot+38fe37bc451a42e6c9a4@syzkaller.appspotmail.com
|
| |
|
|
|
| |
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Lately, I've been looking into why such low amount of syz reproducers on
OpenBSD are turned into C reproducers. One thing I did notice is that
such syz reproducers have one thing in common: they use the
threaded=true and sandbox=none parameters. Such C reproducer always
exits non-zero early on since the call to setsid() fails with EPERM.
Meaning, the calling process is already a process group leader.
Not sure if the preprocessor conditional should be tweaked in order to
avoid unwanted side effects on other BSDs or configurations.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Faster gc (1 second) is intended to make tests more repeatable.
{"/proc/sys/kernel/keys/gc_delay", "1"},
Huge page overcommit is disabled by default, allowing some
overcommit is intended to give more coverage.
{"/proc/sys/vm/nr_overcommit_hugepages", "4"},
We always want to prefer killing the allocating test process
rather than somebody else (sshd or another random test process).
{"/proc/sys/vm/oom_kill_allocating_task", "1"},
|
| |
|
|
|
|
|
|
|
| |
Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentially lost along the way,
re-add it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder
for options (none implemented yet).
This adds instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement of
the Intel XED library for POWERPC (gapstone-capstone, later, may be).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
| |
write_file() is needed for setup_sysctl() and syz_usbip_server_init().
setup_sysctl() also misses some header includes.
|
| |
|
|
| |
Fixes #1989
|
| |
|
|
|
|
| |
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
| |
|
|
| |
Process group leader is not allowed to call setsid, thus remove setpgrp.
|
| |
|
|
|
|
|
|
|
|
| |
The arp netfilter entry contains u64,
but we used only void* to enforce alignment.
This worked everywhere except for arm,
which is 32-bits and has 8-byte alignment for u64.
Use u64 to enforce correct alignment.
Fixes #2188
|
| |
|
|
|
|
|
| |
The parent-death signal is set in sandbox_common, but then setresuid and
setresgid clear it and we need to set it again.
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
|
| |
As netlink helpers now include a function to query generic netlink
familty id, it makes no sense to duplicate implementation of
essentially the same function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nonpositive error codes
The code in common_linux.h assumes that nlmsgerr can either be 0 or a
negative value in case of an error. However, this is not always the
case. For example, some commands of mac80211_hwsim use nonnegative
values to indicate success (e.g. HWSIM_CMD_NEW_RADIO returns either a
negative error or a nonnegative radio index). Therefore, negation of
error code inside netlink_send_ext is not correct.
This patch changes this behavior. Now netlink_send_ext returns the
exact value it received via netlink.
|
| |
|
|
|
|
|
| |
netlink_wireguard_id_get by a more generic function
These two functions are almost entirely idential. In order to avoid
adding similar functions later on, a generic one is created.
|
| |
|
|
|
|
|
| |
This global variable cannot be used for pseudo syscalls as they can
run concurrently (in threaded mode). It can only be used during
initialization, and if initialization routines are not enabled, nlmsg
will become an unused variable.
|
| |
|
|
|
|
|
| |
attributes (flags)
This is required for 802.11 pseudo syscalls (that will be added
later).
|
| |
|
|
|
| |
1024 bytes are not enough to contain an arbirary 802.11 MAC frame
together with netlink protocol overhead.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the issue with gcc 10 on Fedora 32 s390x:
In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors
compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
Sone syzbot instances broke with:
<stdin>: In function ‘syz_io_uring_setup’:
<stdin>:476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function)
<stdin>:476:33: note: each undeclared identifier is reported only once for each function it appears in
pkg/csource resolves #ifdef's at generation time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While investigating an OpenBSD reproducer[1][2] I discovered the
following:
* All threads are stuck on the last `sleep(1000000)` syscall in main(),
hence no output for the test machine.
* Each executor process created in loop() performs one iteration but
exits abnormally during the call to remove_dir().
* Calling remove_dir() will eventually invoke itself recursively since
one of the executed syscall is `mkdir("./file0", 0)` meaning that it
will try to remove the directory created by execute_one(). However,
`opendir(3)` fails with `EACCES` due to the permissions passed to
`mkdir(2)` is zero.
Instead of exiting, trying to remove the problematic directory in a best
effort manner makes the reproducer continue executing the generated
syscalls. This work around might be considered to narrow. Another option
would be to replace the `sleep(1000000)` with `waitpid(-1, NULL, 0)`
until ECHILD is hit.
[1] https://syzkaller.appspot.com/bug?id=6f7ce2a0536580a94f65f44e478732ec505e88af
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=10fd1a71900000
|
| |
|
|
| |
Ensure that we can handle hanging syscalls in all modes.
|
| |
|
|
|
|
| |
Add the following missing FUSE opcodes to the syz_fuse_handle_req
pseudo-syscall: FUSE_COPY_FILE_RANGE, FUSE_UNLINK, FUSE_DESTROY and
FUSE_BATCH_FORGET.
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWNS) might not be sufficient for making all test processes run in
separate mount namespace, for "mount --make-rshared /" request issued by systemd
causes mount operations issued by test processes visible from outside of test
processes. Issue "mount --make-rprivate /" request after unshare(CLONE_NEWNS).
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
old-env is based on Ubuntu 16.04 and allows to test
executor build on older distributions.
Fixes #2055
|
