| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
It will simplify the C code and let us extract the raw images in a more
convenient way.
|
| |
|
|
| |
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be succeeded by the corresponding change in directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.
|
| |
|
|
|
|
|
|
|
|
| |
2 fixed:
1. netdevsim devices cannot be created via NETLINK anymore:
https://elixir.bootlin.com/linux/v6.0-rc4/source/drivers/net/netdevsim/netdev.c#L397
But we already create them via /sys/bus/netdevsim/new_device,
so just remove the netlink creation.
2. These devices are sticky and are not removed on net namspace destruction,
so delete the previous version explicitly.
|
| |
|
|
|
|
|
|
|
|
| |
XFRM device creation will fail w/o IFLA_XFRM_IF_ID attribute:
https://elixir.bootlin.com/linux/v6.0-rc4/source/net/xfrm/xfrm_interface.c#L648
Add this attribute.
This ID is also present in descriptions in at least 2 places.
In one we got it wrong, it's not ifindex (easy to confuse because of the name).
Fix it as well.
|
| |
|
|
|
|
|
| |
This reverts commit 922294abb4c0bc72b24d8526d625110d73fa1b5a.
The commit reported to cause old warnings on s390x:
https://github.com/google/syzkaller/commit/922294abb4c0bc72b24d8526d625110d73fa1b5a#commitcomment-83096994
|
| |
|
|
|
| |
The previous indirection via conditional macros in platform specific
places was needless obfuscation.
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| | |
|
| |
|
|
| |
executor: removed condition around tun init
|
| |
|
|
|
|
| |
If root fs is read-only, mkdir(/syzcgroup) will fail and a later
rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail.
Return early if mkdir(/syzcgroup) fails.
|
| | |
|
| |
|
|
|
|
| |
Remove /syzcgroup/* if cgroup mount fails. See #3241 for context.
Fixes #3241
|
| | |
|
| |
|
|
| |
The APPEND flag also prevents file removal.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There is a BSD syscall, chflags(2), which lets one set various flags on
a file, including several that prevent unlinking. The use of this flag
can cause the executor to fail to clean up tmpdirs, which can lead to
spurious reports.
Thus, when unlinking fails, try again after clearing relevant flags. I
suspect this would be useful on other BSDs but I can't easily verify
that this change works there. It may eventually be worth having a
BSD-specific remove_dir() implementation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 12.1 reports the following -Werror=array-bounds error:
///
In function 'bool lookup_connect_response_in(...)'
executor/common_usb.h:632:66:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
632 | qual->bNumConfigurations = index->dev->bNumConfigurations;
| ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
|
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
...
In function 'bool lookup_connect_response_in(...)',
executor/common_usb.h:633:57:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
633 | qual->bRESERVED = 0;
| ~~~~~~~~~~~~~~~~^~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
///
Current code in USB_DT_DEVICE_QUALIFIER case treats respose_data as a buffer,
but in reality it is just a pointer, as detailed in the error trace above. In
order to allow passing a usb_qualifier_descriptor struct back to the caller
(via response_data), add a new parameter to lookup_connect_response_in().
Build tested only.
Fixes: 0c00210ff32 ("executor: always provide DEVICE_QUALIFIER USB descriptor")
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
These were last updated for Android Q in or around 2020. These were
re-generated using the 'genseccomppy.py' script in the Android build
tree.
Since the filters have changed during the intervening time, fuzzing with
'sandbox: android' no longer accurately reflected what untrusted apps
can access on the device.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syzkaller reports the following error when it tries to create a C reproducer:
<stdin>: In function ‘syz_clone’:
<stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this
function)
<stdin>:289:48: note: each undeclared identifier is reported only once
for each function it appears in
compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall
-Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384
-Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow
-static-pie -fpermissive -w]
|
| |
|
|
| |
Allow common_ext.h to provide setup_ext() function that is called during VM setup.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We cannot expect syscalls to always succeed during fuzzing, especially
when the situation involves a complex interaction with the system.
For the syz_genetlink_get_family_id case, it leads to numerous SYZFAIL
crashes every day.
Don't print a SYZFAIL error for this pseudo syscall.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right during returning from the clone() call. This
is in turn catched by the NONFAILING() macro and the control actually jumps
over it and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add an empty common_ext.h which is included into executor and C reproducers
and can be used to add non-mainline pseudo-syscalls w/o changing any other files
(by replacing common_ext.h file).
It would be good to finish #2274 which allows to add pseudo-syscalls
along with *.txt descriptions, but #2274 is large and there are several
open design questions. So add this simple extension point for now.
|
| |
|
|
|
| |
Currently only 4 are created by default. This limits the maximum number
of simultaneously running syz-executors.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| | |
|
| |
|
|
|
| |
Add memfd_create as a dependency to syz_mount_image and
syz_read_part_table.
|
| |
|
|
|
| |
Otherwise the pseudo syscalls there won't be able to access those
definitions.
|
| |
|
|
|
|
|
| |
syz-execprog now uses twice the number of CPU cores as the number
of processes. Each process might use a tun device. So bump the
maximum number of tun devices to the maximum of 256, which allows
syz-execprog to run with default settings on systems with up to
128 cores.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
| |
There's a chance that the methods from common_bsd.h and common_linux.h
could dup2 (and thus close) an fd belonging to a kcov instance.
Prevent this by adjusting fd consts.
|
| |
|
|
|
|
|
| |
Initializing the VMCS fields Pin-based VM-execution controls and
Primary processor-based VM-execution controls to 0 and setting
their reserved bits using the appropriate MSRs increase coverage
for arch/x86/kvm/vmx/nested.c from 19% to 43%.
|
| |
|
|
|
| |
Add a UMOUNT_NOFOLLOW flag to umount2 in order to prevent remove_dir
from unmounting what was not mounted by the executed program.
|
| |
|
|
|
|
|
|
| |
Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).
|
| |
|
|
|
|
|
| |
Leave some controllers unbound so that the fuzzer can mount them during fuzzing.
This is suboptimal because all controllers are global (so different test
processes will collide, state accumulate, etc), but this still should give
at least some new coverage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On stretch images setup_cgroups fails as:
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, net_cls) failed: 22
mount(/syzcgroup/net, net_prio) failed: 22
mount(/syzcgroup/net, blkio) failed: 22
SYZFAIL: mount cgroup failed
(/syzcgroup/net, devices,freezer): 16
(errno 16: Device or resource busy)
It seems that systemd starts messing with these mounts somehow
and repeated mounting fails with EBUSY.
Don't hard fail on that error.
|
| |
|
|
|
|
|
| |
Currently we setup cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.
|
| |
|
|
|
|
|
|
| |
Currently we enable all controllers at once.
As the result if one of them fails (b/c of older kernel
or not enabled configs), all will fail.
Enable them one-by-one instead. This way we can support kernels
that don't have all of the controllers.
|
| |
|
|
| |
Mount net, blkio, rlimit cgroups.
|
| |
|
|
|
|
|
|
| |
clang-format mis-formats #elif:
https://bugs.llvm.org/show_bug.cgi?id=48664
and then clang fails with:
error: misleading indentation; statement is not part of the previous 'if'
Split #elif into nested #if/else.
|
| |
|
|
|
|
| |
Historically the code base does not use single-line compound statements
({} around single-line blocks). But there are few precedents creeped into
already. Add a check to keep the code base consistent.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment syzkaller only fuzzes the platform architecture defined
hypercalls. However there are custom defined hypercalls which KVM handles,
they make 2 groups - an extension of hypercalls and so-called ultracalls
which are handled by the secure VM firmware but in absense of the secure
VM facility, KVM gets to handle those as errors.
This enables the two extra groups of hypercalls in KVM. If not enabled,
KVM exits to let the userspace handle them (which syzkaller does not do).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
