| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
This patch only covers per call timeouts, per prog one is not adjusted yet.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
|
| |
|
|
| |
Otherwise C repros print infinite stream of the same leaks again and again.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
|
| |
|
|
| |
This hacky way to install 386 packages seems to unbreak executor build.
|
| |
|
|
| |
arm build seems to work now on Travis since we switched to xenial.
|
| |
|
|
|
| |
The type size of long depends on compiler.
Therefore, changing to intptr_t makes it depends on architecture.
|
| |
|
|
|
|
|
|
| |
Not using `elif GOOS_freebsd' since it could cause breakage on other *BSDs
due to unused variables.
Regression introduced in commit c7c3f772 (executor: improve setup for packet
handling on *BSD).
|
| |
|
|
|
|
|
|
| |
Improve the handling of packets by:
* setting the local MAC address.
* configuring the local IPv4 address with prefix /24.
* adding an entry in the arp cache for the remote IPv4 address.
* adding an entry in the IPv6 neighbour cache for the remote
IPv6 address.
|
| | |
|
| | |
|
| |
|
|
| |
Also move some code to helper functions.
|
| |
|
|
|
|
| |
Allow 2000 ms of waiting time for syz_usb_connect and and the same time for
the whole program is this syzkall is present. Allow 200 ms of waiting time
for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
|
| |
|
|
|
|
| |
Fix warnings produced by golangci-lint.
Update #977
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
|
| |
|
|
|
|
|
|
| |
Instead of always closing open fds (number 3 to 30) after each program,
add an options called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
|
| |
|
|
| |
The latter differently confuses different versions of clang-format.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit moves the definition of the `syz_execute_func` after the
block of code that imports all the OS specific common headers.
This is required because after commit
dfd3394d42ddd333c68cf355273b312da8c65a51 `syz_execute_func` started
using the `NONFAILING` macro, which is defined in those header files for
each OS.
I also ran `make generate`.
TEST=I only tested that the executor works for Fuchsia with:
```shell
$ make executor TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=~/fuchsia
```
|
| |
|
|
|
|
| |
This commit modifies the common_fuchsia.h file changing the behavior of
the `syz_future_time function`. Before, the function used to have a switch
case that would fallthrough, making it always set the delta_ms to 10000.
The fix is to add a `break;` statement after each switch case.
|
| |
|
|
|
|
|
|
|
| |
The fuzzer gained control over host machines again with something like:
syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030062e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02")
Let's see if perturbing syz_execute_func a bit and wiping registers
will stop the outbreak.
|
| |
|
|
| |
Update #977
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running bisection using an older repro failed with:
<stdin>: In function ‘syz_mount_image.constprop’:
<stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
In file included from <stdin>:26:0:
/usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
extern int mkdir (const char *__path, __mode_t __mode)
Let's be safe and ignore warnings during repro/bisect.
Everything that runs during tests still has all warnings.
Update #501
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The added test triggers warnings like these:
<stdin>: In function ‘syz_mount_image.constprop’:
<stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
In file included from <stdin>:26:0:
/usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
extern int mkdir (const char *__path, __mode_t __mode)
^~~~~
cc1: all warnings being treated as errors
<stdin>: In function ‘syz_open_procfs.constprop’:
<stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
Use volatile for all arguments of syz_ functions to prevent
compiler from treating the arguments as constants in reproducers.
Popped up during bisection that used a repro that previously worked.
Update #501
|
| |
|
|
|
|
|
|
|
|
|
| |
The Fuchsia team is going to remove the `lib/fdio/util.h` library. They
have already moved all the functions to new header files.
I have seen that fuchsia uses `fdio_service_connect`, which has been
moved to the `lib/fdio/directory.h` header file.
This commit just changes the import path in the fuchsia executor, and in
the corresponding generated go file (I made that change by running `make
generate`).
|
| |
|
|
|
|
| |
The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd.
Pass actual host OS to executor build as HOSTGOOS and use it to figure out
how we should include this header.
|
| |
|
|
|
| |
sys/types.h is a special header that is required by many other system
headers on FreeBSD.
|
| |
|
|
|
|
|
|
|
|
|
| |
This change makes all syz-execprog, syz-prog2c and syz-stress accept
-enable and -disable flags to enable or disable additional features
(tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having
a separate flag for each of them.
The default (without any flags) behavior isn't changed: syz-execprog
and syz-stress enabled all the features (provided the runtime supports
them) and syz-prog2c disables all of them.
|
| |
|
|
| |
debug does not add newlines.
|
| |
|
|
|
|
|
| |
Fuchsia recently changed such that zx_vmar_map can't be declared
executable and writeable at the same time; use a new syscall for this
purpose.
Also made a few errors more informative.
|
| |
|
|
| |
clang complains that we pass an int to %hx. Fix it.
|
| |
|
|
|
|
| |
See #991 and added comments.
Fixes #991
|
| |
|
|
| |
thread_start now uses errno, so include <errno.h>
|
| |
|
|
|
|
| |
Remove kRetryStatus, it's effectively the same as exiting with 0.
Remove ipc.ExecutorFailure, nobody uses it.
Simplify few other minor things around exit status handling.
|
| |
|
|
|
|
|
|
| |
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
|
| | |
|
| |
|
|
| |
do_sandbox_none must not exit, it needs to return.
|
| |
|
|
| |
See the added comment for explanation.
|
| |
|
|
| |
stdout is not flushed on abnormal exit.
|
| |
|
|
|
|
|
| |
See discussion in PR #942.
Extend support for optional flags in sys/targets
as this flag is not supported by gcc 5.
Make flags consistent across Makefile and pkg/csource.
|
| |
|
|
|
|
|
| |
Commit b5df78dc ("all: support extra coverage") broke the executor on OpenBSD:
executor/executor.cc:61:11: error: unused variable 'kExtraCoverSize' [-Werror,-Wunused-const-variable]
const int kExtraCoverSize = 256 << 10;
|
| |
|
|
|
|
|
| |
-Wunused-const-variable shows it.
No idea now if it should be used or not,
seems to be the same as kvm_asm32_paged_vm86.
So let's just remove it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.
This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".
This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
|
| |
|
|
|
|
|
|
|
| |
NetBSD uses different uid/gid than FreeBSD/OpenBSD for the user
nobody. Instead of hardcoding the values, retrieve it from the
password entry database.
While there, switch to setuid(2) and setgid(2) calls as they are
good enough and portable. setresgid(2) and setresuid(2) aren't
available on NetBSD.
|
| |
|
| |
Setting the limit caused abnormal failure during early init on NetBSD.
|
| |
|
|
|
| |
Don't use random seed on travis as it produces flaky coverage reports,
and probably generally better for CI setting.
|
| |
|
|
|
|
|
|
|
|
|
| |
Builds in one distro, but another says:
In file included from <stdin>:39:0:
/usr/powerpc64le-linux-gnu/include/linux/if.h:143:8: error: redefinition of ‘struct ifmap’
/usr/powerpc64le-linux-gnu/include/net/if.h:111:8: note: originally defined here
Mess. Try to fix it.
Not sure what's the right solution and it it even exists.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ip command caused several problems:
1. It is installed in different locations or
not installed at all in different distros.
2. It does not support latest kernel devices,
e.g. setup of hsr currently fails because
our ip does not understand its custom prose.
3. ip command is slow, unbearably slow in emulator
(full setup takes tens of seconds). This change
reduces setup from ~2s to ~400ms.
4. ip is not present in gvisor, but it will support netlink.
Use netlink directly to solve all these problems.
|
| |
|
|
|
|
| |
Almost all callers of write_file just log the failure.
Log the failure in write_file directly to remove
lots of "error handling" code.
|
| |
|
|
|
| |
gometalinter points that emitCall is too complex.
Factor out call name emission.
|
