| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
KVM was removed for arm architecture.
Latest Linux headers don't contain <asm/kvm.h> for arm.
So don't even include them.
|
| |
|
|
|
| |
dashboard link: https://syzkaller.appspot.com/bug?extid=38fe37bc451a42e6c9a4
Reported-by: syzbot+38fe37bc451a42e6c9a4@syzkaller.appspotmail.com
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Lately, I've been looking into why such low amount of syz reproducers on
OpenBSD are turned into C reproducers. One thing I did notice is that
such syz reproducers have one thing in common: they use the
threaded=true and sandbox=none parameters. Such C reproducer always
exits non-zero early on since the call to setsid() fails with EPERM.
Meaning, the calling process is already a process group leader.
Not sure if the preprocessor conditional should be tweaked in order to
avoid unwanted side effects on other BSDs or configurations.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Faster gc (1 second) is intended to make tests more repeatable.
{"/proc/sys/kernel/keys/gc_delay", "1"},
Huge page overcommit is disabled by default, allowing some
overcommit is intended to give more coverage.
{"/proc/sys/vm/nr_overcommit_hugepages", "4"},
We always want to prefer killing the allocating test process
rather than somebody else (sshd or another random test process).
{"/proc/sys/vm/oom_kill_allocating_task", "1"},
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentially lost along the way,
re-add it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder
for options (none implemented yet).
This adds instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement of
the Intel XED library for POWERPC (gapstone-capstone, later, may be).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
|
| |
write_file() is needed for setup_sysctl() and syz_usbip_server_init().
setup_sysctl() also misses some header includes.
|
| |
|
|
| |
Fixes #1989
|
| |
|
|
|
|
| |
Sysctl's are not captured as part of reproducers.
This can result in failure to reproduce a bug on developer machine.
Include sysctl setup as part of C reproducers.
|
| |
|
|
| |
Process group leader is not allowed to call setsid, thus remove setpgrp.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
|
|
|
|
|
|
| |
The arp netfilter entry contains u64,
but we used only void* to enforce alignment.
This worked everywhere except for arm,
which is 32-bits and has 8-byte alignment for u64.
Use u64 to enforce correct alignment.
Fixes #2188
|
| |
|
|
|
|
|
| |
The parent-death signal is set in sandbox_common, but then setresuid and
setresgid clear it and we need to set it again.
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
|
| |
As netlink helpers now include a function to query generic netlink
familty id, it makes no sense to duplicate implementation of
essentially the same function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nonpositive error codes
The code in common_linux.h assumes that nlmsgerr can either be 0 or a
negative value in case of an error. However, this is not always the
case. For example, some commands of mac80211_hwsim use nonnegative
values to indicate success (e.g. HWSIM_CMD_NEW_RADIO returns either a
negative error or a nonnegative radio index). Therefore, negation of
error code inside netlink_send_ext is not correct.
This patch changes this behavior. Now netlink_send_ext returns the
exact value it received via netlink.
|
| |
|
|
|
|
|
| |
netlink_wireguard_id_get by a more generic function
These two functions are almost entirely idential. In order to avoid
adding similar functions later on, a generic one is created.
|
| |
|
|
|
|
|
| |
This global variable cannot be used for pseudo syscalls as they can
run concurrently (in threaded mode). It can only be used during
initialization, and if initialization routines are not enabled, nlmsg
will become an unused variable.
|
| |
|
|
|
|
|
| |
attributes (flags)
This is required for 802.11 pseudo syscalls (that will be added
later).
|
| |
|
|
|
| |
1024 bytes are not enough to contain an arbirary 802.11 MAC frame
together with netlink protocol overhead.
|
| |
|
|
|
|
| |
syz_mount_image tests are very large and TestSysTests takes too long.
syz-imagegen that generates them does some of this testing
(Deserialize/SerializeForExec).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the issue with gcc 10 on Fedora 32 s390x:
In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors
compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
| |
Sone syzbot instances broke with:
<stdin>: In function ‘syz_io_uring_setup’:
<stdin>:476:33: error: ‘__NR_io_uring_setup’ undeclared (first use in this function)
<stdin>:476:33: note: each undeclared identifier is reported only once for each function it appears in
pkg/csource resolves #ifdef's at generation time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While investigating an OpenBSD reproducer[1][2] I discovered the
following:
* All threads are stuck on the last `sleep(1000000)` syscall in main(),
hence no output for the test machine.
* Each executor process created in loop() performs one iteration but
exits abnormally during the call to remove_dir().
* Calling remove_dir() will eventually invoke itself recursively since
one of the executed syscall is `mkdir("./file0", 0)` meaning that it
will try to remove the directory created by execute_one(). However,
`opendir(3)` fails with `EACCES` due to the permissions passed to
`mkdir(2)` is zero.
Instead of exiting, trying to remove the problematic directory in a best
effort manner makes the reproducer continue executing the generated
syscalls. This work around might be considered to narrow. Another option
would be to replace the `sleep(1000000)` with `waitpid(-1, NULL, 0)`
until ECHILD is hit.
[1] https://syzkaller.appspot.com/bug?id=6f7ce2a0536580a94f65f44e478732ec505e88af
[2] https://syzkaller.appspot.com/text?tag=ReproC&x=10fd1a71900000
|
| |
|
|
| |
Ensure that we can handle hanging syscalls in all modes.
|
| |
|
|
|
|
| |
Add the following missing FUSE opcodes to the syz_fuse_handle_req
pseudo-syscall: FUSE_COPY_FILE_RANGE, FUSE_UNLINK, FUSE_DESTROY and
FUSE_BATCH_FORGET.
|
| |
|
|
|
|
|
| |
unshare(CLONE_NEWNS) might not be sufficient for making all test processes run in
separate mount namespace, for "mount --make-rshared /" request issued by systemd
causes mount operations issued by test processes visible from outside of test
processes. Issue "mount --make-rprivate /" request after unshare(CLONE_NEWNS).
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
old-env is based on Ubuntu 16.04 and allows to test
executor build on older distributions.
Fixes #2055
|
| |
|
|
|
|
|
| |
Locally define structures and constants required by
syz_fuse_handle_req() and remove linux/fuse.h. dependency.
Reported-by: syzbot+f5f98e1608b272285aa5@syzkaller.appspotmail.com
|
| |
|
|
|
|
|
|
|
|
| |
Refactor syz_mount_image() to support filesystems not requiring a
backing device and filesystem image (e.g. FUSE). To do that, we check for
the presence of the pointer to the array of struct fs_image_segment: if
missingi, there is no need to setup the loop device and we can proceed
directly with the mount() syscall.
Add syz_mount_image$fuse() (specialization for FUSE) inside
sys/linux/fs_fuse.txt.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment syzkaller is able to respond to FUSE with a syntactically
correct response using the specific write$FUSE_*() syscalls, but most of
the times these responses are not related to the type of request that
was received.
With this pseudo-syscall we are able to provide the correct response
type while still allowing the fuzzer to fuzz its content. This is done
by requiring each type of response as an input parameter and then
choosing the correct one based on the request opcode.
Notice that the fuzzer is still free to mix write$FUSE_*() and
syz_fuse_handle_req() syscalls, so it is not losing any degree of
freedom.
syz_fuse_handle_req() retrieves the FUSE request and resource
fuse_unique internally (by performing a read() on the /dev/fuse file
descriptor provided as input). For this reason, a new template argument has
been added to fuse_out (renamed to _fuse_out) so that the unique field
can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique
resource (used by the write$FUSE_*() syscalls) without any code
duplication.
|
| |
|
|
| |
Clarify why we ignore cpp errors.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"#if not" does not seem to be a thing in C:
$ cpp -undef -fdirectives-only -dDI -E -P -DSYZ_REPEAT -DSYZ_USE_TMP_DIR executor/common_linux.h 1>/dev/null
executor/common_linux.h:3776:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3776 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3801:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3801 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3837:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3837 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
executor/common_linux.h:3868:9: error: missing binary operator before token "SYZ_SANDBOX_ANDROID"
3868 | #if not SYZ_SANDBOX_ANDROID
| ^~~~~~~~~~~~~~~~~~~
Currently parts under "#if not SYZ_SANDBOX_ANDROID" are always stripped from
reproducers under all sandboxes. Use the standard !SYZ_SANDBOX_ANDROID.
We also need SYZ_EXECUTOR part because sandbox is not statically known
when we are building syz-executor.
And we also need to remove the use of flag_sandbox_android for C reproducers
because for these sandbox is statically known and we don't have flag_sandbox_*.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We generally use the newer C99 var declarations combined with initialization because:
- declarations are more local, reduced scope
- fewer lines of code
- less potential for using uninit vars and other bugs
However, we have some relic code from times when we did not understand
if we need to stick with C89 or not. Also some external contributions
that don't follow style around.
Add a static check for C89-style declarations and fix existing precedents.
Akaros toolchain uses -std=gnu89 (or something) and does not allow
variable declarations inside of for init statement. And we can't switch
it to -std=c99 because Akaros headers are C89 themselves.
So in common.h we need to declare loop counters outside of for.
|
| |
|
|
|
|
|
|
|
| |
We added initialize_vhci to all sandboxes so that we don't have
unused function warnings. We assumed it will fail silently,
but it fails loudly and crashes the whole machine on init,
so no fuzzing can happen with sandboxes other than none.
Initialize vhci earlier while we still have CAP_ADMIN.
As a nice side effect we now don't need to use syz_init_net_socket.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
syz-executor uses a heuristic to help fail closed if an invalid access
might corrupt the output region. This heuristic fails on FreeBSD, where
SIGBUS is delievered with si_addr equal to address of the faulting
instruction, rather than 0 when the fault address cannot be determined
(e.g., an amd64 protection fault). Always handle SIGBUS quietly on
FreeBSD.
This fixes pkg/runtest tests for sys/test/test/nonfailing.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit includes the following changes:
* executor: add a new syz_btf_id_by_name psuedo-syscall
* sys/linux: add descriptions for BPF LSM subsystem
* sys/linux: add instructions on how to dump vmlinux and install
bpftool
* sys/linux/test: add tests for the new psuedo-syscall
* pkg/host: add support detection for the new psuedo-syscall
* pkg/runtest: skip the coverage test when invoking the new
psuedo-syscall
Update #533.
|
| |
|
|
|
|
|
| |
Move the test from pkg/csource to executor/
in order to be able to (1) run it on *.cc files,
(2) run on unprocessed *.h files, (3) produce line numbers.
Add a check for missed space after //.
|
| |
|
|
|
| |
Fix all errors it points to.
The one in netlink_send_ext is concerning.
|
| |
|
|
|
|
|
|
|
| |
1. We don't generally use /* */ block comments,
few precedents we have are inconsistent with the rest of the code.
2. pkg/csource does not strip them from the resulting code.
Remove the cases we have and add a test to prevent new ones being added.
|
