| Commit message | Author | Age | Files | Lines |
The fd may be closed by an async close() call; it's not a reason to
report a failure.
Reported-by: Andrei Vagin <avagin@google.com>
This factorizes const arguments into the shortest flags OR bitmask
possible so they are easy to read. E.g:
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul
When BLK_DEV_WRITE_MOUNTED is enabled, the kernel treats the loopfd
reference as a writer and does not let us issue mount() calls over the
same block device.
This should never be happening during fuzzing. Otherwise we let
syz-executor silently crash and restart an insane number of times.
During fuzzing, it's expected that certain operations might return
errors. Don't abort the whole syz-executor process in this case; this is
too expensive.
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
Add new pseudo-syscall for creating a socket in init netns and connecting to
NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
It contributes to unblocking #4285.
The `mmap` size is `max_destlen`, but `munmap` size is `destlen`, which
causes a memory leak.
This parameter barely increases coverage since the tail is always set
to the entry that is written, but it does increase the complexity of
the api and seems to reduce coverage when I run it locally.
Remove it.
In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change
the API to request the address from the kernel.
Note: I do not know why this was done in the first place, but it seems
not to be useful.
[1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8
The recent docker upgrade to debian `bookworm` caused
x86_64 instances to fail in `pthread_create()` due to the
android seccomp filter.
On `bookworm`, `pthread_create()` calls `clone3()` and
`set_robust_list()` which aren't on the seccomp filter (instead
of `clone()`), which is. Added these calls to the seccomp policy.
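An added illustration of the failure mode described in this message; it is neither syzkaller's code nor the Android seccomp policy the commit changes. It builds a seccomp-bpf allowlist from syscall numbers and includes a small interpreter for the three BPF opcodes the filter uses, so a policy's verdict for `clone3()` and `set_robust_list()` can be checked without installing the filter in the current process. The two syscall lists are constructed for the example; the `__NR_clone3` fallback to 435 (the x86-64 number) is an assumption used only when the headers are too old to define it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef __NR_clone3
#define __NR_clone3 435 /* assumption: the x86-64 number, for headers older than 5.3 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define MAX_INSNS 64

struct filter {
	struct sock_filter insns[MAX_INSNS];
	unsigned short len;
};

static struct sock_filter stmt(uint16_t code, uint32_t k)
{
	struct sock_filter i = {code, 0, 0, k};
	return i;
}

static struct sock_filter jump(uint16_t code, uint32_t k, uint8_t jt, uint8_t jf)
{
	struct sock_filter i = {code, jt, jf, k};
	return i;
}

static void emit(struct filter *f, struct sock_filter insn)
{
	if (f->len < MAX_INSNS)
		f->insns[f->len++] = insn;
}

/* Allowlist: kill on a foreign arch, allow each listed nr, kill everything else. */
static struct filter build_allowlist(const int *nrs, size_t n, uint32_t arch)
{
	struct filter f;
	memset(&f, 0, sizeof(f));
	emit(&f, stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
	emit(&f, jump(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0));
	emit(&f, stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
	emit(&f, stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
	for (size_t i = 0; i < n; i++) {
		emit(&f, jump(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[i], 0, 1));
		emit(&f, stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
	}
	emit(&f, stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
	return f;
}

/* Interprets the three opcodes build_allowlist() emits; anything else is a kill. */
static uint32_t run_filter(const struct filter *f, const struct seccomp_data *d)
{
	uint32_t acc = 0;
	for (unsigned pc = 0; pc < f->len; pc++) {
		const struct sock_filter *in = &f->insns[pc];
		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			memcpy(&acc, (const char *)d + in->k, sizeof(acc));
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (acc == in->k) ? in->jt : in->jf;
			break;
		case BPF_RET | BPF_K:
			return in->k;
		default:
			return SECCOMP_RET_KILL_PROCESS;
		}
	}
	return SECCOMP_RET_KILL_PROCESS;
}

/* Constructed policies: the old one lists clone() only; the fixed one also
   lists what pthread_create() on bookworm actually issues. */
static const int old_policy[] = {__NR_mmap, __NR_clone, __NR_exit, __NR_futex};
static const int new_policy[] = {__NR_mmap, __NR_clone, __NR_clone3,
				 __NR_set_robust_list, __NR_exit, __NR_futex};

static uint32_t verdict(const int *nrs, size_t n, int nr, uint32_t arch)
{
	struct filter f = build_allowlist(nrs, n, AUDIT_ARCH_X86_64);
	struct seccomp_data d;
	memset(&d, 0, sizeof(d));
	d.nr = nr;
	d.arch = arch;
	return run_filter(&f, &d);
}

static uint32_t old_verdict(int nr) { return verdict(old_policy, 4, nr, AUDIT_ARCH_X86_64); }
static uint32_t new_verdict(int nr) { return verdict(new_policy, 6, nr, AUDIT_ARCH_X86_64); }
static uint32_t foreign_arch_verdict(int nr) { return verdict(new_policy, 6, nr, AUDIT_ARCH_I386); }

/* Installs the fixed policy in the calling process. Not invoked here: every
   later syscall outside the list would kill the process. */
int install_new_policy(void)
{
	struct filter f = build_allowlist(new_policy, 6, AUDIT_ARCH_X86_64);
	struct sock_fprog prog = {f.len, f.insns};
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

The arch check is what keeps an allowlist of x86-64 numbers from being bypassed by a 32-bit-ABI call with the same number; a policy that only compares `nr` is the usual mistake in hand-written filters.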
The loop in lookup_endpoint incorrectly iterates over endpoints.
Fixes #4038.
Reported-by: @cyruscyliu
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
It's needed for FALLOC_FL_ZERO_RANGE which needs this header, it works
with glibc because fcntl.h includes this header indirectly, however the
failure comes to the fore with musl C library where this header is not
included indirectly by other system headers, therefore include it as
required.
Fixes
In file included from executor/common.h:505:
executor/common_linux.h:5604:16: error: use of undeclared identifier 'FALLOC_FL_ZERO_RANGE'
fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
^
If the feature is supported on the device, allocate a 128MB swap file
after VM boot and activate it.
It makes these extensions much more flexible as they can now also
customize what other features set up.
We have a long history of executor managing to corrupt itself in various
interesting ways (e.g. using read with a pointer pointing to some
global/stack variable and then kernel overwrites it). Or rt_sigreturn
can corrupt other registers which won't cause immediate SIGSEGV, but
rather some random behavior later. This is the race we can't win.
We can't rely on memory consistency when the test already started, so we
should use exitf instead of fail outside of setup sequence (and relying
more on unit testing to ensure that executor works as expected for sane
programs).
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrei Vagin <avagin@google.com>
Given that we must choose only one version, fuzzing v1 of it seems to be of
higher value at the moment.
Later we might make it a configurable option and do both versions.
This annotates syscall arguments so they are easier to read without
having to pull out the syscall's man page. E.g:
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul,
/*prot=*/0ul, ...
Signed-off-by: Florent Revest <revest@chromium.org>
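An added example, not pkg/csource's own implementation, that covers both this message and the earlier "This factorizes const arguments into the shortest flags OR bitmask" one: a greedy cover of a value's bits by named flags (leftover bits printed as hex), wrapped in a renderer that emits the `/*name=*/value` and `/*name=FLAG|FLAG*/ value` forms shown in the two messages. The flag table (a few Linux x86-64 mmap values), the argument names and the fd/offset values of the sample call are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct flagdef {
	const char *name;
	unsigned long val;
};

struct argdef {
	const char *name;
	const struct flagdef *flags; /* NULL for plain integer arguments */
	size_t nflags;
};

/* Constructed table with the Linux x86-64 values of a few mmap flags. */
static const struct flagdef mmap_flags[] = {
	{"MAP_FIXED", 0x10}, {"MAP_ANONYMOUS", 0x20}, {"MAP_PRIVATE", 0x02},
	{"MAP_SHARED", 0x01}, {"MAP_POPULATE", 0x8000},
};
#define NFLAGS (sizeof(mmap_flags) / sizeof(mmap_flags[0]))

static const struct argdef mmap_args[] = {
	{"addr", NULL, 0}, {"len", NULL, 0}, {"prot", NULL, 0},
	{"flags", mmap_flags, NFLAGS}, {"fd", NULL, 0}, {"offset", NULL, 0},
};

static int popcount(unsigned long v)
{
	int n = 0;
	for (; v; v >>= 1)
		n += (int)(v & 1);
	return n;
}

/* Greedy cover: among flags whose bits are all set in val, repeatedly take the
   one that clears the most still-uncovered bits; whatever no flag explains is
   appended as hex. Returns the number of named flags used. */
static int format_flags(unsigned long val, const struct flagdef *defs, size_t n,
			char *out, size_t outsz)
{
	unsigned long rem = val;
	size_t pos = 0;
	int parts = 0;
	if (val == 0) {
		snprintf(out, outsz, "0");
		return 0;
	}
	while (rem) {
		const struct flagdef *best = NULL;
		int bestbits = 0;
		for (size_t i = 0; i < n; i++) {
			if (defs[i].val == 0 || (defs[i].val & ~val))
				continue; /* would introduce bits that are not set */
			int bits = popcount(defs[i].val & rem);
			if (bits > bestbits) {
				bestbits = bits;
				best = &defs[i];
			}
		}
		if (!best)
			break;
		pos += (size_t)snprintf(out + pos, outsz - pos, "%s%s", parts ? "|" : "", best->name);
		if (pos >= outsz)
			return parts; /* truncated; output is still NUL-terminated */
		rem &= ~best->val;
		parts++;
	}
	if (rem)
		snprintf(out + pos, outsz - pos, "%s0x%lx", parts ? "|" : "", rem);
	return parts;
}

/* ul constants are printed as 0ul or 0x...ul, as in the message above. */
static void format_num(unsigned long v, char *out, size_t outsz)
{
	snprintf(out, outsz, v ? "0x%lxul" : "0ul", v);
}

// One argument: /*name=*/value for plain integers, /*name=FLAG|FLAG*/ value for flag sets.
static void format_arg(const struct argdef *a, unsigned long v, char *out, size_t outsz)
{
	char num[32], flags[256];
	format_num(v, num, sizeof(num));
	if (!a->flags) {
		snprintf(out, outsz, "/*%s=*/%s", a->name, num);
		return;
	}
	format_flags(v, a->flags, a->nflags, flags, sizeof(flags));
	snprintf(out, outsz, "/*%s=%s*/ %s", a->name, flags, num);
}

/* A whole call: syscall(__NR_x, arg, arg, ...). */
static void format_call(const char *nr, const struct argdef *args, size_t nargs,
			const unsigned long *vals, char *out, size_t outsz)
{
	char arg[320];
	size_t pos = (size_t)snprintf(out, outsz, "syscall(%s", nr);
	for (size_t i = 0; i < nargs && pos < outsz; i++) {
		format_arg(&args[i], vals[i], arg, sizeof(arg));
		pos += (size_t)snprintf(out + pos, outsz - pos, ", %s", arg);
	}
	if (pos < outsz)
		snprintf(out + pos, outsz - pos, ")");
}

static const char *mmap_flags_str(unsigned long v)
{
	static char buf[256];
	format_flags(v, mmap_flags, NFLAGS, buf, sizeof(buf));
	return buf;
}

/* The mmap call from the message above; fd=3 and offset=0 are constructed. */
static const char *example_mmap(void)
{
	static char buf[512];
	const unsigned long vals[] = {0x21000000, 0x1000, 0, 0x32, 3, 0};
	format_call("__NR_mmap", mmap_args, 6, vals, buf, sizeof(buf));
	return buf;
}
```

Flags whose value is not a subset of the argument are skipped rather than subtracted, which is what keeps a value such as 0x32 from being rendered with MAP_SHARED (0x01) and then an impossible negative remainder; bits no flag explains stay visible as a hex tail, so a mutated or unknown flag is not silently hidden by the pretty-printer.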
There seem to be a lot of unclear dependencies between pseudo syscall
code and global methods. By testing them only together we have little
chance to detect these problems because implementations can indirectly
help one another.
In addition to existing tests, also compile all pseudo syscalls
independently.
This relies on sendsyslog in sys/syslog.h which will be in OpenBSD
HEAD soon.
This centralizes all strings.HasPrefix(callName, "syz_") checks.
While there, return a fully formed call expression instead of
piecing into a Buffer. There's hardly a good reason to do this
and not mutating state from outside is more readable.
It belongs to targets.Target.
The syscall sets PKRU register which is part of protection keys (pkey).
The call to mkdtemp() will fail when given
/data/data/syzkaller/syzkaller-XXXXXX, since /data/data/syzkaller/
doesn't exist. The correct temporary dir on Android is /data/local/tmp,
which exists by default.
Android devices often fail during the initial check with the error:
SYZFAIL: tun: ioctl(TUNSETIFF) failed
We need the same namespacing here that is used for other sandboxing
configurations.
This commit adds a new VM for fuzzing starnix.
The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode.
Co-authored-by: Juampi Miceli <jpmiceli@google.com>
The problem was introduced in 4620c2d9bc4f ("sys/targets: take DataOffset
from reference targets").
Example of the problem on s390x
-------------------------------
--- FAIL: TestSource (0.00s)
--- FAIL: TestSource/1 (0.00s)
csource_test.go:221: input:
csource2(&AUTO="12345678")
csource3(&AUTO)
csource4(&AUTO)
csource5(&AUTO)
csource6(&AUTO)
want:
NONFAILING(memcpy((void*)0x20000040, "\x12\x34\x56\x78", 4));
syscall(SYS_csource2, 0x20000040ul);
NONFAILING(memset((void*)0x20000080, 0, 10));
syscall(SYS_csource3, 0x20000080ul);
NONFAILING(memset((void*)0x200000c0, 48, 10));
syscall(SYS_csource4, 0x200000c0ul);
NONFAILING(memcpy((void*)0x20000100, "0101010101", 10));
syscall(SYS_csource5, 0x20000100ul);
NONFAILING(memcpy((void*)0x20000140, "101010101010", 12));
syscall(SYS_csource6, 0x20000140ul);
got:
NONFAILING(memcpy((void*)0xfffff040, "\x12\x34\x56\x78", 4));
syscall(SYS_csource2, 0xfffff040ul);
NONFAILING(memset((void*)0xfffff080, 0, 10));
syscall(SYS_csource3, 0xfffff080ul);
NONFAILING(memset((void*)0xfffff0c0, 48, 10));
syscall(SYS_csource4, 0xfffff0c0ul);
NONFAILING(memcpy((void*)0xfffff100, "0101010101", 10));
syscall(SYS_csource5, 0xfffff100ul);
NONFAILING(memcpy((void*)0xfffff140, "101010101010", 12));
syscall(SYS_csource6, 0xfffff140ul);
FAIL
coverage: 79.6% of statements
FAIL github.com/google/syzkaller/pkg/csource 9.930s
Fixes: 4620c2d9bc4f ("sys/targets: take DataOffset from reference targets")
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
We already suppress them, but the current approach fails if syzkaller
slightly corrupts the options string. Do the check more rigorously.
When we decompress images for mutation or hints,
we always specially check for empty compressed data
(I assume it can appear after minimization).
Treat it as correctly compressed and return empty decompressed data.
This removes the need for special handling in users.
We can close memfd as soon as we passed it to LOOP_SET_FD
(it holds a reference to the file).
We symlink resulting partitions into the test dir.
If we do LOOP_CLR_FD, device and partitions disappear.
Don't do LOOP_CLR_FD on success.
The images we unpack have huge ranges of 0s.
Currently we write all bytes and as a result page in the whole unpacked image.
Don't write 0s since we just mmaped zero memory.
This reduces btrfs_0 seed memory consumption from 130MB to 6MB.
We don't use C89 style.
This will allow us to mutate the image size.
Fixes #3527
zlib can calculate uncompressed output size if given NULL destination buffer.
We don't use that. Remove.
|
| | |
|
| |
|
|
|
|
| |
In executor code we commonly use the syscall interface for functions:
return -1 on error and set errno.
Use this interface for puff_zlib_to_file.
The code to send rand source is duplicated in several packages.
Move it to testutil package.
Update the executor to handle the new `syz_mount_image`/`syz_part_table`
pseudo-syscalls. It now expects compressed images, and decompresses
them using the new `common_zlib.h` header file before mounting.
Create a header file to provide a clean entrypoint `puff_zlib_to_file()`,
which decompresses `zlib` data from an array to a file. This will be
used for pseudo-syscalls which accept compressed data, e.g.
`syz_mount_image`. The implementation uses a slightly-modified version
of `puff.{c,h}`, found in the `zlib` repository.
We have to be careful to ensure the copyright information from
`puff.{c,h}` gets included in generated C code and C reproducers.
Therefore, introduce the `//%` pattern to indicate comments which should
not be removed by code generation, and use this pattern for the
copyright notice.
Problem: the BT initialization logic (`initialize_vhci()` in `common_linux.h`)
expected `HCI_VENDOR_PKT` to be sent first, but this is not always the case as
the kernel sends these two packets almost at the same time (both are sent as
the result of the `open("/dev/vhci", …)` call):
* syscall thread: `HCI_VENDOR_PKT` (in `__vhci_create_device`)
* `power_on` queue thread: `HCI_OP_RESET` (from `hci_reset_sync` <-
`hci_init1_sync` <- `hci_init_sync` <- `hci_dev_open_sync` <-
`hci_dev_do_open` <- `hci_power_on` <- `hdev->power_on` <- (worker queue)
<- `hci_register_dev` <- `__vhci_create_device`)
Solution: handle both `HCI_OP_RESET` and `HCI_VENDOR_PKT` packets in
`initialize_vhci`.
Also instead of waiting for the kernel to send `HCI_VENDOR_PKT` after 1 second,
we initiate the setup by sending `HCI_VENDOR_PKT` (request) to the kernel first.