| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
The previous indirection via conditional macros in platform specific
places was needless obfuscation.
|
| |
|
|
| |
The cast had a wrong signature failing to account for padding.
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| | |
|
| |
|
|
| |
executor: removed condition around tun init
|
| |
|
|
|
|
| |
If root fs is read-only, mkdir(/syzcgroup) will fail and a later
rmdir(/syzcgroup/unified) will fail with ENOENT which we don't expect and fail.
Return early if mkdir(/syzcgroup) fails.
|
| | |
|
| |
|
|
|
|
| |
Remove /syzcgroup/* if cgroup mount fails. See #3241 for context.
Fixes #3241
|
| | |
|
| |
|
|
| |
The APPEND flag also prevents file removal.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
|
| |
|
|
|
|
|
|
|
|
|
|
| |
There is a BSD syscall, chflags(2), which lets one set various flags on
a file, including several that prevent unlinking. The use of this flag
can cause the executor to fail to clean up tmpdirs, which can lead to
spurious reports.
Thus, when unlinking fails, try again after clearing relevant flags. I
suspect this would be useful on other BSDs but I can't easily verify
that this change works there. It may eventually be worth having a
BSD-specific remove_dir() implementation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 12.1 reports the following -Werror=array-bounds error:
///
In function 'bool lookup_connect_response_in(...)'
executor/common_usb.h:632:66:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
632 | qual->bNumConfigurations = index->dev->bNumConfigurations;
| ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
|
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
...
In function 'bool lookup_connect_response_in(...)',
executor/common_usb.h:633:57:
error: array subscript 'usb_qualifier_descriptor[0]' is partly outside array
bounds of 'char [8]' [-Werror=array-bounds]
|
633 | qual->bRESERVED = 0;
| ~~~~~~~~~~~~~~~~^~~
In function 'volatile long int syz_usb_connect_impl(...)':
executor/common_usb_linux.h:332:23: note: object 'response_data' of size 8
332 | char* response_data = NULL;
| ^~~~~~~~~~~~~
///
Current code in USB_DT_DEVICE_QUALIFIER case treats respose_data as a buffer,
but in reality it is just a pointer, as detailed in the error trace above. In
order to allow passing a usb_qualifier_descriptor struct back to the caller
(via response_data), add a new parameter to lookup_connect_response_in().
Build tested only.
Fixes: 0c00210ff32 ("executor: always provide DEVICE_QUALIFIER USB descriptor")
Signed-off-by: Ovidiu Panait <ovpanait@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
These were last updated for Android Q in or around 2020. These were
re-generated using the 'genseccomppy.py' script in the Android build
tree.
Since the filters have changed during the intervening time, fuzzing with
'sandbox: android' no longer accurately reflected what untrusted apps
can access on the device.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syzkaller reports the following error when it tries to create a C reproducer:
<stdin>: In function ‘syz_clone’:
<stdin>:289:48: error: ‘CLONE_VM’ undeclared (first use in this
function)
<stdin>:289:48: note: each undeclared identifier is reported only once
for each function it appears in
compiler invocation: gcc [-o /tmp/syz-executor3459695007 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall
-Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384
-Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow
-static-pie -fpermissive -w]
|
| |
|
|
| |
Allow common_ext.h to provide setup_ext() function that is called during VM setup.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We cannot expect syscalls to always succeed during fuzzing, especially
when the situation involves a complex interaction with the system.
For the syz_genetlink_get_family_id case, it leads to numerous SYZFAIL
crashes every day.
Don't print a SYZFAIL error for this pseudo syscall.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right during returning from the clone() call. This
is in turn catched by the NONFAILING() macro and the control actually jumps
over it and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add an empty common_ext.h which is included into executor and C reproducers
and can be used to add non-mainline pseudo-syscalls w/o changing any other files
(by replacing common_ext.h file).
It would be good to finish #2274 which allows to add pseudo-syscalls
along with *.txt descriptions, but #2274 is large and there are several
open design questions. So add this simple extension point for now.
|
| |
|
|
|
| |
Currently only 4 are created by default. This limits the maximum number
of simultaneously running syz-executors.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| |
|
|
| |
This prevents syzkaller from replacing /*{{{NAME}}}*/ within them.
|
| | |
|
| |
|
|
|
| |
Add memfd_create as a dependency to syz_mount_image and
syz_read_part_table.
|
| |
|
|
|
|
|
|
|
|
|
| |
Pseudo syscalls can (and most of the time) do invoke normal system
calls. However, when there's a risk that those calls might not be
present, syzkaller needs to take preventive actions - prepend the
corresponding defines. Otherwise syz-executor or C reproducers might
not compile on the host machine.
List those dependencies in sys/targets, check them during machine check
and add the corresponding defines during C source generation.
|
| |
|
|
|
| |
Otherwise the pseudo syscalls there won't be able to access those
definitions.
|
| |
|
|
|
|
|
| |
syz-execprog now uses twice the number of CPU cores as the number
of processes. Each process might use a tun device. So bump the
maximum number of tun devices to the maximum of 256, which allows
syz-execprog to run with default settings on systems with up to
128 cores.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add package with RaceEnabled const that can be used in test
to skip long tests in race mode.
Switch existing tests to use the new package.
Update #2886
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
| |
There's a chance that the methods from common_bsd.h and common_linux.h
could dup2 (and thus close) an fd belonging to a kcov instance.
Prevent this by adjusting fd consts.
|
| |
|
|
|
|
|
| |
Initializing the VMCS fields Pin-based VM-execution controls and
Primary processor-based VM-execution controls to 0 and setting
their reserved bits using the appropriate MSRs increase coverage
for arch/x86/kvm/vmx/nested.c from 19% to 43%.
|
| |
|
|
|
| |
Add a UMOUNT_NOFOLLOW flag to umount2 in order to prevent remove_dir
from unmounting what was not mounted by the executed program.
|
| |
|
|
|
|
|
|
| |
Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).
|
| |
|
|
|
|
|
| |
Leave some controllers unbound so that the fuzzer can mount them during fuzzing.
This is suboptimal because all controllers are global (so different test
processes will collide, state accumulate, etc), but this still should give
at least some new coverage.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On stretch images setup_cgroups fails as:
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, net_cls) failed: 22
mount(/syzcgroup/net, net_prio) failed: 22
mount(/syzcgroup/net, blkio) failed: 22
SYZFAIL: mount cgroup failed
(/syzcgroup/net, devices,freezer): 16
(errno 16: Device or resource busy)
It seems that systemd starts messing with these mounts somehow
and repeated mounting fails with EBUSY.
Don't hard fail on that error.
|
| |
|
|
|
|
|
| |
Currently we setup cgroups on every test process start
(along with sandbox creation). That's unnecessary because
that's global per-machine setup. Move cgroup setup into setup section
that's executed once per machine from pkg/host.Setup.
|
| |
|
|
|
|
|
|
| |
Currently we enable all controllers at once.
As the result if one of them fails (b/c of older kernel
or not enabled configs), all will fail.
Enable them one-by-one instead. This way we can support kernels
that don't have all of the controllers.
|
| |
|
|
| |
Mount net, blkio, rlimit cgroups.
|
| |
|
|
|
|
|
|
|
|
| |
There is a bug in the current implementation that leads to csource using
the original and the new call lists at the same time.
That has led to a bunch of TestGenerate failures.
Enforce the module only to use variables put into the csource context in
order to avoid similar mistakes in the future.
|
| |
|
|
|
|
|
|
| |
clang-format mis-formats #elif:
https://bugs.llvm.org/show_bug.cgi?id=48664
and then clang fails with:
error: misleading indentation; statement is not part of the previous 'if'
Split #elif into nested #if/else.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently csource skips calls at the very last moment, which has an
unpleasant consequence - if we make choice of enabled defines depend on
the individual calls or call properties, we may end up with defined yet
unused functions.
The perfect solution would be to untie
syz_emit_ethernet/syz_extract_tcp_res and NetInjection, and also to
untie VhciInjection and syz_emit_vhci.
For the time being, move these checks to the very beginning of csource
processing, so that these calls could be removed before we construct our
defines.
Adjust pkg/csource/csource_test.go to better cover fault injection
generation problems.
|
| |
|
|
|
|
| |
Historically the code base does not use single-line compound statements
({} around single-line blocks). But there are few precedents creeped into
already. Add a check to keep the code base consistent.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| | |
|
