path: root/pkg/csource
Commit message | Author | Age | Files | Lines
...
* sys/linux, executor: basic support for multiple USB interfaces | Andrey Konovalov | 2019-09-06 | 1 | -15/+26
* executor: fix sigsegv for default USB string response | Andrey Konovalov | 2019-09-05 | 1 | -1/+1
* all: convert Fuchsia to use "host fuzzing" mode | Matthew Dempsky | 2019-08-27 | 1 | -0/+2
  Go support is not a priority for Fuchsia at the moment, so it's preferable to use host fuzzing mode for Fuchsia like currently done for Akaros. This commit basically looks for all the places where there was special logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
* sys/linux, executor: minor USB fixes (#1361) | Andrey Konovalov | 2019-08-23 | 1 | -3/+6
* executor: fix procid not declared properly for netbsd (#1358) | Andrey Konovalov | 2019-08-22 | 1 | -1/+1
* pkg/csource: fix failing syz-runtest for NetBSD | Siddharth M | 2019-08-21 | 2 | -2/+3
  * pkg/csource: fix failing syz-runtest for NetBSD
  * update common.go
* sys/linux: add basic USB CDC Ethernet descriptions (#1328) | Andrey Konovalov | 2019-08-09 | 1 | -1/+1
* executer/common_bsd.h: increase the number of tap/tun devices for NetBSD | R3x | 2019-08-08 | 1 | -0/+6
* executor: add some USB related TODOs (#1319) | Andrey Konovalov | 2019-08-07 | 1 | -1/+0
  Also simplify timeout related code a bit.
* pkg/csource: skip cross-builds that are doomed to fail | Dmitry Vyukov | 2019-07-23 | 1 | -0/+4
  OpenBSD instance failed with:
    --- FAIL: TestSysTests (12.50s)
    --- FAIL: TestSysTests/linux/386 (0.16s)
    csource_test.go:145: failed to generate C source for ../../sys/linux/test/binder: cpp failed: exec: "cant-build-linux-on-openbsd": executable file not found in $PATH
    ...
  Skip unsupported cross-builds in TestSysTests.
* executor: drop CAP_SYS_NICE | Dmitry Vyukov | 2019-07-22 | 1 | -1/+1
  A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority, as the result rcu and other system services that use kernel threads will stop functioning. Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max} which could be used to enforce safe limits without dropping CAP_SYS_NICE, but we don't have it yet.
  See the following bug for details: https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
* executor: drop CAP_SYS_PTRACE with sandbox=none | Dmitry Vyukov | 2019-07-22 | 1 | -12/+22
  We only drop CAP_SYS_PTRACE for sandbox=namespace, but it can equally affect testing with sandbox=none. Drop it for sandbox=none, add a test.
* pkg/csource: test sys/*/test programs | Dmitry Vyukov | 2019-07-22 | 1 | -11/+52
  Running sys/*/test programs requires real machines and kernels for each OS. We can't do that in unit tests, but at least try to deserialize these programs so that they don't get rotten.
* sys/fuchsia: update zx_clock_get syscall (#1292) | Marco Vanotti | 2019-07-16 | 1 | -1/+2
  * sys/fuchsia: update zx_clock_get.
    zx_clock_get was deprecated and replaced by zx_clock_get_new. In a recent CL[0], they replaced the zx_clock_get by zx_clock_get_new and moved all client. This commit updates syzkaller to use the new function.
    [0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/298575
  * run make extract && make generate
* sys/linux, executor: improve USB descriptions | Andrey Konovalov | 2019-07-16 | 1 | -6/+49
  1. Change HID descriptions to allow devices to have two interrupt endpoints.
  2. Remove unneeded responses to OUT control requests from descriptions.
  3. Add some debugging code to detect and report missing descriptions.
* executor: add network packet injection for NetBSD | Siddharth M | 2019-07-14 | 1 | -10/+14
  * Initial Commit
  * working build of network packet fuzzing
  * Add missed csource file
  * pkg/csource: fix build
  * executor/common_bsd.h: Add comment stating reason for ifconfig create
* executor: fix out-of-bounds in USB fuzzing code | Andrey Konovalov | 2019-07-11 | 1 | -4/+8
  We might not have any string descriptors provided at all, use a hardcoded string in this case.
* executor: update USB fuzzing code to use new kernel API | Andrey Konovalov | 2019-07-11 | 1 | -42/+68
  The kernel API has changed and now differentiates between IN and OUT control requests.
* executor: make errors during thread creation exit zero | Anton Lindqvist | 2019-07-04 | 1 | -2/+2
  On OpenBSD, the executor sometimes manages to set the memory resource limit 0 causing any following memory allocation to fail. Since threads are potentially created from such a thread which cannot allocate any memory, the executor will exit non-zero which in turn will cause false-positive panics to be reported. For more info see the discussion[1] in PR #1243.
  Instead, if hitting a fatal error during thread creation exit zero.
  [1] https://github.com/google/syzkaller/pull/1243
* sys/linux, executor: run make extract and generate | Andrey Konovalov | 2019-07-01 | 1 | -19/+71
* sys/linux, executor: add syz_usb_ep_read syzkall | Andrey Konovalov | 2019-07-01 | 1 | -2/+4
  syz_usb_ep_read reads data from USB endpoints other than #0.
* sys/linux, executor: run make extract and generate | Andrey Konovalov | 2019-06-24 | 1 | -30/+72
* sys/linux, executor: add basic USB HID fuzzing support | Andrey Konovalov | 2019-06-24 | 1 | -0/+1
  This commit adds the necessary descriptions and executor adjustments to enable targeted fuzzing of the enumeration process of USB HID devices.
* pkg/csource: generate timeouts for USB syzcalls | Andrey Konovalov | 2019-05-31 | 2 | -1/+13
  This patch only covers per call timeouts, per prog one is not adjusted yet.
* pkg/csource: add ability to annotate syscalls using comments in C reproducers | Anton Lindqvist | 2019-05-24 | 1 | -1/+6
  Providing additional info, especially regarding syscall arguments, in reproducers can be helpful. An example is device numbers passed to mknod(2).
  This commit introduces an optional annotate function on a per target basis.
  Example for the OpenBSD target:
    $ cat prog.in
    mknod(0x0, 0x0, 0x4503)
    getpid()
    $ syz-prog2c -prog prog.in
    int main(void)
    {
      syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
      syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
      syscall(SYS_getpid);
      return 0;
    }
* executor: exit after first detected leak in C repros | Dmitry Vyukov | 2019-05-21 | 1 | -6/+0
  Otherwise C repros print infinite stream of the same leaks again and again.
* executor: implement support for leak checking | Dmitry Vyukov | 2019-05-20 | 4 | -38/+165
  Leak checking support was half done and did not really work. This is heavy-lifting to make it work.
  1. Move leak/fault setup into executor. pkg/host was a wrong place for them because we need them in C repros too. The pkg/host periodic callback functionality did not work too, we need it in executor so that we can reuse it in C repros too. Remove setup/callback functions in pkg/host entirely.
  2. Do leak setup/checking in C repros. The way leak checking is invoked is slightly different from fuzzer, but much better than no support at all. At least the checking code is shared.
  3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
  4. Don't enable leak checking in fuzzer while we are triaging initial corpus. It's toooo slow.
  5. Fix pkg/repro to do something more sane for leak bugs.
  Few other minor fixes here and there.
* Makefile: enable 386 executor build in presubmit | Dmitry Vyukov | 2019-05-07 | 1 | -5/+0
  This hacky way to install 386 packages seems to unbreak executor build.
* Makefile: enable arm executor build in presubmit | Dmitry Vyukov | 2019-05-07 | 1 | -6/+0
  arm build seems to work now on Travis since we switched to xenial.
* executor: change syscall argument type to intptr_t | munjinoo | 2019-05-07 | 1 | -9/+9
  The type size of long depends on compiler. Therefore, changing to intptr_t makes it depend on architecture.
* executor: unbreak on OpenBSD at runtime | Anton Lindqvist | 2019-05-02 | 1 | -0/+4
  Not using `elif GOOS_freebsd' since it could cause breakage on other *BSDs due to unused variables.
  Regression introduced in commit c7c3f772 (executor: improve setup for packet handling on *BSD).
* executor: improve setup for packet handling on *BSD (#1153) | Michael Tüxen | 2019-05-01 | 1 | -1/+20
  Improve the handling of packets by:
  * setting the local MAC address.
  * configuring the local IPv4 address with prefix /24.
  * adding an entry in the arp cache for the remote IPv4 address.
  * adding an entry in the IPv6 neighbour cache for the remote IPv6 address.
* executor: fix another compiler warning | Andrey Konovalov | 2019-04-25 | 1 | -1/+1
* executor: fix compiler warning | Andrey Konovalov | 2019-04-24 | 1 | -2/+2
* executor: use NONFAILING in common_usb.h | Andrey Konovalov | 2019-04-23 | 1 | -105/+130
  Also move some code to helper functions.
* executor: adjust waiting time for all usb syzcalls | Andrey Konovalov | 2019-04-23 | 1 | -2/+0
  Allow 2000 ms of waiting time for syz_usb_connect and the same time for the whole program if this syzkall is present. Allow 200 ms of waiting time for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
* all: fix some static analysis warnings | Dmitry Vyukov | 2019-04-23 | 1 | -18/+18
  Fix warnings produced by golangci-lint.
  Update #977
* all: run make generate | Andrey Konovalov | 2019-04-11 | 1 | -2/+463
* all: add basic USB fuzzing support | Andrey Konovalov | 2019-04-11 | 1 | -0/+1
  This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control, syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB packets through a custom GadgetFS-like interface (currently exposed at /sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
  USB fuzzing support is quite basic, as it mostly covers only the USB device enumeration process. Even though the syz_usb_ep_write syzcall does allow to communicate with USB endpoints after the device has been enumerated, no coverage is collected from that code yet.
* all: add optional close_fds feature to reproducers | Andrey Konovalov | 2019-04-09 | 4 | -12/+47
  Instead of always closing open fds (number 3 to 30) after each program, add an option called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true. Also minimize C repros over it, except for when repeat is enabled.
* csource: use /*FOO*/ instead of [[FOO]] | Andrey Konovalov | 2019-04-09 | 2 | -10/+11
  The latter differently confuses different versions of clang-format.
* executor: move syz_execute_func after os imports. (#1107) | Marco Vanotti | 2019-04-03 | 1 | -14/+14
  This commit moves the definition of the `syz_execute_func` after the block of code that imports all the OS specific common headers.
  This is required because after commit dfd3394d42ddd333c68cf355273b312da8c65a51 `syz_execute_func` started using the `NONFAILING` macro, which is defined in those header files for each OS.
  I also ran `make generate`.
  TEST=I only tested that the executor works for Fuchsia with:
  ```shell
  $ make executor TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=~/fuchsia
  ```
* executor: don't fallthrough in switches in fuchsia (#1103) | Marco Vanotti | 2019-04-03 | 1 | -0/+3
  This commit modifies the common_fuchsia.h file changing the behavior of the `syz_future_time` function. Before, the function used to have a switch case that would fallthrough, making it always set the delta_ms to 10000. The fix is to add a `break;` statement after each switch case.
* executor: try to prevent machine outbreak | Dmitry Vyukov | 2019-04-02 | 1 | -1/+7
  The fuzzer gained control over host machines again with something like:
    syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030062e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02")
  Let's see if perturbing syz_execute_func a bit and wiping registers will stop the outbreak.
* all: fix warnings pointed to by golangci-lint | Dmitry Vyukov | 2019-03-28 | 1 | -1/+1
  Update #977
* pkg/csource: allow to ignore warnings during build | Dmitry Vyukov | 2019-03-21 | 1 | -3/+14
  Running bisection using an older repro failed with:
    <stdin>: In function ‘syz_mount_image.constprop’:
    <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
    In file included from <stdin>:26:0:
    /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
    extern int mkdir (const char *__path, __mode_t __mode)
  Let's be safe and ignore warnings during repro/bisect. Everything that runs during tests still has all warnings.
  Update #501
* executor: prevent non-null expected warnings | Dmitry Vyukov | 2019-03-21 | 2 | -23/+34
  The added test triggers warnings like these:
    <stdin>: In function ‘syz_mount_image.constprop’:
    <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
    In file included from <stdin>:26:0:
    /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
    extern int mkdir (const char *__path, __mode_t __mode)
    ^~~~~
    cc1: all warnings being treated as errors
    <stdin>: In function ‘syz_open_procfs.constprop’:
    <stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
    <stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
    <stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
  Use volatile for all arguments of syz_ functions to prevent compiler from treating the arguments as constants in reproducers.
  Popped up during bisection that used a repro that previously worked.
  Update #501
* executor: update fdio import path | Marco Vanotti | 2019-03-20 | 1 | -1/+1
  The Fuchsia team is going to remove the `lib/fdio/util.h` library. They have already moved all the functions to new header files.
  I have seen that fuchsia uses `fdio_service_connect`, which has been moved to the `lib/fdio/directory.h` header file.
  This commit just changes the import path in the fuchsia executor, and in the corresponding generated go file (I made that change by running `make generate`).
* pkg/runtest: make tests pass on freebsd | Dmitry Vyukov | 2019-03-07 | 3 | -1/+5
  The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd. Pass actual host OS to executor build as HOSTGOOS and use it to figure out how we should include this header.
* pkg/csource: sort sys/types.h to the top on FreeBSD | Mark Johnston | 2019-03-07 | 3 | -4/+11
  sys/types.h is a special header that is required by many other system headers on FreeBSD.