| Commit message | Author | Age | Files | Lines |

This sucks a lot, but ebtables.h is now broken too on Debian 4.17:
ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’

Sometimes race conditions are reproduced by syz-execprog and are not
reproduced by the programs generated with syz-prog2c. In such cases
it's very helpful to know when exactly the fuzzing syscalls are executed.
Unfortunately, adding timestamps to the output of the original 'debug'
mode doesn't work. This mode provides very verbose output, which slows
down the executor and breaks the repro.
So let's make the executor debug output less verbose and add
the timestamps.
Signed-off-by: Alexander Popov <alex.popov@linux.com>

Move debug_dump_data back to executor.cc.
debug_dump_data in common_linux.h does not play well
with pkg/csource debug stripping logic. It strips a large
random piece of code since it thinks the debug_dump_data
definition is actually a debug_dump_data call site.

Compiling the executor on OpenBSD currently fails:
executor/executor.cc:1316:6: error: unused function 'debug_dump_data'

Currently we have a global fixed set of sandboxes,
which makes it hard to add new OS-specific ones
(all OSes need to be updated to say that they don't
support this sandbox).
Let each OS say what sandboxes it supports instead.

executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774

The tests are currently broken on openbsd.

oom_score_adj is inherited, so we need to reset it to 0.

Set limit of 32 pids and 200MB per test process.
This should prevent things like fork bombs and frequent OOMs.
Fixes #589

Add simple fuchsia program, the one that is run during image testing.
Fix csource errno printing for fuchsia.
Fix creation of executable files (chmod is not implemented on fuchsia).
Check that we get signal/coverage from all syscalls.

The function executes random code.
Update #310

all: add openbsd support
squash of the following commits:
* openbsd: add mandatory bits
* report: add OpenBSD support
* executor: skip building kvm on OpenBSD
* executor: add OpenBSD support
Linking against libutil is necessary due to usage of openpty(3).
* executor: fix typo in fail() message
* fixup! report: add OpenBSD support
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! report: add OpenBSD support
* gometalinter: skip sys/openbsd

gcc complains about function declarations not being prototypes,
signed/unsigned cast mismatch and casts between incompatible functions.
Fix them.

FS_IOC_FSSETXATTR is not supported in compat mode, use FS_IOC_SETFLAGS instead.

syscall accepts args as ellipsis, resources are uint64
and take 2 slots without the cast, which is wrong.
Cast resources to long when passing to syscall.

1. Create per-proc cgroup in executor.
2. Setup cgroups after chdir into test dir
(it assumes relative paths against test dir).
3. Add test.

We forgot to mount binfmt_misc. Mount it. Add a test.
Increase per-call timeout, otherwise last execve times out.
Fix csource waiting for call completion at the end of program.

Turns out dirs can be immutable too.
Update #650

These are not needed now.

It should be in <linux/fs.h> but is not there on some distros/arches as expected.
Travis build fails with:
<stdin>: In function ‘remove_dir’:
<stdin>:152:13: error: variable ‘attr’ has initializer but incomplete type
<stdin>:152:13: error: excess elements in struct initializer [-Werror]
<stdin>:152:13: error: (near initialization for ‘attr’) [-Werror]
<stdin>:152:21: error: storage size of ‘attr’ isn’t known
<stdin>:153:20: error: ‘FS_IOC_FSSETXATTR’ undeclared (first use in this function)
<stdin>:153:20: note: each undeclared identifier is reported only once for each function it appears in
<stdin>:152:21: error: unused variable ‘attr’ [-Werror=unused-variable]
cc1: all warnings being treated as errors
https://travis-ci.org/google/syzkaller/jobs/413574080

Fixes #650

Missing part of
"executor: don't checkpoint/reset net namespace with setuid sandbox"

After setuid the process won't have rights to reset net namespace,
but it should not be able to change it during fuzzing too.
So just skip that part.

With checkpoint_net_namespace moved to setup_common,
an Android fuzzing session terminates prematurely due to
ipv4_tables not being initialized at this time.
Moving the call back to loop fixes this behavior.

gcc complains:
error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]
Also fix includes.

If the test process is not dying after 100ms,
abort all fuse connections in the system.
This gets rid at least of simple fuse deadlocks,
let's see how well this works in all cases.

Add syz_errno syscall which sets errno to the argument,
and add a test with different errno values.
This mostly tests the testing infrastructure itself.
Add syz_compare syscall which compares two blobs,
this can be used for testing of argument memory layout.
Implement syz_mmap and fix Makefile to allow building syz-execprog for test OS.
Useful for debugging.
Update #603

1. Print errno with %u instead of %d
2. Avoid unused var warning for syz_emit_ethernet
when tracing is enabled.

We see some failures there, extend logging so that it's at least
possible to understand which call exactly has failed.

Move call generation into a separate function.
Update #538

Make it simpler and shorter.
Update #538

mgrconfig was used only by syz-manager initially,
but now it's used by a dozen packages and it's
weird to import from under a binary dir.
pkg/ is a much more reasonable dir for a widely used
helper package.

Update #538

Slightly reduce cyclomatic complexity.
Update #538

The part that we want from gofmt is simplify (-s).
Fix all code that needs fixing.
Update #538

Fix conditions for when current_time_ms/sleep_ms are used
and make them static.

Test OS fails the same way as linux on travis.

clang-format badly mishandles this part,
moreover different versions mishandle it differently.

Shell files cause portability problems.
On Linux it's hard to install /bin/sh,
/bin/bash is not present on *BSD.
Any solution is hard to test on Darwin.
Don't even want to mention Windows.
Just do it in Go.

This will be needed for testing of generated programs.

1. Remove unnecessary includes.
2. Remove thunk function in threaded mode.
3. Inline syscalls into main for the simplest case.
4. Define main in common.h rather than forming it with printfs.
5. Fix generation for repeat mode
(we had 2 infinite loops: in main and in loop).
6. Remove unused functions (setup/reset_loop, setup/reset_test,
sandbox_namespace, etc).

We always have current_time_ms in event_timedwait
so use it instead of manual clock_gettime calls
which tend to be bulkier.

We already do this in sandbox=none, but forgot about setuid.

OpenBSD and probably other BSDs do not ship with /bin/bash. This particular
script runs fine with regular /bin/sh.

Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves the way for testing of executor code
and allows us to preserve consistency across OSes and executor/csource.

Linux executor sets up some network devices for testing,
detect when that's supported on the machine and don't
do it if it's not supported.

Remove syz_fuse* and implement them as normal syscalls.
We now have enough expressive power to form mount options.