Auto-generated syscall descriptions currently do not properly mark
arch-specific syscalls like socketcall (which is only available on 32
bit systems), which leads to TestGenerate breakages.
Until the syz-declextract tool is fixed and descriptions are
re-generated, don't use such calls in TestGenerate tests. It has
recently caused numerous syzkaller update errors on syzbot.
Cc #5410.
Closes #6468.

Drop all lines matching `#define [A-Z0-9_]*_H` from the reproducers

Make sure arches with the broken compiler are correctly skipped.

Previously in the -short configuration testPseudoSyscalls() was only
executed for the first supported target, which in most cases ended up
being linux/386 (the least popular configuration).
As a result, platform-specific pseudo-syscalls were never executed on
the CI.
Fix this by testing the pseudo-syscalls on all available platforms.
This increases the execution time of TestGenerate from 18s to 36s,
but also helps to discover bugs in pseudo-syscalls quicker.
As a result of this change, 3 distinct latent bugs were found on
amd64, arm64 and ppc64.

The structure of arguments passed into syscalls is often hard to parse
since it is memcpy'd into mmap'd regions. Structural relations are often
lost in translation, resulting in reproducers that take longer for a
developer to understand.
This patch adds functionality for parsing syscall arguments semantically and
emitting a structured and human-readable comment which is inserted before each
syscall in the resulting C-source.

1. recover the removed comment
2. unnecessary leading newline
3. unnecessary brackets
4. restore dropped "..."
5. use bytes.Equal instead of conversion to string

./tools/syz-env bin/golangci-lint run ./... --fix

The new C23 embed built-in defines cause build errors in executor with
GCC 15.
<stdin>:3:9: error: ‘__STDC_EMBED_NOT_FOUND__’ redefined [-Werror]
<built-in>: note: this is the location of the previous definition
<stdin>:4:9: error: ‘__STDC_EMBED_FOUND__’ redefined [-Werror]
<built-in>: note: this is the location of the previous definition
<stdin>:5:9: error: ‘__STDC_EMBED_EMPTY__’ redefined [-Werror]
<built-in>: note: this is the location of the previous definition
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>

syscall() is a variadic function, so we need to be careful when passing
const values in there without specifying their type.
For -1, we did not specify it, and on 64 bit architectures the de facto
passed value was 0xFFFFFFFF instead of 0xFFFFFFFFFFFFFFFF. Fix it and
add a test.
Closes #5921.

We don't use go:generate in this package anymore.

TestExecutorMacros"
This reverts commit 1763a1862f3468b4b1a5cedef9d61ddd8d0e58e8.

All callers shouldn't control lots of internal details of minimization
(if we have more params, that's just more variations to test,
and we don't have more, params is just a more convoluted way to say
if we minimize for corpus or a crash).
2 bools also allow expressing 4 options, but only 3 make sense.
Also when I see MinimizeParams{} in the code, it's unclear what it means.
Replace params with mode.
And potentially "crash" minimization is not "light", it's just different.
E.g. we can simplify int arguments for reproducers (esp in snapshot mode),
but we don't need that for corpus.

Build executor w/o optimizations for tests.
Tests can build lots of versions of executor in parallel,
and on overloaded machines it can be slow. On my machine
this reduces executor build time from ~7.5 to ~3.5 secs.
Reduces pkg/runtest tests time considerably.
Before:
--- PASS: TestExecutor (8.89s)
--- SKIP: TestExecutor/386 (0.00s)
--- PASS: TestExecutor/riscv64 (30.76s)
--- PASS: TestExecutor/arm (32.56s)
--- PASS: TestExecutor/arm64 (33.01s)
--- PASS: TestExecutor/amd64 (31.83s)
--- SKIP: TestExecutor/ppc64le (26.56s)
--- PASS: TestExecutor/s390x (25.53s)
--- PASS: TestExecutor/mips64le (25.65s)
After:
--- PASS: TestExecutor (4.74s)
--- SKIP: TestExecutor/386 (0.00s)
--- PASS: TestExecutor/s390x (12.27s)
--- SKIP: TestExecutor/ppc64le (12.59s)
--- PASS: TestExecutor/amd64 (12.84s)
--- PASS: TestExecutor/riscv64 (12.89s)
--- PASS: TestExecutor/arm (11.53s)
--- PASS: TestExecutor/arm64 (11.88s)
--- PASS: TestExecutor/mips64le (12.82s)

Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)

Little-endian is kind of default (except for s390).
So instead of saying that each arch is little-endian,
mark only s390 as big-endian.

All OSes we have now support shmem.
Support for Fuchsia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.

Add an explicit parameter to only run call removal.

Add C++ compiler and flags to the target
and build executor with the C++ compiler.
This will be needed to merge syz-fuzzer into syz-executor
since it will be beefier and will most likely require linking in libc++.
But also this should fix #4821 since we won't use C++ flags
when building C sources (we already had work-around in pkg/csource,
but not in syz-extract).
Fixes #4821

Enable it unconditionally.

go:embed is a more modern way to do this and it does
not require a special Makefile step.
Since go:embed cannot use paths that contain "..",
the actual embedding is moved to executor package.

Currently we fail in some cases, but ignore errors in other cases.
Consistently fail when feature setup fails.
This will be required for relying on setup failure to detect feature presence.

Fix checking of Logf, it has string in 0-th arg.
Add checking of t.Errorf/Fatalf.

If we send exec encoding to the fuzzer, it's not necessary to serialize
exec encoding into existing buffer (currently we serialize directly into shmem).
So simplify code by serializing into a new slice.

Fuzzer managed to do:
executing program 0:
...
close_range(r5, 0xffffffffffffffff, 0x0)
...
SYZFATAL: executor 0 failed 11 times: executor 0: exit status 67
SYZFAIL: tun read failed
(errno 9: Bad file descriptor)

Fuzzer managed to do:
executing program 4:
...
prlimit64(0x0, 0x7, &(0x7f0000000000), 0x0)
...
syz_usbip_server_init(0x3)
...
SYZFATAL: executor 4 failed 11 times: executor 4: exit status 67
SYZFAIL: syz_usbip_server_init: socketpair failed
(errno 24: Too many open files)

Allow profiling how many bytes are consumed for what in the exec encoding.
The profile shows there are not many opportunities left.
53% are consumed by data blobs.
13% for const args.
18% for non-arg things (syscall number, copyout index, props, etc).

Akaros support is unused, it was shut down on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and hasn't supported Go. Remove it.

Starting from v6.9, we can no longer reuse a loop device while some
filesystem is mounted on it. It conflicts with the MNT_DETACH approach
we were previously using.
Let's umount synchronously instead, but also with a MNT_FORCE flag to
abort potentially long graceful cleanup operations. We don't need them
for the filesystems mounted only for fuzzing purposes.

The "avl" fields (variable type is u8) of the kvm_segment structure variables such as
seg_cs16 and seg_ldt are not initialized to zero. During creation, there is a chance that
they are set to values other than 0 or 1, which can cause the "avl" fields to overwrite
other fields when executing the fill_segment_descriptor function, leading to erroneous
results.

Don't treat ENOENT from socket call as fatal.
Fuzzer manages to make all socket calls for a particular
protocol fail using NLBL_MGMT_C_REMOVE netlink function.

This is the first step for #1541.
Move the fuzzing engine that used to be interleaved with other syz-fuzzer
code into a separate package.
For now, the algorithm is more or less the same as it was, the only
difference is that a pkg/fuzzer instance scales to the available
computing power.
Add an executor-based test that performs real fuzzing.

IORING_SETUP_CQE32 and IORING_SETUP_SQE128 may lead to incorrect
assumptions about the ring buffer size, causing the kernel to write
outside of the mapped memory, smashing whatever follows it.
This is a hotfix for https://github.com/google/syzkaller/issues/4531
that will stop the ci-upstream-gce-arm64 from generating random
coverage.

The fd may be closed by an async close() call, it's not a reason to
report a failure.
Reported-by: Andrei Vagin <avagin@google.com>

This factorizes const arguments into the shortest flags OR bitmask
possible so they are easy to read. E.g.:
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul

When BLK_DEV_WRITE_MOUNTED is enabled, the kernel treats the loopfd
reference as a writer and does not let us issue mount() calls over the
same block device.

This should never be happening during fuzzing. Otherwise we let
syz-executor silently crash and restart an insane number of times.

During fuzzing, it's expected that certain operations might return
errors. Don't abort the whole syz-executor process in this case, this is
too expensive.

This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.

Add new pseudo-syscall for creating a socket in init netns and connecting to
NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.

It contributes to #4285 unblocking.

The `mmap` size is `max_destlen`, but `munmap` size is `destlen`, which
causes a memory leak.

This parameter barely increases coverage since the tail is always set
to the entry that is written, but it does increase the complexity of
the api and seems to reduce coverage when I run it locally.
Remove it.