path: root/pkg/flatrpc/flatrpc.go

Commit history for this file, newest first. Each entry gives the commit subject, then the author, date, number of files changed and lines removed/added, followed by the commit message where one was written.
* pkg/flatrpc: run make generate
  Author: Pimyn Girgis   Date: 2025-12-03   Files: 1   Lines: -18/+227
* pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage
  Author: Alexander Potapenko   Date: 2025-07-31   Files: 1   Lines: -33/+39

  Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE), making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution.

  The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
* pkg/rpcserver: pkg/flatrpc: executor: add handshake stage 0
  Author: Alexander Potapenko   Date: 2025-02-20   Files: 1   Lines: -10/+103

  As we figured out in #5805, syz-manager treats random incoming RPC connections as trusted, and will crash if a non-executor client sends an invalid packet to it.

  To address this issue, we introduce another stage of handshake, which includes a cookie exchange:
  - upon connection from an executor, the manager sends a ConnectHello RPC message to it, which contains a random 64-bit cookie;
  - the executor calculates a hash of that cookie and includes it into its ConnectRequest together with the other information;
  - before checking the validity of ConnectRequest, the manager ensures client sanity (passed ID didn't change, hashed cookie has the expected value).

  We deliberately pick a random cookie instead of a magic number: if the fuzzer somehow learns to send packets to the manager, we don't want it to crash multiple managers on the same machine.
* executor: query globs in the test program context
  Author: Dmitry Vyukov   Date: 2024-12-11   Files: 1   Lines: -128/+79

  We query globs for 2 reasons:
  1. Expand glob types in syscall descriptions.
  2. Dynamic file probing for automatic descriptions generation.

  In both of these contexts we are interested in files that will be present during test program execution (rather than normal unsandboxed execution). For example, some files may not be accessible to test programs after pivot root. On the other hand, we create and link some additional files for the test program that don't normally exist.

  Add a new request type for querying of globs that are executed in the test program context.
* pkg/manager: show number of times coverage for each call has overflowed
  Author: Dmitry Vyukov   Date: 2024-11-20   Files: 1   Lines: -12/+15

  If the overflows happen often, it's bad. Add visibility into this.
* executor: better handling for hanged test processes
  Author: Dmitry Vyukov   Date: 2024-10-24   Files: 1   Lines: -5/+23

  Currently we kill hanged processes and consider the corresponding test finished. We don't kill/wait for the actual test subprocess (we don't know its pid to kill, and waiting will presumably hang).

  This has 2 problems:
  1. If the hanged process causes "task hung" report, we can't reproduce it, since the test finished too long ago (manager thinks it's finished and discards the request).
  2. The test process still consumed per-pid resources.

  Explicitly detect and handle such cases: Manager keeps these hanged tests forever, and we assign a new proc id for future processes (don't reuse the hanged one).
* pkg/rpcserver: use dense VM indices instead of string names
  Author: Dmitry Vyukov   Date: 2024-08-02   Files: 1   Lines: -9/+12

  Using actual VM indices for VM identification allows to match these indices to VMs in the pool, allows to use dense arrays to store information about runners (e.g. in queue.Distributor), and just removes string names as unnecessary additional entities.
* pkg/fuzzer: try to triage on different VMs
  Author: Dmitry Vyukov   Date: 2024-08-02   Files: 1   Lines: -25/+61

  Distribute triage requests to different VMs.
* all: add qemu snapshotting mode
  Author: Dmitry Vyukov   Date: 2024-07-25   Files: 1   Lines: -0/+557
* prog: restricts hints to at most 10 attempts per single kernel PC
  Author: Dmitry Vyukov   Date: 2024-07-22   Files: 1   Lines: -11/+32

  We are getting too many generated candidates, the fuzzer may not keep up with them at all (hints jobs keep growing infinitely). If a hint indeed came from the input w/o transformation, then we should guess it on the first attempt (or at least after few attempts). If it did not come from the input, or came with a non-trivial transformation, then any number of attempts won't help. So limit the total number of attempts (until the next restart).
* pkg/fuzzer: remove signal rotation
  Author: Dmitry Vyukov   Date: 2024-07-02   Files: 1   Lines: -50/+2

  Signal rotation is intended to make the fuzzer re-discover flaky coverage in non flaky way. However, taking into account that we get effectively the same effect after each manager restart, and that the fuzzer is overloaded with triage/smash jobs, it does not look to be worth it.
* pkg/rpcserver: move kernel test/data range checks from executor
  Author: Dmitry Vyukov   Date: 2024-07-01   Files: 1   Lines: -28/+64

  We see some errors of the form:

  SYZFAIL: coverage filter is full pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156

  Executor shouldn't send non kernel addresses in signal, but somehow it does. It can happen if the VM memory is corrupted, or if the test program does something very nasty (e.g. discovers the output region and writes to it). It's not possible to reliably filter signal in the tested VM. Move all of the filtering logic to the host.

  Fixes #4942
* pkg/flatrpc: rename StartLeakChecks to CorpusTriaged
  Author: Dmitry Vyukov   Date: 2024-07-01   Files: 1   Lines: -36/+36

  It's a more general name that says what happened rather than a detail of what executor should do. We can use this notification for other things as well.
* executor: add runner mode
  Author: Dmitry Vyukov   Date: 2024-06-24   Files: 1   Lines: -168/+369

  Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer. Also restore syz-runtest functionality in the manager.

  Update #4917 (sets most signal handlers to SIG_IGN)
* executor: refactor coverage filter
  Author: Dmitry Vyukov   Date: 2024-06-24   Files: 1   Lines: -19/+17
* pkg/flatrpc: send parameters to the fuzzer in RPC
  Author: Dmitry Vyukov   Date: 2024-06-05   Files: 1   Lines: -16/+70

  When we rewrite syz-fuzzer in C++ flag parsing will be painful, so send as many parameters to syz-fuzzer in RPC rather than as flags.
* pkg/fuzzer: improve handling of signal for non-target calls
  Author: Dmitry Vyukov   Date: 2024-06-03   Files: 1   Lines: -10/+55

  During deflake/minimization we have 1 target call that should be handled specially: during triage we want all signal, during minimization we want new+target signal. For the rest of the calls we can do normal handling: collect new signal and start triage if we see any new signal.
* syz-fuzzer: repair leak checking
  Author: Dmitry Vyukov   Date: 2024-05-27   Files: 1   Lines: -9/+74

  Notify fuzzer from the manager when corpus triage has finished to start leak checking.

  Fixes #4728
* all: adapt all cover and sig to 64bit
  Author: Joey Jiao   Date: 2024-05-27   Files: 1   Lines: -40/+40

  Taken some arm64 devices for example: kaslr_offset is diff at bits 12-40, and kernel modules are loaded at 2GB space, so we have `ffffffd342e10000 T _stext` where upper 32bit is ffffffd3. However, if we check modules range, the 1st module is loaded at 0xffffffd2eeb2a000, while the last module is loaded at 0xffffffd2f42c4000. We can see the upper 32bits are diff for core kernel and modules. If we use current 32bits for covered PC, we will get wrong module address recovered.

  So we need to move to 64bit cover and signal:
  - change cover/sig to 64bit to fit for syz-executor change
  - remove kernel upper base logic as kernel upper base is not a constant when kaslr enabled for core kernel and modules.
  - remove unused pcBase
* pkg/ipc: remove ExecOpts
  Author: Dmitry Vyukov   Date: 2024-05-21   Files: 1   Lines: -70/+105

  Switch to flatrpc.ExecOpts.
* pkg/flatrpc: move wait stats into start executing message
  Author: Dmitry Vyukov   Date: 2024-05-15   Files: 1   Lines: -104/+21

  It will be much simpler to return wait time in start executing message. Then we don't need a separate message and don't need the count.
* pkg/flatrpc: remove executing info from execution result
  Author: Dmitry Vyukov   Date: 2024-05-15   Files: 1   Lines: -17/+15

  We needed it in the old RPC b/c messages could have been delivered out-of-order, so we could not receive executing info when execution is completed. With the new RPC out-of-order delivery can't happen.
* pkg/flatrpc: use []byte for cover filter
  Author: Dmitry Vyukov   Date: 2024-05-15   Files: 1   Lines: -17/+16

  It will require fewer casts, currently it's passed as []byte.
* pkg/flatrpc: refactor names
  Author: Dmitry Vyukov   Date: 2024-05-06   Files: 1   Lines: -615/+753

  Remove T suffix from object API types. It seems that we will use these types throughout the code, and the suffix looks alien in Go code. So it's better to remove it before we start using these names more widely.

  Also add a few extensions we will need to move feature checking to the host.
* pkg/flatrpc: add schema
  Author: Dmitry Vyukov   Date: 2024-05-03   Files: 1   Lines: -0/+2732

  Add schema for manager<->fuzzer communication. We may need to change things when we start to use this, but this serves as a proof of concept that we can express things that we need in flatbuffers.