| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
pkg/host does 2 things: detects supported syscalls and supported features.
There is enough code for each for a separate file.
|
| |
|
|
| |
The patches are being upstreamed and the interface has changed.
|
| |
|
|
| |
The interface is being upstreamed and the name has changed.
|
| |
|
|
|
|
|
|
| |
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
|
| |
|
|
| |
We don't use ip command for netdevices and tun setup.
|
| |
|
|
| |
syz_usb_ep_read reads data from USB endpoints other than #0.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add support for non-obvious open commands
* Adding Michael Specter to CONTRIBUTORS
* update
* /pkg/host/host_linux.go: leverage .txt for OpenAt
Allows users to specify OpenAt flags. Currently, Syzkaller will
automatically attempt to open device nodes at startup, and ignore
descriptions that do not exist. Unfortunately, Syzkaller only opens with
read-only permissions, and some device drivers will
return -EINVAL or likewise if the correct flags are not specified.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
|
| |
|
|
|
|
|
|
|
|
| |
On powerpc, the "stat" syscall is implemented by "sys_newstat" entry point.
This causes a test failure as we can't find "sys_stat" in kallsyms.
Add "stat" -> "newstat" to the kallsyms rename map to work around this.
Closes: #1083 ("pkg/host: TestSupportedSyscalls fails on ppc64le")
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
|
| |
|
|
| |
pkg/host/host_linux.go: Add "arm" to kallsyms support test.
pkg/host/host_test.go: TestKallsymsParse(): Add entry to test arm kallsyms parsing support.
|
| |
|
|
| |
Start with a few simple tests that can be extended when needed.
|
| |
|
|
|
|
| |
See #991 and added comments.
Fixes #991
|
| |
|
|
|
|
| |
Use PC tracing mode when detecting KCOV_REMOTE_ENABLE support in the kernel.
Also fix kcov_remote_handle_usb argument.
|
| |
|
|
| |
Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
|
| |
|
|
|
|
|
| |
Add a regex for syscall symbol extraction on ppc64le. ppc64le doesn't have
any special arch prefix.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
|
| |
|
|
|
| |
As pointed out my Mark Rutland, kallsyms entries have format of
__ia32_sys_${NAME} rather than __ia32_${NAME}. Fix the regexps.
|
| |
|
|
|
|
|
| |
Right now syz-fuzzer does a search through /proc/kallsyms for each syscall
to check whether it's supported. Do one search instead and save the results
to a map. This speeds up syscall detection ~60 times when testing arm64 kernel
on x86. Also add another search pattern for arm64 and add some logging.
|
| |
|
|
|
|
|
|
| |
EBUSY is returned when KMEMLEAK is in fact turned off,
not when scanning is already turned off.
That can't be recovered.
So instead check that we can write to the file in the check
function and give useful diagnostics.
|
| |
|
|
|
|
|
|
|
|
|
| |
Rewind kmemleak fd before reading it second time,
otherwise we will read truncated reports.
Auto-learn what leak reports we've already seen
and ignore them in future. This is required because
there are some false positives and some fire too frequently.
So now we will hit each leak only once per manager run,
but we still will try to reproduce them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
|
| |
|
|
|
|
| |
The function executes random code.
Update #310
|
| |
|
|
| |
Update #533
|
| |
|
|
|
|
| |
Strengthen gocycle limit 35->24! Yay! No more jumbo functions!
Fixes #538
|
| |
|
|
|
|
|
| |
Check some errors where relevant.
Unfortunately enabling errcheck does not look feasible, too many warnings.
Update #538
|
| |
|
|
|
|
| |
Linux executor sets up some network devices for testing,
detect when that's supported on the machine and don't
do it if it's not supported.
|
| |
|
|
|
| |
Remove syz_fuse* and implement them as normal syscalls.
We not have enough expressive power to form mount options.
|
| |
|
|
|
|
|
| |
See issue #640 where /dev/net/tun is present, but open fails with ENODEV.
Check that we can actually open all these files.
Fixes #640
|
| | |
|
| |
|
|
|
| |
Detect supported syscall by directly executing them
if kallsyms is not present. This is required for gvisor testing.
|
| |
|
|
|
| |
Check socketpair.
Check non-constant socket types.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Currently host feature detection/setup code is spread
across platform-independent fuzzer code, pkg/host, pkg/ipc
and executor.
Move this all into pkg/host and show readable info
about features on manager start.
Fixes #46
|
| |
|
|
| |
Only init admin can mount filesystems with images.
|
| | |
|
| |
|
|
| |
Some x86 syscalls now seem to be __x64_ and __ia32_ instead of sys_ or ksys_.
|
| |
|
|
|
|
| |
Recent kernel changes to not call syscalls directly from kernel code
renamed syscall symbols from sys_foo to ksys_foo.
Support both formats.
|
| |
|
|
| |
Fix warnings pointed out by gometalinter.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Fix typos, non-canonical code, remove dead code, etc.
|
| |
|
|
|
|
|
|
|
|
|
| |
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.
Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
|
| |
|
|
|
|
| |
We have them in linux solely for historical reasons.
Fixes #462
|
| | |
|
