| Commit message | Author | Age | Files | Lines |
Move more complex glob processing to the host (into prog package).
Make fuzzer just read and return globs if requested.
This moves us closer to #1541
This moves a significant part of the logic from the target to the host (#1541),
eventually this will allow us to switch target code from Go to C++.
Currently syz-fuzzer parses a number of system files (/proc/cpuinfo)
in non-trivial ways and passes that info to the host.
This is problematic to recreate in C++.
So instead make the fuzzer part as simple as possible:
now it merely reads the given set of files and returns their contents.
The rest of the parsing happens on the host (the new vminfo package).
Package vminfo extracts information about the target VM.
The package itself runs on the host, which may be a different OS/arch.
A user of the package first requests the set of files that need to be fetched from the VM
(Checker.RequiredFiles), then fetches these files, and calls Checker.MachineInfo
to parse the files and extract information about the VM.
The information includes information about kernel modules and OS-specific info
(for Linux that includes things like parsed /proc/cpuinfo).
This also requires changing the RPC flow between fuzzer and manager.
Currently, the Check call is optional and happens only for the first VMs.
With this change Check is always done because we always need to return
the contents of the requested files.
The plan is to switch the rest of the pkg/host package to this scheme later:
instead of some complex custom logic, we need to express it as some
simple operations on the target (checking file presence, etc), and the rest
of the logic on the host.
| |
Addresses from /proc/modules have little to do with the addresses of
modules' text sections. Instead of trying to fix them by parsing ELF
headers, stop supporting this use case.
It is still possible to pass modules.json to syz-cover.
The address from /proc/modules is not necessarily the address of .text,
e.g., it can be the address of .plt.
If available, fix up the module address using the address from
/sys/module/<module-name>/sections/.text
This patch was originally uploaded to
https://github.com/google/syzkaller/pull/4025.
Additions to the original patch:
- fix lint warnings
- adjust the module size to account for the diff between the module
address and .text address
Signed-off-by: Alexander Potapenko <glider@google.com>
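The vminfo commit above and this .text fixup commit describe the same split from two ends: the host asks the target for a fixed list of files and does all parsing itself, and the host-side parse of /proc/modules is where the /sys/module/<name>/sections/.text correction (and the matching size adjustment) is applied. The Go program below is an added example written for this page; it is not syzkaller's vminfo or pkg/host code. It assumes the target expands the glob and hands back a map of path to contents (requiredFiles, ParseMachineInfo and the other names are hypothetical), and the sample files are constructed, not captured from a real system. Note that the newer commit above later dropped the .text fixup in favour of not supporting that use case.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// Module is a loaded kernel module as the host sees it after parsing.
type Module struct {
	Name string
	Addr uint64 // load address, moved to .text when /sys/module/<name>/sections/.text was fetched
	Size uint64 // shrunk by the same offset when Addr was moved
}

// requiredFiles is the first round trip: paths the target reads verbatim (glob expansion assumed on the target).
var requiredFiles = []string{"/proc/cpuinfo", "/proc/modules", "/sys/module/*/sections/.text"}

// ParseMachineInfo is the second round trip: all parsing happens on the host.
// /proc/modules is mandatory, the other files are optional.
func ParseMachineInfo(files map[string][]byte) ([]string, []Module, error) {
	data, ok := files["/proc/modules"]
	if !ok {
		return nil, nil, fmt.Errorf("target did not return /proc/modules")
	}
	mods, err := parseModules(data, files)
	if err != nil {
		return nil, nil, err
	}
	return parseCPUFlags(files["/proc/cpuinfo"]), mods, nil
}

// parseCPUFlags returns the "flags" of the first processor block in /proc/cpuinfo (nil if absent).
func parseCPUFlags(data []byte) []string {
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		if key, val, ok := strings.Cut(sc.Text(), ":"); ok && strings.TrimSpace(key) == "flags" {
			return strings.Fields(val)
		}
	}
	return nil
}

func parseHex(s string) (uint64, error) {
	return strconv.ParseUint(strings.TrimPrefix(strings.TrimSpace(s), "0x"), 16, 64)
}

// parseModules reads /proc/modules lines ("name size refcount deps state 0xaddr") and, where
// /sys/module/<name>/sections/.text was returned, moves Addr to it and shrinks Size accordingly.
func parseModules(data []byte, files map[string][]byte) ([]Module, error) {
	var mods []Module
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			return nil, fmt.Errorf("malformed /proc/modules line %q", sc.Text())
		}
		size, err := strconv.ParseUint(f[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("module %s: bad size: %w", f[0], err)
		}
		addr, err := parseHex(f[5])
		if err != nil {
			return nil, fmt.Errorf("module %s: bad address: %w", f[0], err)
		}
		m := Module{Name: f[0], Addr: addr, Size: size}
		if text, ok := files["/sys/module/"+m.Name+"/sections/.text"]; ok {
			textAddr, err := parseHex(string(text))
			if err != nil || textAddr < m.Addr || textAddr-m.Addr >= m.Size {
				return nil, fmt.Errorf("module %s: unusable .text address %q", m.Name, bytes.TrimSpace(text))
			}
			m.Size -= textAddr - m.Addr
			m.Addr = textAddr
		}
		mods = append(mods, m)
	}
	return mods, nil
}

// sampleFiles is a constructed stand-in for a target's reply, not a real capture.
var sampleFiles = map[string][]byte{
	"/proc/cpuinfo":                  []byte("processor\t: 0\nflags\t\t: fpu vme smep smap\n\nprocessor\t: 1\nflags\t\t: fpu vme smep smap\n"),
	"/proc/modules":                  []byte("foo 16384 0 - Live 0xffffffffc0000000\nbar 65536 1 foo, Live 0xffffffffc0100000\n"),
	"/sys/module/foo/sections/.text": []byte("0xffffffffc0001000\n"),
}

func main() {
	flags, mods, err := ParseMachineInfo(sampleFiles)
	if err != nil {
		panic(err)
	}
	fmt.Println("cpu flags:", flags)
	for _, m := range mods {
		fmt.Printf("%s addr=0x%x size=0x%x\n", m.Name, m.Addr, m.Size)
	}
}
```

With the constructed input, foo's address moves from the /proc/modules value to the .text address and its size shrinks by the same 0x1000, while bar, for which no .text file came back, is kept as reported. A .text address outside the module's reported range is rejected rather than producing a negative size.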
Change-Id: I3119aed5cfe223e24cfc56b27612adaf2a638a99
Created a hash in syz-manager to map between each
instance address and a stored canonical address.
Translate PC coverage values when receiving inputs
from VMs and when sending inputs to each VM.
Signal conversion and coverage filtering will be
fixed in a future commit.
Edit from last (reverted) PR: added a check to confirm
the fuzzer has been instantiated before canonicalization.
| |
This reverts commit c778c7f49050c40ff7c5e409d9b2c667483b3fc9.
We're getting the following panic:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x103ffdd]
goroutine 44811 [running]:
main.(*RPCServer).NewInput(0xc001010bb0, 0xc01d0b60a0, 0x1?)
syz-manager/rpc.go:270 +0x2dd
| |
Created a hash in syz-manager to map between each
instance address and a stored canonical address.
Translate PC coverage values when receiving inputs
from VMs and when sending inputs to each VM.
Signal conversion and coverage filtering will be
fixed in a future commit.
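Both versions of this commit message (the original above and the re-landed one further up) describe one mechanism: a per-instance table that translates PC coverage values between each VM's module layout and a single canonical layout, in both directions. The Go program below is an added example, not syz-manager's code. It models the table with a hypothetical Canonicalizer type, uses constructed module layouts, and returns an error for a VM instance that never registered its layout, which is the kind of not-yet-instantiated case the re-landed version says it now checks for.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ModuleRange is where one piece of kernel code (the kernel image or a module) is loaded in one VM instance.
type ModuleRange struct {
	Name string
	Addr uint64
	Size uint64
}

// ErrUnknownInstance is returned for a VM that never registered its layout.
var ErrUnknownInstance = errors.New("instance has not registered its module layout")

// Canonicalizer keeps each VM instance's module layout and maps PCs of any instance onto the
// layout of the first instance that registered, so coverage from all VMs lands in one address space.
type Canonicalizer struct {
	canonical map[string]uint64     // module name -> load address in the canonical instance
	instances map[int][]ModuleRange // instance id -> layout sorted by Addr
}

func NewCanonicalizer() *Canonicalizer {
	return &Canonicalizer{canonical: map[string]uint64{}, instances: map[int][]ModuleRange{}}
}

// AddInstance registers the layout of instance id; the first registration defines the
// canonical addresses, later ones may only carry modules the canonical instance has.
func (c *Canonicalizer) AddInstance(id int, layout []ModuleRange) error {
	sorted := append([]ModuleRange(nil), layout...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Addr < sorted[j].Addr })
	if len(c.canonical) == 0 {
		for _, m := range sorted {
			c.canonical[m.Name] = m.Addr
		}
	} else {
		for _, m := range sorted {
			if _, ok := c.canonical[m.Name]; !ok {
				return fmt.Errorf("instance %d: module %q is not in the canonical instance", id, m.Name)
			}
		}
	}
	c.instances[id] = sorted
	return nil
}

// Canonicalize maps a PC observed in instance id into the canonical address space (the
// direction used for inputs received from a VM). An unregistered instance yields an
// error rather than a nil dereference.
func (c *Canonicalizer) Canonicalize(id int, pc uint64) (uint64, error) {
	layout, ok := c.instances[id]
	if !ok {
		return 0, ErrUnknownInstance
	}
	i := sort.Search(len(layout), func(i int) bool { return layout[i].Addr > pc }) // first Addr > pc
	if i == 0 || pc >= layout[i-1].Addr+layout[i-1].Size {
		return 0, fmt.Errorf("instance %d: pc 0x%x is not inside any known module", id, pc)
	}
	return c.canonical[layout[i-1].Name] + (pc - layout[i-1].Addr), nil
}

// Decanonicalize maps a canonical PC back into instance id's address space (the
// direction used when sending stored inputs to that VM).
func (c *Canonicalizer) Decanonicalize(id int, pc uint64) (uint64, error) {
	layout, ok := c.instances[id]
	if !ok {
		return 0, ErrUnknownInstance
	}
	for _, m := range layout {
		if base := c.canonical[m.Name]; pc >= base && pc < base+m.Size {
			return m.Addr + (pc - base), nil
		}
	}
	return 0, fmt.Errorf("instance %d: canonical pc 0x%x is not inside any known module", id, pc)
}

// demoCanonicalizer builds two constructed layouts (not captured from real VMs): the
// kernel image sits at the same address in both, module "foo" was loaded differently.
func demoCanonicalizer() *Canonicalizer {
	c := NewCanonicalizer()
	kernel := ModuleRange{"vmlinux", 0xffffffff81000000, 0x2000000}
	for id, fooAddr := range []uint64{0xffffffffc0000000, 0xffffffffc0200000} {
		if err := c.AddInstance(id, []ModuleRange{kernel, {"foo", fooAddr, 0x10000}}); err != nil {
			panic(err) // both layouts carry the same module set, so this cannot fail
		}
	}
	return c
}

func main() {
	c := demoCanonicalizer()
	pc, err := c.Canonicalize(1, 0xffffffffc0200123)
	fmt.Printf("instance 1 pc 0xffffffffc0200123 -> canonical 0x%x, err=%v\n", pc, err)
	_, err = c.Canonicalize(7, 0xffffffffc0200123)
	fmt.Println("unregistered instance 7:", err)
}
```

The translation is an offset within the module, so it only holds if the module set and sizes match between instances; a PC that falls outside every known module, or a module the canonical instance never saw, is rejected rather than silently mapped.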
| |
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues with the above are:
- need to know which files are present on the target device
- need to write an openat for each file
With dirname added, one file in the directory is opened at random
and its fd is then passed to write/read/close.
* all: use typename glob to match filenames
Fixes #481
| |
Use strconv.ParseUint instead of Sscanf, it's simpler
for parsing of a single number.
| |
The PCs returned for dynamically loaded kernel modules (DLKM) are not
parsed in the coverage page; these PCs are dropped.
This commit uses the DLKM modules' load addresses and symbol files
to restore the PCs and show coverage data for DLKMs.
Introduced a new config option module_obj to specify module directories.
Example of config:
"module_obj": [
"module_path1",
"module_path2"
]
For the Linux target, before Manager.Connect runs, load addresses are
read from /proc/modules in order to group PCs into modules.
So if modules are under the kernel_obj or module_obj dir,
their addresses and paths can be generated automatically.
kernel_obj is searched before the module_obj dir and the first found
.ko object is always used.
Also note that KASLR needs to be disabled.
It's better to keep functionality in packages rather than in main.
It makes it reusable and better organized.
Move machine info functionality to pkg/host and do some cosmetic refactoring.