| Commit message (Collapse) | Author | Age | Files | Lines |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
Flatbuffers compiler generates slices of pointers for these types,
so return slices of pointers to avoid converting the whole slice.
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks that the executor does not fail.
The executor can also return a special "this feature does not need custom setup",
which allows not calling setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with the wifi feature enabled;
if setup of the feature fails, the executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines the results of these 2 checks into the final result.
syz-execprog now also uses the vminfo package and mimics the same checking procedure.
Update #1541
For some reason it started to consistently time out on CI
(got 3 failures in a row). Disable it under race detector.
Start switching from host.Features to flatrpc.Features.
This change is supposed to be a no-op,
just to reduce future diffs that will change
how we obtain features.
Remove T suffix from object API types.
It seems that we will use these types throughout the code,
and the suffix looks alien in Go code.
So it's better to remove it before we start using
these names more widely.
Also add a few extensions we will need to move feature
checking to the host.
Switch to flatrpc.FileInfoT instead.
In preparation for pkg/host removal and to avoid
circular dependencies in future changes.
In preparation for pkg/host removal.
Nothing in pkg/host uses KernelModule, and pkg/cover
is effectively the only user of KernelModule.
Print a better message and print it when verbosity >= 1.
This will make it easier to diff any changes in enabled
syscalls caused by future code changes.
No test b/c this code should be deleted soon.
We already disable it in descriptions and during sanitization.
Disable the syscall in descriptions rather than in the code.
This makes it more visible for users that it's disabled,
and makes it less special (will not need to move this logic to host).
Also change the condition in syz-sysgen to be more precise,
otherwise syz_execute_func becomes unused function.
Move more complex glob processing to the host (into prog package).
Make fuzzer just read and return globs if requested.
This moves us closer to #1541
This moves significant part of logic from the target to host (#1541),
eventually this will allow us to switch target code from Go to C++.
Currently syz-fuzzer parses a number of system files (/proc/cpuinfo)
in non-trivial ways and passes that info to the host.
This is problematic to recreate in C++.
So instead make the fuzzer part as simple as possible:
now it merely reads the given set of files and returns their contents.
The rest of the parsing happens on the host (the new vminfo package).
Package vminfo extracts information about the target VM.
The package itself runs on the host, which may be a different OS/arch.
The user of the package first requests the set of files that need to be fetched from the VM
(Checker.RequiredFiles), then fetches these files, and calls Checker.MachineInfo
to parse the files and extract information about the VM.
The information includes information about kernel modules and OS-specific info
(for Linux that includes things like parsed /proc/cpuinfo).
This also requires changing RPC flow between fuzzer and manager.
Currently, Check call is optional and happens only for first VMs.
With this change Check is always done because we need to return
contents of the requested files always.
The plan is to switch the rest of the pkg/host package to this scheme later:
instead of some complex custom logic, we need to express it as some
simple operations on the target (checking file presence, etc), and the rest
of the logic on the host.
Akaros support is unused, it was shut down on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and didn't support Go. Remove it.
Addresses from /proc/modules have little to do with the addresses of
modules' text sections. Instead of trying to fix them by parsing ELF
headers, stop supporting this use case.
It is still possible to pass modules.json to syz-cover.
The address from /proc/modules is not necessarily the address of .text,
e.g., can be the address of .plt.
If available, fix up the module address using the address from
/sys/module/<module-name>/sections/.text
This patch was originally uploaded to
https://github.com/google/syzkaller/pull/4025.
Additions to the original patch:
- fix lint warnings
- adjust the module size to account for the diff between the module
address and .text address
Signed-off-by: Alexander Potapenko <glider@google.com>
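The two commits above describe the same host-side scheme from two angles: the vminfo commit has the target only read and return file contents while all parsing happens on the host, and this commit fixes up the /proc/modules address with the .text address from /sys/module/<name>/sections/.text and shrinks the size by the difference. The following is an added Go example of that combination; it is not syzkaller's own code, the /proc/modules and sections/.text contents are constructed sample data, and KernelModule, parseProcModules, fixupTextAddr and MachineInfo are hypothetical names rather than the project's API.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// KernelModule is a hypothetical host-side record of one loaded module:
// the start of its .text (after fix-up) and the size of that region.
type KernelModule struct {
	Name string
	Addr uint64
	Size uint64
}

// parseProcModules parses raw /proc/modules contents fetched from the VM. Each line is
// "name size refcount deps state address [taint]"; the address is the load address.
func parseProcModules(data string) ([]KernelModule, error) {
	var mods []KernelModule
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 6 {
			return nil, fmt.Errorf("malformed /proc/modules line: %q", sc.Text())
		}
		size, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad size in %q: %v", sc.Text(), err)
		}
		addr, err := strconv.ParseUint(fields[5], 0, 64)
		if err != nil {
			return nil, fmt.Errorf("bad address in %q: %v", sc.Text(), err)
		}
		mods = append(mods, KernelModule{Name: fields[0], Addr: addr, Size: size})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return mods, nil
}

// fixupTextAddr replaces the /proc/modules address with the .text address from
// sections/.text and shrinks the size by the distance, so Addr+Size is unchanged.
func fixupTextAddr(mod KernelModule, sectionsText string) (KernelModule, error) {
	text, err := strconv.ParseUint(strings.TrimSpace(sectionsText), 0, 64)
	if err != nil {
		return mod, fmt.Errorf("bad .text address for %v: %v", mod.Name, err)
	}
	if text < mod.Addr || text-mod.Addr >= mod.Size {
		return mod, fmt.Errorf(".text %#x of %v lies outside [%#x, %#x)",
			text, mod.Name, mod.Addr, mod.Addr+mod.Size)
	}
	mod.Size -= text - mod.Addr
	mod.Addr = text
	return mod, nil
}

// MachineInfo is the host-side step: it takes the file contents the target fetched
// (keyed by path) and turns them into module info. A module whose sections/.text
// was not readable keeps its /proc/modules address.
func MachineInfo(files map[string]string) ([]KernelModule, error) {
	mods, err := parseProcModules(files["/proc/modules"])
	if err != nil {
		return nil, err
	}
	for i, mod := range mods {
		text, ok := files["/sys/module/"+mod.Name+"/sections/.text"]
		if !ok {
			continue
		}
		if mods[i], err = fixupTextAddr(mod, text); err != nil {
			return nil, err
		}
	}
	return mods, nil
}

// sampleFiles is constructed sample data standing in for files fetched from a VM.
var sampleFiles = map[string]string{
	"/proc/modules": "nf_tables 258048 3 nft_compat,nft_counter, Live 0xffffffffc0a00000\n" +
		"nft_compat 24576 0 - Live 0xffffffffc09f0000 (O)\n",
	"/sys/module/nf_tables/sections/.text": "0xffffffffc0a02000\n",
}

func main() {
	mods, err := MachineInfo(sampleFiles)
	if err != nil {
		panic(err)
	}
	for _, m := range mods {
		fmt.Printf("%-10s text=%#x size=%d\n", m.Name, m.Addr, m.Size)
	}
}
```

With the sample data, nf_tables moves from 0xffffffffc0a00000 to 0xffffffffc0a02000 and its size drops by 0x2000 to 249856, while nft_compat, which has no sections/.text entry in the map, is left as reported. A .text address that is below the load address or beyond its size is rejected rather than silently producing a negative size.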
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
Add new pseudo-syscall for creating a socket in init netns and connecting to
NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
Test the filesystem for the fallocate support. It's cheaper than having
to manually zero-write the whole swap file, which can be quite slow on
emulated VMs.
As testing /tmp does not make much sense (it can be a totally different
filesystem), create a temp file directly in the user home directory.
Change-Id: I3119aed5cfe223e24cfc56b27612adaf2a638a99
* syz-manager: endpoint to display canonical modules
Add a "/modules" endpoint that displays canonical module
information.
* tools/syz-cover: accept module info
Add support to syz-cover to generate coverage reports for drivers that
are built as kernel modules.
At the moment, ReportGenerator instances are created with no
[]host.KernelModule information. As a result, discoverModulesLinux()
does not process kernel modules, only the vmlinux.
Add a "-modules" flag that accepts module info. This info
can be fetched from the web UI at "/modules".
Usage:
$ ./bin/syz-cover -arch arm64 -kernel_obj ${KOBJ} -kernel_src ${KSRC} \
-json ~/report.json -modules ~/modules \
~/rawcover
If the feature is supported on the device, allocate a 128MB swap file
after VM boot and activate it.
Created a hash in syz-manager to map between each
instance address and a stored canonical address.
Translate PC coverage values when receiving inputs
from VMs and when sending inputs to each VM.
Signal conversion and coverage filtering will be
fixed in a future commit.
Edit from last (reverted) PR: added a check to confirm
fuzzer has been instantiated before canonicalization.
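The translation step this commit describes, as an added Go example that is not syzkaller's own code: each VM reports where its modules are loaded, the manager keeps the layout of the first VM as canonical, and a PC is translated once when coverage arrives from a VM and back again when an input is sent to a VM. PCs that fall outside every module (vmlinux) are identical in all VMs and pass through untouched. The module layouts are constructed sample data, and module, canonicalizer, ToCanonical and FromCanonical are hypothetical names.

```go
package main

import "fmt"

// module records where one kernel module's text is loaded in a given VM.
type module struct {
	name string
	addr uint64
	size uint64
}

// canonicalizer translates PCs between one VM instance's module layout and the
// canonical layout (the layout of the first VM that connected).
type canonicalizer struct {
	canonical, instance     []module          // module layouts
	canonByName, instByName map[string]module // the same layouts by name
}

func byName(mods []module) map[string]module {
	m := make(map[string]module, len(mods))
	for _, mod := range mods {
		m[mod.name] = mod
	}
	return m
}

// newCanonicalizer refuses layouts that differ in module set or size: offsets would not line up.
func newCanonicalizer(canonical, instance []module) (*canonicalizer, error) {
	if len(canonical) != len(instance) {
		return nil, fmt.Errorf("canonical has %d modules, instance has %d", len(canonical), len(instance))
	}
	c := &canonicalizer{canonical: canonical, instance: instance,
		canonByName: byName(canonical), instByName: byName(instance)}
	for _, m := range instance {
		cm, ok := c.canonByName[m.name]
		if !ok {
			return nil, fmt.Errorf("module %v is not in the canonical layout", m.name)
		}
		if cm.size != m.size {
			return nil, fmt.Errorf("module %v: size %d in instance, %d canonical", m.name, m.size, cm.size)
		}
	}
	return c, nil
}

// find returns the module whose [addr, addr+size) contains pc (linear scan; module lists are short).
func find(mods []module, pc uint64) (module, bool) {
	for _, m := range mods {
		if m.addr <= pc && pc-m.addr < m.size {
			return m, true
		}
	}
	return module{}, false
}

// translate keeps the offset inside the module and swaps the module base.
func translate(from []module, to map[string]module, pc uint64) uint64 {
	m, ok := find(from, pc)
	if !ok {
		return pc // vmlinux PC, same in every VM
	}
	return pc - m.addr + to[m.name].addr
}

// ToCanonical is applied to coverage PCs received from this VM.
func (c *canonicalizer) ToCanonical(pc uint64) uint64 {
	return translate(c.instance, c.canonByName, pc)
}

// FromCanonical is applied to inputs before they are sent to this VM.
func (c *canonicalizer) FromCanonical(pc uint64) uint64 {
	return translate(c.canonical, c.instByName, pc)
}

// Constructed sample layouts: the same two modules loaded at different addresses.
var (
	canonicalLayout = []module{
		{"nf_tables", 0xffffffffc0a02000, 249856},
		{"nft_compat", 0xffffffffc09f0000, 24576},
	}
	instanceLayout = []module{
		{"nf_tables", 0xffffffffc0b12000, 249856},
		{"nft_compat", 0xffffffffc0c00000, 24576},
	}
)

func main() {
	c, err := newCanonicalizer(canonicalLayout, instanceLayout)
	if err != nil {
		panic(err)
	}
	pc := uint64(0xffffffffc0b13234) // inside nf_tables in this instance
	fmt.Printf("instance %#x -> canonical %#x\n", pc, c.ToCanonical(pc))
}
```

The size check in newCanonicalizer is the part worth keeping: if a VM has a differently sized build of a module, offsets past the size difference would be attributed to the wrong code, which silently corrupts the corpus rather than failing loudly.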
This reverts commit c778c7f49050c40ff7c5e409d9b2c667483b3fc9.
We're getting the following panic:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x103ffdd]
goroutine 44811 [running]:
main.(*RPCServer).NewInput(0xc001010bb0, 0xc01d0b60a0, 0x1?)
syz-manager/rpc.go:270 +0x2dd
Created a hash in syz-manager to map between each
instance address and a stored canonical address.
Translate PC coverage values when receiving inputs
from VMs and when sending inputs to each VM.
Signal conversion and coverage filtering will be
fixed in a future commit.
The syscall sets PKRU register which is part of protection keys (pkey).
Initialize_devlink_pci in executor fails w/o /proc/self/ns/net.
See https://groups.google.com/g/syzkaller/c/yJWM1_2DxUY
They do not exist on ARM64 Linux and break syzkaller tests on them.
Default maxTokenSize is 64k.
On 128 cores, I experienced a 120k long token (len(flags * 128)).
+ check for scanner errors
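The scanner limit this commit refers to, as an added Go example that is not syzkaller's own code: bufio.Scanner stops silently on a line longer than its buffer (Scan just returns false), and the only signal is the error from Scanner.Err, so raising the limit with Scanner.Buffer and checking Err go together. scanLines is a hypothetical helper and the 120 kB line is constructed to mimic a /proc/cpuinfo flags line on a many-core machine.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// scanLines reads r line by line, allowing tokens up to maxToken bytes.
// The default limit is bufio.MaxScanTokenSize (64 KiB); a longer line makes
// Scan return false, and only Err reveals why, so it is always checked.
func scanLines(r io.Reader, maxToken int) ([]string, error) {
	sc := bufio.NewScanner(r)
	// Start small and let the scanner grow the buffer up to maxToken.
	sc.Buffer(make([]byte, 0, 4096), maxToken)
	var lines []string
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	if err := sc.Err(); err != nil {
		return lines, fmt.Errorf("scanning input: %w", err)
	}
	return lines, nil
}

// cpuinfoFlags is a constructed stand-in for a /proc/cpuinfo "flags" line
// of about 120 kB, well past the 64 KiB default limit.
func cpuinfoFlags() string {
	return "flags\t\t: " + strings.Repeat("fpu vme de pse tsc msr pae mce cx8 apic ", 3000)
}

func main() {
	input := "processor\t: 0\n" + cpuinfoFlags() + "\nbugs\t\t: spectre_v1\n"

	// Default limit: Scan stops at the long line and Err reports bufio.ErrTooLong.
	lines, err := scanLines(strings.NewReader(input), bufio.MaxScanTokenSize)
	fmt.Printf("default limit: %d lines, err=%v\n", len(lines), err)

	// Raised limit: every line comes back and the flags line is intact.
	lines, err = scanLines(strings.NewReader(input), 1<<20)
	fmt.Printf("1 MiB limit: %d lines, err=%v\n", len(lines), err)
}
```

Without the Err check the first run would look like a /proc/cpuinfo with one line and no flags at all, which is exactly how a truncated feature list ends up disabling syscalls for no visible reason.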
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will be tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
This commit replaces all `ioutil.TempDir` with `t.TempDir` in tests.
The directory created by `t.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
When syz-fuzzer starts, it tries all syscalls to filter out any that are
not supported. This process should include only the syscalls that are
enabled using the 'enable_syscalls' and 'disable_syscalls' fields in
syz-manager's config.
This is useful for fuzzing Cuttlefish devices, for example, where the
'vhost_vsock' syscall needs to be excluded from fuzzing and from this
test.
Add an empty common_ext.h which is included into executor and C reproducers
and can be used to add non-mainline pseudo-syscalls w/o changing any other files
(by replacing common_ext.h file).
It would be good to finish #2274 which allows to add pseudo-syscalls
along with *.txt descriptions, but #2274 is large and there are several
open design questions. So add this simple extension point for now.
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
Pseudo syscalls can (and most of the time do) invoke normal system
calls. However, when there's a risk that those calls might not be
present, syzkaller needs to take preventive actions - prepend the
corresponding defines. Otherwise syz-executor or C reproducers might
not compile on the host machine.
List those dependencies in sys/targets, check them during machine check
and add the corresponding defines during C source generation.
It turns out that the current Linux implementation of KCOV does not
properly handle multiple mmap invocations on the same instance. The
first one succeeds, but the subsequent ones do not actually mmap
anything, yet return no error at all.
The ability to mmap that memory multiple times allows us to increase
syz-executor performance and it would be a pity to completely lose it
(especially given that mmapping kcov works fine on *BSD).
In some time a patch will be prepared, but still we will have to support
both versions at the same time - the buggy one and the correct one.
Detect whether the bug is present by writing a value at the pointer
returned by mmap. If it is present, disable dynamic kcov mmapping and
pre-mmap 5 instances in the main() function - it should be enough for
all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap
them as needed.
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmaped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller to
fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
Executor prints what's failed during setup command.
Log this output so that it's visible in syz-execprog/fuzzer output.
Since commit 4f7e1d0f5e1c ("sys/linux: use openat for /dev/cdrom")
changed syz_open_dev to openat, syzkaller tries to open /dev/cdrom
with r,w,rw flags. However, if there is no media in a cdrom
device these attempts will fail resulting in:
> disabling openat$sr: open(/dev/sr0) failed: no medium found
Add O_RDONLY|O_NONBLOCK mode to successfully open cdrom devices
with no media.
Signed-off-by: Denis Efremov <efremov@linux.com>
Other architectures check for targets.xxxx so do the same for PPC.
This drops "pppc64" (which is big endian) for now as it has never
been tested and this is unlikely to happen in the future.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
"make generate" produces this diff when go 1.17 (go1.17-c95464f0ea3f==upstream)
is used. Seems compatible with >=1.16.
https://github.com/golang/go/commit/4d2d89ff42ca documents the syntax.
https://github.com/golang/go/commit/eeadce2d8713 enforces "ignore" for
unsatisfiable tags hence the pkg/csource/gen.go change.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
It creates a temp dir in cwd, which is not guaranteed to be writable.
Create temp dir in temp instead.
Also don't assume Linux path separator, won't work on Windows.
Also actually check the result, current test would be happy
if glob always returns empty match as well.
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues with the above are:
- need to know which files are present on the target device
- need to write openat for each file
With dirname added, one file in the directory is opened
randomly and then the fd is passed to
write/read/close.
* all: use typename glob to match filename
Fixes #481