Commit message

Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
We currently panic if the syz reproducer was not provided, but it's
actually a valid situation - it happens if we perform patch testing for
build/boot/test errors.
Closes #4907.
When we rewrite syz-fuzzer in C++, flag parsing will be painful,
so send as many parameters as possible to syz-fuzzer via RPC rather than as flags.
It's not used anymore.
When we accept new kernels for fuzzing we need more extensive testing,
but syz-ci switched to using syz-manager for this purpose.
Now instance testing is used only for bisection and patch testing,
which does not need such extensive image testing (it may even harm).
So just run a simple program as a test.
It also uses the same features as the target reproducer,
so e.g. if the reproducer does not use wifi, we won't test it,
which reduces the chances of hitting unrelated kernel bugs.
Switch to flatrpc.ExecOpts.
Remove things that are only needed for target VM communication:
conditional compression, timeout scaling, traffic stats.
To minimize diffs when we switch target VM communication to flatrpc.
syz-runtest effectively implemented the same execute program/return result
mechanism we use now for normal fuzzing.
So extend the general mechanism to allow collecting output/errors,
repeating a program, and executing a precompiled binary as a test.
And switch syz-runtest to the general mechanism.
This removes another chunk of code from syz-fuzzer.
Move all ExecOpts logic from the fuzzer to the manager.
This makes the fuzzer simpler and will allow varying
options across requests.
All callers of Run always call MonitorExecution right after it.
Combine these 2 methods. This allows hiding some implementation
details and simplifies users of the vm package.
RPC compression takes up to 10% of CPU time in profiles,
but it's unlikely to be beneficial for local VM runs
(we are mostly copying memory in this case).
Enable RPC compression based on the VM type
(local VMs don't use it, remote machines use it).
In the cases where we do not / cannot sandbox individual prog executions
well enough, some share of progs end up being dependent on the
previously accumulated state of the whole VM.
As a result,
* We lose 5-10% of coverage/signal on every instance restart.
* A share of our corpus programs do not actually trigger the coverage
they were thought to reliably trigger.
This significantly affects fuzzing efficiency and prevents syzkaller
from accumulating a bigger and better corpus over multiple runs.
Let's see if the situation becomes better if we restart syz-executor
before most of prog executions.
In some cases (e.g. gVisor instances using host's network namespace)
attempts to bind() all syz-fuzzer processes to the same port result in
conflicts and fuzzing breakages.
Refactor the code to enable custom pprof configuration depending on the
vm type.
For now, just disable pprof endpoints for gVisor VMs. Once we actually
need the feature there, we can generate custom ports for every gVisor
VM.
This will help avoid a circular dependency pkg/vcs -> pkg/report ->
pkg/vcs.
It's not correct to mix them since they point to fundamentally different
issues:
1) Boot time errors are caused by a problematic kernel image and can
only be resolved by using another kernel version or config.
2) Infrastructure errors are temporary, so we can just try again some
time later.
Reserve the existing BootError for (1) errors and let all other VM
handling errors refer to (2).
To make it possible to attach more output to the infra error, introduce
the VerboseInfraError type.
Otherwise we might end up in a situation where we have stopped all
fuzzing, but wait for the job processor to report Done to the waitgroup
object.
This will help reduce the number of overcommitted VMs.
Currently it's held during the whole job processing, which can take too
long.
Adjust it so that it's only taken when we really begin to build the
kernel or syzkaller.
Previously we only used the linter from the syz-ci config when building
the kernel for regular fuzzing. We were missing some plumbing to have
this setting reach patch testing and bisection jobs.
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
This might help get more insight into patch testing failures, especially
for old bugs.
Currently syzbot only saves a log if there was a build/test error.
Closes #3185
Fix these crashes:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xd430ae]
goroutine 875 [running]:
github.com/google/syzkaller/pkg/instance.(*inst).testRepro.func1(...)
pkg/instance/instance.go:371
github.com/google/syzkaller/pkg/instance.(*inst).testRepro(0xc0005a2c80)
pkg/instance/instance.go:396 +0x26e
github.com/google/syzkaller/pkg/instance.(*inst).test(0xc0005a2c80)
pkg/instance/instance.go:293 +0xf2
github.com/google/syzkaller/pkg/instance.(*env).Test.func1()
pkg/instance/instance.go:237 +0x26
created by github.com/google/syzkaller/pkg/instance.(*env).Test
pkg/instance/instance.go:237 +0x1d7
syz-ci.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Previously it was copypasted in pkg/instance, pkg/repro,
tools/syz-crash. Use the single implementation instead.
Also, this commit fixes a bug - the previous code always set collide to
true while reproducing a bug, which led to an immediate syz-execprog's
exit. As a result, newer bugs with .syz repro only were never actually
reproduced on #syz test requests.
Syzbot tests patches with -collide=true in order to trigger more bugs,
but now that -collide flag is deprecated, this no longer makes sense.
Moreover, it actually prevents the testing of bugs with syz repro now -
syz-execprog immediately exits due to -collide=true and env.Test()
accepts it as a normal outcome.
Set -collide=true only for those bugs where collide was set to true by
the reproducer (and therefore syzkaller at that revision supported it).
Don't exit from syz-execprog immediately if -collide is set to true.
This will prevent such bugs from happening later and make the problem
more visible.
This was initially part of #3083, but seems to be more urgent to merge,
so pushing it as a separate PR.
Otherwise we get problems while testing patches for older syzkaller
versions, which didn't support optional arguments.
Adjust tests so that problems with how OldFuzzerCmd handles such
arguments could be seen.
Raw coverage might be important when e.g. analysing the origins of
out-of-place coverage in coverage reports or understanding why the
fuzzer could not reach deeper code.
If "raw_cover" is set to true, syzkaller will remember unsorted and
unduplicated coverage (PCs) for each of its corpus programs.
The method already has too many arguments, which complicates the further
addition of new features. Introduce FuzzerCmdArgs structure to overcome
the problem.
Now we use go1.16+, but sometimes syz-ci still has to compile and run
old syzkaller revisions, which were not meant to be compiled with modern
Go.
In particular, this leads to the following errors:
syzkaller build failed: failed to run ["make" "target"]: exit status 2
tools/syz-make/make.go:14:2: no required module provides package
github.com/google/syzkaller/pkg/osutil: go.mod file not found in
current directory or any parent directory; see 'go help modules'
tools/syz-make/make.go:15:2: no required module provides package
github.com/google/syzkaller/sys/targets: go.mod file not found in
current directory or any parent directory; see 'go help modules'
Makefile:39: *** syz-make failed. Stop.
Fix this by adding GO111MODULE=auto to the environment variables.
Reported-by: Taylor R Campbell <riastradh@netbsd.org>
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous approach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
Currently syzkaller only applies its suppressions regexps to the oops message
itself and a small number of its preceding bytes. A case has been reported
(#2685), where it was important to analyse a bigger portion of output data.
Pass the whole log and a starting position to the `Report.Parse` method
separately instead of passing an already cut log there. Adjust use cases of
the `Report.Parse` method to handle its new behavior.
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case as adding
extra parameters to the post-processing forces the developer to adjust all
implementations that may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
Default compilers are specified in the OS- and platform-dependent logic.
It is more convenient to extract info about them during the kernel build
itself, rather than during the manager object initialization.
Apply the necessary changes throughout the code that is involved in
building the kernels and processing information about this process.
The struct pkg.build.Params is currently primarily passed on as a
pointer, which makes it hard to see the places where it can
(and should) actually be modified.
Make it all more explicit by only passing pointer references to objects
of this type when the object is expected to be modified by the function.
In fact, at this moment there are no such situations.
environment for each program
These can be used to disable threaded execution and collision mode for program's system calls.
This function creates the command for starting a runner with the provided command line arguments.
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
Everything in syzkaller is syz-something, it's pointless to add syz prefix
to everything and it unnecessarily increases clutter. Remove the prefix.
Also, rename ExecutorCmd in target to ExecutorBin to make it consistent
with mgrconfig and ExecprogBin/FuzzerBin.
These are widely used with the config as the refactoring shows.
This removes a bunch of unnecessary code.
Also fixes a number of bugs where we confused Arch with VMArch.
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to the possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
Add option to use ccache in kernel builds.
Signed-off-by: Jouni Hogander <jouni.hoegander@partner.bmw.de>
For debugging of:
https://groups.google.com/forum/#!topic/syzkaller-bugs/2lgvlHd8t1c
SkipPos is what pkg/instance needs,
but also will be needed for ParseAll.
Currently only the syz file is taken into account when testing.
Also use the C source file if available. Still use syz as the "main"
reproducer.
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.
Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.
All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.