| Commit message | Author | Age | Files | Lines |

Raw coverage might be important when e.g. analysing the origins of
out-of-place coverage in coverage reports or understanding why the
fuzzer could not reach deeper code.
If "raw_cover" is set to true, syzkaller will remember unsorted and
unduplicated coverage (PCs) for each of its corpus programs.
The method already has too many arguments, which complicates the further
addition of new features. Introduce FuzzerCmdArgs structure to overcome
the problem.
Now we use go1.16+, but sometimes syz-ci still has to compile and run
old syzkaller revisions, which were not meant to be compiled with modern
Go.
In particular, this leads to the following errors:
syzkaller build failed: failed to run ["make" "target"]: exit status 2
tools/syz-make/make.go:14:2: no required module provides package
github.com/google/syzkaller/pkg/osutil: go.mod file not found in
current directory or any parent directory; see 'go help modules'
tools/syz-make/make.go:15:2: no required module provides package
github.com/google/syzkaller/sys/targets: go.mod file not found in
current directory or any parent directory; see 'go help modules'
Makefile:39: *** syz-make failed. Stop.
Fix this by adding GO111MODULE=auto to the environment variables.
Reported-by: Taylor R Campbell <riastradh@netbsd.org>
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous approach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
| |
Currently syzkaller only applies its suppressions regexps to the oops message
itself and a small number of its preceding bytes. A case has been reported
(#2685), where it was important to analyse a bigger portion of output data.
Pass the whole log and a starting position to the `Report.Parse` method
separately instead of passing an already cut log there. Adjust use cases of
the `Report.Parse` method to handle its new behavior.
| |
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case as adding
extra parameters to the post-processing forces the developer to adjust all
implementations that may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
| |
Default compilers are specified in the OS- and platform-dependent logic.
It is more convenient to extract info about them during the kernel build
itself, rather than during the manager object initialization.
Apply the necessary changes throughout the code that is involved in
building the kernels and processing information about this process.
| |
The struct pkg.build.Params is currently primarily passed on as a
pointer, which makes it hard to see the places where it can
(and should) actually be modified.
Make it all more explicit by only passing pointer references to objects
of this type when the object is expected to be modified by the function.
In fact, at this moment there are no such situations.
environment for each program
These can be used to disable threaded execution and collision mode for a program's system calls.
This function creates the command for starting a runner with the provided command line arguments.
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
| |
Everything in syzkaller is syz-something, it's pointless to add syz prefix
to everything, and it unnecessarily increases clutter. Remove the prefix.
Also, rename ExecutorCmd in target to ExecutorBin to make it consistent
with mgrconfig and ExecprogBin/FuzzerBin.
| |
These are widely used with the config as the refactoring shows.
This removes a bunch of unnecessary code.
Also fixes a number of bugs where we confused Arch with VMArch.
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to the possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
| |
Add option to use ccache in kernel builds.
Signed-off-by: Jouni Hogander <jouni.hoegander@partner.bmw.de>
| |
For debugging of:
https://groups.google.com/forum/#!topic/syzkaller-bugs/2lgvlHd8t1c
| |
SkipPos is what pkg/instance needs,
but also will be needed for ParseAll.
| |
Currently only syz file is taken into account when testing.
Use also c source file if available. Still use syz as a "main"
reproducer.
| |
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.
Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.
All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.
| |
Move HostFuzzer from vm/qemu.
It's needed in a number of other packages
and strictly speaking is not specific to qemu
(it just happened that both fuchsia and akaros only support qemu).
| |
Detect bisection to merge commits and to commits that don't affect
kernel binary (comments, other arches, whitespaces, etc).
Such bisections are not reported in emails (but shown on web).
Update #1271
| |
Add optional build signature for images, currently only implemented for linux.
This can be used in bisection process to detect changes that do not affect kernel.
Update #1271
| |
Image takes too many arguments, so we need to do lots of forwarding,
adding new arguments is painful and most OSes are not interested
in lots of arguments.
Combine all arguments into a params struct.
| |
(note: incomplete change)
Refactor existing code as follows:
* Move reusable test utility functions from git_repo_test.go to
pkg/vcs/test_util.go and make them exported.
* Split Run() into Run()+runImpl().
* Change type of bisect.go:env.inst to `instance.BuilderTester`.
Change usage inside syz-testbuild/testbuild.go accordingly.
* Move most of linux.PreviousReleaseTags() into vcs/git.go as
git.previousReleaseTags().
* Allow build.CompilerIdentity to be mocked.
Introduce the following changes:
* instance.BuilderTester is an interface with methods
BuildSyzkaller()
BuildKernel()
Test()
NewEnv() now returns this interface.
* type testEnv implements instance.BuilderTester.
* type testBuilder implements builder interface. Add an entry into table
inside pkg/build/build.go:getBuilder() to return testBuilder object.
| |
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
| |
To avoid conflicts with programs that import both syzkaller packages
and github.com/golang/glog which also defines -v flag.
| |
In several places we do special handling for some crash types.
Currently we compare report title with magic strings,
which is error-prone. Add explicit Type to reports.
| |
vmConfig value is interface{}, not string.
So compare with nil and assign int.
| |
* pkg/instance: break the line to appease linter
* fix up format
| |
.config is linux-ism. We have a convention that kernel config
is copied to kernel.config file. Use it.
| |
If a manager has fewer than 10 VMs, override it to 10 for bisection.
If a manager has only 1 VM, bisection won't end well.
| |
We are seeing some flakes during bisection and image testing.
Hard to tell what's the root cause because they are episodic.
But using non-preemptible VMs for bisection and image testing
looks good on all fronts.
Update #501
| |
Running bisection using an older repro failed with:
<stdin>: In function ‘syz_mount_image.constprop’:
<stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
In file included from <stdin>:26:0:
/usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
extern int mkdir (const char *__path, __mode_t __mode)
Let's be safe and ignore warnings during repro/bisect.
Everything that runs during tests still has all warnings.
Update #501
| |
Currently we truncate output up to rep.EndPos after unexpected reboot.
But report sets EndPos to the _last_ report in output,
so if there are any other errors they are all skipped after
truncation to EndPos. Truncate just one line instead.
| |
Since we can be building very old revisions for bisection here,
make the build as permissive as possible.
Newer compilers tend to produce more warnings; also, kernel headers may be broken, e.g.:
ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’
Update #501
| |
Currently we always pass cover=false during instance testing
and as a result coverage is not tested. This can result in
broken images. Pass the actual value of coverage for testing.
| |
Currently we only support canExit flag.
However there are actually 3 separate conditions:
- program can exit normally
- program can timeout (e.g. fuzzer test or runtest can't)
- program can exit with error (e.g. C test can)
Allow specifying these 3 conditions separately.
| |
The current code is linux specific, generalize it to other OSes.
| |
Update #712
| |
If pkg/build produces a kernel, inject it into vmm config too.
This will allow continuous build with vmm VM type.
Update #712
| |
We currently have this list in multiple places (somewhat diverged).
Specify this "overcommit" property in VM implementations.
In particular, we also want to allow overcommit for "vmm" type.
Update #712
| |
New FuzzerCmd generates flags that can't be parsed by an old fuzzer.
Fix that and add a test.
| |
The tool is run as:
$ syz-runtest -config manager.config
This runs all programs from sys/*/test/* in different modes
on actual VMs and checks results.
Fixes #603
| |
mgrconfig was used only by syz-manager initially,
but now it's used by a dozen packages and it's
weird to import from under a binary dir.
pkg/ is much more reasonable dir for a widely used
helper package.
| |
Only akaros needs OS, because the rest assume host OS.
But specifying OS for all OSes breaks patch testing on syzbot
because old execprog does not have os flag.