| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| |
|
|
|
|
|
|
|
| |
All OSes we have now support shmem.
Support for Fuchia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
| |
|
|
| |
Switch to flatrpc.ExecOpts.
|
| |
|
|
|
|
| |
Switch to flatrpc.ProgInfo.
Note: this disables syz-runtest and syz-verifier.
|
| |
|
|
|
|
| |
Flatrpc flags are passed in RPC execution requests,
so to avoid conversions and duplicate set of flags
use flatrpc flags in pkg/ipc directly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| |
|
|
|
|
|
|
| |
Move the test from executor to pkg/ipc to prevent import cycle
in the next change.
pkg/ipc looks like the most reasonable place for it (besides executor),
it already builds executor binary.
The test cannot be moved to pkg/csource b/c it will create csource<->ipc cycle.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pass EnvFlags into Exec instead of New.
This allows to change EnvFlags between executions.
Change of EnvFlags forces executor process restart
since it uses EnvFlags during setup.
Currently this is intended to be NFC since we always
pass the same EnvFlags.
In future this will allow to (1) reduce part of the
VM checking procedure to execution of programs with
different options (e.g. we can probe for coverage/comparisons
support, probe different sandboxes, etc);
(2) use it during fuzzing/reproduction, e.g. we can check
if the crash reproduces under setuid sandbox, or execute some
fuzzing programs in significantly different modes.
|
| |
|
|
|
| |
Fix checking of Logf, it has string in 0-th arg.
Add checking of t.Errorf/Fatalf.
|
| |
|
|
|
| |
OpenBSD in particular is not compatible with TestOS expectation
of having a syscall function.
|
| | |
|
| |
|
|
|
|
|
| |
Move image compression-related function to a separate package.
In preperation for subsequent changes that make decompression
more complex. Prog package is already large and complex.
Also makes running compression tests/benchmarks much faster.
|
| | |
|
| |
|
|
|
| |
The code to send rand source is dublicated in several packages.
Move it to testutil package.
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| |
|
|
|
|
|
|
| |
pkg/repro tries to clear the Threaded flag during repro simplification,
so it's easier just to ignore the remaining async flags in that case -
they won't be in the C repro either.
Add a test to pkg/ipc to verify the new behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
We need to check GOARCH instead of GOOS,
otherwise all executor failures are ignored...
|
| |
|
|
|
| |
It's not used for anything useful and will conflict
with automatic timeout tuning.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
| |
BrokenCompiler is only initialized after Get.
|
| |
|
|
| |
We may run some cross-arch tests using qemu-user.
|
| | |
|
| |
|
|
|
|
|
|
| |
In preparation to running some tests as github actions.
Both Travis and Github define CI env var, while TRAVIS is, well,
too Travis-specific.
Update #1699
|
| |
|
|
|
|
|
|
|
|
|
| |
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's just some arbitrary mmap,
but rather mapping of the data segment.
|
| |
|
|
|
| |
They don't belong there, executor does not know about them.
In preparation for future changes.
|
| |
|
|
| |
Update #977
|
| |
|
|
|
|
|
|
|
| |
Just appending the pid number can produce conflicting names
if the name itself ends with digits (standard temp file naming convention).
So append ".PID".
Also remove beginning from too long names instead of ending.
Temp files in tests has unique numbers at the end, we need to preserve them
to avoid file name conflicts.
|
| |
|
|
|
|
|
|
| |
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
|
| |
|
|
|
| |
Don't use random seed on travis as it produces flaky coverage reports,
and probably generally better for CI setting.
|
| |
|
|
|
|
| |
This patch add a new struct ProgInfo that for now holds info about each
call in a program []CallInfo, but in the future will be expanded with remote
coverage info. Update all the callers to use the new interface as well.
|
| |
|
|
|
| |
Move all ipc flags into pkg/ipc/ipcconfig package
so that importing pkg/ipc does pull in the flags.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
|
| |
|
|
|
| |
Pass actual target to DefaultConfig, that's what we really want,
not the stray ipc flag.
|
| |
|
|
|
|
|
| |
Currently we first send on errs and then close env.
As the result process can exit before env.Close finishes,
which will leave garbage behind.
Close env before sending on errs.
|
| |
|
|
|
|
| |
In most cases we have source in memory,
so provide a function to build right from memory
without creating temp files.
|
| | |
|
| |
|
|
|
|
| |
Don't use random programs for testing.
Sometimes they lead to flakes like:
opendir(./1/file0) failed (errno 13)
|
| |
|
|
| |
Fix typos, non-canonical code, remove dead code, etc.
|
| |
|
|
| |
Also add a test for this.
|
| |
|
|
|
|
|
| |
Currently threaded/collide are global environment flags.
It can be useful to turn off collider during some executions
(minimization, triage, etc).
Make them per-program options.
|
| |
|
|
|
|
|
| |
Boot and minimally test images before declaring them as good
and switching to using them.
If image build/boot/test fails, upload report about this to dashboard.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently use more complex and functional protocol on linux,
and a simple ad-hoc protocol on other OSes.
This leads to code duplication in both ipc and executor.
Linux supports coverage, shared memory communication and fork server,
which would also be useful for most other OSes.
Unify communication protocol and parametrize it by
(1) use of shmem or only pipes, (2) use of fork server.
This reduces duplication in ipc and executor and will
allow to support the useful features for other OSes easily.
Finally, this fixes akaros support as it currently uses
syz-stress running on host (linux) and executor running on akaros.
|
| |
|
|
| |
Update #191
|
| | |
|
| |
|
|
|
|
| |
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.
|
| |
|
|
|
| |
Add target config parameter (e.g. linux/amd64) which controls target OS/arch.
No more explicit assumptions about target.
|
| |
|
|
|
|
|
|
|
|
|
| |
Large overhaul moves syscalls and arg types from sys to prog.
Sys package now depends on prog and contains only generated
descriptions of syscalls.
Introduce prog.Target type that encapsulates all targer properties,
like syscall list, ptr/page size, etc. Also moves OS-dependent pieces
like mmap call generation from prog to sys.
Update #191
|
