path: root/pkg/ipc
Commit log [Author, Date, Files, Lines]
* all: collect raw coverage [Aleksandr Nogikh, 2022-03-28, 1 file, -7/+15]
  Raw coverage might be important when e.g. analysing the origins of out-of-place coverage in coverage reports or understanding why the fuzzer could not reach deeper code. If "raw_cover" is set to true, syzkaller will remember unsorted and unduplicated coverage (PCs) for each of its corpus programs.
* executor: ignore async flag in the non-threaded mode [Aleksandr Nogikh, 2021-12-13, 1 file, -3/+11]
  pkg/repro tries to clear the Threaded flag during repro simplification, so it's easier just to ignore the remaining async flags in that case - they won't be in the C repro either. Add a test to pkg/ipc to verify the new behavior.
* all: replace collide mode by `async` call property [Aleksandr Nogikh, 2021-12-10, 3 files, -6/+5]
  Replace the currently existing straightforward approach to race triggering (that was almost entirely implemented inside syz-executor) with a more flexible one. The `async` call property instructs syz-executor not to block until the call has completed execution and proceed immediately to the next call. The decision on what calls to mark with `async` is made by syz-fuzzer. Ultimately this should let us implement more intelligent race provoking strategies as well as make more fine-grained reproducers.
* all: adapt to how mmapping a kcov instance works in Linux [Aleksandr Nogikh, 2021-12-09, 1 file, -0/+1]
  It turns out that the current Linux implementation of KCOV does not properly handle multiple mmap invocations on the same instance. The first one succeeds, but the subsequent ones do not actually mmap anything, yet return no error at all. The ability to mmap that memory multiple times allows us to increase syz-executor performance and it would be a pity to completely lose it (especially given that mmapping kcov works fine on *BSD). In some time a patch will be prepared, but still we will have to support both versions at the same time - the buggy one and the correct one. Detect whether the bug is present by writing a value at the pointer returned by mmap. If it is present, disable dynamic kcov mmapping and pre-mmap 5 instances in the main() function - it should be enough for all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap them as needed.
* executor: fail if the first argument isn't a known command [Andrei Vagin, 2021-09-30, 1 file, -1/+1]
  We have seen cases when a test program re-execed the current binary:
  11:53:29 executing program 0:
  openat$zero(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
  r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
  lseek(r0, 0x4000000000000000, 0x4)
  execveat(r0, &(0x7f0000000080)='\x00', 0x0, 0x0, 0x1000)
  In such cases, we have to be sure that executor will not print SYZFAIL log messages and will not exit with kFailStatus. Since a659b3f1, syzkaller reports bugs in all these cases.
  Fixes: a659b3f1dc88 ("pkg/report: detect executor failures")
  Signed-off-by: Andrei Vagin <avagin@google.com>
* all: refactor fault injection into call props [Aleksandr Nogikh, 2021-09-22, 1 file, -8/+1]
  Now that call properties mechanism is implemented, we can refactor fault injection. Unfortunately, it is impossible to remove all traces of the previous approach. In reprolist and while performing syz-ci jobs, syzkaller still needs to parse the old format. Remove the old prog options-based approach whenever possible and replace it with the use of call properties.
* pkg/ipc: fix reflect.SliceHeader misuse [Dmitry Vyukov, 2021-02-22, 1 file, -6/+5]
  Pointed by golangci-lint. For context see https://github.com/golang/go/issues/40701
* pkg/ipc: scale sandbox timeout [Dmitry Vyukov, 2020-12-29, 1 file, -8/+7]
  Scale sandbox wait timeout according to the target slowdown. Also de-hardcode program timeout.
* all: make timeouts configurable [Dmitry Vyukov, 2020-12-28, 3 files, -8/+18]
  Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system. The struct allows controlling syscall/program/no output timeouts for OS/arch/VM/etc. See comment on the struct for more details.
* executor: remove hardcoded timeouts [Dmitry Vyukov, 2020-12-25, 1 file, -14/+20]
  In preparation for making timeouts tunable based on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
* pkg/ipc: fix running of executor tests [Dmitry Vyukov, 2020-12-09, 1 file, -2/+2]
  We need to check GOARCH instead of GOOS, otherwise all executor failures are ignored...
* syz-manager/manager.go, executor/executor.cc: support coverage filter [Kaipeng Zeng, 2020-12-06, 1 file, -6/+7]
* pkg/ipc: remove Config.Timeout [Dmitry Vyukov, 2020-11-30, 3 files, -33/+10]
  It's not used for anything useful and will conflict with automatic timeout tuning.
* sys/targets: add OS/Arch name consts [Dmitry Vyukov, 2020-10-26, 2 files, -2/+2]
  We use strings to identify OS/Arch. These strings are duplicated throughout the code base massively. golangci-lint points to possibility of typos and duplication. We already had to define these names in pkg/csource and disable checking for prog package. A future change triggers such warnings in another package. Add OS/Arch name consts to sys/targets so that they can be used to refer to OS/Arch. Use the consts everywhere.
* syz-fuzzer: ignore encodingexec buffer overflow errors [Dmitry Vyukov, 2020-10-01, 1 file, -1/+1]
  We started to see lots of "provided buffer is too small" with seeded syz_mount_image programs. Currently it fails whole VM, which is not good. Ignoring them is not perfect, but there does not seem to be any better simple solution.
* all: integrate with mac80211_hwsim [Aleksandr Nogikh, 2020-09-22, 1 file, -0/+1]
  Two virtual wireless devices are instantiated during network devices initialization. A new flag (-wifi) is added that controls whether these virtual wifi devices are instantiated and configured during proc initialization. Also, two new pseudo syscalls are added:
  1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an arbitrary packet into the wireless stack. It is injected as if it originated from the device identified by mac_addr.
  2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) -- puts a specific network interface into IBSS state and joins an IBSS network.
  Arguments of syz_80211_join_ibss:
  1) interface_name -- null-terminated string that identifies a wireless interface
  2) ssid, ssid_len -- SSID of an IBSS network to join to
  3) mode -- mode of syz_80211_join_ibss operation (see below)
  Modes of operation:
  JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
  JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9 seconds), syz_80211_join_ibss does not await IF_OPER_UP.
  JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed, syz_80211_join_ibss does not await IF_OPER_UP.
  Local testing ensured that these syscalls are indeed able to set up an operating network and inject packets into mac80211.
* pkg/ipc: fix cross-arch build in test [Dmitry Vyukov, 2020-08-22, 1 file, -1/+1]
  BrokenCompiler is only initialized after Get.
* pkg/ipc: run cross-arch executor tests [Dmitry Vyukov, 2020-08-22, 1 file, -10/+23]
  We may run some cross-arch tests using qemu-user.
* all: initialize vhci in linux [TheOfficialFloW, 2020-07-30, 1 file, -12/+13]
  * all: initialize vhci in linux
  * executor/common_linux.h: improve vhci initialization
  * pkg/repro/repro.go: add missing vhci options
  * executor/common_linux.h: fix type and add missing header
  * executor, pkg: do it like NetInjection
  * pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
  * executor/common_linux.h: fix format string
  * executor/common_linux.h: initialize with memset. For some reason {0} gets complaints about missing braces...
  * executor/common_linux.h: simplify vhci init
  * executor/common_linux.h: try to bring all available hci devices up
  * executor/common_linux.h: find which hci device has been registered
  * executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
  * sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
  * executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
  * executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
  * sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
  * sys/linux/l2cap.txt: add l2cap_conf_opt struct
  * executor/common_linux.h: just fill bd addr with 0xaa
  * executor/common_linux.h: just fill bd addr with 0xaa
* pkg/runtest: tell ASAN to not mess with our NONFAILING [Dmitry Vyukov, 2020-07-16, 1 file, -0/+2]
  It seems that different gcc's have different defaults for ASAN flags. Some fail with:
  run.go:67: nonfailing none/thr/repeat : FAIL: run 0: call 0 is not executed
  ASAN:DEADLYSIGNAL
  =================================================================
  ==67143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7b0befb0a2 bp 0x7f7b0cfdad10 sp 0x7f7b0cfda490 T1)
  #0 0x7f7b0befb0a1 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
  #1 0x404bbb in syz_compare(long, long, long, long) (/tmp/utor355225125.0+0x404bbb)
  #2 0x403cdf in execute_call(thread_t*) (/tmp/utor355225125.0+0x403cdf)
  #3 0x404006 in worker_thread(void*) (/tmp/utor355225125.0+0x404006)
  #4 0x7f7b0bc584a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
  #5 0x7f7b0b99ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
  Thread T1 created by T0 here:
  #0 0x7f7b0be9ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
  #1 0x406117 in execute_one() (/tmp/utor355225125.0+0x406117)
* all: fix comments format [Dmitry Vyukov, 2020-07-12, 1 file, -1/+2]
  Fix capitalization, dots at the end and two spaces after a period.
  Update #1876
* ipc: fix endianness issues [Alexander Egorenkov, 2020-06-23, 1 file, -3/+2]
  Use native byte-order for IPC and program serialization. This way we will be able to support both little- and big-endian architectures.
  Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
* pkg/ipc: support C compiler in non-standard location [Alexander Egorenkov, 2020-06-18, 1 file, -1/+0]
  If C compiler is installed e.g. in /opt then we have to import LD_LIBRARY_PATH.
  Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
* .golangci.yml: enable godot checker [Dmitry Vyukov, 2020-06-05, 1 file, -3/+3]
  A good one. Lots of fixed comments are contributed by episodic contributors. So it's good to catch these earlier.
* all: reformat code [Dmitry Vyukov, 2020-05-08, 1 file, -1/+1]
* all: replace TRAVIS env var with CI [Dmitry Vyukov, 2020-05-07, 1 file, -1/+1]
  In preparation to running some tests as github actions. Both Travis and Github define CI env var, while TRAVIS is, well, too Travis-specific.
  Update #1699
* prog: refactor target.MakeMmap [Dmitry Vyukov, 2020-04-18, 1 file, -2/+2]
  Make MakeMmap return more than 1 call. This is a preparation for future changes. Also remove addr/size as they are effectively always the same and can be inferred from the target (will also conflict with the future changes). Also rename to MakeDataMmap to better represent the new purpose: it's not just some arbitrary mmap, but rather a mapping of the data segment.
* pkg/ipc: remove use of unsafe [Dmitry Vyukov, 2020-02-09, 1 file, -4/+13]
  Unsafe is, well, unsafe. Plus it fails under the new checkptr mode in go1.14. Remove some uses of unsafe.
* pkg/ipc: don't use rate limiting for test os [Dmitry Vyukov, 2019-12-18, 1 file, -1/+1]
  It's not needed for test os and slows down pkg/runtest tests.
* pkg/ipc: fix potential nil deref [Dmitry Vyukov, 2019-11-26, 1 file, -2/+4]
  We've got the following crash:
  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x7d30ba]
  goroutine 75 [running]:
  github.com/google/syzkaller/pkg/ipc.(*command).exec(0xc000c68cb0, 0xc0001a4d20, 0xc00147a000, 0x1f28, 0x200000, 0x0, 0x0, 0xc00170a000, 0x1000000, 0x1000000, ...)
  /syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:783 +0x7ca
  github.com/google/syzkaller/pkg/ipc.(*Env).Exec(0xc0002de240, 0xc0001a4d20, 0xc016c2f440, 0x11, 0xc00019c7e0, 0x40, 0x1, 0xc016b6f590, 0x30, 0xc01615cc40)
  /syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:280 +0x104
  main.(*Proc).executeRaw(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x1, 0x0)
  /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:292 +0x1f3
  main.(*Proc).execute(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x0, 0x1, 0x1)
  /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:255 +0x6a
  main.(*Proc).loop(0xc0012a45c0)
  /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:101 +0x4df
  created by main.main
  /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:259 +0x1153
  err can be nil even if hang=true in case of a narrow race: we decided to kill the process, but it finished successfully meanwhile.
* pkg/ipc: always chmod the work dir [Dmitry Vyukov, 2019-11-16, 1 file, -4/+2]
  There is little reason in not doing the chown for sandbox=none. Simpler and can actually increase coverage if the test program setuid's itself (since it's root under sandbox=none).
* pkg/ipc: move target characteristics out of config flags [Dmitry Vyukov, 2019-11-16, 3 files, -26/+22]
  They don't belong there, executor does not know about them. In preparation for future changes.
* executor: refactor sandbox flags [Dmitry Vyukov, 2019-11-16, 2 files, -19/+19]
  In preparation for future changes.
* sys/targets: add HostFuzzer flag [Dmitry Vyukov, 2019-11-16, 1 file, -3/+3]
  Move HostFuzzer from vm/qemu. It's needed in a number of other packages and strictly speaking is not specific to qemu (it just happened that both fuchsia and akaros only support qemu).
* executor: move fixed pci devlink handle into network namespace [Jiri Pirko, 2019-11-03, 1 file, -0/+1]
  In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0" on the system (initial network namespace), it is moved to a working network namespace.
  Signed-off-by: Jiri Pirko <jiri@mellanox.com>
* pkg/ipc: Send output from syz-executor for non-Forkserver oses. [Marco Vanotti, 2019-09-11, 1 file, -3/+0]
  This change reuses the logic for sending the output back from syz-executor to syz-fuzzer that forkserver oses use: reading it periodically. This will be useful for debugging issues in Fuchsia, which does not support forkserver yet.
* all: convert Fuchsia to use "host fuzzing" mode [Matthew Dempsky, 2019-08-27, 1 file, -4/+2]
  Go support is not a priority for Fuchsia at the moment, so it's preferable to use host fuzzing mode for Fuchsia like currently done for Akaros. This commit basically looks for all the places where there was special logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
* executor: implement support for leak checking [Dmitry Vyukov, 2019-05-20, 1 file, -2/+0]
  Leak checking support was half done and did not really work. This is heavy-lifting to make it work.
  1. Move leak/fault setup into executor. pkg/host was a wrong place for them because we need them in C repros too. The pkg/host periodic callback functionality did not work too, we need it in executor so that we can reuse it in C repros too. Remove setup/callback functions in pkg/host entirely.
  2. Do leak setup/checking in C repros. The way leak checking is invoked is slightly different from fuzzer, but much better than no support at all. At least the checking code is shared.
  3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
  4. Don't enable leak checking in fuzzer while we are triaging initial corpus. It's toooo slow.
  5. Fix pkg/repro to do something more sane for leak bugs.
  Few other minor fixes here and there.
* all: add optional close_fds feature to reproducers [Andrey Konovalov, 2019-04-09, 1 file, -0/+1]
  Instead of always closing open fds (number 3 to 30) after each program, add an option called EnableCloseFds. It can be passed to syz-execprog, syz-prog2c and syz-stress via the -enable and -disable flags. Set the default value to true. Also minimize C repros over it, except for when repeat is enabled.
* pkg/report: remove .PID from syz-executor [Dmitry Vyukov, 2019-04-05, 1 file, -0/+1]
  pkg/ipc changed format of binaries, but pkg/report wasn't updated. Update pkg/report for the new format.
* pkg/ipc: use /data/ for storage in fuchsia. (#1101) [Marco Vanotti, 2019-04-03, 1 file, -3/+8]
  We cannot create folders in other directories anymore, for now, we only have access to create directories in /data/. This change is temporary as we move to a component-based world.
* all: fix warnings pointed to by golangci-lint [Dmitry Vyukov, 2019-03-28, 1 file, -1/+1]
  Update #977
* execprog, stress, prog2c: unify flags to enable additional features [Andrey Konovalov, 2019-03-05, 1 file, -3/+6]
  This change makes syz-execprog, syz-prog2c and syz-stress all accept -enable and -disable flags to enable or disable additional features (tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having a separate flag for each of them. The default (without any flags) behavior isn't changed: syz-execprog and syz-stress enable all the features (provided the runtime supports them) and syz-prog2c disables all of them.
* pkg/ipc: generate better temp name for executor [Dmitry Vyukov, 2019-02-08, 2 files, -9/+10]
  Just appending the pid number can produce conflicting names if the name itself ends with digits (standard temp file naming convention). So append ".PID". Also remove beginning from too long names instead of ending. Temp files in tests have unique numbers at the end, we need to preserve them to avoid file name conflicts.
* executor, pkg/ipc: simplify retry handling [Dmitry Vyukov, 2019-01-31, 1 file, -42/+10]
  Remove kRetryStatus, it's effectively the same as exiting with 0. Remove ipc.ExecutorFailure, nobody uses it. Simplify few other minor things around exit status handling.
* executor: remove ability to detect kernel bugs [Dmitry Vyukov, 2019-01-31, 2 files, -19/+6]
  This ability was never used but we maintain a bunch of code for it. syzkaller also recently learned to spoof this error code with some ptrace magic (probably intercepted control flow again and exploited executor binary). Drop all of it.
* sys/test/test: add tests for test exiting in the middle of execution [Dmitry Vyukov, 2019-01-31, 1 file, -1/+4]
* all: detect extra coverage support [Andrey Konovalov, 2019-01-16, 1 file, -0/+1]
  Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
* all: support extra coverage [Andrey Konovalov, 2019-01-16, 1 file, -12/+45]
  Right now syzkaller only supports coverage collected from the threads that execute syscalls. However some useful things happen in background threads, and it would be nice to collect coverage from those threads as well.
  This change adds extra coverage support to syzkaller. This coverage is not associated with a particular syscall, but rather with the whole program. Executor passes extra coverage over the same ipc mechanism to syz-fuzzer with syscall number set to -1. syz-fuzzer then passes this coverage to syz-manager with the call name "extra".
  This change requires the following kcov patch: https://github.com/xairy/linux/pull/2
* prog, pkg/{csource,ifuzz,ipc,repro}: make tests deterministic on travis [Dmitry Vyukov, 2019-01-02, 1 file, -0/+3]
  Don't use random seed on travis as it produces flaky coverage reports, and probably generally better for CI setting.