| Commit message | Author | Age | Files | Lines |
Just appending the pid number can produce conflicting names
if the name itself ends with digits (standard temp file naming convention).
So append ".PID".
Also remove the beginning of too-long names instead of the ending.
Temp files in tests have unique numbers at the end; we need to preserve them
to avoid file name conflicts.
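An added Go example (not syzkaller's own code) of the naming rule in the commit above: the naive scheme collides as soon as a name ends in digits, the ".PID" suffix keeps the boundary unambiguous, and an over-long name is cut from the front so the trailing test counter survives. The 16-character limit and the helper names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// maxNameLen is an assumed length limit for this example; syzkaller's real
// limit is not part of the illustration.
const maxNameLen = 16

// naiveUniqueName is the scheme the commit replaces: the pid digits are glued
// straight onto the name, so "t1"+23 and "t12"+3 both become "t123".
func naiveUniqueName(name string, pid int) string {
	return name + strconv.Itoa(pid)
}

// uniqueName appends ".PID", which keeps the name/pid boundary unambiguous,
// and trims an over-long name from the front so a trailing counter survives.
func uniqueName(name string, pid int) string {
	suffix := "." + strconv.Itoa(pid)
	if cut := len(name) + len(suffix) - maxNameLen; cut > 0 {
		if cut > len(name) {
			cut = len(name) // never slice past the name; the suffix itself is kept whole
		}
		name = name[cut:]
	}
	return name + suffix
}

// collides reports whether two (name, pid) pairs map to the same file name
// under the given scheme.
func collides(scheme func(string, int) string, n1 string, p1 int, n2 string, p2 int) bool {
	return scheme(n1, p1) == scheme(n2, p2)
}

func main() {
	fmt.Println(naiveUniqueName("t1", 23), naiveUniqueName("t12", 3)) // t123 t123
	fmt.Println(uniqueName("t1", 23), uniqueName("t12", 3))           // t1.23 t12.3
	fmt.Println(uniqueName("abcdefghijklmnopqrst0007", 5))           // klmnopqrst0007.5
}
```

The trailing "0007" in the last call is what a per-test counter looks like; truncating from the end would have destroyed exactly the part that keeps parallel tests from sharing a file.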
Remove kRetryStatus, it's effectively the same as exiting with 0.
Remove ipc.ExecutorFailure, nobody uses it.
Simplify a few other minor things around exit status handling.
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited the executor binary).
Drop all of it.
Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.
This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".
This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
Don't use a random seed on Travis as it produces flaky coverage reports,
and it is probably generally better for a CI setting.
Fixes #897
Currently syz-runtest fails to start because -debug flag is defined
both in syz-runtest and ipcconfig.
By moving sandbox functions we prevent ipcconfig from being imported into syz-runtest.
This patch adds a new struct ProgInfo that for now holds info about each
call in a program []CallInfo, but in the future will be expanded with remote
coverage info. Update all the callers to use the new interface as well.
Reformat, remove debug leftovers, fix comment style.
Rewind kmemleak fd before reading it a second time,
otherwise we will read truncated reports.
Auto-learn what leak reports we've already seen
and ignore them in future. This is required because
there are some false positives and some fire too frequently.
So now we will hit each leak only once per manager run,
but we still will try to reproduce them.
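An added Go example (not syzkaller's pkg/ipc code) of the two points in the commit above: the kmemleak file is a seq_file, so reading it again without rewinding yields only the truncated tail, and reports are remembered by a normalized key so each leak is surfaced once per run. The sample kmemleak text is constructed, and which fields are stripped from the key (object and frame addresses, pid, jiffies, age) is this example's choice.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// sampleKmemleak is constructed text in kmemleak's report format, not a real
// kernel report.
const sampleKmemleak = `unreferenced object 0xffff8880132ac000 (size 64):
  comm "syz-executor", pid 1234, jiffies 4294967296 (age 12.340s)
  backtrace:
    [<ffffffff81234567>] kmalloc_trace+0x25/0x60
    [<ffffffff81abcdef>] alloc_foo+0x30/0x90
unreferenced object 0xffff8880132ac080 (size 128):
  comm "syz-executor", pid 1235, jiffies 4294967300 (age 9.100s)
  backtrace:
    [<ffffffff81234567>] kmalloc_trace+0x25/0x60
    [<ffffffff81fedcba>] alloc_bar+0x44/0xa0
`

// volatile matches the parts of a report that differ between occurrences of
// the same leak: object and frame addresses, pid, jiffies and age.
var volatile = regexp.MustCompile(`0x[0-9a-f]+|\[<[0-9a-f]+>\]|pid \d+|jiffies \d+|age [0-9.]+s`)

// splitReports cuts the file content into one string per "unreferenced object" block.
func splitReports(data string) []string {
	var reports []string
	for _, chunk := range strings.Split(data, "unreferenced object") {
		if strings.TrimSpace(chunk) == "" {
			continue
		}
		reports = append(reports, "unreferenced object"+chunk)
	}
	return reports
}

// reportKey identifies a leak by its stable parts (size, comm, symbolic backtrace).
func reportKey(report string) string {
	sum := sha256.Sum256([]byte(volatile.ReplaceAllString(report, "")))
	return hex.EncodeToString(sum[:])
}

// readNoRewind is the buggy pattern: the offset persists on the fd, so the
// second call sees only what lies past the previous end (here: nothing).
func readNoRewind(f io.Reader) ([]string, error) {
	data, err := io.ReadAll(f)
	if err != nil {
		return nil, err
	}
	return splitReports(string(data)), nil
}

// leakReader rewinds before every read and reports each leak only once.
type leakReader struct {
	f    io.ReadSeeker
	seen map[string]bool
}

func newLeakReader(f io.ReadSeeker) *leakReader {
	return &leakReader{f: f, seen: make(map[string]bool)}
}

// read returns the reports not seen in earlier calls and remembers them.
func (r *leakReader) read() ([]string, error) {
	if _, err := r.f.Seek(0, io.SeekStart); err != nil {
		return nil, err
	}
	data, err := io.ReadAll(r.f)
	if err != nil {
		return nil, err
	}
	var fresh []string
	for _, rep := range splitReports(string(data)) {
		key := reportKey(rep)
		if r.seen[key] {
			continue
		}
		r.seen[key] = true
		fresh = append(fresh, rep)
	}
	return fresh, nil
}

func main() {
	f := bytes.NewReader([]byte(sampleKmemleak))
	first, _ := readNoRewind(f)
	second, _ := readNoRewind(f)
	fmt.Println(len(first), len(second)) // 2 0: the second read is truncated

	r := newLeakReader(bytes.NewReader([]byte(sampleKmemleak)))
	fresh, _ := r.read()
	again, _ := r.read()
	fmt.Println(len(fresh), len(again)) // 2 0: rewound, but both leaks were already seen
}
```

Against the real /sys/kernel/debug/kmemleak the same code applies with an *os.File in place of the bytes.Reader; the seen-set is deliberately per reader, so it resets with each manager run, as the commit describes.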
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
In pkg/ipc we don't just want to UmountAll,
we want to remove everything, handling as many cases as possible
(mounts, read-only files, etc., similar to executor's remove_dir).
So unmounting and removing need to be a single function,
so that it can handle all these cases.
They were needed for intermediate gvisor support.
Now that we have end-to-end support for gvisor,
they are not needed anymore. Remove.
Move all ipc flags into pkg/ipc/ipcconfig package
so that importing pkg/ipc does pull in the flags.
readOutCoverage was a complete mess.
Split it into several functions.
Use callReply struct directly.
Make error handling more idiomatic.
Update #538
Write coverage from unfinished syscalls.
Also detect when a syscall was blocked during execution,
even if it finished. Helpful for fallback coverage.
Fixes #580
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves the way for testing of executor code
and allows us to preserve consistency across OSes and executor/csource.
Linux executor sets up some network devices for testing,
detect when that's supported on the machine and don't
do it if it's not supported.
Move common code from 4 vm implementations to vmimpl.
Pass actual target to DefaultConfig, that's what we really want,
not the stray ipc flag.
Also mixin resource constructors and some signature
of flags values for successful calls into fallback coverage.
Currently we first send on errs and then close env.
As a result the process can exit before env.Close finishes,
which will leave garbage behind.
Close env before sending on errs.
fuchsia mishandles relative paths.
It's possible to get no signal from normal coverage due to dedup,
in that case we don't want to add fallback coverage
because it can lead to corpus bloat.
We have a fallback coverage implementation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.
Move fallback coverage to ipc package,
fix it and provide for all OSes.
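An added Go example (not syzkaller's pkg/ipc code) of the fallback coverage that this commit and the earlier ones on this page describe: without KCOV, a call's "coverage" is a hash of the syscall, its errno and whether it blocked, plus, for successful calls, a signature of the flag bits it was called with and a marker for resource-constructing calls; and the fallback signal is merged only when real coverage contributed something not yet seen, so that fallback alone cannot bloat the corpus. The hash (FNV-1a), the callResult shape and exactly which fields are mixed are this example's choices.

```go
package main

import (
	"fmt"
	"math/bits"
)

// callResult is what the executor reports about one executed call (assumed shape).
type callResult struct {
	Call            int      // syscall id in the target's table
	Errno           int      // 0 on success
	Blocked         bool     // the call blocked for a while before finishing
	Flags           []uint64 // values of flag-typed arguments, in argument order
	CreatesResource bool     // the call is a resource constructor (returns an fd, etc.)
}

// mix folds its inputs into a 32-bit value with FNV-1a; any stable hash works.
func mix(parts ...uint64) uint32 {
	h := uint64(14695981039346656037)
	for _, p := range parts {
		for i := 0; i < 8; i++ {
			h ^= (p >> (8 * i)) & 0xff
			h *= 1099511628211
		}
	}
	return uint32(h ^ (h >> 32))
}

// fallbackSignal derives coarse signal for a call when no kernel coverage exists.
func fallbackSignal(r callResult) []uint32 {
	blocked := uint64(0)
	if r.Blocked {
		blocked = 1
	}
	sig := []uint32{mix(0, uint64(r.Call), uint64(r.Errno), blocked)}
	if r.Errno != 0 {
		return sig // a failing call is characterised by its errno alone
	}
	for argIdx, v := range r.Flags {
		for v != 0 { // one signal element per flag bit that was set
			bit := bits.TrailingZeros64(v)
			v &^= uint64(1) << uint(bit)
			sig = append(sig, mix(1, uint64(r.Call), uint64(argIdx), uint64(bit)))
		}
	}
	if r.CreatesResource {
		sig = append(sig, mix(2, uint64(r.Call)))
	}
	return sig
}

// newSignal filters sig against a seen set and records whatever was new.
func newSignal(sig []uint32, seen map[uint32]bool) []uint32 {
	var fresh []uint32
	for _, s := range sig {
		if !seen[s] {
			seen[s] = true
			fresh = append(fresh, s)
		}
	}
	return fresh
}

// mergeSignal combines real coverage with fallback signal. Real PCs and
// fallback hashes live in separate seen sets because they are different
// spaces. If dedup left no new real signal, the fallback is dropped: adding a
// program to the corpus on fallback signal alone only bloats it.
func mergeSignal(cover, fallback []uint32, seenCover, seenFallback map[uint32]bool) []uint32 {
	fresh := newSignal(cover, seenCover)
	if len(fresh) == 0 {
		return nil
	}
	return append(fresh, newSignal(fallback, seenFallback)...)
}

func main() {
	ok := callResult{Call: 5, Flags: []uint64{0x41}, CreatesResource: true} // success, two flag bits, returns an fd
	bad := callResult{Call: 5, Errno: 22}                                    // EINVAL
	fmt.Println(len(fallbackSignal(ok)), len(fallbackSignal(bad))) // 4 1
	seenCover, seenFallback := map[uint32]bool{0x1000: true}, map[uint32]bool{}
	fmt.Println(len(mergeSignal([]uint32{0x1000}, fallbackSignal(ok), seenCover, seenFallback)))         // 0: nothing new from KCOV, fallback dropped
	fmt.Println(len(mergeSignal([]uint32{0x1000, 0x2000}, fallbackSignal(ok), seenCover, seenFallback))) // 5: one new PC plus four fallback elements
}
```

On a target without KCOV at all, cover is always empty and a caller would use fallbackSignal directly with its own seen set; the merge rule above only matters when both sources exist.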
Currently host feature detection/setup code is spread
across platform-independent fuzzer code, pkg/host, pkg/ipc
and executor.
Move this all into pkg/host and show readable info
about features on manager start.
Fixes #46
In most cases we have source in memory,
so provide a function to build right from memory
without creating temp files.
We currently have native cross-compilation logic duplicated
in Makefile and in sys/targets. Some pieces are missing in one
place, some are in another. Only pkg/csource knows how to check
for -static support.
Move all CC/CFLAGS logic to sys/targets and pull results in Makefile.
This should make Makefile work on distros that have broken x86_64-linux-gnu-gcc,
now we will use just gcc. And this removes the need to define NOSTATIC,
as it's always auto-detected.
This also paves the way for making pkg/csource work on OSes other than Linux.
120 columns looks like a reasonable limit
and requires few changes to existing code.
Update #538
syz-manager always passes explicit value for the flag.
syz-stress does not need coverage.
The only real user is syz-execprog. syz-execprog already
forces coverage when -coverfile is given. Coverage is harmful
for external users trying to reproduce reported bugs.
For the remaining cases of syzkaller developers running
syz-execprog on KCOV-enabled kernel, the flag can be given
manually if really needed.
Fixes #554
Don't use random programs for testing.
Sometimes they lead to flakes like:
opendir(./1/file0) failed (errno 13)
Fix typos, non-canonical code, remove dead code, etc.
Also add a test for this.
Helps to understand what program caused it.
Generated program always uses pid=0 even when there are multiple processes.
Make each process use own pid.
Unfortunately this required quite significant changes to prog,
because the current format only supported a fixed pid.
Fixes #490
syz-fuzzer organically grew from a small nice main function
into a huge single-file monster with tons of global state.
Start refactoring it into something more manageable.
This change separates 2 things:
1. Proc: a single fuzzing process (ipc.Env wrapper).
2. WorkQueue: holds global non-fuzzing work items.
More work needed, but this is a good first step.
Currently threaded/collide are global environment flags.
It can be useful to turn off collider during some executions
(minimization, triage, etc).
Make them per-program options.
Boot and minimally test images before declaring them as good
and switching to using them.
If image build/boot/test fails, upload report about this to dashboard.
When manager is stopped there are sometimes runaway qemu
processes still running. Set PDEATHSIG for all subprocesses.
We never need child processes outliving parents.
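An added Go example (not syzkaller's pkg/vm code) of the fix in the commit above: spawning a subprocess with SysProcAttr.Pdeathsig so the kernel delivers SIGKILL to it when the parent goes away. Linux only, since that field exists in Go's syscall package for Linux; the helper names are this example's.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"syscall"
)

// commandWithDeathSignal builds an exec.Cmd whose child asks the kernel, via
// PR_SET_PDEATHSIG, to be SIGKILLed when its parent dies. Go applies the prctl
// in the child between fork and exec and re-checks getppid afterwards, so a
// parent that dies inside that window still takes the child with it.
func commandWithDeathSignal(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Pdeathsig: syscall.SIGKILL}
	return cmd
}

// runWithDeathSignal runs the command to completion and returns its exit code;
// a non-zero exit is a result, not an error, so callers can tell a failed
// workload apart from a failure to start it.
func runWithDeathSignal(name string, args ...string) (int, error) {
	err := commandWithDeathSignal(name, args...).Run()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return exitErr.ExitCode(), nil
	}
	if err != nil {
		return -1, err
	}
	return 0, nil
}

func main() {
	code, err := runWithDeathSignal("sh", "-c", "exit 7")
	fmt.Println(code, err) // 7 <nil>
}
```

Two caveats worth knowing before relying on this for qemu: the death signal is bound to the parent *thread* that forked, not the parent process, so a goroutine that spawns under runtime.LockOSThread and then exits takes its thread, and therefore the children, with it; and the setting is cleared in the grandchildren (and on exec of a set-user-ID binary), so a wrapper that forks qemu itself has to set it again.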
if/else branches are intermixed