| Commit message (Collapse) | Author | Age | Files | Lines |
We need to check GOARCH instead of GOOS,
otherwise all executor failures are ignored...
|
It's not used for anything useful and will conflict
with automatic timeout tuning.
|
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
We started to see lots of "provided buffer is too small" with seeded
syz_mount_image programs. Currently it fails whole VM, which is not good.
Ignoring them is not perfect, but there does not seem to be any better
simple solution.
|
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identified by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
BrokenCompiler is only initialized after Get.
|
We may run some cross-arch tests using qemu-user.
|
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For some reason {0} gets complaints about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr with 0xaa
* executor/common_linux.h: just fill bd addr with 0xaa
|
It seems that different gcc's have different defaults for ASAN flags.
Some fail with:
run.go:67: nonfailing none/thr/repeat : FAIL: run 0: call 0 is not executed
ASAN:DEADLYSIGNAL
=================================================================
==67143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7b0befb0a2 bp 0x7f7b0cfdad10 sp 0x7f7b0cfda490 T1)
#0 0x7f7b0befb0a1 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
#1 0x404bbb in syz_compare(long, long, long, long) (/tmp/utor355225125.0+0x404bbb)
#2 0x403cdf in execute_call(thread_t*) (/tmp/utor355225125.0+0x403cdf)
#3 0x404006 in worker_thread(void*) (/tmp/utor355225125.0+0x404006)
#4 0x7f7b0bc584a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#5 0x7f7b0b99ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
Thread T1 created by T0 here:
#0 0x7f7b0be9ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x406117 in execute_one() (/tmp/utor355225125.0+0x406117)
|
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
|
Use native byte-order for IPC and program serialization.
This way we will be able to support both little- and big-endian
architectures.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
If C compiler is installed e.g. in /opt then
we have to import LD_LIBRARY_PATH.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
A good one. Lots of fixed comments are contributed by episodic contributors.
So it's good to catch these earlier.
|
In preparation to running some tests as github actions.
Both Travis and Github define CI env var, while TRAVIS is, well,
too Travis-specific.
Update #1699
|
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's just some arbitrary mmap,
but rather mapping of the data segment.
|
Unsafe is, well, unsafe.
Plus it fails under the new checkptr mode in go1.14.
Remove some uses of unsafe.
|
It's not needed for test os and slows down pkg/runtest tests.
|
We've got the following crash:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x7d30ba]
goroutine 75 [running]:
github.com/google/syzkaller/pkg/ipc.(*command).exec(0xc000c68cb0, 0xc0001a4d20, 0xc00147a000, 0x1f28, 0x200000, 0x0, 0x0, 0xc00170a000, 0x1000000, 0x1000000, ...)
/syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:783 +0x7ca
github.com/google/syzkaller/pkg/ipc.(*Env).Exec(0xc0002de240, 0xc0001a4d20, 0xc016c2f440, 0x11, 0xc00019c7e0, 0x40, 0x1, 0xc016b6f590, 0x30, 0xc01615cc40)
/syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:280 +0x104
main.(*Proc).executeRaw(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x1, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:292 +0x1f3
main.(*Proc).execute(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x0, 0x1, 0x1)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:255 +0x6a
main.(*Proc).loop(0xc0012a45c0)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:101 +0x4df
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:259 +0x1153
err can be nil even if hang=true in case of a narrow race:
we decided to kill the process, but it finished successfully meanwhile.
|
There is little reason in not doing the chown for sandbox=none.
Simpler and can actually increase coverage if the test program
setuid's itself (since it's root under sandbox=none).
|
They don't belong there, executor does not know about them.
In preparation for future changes.
|
In preparation for future changes.
|
Move HostFuzzer from vm/qemu.
It's needed in a number of other packages
and strictly saying is not specific to qemu
(it just happened that both fuchsia and akaros only support qemu).
|
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
This change reuses the logic for sending the output back from
syz-executor to syz-fuzzer that forkserver oses use: reading it
periodically. This will be useful for debugging issues in Fuchsia that
does not support forkserver yet.
|
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
|
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need them in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better than no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enable leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
|
Instead of always closing open fds (number 3 to 30) after each program,
add an option called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
|
pkg/ipc changed format of binaries, but pkg/report wasn't updated.
Update pkg/report for the new format.
|
We cannot create folders in other directories anymore, for now, we only
have access to create directories in /data/. This change is temporary as
we move to a component-based world.
|
Update #977
|
This change makes all syz-execprog, syz-prog2c and syz-stress accept
-enable and -disable flags to enable or disable additional features
(tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having
a separate flag for each of them.
The default (without any flags) behavior isn't changed: syz-execprog
and syz-stress enabled all the features (provided the runtime supports
them) and syz-prog2c disables all of them.
|
Just appending the pid number can produce conflicting names
if the name itself ends with digits (standard temp file naming convention).
So append ".PID".
Also remove beginning from too long names instead of ending.
Temp files in tests have unique numbers at the end, we need to preserve them
to avoid file name conflicts.
|
Remove kRetryStatus, it's effectively the same as exiting with 0.
Remove ipc.ExecutorFailure, nobody uses it.
Simplify few other minor things around exit status handling.
|
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
|
Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
|
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.
This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".
This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
|
Don't use random seed on travis as it produces flaky coverage reports,
and probably generally better for CI setting.
|
Fixes #897
|
Currently syz-runtest fails to start because -debug flag is defined
both in syz-runtest and ipcconfig.
By moving sandbox functions we prevent ipcconfig from being imported into syz-runtest.
|
This patch adds a new struct ProgInfo that for now holds info about each
call in a program []CallInfo, but in the future will be expanded with remote
coverage info. Update all the callers to use the new interface as well.
|
Reformat, remove debug leftovers, fix comment style.
|
Rewind kmemleak fd before reading it second time,
otherwise we will read truncated reports.
Auto-learn what leak reports we've already seen
and ignore them in future. This is required because
there are some false positives and some fire too frequently.
So now we will hit each leak only once per manager run,
but we still will try to reproduce them.
|
executor: add support for android_untrusted_app sandbox
This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.
In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.
Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files. The underlying mechanisms are relatively simple.
Fixes google/syzkaller#643
Test: make presubmit
Bug: http://b/112900774
|
In pkg/ipc we don't just want to UmountAll,
we want to remove all handling as many cases as possible
(mounts, read-only files, etc, similar to executor's remove_dir).
So unmounting and removing needs to be a single function,
so that it can handle all these cases.
|
They were needed for intermediate gvisor support.
Now that we have end-to-end support for gvisor,
they are not needed anymore. Remove.
|
Move all ipc flags into pkg/ipc/ipcconfig package
so that importing pkg/ipc does pull in the flags.
|
readOutCoverage was a complete mess.
Split it into several functions.
Use callReply struct directly.
Make error handling more idiomatic.
Update #538
|