| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| | |
|
| |
|
|
|
|
|
| |
We incorrectly extended comparison arguments since forever. This is sad.
We tested the prog logic, but not the ipc/executor part.
Fix the extension, add tests and force manager to re-triage inputs.
|
| |
|
|
|
|
|
|
|
| |
All OSes we have now support shmem.
Support for Fuchia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Taken some arm64 devices for example:
kaslr_offset is diff at bits 12-40, and kernel modules are loaded at 2GB space,
so we have `ffffffd342e10000 T _stext` where uppper 32bit is ffffffd3. However,
if we check modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32bits are diff for core kernel and modules.
If we use current 32bits for covered PC, we will get wrong module address
recovered.
So we need to move to 64bit cover and signal:
- change cover/sig to 64bit to fit for syz-executor change
- remove kernel upper base logic as kernel upper base is not a constant when
kaslr enabled for core kernel and modules.
- remove unused pcBase
|
| |
|
|
| |
Switch to flatrpc.ExecOpts.
|
| |
|
|
|
|
| |
Switch to flatrpc.ProgInfo.
Note: this disables syz-runtest and syz-verifier.
|
| |
|
|
|
|
| |
Flatrpc flags are passed in RPC execution requests,
so to avoid conversions and duplicate set of flags
use flatrpc flags in pkg/ipc directly.
|
| |
|
|
| |
There's no need in duplicating the signal, coverage, hints flags.
|
| |
|
|
|
|
| |
Use the same interfaces as the fuzzer.
Now syz-manager no longer needs to treat machine check executions
differently.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| |
|
|
|
|
|
|
| |
Move the test from executor to pkg/ipc to prevent import cycle
in the next change.
pkg/ipc looks like the most reasonable place for it (besides executor),
it already builds executor binary.
The test cannot be moved to pkg/csource b/c it will create csource<->ipc cycle.
|
| |
|
|
|
|
|
| |
Start switching from host.Features to flatrpc.Features.
This change is supposed to be a no-op,
just to reduce future diffs that will change
how we obtain features.
|
| | |
|
| |
|
|
|
|
|
| |
Currently we set errno=999 in executor for non-finished syscalls,
but syscalls that were not even started still have errno=0.
They also don't have Executed flag, but it's still handy to have
a non-0 errno when the call is not successful.
|
| |
|
|
| |
Currently it's duplicated 4 times, dedup it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pass EnvFlags into Exec instead of New.
This allows to change EnvFlags between executions.
Change of EnvFlags forces executor process restart
since it uses EnvFlags during setup.
Currently this is intended to be NFC since we always
pass the same EnvFlags.
In future this will allow to (1) reduce part of the
VM checking procedure to execution of programs with
different options (e.g. we can probe for coverage/comparisons
support, probe different sandboxes, etc);
(2) use it during fuzzing/reproduction, e.g. we can check
if the crash reproduces under setuid sandbox, or execute some
fuzzing programs in significantly different modes.
|
| |
|
|
|
|
|
|
| |
Linter now complains:
Error: SA1019: reflect.SliceHeader has been deprecated since Go 1.21
and an alternative has been available since Go 1.17:
Use unsafe.Slice or unsafe.SliceData instead.
|
| |
|
|
|
| |
Fix checking of Logf, it has string in 0-th arg.
Add checking of t.Errorf/Fatalf.
|
| |
|
|
|
|
|
|
|
|
| |
Instead of counting exeutor restarts add executor freshness
(number of tests executed in the same process before this one)
into execution result.
This removes all program-related metrics from syz-fuzzer,
and concentrates all of them in the manager.
The freshness of the concrete test may also be useful
for some analysis later.
|
| |
|
|
|
|
|
| |
Does not require passing text program to ipc.Env.Exec.
Make it possible to provide just the exec encoding.
This requires moving fallback coverage to the host
since it need the program.
|
| |
|
|
|
|
| |
If we send exec encoding to the fuzzer, it's not necessary to serialize
exec encoding into existing buffer (currnetly we serialize directly into shmem).
So simplify code by serializing into a new slice.
|
| |
|
|
|
|
|
| |
1. Move the flag to Config (logically belongs there).
2. Create rate limter lazily (it's not needed most of the time).
This will help to stop passing *prog.Prog to Exec method.
|
| |
|
|
|
|
|
| |
Add ability for each package to create and export own stats.
Each stat is self-contained, describes how it should be presented,
and there is not need to copy them from one package to another.
Stats also keep historical data and allow building graphs over time.
|
| |
|
|
|
| |
OpenBSD in particular is not compatible with TestOS expectation
of having a syscall function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We used to optimize the memory usage by making the slices of individual
CallInfo structs point to the shared memory buffer between syz-fuzzer
and executor.
However, this puts very strict expectations on all pkg/ipc users and
complicates the decoupling of the fuzzing logic from individual proc
loops.
Let's try to live without this optimization. When compared with the cost
of a single syz-executor execution, the cost of array copying is very
very small anyway.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the cases where we do not / cannot sandbox individual prog executions
well enough, some share of progs end up being dependent on the
previously accumulated state of the whole VM.
As the result,
* We lose 5-10% of coverage/signal on every instance restart.
* A share of our corpus programs do not actually trigger the coverage
they were thought to reliably trigger.
This significantly affects fuzzing efficiency and prevents syzkaller
from accumulating bigger and better corpus over multiple runs.
Let's see if the situation becomes better if we restart syz-executor
before most of prog executions.
|
| |
|
|
|
|
|
| |
On a loaded VM, the restar may easily take 10-20 second, during which
all other procs have to wait due to gate ticketing.
Restart executor processes outside of synchronization primitives.
|
| |
|
|
|
|
|
|
|
|
|
| |
Even though syz-executor is supposed to kill its forked children after 5
seconds, in practice it fails to do so once in a while.
As a result, we end up waiting 50+ seconds before pkg/ipc kills the
parent syz-executor process. Due to the gate ticketing system, the whole
fuzzing stay stalled in the meanwhile.
Reduce the timeout to 25 seconds.
|
| | |
|
| |
|
|
|
| |
This can happen when c.cmd.Wait returns an error.
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| | |
|
| |
|
|
|
|
|
| |
Move image compression-related function to a separate package.
In preperation for subsequent changes that make decompression
more complex. Prog package is already large and complex.
Also makes running compression tests/benchmarks much faster.
|
| | |
|
| |
|
|
|
| |
The code to send rand source is dublicated in several packages.
Move it to testutil package.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
| |
syz-manager: introduce a new setting 'sandbox_arg' (#3263)
|
| |
|
|
|
|
|
| |
An executor can leak its file descriptor and we can block on reading
from it forever.
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
| |
When a shared memory is used, the executor can corrupt reply messages,
so let's add magic to detect such cases.
It is an attempt to debug issues like this one:
https://syzkaller.appspot.com/bug?id=faca64c3182e9f130ca94b7931dd771be390ef67
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
| |
Raw coverage might be important when e.g. analysing the origins of
out-of-place coverage in coverage reports or understanding why the
fuzzer could not reach deeper code.
If "raw_cover" is set to true, syzkaller will remember unsorted and
unduplicated coverage (PCs) for each its corpus program.
|
| |
|
|
|
|
|
|
| |
pkg/repro tries to clear the Threaded flag during repro simplification,
so it's easier just to ignore the remaining async flags in that case -
they won't be in the C repro either.
Add a test to pkg/ipc to verify the new behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that the current Linux implementation of KCOV does not
properly handle multiple mmap invocations on the same instance. The
first one succeedes, but the subsequent ones do not actually mmap
anything, yet returning no error at all.
The ability to mmap that memory multiple times allows us to increase
syz-executor performance and it would be a pity to completely lose it
(especially given that mmapping kcov works fine on *BSD).
In some time a patch will be prepared, but still we will have to support
both versions at the same time - the buggy one and the correct one.
Detect whether the bug is present by writing a value at the pointer
returned by mmap. If it is present, disable dynamic kcov mmapping and
pre-mmap 5 instances in the main() function - it should be enough for
all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap
them as needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have seen cases when a test program re-execed the current binary:
11:53:29 executing program 0:
openat$zero(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
lseek(r0, 0x4000000000000000, 0x4)
execveat(r0, &(0x7f0000000080)='\x00', 0x0, 0x0, 0x1000)
In such cases, we have to be sure that executor will not print SYZFAIL
log messages and will not exit with kFailStatus.
Since a659b3f1, syzkaller reports bugs in all these cases.
Fixes: a659b3f1dc88 ("pkg/report: detect executor failures")
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
| |
Pointed by golangci-lint.
For context see https://github.com/golang/go/issues/40701
|
| |
|
|
|
| |
Scale sandbox wait timeout according to the target slowdown.
Also de-hardcode program timeout.
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
In preparation for making timeouts tunable based
on OS/arch/VM/etc de-hardcode all (almost) timeouts in executor.
|
