| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
Add hash of actual kernel commit to crash metainfo if available.
Signed-off-by: Grigory Bazilevich <g.bazilevich@ispras.ru>
Signed-off-by: Sergey Zotov <svzotov@ispras.ru>
|
| |
|
|
|
|
|
|
|
|
|
| |
Save crashes and repros with corresponding kernel and syzkaller configs locally
in syz-manager even when they are published to syz-dashboard,
to be able to share the crashes with
Linux Verification Center (linuxtesting.org).
Signed-off-by: Grigory Bazilevich <g.bazilevich@ispras.ru>
Signed-off-by: Sergey Zotov <svzotov@ispras.ru>
Co-authored-by: Sergey Zotov <svzotov@ispras.ru>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If the crash dumps are enabled, collect one crash dump per each crash
when fuzzing locally.
Optionally also collect crash dumps in pkg/instance's Test().
Inspired by Chenxi Huang's downstream changes to syzkaller.
|
| |
|
|
|
| |
Refactor the package to support testing and add
a number of basic tests.
|
| | |
|
| |
|
|
|
| |
Move the code to a separate pkg/manager/diff package. Split the
code into several files.
|
| |
|
|
|
| |
Simplify if conditions and extract a repro result processing from the
Loop method.
|
| | |
|
| |
|
|
|
|
| |
When configuring focus areas before directed fuzzing, construct regular
expressions that match the exact function names. Otherwise, we end up
adding more functions than intended.
|
| |
|
|
|
|
|
|
|
|
| |
We return Ctime from CreationTime. But "C" does not stand for "creation",
it stands for "status change" (inode update). It may or may not be the
creation time.
Use Btime (birth time) for creation time.
Fixes #6547
|
| |
|
|
| |
Return not just the modified files, but also their blob hashes.
|
| |
|
|
|
| |
Sorting using numSort for column with empty non-number rows does not work.
Always print repro attemps, but make 0 inactive (gray).
|
| |
|
|
| |
Any is the preferred over interface{} now in Go.
|
| |
|
|
|
|
|
|
|
| |
In the presence of numerous program seeds that mount fs images, our html
coverage reports end up being as big as 1GB, which makes it problematic
to render/manipulate them in the web browser.
Adjust coverage report generation: once the total size of program seeds
exceeds 100MB, switch to the compact seed serialization mode.
|
| |
|
|
|
|
|
| |
There are still situations where we don't properly terminate fuzzing on
context cancelation.
Add more logging to debug it.
|
| |
|
|
|
| |
We don't need it to hold it for the call to the externally supplied
callback.
|
| |
|
|
|
| |
Instead of just checking whether the bug was observed on the base crash,
accept a regexp of accepted bug titles as well.
|
| | |
|
| | |
|
| |
|
|
| |
Send only the first report to dashboard.
|
| | |
|
| | |
|
| |
|
|
| |
Add a new column next to it to list the number of repro attempts separately.
|
| |
|
|
|
|
|
| |
When we run a reproducer on a base kernel and it crashes, we must record
the crash title observed on the base kernel.
Rename the field to reduce the chance of confusion in the future.
|
| |
|
|
|
|
| |
Report base kernel crashes observed during fuzzing.
Consult the common API for each patched kernel crash to see if it was
already observed on the base kernel.
|
| |
|
|
|
| |
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.
|
| |
|
|
| |
This reduces the redundancy a bit.
|
| |
|
|
|
|
| |
On the syz-manager's html dashboard, dispay the number of repro attempts
per each bug. It will help distinguish the bugs where reproduction
was attempted and failed from those that have never been reproduced yet.
|
| |
|
|
| |
The VM pool expects us to listen on the boot error channel.
|
| |
|
|
|
| |
It's been checking the inverse of what was needed.
Rename the helper function to reduce confusion in the future.
|
| |
|
|
|
|
| |
Instead of calling grep (the implementations of which may differ in
different environments), traverse the directory and grep files with a
special pkg/osutil helper functionality.
|
| |
|
|
| |
If the manager name is set, display it in the header.
|
| |
|
|
|
|
|
| |
The rules were too generic - there are plenty of functions that have
"stall" as substring, yet they do not relate to rcu stall bugs.
Improve the rules list and add a unit test.
|
| |
|
|
|
|
|
|
| |
After ensuring that a bug only affects the patched kernel, do one more
round of reproduction and (if successful) re-report the result.
This will ensure that, provided enough time, diff fuzzing results will
also have minimalistic C reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We used to generate a choice table and do its normalization for all
present syscalls, also it was not considered during the /prio page
generation.
Enabled/disabled syscalls were accounted for in the choice table
construction, but there's a chance that the resulting table was still
somewhat skewed.
The situation must have become worse after several thousands of auto
syscalls were added.
|
| |
|
|
|
| |
The previous message was misleading - executor's coverage filter can
well be 0, it's the number of PCs per focus area that's of interest.
|
| |
|
|
| |
Right at the Loop() start, these are not filled out yet.
|
| |
|
|
|
|
|
|
|
| |
Hash the code section of the individual symbols from vmlinux.o and use
it to determine the functions that changed their bodies between the base
and the patched build.
If the number of affected symbols is reasonable (<5%), fuzz it with the
highest priority.
|
| |
|
|
| |
For that, make a part of the tar_test.go reusable.
|
| |
|
|
| |
These are already symbolized in pkg/repro.
|
| |
|
|
|
| |
If we matched 0 PCs for the areas of focused fuzzing, don't abort the
process after 30 minutes.
|
| |
|
|
|
| |
Use the context provided via errgroup.Group so that a single error can
successfully shut down the whole diff fuzzing process.
|
| |
|
|
|
| |
Don't waste time doing focused fuzzing if no modified code has
been reached in 30 minutes after corpus triage.
|
| |
|
|
|
|
| |
In syz-manager, we symbolize reports right before saving them. Follow a
similar approach for diff fuzzing as well and symbolize only the reports
which were confirmed to only affect the patched kernel.
|
| |
|
|
|
|
| |
During diff fuzzing, ignore too unreliable reproducers completely.
For moderately reliable ones, do a larger number of runs.
|
| |
|
|
| |
It allows to use context as a single termination signal source.
|
| |
|
|
|
|
|
|
|
| |
When running the reproducer from the patched kernel on the base kernel,
stay on the safe side when encountering errors and context
cancellations.
Always demand 3 successful executions before declaring a bug
patched-only.
|
| |
|
|
|
|
|
| |
Writes to channels are dangerous in the presence of context cancellation
- no one may be listening on the receiving side.
Wrap the writes in a select that also awaits ctx.Done().
|
