When a "fatal error:" bug is reported, this usually means that syzkaller
itself had a memory corruption (except in the gVisor fuzzing case, where
this could be an actual bug in gVisor).
Most likely, this is due to a kernel that went wild and corrupted the
syzkaller address space, but in that case the exact details of what part
of the runtime failed are rarely relevant.
This gathers all these Go runtime errors under one umbrella so they are
easier to track, except for gVisor, where the logic is kept the same
as before.
Add three test cases to the linux reporting:
- 705 (equivalent to the current all/report/7) to make sure Go OOO are
suppressed (they have a different title now but still get suppressed)
- 706 (equivalent to the current all/report/8) to make sure that ALSA
"fatal errors" are not handled as Go fatal errors
- 707 (new) to make sure that reports like
https://syzkaller.appspot.com/bug?extid=3f00d7083c52713ba3b0 are
renamed to "go runtime error"
This will help avoid a circular dependency pkg/vcs -> pkg/report ->
pkg/vcs.
Amend oops and oopsFormat to contain report type.
They are invalid and we're tired of manually marking them as such.
The original panic: is printed without logging and is often garbled
by concurrent printing by another core. OTOH, `show panic` is printed
exclusively so we prefer to use that.
This routine was recently renamed.
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case, as adding
extra parameters to the post-processing forces the developer to adjust all
implementations that may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
The witness output was recently changed in order to aid tracking down
scenarios in which lock ordering data is missing. This is probably a bug,
and turning them into unique reports should hopefully help syzkaller
find a reproducer.
The existing inode suppression must be tweaked a bit in order to not flag
the relevant reports as suppressed.
It looks like we got a couple of odd crashes where the syz-executor is
probably hanging but the VM is still responsive[1].
Does the hypervisor try to diagnose the VM under such circumstances?
Since the VM is still responsive, the input written to the console is
echoed back, which in turn causes a panic to be detected.
If this theory is true, we can avoid detecting such false positives by
making the oops indicator disjoint from the input written to the
console.
[1] https://syzkaller.appspot.com/bug?id=af604b59c590384e9faa00dfc958ef87a922ae71
These reports are not that helpful and are rarely a problem as each
vnode has a unique lock. Reports from witness regarding lock order
reversal between two vnode locks are already suppressed by the kernel,
see RWL_IS_VNODE in the rwlock(9) manual.
While here, update `testdata/openbsd/report/10` as this report was
generated before I prefixed all output from witness.
Regression introduced in commit cb93dc6a ("pkg/report: flag short
uvm_fault reports as corrupted") causing some valid reports to be
flagged as corrupted.
They don't contain enough context to be useful.
This change makes `testdata/openbsd/report/0` be treated as
corrupted, which is desirable since it also lacks context.
In order to avoid treating the following diagnostic printf as a panic[1]:
vmx_mprotect_ept: uvm_fault returns 14, GPA=0x200000
[1] https://syzkaller.appspot.com/bug?id=25f3ef919bf9f5d8a89e13b1ba5fec8ca56334be
At last!
Overall idea of netlink checking.
Currently we check netlink policies for common detectable mistakes.
First, we detect what looks like a netlink policy in our descriptions
(these are structs/unions only with nlattr/nlnext/nlnetw fields).
Then we find corresponding symbols (offset/size) in vmlinux using nm.
Then we read elf headers and locate where these symbols are in the rodata section.
Then we read in the symbol data, which is an array of nla_policy structs.
These structs allow us to easily figure out the type/size of attributes.
Finally we compare our descriptions with the kernel policy description.
Update #590
Some syzkaller panics happen due to memory corruptions,
but it still would be useful at least to get some visibility into these crashes.
On some OSes we actually already detect them as they have the "panic:" oops pattern,
but not e.g. on linux.
Fixes #318
This panic is not too interesting since the intended behavior is to panic and
it requires root due to usage of mknod(2).
Some reports[1] do not include a symbol but rather an address in the
"Stopped at" line. There's unfortunately no useful context to add to the
title, so make them generic instead.
[1] https://syzkaller.appspot.com/bug?id=3e44d0b128fd8d6826e4d0044baadcfc02ba7125
Reports from witness regarding returning to userspace with locks held are not
unique enough, causing all lock leaks to be grouped under the same bug.
Instead, try to extract the name of the syscall where the first held lock was
grabbed.
While here, shorten the title a bit.
We now pass 5 arguments through a bunch of functions;
this is quite inconvenient when the set of arguments changes.
Encapsulate all arguments in a struct and pass/store it as a whole.
* pkg/cover: Modify parsing logic
1. Remove prefix computation
2. Add a mgrconfig for kernel build directory
* pkg/report: shorten reports with kernelBuildSrc instead of kernelSrc
* pkg/report: Fix failing tests
* pkg/report: fix formatting issues
* tools/syz-cover: Fix unintended redefinition
* make changes to fix failing ci build
* pkg/report: fix issues
Fixes #1059
A line length of 79 in the ddb output does not necessarily imply that the
following line is a continuation of the current line. Since there's no way
to distinguish between ordinary and continuation lines, it could end up
corrupting the report by joining two lines that are disjoint[1].
Instead, disable line wrapping in ddb. If we want some kind of wrapping in
the future it's easier done by pkg/report.
[1] https://syzkaller.appspot.com/bug?extid=03f7377a9848d7d008c9
Possible now since the output is consistently prefixed[1].
[1] https://marc.info/?l=openbsd-cvs&m=154850328128727&w=2
* pkg/report: symbolize witness trace on OpenBSD
* vm/vmimpl: show witness locks on panic
* vm/vmimpl: show memory stats on panic
* fixup! pkg/report: symbolize witness trace on OpenBSD
CONFIG_PRINTK_CALLER has reached linux-next:
https://groups.google.com/d/msg/syzkaller/xEDUgkgFvL8/d5bBS3BJBwAJ
Enable CONFIG_PRINTK_CALLER and support parsing of its output format.
This gives us several advantages:
- output from different contexts doesn't intermix
- intermixed output doesn't cause corrupted reports
- we can keep a larger prefix since we know it comes from the same task
Credit for the kernel part goes to Tetsuo Handa.
Also Sergey Senozhatsky and Petr Mladek for reviews of the kernel part.
Fixes #596
Fixes #600
In order to use the already defined kernel name in sys/targets to reduce
duplications.
Sometimes the reorder_kernel error message is truncated causing the current
ignore pattern to fail. Instead, simply reject all lines containing
`reorder_kernel' in order to reduce noisy crash reports.
OpenBSD produces \n\r for new lines and splits output at column 79.
Handle both of these things.

all: add openbsd support
squash of the following commits:
* openbsd: add mandatory bits
* report: add OpenBSD support
* executor: skip building kvm on OpenBSD
* executor: add OpenBSD support
Linking against libutil is necessary due to usage of openpty(3).
* executor: fix typo in fail() message
* fixup! report: add OpenBSD support
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! report: add OpenBSD support
* gometalinter: skip sys/openbsd