| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
The context is assumed to be passed into the function doing the actual
processing. Refactor vminfo to follow this approach.
This will help refactor pkg/rpcserver later.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is done to solve a particular test failure running:
$ tools/syz-env go test ./prog -run TestSpecialStructs
, which failed on PPC64, because prog/rand.go instanciated a call to
syz_kvm_setup_syzos_vm(), which requested too much memory (1024 pages)
from the allocator (PPC64 uses 64k pages, so the number of available pages
is lower).
On the other hand, factoring out syzos-related descriptions is probably
a nice thing to do anyway.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syz_kvm_add_vcpu
The old syz_kvm_setup_cpu() API mixed together VM and VCPU setup, making it
harder to create and fuzz two VCPUs in the same VM.
Introduce two new pseudo-syscalls, syz_kvm_setup_syzos_vm() and syz_kvm_add_vcpu(),
that will simplify this task.
syz_kvm_setup_syzos_vm() takes a VM file descriptor, performs VM setup
(allocates guest memory and installs SYZOS code into it) and returns a
new kvm_syz_vm resource, which is in fact a pointer to `struct kvm_syz_vm`
encapsulating VM-specific data in the C code.
syz_kvm_add_vcpu() takes the VM ID denoted by kvm_syz_vm and creates a
new VCPU within that VM with a proper CPU number. It then stores the
fuzzer-supplied SYZOS API sequence into the corresponding part (indexed by
CPU number) of the VM memory slot, and sets up the CPU registers to interpret
that sequence.
The new pseudo-syscall let the fuzzer create independent CPUs that run different
code sequences without interfering with each other.
|
| |
|
|
|
| |
The new pseudo-syscall sets up VGICv3 IRQ controller on the host.
That still requires guest setup code, which will be submitted separately.
|
| |
|
|
| |
The object enables a graceful shutdown of machine checks.
|
| |
|
|
|
| |
Flatbuffers compiler generates slices of pointers for these types,
so return slices of pointers to avoid converting the whole slice.
|
| |
|
|
|
|
| |
Use the same interfaces as the fuzzer.
Now syz-manager no longer needs to treat machine check executions
differently.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| |
|
|
|
|
|
| |
The test becomes very restrictive in cases when custom descriptions are
present.
Let's only check for the filesystems we expect to see.
|
| |
|
|
|
| |
Properly dedup syscall tests.
This reduces number of test programs for linux from 4349 to 641.
|
| |
|
|
|
|
|
|
|
|
| |
Remove T suffix from object API types.
It seems that we will use these types thoughout the code,
and the suffix looks alien in Go code.
So it's better to remove it before we started using
these names more widely.
Also add few extensions we will need to move feature
checking to the host.
|
| |
|
|
|
|
| |
Switch to flatrpc.FileInfoT instead.
In preparation for pkg/host removal and to avoid
circular dependencies in future changes.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the syscall checking logic to the host.
Diffing sets of disabled syscalls before/after this change
in different configurations (none/setuid sandboxes, amd64/386 arches,
large/small kernel configs) shows only some improvements/bug fixes.
1. socket$inet[6]_icmp are now enabled.
Previously they were disabled due to net.ipv4.ping_group_range sysctl
in the init namespace which prevented creation of ping sockets.
In the new net namespace the sysctl gets default value which allows creation.
2. get_thread_area and set_thread_area are now disabled on amd64.
They are available only in 32-bit mode, but they are present in /proc/kallsyms,
so we enabled them always.
3. socket$bt_{bnep, cmtp, hidp, rfcomm} are now disabled.
They cannot be created in non init net namespace.
bt_sock_create() checks init_net and returns EAFNOSUPPORT immediately.
This is a bug in descriptions we need to fix.
Now we see it due to more precise checks.
4. fstat64/fstatat64/lstat64/stat64 are now enabled in 32-bit mode.
They are not present in /proc/kallsyms as syscalls, so we have not enabled them.
But they are available in 32-bit mode.
5. 78 openat variants + 10 socket variants + mount are now disabled
with setuid sandbox. They are not permitted w/o root permissions,
but we ignored that. This additionally leads to 700 transitively
disabled syscalls.
In all cases checking in the actual executor context/sandbox
looks very positive, esp. for more restrictive sandboxes.
Android sandbox should benefit as well.
The additional benefit is full testability of the new code.
The change includes only a basic test that covers all checks,
and ensures the code does not crash/hang, all generated programs
parse successfully, etc. But it's possible to unit-test
every condition now.
The new version also parallelizes checking across VMs,
checking on a slow emulated qemu drops from 210 seconds
to 140 seconds.
|
|
|
This moves significant part of logic from the target to host (#1541),
eventually this will allow us to switch target code from Go to C++.
Currnetly syz-fuzzer parses a number of system files (/proc/cpuinfo)
in non-trivial ways and passes that info to the host.
This is problematic to recreate in C++.
So instead make the fuzzer part as simple as possible:
now it merely reads the gives set of files and returns contents.
The rest of the parsing happens on the host (the new vminfo package).
Package vminfo extracts information about the target VM.
The package itself runs on the host, which may be a different OS/arch.
User of the package first requests set of files that needs to be fetched from the VM
(Checker.RequiredFiles), then fetches these files, and calls Checker.MachineInfo
to parse the files and extract information about the VM.
The information includes information about kernel modules and OS-specific info
(for Linux that includes things like parsed /proc/cpuinfo).
This also requires changing RPC flow between fuzzer and manager.
Currently, Check call is optional and happens only for first VMs.
With this change Check is always done because we need to return
contents of the requested files always.
The plan is to switch the rest of the pkg/host package to this scheme later:
instead of some complex custom logic, we need to express it as some
simple operations on the target (checking file presence, etc), and the rest
of the logic on the host.
|
