Otherwise we get problems while testing patches for older syzkaller
versions, which didn't support optional arguments.
Adjust tests so that problems with how OldFuzzerCmd handles such
arguments could be seen.
It popped up in a new KASAN report after recent KASAN changes.
Raw coverage might be important when e.g. analysing the origins of
out-of-place coverage in coverage reports or understanding why the
fuzzer could not reach deeper code.
If "raw_cover" is set to true, syzkaller will remember unsorted and
undeduplicated coverage (PCs) for each of its corpus programs.
The method already has too many arguments, which complicates the further
addition of new features. Introduce FuzzerCmdArgs structure to overcome
the problem.
This commit replaces all `ioutil.TempDir` with `t.TempDir` in tests.
The directory created by `t.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Now we always enable it; make this configurable for GCE instances.
(#2908)
Program verification logic is located in one function now.
VMs fetch programs from priority queues, not from the generator.
VMs operate the tasks, not programs now.
For the crashed VM - return error for every program in the queue
*fixed some road errors
Now we use go1.16+, but sometimes syz-ci still has to compile and run
old syzkaller revisions, which were not meant to be compiled with modern
Go.
In particular, this leads to the following errors:
syzkaller build failed: failed to run ["make" "target"]: exit status 2
tools/syz-make/make.go:14:2: no required module provides package
github.com/google/syzkaller/pkg/osutil: go.mod file not found in
current directory or any parent directory; see 'go help modules'
tools/syz-make/make.go:15:2: no required module provides package
github.com/google/syzkaller/sys/targets: go.mod file not found in
current directory or any parent directory; see 'go help modules'
Makefile:39: *** syz-make failed. Stop.
Fix this by adding GO111MODULE=auto to the environment variables.
Reported-by: Taylor R Campbell <riastradh@netbsd.org>
When syz-fuzzer starts, it tries all syscalls to filter out any that are
not supported. This process should include only the syscalls that are
enabled using the 'enable_syscalls' and 'disable_syscalls' fields in
syz-manager's config.
This is useful for fuzzing Cuttlefish devices, for example, where the
'vhost_vsock' syscall needs to be excluded from fuzzing and from this
test.
It's not practical to parse configs from tools/syz-testbed because it
limits the tool to using only those configuration options that are
supported by the syzkaller version at the moment of tools/syz-testbed
compilation.
Operate with manager configs as if they were just some JSON objects.
Introduce a PatchJSON method to update their fields in a convenient way.
Show top crashers for X last days.
Show graph with daily shares of crashes that satisfy user-entered regexps.
We cannot expect syscalls to always succeed during fuzzing, especially
when the situation involves a complex interaction with the system.
For the syz_genetlink_get_family_id case, it leads to numerous SYZFAIL
crashes every day.
Don't print a SYZFAIL error for this pseudo syscall.
Introduce a preserve_progs parameter, which, if set to false, forces
syz-manager to purge unneeded programs from the corpus.
It was too radical to repair and overwrite the db file unconditionally.
syz-execprog probes if a given file is a database. Usually it's a crash log
or a single program, but db.Open started to overwrite it.
Add an explicit repair flag to db.Open and enable it only in
syz-manager and syz-hub.
Fixes #2997
Reported-by: syzbot+aada2d85478c047a3cbf@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin <avagin@google.com>
Opening an inaccessible file won't fail under root.
Skip the test.
corpus.db may get corrupted on an unexpected reset, etc.
Commit a254b0f5 ("pkg/db: properly handle errors when loading a DB")
made these errors fatal and manager never recovers on its own.
Restore the previous behavior when we still recovered some records from the db.
But (1) ensure that the file is at least writable and (2) add tests.
As was found out in #2921, fork bombs are still possible in Linux-based
instances. One of the possible reasons is described below.
An invalid stack can be passed to the clone() call, thus causing it to stumble
on an invalid memory access right when returning from the clone() call. This
is in turn caught by the NONFAILING() macro and the control actually jumps
over it, and eventually both the child and the parent continue executing the
same code.
Prevent it by handling SIGSEGV and SIGBUS differently during the clone process.
Co-authored-by: Andrei Vagin <avagin@google.com>
The source PowerISA latex files have been updated, so refresh the instruction
list. The fixed are not used by syzkaller in macros so there should be
no huge change in behaviour, if any.
While at this, simplify+comment the conversion script and fix handling of
privileged instructions; apparently a debug version of the conversion
script made it to the git repo.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Add an empty common_ext.h which is included into executor and C reproducers
and can be used to add non-mainline pseudo-syscalls w/o changing any other files
(by replacing common_ext.h file).
It would be good to finish #2274 which allows to add pseudo-syscalls
along with *.txt descriptions, but #2274 is large and there are several
open design questions. So add this simple extension point for now.
Currently only 4 are created by default. This limits the maximum number
of simultaneously running syz-executors.
Using debug/elf is better on all fronts: faster, simpler, no external deps.
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way as
to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
This prevents syzkaller from replacing /*{{{NAME}}}*/ within them.
Add memfd_create as a dependency to syz_mount_image and
syz_read_part_table.
Pseudo syscalls can (and most of the time do) invoke normal system
calls. However, when there's a risk that those calls might not be
present, syzkaller needs to take preventive actions - prepend the
corresponding defines. Otherwise syz-executor or C reproducers might
not compile on the host machine.
List those dependencies in sys/targets, check them during machine check
and add the corresponding defines during C source generation.
Otherwise the pseudo syscalls there won't be able to access those
definitions.
ref_tracker is a generic debugging facility,
the actual bug is (almost always) in the caller.
This will allow callbacks to stop iteration early by
setting ctx.Stop flag (as it works for ForeachArg).
Don't consider syscalls that return resources in unions/arrays as constructors.
Unions and arrays are problematic because we don't have directed generation
in prog.randGen.createResource() and can fail to generate a syscall that
returns a particular resource (generate a wrong union option that does not
contain the necessary resource). This leads to the following panics:
panic: failed to create a resource ifindex with ioctl$sock_SIOCGIFCONF
Require each resource to have a constructor syscall that returns the resource
outside of unions/arrays.
Add missing space before brackets.
These types in explicit out fields are either unnecessary details or bugs in descriptions.
Direction attributes on unions work in a confusing way and don't do
what users may think they do. Now we have the out_overlay attribute
for structs, which allows having overlapping input and output fields.
Slightly refactor code in preparation for future changes.
No functional changes intended.
That's some mutex internals.
Support extracting multiple frames from a single report
(one per parseStackTrace marker). Extract KMSAN origin
frame and use it as an additional ALT title for deduplication.
Fixes #2927
Keeping backwards compatibility will complicate future changes.
Since KMSAN is not upstream yet and is always rebased, we don't
really need to keep parsing old reports.
syz-execprog now uses twice the number of CPU cores as the number
of processes. Each process might use a tun device. So bump the
maximum number of tun devices to the maximum of 256, which allows
syz-execprog to run with default settings on systems with up to
128 cores.
Adds the function to read GCP Secrets.