| Commit message | Author | Age | Files | Lines |
Previously, the generated KFuzzTest programs were reusing the address of
the top-level input struct. A problem could arise when the encoded blob
is large and overflows into another allocated region - this certainly
happens in the case where the input struct points to some large char
buffer, for example.
While this wasn't directly a problem, it could lead to racy behavior
when running KFuzzTest targets concurrently.
To fix this, we now introduce an additional buffer parameter into
syz_kfuzztest_run that is as big as the maximum accepted input size in
the KFuzzTest kernel code. When this buffer is allocated, we ensure that
we have some allocated space in the program that can hold the entire
encoded input.
This works in practice, but has not been tested with concurrent
KFuzzTest executions yet.
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.
Signed-off-by: Ethan Graham <ethangraham@google.com>
syz-kfuzztest is a new standalone designed for fuzzing KFuzzTest on a
live kernel VM (e.g., inside QEMU). It has no dependencies on the
executor program, instead directly writing into a KFuzzTest target's
debugfs entry.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a new package, pkg/kfuzztest, that implements dynamic discovery of
KFuzzTest targets by parsing a vmlinux kernel binary.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding
logic.
KFuzzTest targets, which are invoked in the executor with the new
syz_kfuzztest_run pseudo-syscall, require specialized encoding. To
differentiate KFuzzTest calls from standard syzkaller calls, we
introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller
descriptions that can be used to annotate calls.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a Go-native KCOV package, with helper functions for tracing
a function. This is in preparation for a standalone KFuzzTest tool,
which should be written in Go in order to take advantage of existing
fuzzing infrastructure.
The hard-coded coverage buffer size is the same as the executor program,
defined as `512 << 10` in `executor/executor.cc`.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Break checkCallResult() down into smaller functions, checkCallStatus() and
checkCallCoverage().
Implement a pseudo-syscall to check the value of kvm_run.exit_reason
Pseudo-syscalls from noCovSyscalls may not generate any coverage, which
leads to a crash in the following line:
if len(inf.Signal) < 2 && !calls[callName] && len(info.Extra.Signal)
Make sure that this check is only done for calls not belonging to
noCovSyscalls.
The `no_squash` per-syscall attribute prevents the fuzzer from generating
squashed arguments to a particular syscall.
This is particularly helpful for pseudo-syscalls with elaborate
arguments that are hard to reason about when they are squashed - e.g.
for syz_kvm_add_vcpu() that takes a SYZOS program as an input.
I've considered an alternative solution that prohibits ANY for all
pseudo-syscalls. But there is a bunch of existing programs (both
the tests and the repros) for syscalls like syz_mount_image() for which
the benefit of not passing ANY is not immediately obvious.
I therefore decided to go with an explicit attribute that can later
be enforced for every pseudo-syscall at compile time.
This should fix our broken bisections.
Closes #6136.
When determining whether a patch series is worth fuzzing, consider not
only the hashes of .text symbols, but also the hashes of the global
(static and non-static) variables.
As before, calculate the hashes during build and process them at the
beginning of the fuzz step.
Send only the first report to dashboard.
The needed Bazel version to build gVisor got bumped. However, instead of
doing the same bump in two places whenever this happens, we can simply
use bazelisk in syzkaller to determine which bazel version to use
automatically.
Add a new column next to it to list the number of repro attempts separately.
Include a bit more info into the bug reports.
The change is motivated by inactionable "image testing failed w/o kernel
bug" errors like this:
https://syzkaller.appspot.com/text?tag=CrashLog&x=17acec42580000
Copy everything that might be important during execution on other
kernels/VM pools. Add a test to verify it.
The functionality is actively used to clone requests in the diff fuzzer.
When we run a reproducer on a base kernel and it crashes, we must record
the crash title observed on the base kernel.
Rename the field to reduce the chance of confusion in the future.
Report base kernel crashes observed during fuzzing.
Consult the common API for each patched kernel crash to see if it was
already observed on the base kernel.
We used the wrong name for the optional argument.
To be useful, the stat should have a different name depending on the VM
pool name.
The parser in symbolizer was incorrectly handling values of 0x0-0xf.
Fixes #6290
When set as env variables, these don't seem to have any effect, but
start to work as intended when passed as explicit make arguments.
This will let us see executor restart statistics per VM pool (relevant
for diff fuzzing).
Following
https://github.com/google/gvisor/commit/b47d21ef21a6f59b8f574eebf83c7936880c1c0d
syzkaller should look for this message type.
It simplifies the dependency tree and fixes a build error for the
send-test-email container.
Google Cloud cannot automatically infer it from our images, so we need
to explicitly set it. The flag is required to create a GVNIC-based GCE
instance (the only type for C4A machines).
It must be more than 10GB.
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.
This reduces the redundancy a bit.
On the syz-manager's html dashboard, display the number of repro attempts
for each bug. It will help distinguish the bugs where reproduction
was attempted and failed from those that have never been reproduced yet.
#6070 explains the problem of data propagation.
1. Add weekly /cron/update_coverdb_subsystems.
2. Stop updating subsystems from coverage receiver API.
The VM pool expects us to listen on the boot error channel.
It's been checking the inverse of what was needed.
Rename the helper function to reduce confusion in the future.
Instead of calling grep (the implementations of which may differ in
different environments), traverse the directory and grep files with a
special pkg/osutil helper functionality.
Ensure that corpus and signal are non-zero after the bugs have been
found.
Fix coverage configuration - the test was de facto running on a fallback
coverage.
Bonus: add error processing.
The structure of arguments passed into syscalls is often hard to parse
since it is memcpy'd into mmap'd regions. Structural relations are often
lost in translation, resulting in reproducers that take longer for a
developer to understand.
This patch adds functionality for parsing syscall arguments semantically and
emitting a structured and human-readable comment which is inserted before each
syscall in the resulting C-source.
Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the
kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the
coverage buffer on the kernel side. This, in turn, allows us to map the
coverage buffer read-only, which will prevent all sorts of
userspace-generated corruptions at a cost of an extra syscall per program
execution.
The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on
read-only coverage in the executor. It is enabled by default
if FeatureKcovResetIoctl is on.
If the manager name is set, display it in the header.
The rules were too generic - there are plenty of functions that have
"stall" as substring, yet they do not relate to rcu stall bugs.
Improve the rules list and add a unit test.