| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
./tools/syz-env bin/golangci-lint run ./... --fix
|
| |
|
|
|
|
|
| |
We have too many corpus minimization executions and the main source of these is call removal.
Try to remove all "unrelated" calls at once. Unrelated calls are the calls that don't use
any resources/files from the transitive closure of the resources/files used by the target call.
This may significantly reduce large generated programs in a single step.
|
| |
|
|
|
|
| |
We have too many corpus minimization executions and for corpus we are only
interested in reducing total number of args that will be considered for mutation.
So don't minimize file names.
|
| |
|
|
|
|
|
|
| |
Generally we try to avoid generating duplicates,
but in some cases they are hard to avoid.
For example, if we have an array with several equal elements,
removing them leads to the same program.
So check for duplicates explicitly.
|
| |
|
|
|
|
|
|
|
| |
It makes little sense to minimize int's for corpus.
Also replacing resource with a default value does not make sense as well.
For corpus we are only interesting in reducing total number of args
that will be considered for mutation.
Add CrashSnapshot mode, mainly to keep the minimization code "alive" for now.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All callers shouldn't control lots of internal details of minimization
(if we have more params, that's just more variations to test,
and we don't have more, params is just a more convoluted way to say
if we minimize for corpus or a crash).
2 bools also allow to express 4 options, but only 3 make sense.
Also when I see MinimizeParams{} in the code, it's unclear what it means.
Replace params with mode.
And potentially "crash" minimization is not "light", it's just different.
E.g. we can simplify int arguments for reproducers (esp in snapshot mode),
but we don't need that for corpus.
|
| |
|
|
| |
Add an explicit parameter to only run call removal.
|
| |
|
|
|
| |
Fix checking of Logf, it has string in 0-th arg.
Add checking of t.Errorf/Fatalf.
|
| |
|
|
|
|
| |
This will allow us to mutate the image size.
Fixes #3527
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`compressed_image`
Rather than accepting "segments", `syz_mount_image` now accepts a
compressed image. Since this is already a corpus-breaking change, also
rearrange the arguments so that the image is at the end. This makes it
easier to inspect what the other arguments are set to.
We need to increase the timeout associated with `syz_mount_image`, as
decompression and execution take a little longer. 5000ms should be very
generous.
This commit updates the descriptions and the `syz-imagegen` tool.
The executor, seed images, and asset saving will be updated in future commits.
|
| |
|
|
|
| |
It will simplify the C code and let us extract the raw images in a more
convenient way.
|
| |
|
|
|
|
|
|
| |
Minimizing of large images is time-consuming and unlikely to reproduce
any errors. This commit therefore marks the `syz_mount_image`
pseudo-syscall as ineligible for minimization.
A test has also been added to `prog/minimization_test.go`.
|
| |
|
|
|
| |
Generate very long file names once in a while to provoke bugs like:
https://github.com/google/gvisor/commit/f857f268eceb1cdee0b2bdfa218c969c84033fcd
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
| |
Update #477
Update #502
|
| |
|
|
|
|
|
|
| |
Default value for ProcType is 0 (same for all PID's).
Usually 0 either does not make sense at all or make different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Fix several nasty bugs in minimization that could lead
to almost arbitrary results. These bugs affected both
crash minimization and corpus population.
Extend the randomized test to catch these bugs.
Add additional asserts to code to catch similar bugs in future.
Reported-by @xairy
|
| |
|
|
|
|
|
|
|
|
|
| |
Over time we relaxed parsing to handle all kinds of invalid programs
(excessive/missing args, wrong types, etc).
This is useful when reading old programs from corpus.
But this is harmful for e.g. reading test inputs as they can become arbitrary outdated.
For runtests which creates additional problem of executing not
what is actually written in the test (or at least what author meant).
Add strict parsing mode that does not tolerate any errors.
For now it just checks excessive syscall arguments.
|
| |
|
|
|
| |
This patch changes minimization routines to try assigning a.Res to nil
for each pointer arg.
|
| |
|
|
|
|
|
|
| |
Hints mutation could produce unsanitized calls.
Sanitize calls after hints mutation.
Also sanitize on load (in validate), because bad programs
can already be in corpuses. And it's just the right thing
to do because sanitization rules can change over time.
|
| |
|
|
| |
Update #538
|
| |
|
|
|
|
|
|
|
| |
We currently use -1 as default value for resources
when the actual value is not available.
-1 is good for fd's, but is not the right default
value for pointers/keys/etc.
Pass from prog and use in executor proper default
value for resources.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
|
| |
|
