Commit message | Author | Age | Files | Lines

Any is preferred over interface{} now in Go.
We used to generate a choice table and do its normalization for all
present syscalls; also, it was not considered during the /prio page
generation.
Enabled/disabled syscalls were accounted for in the choice table
construction, but there's a chance that the resulting table was still
somewhat skewed.
The situation must have become worse after several thousand auto
syscalls were added.
They are shorter, more readable, and don't require temp vars.
We don't use Enabled() anywhere.
Two changes:
1) Instead of multiplying static and dynamic prios, add them 1:1.
2) For dynamic priorities, limit the effect of too frequent call
combinations by taking a sqrt() of the value.
On syz-testbed experiments, the updated algorithm triggers 5-10%
more different crash types.
As before, there is no big theory behind the approach :)
The function modifies its arguments, which makes it problematic to call
it multiple times. Refactor it.
Adds comments about how choice table runs values are populated
based on information from dynamic and static priorities.
builtin
Create the `BufferCompressed` kind of `BufferType`, which will be used
to represent compressed data. Create the corresponding `compressed_image`
syzlang builtin, which is backed by `BufferCompressed`. For now, no
syscalls use this feature - this will be introduced in future commits.
We have to be careful to decompress the data before mutating, and
re-compress before storing. We make sure that any deserialised
`BufferCompressed` data is valid too.
`BufferCompressed` arguments are mutated using a generic heatmap. In
future, we could add variants of `BufferCompressed` or populate the
`BufferType` sub-kind, using it to choose different kinds of heatmap for
different uncompressed data formats.
Various operations on compressed data must be forbidden, so we check for
`BufferCompressed` in key places. We also have to ensure `compressed_image`
can only be used in syscalls that are marked `no_{generate,minimize}`.
Therefore, we add a generic compiler check which allows type
descriptions to require attributes on the syscalls which use them.
Create a `no_generate` attribute to be used with syscalls that
`syzkaller` should not try to generate from scratch. In other words,
`syzkaller` will only use seeds of this call. This will be useful for
syscalls which are unlikely to be correctly generated.
In particular, prevent these syscalls from being included in the choice
table or from being considered as possible resource constructors.
Also add a test which will attempt to generate programs with a bias
towards `no_generate` syscalls, and flag up any that make it into result
programs. Currently there are no `no_generate` syscalls, but the next
commit will add some.
This will allow callbacks to stop iteration early by
setting ctx.Stop flag (as it works for ForeachArg).
* all: add new typename dirname
The current way to check files under sysfs or proc is:
- define a string to represent each file
- open the file
- pass the fd to write / read / close
The issues above are:
- Need to know which files are present on the target device
- Need to write openat for each file
With dirname added, it will open one file
in the directory randomly and then pass the fd to
write/read/close.
* all: use typename glob to match filename
Fixes #481
Switch from float32 to int32.
Float32 is super slow in arm emulation.
Plus floats are generally non-deterministic due to order of operations,
so we needed to do additional sorts to deal with that. Now we don't.
These checks still fire episodically [on gvisor instance only?].
I've made several attempts to debug this/extend checks.
But so far I have no clue and we are still seeing them.
They are rare enough to be directly debuggable and to be
something trivial. This may be some memory corruption
(kernel or our race), or some very episodic condition.
They are rare enough to be a problem, so don't include
the syscall name so that they all go into a single bug bucket.
Make it faster + disable in race mode (still too slow).
Floats bite.
We iterated over the uses map non-deterministically,
which would be fine overall except that it may
break floats due to rounding.
We are seeing some panics that say that some disabled
syscalls somehow get into the corpus.
I don't see where/how this can happen.
Add a check to syz-fuzzer to panic whenever we execute
a program with a disabled syscall. Hopefully the panic
stack will shed some light.
Also add a check in manager as the last line of defence
so that bad programs don't get into the corpus.
Update #477
Update #502
Remove StructDesc, KeyedStruct, StructKey and all associated
logic/complexity in prog and pkg/compiler.
We can now handle recursion more generically with the Ref type,
and Dir/FieldName are not a part of the type anymore.
This makes StructType/UnionType simpler and more natural.
Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%).
Update #1580
Name "Type" is confusing when referring to pointer/array element type.
Frequently there are too many Type/typ/typ1/t and typ.Type is not very informative.
It _is_ a type, but what's usually more relevant is that it's an _element_ type.
Let's leave type checking to compiler and give it a more meaningful name.
Having Dir in Type is handy, but forces us to duplicate lots of types.
E.g. if a struct is referenced as both in and out, then we need to
have 2 copies and 2 copies of structs/types it includes.
It also prevents us from having the struct type as struct identity
(because we can have up to 3 of them).
Revert to the old way we used to do it: propagate Dir as we walk
syscall arguments. This moves lots of dir passing from pkg/compiler
to the prog package.
Now Arg contains the dir, so once we build the tree, we can use dirs
as before.
Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).
Update #1580
Makes tests deterministic and syz-mutate with -seed flag.
Pointed out by Jordan Frank (@jwf).
Use a random subset of syscalls/corpus/coverage for each individual VM run.
The hypothesis is that this should allow the fuzzer to get more coverage and
find more bugs in a saturated state (stuck in a local optimum).
See the issue and comments for details.
Update #1348
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Update #1380
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this check programs may end up panicking in places far away
from the real cause. E.g.
worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false
2004/02/03 12:11:11 fuzzer started
2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386
2004/02/03 12:11:12 syscalls: 1
2004/02/03 12:11:12 code coverage: enabled
2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller
2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller
2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller
2004/02/03 12:11:12 net packet injection: enabled
2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller
panic: invalid argument to Intn
goroutine 27 [running]:
math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40)
/usr/local/go/src/math/rand/rand.go:169 +0x9c
github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69
github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2
main.(*Proc).loop(0xc000d92f40)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
Based on twitter bug report:
https://twitter.com/panicaII/status/1035058001269248000
Factor out several helper functions.
Update #538
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows fuzzing without mmap enabled.
2. Change address assignment algorithm.
The current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
Now works fast enough even for short mode.
Fixes #208
We need to choose the last value inclusive,
otherwise we will never select the last call.
Will be tested by upcoming mutation tests.
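The choice-table row handling these commits describe (static and sqrt-damped dynamic prios added 1:1 as int32, a cumulative runs table, an inclusive draw so the last call is reachable, and a guard for the empty row that otherwise reaches the `invalid argument to Intn` panic in the log above), as an added example that is not syzkaller's own code; `combine`, `runs`, `choose` and `prioScale` are hypothetical names.

```go
package main

import (
	"math"
	"math/rand"
	"sort"
)

// Added example, not syzkaller's code: static and dynamic prios are added 1:1
// with the dynamic part damped by sqrt(), prios are int32, the row becomes a
// cumulative "runs" table, and a callee is drawn with an inclusive upper bound
// plus an explicit guard instead of a bare rand.Intn(). Names are hypothetical.

const prioScale = 1000 // fixed-point scale: static prios live in [0, prioScale]
// combine returns static[j] + sqrt(dynamic[j]*prioScale) for each callee j;
// disabled callees get 0 so they can never be drawn.
func combine(static, dynamic []int32, enabled []bool) []int32 {
	out := make([]int32, len(static))
	for j := range static {
		if !enabled[j] {
			continue
		}
		out[j] = static[j] + int32(math.Sqrt(float64(dynamic[j])*prioScale))
	}
	return out
}

// runs turns a prio row into prefix sums: run[j] = prio[0] + ... + prio[j].
func runs(prio []int32) []int32 {
	run := make([]int32, len(prio))
	var sum int32
	for j, p := range prio {
		sum += p
		run[j] = sum
	}
	return run
}

// choose returns a callee index with probability proportional to its prio, and
// false for a row with no enabled calls (which would otherwise hit rand.Intn(0)
// and panic far from the real cause). x is drawn from [1, total] inclusive, so
// the last call is reachable and a zero-prio call at index 0 never matches.
func choose(run []int32, r *rand.Rand) (int, bool) {
	if len(run) == 0 || run[len(run)-1] <= 0 {
		return -1, false
	}
	x := int32(r.Intn(int(run[len(run)-1]))) + 1
	return sort.Search(len(run), func(i int) bool { return run[i] >= x }), true
}
```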
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.
Abstract "mmap" away as it can be called differently on another OS.
Large overhaul moves syscalls and arg types from sys to prog.
Sys package now depends on prog and contains only generated
descriptions of syscalls.
Introduce prog.Target type that encapsulates all target properties,
like syscall list, ptr/page size, etc. Also moves OS-dependent pieces
like mmap call generation from prog to sys.
Update #191
In preparation for moving sys types to prog to reduce later diffs.
In preparation for moving sys types to prog
to avoid confusion between sys.Call and prog.Call.
Dynamic prio is meant to prioritize calls that
are already used together in existing programs.
The calculation used call index in the program
instead of call ID, which does not make any
sense and is a plain bug. It prioritized calls
starting from 'a' (as syscalls are sorted).
Use call ID for dynamic prio calculation.
Static prios for add_key:
1.0000 keyctl$search
1.0000 request_key
1.0000 add_key
0.5411 keyctl$assume_authority
0.5411 keyctl$setperm
0.5411 keyctl$set_timeout
0.5411 keyctl$unlink
0.5411 keyctl$revoke
0.5411 keyctl$reject
0.5411 keyctl$read
0.5411 keyctl$negate
0.5411 keyctl$link
0.5411 keyctl$join
0.5411 keyctl$invalidate
0.5411 keyctl$instantiate_iov
0.5411 keyctl$instantiate
0.5411 keyctl$get_security
0.5411 keyctl$get_persistent
0.5411 keyctl$update
Dynamic prios before fix:
0.1000 accept
0.1000 accept$alg
0.1000 accept$ax25
0.1000 accept$inet
0.1000 accept$inet6
0.1000 accept$inet_sctp
0.1000 accept$ipx
0.1000 accept$netrom
0.1000 accept$nfc_llcp
0.1000 accept$unix
0.1000 accept4
0.1000 accept4$ax25
0.1000 accept4$inet
0.1000 accept4$inet6
0.1000 accept4$inet_sctp
0.1000 accept4$ipx
0.1000 accept4$unix
0.1000 acct
Dynamic prios after fix:
0.2465 request_key
0.1142 keyctl$search
0.1000 add_key
0.1000 perf_event_open
0.0766 keyctl$invalidate
0.0717 keyctl$setperm
0.0717 keyctl$unlink
0.0717 keyctl$instantiate_iov
0.0681 keyctl$read
0.0649 keyctl$update
0.0649 keyctl$chown
0.0645 keyctl$link
0.0645 keyctl$get_security
0.0631 keyctl$revoke
0.0622 keyctl$clear
0.0622 keyctl$reject
0.0618 keyctl$set_timeout
0.0618 keyctl$negate
0.0613 keyctl$instantiate
Fixes #164
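The by-index versus by-ID dynamic prio calculation this commit describes, as an added example that is not syzkaller's own code; `dynamicPrioByIndex`, `dynamicPrioByID` and `newMatrix` are hypothetical names, and a program is modelled as a slice of call IDs.

```go
package main

// Added example, not syzkaller's code: the two dynamic-prio calculations the
// commit above contrasts. A program is a slice of call IDs (a call's index in
// the target's sorted syscall table); ncalls is that table's size. Names are
// hypothetical.

func newMatrix(n int) [][]int32 {
	m := make([][]int32, n)
	for i := range m {
		m[i] = make([]int32, n)
	}
	return m
}

// dynamicPrioByIndex is the buggy form: the counter is keyed by the pair's
// positions in the program, so rows 0, 1, 2, ... (the first syscalls in sorted
// order, i.e. those starting with 'a') collect all the weight whatever was
// actually called. Assumes programs are shorter than ncalls, as real ones are.
func dynamicPrioByIndex(corpus [][]int, ncalls int) [][]int32 {
	prios := newMatrix(ncalls)
	for _, prog := range corpus {
		for i := range prog {
			for j := i + 1; j < len(prog); j++ {
				prios[i][j]++
			}
		}
	}
	return prios
}

// dynamicPrioByID is the fixed form: the same pair is keyed by call ID, so
// prios[a][b] counts how many times call a precedes call b across the corpus,
// which is what "already used together in existing programs" means.
func dynamicPrioByID(corpus [][]int, ncalls int) [][]int32 {
	prios := newMatrix(ncalls)
	for _, prog := range corpus {
		for i, a := range prog {
			for _, b := range prog[i+1:] {
				prios[a][b]++
			}
		}
	}
	return prios
}
```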
Add new pseudo syscall syz_kvm_setup_cpu that sets up a VCPU into
interesting states for execution. KVM is too difficult to set up otherwise.
Lots of improvements possible, but this is a starting point.
This allows to write:
string[salg_type, 14]
which will give a string buffer of size 14 regardless of actual string size.
Convert salg_type/salg_name to this.
Allow to define string flags in txt descriptions. E.g.:
filesystem = "ext2", "ext3", "ext4"
and then use it in string type:
ptr[in, string[filesystem]]
FileoffType is effectively an int, no need for a separate type.
Also remove fd option from fileoff as it is unused and use story is unclear.
FilenameType is effectively a buffer, there is no need for a separate type.
Dir is a static info, so we don't need to compute, propagate and
attach it in prog whenever we generate/change programs.
Attach Dir to all types.
Currently we store most types by value in sys.Type.
This is somewhat counter-intuitive for C++ programmers,
because one can't easily update the type object.
Store pointers to type objects for all types.
It also makes it easier to update types, e.g. adding paddings.