| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
The structure of arguments passed into syscalls is often hard to parse
since it is memcpy'd into mmap'd regions. Structural relations are often
lost in translation, resulting in reproducers that take longer for a
developer to understand.
This patch adds functionality for parsing syscall arguments semantically and
emitting a structured and human-readable comment which is inserted before each
syscall in the resulting C-source.
|
| |
|
|
|
| |
go install golang.org/x/tools/cmd/deadcode@latest
deadcode -test ./...
|
| | |
|
| |
|
|
| |
They are shorter, more readable, and don't require temp vars.
|
| |
|
|
|
| |
If the overflows happen often, it's bad.
Add visibility into this.
|
| |
|
|
| |
Reduce the size of syz-manager.
|
| | |
|
| |
|
|
|
|
|
| |
Allow to serialize/deserialize DataMmapProg
and fix validation in debug mode.
Fixes #4750
|
| |
|
|
|
|
|
| |
Currently we throw away saturated calls only after triage/minimization.
Triage/minimization is unnecessary for saturated calls,
we already know we will throw them away later.
Don't send saturated calls for triage/minimization.
|
| |
|
|
|
|
| |
Structs may not change, but for arrays it's pretty normal. Let's remove
this source of subtle panics by supporting arrays of differing sizes in
replaceArg().
|
| |
|
|
|
|
|
|
| |
Not cloning the argument results in replaceArg() replacing a union
argument with itself, which may lead to inconsistent resource
references.
Add an assertion to detect such cases in the future.
|
| |
|
|
|
|
|
|
|
|
|
| |
The replaced union field may contain resource references that must also
be cleaned up.
The bug was triggered via methods that patch conditional fields, so
let's add stress tests for the conditional fields + resources
combination.
Reported-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
This reverts commit 6387f6b7d487e2a77d753ad28c1074e39c17c3ca.
|
| |
|
|
| |
This reverts commit 4097c8d7a8596ddbc9a9db7b7f39c5cbdb1bd742.
|
| |
|
|
|
|
|
|
| |
Not cloning the argument results in replaceArg() replacing a union
argument with itself, which may lead to inconsistent resource
references.
Add an assertion to detect such cases in the future.
|
| |
|
|
|
|
|
|
|
|
|
| |
The replaced union field may contain resource references that must also
be cleaned up.
The bug was triggered via methods that patch conditional fields, so
let's add stress tests for the conditional fields + resources
combination.
Reported-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
If conditions of several union fields are satisfied, select one
randomly. This would be a more logical semantics.
When conditional struct fields are translated to unions, negate the
condition for the union alternative.
|
| |
|
|
|
|
|
|
|
| |
Prohibit arg direction from being DirIn if other calls use the resource
as input.
Fix one case where we used to violate it - during argument squashing.
Reported-by: John Miller <jm3228520@gmail.com>
|
| |
|
|
|
| |
It will simplify the C code and let us extract the raw images in a more
convenient way.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently csource skips calls at the very last moment, which has an
unpleasant consequence - if we make choice of enabled defines depend on
the individual calls or call properties, we may end up with defined yet
unused functions.
The perfect solution would be to untie
syz_emit_ethernet/syz_extract_tcp_res and NetInjection, and also to
untie VhciInjection and syz_emit_vhci.
For the time being, move these checks to the very beginning of csource
processing, so that these calls could be removed before we construct our
defines.
Adjust pkg/csource/csource_test.go to better cover fault injection
generation problems.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
|
|
|
|
| |
Call properties let us specify how each individual call within a program
must be executed. So far the only way to enforce extra rules was to pass
extra program-level properties (e.g. that is how fault injection was done).
However, it entangles the logic and not flexible enough.
Implement an ability to pass properties along with each individual call.
|
| |
|
|
|
| |
Create a constructor for the prog.Call type. It allows to reduce
the duplication of code now and during further changes.
|
| |
|
|
|
|
|
| |
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use Ref in Arg instead of full Type interface.
This reduces size of all args. In partiuclar the most common
ConstArg is reduces from 32 bytes to 16 and now does not
contain any pointers (better for GC).
Running syz-db bench on a beefy corpus: before:
allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.704699958s
allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.873792394s
allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.820479906s
after:
allocs 7163 MB (18 M), next GC 759 MB, sys heap 1023 MB, live allocs 379 MB (8 M), time 8.938939937s
allocs 7163 MB (18 M), next GC 759 MB, sys heap 1087 MB, live allocs 379 MB (8 M), time 9.410243167s
allocs 7163 MB (18 M), next GC 759 MB, sys heap 1023 MB, live allocs 379 MB (8 M), time 9.38225806s
Max heap and live heap are reduced by 20%.
Update #1580
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Remvoe FieldName from Type and add a separate Field type
that holds field name. Use Field for struct fields, union options
and syscalls arguments, only these really have names.
Reduces size of sys/linux/gen/amd64.go from 5665583 to 5201321 (-8.2%).
Allows to not create new type for squashed any pointer.
But main advantages will follow, e.g. removing StructDesc,
using TypeRef in Arg, etc.
Update #1580
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Having Dir is Type is handy, but forces us to duplicate lots of types.
E.g. if a struct is referenced as both in and out, then we need to
have 2 copies and 2 copies of structs/types it includes.
If also prevents us from having the struct type as struct identity
(because we can have up to 3 of them).
Revert to the old way we used to do it: propagate Dir as we walk
syscall arguments. This moves lots of dir passing from pkg/compiler
to prog package.
Now Arg contains the dir, so once we build the tree, we can use dirs
as before.
Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).
Update #1580
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
|
| |
|
|
|
|
|
|
| |
All callers of BitfieldMiddle just want static size (0 for middle).
Make it so: Size for middle bitfields just returns 0. Removes lots of if's.
Introduce Type.UnitSize, which now holds the underlying type for bitfields.
This will be needed to fix #1542 b/c even if UnitSize=4 for last bitfield
Size can be anywhere from 0 to 4 (not necessary equal to UnitSize due to overlapping).
|
| |
|
|
|
| |
Fuzzer manages to open it and do bad things with it.
Prevent it from doing so.
|
| | |
|
| |
|
|
|
|
| |
Prog.Finalize combines assignSizesCall, SanitizeCall and validate.
Intended for users who build own programs,
so that we don't need to expose all individual methods.
|
| |
|
|
|
| |
It's effectively exported anyway.
So export it the proper way.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we only generate either valid user-space pointers or NULL.
Extend NULL to a set of special pointers that we will use in programs.
All targets now contain 3 special values:
- NULL
- 0xfffffffffffffff (invalid kernel pointer)
- 0x999999999999999 (non-canonical address)
Each target can add additional special pointers on top of this.
Also generate NULL/special pointers for non-opt ptr's.
This restriction was always too restrictive. We may want to generate
them with very low probability, but we do want to generate them.
Also change pointers to NULL/special during mutation
(but still not in the opposite direction).
|
| |
|
|
|
|
| |
Parse and collect and prog comments.
Will be needed for runtest annotations
(e.g. "requires threaded mode", etc).
|
| |
|
|
|
|
| |
Refactor from single-big-switch to type methods.
Update #538
|
| |
|
|
|
|
|
|
| |
Make argument serialization Arg method.
This eliminates a very long function
that serializes all arguments.
Update #538
|
| |
|
|
|
|
| |
Remember per-call comments, will be useful for annotating tests.
Also support this form:
call() # comment
|
| |
|
|
|
| |
fmt type allows to convert intergers and resources
to string representation.
|
| |
|
|
|
|
|
| |
The current code is total, unstructured mess.
Since we now have 1:1 type -> arg correspondence,
rework validation around args. This makes code
much cleaner and 30% shorter.
|
| |
|
|
|
| |
No reason to allocate return value if there is no return type.
c.Ret == nil is the reasonable indication that this is a "void" call.
|
| |
|
|
|
|
| |
Now that we don't have ReturnArg and only ResultArg's refer
to other ResultArg's we can remove ArgUser/ArgUsed and
devirtualize lots of code.
|
| |
|
|
| |
It's not all that needed.
|
| |
|
|
| |
Fix typos, non-canonical code, remove dead code, etc.
|
| |
|
|
|
| |
Test that isDefaultArg returns true for result of DefaultArg.
Fix few bugs uncovered by this test.
|
| | |
|
