path: root/prog/rand.go
Commit message | Author | Age | Files | Lines
* pkg/csource: exclude auto-generated syscalls from tests
  Author: Aleksandr Nogikh | Age: 2025-11-24 | Files: 1 | Lines: -2/+2

  Auto-generated syscall descriptions currently do not properly mark arch-specific syscalls like socketcall (which is only available on 32 bit systems), which leads to TestGenerate breakages. Until the syz-declextract tool is fixed and descriptions are re-generated, don't use such calls in TestGenerate tests.

  It has recently caused numerous syzkaller update errors on syzbot.

  Cc #5410.
  Closes #6468.
* pkg/fuzzer: use a smaller number of recommended calls for KFuzzTest
  Author: Ethan Graham | Age: 2025-09-22 | Files: 1 | Lines: -0/+4

  Introduce a KFuzzTest mode for the fuzzer so that a smaller number of recommended calls can be used if we are fuzzing KFuzzTest targets.

  Signed-off-by: Ethan Graham <ethangraham@google.com>
* prog: add specialized mutation for KFuzzTest calls
  Author: Ethan Graham | Age: 2025-09-22 | Files: 1 | Lines: -1/+14

  Internal kernel functions (and as a result KFuzzTest) have stricter contracts than system calls. For this reason, we must avoid mutating the following cases:
  - Length arguments not matching the length of the related buffer.
  - Strings not being null-terminated.

  Add special cases for KFuzzTest calls that avoid these situations.

  Signed-off-by: Ethan Graham <ethangraham@google.com>
* all: use min/max functions
  Author: Dmitry Vyukov | Age: 2025-01-17 | Files: 1 | Lines: -5/+1

  They are shorter, more readable, and don't require temp vars.
* pkg/compiler: allow recursion via arrays
  Author: Dmitry Vyukov | Age: 2024-11-18 | Files: 1 | Lines: -18/+33

  Permit structs to recursively contain themselves in arrays. This is needed for netlink. Amusingly, several netlink policies contain themselves.
* prog: allow deeper nesting of conditional fields patching
  Author: Aleksandr Nogikh | Age: 2024-09-11 | Files: 1 | Lines: -4/+4

  There is a totally valid situation when we could be recursively patching conditional fields: if by changing a field's value we insert new resource constructor calls. It's a bug to skip conditional field patching for them.

  Allow up to 2 nested patchConditionalFields() calls and panic if there happen to be more.

  Add a test that reproduces the situation described above.
* prog: reduce amount of hint replacements
  Author: Dmitry Vyukov | Age: 2024-07-02 | Files: 1 | Lines: -4/+5

  Several optimizations to reduce amount of hint replacements:
  1. Don't mutate int's that are <= 8 bits.
  2. Don't mutate data that is <= 3 bytes.
  3. Restrict mutation of len only value >10 and < 1<<20. Values <= 10 we can produce during normal mutation. Values > 1<<20 are presumably not length of something and we have logic to produce various large bogus lengths.
  4. Include all small ints <= 16 into specialInts and remove 31, 32, 63 (don't remember where they come from).
  5. Don't produce other known flags (and combinations) for flags.

  And a larger part computes groups of related arguments so that we don't try to produce known ioctl's from other known ioctl's, and similarly for socket/socketpair/setsockopt/etc. See comments in Target.initRelatedFields for details.

  Update #477
* prog: fix validation of DataMmapProg
  Author: Dmitry Vyukov | Age: 2024-05-06 | Files: 1 | Lines: -2/+3

  Allow to serialize/deserialize DataMmapProg and fix validation in debug mode.

  Fixes #4750
* pkg/ifuzz/arm64: add arm64 support
  Author: Alexander Potapenko | Age: 2024-04-24 | Files: 1 | Lines: -6/+7

  This patch adds instruction generator for ARM64 based on the descriptions provided as part of Go's arm64asm package. It also implements support for pseudo-instructions for calling ARM64 hypercalls.
* prog: optimize resourceCentric()
  Author: Aleksandr Nogikh | Age: 2024-03-20 | Files: 1 | Lines: -5/+8

  In practice, we need to try out many different corpus programs before we may find a matching resource. It's very inefficient to Clone() each of them.

  This change gives a +76% speed improvement in the BenchmarkMutate() test.
* prog: auto-set proper conditional fields in Deserialize()
  Author: Aleksandr Nogikh | Age: 2024-03-13 | Files: 1 | Lines: -1/+1

  Treat all default union arguments as transient and reevaluate them after the call was fully parsed.

  Before conditional field patching, we do need to have performed arg validation, which also reevaluates conditions. To break the cycle, make validation configurable.
* Revert "prog: auto-set proper conditional fields in Deserialize()"
  Author: Aleksandr Nogikh | Age: 2024-03-08 | Files: 1 | Lines: -1/+1

  This reverts commit 8e75c913b6f9b09cab2ad31fd7d66ea0d1703de8.
* prog: auto-set proper conditional fields in Deserialize()
  Author: Aleksandr Nogikh | Age: 2024-03-08 | Files: 1 | Lines: -1/+1

  Treat all default union arguments as transient and reevaluate them after the call was fully parsed.

  Before conditional field patching, we do need to have performed arg validation, which also reevaluates conditions. To break the cycle, make validation configurable.
* prog: handle multiple matching union fields
  Author: Aleksandr Nogikh | Age: 2024-02-19 | Files: 1 | Lines: -1/+1

  If conditions of several union fields are satisfied, select one randomly. This would be a more logical semantics.

  When conditional struct fields are translated to unions, negate the condition for the union alternative.
* prog: support conditional fields
  Author: Aleksandr Nogikh | Age: 2024-02-19 | Files: 1 | Lines: -1/+8

  pkg/compiler restructures conditional fields in structures into unions, so we only have to implement the support for unions.

  Semantics is as follows: If a union has conditions, syzkaller picks the first field whose condition matches. Since we require the last union field to have no conditions, we can always construct an object.

  Changes from this commit aim at ensuring that the selected union fields always follow the rule above.
* prog: fix an invalid rnd.Perm() invocation
  Author: Aleksandr Nogikh | Age: 2024-01-17 | Files: 1 | Lines: -1/+1

  Only the values of the returned array are of interest.
* prog: restructure resource generation
  Author: Aleksandr Nogikh | Age: 2024-01-15 | Files: 1 | Lines: -8/+14

  If no matching resource was already present in the program, we used to substitute a random value in ~50% of cases. That's not efficient.

  Restructure the resource generation process so that, if there are no other options, we generate a new resource in 80% cases and in the remaining 20% we substitute an integer.
* prog: prefer precise constructors
  Author: Aleksandr Nogikh | Age: 2024-01-11 | Files: 1 | Lines: -13/+29

  During resource argument generation, we used to randomly select one of the matching resources. With so many descendants of fd, this becomes quite inefficient and most of the time syzkaller fails to build correct programs.

  Give precise resource constructions priority. Experiment with other resource types only in 1/3 of cases.
* pkg/csource: compile single pseudo syscalls
  Author: Aleksandr Nogikh | Age: 2023-05-04 | Files: 1 | Lines: -5/+31

  There seem to be a lot of unclear dependencies between pseudo syscall code and global methods. By testing them only together we have little chance to detect these problems because implementations can indirectly help one another.

  In addition to existing tests, also compile all pseudo syscalls independently.
* prog, pkg/compiler: add `BufferCompressed` buffer type & `compressed_image` builtin
  Author: Hrutvik Kanabar | Age: 2022-11-21 | Files: 1 | Lines: -0/+2

  Create the `BufferCompressed` kind of `BufferType`, which will be used to represent compressed data. Create the corresponding `compressed_image` syzlang builtin, which is backed by `BufferCompressed`. For now, no syscalls use this feature - this will be introduced in future commits.

  We have to be careful to decompress the data before mutating, and re-compress before storing. We make sure that any deserialised `BufferCompressed` data is valid too.

  `BufferCompressed` arguments are mutated using a generic heatmap. In future, we could add variants of `BufferCompressed` or populate the `BufferType` sub-kind, using it to choose different kinds of heatmap for different uncompressed data formats.

  Various operations on compressed data must be forbidden, so we check for `BufferCompressed` in key places. We also have to ensure `compressed_image` can only be used in syscalls that are marked `no_{generate,minimize}`. Therefore, we add a generic compiler check which allows type descriptions to require attributes on the syscalls which use them.
* prog: increase max number of syscalls in a program
  Author: Dmitry Vyukov | Age: 2022-11-13 | Files: 1 | Lines: -1/+1

  We currently limit program length to 20. But the NFC seed sys/linux/test/nfc needs 22 syscalls just to do basic NFC setup. Increase the limit to 30.
* prog: add an attribute for syscalls which should not be generated
  Author: Hrutvik Kanabar | Age: 2022-09-22 | Files: 1 | Lines: -3/+13

  Create a `no_generate` attribute to be used with syscalls that `syzkaller` should not try to generate from scratch. In other words, `syzkaller` will only use seeds of this call. This will be useful for syscalls which are unlikely to be correctly generated.

  In particular, prevent these syscalls from being included in the choice table or from being considered as possible resource constructors.

  Also add a test which will attempt to generate programs with a bias towards `no_generate` syscalls, and flag up any that make it into result programs.

  Currently there are no `no_generate` syscalls, but the next commit will add some.
* prog: generate very long file names
  Author: Dmitry Vyukov | Age: 2022-08-10 | Files: 1 | Lines: -3/+25

  Generate very long file names once in a while to provoke bugs like:
  https://github.com/google/gvisor/commit/f857f268eceb1cdee0b2bdfa218c969c84033fcd
* prog: add more integers for generator
  Author: Palash Oswal | Age: 2022-02-24 | Files: 1 | Lines: -0/+2

  Add more special Ints to the array as it supports integers of 64 bytes length.
* prog: refactor generation of resources
  Author: Dmitry Vyukov | Age: 2022-01-11 | Files: 1 | Lines: -52/+54

  Currently we loop up to 1000 times in randGen.createResource, this is necessary because we can't guarantee that the generated syscall will indeed contain the necessary resources. This is ugly.

  Now that we have stricter constructors (no unions) with few additional tweaks we can guarantee that we generate the resource every time.

  Generate at least 1 array element when in createResource. Don't generate special empty pointers when in createResource. Record only resource constructors in Syscall.outputResource, this makes rotation logic to include at least 1 of them.
* prog: make panic message more useful
  Author: Dmitry Vyukov | Age: 2022-01-11 | Files: 1 | Lines: -2/+2

  Output actual resource type we tried to create in the panic messages. In some cases we spoof it and it's not the original resource type.
* pkg/csource: remove calls instead of skipping them
  Author: Aleksandr Nogikh | Age: 2021-10-01 | Files: 1 | Lines: -2/+2

  Currently csource skips calls at the very last moment, which has an unpleasant consequence - if we make choice of enabled defines depend on the individual calls or call properties, we may end up with defined yet unused functions.

  The perfect solution would be to untie syz_emit_ethernet/syz_extract_tcp_res and NetInjection, and also to untie VhciInjection and syz_emit_vhci.

  For the time being, move these checks to the very beginning of csource processing, so that these calls could be removed before we construct our defines.

  Adjust pkg/csource/csource_test.go to better cover fault injection generation problems.
* all: introduce a prog.Call constructor
  Author: Aleksandr Nogikh | Age: 2021-09-22 | Files: 1 | Lines: -4/+1

  Create a constructor for the prog.Call type. It allows to reduce the duplication of code now and during further changes.
* pkg/compiler: add glob type
  Author: Joey Jiaojg | Age: 2021-05-26 | Files: 1 | Lines: -0/+2

  * all: add new typename dirname

    The current way to check files under sysfs or proc is:
    - define a string to represent each file
    - open the file
    - pass the fd to write / read / close

    The issues above are:
    - Need to know what file present on target device
    - Need to write openat for each file

    With dirname added, which will open one file in the directory randomly and then pass the fd to write/read/close.

  * all: use typename glob to match filename

  Fixes #481
* pkg/ifuzz: invert ifuzz and ifuzzimpl
  Author: Dmitry Vyukov | Age: 2020-11-21 | Files: 1 | Lines: -7/+4

  ifuzzimpl imports the public interface package ifuzz and prog package needs to import ifuzzimpl (implementation guts that nobody outside of ifuzz should care about). This is not right.

  Invert everything so that prog package only needs to import ifuzz and ifuzz imports ifuzzimpl.
* pkg/ifuzz/powerpc: add powerpc support
  Author: Alexey Kardashevskiy | Age: 2020-11-20 | Files: 1 | Lines: -1/+8

  This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds placeholder for options (none implemented yet).

  This adds instruction generator for ifuzz; this also adds a few pseudo instructions to simulate super/hyper/ultracalls (a PPC64/pseries platform thing).

  The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by a horrendous python3 script on top of pdftotext. The ISA covers POWER9 which is the latest available POWER CPU at the moment. The next ISA for POWER10 is quite different and we will deal with it later.

  The // comment after every instruction is a fixed opcode list for verification purposes.

  This does not define DecodeExt as there is no obvious replacement of the Intel XED library for POWERPC (gapstone-capstone, later, may be).

  [1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0

  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/ifuzz: reorganize files to allow other architectures
  Author: Alexey Kardashevskiy | Age: 2020-11-20 | Files: 1 | Lines: -5/+12

  At the moment ifuzz only generates x86 instructions. In order to support instruction fuzzing for others (ARM, POWERPC), some separation of the common and arch layers is needed.

  This adds 2 packages:
  1. "x86" where x86 instruction generator goes to
  2. "ifuzzimpl" which contains some common code.

  The goal was to keep changes to the rand.go to the minimum.

  The next patch will use this when adding PPC64.

  This should cause no behavioural change.

  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* prog: add safety check in randGen.flags
  Author: Dmitry Vyukov | Age: 2020-11-13 | Files: 1 | Lines: -1/+3

  This loop used to hang infinitely occasionally when all values are 0s. The previous commit makes compiler not generate such flags, but also add a check here to be on the safer side (we don't have a local check for values and the failure mode was very obscure).
* prog: prune recursion for resourceCentric/createResource
  Author: Dmitry Vyukov | Age: 2020-08-23 | Files: 1 | Lines: -20/+22

  Currently we only prune recursion for createResource. But createResource can still recurse into resourceCentric, this can produce huge programs and may be very slow (esp. if we already in createResource doing failing attempts).

  With this change:
  $ CI=yes go test -run TestMutateCorpus -count=2 ./prog
  passes in ~3 seconds. If I comment out inGenerateResource logic, it times out after 100 seconds. So this can indeed have significant effect on generation/mutation performance.
* pkg, prog: add per-field direction attribute
  Author: Necip Fazil Yildiran | Age: 2020-08-13 | Files: 1 | Lines: -3/+3
* prog/alloc: align address allocation for aligned[addr]
  Author: Albert van der Linde | Age: 2020-07-14 | Files: 1 | Lines: -1/+1

  Calls to alloc didn't respect the alignment attribute. Now Type.Alignment() is used to ensure each type is correctly aligned.

  Existing descriptions with [align[X]] don't have an issue as they align to small blocks and default align is to 64 bytes. This commit adds support for [align[X]] for an X larger than 64.
* all: don't compare string len with 0
  Author: Dmitry Vyukov | Age: 2020-07-04 | Files: 1 | Lines: -2/+2

  For strings it's more readable to compare the string itself with "", instead of comparing len with 0. Fix all such cases.

  Update #1876
* ppc64: Increase page size
  Author: Alexey Kardashevskiy | Age: 2020-06-12 | Files: 1 | Lines: -1/+1

  The default configuration on PPC64 uses 64K system page size. Having it 4K was not a problem until recently when 365fba2440cee3aed74c77 "executor: surround the data mapping with PROT_NONE pages" added surrounding mappings not aligned to the actual system page size.

  This changes the page size for ppc64 to 64K and introduces the upper limit to randPageCount() as we have the hard coded limit of 16MB.

  In the unlikely event of a PPC64 system with 4K pages, we will end up allocating less pages which is not great but acceptable.

  This avoids using os.Getpagesize() as the page size on a building host may be different than on the test machine so we always use the bigger size for simplicity.

  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* prog: remove target.StringDictionary
  Author: Dmitry Vyukov | Age: 2020-06-07 | Files: 1 | Lines: -8/+2

  The linux string dictionary comes from extremely old times when we did not have proper descriptions for almost anything, and the dictionary was a quick hack to guess at least some special strings. Now we have way better descriptions and the dictionary became both unnecessary and probably even harmful.
* .golangci.yml: make goconst checker more strict
  Author: Dmitry Vyukov | Age: 2020-06-07 | Files: 1 | Lines: -5/+3
* .golangci.yml: enable whitespace checker
  Author: Dmitry Vyukov | Age: 2020-06-05 | Files: 1 | Lines: -1/+0

  Points to bad empty lines very precisely.
* prog: fix determinism in resource creation
  Author: Dmitry Vyukov | Age: 2020-05-21 | Files: 1 | Lines: -0/+3

  We chose a non-deterministic resource in createResource due to map iteration order. This is caught by existing TestDeterminism, but just very infrequently.
* syz-fuzzer: add more checks for disabled syscalls
  Author: Dmitry Vyukov | Age: 2020-05-07 | Files: 1 | Lines: -1/+1

  We are seeing some panics that say that some disabled syscalls somehow get into corpus. I don't see where/how this can happen. Add a check to syz-fuzzer to panic whenever we execute a program with disabled syscall. Hopefully the panic stack will shed some light.

  Also add a check in manager as the last defence line so that bad programs don't get into the corpus.
* prog: use Ref as Arg type
  Author: Dmitry Vyukov | Age: 2020-05-05 | Files: 1 | Lines: -1/+1

  Use Ref in Arg instead of full Type interface. This reduces size of all args. In particular the most common ConstArg is reduced from 32 bytes to 16 and now does not contain any pointers (better for GC).

  Running syz-db bench on a beefy corpus:

  before:
  allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.704699958s
  allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.873792394s
  allocs 7262 MB (18 M), next GC 958 MB, sys heap 1279 MB, live allocs 479 MB (8 M), time 9.820479906s

  after:
  allocs 7163 MB (18 M), next GC 759 MB, sys heap 1023 MB, live allocs 379 MB (8 M), time 8.938939937s
  allocs 7163 MB (18 M), next GC 759 MB, sys heap 1087 MB, live allocs 379 MB (8 M), time 9.410243167s
  allocs 7163 MB (18 M), next GC 759 MB, sys heap 1023 MB, live allocs 379 MB (8 M), time 9.38225806s

  Max heap and live heap are reduced by 20%.

  Update #1580
* prog: refactor ANY to not fabricate new types
  Author: Dmitry Vyukov | Age: 2020-05-05 | Files: 1 | Lines: -1/+1

  Currently ANY implementation fabricates new types dynamically. This is something we don't do anywhere else, generally types come from compiler and all are static. Dynamic types will conflict with use of Ref in Arg optimization. Move ANY types creation into compiler.

  Update #1580
* prog: support disabled attribute
  Author: Dmitry Vyukov | Age: 2020-05-04 | Files: 1 | Lines: -16/+8

  Update #477
  Update #502
* prog: introduce Field type
  Author: Dmitry Vyukov | Age: 2020-05-02 | Files: 1 | Lines: -7/+8

  Remove FieldName from Type and add a separate Field type that holds field name. Use Field for struct fields, union options and syscalls arguments, only these really have names.

  Reduces size of sys/linux/gen/amd64.go from 5665583 to 5201321 (-8.2%).

  Allows to not create new type for squashed any pointer. But main advantages will follow, e.g. removing StructDesc, using TypeRef in Arg, etc.

  Update #1580
* prog: rename {PtrType,ArrayType}.Type to Elem
  Author: Dmitry Vyukov | Age: 2020-05-01 | Files: 1 | Lines: -4/+4

  Name "Type" is confusing when referring to pointer/array element type. Frequently there are too many Type/typ/typ1/t and typ.Type is not very informative. It _is_ a type, but what's usually more relevant is that it's an _element_ type. Let's leave type checking to compiler and give it a more meaningful name.
* prog: remove Dir from Type
  Author: Dmitry Vyukov | Age: 2020-05-01 | Files: 1 | Lines: -73/+72

  Having Dir in Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. It also prevents us from having the struct type as struct identity (because we can have up to 3 of them).

  Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before.

  Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).

  Update #1580
* prog: introduce call attributes
  Author: Dmitry Vyukov | Age: 2020-04-19 | Files: 1 | Lines: -0/+3

  Add common infrastructure for syscall attributes. Add few attributes we want, but they are not implemented for now (don't affect behavior, this will follow).