| Commit message (Collapse) | Author | Age | Files | Lines |
Tests sometimes fail as:
--- FAIL: TestCreateResourceRotation (0.97s)
...
resources_test.go:181: testing call syz_io_uring_submit
resources_test.go:187: failed to create resource fd_dir
FAIL
Almost always it's related to fd_dir resource.
The problem is with no_generate syscalls (we have lots of
no_generate mount syscalls that produce fd_dir).
Rotator considers them as legit resource ctors,
but the actual code in createResource does not.
As a result Rotator creates subsets of syscalls
where not all resources can be created.
The same problem affects TransitivelyEnabledCalls.
It may leave syscalls that require resources produced only
by no_generate syscalls. We won't be able to produce such
resources during fuzzing.
Split Syscall.outputResources into createResources
(can actually be used to create, excludes no_generate)
and usesResources, which includes no_generate syscalls.
Print a better message and print it when verbosity >= 1.
This will make it easier to diff any changes in enabled
syscalls caused by future code changes.
During resource argument generation, we used to randomly select one of
the matching resources. With so many descendants of fd, this becomes
quite inefficient and most of the time syzkaller fails to build correct
programs.
Give precise resource constructions priority. Experiment with other
resource types only in 1/3 of cases.
If trying to fuzz only bpf$PROG_LOAD, the executors fail with:
SYZFATAL: Manager.Check call failed: machine check failed: all
system calls are disabled
That is happening because it detects a dependency on fd_bpf_map via two
paths:
1. bpf_prog_t.fd_array is an optional pointer to an array of fd_bpf_map.
2. The bpf_insn union contains descriptions for two instructions,
bpf_insn_map_fd and bpf_insn_map_value, that reference fd_bpf_map.
Both of those cases point to optional uses of fd_bpf_map, but syzkaller
isn't able to recognize that today.
This commit addresses the first case, where a resource or one of the
types using it is explicitly marked as optional. Before this commit,
syzkaller was only able to recognize the case where the resource itself
is marked as optional. However, in the case of e.g. bpf_prog_t.fd_array,
it's the pointer to the array of fd_bpf_map that is marked optional.
To fix this, we propagate the optional bit when walking down the AST. We
then pass this propagated bit to the callback function via the context.
This change was tested on the above bpf$PROG_LOAD case 1, by removing
bpf_insn_map_fd and bpf_insn_map_value from the bpf(2) description to
avoid hitting case 2. Addressing case 2 will require more changes to the
same logic.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
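Added illustration of the optional-bit propagation this entry describes (example code, not syzkaller's): a hypothetical Node type stands in for the prog.Type tree, walk ORs the `opt` attribute down the tree, and collect reports fd_bpf_map as optional under the propagated rule and as required under the old resource-node-only rule. The tree is a constructed approximation of bpf$PROG_LOAD's argument; the fd_btf field is added only to give one required resource to contrast against, and the union case (case 2 above) is deliberately not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Node is a hypothetical, heavily simplified stand-in for a node of syzkaller's
// prog.Type tree; it is not syzkaller's real type.
type Node struct {
	Kind     string  // "struct", "ptr", "array", "resource", "int"
	Name     string  // field or resource name, for readability only
	Optional bool    // this node itself carries the `opt` attribute
	Elems    []*Node // pointee, array element, or struct fields
}

// walk visits every node depth-first, ORing the optional bit as it descends,
// so a resource nested under an optional pointer is reported as optional.
func walk(n *Node, inherited bool, fn func(n *Node, optional bool)) {
	inherited = inherited || n.Optional
	fn(n, inherited)
	for _, e := range n.Elems {
		walk(e, inherited, fn)
	}
}

// collect returns the sorted resources a call requires and those it may use
// optionally. With naive=true only the resource node's own flag is consulted
// (the pre-fix behaviour); otherwise the propagated bit is used.
// A resource that is required anywhere counts as required overall.
func collect(args []*Node, naive bool) (required, optional []string) {
	req, opt := map[string]bool{}, map[string]bool{}
	for _, a := range args {
		walk(a, false, func(n *Node, propagated bool) {
			if n.Kind != "resource" {
				return
			}
			isOpt := propagated
			if naive {
				isOpt = n.Optional
			}
			if isOpt {
				opt[n.Name] = true
			} else {
				req[n.Name] = true
			}
		})
	}
	for r := range req {
		delete(opt, r)
	}
	return sortedKeys(req), sortedKeys(opt)
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// bpfProgLoadArgs is a constructed approximation of bpf$PROG_LOAD's argument:
// a pointer to bpf_prog_t whose fd_array is an optional pointer to an array of
// fd_bpf_map. The fd_btf field is added only to give one required resource to
// contrast against; it is not taken from the real description.
func bpfProgLoadArgs() []*Node {
	progT := &Node{Kind: "struct", Name: "bpf_prog_t", Elems: []*Node{
		{Kind: "int", Name: "type"},
		{Kind: "ptr", Name: "insns", Elems: []*Node{
			{Kind: "array", Elems: []*Node{{Kind: "int", Name: "bpf_insn"}}},
		}},
		{Kind: "ptr", Name: "fd_array", Optional: true, Elems: []*Node{
			{Kind: "array", Elems: []*Node{{Kind: "resource", Name: "fd_bpf_map"}}},
		}},
		{Kind: "resource", Name: "fd_btf"},
	}}
	return []*Node{{Kind: "ptr", Name: "attr", Elems: []*Node{progT}}}
}

func main() {
	for _, naive := range []bool{true, false} {
		req, opt := collect(bpfProgLoadArgs(), naive)
		fmt.Printf("naive=%v required=%v optional=%v\n", naive, req, opt)
	}
}
```

With naive=true the collector demands fd_bpf_map, which is exactly what disables bpf$PROG_LOAD when no fd_bpf_map constructor is enabled; with the propagated bit only fd_btf remains required.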
Currently we loop up to 1000 times in randGen.createResource;
this is necessary because we can't guarantee that the generated syscall
will indeed contain the necessary resources. This is ugly.
Now that we have stricter constructors (no unions), with a few additional tweaks
we can guarantee that we generate the resource every time.
Generate at least 1 array element when in createResource.
Don't generate special empty pointers when in createResource.
Record only resource constructors in Syscall.outputResource;
this makes the rotation logic include at least 1 of them.
This is prog counter-part of the "pkg/compiler: require stricter resource constructors" commit.
This will allow callbacks to stop iteration early by
setting the ctx.Stop flag (as it works for ForeachArg).
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
Remove StructDesc, KeyedStruct, StructKey and all associated
logic/complexity in prog and pkg/compiler.
We can now handle recursion more generically with the Ref type,
and Dir/FieldName are not a part of the type anymore.
This makes StructType/UnionType simpler and more natural.
Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%).
Update #1580
Having Dir in Type is handy, but forces us to duplicate lots of types.
E.g. if a struct is referenced as both in and out, then we need to
have 2 copies and 2 copies of structs/types it includes.
It also prevents us from having the struct type as struct identity
(because we can have up to 3 of them).
Revert to the old way we used to do it: propagate Dir as we walk
syscall arguments. This moves lots of dir passing from pkg/compiler
to prog package.
Now Arg contains the dir, so once we build the tree, we can use dirs
as before.
Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).
Update #1580
Use a random subset of syscalls/corpus/coverage for each individual VM run.
Hypothesis is that this should allow the fuzzer to get more coverage and
find more bugs in a saturated state (stuck in a local optimum).
See the issue and comments for details.
Update #1348
When we build a list of resource constructors we iterate over and over through
all types in a syscall to find resource types. Speed it up by iterating only
once to build a list of constructors for each resource and then reuse it.
This significantly speeds up syz-execprog startup time on Raspberry Pi Zero.
Reformat, remove debug leftovers, fix comment style.
The fmt type allows converting integers and resources
to their string representation.
Currently a call that both accepts and creates a resource
self-justifies itself and thus is always enabled.
A good example is the accept call. Accepts are always self-enabled
and thus enable all other syscalls that work with the socket.
Calculate TransitivelyEnabledCalls in the opposite direction
to resolve this. Start with an empty set of enabled syscalls,
then enable syscalls that don't accept any resources,
then enable syscalls that accept resources created by the
previous batch of syscalls, and so on.
This prevents self-enablement of accept.
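Added example, not syzkaller's code, of the forward fixed-point computation this entry describes. It also covers the createResources/usesResources split from the top entry (a no_generate constructor must not make its resource available) and builds the resource-to-constructors index once, as the startup speedup entry does. The Syscall type and the six-call table are hypothetical and constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Syscall is a hypothetical, minimal stand-in for prog.Syscall, not the real type.
type Syscall struct {
	Name    string
	Inputs  []string // resources the call requires as arguments
	Creates []string // resources the call can really construct (createResources)
	Uses    []string // resources it only names as outputs, e.g. a no_generate mount (usesResources)
}

// transitivelyEnabled starts from an empty set and repeatedly admits every
// enabled call whose inputs are all created by already admitted calls, until
// nothing changes. A call that consumes and creates the same resource (accept)
// cannot admit itself, and only Creates, never Uses, makes a resource available.
func transitivelyEnabled(all []*Syscall, enabled map[string]bool) map[string]bool {
	// Index resource -> constructors once, instead of rescanning every call
	// for every resource lookup.
	ctors := map[string][]*Syscall{}
	for _, c := range all {
		if !enabled[c.Name] {
			continue
		}
		for _, r := range c.Creates {
			ctors[r] = append(ctors[r], c)
		}
	}
	result := map[string]bool{}
	available := func(r string) bool {
		for _, c := range ctors[r] {
			if result[c.Name] {
				return true
			}
		}
		return false
	}
	for changed := true; changed; {
		changed = false
		for _, c := range all {
			if result[c.Name] || !enabled[c.Name] {
				continue
			}
			ok := true
			for _, r := range c.Inputs {
				if !available(r) {
					ok = false
					break
				}
			}
			if ok {
				result[c.Name] = true
				changed = true
			}
		}
	}
	return result
}

// sampleTable is a constructed toy description, not syzkaller's real one.
func sampleTable() []*Syscall {
	return []*Syscall{
		{Name: "socket", Creates: []string{"sock"}},
		{Name: "accept", Inputs: []string{"sock"}, Creates: []string{"sock"}},
		{Name: "sendmsg", Inputs: []string{"sock"}},
		{Name: "open", Creates: []string{"fd_dir"}},
		{Name: "mount$nogen", Uses: []string{"fd_dir"}}, // no_generate: not a ctor
		{Name: "getdents", Inputs: []string{"fd_dir"}},
	}
}

func enableSet(names ...string) map[string]bool {
	m := map[string]bool{}
	for _, n := range names {
		m[n] = true
	}
	return m
}

// enabledNames returns the admitted call names in sorted order.
func enabledNames(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for n := range set {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

func main() {
	table := sampleTable()
	for _, sel := range [][]string{
		{"accept", "sendmsg"},               // accept cannot bootstrap itself
		{"socket", "accept", "sendmsg"},     // socket provides the first sock
		{"mount$nogen", "getdents"},         // no_generate ctor does not count
		{"open", "mount$nogen", "getdents"}, // open is a real fd_dir ctor
	} {
		fmt.Printf("%v -> %v\n", sel, enabledNames(transitivelyEnabled(table, enableSet(sel...))))
	}
}
```

The first selection yields nothing, which is the point of the direction flip; the third keeps mount$nogen (it needs no input) but drops getdents, since Uses alone never satisfies an input.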
120 columns looks like a reasonable limit
and requires few changes to existing code.
Update #538
In resources.go, haveGettime is false when SyscallMap["clock_gettime"]
is nil.
In this code, there's a branch that's entered only if haveGettime is false,
which appends SyscallMap["clock_gettime"] to resourceCtors. That is, it
appends nil to resourceCtors, then iterates through resourceCtors and
tries to dereference the .Name of each item, in this case, nil.Name.
This was causing a page fault on Fuchsia.
I'm not certain how the "standard" flow is supposed to work, since it
seems like any code that enters the `if cantCreate == "" && !haveGettime`
should fail... but, removing that section causes test failures, so let's
just enforce that SyscallMap["clock_gettime"] is non-nil.
If there's a better way to solve this, I'm open to suggestions.
Fix typos, non-canonical code, remove dead code, etc.
Squash complex structs into flat byte array and mutate this array
with generic blob mutations. This allows mutating what we currently
consider as paddings and adding/removing paddings from structs, etc.
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.