This is equivalent to errors=panic.
/dev/rnullb{} is the Rust implementation of the null block driver.
Syscall attributes are extended with a fsck command field which lets
file system mount definitions specify a fsck-like command to run. This
is required because all file systems have a custom fsck command
invocation style.
When uploading a compressed image asset to the dashboard, syz-manager
also runs the fsck command and logs its output over the dashapi.
The dashboard logs these fsck logs into the database.
This has been requested by fs maintainer Ted Tso who would like to
quickly understand whether a filesystem is corrupted or not before
looking at a reproducer in more detail. Ultimately, this could be used
as an early triage sign to determine whether a bug is obviously
critical.

All flags that are subsets of other flags were identified with the
following Bash script [1]. Only a small set of flags identified by the
script were rewritten to use nested flag definitions, after manually
checking if it makes sense (based on syzkaller context and man pages).
For example, msgget_flags was rewritten as follows:
-msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
+msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
According to the msgget(2) man page:
    Upon creation, the least significant bits of the argument msgflg
    define the permissions of the message queue. These permission bits
    have the same format and semantics as the permissions specified for
    the mode argument of open(2).
So it is correct to use open_mode directly in the definition of the
flags for msgget(2).

[1]
    #!/bin/bash
    # Matches flag definitions of the form "name = VALUE1, VALUE2, ...".
    regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"

    # Returns 0 if every element of the first array (passed by name) is
    # present in the second array, 1 otherwise.
    is_subset() {
        local -n subset=$1
        local -n superset=$2
        for element in "${subset[@]}"; do
            if [[ ! " ${superset[@]} " =~ " $element " ]]; then
                return 1
            fi
        done
        return 0
    }

    # Map from flag list name to its space-separated, sorted values.
    declare -A parsed_lines
    while IFS= read -r line; do
        if [[ ! "$line" =~ $regexp_flags ]]; then
            continue
        fi
        list_name="${BASH_REMATCH[1]}"
        values="${BASH_REMATCH[2]}"
        # Normalize the value list: strip spaces and sort the values.
        IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
        # Skip flags with too few values.
        if [ "${#values_array[@]}" -lt 3 ]; then
            continue
        fi
        # Skip the syz0, syz1, etc. lists.
        if [ "${values_array[0]}" = "\"syz0\"" ]; then
            continue
        fi
        parsed_lines["${list_name}"]="${values_array[@]}"
    done

    # Compare every pair of flag lists and report subsets and duplicates.
    for list_name in "${!parsed_lines[@]}"; do
        values_array=(${parsed_lines["$list_name"]})
        for other_list_name in "${!parsed_lines[@]}"; do
            other_values_array=(${parsed_lines["$other_list_name"]})
            if [ "$list_name" = "$other_list_name" ]; then
                continue
            fi
            if is_subset values_array other_values_array; then
                if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
                    echo "$list_name EQUALS $other_list_name"
                else
                    echo "$list_name is a SUBSET of $other_list_name"
                fi
            fi
        done
    done

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

Handle torvalds/linux@b62e71be2110 ("f2fs: support
errors=remount-ro|continue|panic mountoption")
`errors=panic` is not added because it will cause many false positives.
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
This is currently in linux-next; make sure it gets tested.
Signed-off-by: Christian Brauner <brauner@kernel.org>

This has been supported for a while but apparently was never added.
Signed-off-by: Christian Brauner <brauner@kernel.org>
NFS is not an image-based filesystem.

afs is not an image-based filesystem.
It accepts some server/cell as source argument.

Common options like ro/rw/sync/async can be used with any mount.
Add them to the options used by syz_mount_image.
These are now present in the syzbot kernel (see /proc/filesystems).
It's not an image-based filesystem.

In my runs these calls take 80-100ms, so increase it to 200ms.
This will allow us to mutate the image size.
Fixes #3527
`compressed_image`
Rather than accepting "segments", `syz_mount_image` now accepts a
compressed image. Since this is already a corpus-breaking change, also
rearrange the arguments so that the image is at the end. This makes it
easier to inspect what the other arguments are set to.
We need to increase the timeout associated with `syz_mount_image`, as
decompression and execution take a little longer. 5000ms should be very
generous.
This commit updates the descriptions and the `syz-imagegen` tool.
The executor, seed images, and asset saving will be updated in future commits.
Minimizing of large images is time-consuming and unlikely to reproduce
any errors. This commit therefore marks the `syz_mount_image`
pseudo-syscall as ineligible for minimization.
A test has also been added to `prog/minimization_test.go`.
It is quite unlikely that a valid image will be generated from scratch
for a `syz_mount_image` call. This commit marks the syscall as an
invalid target for generation, ensuring no time is wasted on this.
Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be succeeded by the corresponding change in directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.
The 5.15 kernel gets a new filesystem driver for ntfs called ntfs3. The old driver
is still in use so we do not delete it yet.
Generated test images are made with mkntfs v2021.8.22 (libntfs-3g) and
the ntfs3 version from 5.17-rc7. For some reason I did not manage to
generate images with "-s 256" due to some ntfs3 error. We can add those
later when we work out what is going on with those.

Cgroup mounts also accept a list of subsystem controllers.
These may be interesting to test, especially since they are marked as FS_USERNS_MOUNT.

I've moved the idmapped mount patchset into my for-next branch and plan
to send it for the v5.12 merge window in ~2.5 weeks. It comes with a
large xfstest but I would also like to get some syzkaller coverage.
With-help-from: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Simplify and align mount$tmpfs() with other mount variants.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
mount$tmpfs() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
mount$bind() is useful for Landlock fuzzing.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Refactor syz_mount_image() to support filesystems not requiring a
backing device and filesystem image (e.g. FUSE). To do that, we check for
the presence of the pointer to the array of struct fs_image_segment: if
missing, there is no need to set up the loop device and we can proceed
directly with the mount() syscall.
Add syz_mount_image$fuse() (specialization for FUSE) inside
sys/linux/fs_fuse.txt.

If a resource is never used as an input, it is not useful.
It's effectively the same as using an integer.
Detect such cases; they are quite confusing.
Fix all existing errors in descriptions.
This uncovered some interesting bugs as well,
e.g. use of a completely unrelated fd subtype after copy-paste
(while the resource that was supposed to be used there is completely unused).

Move additional call/prog timeouts to descriptions.
Due to this logic duplication the executor used 50ms
for syz_mount_image, while pkg/csource used 100ms.

String value enforcement broke a number of tests
where we use different values.
Be more strict as to what string values we use in tests.
Required to add tmpfs descriptions to test syz_mount_image.
Also special-casing AF_ALG algorithms as these are auto-generated.

syscalls