path: root/sys/linux/fs_fuse.txt
Commit message | Author | Age | Files | Lines
* sys/linux: updated fuse fs specifications | Sablin Viacheslav | 2024-11-29 | 1 | -2/+69
* executor: don't pass uncompressed zlib size | Dmitry Vyukov | 2022-11-23 | 1 | -1/+1
  This will allow us to mutate the image size. Fixes #3527
* sys/linux: fix syz_mount_image$fuse signature | Dmitry Vyukov | 2022-11-23 | 1 | -1/+1
  Fuse does not need an image and we don't pass image size anyway. But we still pass/mutate an image. Moreover, with the no_generate attribute we can't call it at all since we don't have seeds. Fix that.
* sys/linux, tools/syz-imagegen: update `syz_mount_image` to use `compressed_image` | Hrutvik Kanabar | 2022-11-21 | 1 | -1/+1
  Rather than accepting "segments", `syz_mount_image` now accepts a compressed image. Since this is already a corpus-breaking change, also rearrange the arguments so that the image is at the end. This makes it easier to inspect what the other arguments are set to.
  We need to increase the timeout associated with `syz_mount_image`, as decompression and execution take a little longer. 5000ms should be very generous.
  This commit updates the descriptions and the `syz-imagegen` tool. The executor, seed images, and asset saving will be updated in future commits.
* sys/linux: fix invalid args in syz_mount_image tests | Aleksandr Nogikh | 2022-09-29 | 1 | -1/+1
* sys/linux: make `syz_mount_image` a `no_minimize` syscall | Hrutvik Kanabar | 2022-09-22 | 1 | -1/+1
  Minimizing of large images is time-consuming and unlikely to reproduce any errors. This commit therefore marks the `syz_mount_image` pseudo-syscall as ineligible for minimization. A test has also been added to `prog/minimization_test.go`.
* sys/linux: make `syz_mount_image` a `no_generate` syscall | Hrutvik Kanabar | 2022-09-22 | 1 | -1/+1
  It is quite unlikely that a valid image will be generated from scratch for a `syz_mount_image` call. This commit marks the syscall as an invalid target for generation, ensuring no time is wasted on this.
* sys/linux, tools/syz-imagegen: allow `syz_mount_image` to change directory | Hrutvik Kanabar | 2022-09-13 | 1 | -1/+1
  Add a boolean argument to the `syz_mount_image` pseudo-syscall. When this is true, `syz_mount_image` will change directory to the mountpoint after mounting the image passed.
  Experimentation suggests that to reproduce many non-`ext4` filesystem bugs, it is sufficient to mount the filesystem within an `ext4`-based VM and then change directory to the mountpoint before executing code. This change aims to increase the probability that a mount operation will be succeeded by the corresponding change in directory, and so increase the probability of finding non-`ext4` bugs.
  We also have to update the `syz-imagegen` tool. Now it generates seed `syz_mount_image` calls with change of directory enabled. The previous behaviour (i.e. no change of directory) will be recovered by use of existing corpuses and fuzzing the change-of-directory argument. The next commit will regenerate all `syz_mount_image` seeds.
* executor/common_linux.h: open target dir inside syz_mount_image() | Stefano Duo | 2020-08-14 | 1 | -0/+1
  Refactor syz_mount_image() to support filesystems not requiring a backing device and filesystem image (e.g. FUSE). To do that, we check for the presence of the pointer to the array of struct fs_image_segment: if missing, there is no need to set up the loop device and we can proceed directly with the mount() syscall. Add syz_mount_image$fuse() (specialization for FUSE) inside sys/linux/fs_fuse.txt.
* sys/linux/fs_fuse.txt: use bytelen instead of len | Stefano Duo | 2020-08-14 | 1 | -2/+2
  Use the type bytelen instead of len to express the length of the data structure being pointed to by the pointer passed to read$FUSE().
* executor/common_linux.h: add syz_fuse_handle_req() | Stefano Duo | 2020-08-14 | 1 | -2/+35
  At the moment syzkaller is able to respond to FUSE with a syntactically correct response using the specific write$FUSE_*() syscalls, but most of the time these responses are not related to the type of request that was received. With this pseudo-syscall we are able to provide the correct response type while still allowing the fuzzer to fuzz its content. This is done by requiring each type of response as an input parameter and then choosing the correct one based on the request opcode. Notice that the fuzzer is still free to mix write$FUSE_*() and syz_fuse_handle_req() syscalls, so it is not losing any degree of freedom.
  syz_fuse_handle_req() retrieves the FUSE request and resource fuse_unique internally (by performing a read() on the /dev/fuse file descriptor provided as input). For this reason, a new template argument has been added to fuse_out (renamed to _fuse_out) so that the unique field can be both an int64 (used by syz_fuse_handle_req()) and a fuse_unique resource (used by the write$FUSE_*() syscalls) without any code duplication.
* sys/linux/fs_fuse.txt: use expected flags for fuse_attr.mode | Stefano Duo | 2020-08-14 | 1 | -1/+1
  Instead of using a generic int32 for fuse_attr.mode, use the expected file mode flags.
* sys/linux/fs_fuse.txt: define FUSE request id as a resource | Stefano Duo | 2020-08-14 | 1 | -2/+14
  Currently fuse_in.unique and fuse_out.unique are not linked by any dependency chain. This causes the majority of the replies to the kernel to be dropped because they do not refer to a previously sent request. By defining them as a resource, we push the fuzzer in the right direction (i.e., try to respond using a previously issued unique value). The read syscall has been updated accordingly; it now expects and parses a fuse_in header and some additional data.
* sys/linux: rename fuse.txt to fs_fuse.txt | Andrey Konovalov | 2020-06-12 | 1 | -0/+268