Commit message
Fill fake images with unique 4-byte values.
This allows hints mutation to easily guess magic numbers and checksums.
afs is not an image-based filesystem.
It accepts some server/cell as the source argument.
It's not an image-based filesystem.
Since syz_mount_image calls are no_generate we need to add at least some
empty seeds for all filesystems.
This will allow us to mutate the image size.
Fixes #3527
Update seeds to account for the new pseudo-syscall prototype and the new
compressed Base64 syntax. This reduces `syz-imagegen` seed image space
requirements from 127 MB to 43 MB (measured using `du -ch syz_mount_image_*`).
Note that some filesystems are pathological for deflate, e.g. for `f2fs`
seed image space has increased from 320 KB to 2.1 MB. This discrepancy
should not be observed in corpuses after performing various filesystem
operations and image mutations - the previous ad-hoc compression is
highly efficient for near-empty images, but once images are modified deflate
should surpass it.
Tools/versions used are as in google@0d24140 and google@356d821.
This test covers file truncation with path and file descriptor checks
handled in security/landlock/fs.c.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add the missing boolean argument for changing directory to
`syz_mount_image` calls which are not generated by `syz-imagegen`. Set
it to false to ensure behaviour is as before.
Now with the ability to change directory.
Regenerate on a VM which supports NTFS, using the same versions as
google/syzkaller@356d821720a2d24a4cc96f8c0b2b7a11c8882190.
Now including the ability to change directory. Using the same
tools/versions as google/syzkaller@0d2414047943397599e7cfc12d40f4582d008726.
N.B. in particular, NTFS3 will be updated in the next commit.
Regenerate on a VM which supports NTFS, using:
mkntfs libntfs-3g v2022.5.17
kernel v5.19.0
Regenerate using the following versions:
mkfs.f2fs 1.14.0 (2020-08-24)
mkfs.btrfs btrfs-progs v5.18.1
mkfs.fat 4.2 (2021-01-31)
mkexfatfs 1.3.0
mkfs.bfs util-linux 2.38
mkfs.xfs 5.19.0
mkfs.minix util-linux 2.38
mkfs.reiserfs 3.6.27
mkfs.jfs 1.1.15 (2011-03-04)
mkntfs libntfs-3g v2022.5.17
mke2fs 1.46.5 (2021-12-30)
mkfs.gfs2 3.4.1
mkfs.ocfs2 1.8.7
mkfs.cramfs util-linux 2.38
genromfs 0.5.2
mkfs.erofs 1.5
makefs 20190105-3
mkudffs udftools 2.3
mkfs.jffs2 mtd-utils 2.1.4
mkfs.nilfs2 nilfs-utils 2.2.8
mksquashfs squashfs-tools 4.5.1
genisoimage 1.1.11
NB: NTFS3 is not included here as my kernel does not seem to be compiled
with it.
No errors appear (except for failure to find NTFS3).
This commit also updates a comment in `imagegen.go` listing dependencies.
net/ipv4/ping_group_range sysctl grants access to ICMP sockets
to the specified user groups. But it needs to be set inside
of the net namespace (it's per-namespace).
We were setting it but in the init namespace only (which we don't use).
Set it after CLONE_NEWNET. This repairs testing of ICMP sockets.
Note: don't set it for setuid sandbox since it's "low privilege".
This test covers linking, renaming and exchanging (RENAME_EXCHANGE) checks
handled in security/landlock/fs.c.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
The 5.15 kernel got a new filesystem driver for ntfs called ntfs3. The old driver
is still in use so we do not delete it yet.
Generated test images are made with mkntfs v2021.8.22 (libntfs-3g) and
the ntfs3 version from 5.17-rc7. For some reason I did not manage to
generate images with "-s 256" due to some ntfs3 error. We can add those
later when we work out what is going on with those.
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
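
The copy-then-sanitize idea in the commit above, as an added example in C that is not syzkaller's syz_clone3: it snapshots the caller-supplied clone_args exactly once, rejects CLONE_VM without a stack, rebuilds the struct from an allow-list of flags, and only then issues clone3 (falling back to fork() on ENOSYS). The version-0 struct layout mirrors the kernel UAPI; the allow-list, the forced SIGCHLD exit signal and the exit-immediately-and-reap child are this example's design choices, not anything the commit specifies.

```c
#include <errno.h>
#include <linux/sched.h>   /* CLONE_* flag values from the kernel UAPI */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_clone3
#define SYS_clone3 435 /* clone3 has the same number on every architecture */
#endif

/* Layout of struct clone_args, version 0 (64 bytes), mirrored here so the
 * example does not depend on which UAPI header version is installed. */
struct clone3_args_v0 {
    uint64_t flags, pidfd, child_tid, parent_tid, exit_signal;
    uint64_t stack, stack_size, tls;
};

/* Flags a fuzzer may keep (assumed allow-list for this example). Everything
 * that shares our address space, signals or thread group, or that makes the
 * kernel write to fuzzer-chosen addresses, is dropped. */
#define ALLOWED_FLAGS (CLONE_FILES | CLONE_FS | CLONE_SYSVSEM | CLONE_IO | \
                       CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET | \
                       CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWIPC)

/* Copy the caller-controlled struct exactly once, so a concurrent writer cannot
 * change what is validated versus what is passed on, then rebuild it from the
 * snapshot. Returns 0, or -EINVAL for CLONE_VM with no stack (the child would
 * run on our stack and corrupt it), which is the case the commit describes. */
int sanitize_clone3_args(const struct clone3_args_v0 *untrusted,
                         struct clone3_args_v0 *out)
{
    struct clone3_args_v0 snap;
    memcpy(&snap, untrusted, sizeof(snap));      /* single snapshot */
    if ((snap.flags & CLONE_VM) && snap.stack == 0)
        return -EINVAL;
    memset(out, 0, sizeof(*out));
    out->flags = snap.flags & ALLOWED_FLAGS;      /* CLONE_VM/THREAD/... dropped */
    out->exit_signal = SIGCHLD;                   /* always reapable via wait() */
    /* pidfd, child_tid, parent_tid, stack, stack_size, tls stay 0 on purpose. */
    return 0;
}

/* Spawn from the sanitized copy, make the child exit at once and reap it
 * before returning, so however often the fuzzer calls this, at most one extra
 * process exists at a time: no fork bomb. Returns the child's pid or -errno;
 * falls back to fork() when the kernel has no clone3. */
long safe_clone3(const struct clone3_args_v0 *untrusted)
{
    struct clone3_args_v0 args;
    int err = sanitize_clone3_args(untrusted, &args);
    if (err)
        return err;
    long pid = syscall(SYS_clone3, &args, sizeof(args));
    if (pid < 0 && errno == ENOSYS)
        pid = fork();                             /* older kernel */
    if (pid < 0)
        return -errno;
    if (pid == 0)
        _exit(0);                                 /* child never runs fuzzer code */
    waitpid((pid_t)pid, NULL, 0);
    return pid;
}

int main(void)
{
    struct clone3_args_v0 bad = { .flags = CLONE_VM };                 /* no stack */
    struct clone3_args_v0 ok = { .flags = CLONE_THREAD | CLONE_FILES, .stack = 0x1000 };
    printf("CLONE_VM without stack -> %ld (expect -EINVAL)\n", safe_clone3(&bad));
    long pid = safe_clone3(&ok);                  /* CLONE_THREAD dropped, plain child */
    printf("sanitized clone3 -> child pid %ld\n", pid);
    return pid > 0 ? 0 : 1;
}
```

The snapshot is the whole point: validating `untrusted` in place and then passing `untrusted` to the kernel would let another fuzzer thread flip `flags` between the check and the syscall.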
Remove all uses of direction attributes on union fields
and use out_overlay attribute instead.
The attribute actually does what was the intention behind
use of direction attribute on unions.
Commit [1] upstream introduced a new way to reference BPF maps in eBPF
instructions. An array of BPF map fds is passed at program load time.
Instructions can then reference fds in this array instead of carrying
the fds directly. The goal is to allow BPF instructions to be immutable
after compilation.
Since we don't yet have a good way to reference indexes in an array, we
define a new type map_fd_id for that purpose, with indexes between 0 and
16 only.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).
This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
IR - enables MMU for instruction fetches
DR - enables MMU for data loads/stores
PR - "problem state", i.e. userspace (implies DR and IR)
PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS
normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Represent array[const[X, int8], N] as string["XX...X"].
This replaces potentially huge number of:
NONFAILING(*(uint8_t*)0x2000126c = 0);
NONFAILING(*(uint8_t*)0x2000126d = 0);
NONFAILING(*(uint8_t*)0x2000126e = 0);
with a single memcpy. In one reproducer we had 3991 such lines.
Also replace memcpy's with memset's when possible.
Update #1070
This test covers mount namespace manipulation forbidden in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover most types of access checks in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/ptrace.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/fs.c:check_access_path()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
This test helps cover security/landlock/fs.c:hook_sb_delete()
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
If rfkill is enabled by the fuzzer, wifi setup will fail.
Disable rfkill to initial state during setup.
We used to use our own netlink socket and then fail
on any errors. But commit "sys/linux: add ieee802154 descriptions"
made it possible to use fuzzer-provided socket,
and fuzzer can pass any invalid fd.
So don't fail on errors now.
Fixes #2444
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
- Add a test for BPF_PROG_TYPE_CGROUP_SYSCTL. This could be used as a
corpus.
- Remove an unnecessary file sys/linux/bpf_lsm.txt.const.
With fscrypt (a.k.a. ext4, f2fs, and ubifs encryption), several steps
are required to get to a properly set-up encrypted directory:
- Mount a filesystem that supports encryption.
- Call FS_IOC_ADD_ENCRYPTION_KEY on the mountpoint.
- Create a directory in the filesystem.
- Call FS_IOC_SET_ENCRYPTION_POLICY on the directory, specifying the
encryption key that was added earlier.
- Then actually create stuff in the directory.
It may be too hard for syzkaller to generate all these steps, which may
explain why syzbot isn't yet properly covering the fscrypt code; see
https://storage.googleapis.com/syzkaller/cover/ci-upstream-kasan-gce.html
which currently shows only 5% coverage of the fs/crypto/ directory.
Therefore add some test programs which do this setup on ext4 and f2fs.
Note that ubifs support can't be included yet because syzkaller doesn't
yet know how to mount a ubifs filesystem (which would likely require
using block2mtd, as ubifs uses MTD devices rather than block devices).
https://lore.kernel.org/linuxppc-dev/20190418100218.0a4afd51@mschwideX1/
The test triggers this bug:
[ 224.294341] ==================================================================
[ 224.294389] BUG: KASAN: stack-out-of-bounds in gup_pgd_range+0x124a/0x1398
[ 224.294405] Read of size 8 at addr 000003e002e8f3d8 by task gup_fast_regr-s/633
[ 224.294417]
[ 224.294431] CPU: 0 PID: 633 Comm: gup_fast_regr-s Not tainted 5.9.0-rc6 #1
[ 224.294443] Hardware name: IBM 8561 T01 701 (KVM/Linux)
[ 224.294454] Call Trace:
[ 224.294470] [<0000000047708384>] show_stack+0x174/0x220
[ 224.294488] [<000000004bbcfb9c>] dump_stack+0x274/0x2f8
[ 224.294506] [<0000000047f4e8e6>] print_address_description.constprop.0+0x5e/0x550
[ 224.294523] [<0000000047f4e4ea>] kasan_report+0x11a/0x168
[ 224.294538] [<0000000047e4a77a>] gup_pgd_range+0x124a/0x1398
[ 224.294554] [<0000000047e4cbea>] internal_get_user_pages_fast+0x212/0x460
[ 224.294571] [<0000000047e4cf10>] get_user_pages_fast+0x70/0xb0
[ 224.294588] [<0000000049886cee>] iov_iter_get_pages+0x2d6/0xdf0
[ 224.294605] [<000000004974aaca>] bio_iov_iter_get_pages+0x2ca/0x1088
[ 224.294623] [<0000000048210282>] iomap_dio_bio_actor+0x8e2/0x1118
[ 224.294638] [<0000000048210b64>] iomap_dio_actor+0xac/0x550
[ 224.294655] [<000000004820212a>] iomap_apply+0x21a/0x9d0
[ 224.294670] [<00000000482118ae>] iomap_dio_rw+0x7c6/0x11e8
[ 224.294689] [<0000000048374ca8>] ext4_file_read_iter+0x4b0/0x638
[ 224.294707] [<0000000047fd85ec>] new_sync_read+0x444/0x6d0
[ 224.294722] [<0000000047fde212>] vfs_read+0x2c2/0x4e0
[ 224.294737] [<0000000047fdf3ba>] ksys_read+0x16a/0x298
[ 224.294754] [<000000004bc37ee8>] system_call+0xdc/0x298
[ 224.294794]
[ 224.294800]
[ 224.294809] addr 000003e002e8f3d8 is located in stack of task gup_fast_regr-s/633 at offset 72 in frame:
[ 224.294827] gup_pgd_range+0x0/0x1398
[ 224.294837]
[ 224.294844] this frame has 3 objects:
[ 224.294854] [32, 40) 'pgd'
[ 224.294858] [64, 72) 'p4d'
[ 224.294867] [96, 104) 'pud'
[ 224.294874]
[ 224.294885] Memory state around the buggy address:
[ 224.294900] 000003e002e8f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294915] 000003e002e8f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294930] >000003e002e8f380: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3
[ 224.294943] ^
[ 224.294957] 000003e002e8f400: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294972] 000003e002e8f480: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00
[ 224.294984] ==================================================================
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
80211_setup_station is extended with frame injections and delays that
are arranged in such a way that the device successfully joins an
access point.
80211_scan is a new test that starts a channel scan and then injects a
beacon and a probe response.
These additions were tested manually and were observed to fulfill
their purpose.
This commit enables accurate generation of 802.11 frames for
injection. The descriptions only include frames/fields/elements that
are supported by mac80211.
Also, this commit includes fixes to tests that were affected by
modification of the existing descriptions.
The validity of the frames was verified by capturing the generated
packets and examining them in Wireshark.
1. A runtest that sets up an access point.
2. A runtest that configures a station.
3. A runtest that configures a mesh device.
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identified by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
And populate images with some files,
which should make both mounting and resulting dir more interesting.
Note: this adds 100MB of image files into the repo...
Maybe we need to think of some other way of storing these images...
Add flexible_inline_xattr, inode_checksum, inode_crtime, project_quota features.
tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts.
It's hard to scale this approach to more file systems
avoiding duplication and stupid errors while doing proper
error handling and parallelization.
Upgrade syz-imagegen to generate full test files and replace
the shell scripts.
f2fs -O=compression options is removed, it does not seem to be
supported by mkfs.f2fs, it always says:
Error: Wrong features
The shell script used it, but it seems that the way it passed
arguments (in a single '-quoted string) just made mkfs misparse
the arguments (use only the first one?) and so -O=compression
and most other arguments were simply ignored.
The previous commit did not get all intended changes.
Follow up to 2066
1. Use set -eu
2. Use consistent name of the generated files
3. Add "requires: manual"
4. Fix some option combinations that lead to errors
Follow up to 2066
Add several unit tests that mount different versions of btrfs images, and
the .sh file that generates these tests.