
Now that images are not linux-specific,
we can move all image-related logic directly into the prog package
and significantly simplify the logic.

Move image compression-related function to a separate package.
In preparation for subsequent changes that make decompression
more complex. Prog package is already large and complex.
Also makes running compression tests/benchmarks much faster.

MADV_COLLAPSE was added to Linux in 6.1.

NFS is not an image-based filesystem.

afs is not an image-based filesystem.
It accepts some server/cell as source argument.

Common options like ro/rw/sync/async can be used with any mount.
Add them to the options used by syz_mount_image.

These are now present in the syzbot kernel (see /proc/filesystems).

It's not an image-based filesystem.

Currently we uncompress all images in Deserialize to check that the data is valid.
As a result, deserializing all the seeds we have takes ~40 seconds of real time
and ~125 seconds of CPU time. And we do this during every syz-manager start.
Don't materialize the uncompressed image.
This reduces real time to ~15 seconds and CPU time to 18 seconds (no garbage collections).
In syz-manager the benefit is even larger since garbage collections take longer (larger heap).

Since syz_mount_image calls are no_generate we need to add at least some
empty seeds for all filesystems.

This ioctl accepts blkpg_partition struct:
https://elixir.bootlin.com/linux/v6.1-rc6/source/block/ioctl.c#L20

In my runs these calls take 80-100ms, so increase it to 200ms.

This will allow us to mutate the image size.
Fixes #3527

Fuse does not need an image and we don't pass image size anyway.
But we still pass/mutate an image.
Moreover, with the no_generate attribute we can't call it at all
since we don't have seeds.
Fix that.

It is an external test. It uses only exported "linux" package functions.

Update seeds to account for the new pseudo-syscall prototype and the new
compressed Base64 syntax. This reduces `syz-imagegen` seed image space
requirements from 127 MB to 43 MB (measured using `du -ch syz_mount_image_*`).
Note that some filesystems are pathological for deflate, e.g. for `f2fs`
seed image space has increased from 320 KB to 2.1 MB. This discrepancy
should not be observed in corpuses after performing various filesystem
operations and image mutations - the previous ad-hoc compression is
highly efficient for near-empty images, but once images are modified deflate
should surpass it.
Tools/versions used are as in google@0d24140 and google@356d821.

Asset storage is now significantly simpler: we just take the
Base64-encoded, compressed image and output it to a file. There is a
slight overhead in that we decompress from the `zlib` format and
re-compress to the `gzip` format.
This commit removes most of the logic from `init_images.go`,
and therefore most of the tests from `init_images_test.go`.
We could instead keep this logic around and use it to adapt old-style
`syz_mount_image` calls in existing corpuses to match the new format.

`compressed_image`
Rather than accepting "segments", `syz_mount_image` now accepts a
compressed image. Since this is already a corpus-breaking change, also
rearrange the arguments so that the image is at the end. This makes it
easier to inspect what the other arguments are set to.
We need to increase the timeout associated with `syz_mount_image`, as
decompression and execution take a little longer. 5000ms should be very
generous.
This commit updates the descriptions and the `syz-imagegen` tool.
The executor, seed images, and asset saving will be updated in future commits.

Add NFC netlink descriptions and improve socket descriptions a bit.

Update const files on next-20221031.

unmap has its own set of flags that trigger interesting behavior.
map needs to take in a user_va or it will not succeed in many cases.

This is a complex nested structure that syzkaller doesn't actually need
to care about the output for. However it better matches the kernel if
we describe it in a similar way. The goal is to make the buffer large
enough for the call to succeed.

Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>

This was removed from the upstream kernel in:
torvalds/linux@1202cdd665315c525b5237e96e0bedc76d7e754f

Signed-off-by: Lin Ma <linma@zju.edu.cn>

Update ext4 ioctls. Add EXT4_IOC_GETFSUUID/EXT4_IOC_SETFSUUID
ioctls which were added upstream in d95efb14c0b8 ("ext4: add ioctls to
get/set the ext4 superblock uuid").
In the current code `fsu_flags` is always 0 and `fsu_len` is either 0
or UUID_SIZE.
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>

This test covers file truncation with path and file descriptor checks
handled in security/landlock/fs.c.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Add the new LANDLOCK_ACCESS_FS_TRUNCATE flag for the file truncation
handling.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>

Ideally, we should properly support the already existing fix flag to
distinguish between fixing and checking, but for now at least let it
control whether structural changes are to be made.
Otherwise we get into trouble while hint-mutating syz_mount_image calls,
because we iterate over all call arguments and (possibly) remove them at
the same time. It leads to `bad group arg size %v, should be <= %v for
%#v type %#v` errors.

To simplify the extraction code, let's make segments non-overlapping
even before execution.

It will simplify the C code and let us extract the raw images in a more
convenient way.

Minimization of large images is time-consuming and unlikely to reproduce
any errors. This commit therefore marks the `syz_mount_image`
pseudo-syscall as ineligible for minimization.
A test has also been added to `prog/minimization_test.go`.

It is quite unlikely that a valid image will be generated from scratch
for a `syz_mount_image` call. This commit marks the syscall as an
invalid target for generation, ensuring no time is wasted on this.

Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will be tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, set up a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child, transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>

Add the missing boolean argument for changing directory to
`syz_mount_image` calls which are not generated by `syz-imagegen`. Set
it to false to ensure behaviour is as before.

Now with the ability to change directory.
Regenerate on a VM which supports NTFS, using the same versions as
google/syzkaller@356d821720a2d24a4cc96f8c0b2b7a11c8882190.

Now including the ability to change directory. Using the same
tools/versions as google/syzkaller@0d2414047943397599e7cfc12d40f4582d008726.
N.B. in particular, NTFS3 will be updated in the next commit.

Add a boolean argument to the `syz_mount_image` pseudo-syscall. When
this is true, `syz_mount_image` will change directory to the mountpoint
after mounting the image passed.
Experimentation suggests that to reproduce many non-`ext4` filesystem
bugs, it is sufficient to mount the filesystem within an `ext4`-based VM
and then change directory to the mountpoint before executing code.
This change aims to increase the probability that a mount operation will
be succeeded by the corresponding change in directory, and so increase
the probability of finding non-`ext4` bugs.
We also have to update the `syz-imagegen` tool. Now it generates seed
`syz_mount_image` calls with change of directory enabled. The previous
behaviour (i.e. no change of directory) will be recovered by use of
existing corpuses and fuzzing the change-of-directory argument.
The next commit will regenerate all `syz_mount_image` seeds.