./tools/syz-env bin/golangci-lint run ./... --fix
|
They are shorter, more readable, and don't require temp vars.
|
Ideally, we should properly support the already existing fix flag to
distinguish between fixing and checking, but for now at least let it
control whether structural changes are to be made.
Otherwise we get into trouble while hint-mutating syz_mount_image calls,
because we iterate over all call arguments and (possibly) remove them at
the same time. It leads to `bad group arg size %v, should be <= %v for
%#v type %#v` errors.
|
The executor uses more file descriptors by now.
|
Yet another root-only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=08745ec898fac9de9164bcc4d03bf62a078f56ab
|
Yet another root-only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=39e86177b5ccebb26f3dd60ab2bf261d40e485d7
|
Do not fiddle with witness since we explicit values as part of the
kernel configuration in dashboard/config/openbsd.
|
```
sys/openbsd/init.go:58:36: Top level comment should end in a period
// kCoverFd in executor/executor.cc
                                   ^
sys/openbsd/init.go:60:38: Top level comment should end in a period
// kOutPipeFd in executor/executor.cc
                                     ^
```
|
Yet another root-only knob that can cause the syz-execprog process to
panic[1]. Greg is currently working on sanitizing sysctl integer knobs
in the OpenBSD kernel. This will improve the situation but preventing
fiddling with this knob is a good call anyway.
While here, restructure the code a bit making it easier to add sysctl
neutralizers.
[1] https://syzkaller.appspot.com/bug?id=40bcbbeb244998dfc4eeec90b8f8bce372882211
|
One of "no output from test machine" report causes[1].
[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=10b0c7d8900000
|
In the hopes of lowering the cyclomatic complexity.
|
One of "no output from test machine" report causes[1]. Since it's a root-only
knob, disallow fiddling with it for now.
[1] https://syzkaller.appspot.com/bug?id=a222a4193c0a9814e02fcc61b7343a5af04a7457
|
Warn about:
```
var x int = foo
```
In most cases this can be expressed shorter as:
```
var x int
x := foo
x := int(foo)
```
Update #1876
|
Disarms the latest reproducer[1] for the discovered "no output from test
machine" panic.
While here, tidy up and improve comments.
[1] https://syzkaller.appspot.com/bug?id=4c3b1ac22d6d7f1d9ebcad5469a28cb4562debda
|
Surround the main data mapping with PROT_NONE pages to make virtual address layout more consistent
across different configurations (static/non-static build) and C repros.
One observed case before: executor had a mapping above the data mapping (output region),
while C repros did not have that mapping above; as a result, in one case the VMA had a next link,
while in the other it didn't, and it caused a bug to not reproduce with the C repro.
The bug that reproduces only with the mapping above:
https://lkml.org/lkml/2020/4/17/819
|
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's not just some arbitrary mmap,
but rather a mapping of the data segment.
|
Turns out the mmap protection got out of sync
between executor and C reproducers.
C reproducers missed PROT_EXEC.
Add PROT_EXEC for linux, freebsd and akaros.
|
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
|
This is one of the root causes of the 'no output from test machine'
panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will
cause state associated with ongoing connections to be purged;
effectively killing the ssh connection to the VM.
Including net/pfvar.h is necessary in order to make use of the
DIOCKILLSTATES define.
|
Writing to the swap partition during fuzzing can lead to all kinds of
corruptions[1].
[1] https://syzkaller.appspot.com/bug?id=a2eca15e6e0be4be3ed1b0b2bab3332edc317b1c
|
The sanitizer fails to sanitize programs like the following:
```
setrlimit(0x10000000000002, &(0x7f0000000080))
```
... due to the presence of the most significant bit. Therefore mask off all
bits that cannot form a valid rlimit resource.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
|
Locking down future mappings will most likely cause syz-executor to run
out of memory.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
|
Do not allow the stack to grow beyond the initial soft limit chosen by
syz-executor. Otherwise, syz-executor will most likely not be able to
perform any more heap allocations since the majority of memory is
reserved for the stack.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
|
OpenBSD performs a strict validation of the RLIMIT_DATA soft limit
during memory allocation. Lowering the same limit could cause
syz-executor to run out of memory quickly. Therefore make sure to not go
lower than the default soft limit for the staff group.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
|
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
```
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
  syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
  syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
  syscall(SYS_getpid);
  return 0;
}
```
|
This is especially problematic for file descriptors referring to tty/pty
devices since it can cause the SSH connection to the VM to die.
The ambition here is to reduce the number of "lost connection/no output" failures
at the cost of limiting the coverage of chflags(2).
|
Writing to the raw root disk could lead to all kinds of corruptions[1].
[1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
|
Prevent nodes that map to an already open kcov fd from being created since
they can corrupt the coverage buffer.
Partial revert of commit 04aed72692137822b809098c55401dd3493dd0f6 with some
tweaks and testing.
|
This reverts commit 77c702cf1a02ef4bb695e9daa9339afb3cbd5d89.
A proper fix has instead been committed to OpenBSD[1].
[1] https://github.com/openbsd/src/commit/650b9bc3abafbd3178268c3cae5b7a240d7f32b7
|
Prevents corpus explosion with corrupted coverage data.
The two parallel runs of:
`doas ./syz-execprog -cover -coverfile /tmp/{fixed,unfixed} r.syz`
show markedly different coverage pictures:
unfixed:
```
2019/01/12 13:55:38 parsed 1 programs
2019/01/12 13:55:38 executed programs: 0
2019/01/12 13:55:38 call #0: signal 821, coverage 2438
2019/01/12 13:55:38 call #1: signal 243, coverage 1363
2019/01/12 13:55:38 call #2: signal 502, coverage 1993
2019/01/12 13:55:38 call #3: signal 15, coverage 44
2019/01/12 13:55:38 call #4: signal 335, coverage 8196
```
fixed:
```
2019/01/12 13:51:57 parsed 1 programs
2019/01/12 13:51:57 executed programs: 0
2019/01/12 13:51:57 call #0: signal 837, coverage 2491
2019/01/12 13:51:57 call #1: signal 241, coverage 1341
2019/01/12 13:51:57 call #2: signal 27, coverage 61
2019/01/12 13:51:57 call #3: signal 13, coverage 44
2019/01/12 13:51:57 call #4: signal 39, coverage 299
```
The contents of `r.syz` are
```
mknod(&(0x7f0000000180)='./file0\x00', 0x2006, 0x10000016e8)
r0 = open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2, 0x10, r0, 0x0, 0x0)
writev(0xffffffffffffffff, &(0x7f0000002480)=[{&(0x7f0000001480)="<junk>", 0x573}], 0x1)
lstat(&(0x7f0000000240)='./file0\x00', &(0x7f0000000000))
```
So, it's the final lstat which was getting that extra coverage. In
particular, the end of unfixed.4 has some 4734 values
0xffffffff00000000.
|
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
|
On OpenBSD, the vnode type for a device node of type S_IFMT is interpreted as
VBAD. Such vnodes often cause assertion failures inside the kernel, producing noisy
crashes. The goal of the OpenBSD specific SanitizeCall() is to prevent such
device nodes from being created. The S_IFMT constant is a mask covering all
possible device types, thus covering both character and block devices. Therefore
when the fuzzer generates a mknod{,at}() syscall with the S_IFMT type we cannot
know if the intent was to create a block or character device. Therefore
simplify the code to create a character device under such circumstances.
The observed failure is caused by the interaction between the OpenBSD specific
SanitizeCall() and the Unix one. The Unix sanitizer will not modify the mode
argument if it contains the S_IFMT mask. But on the second invocation when the
mode no longer contains S_IFMT it would modify it, causing a different program
to be produced. Therefore only delegate to the Unix sanitizer if the syscall is
not equal to mknod{,at}().
Regression introduced in commit b771b17e ("Add mandatory OpenBSD bits (#689)").
|
TestSerializeDeserializeRandom fails from time to time
because program is different after we serialize/deserialize it.
Turns out openbsd SanitizeCall is not idempotent.
Add a test for this and disable the logic for now.
|
all: add openbsd support
squash of the following commits:
* openbsd: add mandatory bits
* report: add OpenBSD support
* executor: skip building kvm on OpenBSD
* executor: add OpenBSD support
Linking against libutil is necessary due to usage of openpty(3).
* executor: fix typo in fail() message
* fixup! report: add OpenBSD support
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! report: add OpenBSD support
* gometalinter: skip sys/openbsd