Commit message | Author | Age | Files | Lines
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even though we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
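The technique the commit above describes, as an added, self-contained example that is not syzkaller's own code: description records are gob-encoded, the stream is deflated so it can be embedded as a blob, and the consumer inflates and decodes it at startup. The `Descriptions`, `Syscall` and `Field` types and the sample table are constructed stand-ins for the real description data.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/gob"
	"fmt"
	"log"
	"reflect"
)

// Field and Syscall are constructed stand-ins for syscall description
// records (not syzkaller's own types); they only need to be gob-encodable.
type Field struct {
	Name string
	Type string
	Size uint64
}

type Syscall struct {
	Name string
	NR   uint64
	Args []Field
}

// Descriptions groups the records for one OS/arch pair.
type Descriptions struct {
	OS       string
	Arch     string
	Syscalls []Syscall
}

// Encode gob-serializes descs and deflates the stream. The returned bytes
// are what would be embedded into the binary instead of generated Go source.
func Encode(descs *Descriptions) ([]byte, error) {
	var buf bytes.Buffer
	zw, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if err := gob.NewEncoder(zw).Encode(descs); err != nil {
		return nil, err
	}
	// Close flushes the final deflate block; without it the stream is truncated.
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Decode inflates data and gob-decodes it back into a Descriptions value.
func Decode(data []byte) (*Descriptions, error) {
	zr := flate.NewReader(bytes.NewReader(data))
	defer zr.Close()
	var descs Descriptions
	if err := gob.NewDecoder(zr).Decode(&descs); err != nil {
		return nil, err
	}
	return &descs, nil
}

// RawGobSize reports the uncompressed gob size, for comparison with Encode.
func RawGobSize(descs *Descriptions) (int, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(descs); err != nil {
		return 0, err
	}
	return buf.Len(), nil
}

// SampleDescriptions builds a constructed table with the repetition real
// descriptions have (many calls sharing the same argument shapes).
func SampleDescriptions(n int) *Descriptions {
	d := &Descriptions{OS: "linux", Arch: "amd64"}
	for i := 0; i < n; i++ {
		d.Syscalls = append(d.Syscalls, Syscall{
			Name: fmt.Sprintf("syscall_%d", i),
			NR:   uint64(i),
			Args: []Field{
				{Name: "fd", Type: "fd", Size: 4},
				{Name: "buf", Type: "ptr[in, array[int8]]", Size: 8},
				{Name: "len", Type: "len[buf]", Size: 8},
			},
		})
	}
	return d
}

func main() {
	d := SampleDescriptions(500)
	data, err := Encode(d)
	if err != nil {
		log.Fatal(err)
	}
	back, err := Decode(data)
	if err != nil {
		log.Fatal(err)
	}
	raw, _ := RawGobSize(d)
	fmt.Printf("gob %d bytes, gob+flate %d bytes, roundtrip ok: %v\n",
		raw, len(data), reflect.DeepEqual(d, back))
}
```

gob only transmits non-zero fields and non-empty slices, so a type that relies on distinguishing an empty slice from a nil one will not round-trip identically; the sample avoids that by never emitting empty `Args`.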
Yet another root-only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=08745ec898fac9de9164bcc4d03bf62a078f56ab
Yet another root-only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=39e86177b5ccebb26f3dd60ab2bf261d40e485d7
Do not fiddle with witness since we set explicit values as part of the
kernel configuration in dashboard/config/openbsd.
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to the possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
Yet another root-only knob that can cause the syz-execprog process to
panic[1]. Greg is currently working on sanitizing sysctl integer knobs
in the OpenBSD kernel. This will improve the situation but preventing
fiddling with this knob is a good call anyway.
While here, restructure the code a bit making it easier to add sysctl
neutralizers.
[1] https://syzkaller.appspot.com/bug?id=40bcbbeb244998dfc4eeec90b8f8bce372882211
One of "no output from test machine" report causes[1].
[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=10b0c7d8900000
One of "no output from test machine" report causes[1]. Since it's a
root-only knob, disallow fiddling with it for now.
[1] https://syzkaller.appspot.com/bug?id=a222a4193c0a9814e02fcc61b7343a5af04a7457
Disarms the latest reproducer[1] for the discovered "no output from test
machine" panic.
While here, tidy up and improve comments.
[1] https://syzkaller.appspot.com/bug?id=4c3b1ac22d6d7f1d9ebcad5469a28cb4562debda
1. Allow not providing Out if it's the same as In.
2. Always check Out.
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
sys/{linux,openbsd} duplicate deserialization test logic as well.
Export and reuse the existing helper function.
This is one of the root causes of the 'no output from test machine'
panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will
cause state associated with ongoing connections to be purged,
effectively killing the ssh connection to the VM.
Including net/pfvar.h is necessary in order to make use of the
DIOCKILLSTATES define.
Fixes #1604
Writing to the swap partition during fuzzing can lead to all kinds of
corruptions[1].
[1] https://syzkaller.appspot.com/bug?id=a2eca15e6e0be4be3ed1b0b2bab3332edc317b1c
The sanitizer fails to sanitize programs like the following:
setrlimit(0x10000000000002, &(0x7f0000000080))
... due to the presence of the most significant bit. Therefore mask off all
bits that cannot form a valid rlimit resource.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Locking down future mappings will most likely cause syz-executor to run
out of memory.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Do not allow the stack to grow beyond the initial soft limit chosen by
syz-executor. Otherwise, syz-executor will most likely not be able to
perform any more heap allocations since the majority of memory is
reserved for the stack.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
OpenBSD performs a strict validation of the RLIMIT_DATA soft limit
during memory allocation. Lowering the same limit could cause
syz-executor to run out of memory quickly. Therefore make sure to not go
lower than the default soft limit for the staff group.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
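The three setrlimit commits above (normalizing the resource argument, capping the RLIMIT_STACK soft limit, and keeping the RLIMIT_DATA soft limit from dropping) describe one neutralizer. The following is an added, self-contained Go example of that logic, not syzkaller's own code: `SetrlimitCall`, `Bounds` and the numeric bounds are constructed stand-ins, and the example assumes the kernel reads the resource argument as a 32-bit C int, so it truncates the value to the low 32 bits rather than applying whatever exact mask the commit uses (the page does not show it). The RLIMIT_* numbers are OpenBSD's from <sys/resource.h>.

```go
package main

import "fmt"

// OpenBSD resource numbers from <sys/resource.h>. The kernel declares the
// `which` argument of setrlimit(2) as a C int, so only the low 32 bits of
// the register value select the resource.
const (
	RLIMIT_CPU     = 0
	RLIMIT_FSIZE   = 1
	RLIMIT_DATA    = 2
	RLIMIT_STACK   = 3
	RLIMIT_CORE    = 4
	RLIMIT_RSS     = 5
	RLIMIT_MEMLOCK = 6
	RLIMIT_NPROC   = 7
	RLIMIT_NOFILE  = 8
	RLIM_NLIMITS   = 9
)

// Rlimit mirrors struct rlimit { rlim_t rlim_cur, rlim_max; }.
type Rlimit struct {
	Cur uint64
	Max uint64
}

// SetrlimitCall is a constructed stand-in for how a fuzzer might hold a
// generated setrlimit call: the raw 64-bit resource argument plus the
// rlimit it points to. It is not syzkaller's prog.Call.
type SetrlimitCall struct {
	Resource uint64
	Limit    Rlimit
}

// Bounds holds the limits the executor needs in order to keep running
// (hypothetical values; the commits derive them from the executor's own
// initial stack limit and the login class default for data size).
type Bounds struct {
	DataFloor uint64 // never let the RLIMIT_DATA soft limit drop below this
	StackCeil uint64 // never let the RLIMIT_STACK soft limit rise above this
}

// Neutralize rewrites c in place so the call cannot starve the executor of
// memory, and reports whether anything was changed.
func Neutralize(c *SetrlimitCall, b Bounds) bool {
	changed := false
	// Mirror the kernel's truncation before matching on the resource:
	// 0x10000000000002 is RLIMIT_DATA once the high bits are dropped.
	// Matching on the untruncated value misses it and lets the call through.
	res := uint64(uint32(c.Resource))
	if res != c.Resource {
		c.Resource = res
		changed = true
	}
	if res >= RLIM_NLIMITS {
		return changed // the kernel rejects it with EINVAL; nothing to protect
	}
	switch res {
	case RLIMIT_DATA:
		if c.Limit.Cur < b.DataFloor {
			c.Limit.Cur = b.DataFloor
			changed = true
		}
	case RLIMIT_STACK:
		if c.Limit.Cur > b.StackCeil {
			c.Limit.Cur = b.StackCeil
			changed = true
		}
	}
	// A soft limit above the hard limit is rejected by the kernel, so such a
	// call is left to fail rather than being widened further.
	return changed
}

func main() {
	b := Bounds{DataFloor: 1 << 30, StackCeil: 8 << 20}
	c := SetrlimitCall{Resource: 0x10000000000002, Limit: Rlimit{Cur: 4096, Max: 1 << 31}}
	changed := Neutralize(&c, b)
	fmt.Printf("changed=%v resource=%d cur=%d max=%d\n",
		changed, c.Resource, c.Limit.Cur, c.Limit.Max)
}
```

The general lesson for any syscall neutralizer is to compare against arguments the way the kernel will read them (width, signedness, masking) rather than against the raw generated value, otherwise every comparison can be bypassed by stray high bits.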
This is especially problematic for file descriptors referring to tty/pty
devices since it can cause the SSH connection to the VM to die.
The ambition here is to reduce the number of "lost connection/no output" failures
at the cost of limiting the coverage of chflags(2).
| |
Writing to the raw root disk could lead to all kinds of corruptions[1].
[1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
Prevent nodes that map to an already open kcov fd from being created since
they can corrupt the coverage buffer.
Partial revert of commit 04aed72692137822b809098c55401dd3493dd0f6 with some
tweaks and testing.