| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
./tools/syz-env bin/golangci-lint run ./... --fix
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even provided we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
|
| |
|
|
| |
They are shorter, more readable, and don't require temp vars.
|
| |
|
|
|
|
|
|
|
| |
Disable the syscall in descriptions rather than in the code.
This makes it more visible for users that it's disabled,
and makes it less special (will not need to move this logic to host).
Also change the condition in syz-sysgen to be more precise,
otherwise syz_execute_func becomes unused function.
|
| |
|
|
|
|
| |
These flags were identified using the same script as for sys/linux.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
| |
Cleanup obsolete names and regenerate consts on the latest OpenBSD
checkout.
SYS_ consts are no longer needed after #3836
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Ideally, we should properly support the already existing fix flag to
distinguish between fixing and checking, but for now at least let it
control whether structural changes are to be made.
Otherwise we get into trouble while hint-mutating syz_mount_image calls,
because we iterate over all call arguments and (possibly) remove them at
the same time. It leads to `bad group arg size %v, should be <= %v for
%#v type %#v` errors.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
The executor uses more file descriptors by now.
|
| |
|
|
|
|
| |
More info here:
https://marc.info/?l=openbsd-cvs&m=164028539524813&w=2
|
| |
|
|
|
|
|
| |
Yet another root only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=08745ec898fac9de9164bcc4d03bf62a078f56ab
|
| |
|
|
|
|
|
|
|
| |
It's a somewhat common mistake to write comments instead of directives:
#include <foo>
#define FOO BAR
because that's how it's done in C.
In preparation for warning about such cases remove all existing
comments that fake directives.
|
| | |
|
| |
|
|
| |
* sys/openbsd: add vnd descriptions
* sys/openbsd: sync wsmousecfg_flags
|
| |
|
|
|
|
| |
Commit empty files into generated packages,
so that the tree is buildable even w/o generated files
and Go tools continue to work.
|
| |
|
|
|
|
|
| |
Yet another root only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=39e86177b5ccebb26f3dd60ab2bf261d40e485d7
|
| |
|
|
|
| |
Do not fiddle with witness since we explicit values as part of the
kernel configuration in dashboard/config/openbsd.
|
| |
|
|
|
|
| |
There is no point in having flags when values are equal.
This can only mean a typo or other bug. Check for such cases
and fix 3 existing precedents.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
|
|
|
|
|
| |
sys/openbsd/init.go:58:36: Top level comment should end in a period
// kCoverFd in executor/executor.cc
^
sys/openbsd/init.go:60:38: Top level comment should end in a period
// kOutPipeFd in executor/executor.cc
^
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Yet another root only knob that can cause the syz-execprog process to
panic[1]. Greg is currently working on sanitizing sysctl integer knobs
in the OpenBSD kernel. This will improve the situation but preventing
fiddling with this knob is a good call anyway.
While here, restructure the code a bit making it easier to add sysctl
neutralizers.
[1] https://syzkaller.appspot.com/bug?id=40bcbbeb244998dfc4eeec90b8f8bce372882211
|
| |
|
|
|
|
| |
One of "no output from test machine" report causes[1].
[1] https://syzkaller.appspot.com/text?tag=ReproSyz&x=10b0c7d8900000
|
| |
|
|
|
|
|
|
|
|
| |
If a resource is never used as an input, it is not useful.
It's effectively the same as using an integer.
Detect such cases, they are quite confusing.
Fix all existing errors in descriptions.
This uncovered some interesting bugs as well,
e.g. use of a completely unrelated fd subtype after copy-paste
(while the resource that was supposed to be used there is completely unused).
|
| |
|
|
| |
In the hopes of lowering the cyclomatic complexity.
|
| | |
|
| |
|
|
|
|
|
| |
One of "no output from test machine" report causes[1]. Since it's a root
only knob, disallow fiddling with it for now.
[1] https://syzkaller.appspot.com/bug?id=a222a4193c0a9814e02fcc61b7343a5af04a7457
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Warn about:
var x int = foo
In most cases this can be expressed shorter as:
var x int
x := foo
x := int(foo)
Update #1876
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Disarms the latest reproducer[1] for the discovered "no output from test
machine" panic.
While here, tidy up and improve comments.
[1] https://syzkaller.appspot.com/bug?id=4c3b1ac22d6d7f1d9ebcad5469a28cb4562debda
|
| |
|
|
|
|
|
|
|
|
| |
The namelen argument must reflect the number of elements in the name
vector. Since it's a vector of integers, bytesize4 seems more
appropriate.
With help from by Dmitry[1].
[1] https://github.com/google/syzkaller/pull/1761#discussion_r430139775
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking in the generated descriptions files makes few things simpler,
but causes pain for pull requests: (1) PRs that touch descriptions
_always_ conflict, (2) PRs are large and harder to review,
(3) people sometimes forget to add auto-generated files.
The proposed way does not require us to hardcode lots of dependencies
in the Makefile (which is nice) and seem to work.
Let's see how it works.
The main contributor-visible consequence is that the auto-generated
files do not need to be checked-in now.
Credit for figuring the Makefile magic goes to @melver.
Fixes #1291
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add prog.Ref Type that serves as a proxy for real types
and allows to deduplicate Types in generated descriptions.
The Ref type is effectively an index in an array of types.
Just before serialization pkg/compiler replaces real types
with the Ref types and prepares corresponding array of real types.
When a Target is registered in prog package, we do the opposite
operation and replace Ref's with the corresponding real types.
This brings improvements across the board:
compiler memory consumption is reduced by 15%,
test building time by 25%, descriptions size by 33%.
Before:
$ du -h sys/linux/gen
54M sys/linux/gen
$ time GOMAXPROCS=1 go test -p=1 -c ./prog
real 0m54.200s
real 0m53.883s
$ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog
real 0m27.911s
real 0m27.767s
$ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen
20.59 100% 3200016
20.97 100% 3445976
20.25 100% 3209684
After:
$ du -h sys/linux/gen
36M sys/linux/gen
$ time GOMAXPROCS=1 go test -p=1 -c ./prog
real 0m42.290s
real 0m43.230s
$ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog
real 0m24.337s
real 0m24.727s
$ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen
19.11 100% 2764952
19.66 100% 2787624
19.35 100% 2749376
Update #1580
|
| |
|
|
|
|
|
|
| |
* started with freebsd/vnet.txt
* pruned unsupported items
* gmake extract
* gmake generate_sys
* gmake fomat
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Introduce common infrastructure for describing and parsing attribute
instead of custom per-attribute code scattered across several locations.
Change align attribute syntax from the weird align_N to align[N].
This also allows to use literal constants as N.
Introduce notion of builtin constants.
Currently we have only PTR_SIZE, which is needed to replace
align_ptr with align[PTR_SIZE].
|
| |
|
|
|
|
|
|
|
|
|
| |
Surround the main data mapping with PROT_NONE pages to make virtual address layout more consistent
across different configurations (static/non-static build) and C repros.
One observed case before: executor had a mapping above the data mapping (output region),
while C repros did not have that mapping above, as the result in one case VMA had next link,
while in the other it didn't and it caused a bug to not reproduce with the C repro.
The bug that reproduces only with the mapping above:
https://lkml.org/lkml/2020/4/17/819
|
| |
|
|
|
|
|
|
|
|
|
| |
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's just some arbitrary mmap,
but rather mapping of the data segment.
|
| |
|
|
|
|
|
| |
Turns out the mmap protection get out of sync
between executor and C reproducers.
C reproducers missed PROT_EXEC.
Add PROT_EXEC for linux, freebsd and akaros.
|
| |
|
|
|
| |
1. Allow to not provide Out if it's the same as In.
2. Always check Out.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
|
| |
|
|
|
| |
sys/{linux,openbsd} duplicate deserialization test logic as well.
Export and reuse the existing helper function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we have:
ioctl(fd fd, cmd int32)
ioctl$FOO(fd fd, cmd const[FOO])
Currently we assume that cmd size in ioctl$FOO is sizeof(void*).
However, we know that in ioctl it's specified as int32,
so we can infer that the actual syscall size is 4.
This massively reduces sizes of socket/setsockopt/getsockopt/ioctl
and some other syscalls, which is good because we now use physical
size in mutation/hints and some other places.
This will also enable not morphing ioctl's into other ioctl's.
Update #477
Update #502
|
| |
|
|
|
|
|
|
|
|
| |
This is one of the root causes of the 'no output from test machine'
panic. Issuing a DIOCKILLSTATES ioctl on a /dev/pf file descriptor will
cause state associated with ongoing connections to be purged;
effectively killing the ssh connection to the VM.
Including net/pfvar.h is necessary in order to make use of the
DIOCKILLSTATES define.
|
| | |
|
| |
|
|
| |
Fixes #1604
|
| | |
|
