| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
The problem is that there are no -m32 and -m64 options for gcc on arm64
and yet syzbot attemps to use them for tests that do C compilation.
We do already try to base the TestOS target on the GOOS/GOARCH target,
so let's try to go one step further -- also take all C flags from there.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On s390x, position independent code needs to be built with -fPIC or
-fPIE for pie executables.
How to reproduce on s390x
-------------------------
$ git clone https://github.com/google/syzkaller.git
$ cd syzkaller
$ make executor
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
make[1]: '.descriptions' is up to date.
mkdir -p ./bin/linux_s390x
gcc -o ./bin/linux_s390x/syz-executor executor/executor.cc \
-O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable \
-Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds \
-Wno-format-overflow -static-pie -DGOOS_linux=1 -DGOARCH_s390x=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"2159e4d29f58ffa1107fc2213dbc87185ff4498f\"
/usr/bin/ld: read-only segment has dynamic relocations
Signed-off-by: Alexander Egorenov <eaibmz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Ideally, we should properly support the already existing fix flag to
distinguish between fixing and checking, but for now at least let it
control whether structural changes are to be made.
Otherwise we get into trouble while hint-mutating syz_mount_image calls,
because we iterate over all call arguments and (possibly) remove them at
the same time. It leads to `bad group arg size %v, should be <= %v for
%#v type %#v` errors.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disable GCC warnings:
* stringop-overflow
* array-bounds
* format-overflow
These warnings generate false positives for C reproducers which cause
GCC to fail if -Werror is given.
This commit fixes the following false positives:
/root/test.c: In function ‘main’:
/root/test.c:88:50: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
88 | NONFAILING(*(uint8_t*)0x20000088 = 3);
/root/test.c:85:28: error: ‘memcpy’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
85 | NONFAILING(memcpy((void*)0x20000040, "\001\000\000\000\002\000\000\000\003\000\004\000\000\000\000\000\005\000\000\000\000\000\000\000", 24));
<stdin>:86:40: error: ‘%023llo’ directive writing 23 bytes into a region of size 0 [-Werror=format-overflow=]
<stdin>:43:123: note: in definition of macro ‘NONFAILING’
GCC stringop-overflow bug reports:
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88443
syzkaller group discussion:
- https://groups.google.com/g/syzkaller/c/PIEYPflPWhQ
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang doesn't fail if an unknown flag is specified w/o specifying -Werror
as well.
[syzkaller]# clang -x c++ - -o /dev/null -Wtada < test.c
warning: unknown warning option '-Wtada' [-Wunknown-warning-option]
1 warning generated.
[syzkaller]# echo $?
0
[syzkaller]# clang -x c++ - -o /dev/null -Wtada -Werror < test.c
error: unknown warning option '-Wtada' [-Werror,-Wunknown-warning-option]
[syzkaller]# echo $?
1
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| | |
|
| |
|
|
|
| |
Add memfd_create as a dependency to syz_mount_image and
syz_read_part_table.
|
| |
|
|
|
|
|
|
|
|
|
| |
Pseudo syscalls can (and most of the time) do invoke normal system
calls. However, when there's a risk that those calls might not be
present, syzkaller needs to take preventive actions - prepend the
corresponding defines. Otherwise syz-executor or C reproducers might
not compile on the host machine.
List those dependencies in sys/targets, check them during machine check
and add the corresponding defines during C source generation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make configs triggers the following race.
Always initialize the main target before initializing the alternative target,
otherwise they both read/modify CFlags.
==================
WARNING: DATA RACE
Write at 0x00c00027b700 by goroutine 102:
github.com/google/syzkaller/sys/targets.(*Target).setCompiler()
sys/targets/targets.go:749 +0x7c9
github.com/google/syzkaller/sys/targets.GetEx.func1()
sys/targets/targets.go:158 +0xb9
sync.(*Once).doSlow()
/usr/local/go/src/sync/once.go:68 +0x127
sync.(*Once).Do()
/usr/local/go/src/sync/once.go:59 +0x46
github.com/google/syzkaller/sys/targets.GetEx()
sys/targets/targets.go:155 +0x184
main.(*Context).setTarget()
tools/syz-kconf/kconf.go:360 +0x244
main.(*Context).generate()
tools/syz-kconf/kconf.go:171 +0x17e
main.main.func1()
tools/syz-kconf/kconf.go:97 +0x4e
Previous read at 0x00c00027b700 by goroutine 97:
runtime.slicecopy()
/usr/local/go/src/runtime/slice.go:284 +0x0
github.com/google/syzkaller/sys/targets.(*Target).lazyInit()
sys/targets/targets.go:796 +0x464
github.com/google/syzkaller/sys/targets.(*Target).lazyInit-fm()
sys/targets/targets.go:782 +0x39
sync.(*Once).doSlow()
/usr/local/go/src/sync/once.go:68 +0x127
sync.(*Once).Do()
/usr/local/go/src/sync/once.go:59 +0x46
github.com/google/syzkaller/sys/targets.GetEx()
sys/targets/targets.go:152 +0x127
main.(*Context).setTarget()
tools/syz-kconf/kconf.go:360 +0x244
main.(*Context).generate()
tools/syz-kconf/kconf.go:171 +0x17e
main.main.func1()
tools/syz-kconf/kconf.go:97 +0x4e
Goroutine 102 (running) created at:
main.main()
tools/syz-kconf/kconf.go:96 +0x1184
Goroutine 97 (running) created at:
main.main()
tools/syz-kconf/kconf.go:96 +0x1184
==================
|
| |
|
|
|
|
|
| |
clang does not handle -static-pie, so syz-executor does not get built.
Moreover, clang's FreeBSD driver does not properly support the creation
of static PIEs; for instance, it always links libc.a, which is not
compiled as PIC, instead of libc_pic.a. Until this is addressed
somehow, we have to keep ASLR disabled.
|
| |
|
|
|
| |
Create a constructor for the prog.Call type. It allows to reduce
the duplication of code now and during further changes.
|
| |
|
|
|
|
| |
In this case, executables are PIE by default and clang starts to compain
about "error: argument unused during compilation: '-static-pie'
[-Werror,-Wunused-command-line-argument]".
|
| |
|
|
|
|
|
|
|
|
|
| |
The -static-pie flag enables us to build static binaries with ASLR
support. Local testing demonstrated that enabling ASLR on syz-executor
eliminates (almost all?) memory corruptions and significantly reduces
the number of "no output from test machine" errors.
Enable ASLR by default for Linux and *BSD targets.
Replace -static-pie by -static when -static-pie is not supported.
Update cover report_test to properly handle ASLR binaries.
|
| |
|
|
| |
This error has been fixed by changing the DataOffset for darwin a while ago.
|
| |
|
|
|
|
|
|
| |
Using clang++ as CPP isn't supported by syzkaller. Note that g++ is a
symlink to clang++ on macOS. Install gcc from from homebrew instead.
Also removing -static, as macOS actively breaks and discourages this:
https://developer.apple.com/library/archive/qa/qa1118/_index.html
|
| | |
|
| | |
|
| |
|
|
| |
copy_file_range is also not defined in the syzbot host image.
|
| |
|
|
|
|
| |
Do not tamper character device creation when creating /dev/null .
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
| |
syzbot fails with:
error: use of undeclared identifier 'SYS___realpathat'
error: use of undeclared identifier 'SYS___realpathat'
|
| |
|
|
|
|
|
|
|
| |
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
|
|
|
| |
Use it to identify several POSIX shared memory system calls that are not
known to the syzbot host to avoid spurious test failures.
|
| |
|
|
|
|
|
| |
Everything in syzkaller is syz-something, it's pointless to add syz prefix
to everything and unnecessary increases clutter. Remove the prefix.
Also, rename ExecutorCmd in target to ExecutorBin to make it consistent
with mgrconfig and ExecprogBin/FuzzerBin.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
|
|
| |
Add GetEx function that allow to specify gcc/clang.
Update #2171
|
| |
|
|
|
|
|
| |
Use as data offset the address 0xfffff000 for s390x arch.
It is better for testing because it crosses the 4GB address space.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
| |
Use strings.Replace as 1.11 does not have ReplaceAll
and we will need this package in the dashboard code.
Update #2144
|
| |
|
|
|
|
|
|
| |
In ESA/S390 mode, the CPU is able to address only 31bit of
memory address space. GCC on s390x expects the flag -m31 instead
of -m32 for 32bit code.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| | |
|
| |
|
|
|
|
| |
freebsd/386 requires a non-default DataOffset value. Since it is
currently the only platform with this constraint, just add a special
case for that when initializing target parameters.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We set HostFuzzer for all test targets b/c in some contexts
they needed the same special behavior as real HostFuzzer targets
(e.g no checking enabled syscalls).
However, in some other contexts they don't the same special
behavior as real HostFuzzer targets. For example, pkg/ipc
does rate limiting for HostFuzzer and pkg/runtest don't run
C tests for HostFuzzer.
Add special case for test targets in pkg/host,
and don't set HostFuzzer for all test targets
(keep it for one target for better coverage).
|
| |
|
|
|
|
|
| |
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
|
| |
|
|
| |
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Introduce the new target flag 'LittleEndian' which specifies
of which endianness the target is.
* Introduce the new requires flag 'littleendian' for tests to
selectively enable/disable tests on either little-endian architectures
or big-endian ones.
* Disable KD unit test on s390x architecture because the test
works only on little-endian architecture.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
|
| |
mknod on netbsd can now also accept a resource for the last arg.
Fix that and add a test that will catch such things more reliably.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default configuration on PPC64 uses 64K system page size. Having it
4K was not a problem until recently when 365fba2440cee3aed74c77
"executor: surround the data mapping with PROT_NONE pages" added
surrounding mappings not aligned to the actual system page size.
This changes the page size for ppc64 to 64K and introduces the upper
limit to randPageCount() as we have the hard coded limit of 16MB.
If the unlikely event of a PPC64 system with 4K pages, we will end up
allocating less pages which is not great but acceptable.
This avoids using os.Getpagesize() as the page size on a building host
may be different than on the test machine so we always use the bigger
size for simplicity.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
|
|
| |
We should not skip the second check as well.
|
| |
|
|
|
|
|
|
| |
Since we now have SOURCEDIR_{FUCHSIA,AKAROS,NETBSD} exported in the
syz-big-env docker image, this will make CI fail for broken cross-builds too.
Update instructions in the docker image to fix the current problem
with permissions in syz-big-env: we need to tar with --mode=go=u.
|
| |
|
|
|
|
|
|
|
| |
* sys/targets: use a different SYZ_DATA_OFFSET for 32-bit FreeBSD
It seems that the value used on all platforms (512 << 20) does
not work on 32-bit FreeBSD when using the clang tools.
Try (256 << 20) instead.
* sys/targets: add comment why a non-default value is needed
|
| |
|
|
|
|
| |
This commit modifies the fuchsia cflags to use the short version of
the «target» flag. The previous code seemed to be broken due to lacking
an `=` after the flag name using the long version.
|
| |
|
|
|
| |
At some point it was enabled, but then somehow got disabled.
Re-enable and fix some regressions.
|
| |
|
|
|
|
|
|
| |
On top of syz-env it provides akaros/fuchsia/netbsd toolchains and gcloud sdk.
With this it's possible to run dashboard/app tests on CI and locally
and test executor build and pkg/{csource,cover} for these OSes.
Update #1765
|
| | |
|
| |
|
|
|
| |
cdc5f8a23e5e370d0fa7867ff2a2f54cb8caeef9 accidentially changed
this condition to a wrong one. Change it back.
|
| |
|
|
|
|
|
|
| |
Support SOURCEDIR_GOOS env vars as an alternative to SOURCEDIR.
SOURCEDIR_GOOS takes precedence.
This allows to test several OSes at the same time.
Update #1765
|
| |
|
|
|
|
|
|
|
| |
Test various combinations of no debug info,
no coverage instrumentation, no PCs, bad PCs, good PCs,
and what errors we produce for these.
Also implement support for cross-arch reports:
prefix objdump with cross-compile prefix
(e.g. aarch64-linux-gnu-objdump instead of objdump).
|
