| Commit message | Author | Age | Files | Lines |
Now it no longer causes a segfault.
This reverts commit 0931f9bfa8eacf9840a2bd3f9def3cfb4349431e.
Now it no longer causes a segfault.
./tools/syz-env bin/golangci-lint run ./... --fix
ARM32 suffers from the same problem as ARM64 - the data offset may be
beyond the addressable memory range.
Cc #5986.
Cc #5770.
This is the standard way now.
Since our configuration permits multiple parameter value combinations,
explicitly check for the compiler and linker that were to be passed via
CC and LD, and replace that with LLVM=1 if they were clang and ld.lld
correspondingly.
Update syz-kconf to rely on pkg/build's exported functionality for
generating Linux kernel build arguments.
It is incorrect to consider VMArch here - if we are running a 32 bit app
on a 64 bit kernel, the 64 bit arch is not of interest here.
Also, VMArch is not set for every Target, which led to problems when
running arm64 fuzzing on an arm64 host.
Use 0x200000000000 to be within the address range used by Starnix.
It seems that, on ARM64, in many cases we just can't use enough bits of
the address space. Let's use the old value for now.
It's also problematic (see #5770), but it's the lesser of two evils.
After some time, my FreeBSD fuzzing runs start to hit frequent "coverage
filter is full" SYZFAILs, caused by garbage PC values. Some assertions
in kcov convinced me that PC values exported by the kernel are in the
expected range, so it appears that the executor is corrupting them
somehow. In particular, we leave the first page of each kcov mapping
writeable since the interface to clear the trace buffer involves
overwriting the first quadword.
Sanitize kernel PC values so that we don't fill up the coverage filter
with bogus values.
It turned out the currently used value hit the high shadow area on arm64
machines.
Closes #5762.
The current default value sometimes intersects with the addresses used
by malloc, which causes executor memory corruptions.
Closes #5674.
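Added example, not from this log or from syzkaller's own code: a Go check for the failure mode the DataOffset commits above describe (a data mapping that lands beyond the addressable range, on a sanitizer shadow band, or on top of the malloc arena). The VA width, region names and addresses are constructed for illustration and are not real kernel or sanitizer constants.

```go
package main

import "fmt"

// region is a half-open virtual address range [Start, End) that the
// executor's data mapping must not touch.
type region struct {
	Name       string
	Start, End uint64
}

// checkDataOffset validates a candidate executor data mapping
// [dataOffset, dataOffset+dataSize). It must fit under the user-space
// virtual address limit of vaBits bits and must not overlap any reserved
// region. It returns one message per problem; an empty slice means OK.
func checkDataOffset(dataOffset, dataSize uint64, vaBits uint, reserved []region) []string {
	var problems []string
	end := dataOffset + dataSize
	if end < dataOffset {
		// uint64 overflow: the mapping cannot exist at all.
		return []string{"data region wraps around the end of the address space"}
	}
	if vaBits < 64 {
		limit := uint64(1) << vaBits
		if end > limit {
			problems = append(problems, fmt.Sprintf(
				"data region end 0x%x exceeds %d-bit user VA limit 0x%x", end, vaBits, limit))
		}
	}
	for _, r := range reserved {
		// Half-open intervals overlap iff each one starts before the other ends.
		if dataOffset < r.End && r.Start < end {
			problems = append(problems, fmt.Sprintf(
				"data region [0x%x, 0x%x) overlaps %s [0x%x, 0x%x)",
				dataOffset, end, r.Name, r.Start, r.End))
		}
	}
	return problems
}

func main() {
	// Constructed sample layout (hypothetical values): a malloc arena near
	// a PIE binary and a sanitizer shadow band.
	reserved := []region{
		{"malloc arena (hypothetical)", 0x555555000000, 0x555560000000},
		{"shadow area (hypothetical)", 0x7fff7000, 0x10007fff8000},
	}
	for _, off := range []uint64{0x200000000000, 0x555558000000, 0x7000000000} {
		problems := checkDataOffset(off, 0x100000000, 47, reserved)
		fmt.Printf("DataOffset 0x%x: %v\n", off, problems)
	}
	// A 39-bit user VA (as on some arm64 page-table configurations) rejects
	// a high offset that a 47-bit layout accepts.
	fmt.Println(checkDataOffset(0x200000000000, 0x100000000, 39, nil))
}
```

The check is cheap enough to run at target initialization; the point is that the offset must be validated against the actual VA width and layout of the machine that will run the executor, not the host's.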
They are shorter, more readable, and don't require temp vars.
Depending on the cross compiler build configuration, it might not be
able to emit ARMv6 Thumb-1 instructions leading to "sorry,
unimplemented: Thumb-1 hard-float VFP ABI" error.
Currently, cross compiler names are hardcoded for each OS/arch combo.
However, toolchain tuples differ, especially when using vendor provided
toolchains or building with Yocto. Allow users to specify the cross
compiler for an OS/arch combo using SYZ_CC_<os>_<arch> environment
variables.
In some build environments (notably Yocto), syzkaller host and target
binaries end up in separate packages for each built architecture, which
are then shipped with the respective image/SDK.
Add the "Execprog/ExecutorBinOnTarget" and "StraceBinOnTarget" options
to the manager config, which when set expects the respective binaries to
be shipped with the target image and does not attempt to copy them from
the host.
We see some errors of the form:
SYZFAIL: coverage filter is full
pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
Executor shouldn't send non-kernel addresses in signal,
but somehow it does. It can happen if the VM memory is corrupted,
or if the test program does something very nasty (e.g. discovers
the output region and writes to it).
It's not possible to reliably filter signal in the tested VM.
Move all of the filtering logic to the host.
Fixes #4942
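Added example, not from this log or from the project: Go code for the host-side sanitization that this commit and the FreeBSD kcov commit above both call for. It keeps only PCs inside kernel text ranges, feeds the result into a toy fixed-capacity filter, and shows how the bogus pc value quoted above would otherwise consume filter capacity. The text window, trace contents and capacity are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// textRange is a half-open [Start, End) range of kernel text addresses;
// any legitimate coverage PC must fall inside one of these.
type textRange struct{ Start, End uint64 }

// coverFilter is a toy stand-in for a fixed-capacity coverage filter:
// once the capacity is used up, every further new PC is an error.
type coverFilter struct {
	seen     map[uint64]struct{}
	capacity int
}

var errFilterFull = errors.New("coverage filter is full")

func newCoverFilter(capacity int) *coverFilter {
	return &coverFilter{seen: make(map[uint64]struct{}), capacity: capacity}
}

// add records pc, returning errFilterFull when a new PC no longer fits.
func (f *coverFilter) add(pc uint64) error {
	if _, ok := f.seen[pc]; ok {
		return nil
	}
	if len(f.seen) >= f.capacity {
		return errFilterFull
	}
	f.seen[pc] = struct{}{}
	return nil
}

// inKernelText reports whether pc lies inside one of the text ranges.
func inKernelText(pc uint64, text []textRange) bool {
	for _, r := range text {
		if pc >= r.Start && pc < r.End {
			return true
		}
	}
	return false
}

// sanitizePCs drops every PC outside the kernel text ranges and returns
// the survivors plus the number dropped, so the caller can account for
// garbage instead of letting it consume filter capacity.
func sanitizePCs(pcs []uint64, text []textRange) (kept []uint64, dropped int) {
	for _, pc := range pcs {
		if inKernelText(pc, text) {
			kept = append(kept, pc)
		} else {
			dropped++
		}
	}
	return kept, dropped
}

// feedFilter adds PCs in order and returns how many were added before the
// first failure, together with that failure (nil if all were added).
func feedFilter(f *coverFilter, pcs []uint64) (int, error) {
	for i, pc := range pcs {
		if err := f.add(pc); err != nil {
			return i, err
		}
	}
	return len(pcs), nil
}

func main() {
	// Constructed kernel text window; in practice it comes from the symbol
	// table of the kernel under test.
	text := []textRange{{0xffffffff81000000, 0xffffffffa2000000}}
	// Constructed trace: two plausible kernel PCs, the bogus value quoted in
	// the commit message above, and a user-space address.
	trace := []uint64{0xffffffff81234560, 0x80007000c0008, 0x7ffd12345678, 0xffffffff81234580}

	n, err := feedFilter(newCoverFilter(2), trace)
	fmt.Printf("unsanitized: %d added, err=%v\n", n, err)

	kept, dropped := sanitizePCs(trace, text)
	n, err = feedFilter(newCoverFilter(2), kept)
	fmt.Printf("sanitized: dropped %d bogus, %d added, err=%v\n", dropped, n, err)
}
```

Counting dropped values matters as much as dropping them: a steadily rising drop count is the signal that the executor's output region is being corrupted, which the filter error on its own does not distinguish from legitimately exhausted capacity.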
Removes the SYZ_STARNIX_HACK envvar and runs syz-fuzzer
on the VM.
Co-authored-by: mvanotti@google.com
$ go test -v -count=1 -run=TestCover/32 ./pkg/runtest/
=== RUN TestCover
=== PAUSE TestCover
=== CONT TestCover
=== RUN TestCover/32
run_test.go:121: skipping due to broken compiler:
gcc: error: unrecognized command-line option ‘-m32’; did you mean ‘-m31’?
--- PASS: TestCover (0.21s)
--- SKIP: TestCover/32 (0.00s)
PASS
ok github.com/google/syzkaller/pkg/runtest 0.318s
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
Move the initialization of the target's BuildOS into initTarget()
function for TestOS because a correct value of BuildOS is required not to
falsely spoil native compiler binaries for TestOS and by that prevent
TestOS unit test from compiling.
$ go test -v -count=1 -run=TestCover/32 ./pkg/runtest/
=== RUN TestCover
=== PAUSE TestCover
=== CONT TestCover
=== RUN TestCover/32
=== PAUSE TestCover/32
=== CONT TestCover/32
build.go:39: failed to build executor: failed to build program:
compiler invocation: cant-build-test-on-linux
--- FAIL: TestCover (0.21s)
--- FAIL: TestCover/32 (0.00s)
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.325s
FAIL
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
Little-endian is kind of default (except for s390).
So instead of saying that each arch is little-endian,
mark only s390 as big-endian.
All OSes we have now support shmem.
Support for Fuchsia/Starnix/Windows wasn't implemented,
but generally they support shared memory.
Remove all of the complexity and code associated with noshmem mode.
If/when we revive these OSes, it's easier to properly
implement shmem mode for them.
Arm64 gcc on Debian refuses to build a program that includes <algorithm>.
Use C program for C compiler, and C++ program for C++ compiler.
debian:bookworm has broken C++ arm64->amd64 cross-compiler:
x86_64-linux-gnu-g++ -static-pie fails with:
cannot find /usr/lib/x86_64-linux-gnu/libm-2.36.a: No such file or directory
cannot find /usr/lib/x86_64-linux-gnu/libmvec.a: No such file or directory
collect2: error: ld returned 1 exit status
These are installed in a different dir in the image.
Test that C++ compiler works as well.
Let's see if we can get away with C++17 for all our toolchains.
The later the standard we can use, the better. C++17 has a number
of nice features, e.g. std::optional.
Lint started warning about duplicate "gvisor" const in pkg/cover.
Add gvisor/starnix consts to sys/targets package to avoid duplication.
Add C++ compiler and flags to the target
and build executor with the C++ compiler.
This will be needed to merge syz-fuzzer into syz-executor
since it will be beefier and will most likely require linking in libc++.
But also this should fix #4821 since we won't use C++ flags
when building C sources (we already had work-around in pkg/csource,
but not in syz-extract).
Fixes #4821
Akaros support is unused, it was shut down on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and hasn't supported Go. Remove it.
Use llvm-addr2line instead of addr2line if it's available.
llvm-addr2line seems to be way faster than llvm-addr2line
and consumes less memory on syzbot's vmlinux.
Also move the detection logic to sys/targets since that's
where we generally do this type of logic. This also allows
reusing the addr2line binary in other packages if needed.
It's missing syscall function yet TestOS requires it.
This is the first step for #1541.
Move the fuzzing engine that used to be interleaved with other syz-fuzzer
code into a separate package.
For now, the algorithm is more or less the same as it was, the only
difference is that a pkg/fuzzer instance scales to the available
computing power.
Add an executor-based test that performs real fuzzing.
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
This relies on sendsyslog in sys/syslog.h which will be in OpenBSD
HEAD soon.
This centralizes all strings.HasPrefix(callName, "syz_") checks.
Otherwise we may end up corrupting device memory.
See https://groups.google.com/g/syzkaller-netbsd-bugs/c/Iy8-NZ_M9Ug/m/5jKKfncsAQAJ
Use --target= to set the correct target on FreeBSD. This allows the
syscall details to be extracted on a non-native architecture.
The behavior of certain flags (in particular link-time ones) may depend
on the target triple and other compiler options, therefore it's
insufficient to test them in the default host configuration.
Collect all non-optional flags and pass them to checkFlagSupported(), so
that support for optional flags is always tested in the presence of the
non-optional ones.
This is going to fix the problem with Clang 15 not supporting
-static-pie on MIPS, but silently passing the checkFlagSupported()
check, because it used to be performed on x86_64.
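Added example, not the project's own checkFlagSupported: Go code that probes each optional flag together with all required flags rather than on its own. fakeMIPSClang is a hypothetical compiler model that rejects -static-pie only when the target triple is MIPS, so the demonstration runs offline; realCompile shows the shape of the actual invocation and is an assumption about how such a probe is typically done.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// compileFunc compiles a trivial translation unit with cc and args and
// returns a non-nil error if the compiler rejects the invocation.
type compileFunc func(cc string, args []string) error

// realCompile is the production hook: feed a minimal C program on stdin,
// discard the output, and treat a non-zero exit status as "unsupported".
func realCompile(cc string, args []string) error {
	full := append(append([]string{}, args...), "-x", "c", "-", "-o", "/dev/null")
	cmd := exec.Command(cc, full...)
	cmd.Stdin = strings.NewReader("int main(void) { return 0; }\n")
	return cmd.Run()
}

// checkFlagSupported probes one optional flag in the presence of every
// required flag, because link-time options in particular can behave
// differently once the target triple and other mandatory flags are set.
func checkFlagSupported(compile compileFunc, cc string, required []string, flag string) bool {
	args := append(append([]string{}, required...), flag)
	return compile(cc, args) == nil
}

// selectFlags returns the required flags followed by every optional flag
// the compiler accepted alongside them.
func selectFlags(compile compileFunc, cc string, required, optional []string) []string {
	flags := append([]string{}, required...)
	for _, f := range optional {
		if checkFlagSupported(compile, cc, required, f) {
			flags = append(flags, f)
		}
	}
	return flags
}

// fakeMIPSClang is a hypothetical compiler model for offline use: it
// accepts -static-pie for the host but rejects it for a MIPS target.
func fakeMIPSClang(cc string, args []string) error {
	mips, staticPIE := false, false
	for _, a := range args {
		if strings.HasPrefix(a, "--target=mips") {
			mips = true
		}
		if a == "-static-pie" {
			staticPIE = true
		}
	}
	if mips && staticPIE {
		return fmt.Errorf("%s: error: -static-pie is not supported on this target", cc)
	}
	return nil
}

func main() {
	optional := []string{"-static-pie", "-Wno-unused-command-line-argument"}
	// Probing in the host configuration alone accepts -static-pie...
	fmt.Println("host probe:", selectFlags(fakeMIPSClang, "clang", nil, optional))
	// ...but probing with the required MIPS triple present excludes it.
	mips := []string{"--target=mips64-linux-gnuabi64"}
	fmt.Println("mips probe:", selectFlags(fakeMIPSClang, "clang", mips, optional))
}
```

Swapping realCompile in for fakeMIPSClang turns this into a real probe; the important property is that the required flags are part of every probe, so a flag that only fails in combination cannot slip through.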
Clang enables -Wunused-command-line-argument by default, which may start
complaining if any of the options are unused.
New Clang versions have -Wunused-but-set-variable enabled by default,
which leads to test failures if loop variables are declared but never
used. Pass -Wno-unused-but-set-variable to the compiler to work around
this problem.
If a syz-ci is run on multiple arches, it's useful to be able to use the
same set of env variables. For this to become possible, make SOURCEDIR_
configuration more granular.
Earlier it was just SOURCEDIR or SOURCEDIR_{TargetOS}. Support also the
SOURCEDIR_{TargetOS}_{TargetArch}_{HostOS}_{HostArch} variable.
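Added example, not the project's own code, covering this commit and the SYZ_CC_<os>_<arch> commit above: a Go lookup that walks environment variable names from most to least specific and falls back to a hardcoded default. The upper-cased suffix spelling and the paths in the constructed environment are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// lookupFirst returns the first variable in names that getenv reports as
// set to a non-empty value. getenv is injected so production code passes
// os.LookupEnv while tests and the demo below pass a map-backed function.
func lookupFirst(getenv func(string) (string, bool), names []string) (name, value string, ok bool) {
	for _, n := range names {
		if v, found := getenv(n); found && v != "" {
			return n, v, true
		}
	}
	return "", "", false
}

// mapEnv adapts a map to the getenv signature, falling back to the real
// environment for anything the map does not define.
func mapEnv(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) {
		if v, ok := m[k]; ok {
			return v, true
		}
		return os.LookupEnv(k)
	}
}

func up(s string) string { return strings.ToUpper(s) }

// crossCompiler resolves the C cross compiler for an OS/arch pair: an
// explicit SYZ_CC_<OS>_<ARCH> variable wins over the hardcoded default.
// Upper-casing the OS/arch suffix is an assumption of this example.
func crossCompiler(getenv func(string) (string, bool), targetOS, targetArch, defaultCC string) string {
	key := fmt.Sprintf("SYZ_CC_%s_%s", up(targetOS), up(targetArch))
	if _, v, ok := lookupFirst(getenv, []string{key}); ok {
		return v
	}
	return defaultCC
}

// sourceDirCandidates lists SOURCEDIR_ variables from most to least
// specific; the first one that is set wins.
func sourceDirCandidates(targetOS, targetArch, hostOS, hostArch string) []string {
	return []string{
		fmt.Sprintf("SOURCEDIR_%s_%s_%s_%s", up(targetOS), up(targetArch), up(hostOS), up(hostArch)),
		fmt.Sprintf("SOURCEDIR_%s", up(targetOS)),
		"SOURCEDIR",
	}
}

// sourceDir resolves the kernel source directory for a target/host pair.
func sourceDir(getenv func(string) (string, bool), targetOS, targetArch, hostOS, hostArch string) (string, bool) {
	_, v, ok := lookupFirst(getenv, sourceDirCandidates(targetOS, targetArch, hostOS, hostArch))
	return v, ok
}

func main() {
	// Constructed environment for a syz-ci host building two kernels.
	env := mapEnv(map[string]string{
		"SOURCEDIR":                         "/src/linux",
		"SOURCEDIR_LINUX_ARM64_LINUX_AMD64": "/src/linux-arm64",
		"SYZ_CC_LINUX_ARM":                  "/opt/yocto/sysroots/x86_64/usr/bin/arm-poky-linux-gnueabi-gcc",
	})
	for _, arch := range []string{"amd64", "arm64"} {
		dir, _ := sourceDir(env, "linux", arch, "linux", "amd64")
		fmt.Printf("linux/%s source: %s\n", arch, dir)
	}
	fmt.Println("linux/arm   cc:", crossCompiler(env, "linux", "arm", "arm-linux-gnueabi-gcc"))
	fmt.Println("linux/arm64 cc:", crossCompiler(env, "linux", "arm64", "aarch64-linux-gnu-gcc"))
}
```

Because the value that wins is a path to a compiler or a source tree, the resolved name and value are worth logging at startup; a silently inherited SYZ_CC_ or SOURCEDIR_ variable from a shared CI environment is otherwise hard to spot.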
This commit adds a new VM for fuzzing starnix.
The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode.
Co-authored-by: Juampi Miceli <jpmiceli@google.com>
For test targets, we currently specialize a single FreeBSD/386 exception.
But it's more robust to just copy the DataOffset value from the
reference targets, especially now that we explicitly determine it.
Don't set BuildOS for those targets, where we have not managed to find a
reference target based on GOARCH/GOOS. It doesn't make much sense to use
such test targets in such cases.