path: root/sys/test/exec.txt
Commit message | Author | Age | Files | Lines
* sys/test: add test case for struct layout bug | Dmitry Vyukov | 2025-01-20 | 1 | -0/+17
    Currently we have a bug with respect to struct layout for some corner cases.
    Add a test case for the bug, so that it's visible that the fix in the next commit affects the layout.
* executor: fix writing of remote coverage | Dmitry Vyukov | 2024-07-22 | 1 | -0/+1
    We never reset remote coverage, so if there is one block, we will write it after every call and multiple times at the end.
    It can lead to "too many calls in output" and just writes a quadratic amount of coverage/signal.
    Reset remote coverage after writing.
* pkg/rpcserver: move kernel test/data range checks from executor | Dmitry Vyukov | 2024-07-01 | 1 | -2/+2
    We see some errors of the form:

        SYZFAIL: coverage filter is full pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156

    Executor shouldn't send non kernel addresses in signal, but somehow it does.
    It can happen if the VM memory is corrupted, or if the test program does something very nasty (e.g. discovers the output region and writes to it).
    It's not possible to reliably filter signal in the tested VM. Move all of the filtering logic to the host.

    Fixes #4942
* executor: add runner mode | Dmitry Vyukov | 2024-06-24 | 1 | -1/+1
    Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
    Also restore syz-runtest functionality in the manager.

    Update #4917 (sets most signal handlers to SIG_IGN)
* executor: add end-to-end coverage/signal/comparisons test | Dmitry Vyukov | 2024-06-11 | 1 | -0/+3
* prog: support conditional fields | Aleksandr Nogikh | 2024-02-19 | 1 | -0/+3
    pkg/compiler restructures conditional fields in structures into unions, so we only have to implement the support for unions.

    Semantics is as follows: If a union has conditions, syzkaller picks the first field whose condition matches.
    Since we require the last union field to have no conditions, we can always construct an object.

    Changes from this commit aim at ensuring that the selected union fields always follow the rule above.
* executor: add test for zlib decompression | Dmitry Vyukov | 2022-11-23 | 1 | -0/+1
* prog: fix panic in squash of out_overlay structs | Dmitry Vyukov | 2022-06-03 | 1 | -0/+1
    We are seeing crashes like:

        panic: call overlay_uses: result arg overlayres64 references out-of-tree result

    This is caused by the fact that we completely discard out_overlay part during squashing.
    So if it contains any resources used later, we will get out-of-tree references.

    Prohibit squashing structs with out_overlay attribute.
    Alternatives would be either to produce out_overlay struct after squashing as well, or remove all resources in out part from the program.
    But it does not seem to be worth the complexity (we have few complex structs with out_overlay, if any).
* pkg/compiler: add out_overlay field attribute | Dmitry Vyukov | 2022-01-11 | 1 | -35/+75
* sys/test/test: add a hanging test | Dmitry Vyukov | 2020-09-12 | 1 | -0/+1
    Ensure that we can handle hanging syscalls in all modes.
* pkg/compiler: fix crash on fmt[flags] | Dmitry Vyukov | 2020-07-23 | 1 | -0/+6
    Flags with only 1 value 0 are transformed to ConstType. Fmt did not expect that.

    Fixes #1965
* pkg/compiler: refactor attribute handling | Dmitry Vyukov | 2020-04-19 | 1 | -3/+3
    Introduce common infrastructure for describing and parsing attributes instead of custom per-attribute code scattered across several locations.

    Change align attribute syntax from the weird align_N to align[N]. This also allows using literal constants as N.

    Introduce notion of builtin constants. Currently we have only PTR_SIZE, which is needed to replace align_ptr with align[PTR_SIZE].
* sys/linux: fix 2 netlink data layout bugs | Dmitry Vyukov | 2020-01-07 | 1 | -0/+33
    1. Turns out that NLA_F_NESTED is actually used and checked (nla_parse_nested checks it, while nla_parse_nested_deprecated does not).
       Similarly, ipset extensively checks NLA_F_NET_BYTEORDER. So we need these bits.

    2. nla_len must not account for the trailing alignment padding.
       This means we set wrong len for payloads that are not a multiple of 4 (int8/int16/strings/arrays/some structs/etc).
* pkg/compiler: fix another bitfield layout bug | Dmitry Vyukov | 2020-01-07 | 1 | -0/+10
    See the added test for details.
* sys/test: and another set of bitfield tests | Dmitry Vyukov | 2019-12-20 | 1 | -0/+79
    Just trying to get my head around it (and fix this in tests).

    Update #1542
* sys/test: and another bitfield test | Dmitry Vyukov | 2019-12-19 | 1 | -0/+7
    Just trying to get my head around it (and fix this in tests).

    Update #1542
* sys/test: add few other tests for tricky bitfields | Dmitry Vyukov | 2019-12-18 | 1 | -0/+33
    Update #1542
* sys/test: add more tests for bitfields | Dmitry Vyukov | 2019-12-13 | 1 | -0/+45
    Add tests for issue #1542

    The correct results are obtained with the following program:

        #include <stdio.h>
        #include <string.h>

        struct foo {
            unsigned char f0;
            unsigned int f1:4;
            unsigned short f2:4;
        };

        struct bar {
            char f0;
            struct foo foo;
        };

        int main() {
            struct bar y;
            memset(&y, 0, sizeof(y));
            y.f0 = 0x12;
            y.foo.f0 = 0x34;
            /* f1 and f2 are 4 bits wide, so only the low nibble is stored */
            y.foo.f1 = 0x56;
            y.foo.f2 = 0x78;
            int i;
            /* dump the in-memory layout byte by byte */
            for (i = 0; i < sizeof(y); i++)
                printf("%02x", ((unsigned char*)&y)[i]);
            printf("\n");
        }
* sys/test/test: add tests for test exiting in the middle of execution | Dmitry Vyukov | 2019-01-31 | 1 | -0/+1
* pkg/csource: use 0 for missing syscall args | Dmitry Vyukov | 2018-12-27 | 1 | -0/+3
    We don't specify trailing unused args for some syscalls (e.g. ioctl that does not use its arg).
    Executor always filled trailing unused args with 0's but pkg/csource didn't.
    Some such syscalls actually check that the unused arg is 0 and as a result failed with C repro.

    We could statically check and eliminate all such cases, but it turns out the warning fires in 1500+ cases:
    https://gist.githubusercontent.com/dvyukov/e59ba1d9a211ee32fa0ba94fab86a943/raw/a3ace5a63f7281f0298f51ea9842ead1e4713418/gistfile1.txt

    So instead fill such args with 0's in pkg/csource too.
* prog, pkg/csource: more readable serialization for strings | Dmitry Vyukov | 2018-12-15 | 1 | -1/+4
    Always serialize strings in readable format (non-hex).
    Serialize binary data in readable format in more cases.

    Fixes #792
* executor: fix handling of big-endian bitfields | Dmitry Vyukov | 2018-12-08 | 1 | -0/+4
    Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin.
    This leads to totally bogus result. Fix this.
* sys/test: add more tests | Dmitry Vyukov | 2018-08-03 | 1 | -0/+18
    Add syz_errno syscall which sets errno to the argument, and add a test with different errno values.
    This mostly tests the testing infrastructure itself.

    Add syz_compare syscall which compares two blobs, this can be used for testing of argument memory layout.

    Implement syz_mmap and fix Makefile to allow building syz-execprog for test OS. Useful for debugging.

    Update #603