path: root/sys/test
Commit log (each entry: commit message, author, date, files changed, lines removed/added):
* prog: pkg/compiler: docs: introduce the `no_squash` attribute (Alexander Potapenko, 2025-09-09, 1 file, -0/+9)

    The `no_squash` per-syscall attribute prevents the fuzzer from generating squashed arguments to a particular syscall. This is particularly helpful for pseudo-syscalls with elaborate arguments that are hard to reason about when they are squashed - e.g. for syz_kvm_add_vcpu() that takes a SYZOS program as an input.

    I've considered an alternative solution that prohibits ANY for all pseudo-syscalls. But there is a bunch of existing programs (both the tests and the repros) for syscalls like syz_mount_image() for which the benefit of not passing ANY is not immediately obvious. I therefore decided to go with an explicit attribute that can later be enforced for every pseudo-syscall at compile time.
* pkg/csource: enforce the bit size of -1 (Aleksandr Nogikh, 2025-04-10, 1 file, -0/+1)

    syscall() is a variadic function, so we need to be careful when passing const values in there without specifying their type. For -1, we did not specify it, and on 64 bit architectures the de facto passed value was 0xFFFFFFFF instead of 0xFFFFFFFFFFFFFFFF. Fix it and add a test.

    Closes #5921.
* sys/test: fix align3 test (Dmitry Vyukov, 2025-01-28, 1 file, -2/+2)
* sys/syz-sysgen: serialize descriptions as gob and embed (Dmitry Vyukov, 2025-01-23, 1 file, -6/+0)

    Instead of generating Go files with descriptions serialize them as gob and compress with flate. This significantly reduces build time, go vet time, and solves scalability problems with some static analysis tools.

    Reference times (all after rm -rf ~/.cache/go-build)
    before:
        TIME="%e %P %M" time go install ./syz-manager
        48.29 577% 4824820
        TIME="%e %P %M" time go test -c ./prog
        56.28 380% 6973292
    After:
        TIME="%e %P %M" time go install ./syz-manager
        22.81 865% 859788
        TIME="%e %P %M" time go test -c ./prog
        12.74 565% 267760

    syz-manager size before/after: 194712597 -> 83418407 -57% even provided we now embed all descriptions instead of just a single arch. Deflate/decoding time for a single Linux arch is ~330ms.

    Fixes #5542
* pkg/compiler: fix struct layout bug (Dmitry Vyukov, 2025-01-20, 1 file, -1/+1)

    Currently we have a bug in struct layout that affects some corner cases that involve recursive structs. The result of this bug is that we use wrong alignment 1 (not yet calculated) for some structs when calculating layout of other structs. The root cause of this bug is that we calculate struct alignment too early in typeStruct.Gen when structs are not yet laid out. For this reason we moved struct size calculation to the later phase (after compiler.layoutStruct). Move alignment calculation from typeStruct.Gen to compiler.layoutStruct to fix this.
* sys/test: add test case for struct layout bug (Dmitry Vyukov, 2025-01-20, 2 files, -0/+21)

    Currently we have a bug with respect to struct layout for some corner cases. Add a test case for the bug, so that it's visible that the fix in the next commit affects the layout.
* prog: annotate image assets with fsck logs (Florent Revest, 2024-12-09, 1 file, -0/+2)

    Syscall attributes are extended with a fsck command field which lets file system mount definitions specify a fsck-like command to run. This is required because all file systems have a custom fsck command invocation style. When uploading a compressed image asset to the dashboard, syz-manager also runs the fsck command and logs its output over the dashapi. The dashboard logs these fsck logs into the database.

    This has been requested by fs maintainer Ted Tso who would like to quickly understand whether a filesystem is corrupted or not before looking at a reproducer in more detail. Ultimately, this could be used as an early triage sign to determine whether a bug is obviously critical.
* all: support || operator in syzlang if condition (Jiao, Joey, 2024-11-13, 2 files, -4/+5)

    ex. f3 field has logic or operator in if condition:

        conditional_struct {
            mask int32
            f1 field1 (if[value[mask] & FIELD_FLAG1])
            f2 int64 (if[value[mask] & FIELD_FLAG2])
            f3 int64 (if[value[mask] == FIELD_FLAG1 || value[mask] == FIELD_FLAG2])
        } [packed]
* prog: allow deeper nesting of conditional fields patching (Aleksandr Nogikh, 2024-09-11, 1 file, -1/+22)

    There is a totally valid situation when we could be recursively patching conditional fields: if by changing a field's value we insert new resource constructor calls. It's a bug to skip conditional field patching for them.

    Allow up to 2 nested patchConditionalFields() calls and panic if there happen to be more. Add a test that reproduces the situation described above.
* executor: fix writing of remote coverage (Dmitry Vyukov, 2024-07-22, 1 file, -0/+1)

    We never reset remote coverage, so if there is one block, we will write it after every call and multiple times at the end. It can lead to "too many calls in output" and just writes quadratic amount of coverage/signal. Reset remote coverage after writing.
* prog: reduce amount of hint replacements (Dmitry Vyukov, 2024-07-02, 1 file, -0/+32)

    Several optimizations to reduce amount of hint replacements:
    1. Don't mutate int's that are <= 8 bits.
    2. Don't mutate data that is <= 3 bytes.
    3. Restrict mutation of len only value >10 and < 1<<20. Values <= 10 we can produce during normal mutation. Values > 1<<20 are presumably not length of something and we have logic to produce various large bogus lengths.
    4. Include all small ints <= 16 into specialInts and remove 31, 32, 63 (don't remember where they come from).
    5. Don't produce other known flags (and combinations) for flags.

    And a larger part computes groups of related arguments so that we don't try to produce known ioctl's from other known ioctl's, and similarly for socket/socketpair/setsockopt/etc. See comments in Target.initRelatedFields for details.

    Update #477
* pkg/rpcserver: move kernel test/data range checks from executor (Dmitry Vyukov, 2024-07-01, 1 file, -2/+2)

    We see some errors of the form:

        SYZFAIL: coverage filter is full pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156

    Executor shouldn't send non kernel addresses in signal, but somehow it does. It can happen if the VM memory is corrupted, or if the test program does something very nasty (e.g. discovers the output region and writes to it). It's not possible to reliably filter signal in the tested VM. Move all of the filtering logic to the host.

    Fixes #4942
* executor: add runner mode (Dmitry Vyukov, 2024-06-24, 1 file, -1/+1)

    Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer. Also restore syz-runtest functionality in the manager.

    Update #4917 (sets most signal handlers to SIG_IGN)
* sys/test: fix test 'expressions_be' (Alexander Egorenkov, 2024-06-12, 1 file, -1/+1)

    Add a missing zero byte to the input data.

        $ go test -v -count=1 -run=Test/64 ./pkg/runtest/ -filter=expressions_be
        === NAME Test/64
        ...
        run.go:65: expressions_be C executing program
        ### start
        ### call=0 errno=0
        ### call=1 errno=22
        ### call=2 errno=0
        ### call=3 errno=0

    Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
* executor: add end-to-end coverage/signal/comparisons test (Dmitry Vyukov, 2024-06-11, 1 file, -0/+3)
* sys/targets: mark big-endian targets (Dmitry Vyukov, 2024-06-04, 10 files, -11/+11)

    Little-endian is kind of default (except for s390). So instead of saying that each arch is little-endian, mark only s390 as big-endian.
* executor: remove noshmem mode (Dmitry Vyukov, 2024-06-04, 10 files, -18/+18)

    All OSes we have now support shmem. Support for Fuchsia/Starnix/Windows wasn't implemented, but generally they support shared memory. Remove all of the complexity and code associated with noshmem mode. If/when we revive these OSes, it's easier to properly implement shmem mode for them.
* pkg/host: explicitly disable syz_execute_func (Dmitry Vyukov, 2024-04-29, 1 file, -1/+1)

    Disable the syscall in descriptions rather than in the code. This makes it more visible for users that it's disabled, and makes it less special (will not need to move this logic to host). Also change the condition in syz-sysgen to be more precise, otherwise syz_execute_func becomes unused function.
* prog: more compact exec encoding for addresses (Dmitry Vyukov, 2024-04-15, 1 file, -0/+1)

    1. Don't write size/flags for addresses.
    2. Write address w/o data offset (fewer bytes in leb128 encoding).

    Median exec size shrinks by 25%:

        - exec sizes: 10%:584 50%:1423 90%:7076
        + exec sizes: 10%:448 50%:1065 90%:6319
* prog: fix selection of args eligible for squashing (Dmitry Vyukov, 2024-04-15, 2 files, -1/+18)

    This fixes 3 issues:

    1. We intended to squash only 'in' pointer elems, but we looked at the pointer direction rather than elem direction. Since pointers themselves are always 'in' we squashed a number of types we didn't want to squash.

    2. We can squash filenames, which can lead to generation of escaping filenames, e.g. fuzzer managed to create "/" filename for blockdev_filename as:

        mount(&(0x7f0000000000)=ANY=[@ANYBLOB='/'], ...)

    Don't squash filenames.

    3. We analyzed a concrete arg to see if it contains something we don't want to squash (e.g. pointers). But the whole type can still contain unsupported things in inactive union options, or in 0-sized arrays. E.g. this happened in the mount case above. Analyze the whole type to check for unsupported things. This also moves most of the analysis to the compiler, so mutation will be a bit faster.

    This removes the following linux types from squashing.

    1. These are not 'in':
        btrfs_ioctl_search_args_v2
        btrfs_ioctl_space_args
        ethtool_cmd_u
        fscrypt_add_key_arg
        fscrypt_get_policy_ex_arg
        fsverity_digest
        hiddev_ioctl_string_arg
        hidraw_report_descriptor
        ifreq_dev_t[devnames, ptr[inout, ethtool_cmd_u]]
        ifreq_dev_t[ipv4_tunnel_names, ptr[inout, ip_tunnel_parm]]
        ifreq_dev_t["sit0", ptr[inout, ip_tunnel_prl]]
        io_uring_probe
        ip_tunnel_parm
        ip_tunnel_prl
        poll_cq_resp
        query_port_cmd
        query_qp_resp
        resize_cq_resp
        scsi_ioctl_probe_host_out_buffer
        sctp_assoc_ids
        sctp_authchunks
        sctp_getaddrs
        sctp_getaddrs_old

    2. These contain pointers:
        binder_objects
        iovec[in, netlink_msg_route_sched]
        iovec[in, netlink_msg_route_sched_retired]
        msghdr_netlink[netlink_msg_route_sched]
        msghdr_netlink[netlink_msg_route_sched_retired]
        nvme_of_msg

    3. These contain filenames:
        binfmt_script
        blockdev_filename
        netlink_msg_route_sched
        netlink_msg_route_sched_retired
        selinux_create_req
* prog: fix resource leak during replaceArg() of union fields (Aleksandr Nogikh, 2024-03-13, 1 file, -0/+11)

    The replaced union field may contain resource references that must also be cleaned up.

    The bug was triggered via methods that patch conditional fields, so let's add stress tests for the conditional fields + resources combination.

    Reported-by: Paul Chaignon <paul.chaignon@gmail.com>
* pkg/fuzzer: factor out the fuzzing engine (Aleksandr Nogikh, 2024-03-12, 2 files, -1/+8)

    This is the first step for #1541.

    Move the fuzzing engine that used to be interleaved with other syz-fuzzer code into a separate package. For now, the algorithm is more or less the same as it was, the only difference is that a pkg/fuzzer instance scales to the available computing power.

    Add an executor-based test that performs real fuzzing.
* Revert "prog: fix resource leak during replaceArg() of union fields" (Aleksandr Nogikh, 2024-03-08, 1 file, -11/+0)

    This reverts commit 6387f6b7d487e2a77d753ad28c1074e39c17c3ca.
* prog: fix resource leak during replaceArg() of union fields (Aleksandr Nogikh, 2024-03-08, 1 file, -0/+11)

    The replaced union field may contain resource references that must also be cleaned up.

    The bug was triggered via methods that patch conditional fields, so let's add stress tests for the conditional fields + resources combination.

    Reported-by: Paul Chaignon <paul.chaignon@gmail.com>
* prog: handle multiple matching union fields (Aleksandr Nogikh, 2024-02-19, 1 file, -0/+12)

    If conditions of several union fields are satisfied, select one randomly. This would be a more logical semantics.

    When conditional struct fields are translated to unions, negate the condition for the union alternative.
* prog: test len calculation of structs with conditions (Aleksandr Nogikh, 2024-02-19, 1 file, -0/+12)
* prog: support conditional fields (Aleksandr Nogikh, 2024-02-19, 5 files, -0/+80)

    pkg/compiler restructures conditional fields in structures into unions, so we only have to implement the support for unions.

    Semantics is as follows: If a union has conditions, syzkaller picks the first field whose condition matches. Since we require the last union field to have no conditions, we can always construct an object.

    Changes from this commit aim at ensuring that the selected union fields always follow the rule above.
* pkg/compiler: extend parent reference support in len (Aleksandr Nogikh, 2024-02-19, 1 file, -0/+31)

    Earlier only len[parent, T] was supported and meant the size of the whole structure.

    Logically, len[parent:b, T] should be equivalent to just len[b, T].

    Let len[parent:parent:a, T] refer to the structure that encloses the current one.

    Support len fields inside unions.
* pkg/csource: annotate syscall() args with their pretty-printed values (Florent Revest, 2024-02-01, 2 files, -0/+7)

    This factorizes const arguments into the shortest flags OR bitmask possible so they are easy to read. E.g:

        /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul
* prog: prefer precise constructors (Aleksandr Nogikh, 2024-01-11, 1 file, -0/+10)

    During resource argument generation, we used to randomly select one of the matching resources. With so many descendants of fd, this becomes quite inefficient and most of the time syzkaller fails to build correct programs.

    Give precise resource constructions priority. Experiment with other resource types only in 1/3 of cases.
* compiler: support const as int first argument (Paul Chaignon, 2023-11-28, 1 file, -1/+2)

    This commit adds support for the following syntax:

        int8[constant]

    as an equivalent to:

        const[constant, int8]

    The goal is to have a unified const/flags definition that we can use in templates. For example:

        type template[CLASS, ...] {
            class int8:3[CLASS]
            // ...
        }
        type singleClassType template[SINGLE_CONST]
        type subClassType template[abc_class_flags]

    In this example, the CLASS template field can be either a constant or a flag. This is especially useful when defining both a generic instance of the template as well as specialized instances (ex. bpf_alu_ops and bpf_add_op).

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* compiler: support flags as int first argument (Paul Chaignon, 2023-11-28, 1 file, -0/+7)

    This commit adds support for the following syntax:

        int_flags = 1, 5, 8, 9
        int32[int_flags]

    which is equivalent to:

        int_flags = 1, 5, 8, 9
        flags[int_flags, int32]

    The second int type argument, align, is not allowed if the first argument is a flag.

    The compiler will also error if the first argument appears to be a flag (is ident and has no colon), but can't be found in the map of flags.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* prog, sys: test cases for struct AUTO (Paul Chaignon, 2023-11-13, 1 file, -0/+15)

    This commit adds a few test cases for the support of AUTO for structs. It covers:
    - A simple struct with only const and len types.
    - A nested struct case.
    - An error case when a struct has an int type field.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* prog: more complex tests for getInputResources (Paul Chaignon, 2023-10-09, 1 file, -2/+15)

    This commit adds more complex unit tests to cover the bug in getInputResources fixed by the previous commit.

    required_res1 and test_args3 cover the case where a struct is included both as optional and required. required_res2 and test_args4 cover the case where a struct is included both as DirOut and DirIn. In both cases the resource should be recognized as being a required input resource for the syscall.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* prog: test optional input resources are skipped (Paul Chaignon, 2023-10-09, 1 file, -0/+25)

    This commit adds a unit test for getInputResources, to verify in particular that it doesn't return input resources that are optional.

    Note we can't test the built-in "optional[]" because that relies on unions and those aren't supported yet.

    Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
* pkg/csource: annotate syscall() args with their names (Florent Revest, 2023-06-09, 1 file, -7/+7)

    This annotates syscall arguments so they are easier to read without having to pull out the syscall's man page. E.g:

        syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, ...

    Signed-off-by: Florent Revest <revest@chromium.org>
* executor: add test for zlib decompression (Dmitry Vyukov, 2022-11-23, 1 file, -0/+1)
* prog: introduce new Base64 syntax for data (Hrutvik Kanabar, 2022-11-21, 1 file, -0/+2)

    The new "$..." syntax is read as a Base64 encoding binary data. Note that users cannot specify the size of the Base64 syntax using the `"..."/<size>` notation.

    When serialising programs to human-readable form, only compressed types (determined by `IsCompressed()`) are represented using the new Base64 notation.

    Also add a couple of serialisation tests, checking behaviour for compressed and non-compressed types.
* prog: generate very long file names (Dmitry Vyukov, 2022-08-10, 2 files, -0/+3)

    Generate very long file names once in a while to provoke bugs like:
    https://github.com/google/gvisor/commit/f857f268eceb1cdee0b2bdfa218c969c84033fcd
* prog: support int8 resources in any squashing (Dmitry Vyukov, 2022-06-20, 1 file, -1/+3)

    We've got the following panic:

        --- FAIL: TestMutateRandom (7.77s)
            export_test.go:37: seed=1655724857302243235
            --- FAIL: TestMutateRandom/test/32_shmem (0.00s)
        panic: bad size [recovered]
            panic: bad size
        goroutine 562 [running]:
        panic({0x5ea5a0, 0x8dade8})
            /usr/local/go/src/runtime/panic.go:1038 +0x215
        github.com/google/syzkaller/prog.(*Target).squashResult(0xc0002a9ba0, 0xc026faa7b0, 0xc026ad1bc8)
            /syzkaller/gopath/src/github.com/google/syzkaller/prog/any.go:236 +0x2d1

    This happens because we try to squash resource of size 1. While we still don't have such resources in real descriptions, we've got one in test descriptions (added in out_overlay change). Support int8 resources in squashing procedure.
* prog: fix panic in squash of out_overlay structs (Dmitry Vyukov, 2022-06-03, 1 file, -0/+1)

    We are seeing crashes like:

        panic: call overlay_uses: result arg overlayres64 references out-of-tree result

    This is caused by fact that we completely discard out_overlay part during squashing. So if it contains any resources used later, we will get out-of-tree references.

    Prohibit squashing structs with out_overlay attribute. Alternatives would be either to produce out_overlay struct after squashing as well, or remove all resources in out part from the program. But it does not seem to be worth the complexity (we have few complex structs with out_overlay, if any).
* pkg/ast, pkg/compiler: support per-file metadata (Dmitry Vyukov, 2022-04-29, 2 files, -0/+18)

    We have a bunch of hacks in syz-extract, syz-sysgen and syz-check with respect to description files unsupported on some arches, or that must not be part of make extract. Add 2 meta attributes to files:

        meta noextract

    Tells `make extract` to not extract constants for this file. Though, `syz-extract` can still be invoked manually on this file.

        meta arches["arch1", "arch2"]

    Restricts this file only to the given set of architectures. `make extract` and `make generate` will not use it on other architectures.

    Later we can potentially use meta attributes to specify git tree/commit that must be used for extraction. Maybe something else.

    Fixes #2754
* sys/test: fix overlay test for bigendian (Alexander Egorenov, 2022-01-14, 2 files, -0/+13)

        $ go test -v -short ./pkg/runtest
        run.go:67: overlay C : FAIL: run 0: wrong call 3 result 22, want 0
        ### start
        ### call=0 errno=0
        ### call=1 errno=0
        ### call=2 errno=0
        ### call=3 errno=22
        ### call=4 errno=22
        ### call=5 errno=22
        ### call=6 errno=22
        ### call=7 errno=22
        ### call=8 errno=0
        run.go:67: overlay /repeat C : BROKEN (non-forking loop)
        run.go:67: overlay /thr C : FAIL: run 0: wrong call 3 result 22, want 0
        ### start
        ### call=0 errno=0
        ### call=1 errno=0
        ### call=2 errno=0
        ### call=3 errno=22
        ### call=4 errno=22
        ### call=5 errno=22
        ### call=6 errno=22
        ### call=7 errno=22
        ### call=8 errno=0
        run.go:67: overlay /thr/repeat C : BROKEN (non-forking loop)
        run.go:67: overlay none : FAIL: run 0: wrong call 3 result 22, want 0
        run.go:67: overlay none C : FAIL: run 0: wrong call 3 result 22, want 0
        ### start
        ### call=0 errno=0
        ### call=1 errno=0
        ### call=2 errno=0
        ### call=3 errno=22
        ### call=4 errno=22
        ### call=5 errno=22
        ### call=6 errno=22
        ### call=7 errno=22
        ### call=8 errno=0
        run.go:67: overlay none/repeat : FAIL: run 0: wrong call 3 result 22, want 0
        run.go:67: overlay none/repeat C : BROKEN (non-forking loop)
        run.go:67: overlay none/thr : FAIL: run 0: wrong call 3 result 22, want 0
        run.go:67: overlay none/thr C : FAIL: run 0: wrong call 3 result 22, want 0
        ### start
        ### call=0 errno=0
        ### call=1 errno=0
        ### call=2 errno=0
        ### call=3 errno=22
        ### call=4 errno=22
        ### call=5 errno=22
        ### call=6 errno=22
        ### call=7 errno=22
        ### call=8 errno=0
* sys/linux: use out_overlay attribute (Dmitry Vyukov, 2022-01-11, 1 file, -2/+2)

    Remove all uses of direction attributes on union fields and use out_overlay attribute instead. The attribute actually does what was the intention behind use of direction attribute on unions.
* pkg/compiler: add out_overlay field attribute (Dmitry Vyukov, 2022-01-11, 2 files, -35/+84)
* pkg/compiler: optimize array[const] representation (Dmitry Vyukov, 2021-04-21, 1 file, -2/+3)

    Represent array[const[X, int8], N] as string["XX...X"]. This replaces potentially huge number of:

        NONFAILING(*(uint8_t*)0x2000126c = 0);
        NONFAILING(*(uint8_t*)0x2000126d = 0);
        NONFAILING(*(uint8_t*)0x2000126e = 0);

    with a single memcpy. In one reproducer we had 3991 such lines. Also replace memcpy's with memset's when possible.

    Update #1070
* pkg/csource: add resulting source tests (Dmitry Vyukov, 2021-04-21, 1 file, -0/+13)

    Add some tests that verify source we get for various programs.

    Update #1070
* sys: commit empty source files (Dmitry Vyukov, 2021-04-21, 1 file, -0/+6)

    Commit empty files into generated packages, so that the tree is buildable even w/o generated files and Go tools continue to work.
* sys/test/test: add a hanging test (Dmitry Vyukov, 2020-09-12, 2 files, -0/+4)

    Ensure that we can handle hanging syscalls in all modes.
* prog: fix UnionType mutation for when per-field dir is specified (Necip Fazil Yildiran, 2020-08-14, 1 file, -2/+7)

    prog/TestMutateRandom used to fail due to this.