| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
The interface has significantly changed since the first version.
Update to the upstreammed interface.
Fixes #3030
|
| |
|
|
|
| |
Regenerate on latest upstream commit
56e337f2cf1326323844927a04e9dbce9a244835.
|
| |
|
|
| |
Based on v5.17-rc1 and upstream-usb.config.
|
| |
|
|
| |
The executor uses more file descriptors by now.
|
| | |
|
| |
|
|
| |
Regenerate const files on next-20220127.
|
| |
|
|
|
|
|
|
|
|
| |
Setting itself or another process as a real-time one leads to the
starvation of kernel threads and, as a result, to false positive stall
bug reports. We have been getting complaints about them for already
quite a long time now.
Neutralize the policy argument of the syscall as much as possible given
the set of possible syzkaller mutations.
|
| | |
|
| |
|
|
|
|
| |
It seems we had a bogus signature for sigaltstack for all that time.
It accepts 2 sigaltstack structs according to the kernel code:
https://elixir.bootlin.com/linux/v5.16/source/kernel/signal.c#L4217
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disable GCC warnings:
* stringop-overflow
* array-bounds
* format-overflow
These warnings generate false positives for C reproducers which cause
GCC to fail if -Werror is given.
This commit fixes the following false positives:
/root/test.c: In function ‘main’:
/root/test.c:88:50: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
88 | NONFAILING(*(uint8_t*)0x20000088 = 3);
/root/test.c:85:28: error: ‘memcpy’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
85 | NONFAILING(memcpy((void*)0x20000040, "\001\000\000\000\002\000\000\000\003\000\004\000\000\000\000\000\005\000\000\000\000\000\000\000", 24));
<stdin>:86:40: error: ‘%023llo’ directive writing 23 bytes into a region of size 0 [-Werror=format-overflow=]
<stdin>:43:123: note: in definition of macro ‘NONFAILING’
GCC stringop-overflow bug reports:
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88443
syzkaller group discussion:
- https://groups.google.com/g/syzkaller/c/PIEYPflPWhQ
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang doesn't fail if an unknown flag is specified w/o specifying -Werror
as well.
[syzkaller]# clang -x c++ - -o /dev/null -Wtada < test.c
warning: unknown warning option '-Wtada' [-Wunknown-warning-option]
1 warning generated.
[syzkaller]# echo $?
0
[syzkaller]# clang -x c++ - -o /dev/null -Wtada -Werror < test.c
error: unknown warning option '-Wtada' [-Werror,-Wunknown-warning-option]
[syzkaller]# echo $?
1
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
$ go test -v -short ./pkg/runtest
run.go:67: overlay C : FAIL: run 0: wrong call 3 result 22, want 0
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=22
### call=4 errno=22
### call=5 errno=22
### call=6 errno=22
### call=7 errno=22
### call=8 errno=0
run.go:67: overlay /repeat C : BROKEN (non-forking loop)
run.go:67: overlay /thr C : FAIL: run 0: wrong call 3 result 22, want 0
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=22
### call=4 errno=22
### call=5 errno=22
### call=6 errno=22
### call=7 errno=22
### call=8 errno=0
run.go:67: overlay /thr/repeat C : BROKEN (non-forking loop)
run.go:67: overlay none : FAIL: run 0: wrong call 3 result 22, want 0
run.go:67: overlay none C : FAIL: run 0: wrong call 3 result 22, want 0
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=22
### call=4 errno=22
### call=5 errno=22
### call=6 errno=22
### call=7 errno=22
### call=8 errno=0
run.go:67: overlay none/repeat : FAIL: run 0: wrong call 3 result 22, want 0
run.go:67: overlay none/repeat C : BROKEN (non-forking loop)
run.go:67: overlay none/thr : FAIL: run 0: wrong call 3 result 22, want 0
run.go:67: overlay none/thr C : FAIL: run 0: wrong call 3 result 22, want 0
### start
### call=0 errno=0
### call=1 errno=0
### call=2 errno=0
### call=3 errno=22
### call=4 errno=22
### call=5 errno=22
### call=6 errno=22
### call=7 errno=22
### call=8 errno=0
|
| |
|
|
| |
Update #590
|
| | |
|
| | |
|
| |
|
|
| |
They are not really structs in the kernel even if we describe them as structs.
|
| |
|
|
|
| |
Regenerate warn files on the latest kernel commit fe8152b38d3
and latest syzkaller commit with fresh kernel config files.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unindentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
|
| | |
|
| |
|
|
|
| |
Add memfd_create as a dependency to syz_mount_image and
syz_read_part_table.
|
| |
|
|
|
|
|
|
|
|
|
| |
Pseudo syscalls can (and most of the time) do invoke normal system
calls. However, when there's a risk that those calls might not be
present, syzkaller needs to take preventive actions - prepend the
corresponding defines. Otherwise syz-executor or C reproducers might
not compile on the host machine.
List those dependencies in sys/targets, check them during machine check
and add the corresponding defines during C source generation.
|
| |
|
|
|
|
|
|
|
| |
As the comiling machine may have a kernel version different from the
tested one, not all definitions might be present. Generate sequences of
ifndef in defs.h to avoid potential issues.
Restrict __NR-related style checking rules to only checking common*.h
files.
|
| |
|
|
|
|
|
| |
Subsequent changes will require stricter resource constructors
and checks start failing for vcontext_handle (doesn't have ctors).
I can't wrap my head around how vcontext_handle is supposed to be created,
so for now it's downgraded to just int.
|
| | |
|
| |
|
|
|
|
|
| |
Add construcor for drm_plane_id resource that returns it outside of an array.
Provide more detailed desriptions for DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD/DRM_IOCTL_SYNCOBJ_FD_TO_HANDLE
as they accept/return complete different resources.
|
| |
|
|
|
|
|
|
|
| |
Move existing bits of /dev/media descriptions from sys.txt and dev_video4linux.txt
and complete the descriptions.
Also provide more concrete specialization of VIDIOC_QUERYBUF ioctl.
Add ioctl specialization that serves as fd_v4l2_buffer resource constructor
(returns it outside of a union).
|
| | |
|
| |
|
|
| |
The ioctls actually return the dmabuf fd that can be used in other APIs.
|
| |
|
|
|
|
|
| |
The comment says:
// ION support was removed from kernel.
// We plan to leave the descriptions for some time as is and later remove them.
|
| |
|
|
|
| |
NL802154_IFTYPE_UNSPEC value was changed in kernel commit 451dc48c806a7ce9fbec5e7a24ccf4b2c936e834.
dev_msr consts were not generated for non-x86 arches.
|
| |
|
|
|
|
|
| |
syz-env make extract fails on upstream commit d1587f7bfe:
/usr/bin/env: 'python3': No such file or directory
make[3]: *** [Makefile:72: bpf/resolve_btfids] Error 2
|
| |
|
|
|
|
| |
Currently fails with:
<stdin>:7:10: fatal error: asm/msr.h: No such file or directory
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove all uses of len/flags/const/proc types in explicitly marked out fields.
Use of these types for out fields does not make sense:
a len[b, int32] (out)
b flags[foo, int32] (out)
Since kernel fills these fields, that's unnecessary details or bugs in descriptions.
In particular all of these are actually bugs:
ioctl$TUNSETQUEUE(fd fd_tun, cmd const[TUNSETQUEUE], arg ptr[in, ifreq_t[flags[tun_queue_flags, int16]]])
ioctl$TUNSETIFF(fd fd_tun, cmd const[TUNSETIFF], arg ptr[in, ifreq_t[flags[tun_setiff_flags, int16]]])
ioctl$SIOCSIFHWADDR(fd fd_tun, cmd const[SIOCSIFHWADDR], arg ptr[in, ifreq_t[mac_addr]])
ioctl$sock_inet_SIOCSIFADDR(fd sock, cmd const[SIOCSIFADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFBRDADDR(fd sock, cmd const[SIOCSIFBRDADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFNETMASK(fd sock, cmd const[SIOCSIFNETMASK], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFDSTADDR(fd sock, cmd const[SIOCSIFDSTADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFPFLAGS(fd sock, cmd const[SIOCSIFPFLAGS], arg ptr[inout, ifreq_t[int32]])
ioctl$SIOCSIFMTU(fd sock_pppl2tp, cmd const[SIOCSIFMTU], arg ptr[in, ifreq_t[int32]])
ioctl$sock_SIOCETHTOOL(fd sock, cmd const[SIOCETHTOOL], arg ptr[inout, ifreq_t[ptr[inout, ethtool_cmd_u]]])
We pretend that we pass in some flags or addresses, but the ifreq field
was marked as (out), so we actually did not pass anything in.
|
| |
|
|
|
|
|
| |
Remove all uses of direction attributes on union fields
and use out_overlay attribute instead.
The attribute actually does what was the intention behind
use of direction attribute on unions.
|
| | |
|
| |
|
|
|
|
| |
More info here:
https://marc.info/?l=openbsd-cvs&m=164028539524813&w=2
|
| |
|
|
|
|
|
| |
The new neighbour flag NTF_STICKY was added upstream in commit
v4.20-rc1~14^2~392.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
| |
The NDA_FLAGS_EXT netlink attribute was added upstream in commit
v5.16-rc1~159^2~222^2~1, to allow for new neighbor flags. The only such
flag currently supported is NTF_EXT_MANAGED.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
| |
Yet another root only knob that can cause the syz-execprog process to
run out of resources[1].
[1] https://syzkaller.appspot.com/bug?id=08745ec898fac9de9164bcc4d03bf62a078f56ab
|
| |
|
|
|
|
|
|
|
|
|
| |
The structure used for BPF map creation now has an additional field,
map_extra, introduced in [1] upstream. The definition of that field
depends on the map type being created and is only used by bloom
filter maps for now. For bloom filter maps, the 4 lower bits define
the number of hash functions to use.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9330986c03006
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit [1] upstream introduced support for BPF calls to kernel
functions, via a new call instruction BPF_PSEUDO_KFUNC_CALL. In this new
instruction, the immediate value is the BTF ID of the function to call
in the kernel.
This commit introduces basic support for this new instruction in
syzkaller. The immediate value will point to a BTF ID, but a fair amount
of additional work would be required to ensure that BTF ID is actually
pointing to a kernel function.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6ac2450d6dee
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit [1] upstream introduced a new BPF helper, bpf_for_each_map_elem,
which comes with callback functions (BPF programs). The callback
function's address is provided via a 64-bit IMM load instruction where
the first 32-bit of the immediate value are the offset from the current
instruction to the start of the callback function. The 64-bit value is
then rewritten into the address of the callback function.
Callback BPF functions are similar to BPF_PSEUDO_CALL functions, except
the offset to the function is converted into an address to be passed to
a BPF helper. The same workaround is thus used to encode the offset in
syzkaller, given we can't currently limit the offset to the program
size.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69c087ba6225b
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit [1] upstream introduced a new way to reference BPF maps in eBPF
instructions. An array of BPF map fds is passed at program load time.
Instructions can then reference fds in this array instead of carrying
the fds directly. The goal is to allow BPF instructions to be immutable
after compilation.
Since we don't yet have a good way to reference indexes in an array, we
define a new type map_fd_id for that purpose, with indexes between 0 and
16 only.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul@isovalent.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sys/linux/damon.txt: initial description
description of DAMON's interface mounted in debugfs: target_ids, attrs, init_regions, monitor_on
* sys/linux/damon.txt: additional damon interface description added
added DAMON interface descriptions for schemes, kdamond_pid, mk_contexts, rm_contexts
prefix of all the files with damon to avoid colliding naming
* sys/linux/damon.txt: standard copyright statement added
* sys/linux/damon.txt.const: const file of sys/linux/damon.txt added
* sys/linux/damon.txt: type fix of pid to fmt
* dashboard/config/linux/bits/subsystems.yml: damon configs added for Syzbot
* dashboard/config/linux: generated kernel configs with added damon config
* sys/linux/damon.txt: fmt type fix
* sys/linux/damon.txt: read and close syscalls removed
write and read mk_contexts summarized into one syscall
some refining of syscall interfaces
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make configs triggers the following race.
Always initialize the main target before initializing the alternative target,
otherwise they both read/modify CFlags.
==================
WARNING: DATA RACE
Write at 0x00c00027b700 by goroutine 102:
github.com/google/syzkaller/sys/targets.(*Target).setCompiler()
sys/targets/targets.go:749 +0x7c9
github.com/google/syzkaller/sys/targets.GetEx.func1()
sys/targets/targets.go:158 +0xb9
sync.(*Once).doSlow()
/usr/local/go/src/sync/once.go:68 +0x127
sync.(*Once).Do()
/usr/local/go/src/sync/once.go:59 +0x46
github.com/google/syzkaller/sys/targets.GetEx()
sys/targets/targets.go:155 +0x184
main.(*Context).setTarget()
tools/syz-kconf/kconf.go:360 +0x244
main.(*Context).generate()
tools/syz-kconf/kconf.go:171 +0x17e
main.main.func1()
tools/syz-kconf/kconf.go:97 +0x4e
Previous read at 0x00c00027b700 by goroutine 97:
runtime.slicecopy()
/usr/local/go/src/runtime/slice.go:284 +0x0
github.com/google/syzkaller/sys/targets.(*Target).lazyInit()
sys/targets/targets.go:796 +0x464
github.com/google/syzkaller/sys/targets.(*Target).lazyInit-fm()
sys/targets/targets.go:782 +0x39
sync.(*Once).doSlow()
/usr/local/go/src/sync/once.go:68 +0x127
sync.(*Once).Do()
/usr/local/go/src/sync/once.go:59 +0x46
github.com/google/syzkaller/sys/targets.GetEx()
sys/targets/targets.go:152 +0x127
main.(*Context).setTarget()
tools/syz-kconf/kconf.go:360 +0x244
main.(*Context).generate()
tools/syz-kconf/kconf.go:171 +0x17e
main.main.func1()
tools/syz-kconf/kconf.go:97 +0x4e
Goroutine 102 (running) created at:
main.main()
tools/syz-kconf/kconf.go:96 +0x1184
Goroutine 97 (running) created at:
main.main()
tools/syz-kconf/kconf.go:96 +0x1184
==================
|
| |
|
|
|
|
| |
Add description of the new syscall futex_waitv.
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
|
| |
|
|
|
| |
* sys/freebsd: add definitions for filemon(4)
* pkg/build: load filemon.ko on FreeBSD
|
| | |
|
