any is preferred over interface{} now in Go.

When in VMLess mode, reproLoop is not initialized, but we try to dereference it anyway. Check if reproLoop is nil
before trying to access it.
Fixes #6420

Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.
Signed-off-by: Ethan Graham <ethangraham@google.com>

Add logic for dynamic KFuzzTest target discovery in syz-manager. By
default, all KFuzzTest targets are enabled when the enable_kfuzztest
config option is set to true.

Send only the first report to dashboard.
|
| | |
|
| |
|
|
|
| |
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.

./tools/syz-env bin/golangci-lint run ./... --fix
|
| | |
|
| |
|
|
|
| |
Move C repro generation from syz-manager to pkg/repro to avoid code
duplication.

It allows using the context as a single termination signal source.

These are perfectly normal since we are stopping all the functionality.

If the context is cancelled, we need to make sure that the reproduction
process is aborted as well.

Check coverage early.
Otherwise we do the machine check w/o coverage, but then it's enabled
by the ifaceprobe package for all programs anyway.

When running in debug mode, mgr.vmPool.Count()-mgr.cfg.FuzzingVMs
can become negative even for a valid config since we reduce the
number of VMs to 1.
NewReproLoop panics when the VM count argument is negative
since it passes it to make chan.
Cap the number of repro VMs at 0.

Check for the existence of fsck binaries and report their absence only
once.

Whenever the status is set, also include the reason. It should help
debug execution and machine check time problems more easily.

Apply necessary changes to pkg/flatrpc and pkg/manager as well.

This enables graceful error handling in the caller code.

It enables stopping the server.
Also, replace some log.Fatalf calls by returning errors.

We currently read an fs image twice from an io.Reader, once to upload it
to the dashboard and once to write it to disk for fsck. The first
io.Reader read exhausts the stream and therefore leaves an empty image
to write to disk. All fsck commands fail with
fsck.ext4 -n exited with status code 8
e2fsck 1.47.0 (5-Feb-2023)
fsck.ext4: Attempt to read block from filesystem resulted in short
read while trying to open /tmp/1234.img
Could this be a zero-length partition?
This basically duplicates the io.Reader using a Tee. I considered
refactoring the asset upload and fsck APIs to use a buffer instead of a
reader, but this leads to a rather far-reaching refactoring. Duplicating
streams here seemed to be a more self-contained change.

We don't really need an HTTP server when running syz-manager during kernel
image testing and when running syz-diff automatically.
Don't require the config to be set and don't start the HTTP server in
this case.

We query globs for 2 reasons:
1. Expand glob types in syscall descriptions.
2. Dynamic file probing for automatic descriptions generation.
In both of these contexts we are interested in files
that will be present during test program execution
(rather than normal unsandboxed execution).
For example, some files may not be accessible to test programs
after pivot root. On the other hand, we create and link
some additional files for the test program that don't
normally exist.
Add a new request type for querying globs that are
executed in the test program context.

Syscall attributes are extended with a fsck command field which lets
file system mount definitions specify a fsck-like command to run. This
is required because all file systems have a custom fsck command
invocation style.
When uploading a compressed image asset to the dashboard, syz-manager
also runs the fsck command and logs its output over the dashapi.
The dashboard logs these fsck logs into the database.
This has been requested by fs maintainer Ted Tso who would like to
quickly understand whether a filesystem is corrupted or not before
looking at a reproducer in more detail. Ultimately, this could be used
as an early triage sign to determine whether a bug is obviously
critical.

Package ifaceprobe implements the dynamic component of automatic kernel interface extraction.
Currently it discovers all /{dev,sys,proc} files, and collects coverage for open/read/write/mmap/ioctl
syscalls on these files. Later this allows building a file path <-> file_operations mapping.
I've tried 2 other approaches:
1. Immediately map file to file_operations callbacks similar to tools/fops_probe,
and export only that. This required lots of hardcoding of kernel function/file
names, did not work well in all cases, and presumably would produce more
maintenance in future.
2. Automatically infer what kernel functions are common, and which correspond
to file_operations callbacks by first collecting coverage for all files/programs,
and then counting how many times each PC is encountered in combined coverage.
Presumably common functions (SYS_read, vfs_read) will be present in most/all traces,
while the actual file_operations callback will be present in only one/few traces.
This also did not work well and produced lots of bugs where common functions
were somehow called in few programs, or common file_operations callbacks were
called in too many traces.

Few assorted changes to reduce future diffs:
- add rpcserver.RemoteConfig similar to LocalConfig
(there are too many parameters)
- add CheckGlobs for requesting additional globs from VMs
- pass whole InfoRequest to the MachineChecked callback
so that it's possible to read globs information
- add per-mode config checking in the manager
- add Manager.saveJson helper

Makes modes more scalable and easier to add.
Currently the name, description, and logic for each mode
is spread across the code.
Make most things related to a mode described in the mode
description, but also possible to check for a concrete
mode in the code if necessary.

Refactor pkg/repro to accept a context.Context object. This will make it
look more similar to other package interfaces and will eventually let us
abort currently running repro jobs without having to shut down the whole
application.
Simplify the code by factoring out the parameters common both to RunSyzRepro()
and RunCRepro().

The pause function is useful to make the manager stop consuming CPU
for some time, e.g. when it runs on a shared machine,
and a user wants to use the CPU for something else.
Previously one would need to kill the manager process and
restart it later to achieve this, but the restart is costly,
and aborts all bug reproductions.

Pools and ReproLoop are always created on start,
so there is no need to support lazy set for them.
It only complicates code and makes it harder to reason about.
Also introduce vm.Dispatcher as an alias for dispatcher.Pool,
as it's the only specialization we use in the project.

Set Corpus in HTTPServer dynamically.
Refactor syz-manager and syz-diff accordingly.

In some cases, one might want to tolerate non-perfect filters.

Switch from the CoverageFilter to the more flexible mechanism of focus
areas.

There was a bug in syz-manager because of that. Fix it by introducing a
new method in prog.
|
| | |
|
| |
|
|
| |
This will enable its reuse.

It will enable collecting statistics for several simultaneous RPCServer
objects.

There's 0 chance we will ever look at those.
Currently, they only litter the web dashboards of syzbot instances.

It will help us catch broken seeds right in TestParse().

Decouple it from syz-manager.
Remove a lot of no longer necessary mutex calls.

Add calls to Close() from all locations that call Create().

These no longer make any sense since we only send programs after the
corpus triage.

It used to race with Enqueue(), which made it more complicated to write
reproducible tests. Also, there's really no reason to separate
StartReproduction() and Loop().

We used to send corpus updates (added/removed elements) to the hub in each sync.
But that produced too much churn since the hub algorithm is O(N^2) (distributing everything
to everybody), and lots of new inputs are later removed (either we can't reproduce coverage
after restart, or inputs are removed during corpus minimization). So now we don't send new inputs
in each sync; instead we aim at sending the corpus once after initial triage. This solves
the problem with non-reproducible/removed inputs. Typical instance life-time on syzbot is <24h;
for such instances we send the corpus once. If an instance somehow lives for longer, then we
re-connect and re-send once in a while (e.g. a local long-running instance).

If a manager uses fake coverage, don't send its corpus to the hub.
It should be lower quality than a coverage-guided corpus.
However, still send repros and accept new inputs.

It does sometimes happen that the kernel crashes so fast that
syz-manager is not notified that the syz-executor has started running
the faulty input.
In cases when the exact program is known from Comm, let's make sure it's
always present in the log of the last executed programs.