| Commit message | Author | Age | Files | Lines |
|
Add calls to Close() from all locations that call Create().
|
When we accept new kernels for fuzzing we need more extensive testing,
but syz-ci switched to using syz-manager for this purpose.
Now instance testing is used only for bisection and patch testing,
which does not need such extensive image testing (it may even harm).
So just run a simple program as a test.
It also uses the same features as the target reproducer,
so e.g. if the reproducer does not use wifi, we won't test it,
which reduces chances of unrelated kernel bugs.
|
We don't really need to overwrite it.
For syz programs, don't ignore non-zero exit codes. This should enable
syzkaller to find reproducers for "lost connection" bugs.
|
All callers of Run always call MonitorExecution right after it.
Combine these 2 methods. This allows us to hide some implementation
details and simplify users of the vm package.
|
If `strace_bin` is specified, syzkaller will invoke a reproducer with it
and save the output. This should help in debugging.
If syz-manager is attached to a dashboard, upload the strace-powered output
and report.
|
Also update syz-crush to save RawOutput instead of output from the
Report.
|
Previously it was copypasted in pkg/instance, pkg/repro,
tools/syz-crash. Use the single implementation instead.
Also, this commit fixes a bug - the previous code always set collide to
true while reproducing a bug, which led to an immediate syz-execprog's
exit. As a result, newer bugs with .syz repro only were never actually
reproduced on #syz test requests.
|
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case as adding
extra parameters to the post-processing forces the developer to adjust all
implementations that may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
|
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
Currently syz-crush saves the results in the syzkaller workdir.
That brings a side effect: if you test two different reproducers giving
crashes with the same title, syz-crush saves all your results in
a single crash directory.
Let's make it more flexible. Save syz-crush results in the directory
containing the tested reproducer:
- we have the original workflow, if all tested reproducers reside
  in the syzkaller workdir;
- we can get the results separately, if all tested reproducers reside
  in separate directories.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
|
Currently syz-crush saves the results in the syzkaller workdir.
If you run this tool multiple times, you may lose the connection
between your reproducers and the crash reports saved in workdir.
Let's improve storeCrash():
1. print the sequence number of the saved crash,
2. report about the errors during crash saving,
3. copy the reproducer to the workdir as well.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
|
Everything in syzkaller is syz-something, it's pointless to add syz prefix
to everything and unnecessarily increases clutter. Remove the prefix.
Also, rename ExecutorCmd in target to ExecutorBin to make it consistent
with mgrconfig and ExecprogBin/FuzzerBin.
|
These are widely used with the config as the refactoring shows.
This removes a bunch of unnecessary code.
Also fixes a number of bugs where we confused Arch with VMArch.
|
Signed-off-by: Jukka Kaartinen <jukka.kaartinen@unikie.com>
|
We always use verbosity 0, there is no point in using
our custom package. Switch to the standard one instead.
|
As discussed in #1798.
|
usage:
syz-crush -config=config.json creprog.c
Produced output is same as syz-manager produces.
New directory called reproduced_with is added that lists all the
reproducers that triggered the crash.
Example:
~/workdir/crashes $ tree
.
├── 2a8fff76c6267ecfeaf3530a602ed48afbc4a151
│   ├── description
│   ├── log0
│   ├── log1
│   ├── log2
│   ├── report0
│   ├── report1
│   ├── report2
│   └── reproduced_with
│       └── 17a6ed226769660f3e5dad7b22b13466b938e290.c
├── 2b6b921457afe8cebd0a96ca40f8569e6ee95174
│   ├── description
│   ├── log0
│   ├── log1
│   ├── log2
│   ├── log3
│   ├── log4
│   ├── log5
│   ├── report0
│   ├── report1
│   ├── report2
│   ├── report3
│   ├── report4
│   ├── report5
│   └── reproduced_with
│       ├── 9fb2f5b37bf4428382334e336bbbb201634c7c4c.c
│       └── ab27002b46d19cafb1ebb8b040f0a3b0f8f88974.c
Signed-off-by: Jukka Kaartinen <jukka.kaartinen@unikie.com>
|
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.
Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.
All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.
|
Currently we only support canExit flag.
However there are actually 3 separate conditions:
- program can exit normally
- program can timeout (e.g. fuzzer test or runtest can't)
- program can exit with error (e.g. C test can)
Allow specifying these 3 conditions separately.
|
mgrconfig was used only by syz-manager initially,
but now it's used by a dozen of packages and it's
weird to import from under a binary dir.
pkg/ is much more reasonable dir for a widely used
helper package.
|
Only akaros needs OS, because the rest assume host OS.
But specifying OS for all OSes breaks patch testing on syzbot
because old execprog does not have os flag.
|
Currently all (linux-specific) suppressions are hardcoded in mgrconfig.
This is very wrong. Move them to pkg/report and allow to specify per OS.
Add gvisor-specific suppressions.
This required a bit of refactoring. Introduce mgrconfig.KernelObj finally.
Make report.NewReporter and vm.Create accept mgrconfig directly
instead of passing it as multiple scattered args.
Remove tools/syz-parse and it always did the same as tools/syz-symbolize.
Simplify global vars in syz-manager/cover.go.
Create reporter eagerly in manager. Use sort.Slice more.
Overall -90 lines removed.
|
For the case when VM type affects output.
Will be needed for gvisor. It is kinda linux, but kinda not.
|
It may need it later to try to obtain additional
diagnostic from hanged instances.
|
Currently host feature detection/setup code is spread
across platform-independent fuzzer code, pkg/host, pkg/ipc
and executor.
Move this all into pkg/host and show readable info
about features on manager start.
Fixes #46
|
Underscores are against Go coding style.
Update #538
|
Fix typos, non-canonical code, remove dead code, etc.
|
Whole raw output is indivisible part of Report,
currently we always pass Output separately along with Report.
Make Output a Report field.
Then, put whole Report into manager Crash and repro context and Result.
There is little point in passing Report as a bunch of separate fields.
|
This allows callers to get access to Report.Corrupted.
Better than adding 6-th return value and will allow
to pipe other report properties if necessary.
|
We currently have several names for crash attributes, which is disturbing.
E.g. crash title is called "Title" or "Desc". Name them consistently.
Title - single line bug identity.
Report - whole crash text.
Log - whole fuzzer/kernel output.
|
Always wait 10 secs for output.
If anything this can only lead to missed crashes during repro.
Let's unify manager and repro behavior.
|
Introduce report.Reporter interface.
Add an implementation per-OS.
Make users be explicit about OS they are testing.
|
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.
|
Add target config parameter (e.g. linux/amd64) which controls target OS/arch.
No more explicit assumptions about target.
|
Sshkey is a property of image, which is in manager config.
Move sshkey to the same location as image.
The motivation for the move is as follows.
Continuous build produces an image and the key,
both need to be passed to manager instance.
Continuous build system should not distinguish
different VM types and mess with their configs.
NOTE FOR USERS: this breaks manager configs again.
Hopefully the last time for now. Docs are updated.
|
Allow loading manager config from memory.
Follow pkg/config naming convention,
i.e. LoadFile/LoadData instead of Parse.
|
We have 2 packages with the same name: pkg/config and syz-manager/config.
This leads to constant clashes. We either rename one to pkgconfig or
another to mgrconfig. This is not good and will become worse when/if
we have another program-specific config in a separate package.
Rename manager config to mgrconfig.
Other program-specific configs can use the same convention
in future -- fooconfig.
|
VM infrastructure currently has several problems:
- Config struct is complete mess with a superset of params for all VM types
- verification of Config is mess spread across several places
- there is no place where VM code could do global initialization
  like creating GCE connection, uploading GCE image to GCS,
  matching adb devices with consoles, etc
- it is hard to add private VM implementations
  such impl would need to add code to config package
  which would lead to constant merge conflicts
- interface for VM implementation is mixed with interface for VM users
  this does not allow to provide best interface for both of them
- there is no way to add common code for all VM implementations
This change solves these problems by:
- splitting VM interface for users (vm package) and VM interface
  for VM implementations (vmimpl package), this in turn allows
  to add common code
- adding Pool concept that allows to do global initialization
  and config checking at the right time
- decoupling manager config from VM-specific config
  each VM type now defines own config
Note: manager configs need to be changed after this change:
VM-specific parts are moved to own "vm" subobject.
Note: this change also drops "local" VM type.
Its story was long unclear and there is now syz-stress which solves the same problem.
|
Introduce generic config.Load function that can be
reused across multiple programs (syz-manager, syz-gce, etc).
Move the generic config functionality to pkg/config package.
The idea is to move all helper (non-main) packages to pkg/ dir,
because we have more and more of them and they pollute the top dir.
Move the syz-manager config parts into syz-manager/config package.
|
Add new config parameter "ignores" which contains list of regexp expressions.
If one of the expressions is matched against oops line,
crash report is not saved and VM is not restarted.
|
With this change manager will run reproduction on crashes
until reproducer is discovered, but at most 3 times.
If reproducer is discovered it is saved with crashes and shown on the web UI.
|
This is required for crash reproduction in manager.
|
syz-crush replays crash log on multiple VMs. Usage:
syz-crush -config=config.file execution.log
Intended for reproduction of particularly elusive crashes.
|