path: root/tools/syz-execprog
Commit message | Author | Age | Files | Lines
...
* tools/syz-execprog: remove dead code | Dongliang Mu | 2019-03-23 | 1 | -6/+0

* execprog: fix executing with fault injection | Andrey Konovalov | 2019-03-05 | 1 | -0/+6

  If the fault injection flags are not provided, but the log contains a fault injection like this:

      2017/08/12 17:16:04 executing program 5 (fault-call:4 fault-nth:5):

  we fail to enable fault injection in ipc.Config. Fix it.

* execprog, stress, prog2c: unify flags to enable additional features | Andrey Konovalov | 2019-03-05 | 1 | -9/+28

  This change makes syz-execprog, syz-prog2c and syz-stress all accept -enable and -disable flags to enable or disable additional features (tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having a separate flag for each of them. The default (without any flags) behavior isn't changed: syz-execprog and syz-stress enable all the features (provided the runtime supports them) and syz-prog2c disables all of them.

* executor: remove ability to detect kernel bugs | Dmitry Vyukov | 2019-01-31 | 1 | -6/+2

  This ability was never used, but we maintain a bunch of code for it. syzkaller also recently learned to spoof this error code with some ptrace magic (probably intercepted control flow again and exploited the executor binary). Drop all of it.

* all: detect extra coverage support | Andrey Konovalov | 2019-01-16 | 1 | -0/+3

  Based on whether the kernel supports the KCOV_REMOTE_ENABLE ioctl.

* all: support extra coverage | Andrey Konovalov | 2019-01-16 | 1 | -12/+18

  Right now syzkaller only supports coverage collected from the threads that execute syscalls. However, some useful things happen in background threads, and it would be nice to collect coverage from those threads as well.

  This change adds extra coverage support to syzkaller. This coverage is not associated with a particular syscall, but rather with the whole program. The executor passes extra coverage over the same ipc mechanism to syz-fuzzer with the syscall number set to -1. syz-fuzzer then passes this coverage to syz-manager with the call name "extra".

  This change requires the following kcov patch: https://github.com/xairy/linux/pull/2

* ipc: fix ProgInfo usage better | Andrey Konovalov | 2018-11-23 | 1 | -4/+4

  Fix a bad fix for ProgInfo usage.

* ipc: fix ProgInfo usage | Andrey Konovalov | 2018-11-22 | 1 | -1/+1

  We used to use len([]CallInfo) to check both whether the slice is nil and whether its length is zero. Since ProgInfo is not a slice, we need a separate check for nil.

* ipc: add ProgInfo struct | Andrey Konovalov | 2018-11-22 | 1 | -7/+7

  This patch adds a new struct ProgInfo that for now holds info about each call in a program ([]CallInfo), but in the future will be expanded with remote coverage info. Update all the callers to use the new interface as well.

* tools/syz-execprog: show host features | Dmitry Vyukov | 2018-10-10 | 1 | -0/+5

  syz-execprog -output is a handy way to check what features host.Check detects.

* tools/syz-execprog: print blocked/unfinished/faulted flags for calls | Dmitry Vyukov | 2018-08-08 | 1 | -51/+78

* pkg/ipc: move flags into subpackage | Dmitry Vyukov | 2018-08-03 | 1 | -1/+2

  Move all ipc flags into the pkg/ipc/ipcconfig package so that importing pkg/ipc does pull in the flags.

* tools/syz-execprog: refactor | Dmitry Vyukov | 2018-07-31 | 1 | -114/+138

  Reduce the cyclomatic complexity of the main function. It's too huge.

  Update #538

* syz-execprog: initialize net devices | Dmitry Vyukov | 2018-07-27 | 1 | -0/+3

* pkg/host: disable for akaros | Dmitry Vyukov | 2018-07-06 | 1 | -2/+2

  akaros can't have its own host version because the fuzzer does not run on akaros, so just disable it all.

* pkg/ipc: create default config based on target | Dmitry Vyukov | 2018-07-05 | 1 | -4/+4

  Pass the actual target to DefaultConfig; that's what we really want, not the stray ipc flag.

* executor, pkg/ipc: support output over pipes | Dmitry Vyukov | 2018-06-29 | 1 | -2/+4

* pkg/host: rework host feature detection/setup | Dmitry Vyukov | 2018-06-12 | 1 | -3/+12

  Currently host feature detection/setup code is spread across platform-independent fuzzer code, pkg/host, pkg/ipc and executor. Move all of this into pkg/host and show readable info about features on manager start.

  Fixes #46

* tools/syz-execprog: restore the previous tun disabling logic | Dmitry Vyukov | 2018-05-18 | 1 | -0/+3

  This probably can break some things. I feel that tun setup can affect other things even if syz_emit_ethernet/syz_extract_tcp_res are not used. So it can make sense to set up tun even if they are not used. But let's be more careful.

* pkg/csource: minimize netdevices and net reset | Dmitry Vyukov | 2018-05-17 | 1 | -3/+0

  Add separate options to minimize netdevices setup and net namespace reset.

  Fixes #581

* tools/syz-execprog: split overly large function | Dmitry Vyukov | 2018-05-07 | 1 | -44/+52

  Update #538

* gometalinter: check dot imports | Dmitry Vyukov | 2018-05-03 | 1 | -16/+16

  Update #538

* tools/syz-execprog: reduce log level of some messages | Dmitry Vyukov | 2018-04-08 | 1 | -7/+10

  Too much output by default.

* tools/syz-execprog: dump coverage in text format | Dmitry Vyukov | 2018-04-05 | 1 | -6/+1

  There is no point in using sancov; it does not do anything other than transform the binary format into a useful text format. Write out the text format directly.

* sys/linux: add support for mounting filesystem images | Dmitry Vyukov | 2018-03-30 | 1 | -0/+5

* all: fix gometalinter warnings | Dmitry Vyukov | 2018-03-08 | 1 | -1/+1

  Fix typos and non-canonical code, remove dead code, etc.

* tools/syz-execprog: fix parsing of multiple logs | Dmitry Vyukov | 2018-01-31 | 1 | -1/+1

* syz-fuzzer: refactor | Dmitry Vyukov | 2017-12-18 | 1 | -2/+1

  syz-fuzzer organically grew from a small, nice main function into a huge single-file monster with tons of global state. Start refactoring it into something more manageable. This change separates 2 things:

  1. Proc: a single fuzzing process (ipc.Env wrapper).
  2. WorkQueue: holds global non-fuzzing work items.

  More work is needed, but this is a good first step.

* pkg/ipc: make threaded/collide per-program options | Dmitry Vyukov | 2017-12-17 | 1 | -5/+2

  Currently threaded/collide are global environment flags. It can be useful to turn off the collider during some executions (minimization, triage, etc.). Make them per-program options.

* tools/syz-execprog: extend hints output | Dmitry Vyukov | 2017-12-08 | 1 | -0/+3

  Print the call number, because one is usually interested in a particular call only.

* execprog: correctly handle fault injections | Andrey Konovalov | 2017-11-07 | 1 | -17/+26

  syz-execprog doesn't utilize info about fault injections from a prog log. Since syz-execprog is used by the repro package to reproduce crashes, crashes caused by fault injections might not reproduce.

* tools/syz-execprog: allow to override target OS | Dmitry Vyukov | 2017-11-06 | 1 | -1/+2

  This is currently useful for akaros, which is tested remotely.

* syz-fuzzer: generates hints only for the call that gave new coverage | Dmitry Vyukov | 2017-10-23 | 1 | -7/+8

  During smashing we know which call gave new coverage, so we can concentrate just on it. This helps to reduce the number of hints generated (we have too many of them).

* tools/syz-execprog: print total number of comps/hints | Dmitry Vyukov | 2017-10-23 | 1 | -2/+18

* all: more assorted fuchsia support | Dmitry Vyukov | 2017-09-22 | 3 | -36/+5

* all: initial support for fuchsia | Dmitry Vyukov | 2017-09-20 | 3 | -12/+33

  Nothing works, but it builds.

  Update #191

* prog: remove default target and all global state | Dmitry Vyukov | 2017-09-15 | 1 | -2/+3

  Now each prog function accepts the desired target explicitly. No global, implicit state is involved. This is much cleaner and allows cross-OS/arch testing, etc.

* syz-fuzzer, syz-execprog: add -arch flag | Dmitry Vyukov | 2017-09-15 | 1 | -1/+2

  The -arch flag specifies the target arch, which can be different from GOARCH. For example, a 386 executor with an amd64 fuzzer.

* syz-manager/mgrconfig: explicitly specify target in config | Dmitry Vyukov | 2017-09-15 | 1 | -0/+5

  Add a target config parameter (e.g. linux/amd64) which controls the target OS/arch. No more explicit assumptions about the target.

* prog, sys: move types to prog | Dmitry Vyukov | 2017-09-05 | 1 | -0/+1

  Large overhaul that moves syscalls and arg types from sys to prog. The sys package now depends on prog and contains only generated descriptions of syscalls. Introduce the prog.Target type that encapsulates all target properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys.

  Update #191

* ipc, prog, fuzzer, execprog: add hints generation code | Victor Chibotaru | 2017-08-30 | 1 | -0/+14

  A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument.

  A simplified version of the hints workflow looks like this:

  1. The fuzzer launches a program and collects all the comparisons' data for every syscall in the program.
  2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values.
  3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value.
  4. If a valid program is obtained, then the fuzzer launches it and checks if new coverage is obtained.

  This commit includes:

  1. All the code related to hints generation, parsing and mutations.
  2. Fuzzer functions to launch the process.
  3. Some new stats gathered by fuzzer and manager, related to hints.
  4. An updated version of execprog to test the hints process.

* all: use consistent file permissions | Dmitry Vyukov | 2017-07-03 | 1 | -1/+2

  Currently we have unix permissions for new files/dirs hardcoded throughout the code base. Some places use 0644, some 0640, some 0600 and a variety of other constants. Introduce osutil.MkdirAll/WriteFile that use the default permissions and use them throughout the code base. This makes permissions consistent and also allows us to easily change the permissions later if we change our minds.

  Also merge pkg/fileutil into pkg/osutil as they became dependent on each other. The line between them was poorly defined anyway as both operate on files.

* pkg/ipc: move from ipc | Dmitry Vyukov | 2017-06-17 | 1 | -1/+1

* pkg/cover: move from cover | Dmitry Vyukov | 2017-06-17 | 1 | -1/+1

* pkg/log: move from log | Dmitry Vyukov | 2017-06-03 | 1 | -1/+1

* all: add fault injection capability | Dmitry Vyukov | 2017-05-26 | 1 | -5/+17

  Systematically inject faults during smashing. Requires the kernel patch "fault-inject: support systematic fault injection" (currently in linux-next).

* sys, executor: extract tcp sequence numbers from /dev/net/tun | Andrey Konovalov | 2017-05-26 | 1 | -1/+1

  This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets.

  As a result this syzkaller program:

      mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
      r0 = socket$inet_tcp(0x2, 0x1, 0x0)
      bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
      listen(r0, 0x5)
      syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
      syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
      syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
      r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)

  established a TCP connection:

      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      5477/a.out
      tcp        2      0 172.20.0.170:20000      172.20.0.187:20001      ESTABLISHED 5477/a.out

  Similar program for IPv6:

      mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
      r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
      bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
      listen(r0, 0x5)
      syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
      syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
      syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
      r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)

      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp6       0      0 :::20001                :::*                    LISTEN      5527/a.out
      tcp6       0      0 fe80::aa:20001          fe80::bb:20000          ESTABLISHED 5527/a.out

* ipc: add an optional 'abort' signal | Michael Pratt | 2017-05-19 | 1 | -6/+6

  If an external sandbox process wraps the executor, it may be helpful to send a signal other than SIGKILL to the sandbox when the program times out or fails to respond. This gives the sandbox the opportunity to emit additional debugging information before exiting.

  Add an 'abort' signal to ipc, which is sent to the executor before SIGKILL. If the executor fails to exit within 5s, the signal is upgraded to SIGKILL.

  The default abort signal remains SIGKILL, maintaining existing behavior.

* execprog: enable tun when syz_emit_ethernet is used | Andrey Konovalov | 2017-01-31 | 1 | -0/+10

* all: implement edge coverage | Dmitry Vyukov | 2017-01-27 | 1 | -7/+10

  Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides a better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces the corpus ~6-7x (from ~35K to ~5K), which has a profound effect on fuzzing efficiency.