| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
This change is necessary as it allows us to access the reports printed by syz-executor, such as KMEMLEAK reports.
Fixes google#4728.
|
| |
|
|
|
| |
Accept context as a function argument.
Split out the code that creates a syz-executor process instance.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We query globs for 2 reasons:
1. Expand glob types in syscall descriptions.
2. Dynamic file probing for automatic descriptions generation.
In both of these contexts are are interested in files
that will be present during test program execution
(rather than normal unsandboxed execution).
For example, some files may not be accessible to test programs
after pivot root. On the other hand, we create and link
some additional files for the test program that don't
normally exist.
Add a new request type for querying of globs that are
executed in the test program context.
|
| | |
|
| |
|
|
|
|
| |
This makes it possible to skip certain machine
checks depending on the VM type, as syz-manager
already does.
|
| |
|
|
|
|
| |
written descriptions or both
Add "Auto" type and allow to choose descriptions mode in configurations. Defaults to using manual only.
|
| |
|
|
|
|
|
|
|
| |
We are getting too many generated candidates, the fuzzer may not keep up
with them at all (hints jobs keep growing infinitely). If a hint indeed came
from the input w/o transformation, then we should guess it on the first
attempt (or at least after few attempts). If it did not come from the input,
or came with a non-trivial transformation, then any number of attempts won't
help. So limit the total number of attempts (until the next restart).
|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| |
|
|
|
|
|
| |
Before running actual programs we run few programs generated by pkg/vminfo
to test features present on the machine. If executor is broken and crashes,
it's likely to crash on these first vminfo programs. So it's useful
to set debug mode for these as well to see executor output.
|
| |
|
|
| |
ProgInfo.Extra may be nil if no extra coverage present.
|
| |
|
|
|
|
| |
Now that PCs are 64-bit we don't need RestorePC callback.
Now we can just use PreviousInstructionPC, which does not require
creation of ReportGenerator.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Taken some arm64 devices for example:
kaslr_offset is diff at bits 12-40, and kernel modules are loaded at 2GB space,
so we have `ffffffd342e10000 T _stext` where uppper 32bit is ffffffd3. However,
if we check modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32bits are diff for core kernel and modules.
If we use current 32bits for covered PC, we will get wrong module address
recovered.
So we need to move to 64bit cover and signal:
- change cover/sig to 64bit to fit for syz-executor change
- remove kernel upper base logic as kernel upper base is not a constant when
kaslr enabled for core kernel and modules.
- remove unused pcBase
|
| |
|
|
| |
Switch to flatrpc.ExecOpts.
|
| |
|
|
|
|
| |
Switch to flatrpc.ProgInfo.
Note: this disables syz-runtest and syz-verifier.
|
| |
|
|
|
|
| |
Flatrpc flags are passed in RPC execution requests,
so to avoid conversions and duplicate set of flags
use flatrpc flags in pkg/ipc directly.
|
| |
|
|
| |
There's no need in duplicating the signal, coverage, hints flags.
|
| |
|
|
| |
There's no need to duplicate the execution mechanisms.
|
| |
|
|
|
|
| |
Use the same interfaces as the fuzzer.
Now syz-manager no longer needs to treat machine check executions
differently.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Feature checking procedure is split into 2 phases:
1. syz-fuzzer invokes "syz-executor setup feature" for each feature one-by-one,
and checks if executor does not fail.
Executor can also return a special "this feature does not need custom setup",
this allows to not call setup of these features in each new VM.
2. pkg/vminfo runs a simple program with ipc.ExecOpts specific for a concrete feature,
e.g. for wifi injection it will try to run a program with wifi feature enabled,
if setup of the feature fails, executor should also exit with an error.
For coverage features we also additionally check that we actually got coverage.
Then pkg/vminfo combines results of these 2 checks into final result.
syz-execprog now also uses vminfo package and mimics the same checking procedure.
Update #1541
|
| |
|
|
|
|
|
| |
Start switching from host.Features to flatrpc.Features.
This change is supposed to be a no-op,
just to reduce future diffs that will change
how we obtain features.
|
| |
|
|
|
|
|
|
| |
Move syz-stress logic into syz-execprog.
It's already doing most of what syz-stress could do,
it even can load a corpus since recently.
There are few remaining bits that are missing
in execprog, so add them to execprog.
|
| |
|
|
| |
Currently it's duplicated 4 times, dedup it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pass EnvFlags into Exec instead of New.
This allows to change EnvFlags between executions.
Change of EnvFlags forces executor process restart
since it uses EnvFlags during setup.
Currently this is intended to be NFC since we always
pass the same EnvFlags.
In future this will allow to (1) reduce part of the
VM checking procedure to execution of programs with
different options (e.g. we can probe for coverage/comparisons
support, probe different sandboxes, etc);
(2) use it during fuzzing/reproduction, e.g. we can check
if the crash reproduces under setuid sandbox, or execute some
fuzzing programs in significantly different modes.
|
| |
|
|
|
|
|
| |
Does not require passing text program to ipc.Env.Exec.
Make it possible to provide just the exec encoding.
This requires moving fallback coverage to the host
since it need the program.
|
| |
|
|
|
|
|
|
|
|
|
| |
There is non-0 rate of transient executor errors.
Currently we do full GC, free OS memory and sleep for a second after then.
This was more meaningful when the fuzzer was in the VM as the fuzzer process
consumed lots of memory. Now it consumes only ~20MB, any OOMs are likely
not due to the fuzzer process.
So instead sleep briefly and only after several retries
(I would assume most errors are fixed after 1 retry).
|
| |
|
|
|
| |
The call may potentially generate a very large number of possible
mutations. Add a way to abort the process.
|
| |
|
|
| |
It will help syzkaller find reproducers for these kinds of problems.
|
| |
|
|
|
|
|
|
| |
Make two improvements to addresses obtained from kcov:
- call backend.PreviousInstructionPC() so that they point to the
__sanitizer_cov_trace_pc calls;
- read the top 32 bits of the kernel addresses from /proc/kallsyms
instead of using the hardcoded 0xffffffff value
|
| |
|
|
|
|
|
|
|
| |
When coverfile option is used with multiple program inputs (e.g., with
a corpus input), syz-execprog overwrites the output coverage files with
each program run.
Create coverage file per program run instead, which would let save
the coverage information for all inputs.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Syzbot tests patches with -collide=true in order to trigger more bugs,
but now that -collide flag is deprecated, this no longer makes sense.
Moreover, it actually prevents the testing of bugs with syz repro now -
syz-execprog immediately exits due to -collide=true and env.Test()
accepts it as a normal outcome.
Set -collide=true only for those bugs, where collide was set to true by
the reproducer (and therefore syzkaller at that revision supported it).
Don't exit from syz-execprog immediately if -collide is set to true.
This will prevent such bugs from happening later and make the problem
more visible.
This was initially part of #3083, but seems to be more urgent to merge,
so pushing it as a separate PR.
|
| |
|
|
|
|
|
|
|
|
|
| |
It was too radical to repair and overwrite db file unconditionally.
syz-execprog probes if a given file is a database. Usually it's a crash log
or a single program, but db.Open started to overwrite it.
And an explicit repair flag in db.Open and enable it only in
syz-manager and syz-hub.
Fixes #2997
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that the current Linux implementation of KCOV does not
properly handle multiple mmap invocations on the same instance. The
first one succeedes, but the subsequent ones do not actually mmap
anything, yet returning no error at all.
The ability to mmap that memory multiple times allows us to increase
syz-executor performance and it would be a pity to completely lose it
(especially given that mmapping kcov works fine on *BSD).
In some time a patch will be prepared, but still we will have to support
both versions at the same time - the buggy one and the correct one.
Detect whether the bug is present by writing a value at the pointer
returned by mmap. If it is present, disable dynamic kcov mmapping and
pre-mmap 5 instances in the main() function - it should be enough for
all reasonable uses. Otherwise, pre-mmap 3 and let syz-executor mmap
them as needed.
|
| |
|
|
|
| |
This looks like a reasonable default.
If a user wants specifically 1 proc, it can be done with -procs=1.
|
| |
|
|
| |
Allows to execute each program from corpus.db once as a regression test.
|
| |
|
|
|
|
| |
We used to store prog.LogEntry's because they contained info about
fault injection, but now it's contained right in programs
so it's unnecessary to store prog.LogEntry's.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
|
| |
syz-fuzzer fails only after 10-th executor error.
Do the same in syz-execprog, this is important for repro process.
Otherwise repro fails on transient failures.
|
| |
|
|
|
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For som reason {0} gets complains about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr will 0xaa
* executor/common_linux.h: just fill bd addr will 0xaa
|
| |
|
|
| |
To reduce diff in future changes. Currently no-op.
|
| |
|
|
|
| |
Rename some features in preparation for subsequent changes
which will align names across the code base.
|
| |
|
|
|
|
|
|
| |
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
|
| |
|
|
|
|
|
|
| |
Instead of always closing open fds (number 3 to 30) after each program,
add an options called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
|
