aboutsummaryrefslogtreecommitdiffstats
path: root/tools
Commit message (Collapse)AuthorAgeFilesLines
* prog2c: use 1 prog by defaultAndrey Konovalov2017-06-121-1/+1
|
* csourse: don't generate debug printfsAndrey Konovalov2017-06-121-0/+2
|
* csource: try to simplify repeat loopAndrey Konovalov2017-06-121-0/+2
|
* csource: use sandbox only when requiredAndrey Konovalov2017-06-121-1/+1
|
* csource: only handle SIGSEGV when necessaryAndrey Konovalov2017-06-121-21/+23
|
* csource: use tmp dir only when necessaryAndrey Konovalov2017-06-121-0/+2
|
* csource: add EnableTun optionAndrey Konovalov2017-06-121-0/+2
|
* tools: repro: fix vm count calculationAndrey Konovalov2017-06-121-1/+1
|
* tools: repro: fix vm count calculationAndrey Konovalov2017-06-071-1/+1
|
* vm: overhaulDmitry Vyukov2017-06-032-33/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | VM infrastructure currently has several problems: - Config struct is complete mess with a superset of params for all VM types - verification of Config is mess spread across several places - there is no place where VM code could do global initialization like creating GCE connection, uploading GCE image to GCS, matching adb devices with consoles, etc - it hard to add private VM implementations such impl would need to add code to config package which would lead to constant merge conflicts - interface for VM implementation is mixed with interface for VM users this does not allow to provide best interface for both of them - there is no way to add common code for all VM implementations This change solves these problems by: - splitting VM interface for users (vm package) and VM interface for VM implementations (vmimpl pacakge), this in turn allows to add common code - adding Pool concept that allows to do global initialization and config checking at the right time - decoupling manager config from VM-specific config each VM type now defines own config Note: manager configs need to be changed after this change: VM-specific parts are moved to own "vm" subobject. Note: this change also drops "local" VM type. Its story was long unclear and there is now syz-stress which solves the same problem.
* pkg/db: move from dbDmitry Vyukov2017-06-032-2/+2
|
* pkg/log: move from logDmitry Vyukov2017-06-034-4/+4
|
* pkg/hash: move from hashDmitry Vyukov2017-06-031-1/+1
|
* tools: more reliable network config in create-gce-image.shDmitry Vyukov2017-06-031-1/+1
| | | | | | Currently we append to /etc/network/interfaces, which can lead to duplicate lo entry. Write out the whole interfaces file instead.
* tools: sync create-image.sh and create-gce-image.shDmitry Vyukov2017-06-031-0/+3
| | | | Move few additional settings from create-gce-image.sh to create-image.sh.
* config: split and refactorDmitry Vyukov2017-06-012-2/+2
| | | | | | | | | Introduce generic config.Load function that can be reused across multiple programs (syz-manager, syz-gce, etc). Move the generic config functionality to pkg/config package. The idea is to move all helper (non-main) packages to pkg/ dir, because we have more and more of them and they pollute the top dir. Move the syz-manager config parts into syz-manager/config package.
* all: cleanup executor/ipc status checkingMichael Pratt2017-05-301-6/+2
| | | | | | | | | | This is mostly a cleanup change with little functional change. In ipc.command.exec, remove the status fallback from the pipe to the exit status. Once the executor is serving, it always writes the status over the pipe; anything else is an error. Remove the panic check in syz-stress, which is no longer needed.
* csource: reproduce crashes with fault injectionDmitry Vyukov2017-05-261-12/+17
|
* all: add fault injection capabilityDmitry Vyukov2017-05-262-7/+19
| | | | | | | Systematically inject faults during smashing. Requires kernel patch: "fault-inject: support systematic fault injection" (currently in linux-next).
* sys, executor: extract tcp sequence numbers from /dev/net/tunAndrey Konovalov2017-05-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new pseudo syscall syz_extract_tcp_res, that reads a packet from /dev/net/tun and extracts tcp sequence numbers to be used in subsequent packets. As a result this syzkaller program: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10) listen(r0, 0x5) syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}) syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}}) r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10) established a TCP connection: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 5477/a.out tcp 2 0 172.20.0.170:20000 172.20.0.187:20001 ESTABLISHED 5477/a.out Similar program for IPv6: mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c) listen(r0, 0x5) syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0) syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}}) r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 :::20001 :::* LISTEN 5527/a.out tcp6 0 0 fe80::aa:20001 fe80::bb:20000 ESTABLISHED 5527/a.out
* manager: save and reuse allSymbols, vmOffsetbaishuai2017-05-252-2/+2
|
* syz-symbolize: symbolize all console outputDmitry Vyukov2017-05-231-2/+2
| | | | | | | Currently syz-symbolize uses report.Parse function that extracts crash messages from console output. Symbolize all console output instead. E.g. there can be something on the console that is not crash.
* ipc: add an optional 'abort' signalMichael Pratt2017-05-192-8/+8
| | | | | | | | | | | | | If an external sandbox process wraps the executor, it may be helpful to send a signal other than SIGKILL to the sandbox when the program times out or fails to respond. This gives the sandbox the opportunity to emit additional debugging information before exiting. Add an 'abort' signal to ipc, which is sent to the executor before SIGKILL. If the executor fails to exit within 5s, the signal is upgraded to SIGKILL. The default abort signal remains SIGKILL, maintaining existing behavior.
* Add sudo for mkfs.ext4Oscar Salvador2017-03-301-1/+1
|
* vm: add Odroid supportAndrey Konovalov2017-03-101-0/+1
| | | | | | | | | | | This commit adds Odroid C2 support to syzkaller. It's now possible to specify "type": "odroid" in manager config. Documentation on how to setup fuzzing with Odroid C2 board is here: https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2 Note, that after this change libusb-1.0-0-dev package should be installed to build syzkaller.
* tools/syz-dashtool: allow uploading all crashes for a single bugDmitry Vyukov2017-03-051-9/+33
|
* syz-dash: assorted improvmentsDmitry Vyukov2017-02-241-7/+55
|
* syz-dash: first version of dashboard appDmitry Vyukov2017-02-171-0/+121
| | | | | syz-dash is an appengine app that aggregates crashes from multiple managers. Very early version, still flashing out required functionality.
* prog, sys: add icmp descriptions and checksumAndrey Konovalov2017-02-062-0/+2
|
* execprog: enable tun when syz_emit_ethernet is usedAndrey Konovalov2017-01-311-0/+10
|
* all: implement edge coverageDmitry Vyukov2017-01-272-8/+11
| | | | | | | | | | | Currently syzkaller uses per-call basic block (BB) coverage. This change implements edge (not-per-call) coverage. Edge coverage is more detailed than BB coverage as it captures not-taken branches, looping, etc. So it provides better feedback signal. This coverage is now called "signal" throughout the code. BB code coverage is also collected as it is required for visualisation. Not doing per-call coverage reduces corpus ~6-7x (from ~35K to ~5K), this has profound effect on fuzzing efficiency.
* syz-prog2c: fix a typo in error messageDmitry Vyukov2017-01-251-1/+1
|
* tools/create-image.sh: add psmisc package for killallDmitry Vyukov2017-01-242-1/+3
| | | | + raise console output level, otherwise stack traces may be dropped
* tools/kcovtrace: add KCOV-based tracing utilityDmitry Vyukov2017-01-201-0/+62
| | | | | | | kcovtrace is like strace but show kernel coverage collected with KCOV. It is very simplistic at this point and does not support multithreaded processes, etc. It can be used to understand, for example, exact location where kernel bails out with an error for a particular syscall.
* tools/syz-benchcmp: add utility for visualization of syz-manager ↵Dmitry Vyukov2017-01-201-0/+247
| | | | benchmarking results
* tools/syz-stress: switch to the new corpus database formatDmitry Vyukov2017-01-171-17/+6
|
* tools/syz-db: add new utilityDmitry Vyukov2017-01-161-0/+94
| | | | The utility allows to pack/unpack corpus database to/from seprate files.
* tools/create-image.sh: simplify scriptDmitry Vyukov2017-01-161-5/+1
| | | | Checkout necessary packages during debootstrap instead of a separate step.
* syz-gce: support continous buildDmitry Vyukov2017-01-161-5/+5
| | | | | Add "local" mode in which syz-gce clones, builds and monitors for updates a linux kernel repo.
* vm/qemu: add some kvm-related kernel cmd line flagsDmitry Vyukov2017-01-091-1/+1
| | | | | In particular it is useful to enable nested. Enable a bunch of others as well.
* syz-stress: add flag that controls generation of new programsDmitry Vyukov2017-01-091-1/+5
|
* vm/qemu: enable more kvm features in test kernelDmitry Vyukov2017-01-091-1/+1
|
* manager: add ability to ignore bugsDmitry Vyukov2016-12-194-5/+5
| | | | | | Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted.
* tools/syz-symbolize: add report symbolizer utilityDmitry Vyukov2016-12-161-0/+41
|
* tools/create-image.sh: install sudo into the imageDmitry Vyukov2016-12-071-1/+1
|
* tools/create-image.sh: use net.core.bpf_jit_enable = 1Dmitry Vyukov2016-12-072-2/+2
| | | | | bpf_jit_enable = 2 causes printing of all programs to console. Produces lots of output and is not very useful. Disable it.
* tools: enable bpg jit in create-image.shDmitry Vyukov2016-11-281-1/+3
| | | | JIT should be more interesting to fuzz.
* tools: fix getty configuration in create-gce-image.shDmitry Vyukov2016-11-281-1/+1
|
* tools: fix getty configuration in create-image.shAlexander Popov2016-11-281-1/+1
| | | | | | | | | | | create-image.sh adds the string "V0:23:respawn:/sbin/getty 115200 hvc0" to inittab of a virtual machine, but a fresh debian-wheezy doesn't have a hvc0 device. So getty fails to start and respawns over and over again: INIT: Id "V0" respawning too fast: disabled for 5 minutes Let's fix create-image.sh to have a working VM terminal. Signed-off-by: Alexander Popov <alex.popov@linux.com>
* sys: add proc type to denote per proccess integersAndrey Konovalov2016-11-252-2/+2
|
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-04-11 07:35:38 +0000