path: root/tools
Commit message (Author, Date; Files changed, Lines -removed/+added)
* tools/syz-prog2c: add vmlinux parsing stage for KFuzzTest (Ethan Graham, 2025-09-22; 1 file, -0/+9)
  If vmlinux is specified as a flag, we perform a setup stage where we parse vmlinux for KFuzzTest targets.
  Signed-off-by: Ethan Graham <ethangraham@google.com>
* tools/kfuzztest-gen: add kfuzztest-gen tool (Ethan Graham, 2025-09-22; 1 file, -0/+47)
  Add a tool for generating a syzkaller description for every KFuzzTest target discovered in a vmlinux binary and outputting it to stdout.
  Signed-off-by: Ethan Graham <ethangraham@google.com>
* tools: add check-syzos.sh (Alexander Potapenko, 2025-09-11; 1 file, -0/+122)
  As shown in https://github.com/google/syzkaller/issues/5565, SYZOS code in the `guest` section cannot reference global data, because it is relocated into the guest memory. While the arm64 executor has a dynamic check for data accesses, it is virtually impossible to do the same on x86 without implementing an x86 disassembler. Instead of doing so, introduce a build-time script that will detect instructions referencing global data on a best-effort basis.
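The commit message does not show how check-syzos.sh detects such references, so the following is an added illustration of one best-effort approach, not the script from the syzkaller tree. It scans `objdump -d` style output, assumes the guest section occupies a known address range, and flags any `%rip`-relative operand whose objdump-resolved target (the `# <addr> <sym>` annotation) lies outside that range. The disassembly, the address range and the symbol names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleDisasm is constructed objdump -d style output (not real syzkaller output):
// guest code lives at 0x1000..0x1fff; host_counter at 0x2000 is outside the blob.
const sampleDisasm = `
0000000000001000 <guest_main>:
    1000:  48 8b 05 f9 0f 00 00   mov    0xff9(%rip),%rax        # 2000 <host_counter>
    1007:  48 8d 3d 12 00 00 00   lea    0x12(%rip),%rdi         # 1020 <guest_helper>
    100e:  e8 0d 00 00 00         call   1020 <guest_helper>
    1013:  c3                     ret

0000000000001020 <guest_helper>:
    1020:  c3                     ret

0000000000003000 <host_fn>:
    3000:  48 8b 05 f9 0f 00 00   mov    0xff9(%rip),%rax        # 4000 <host_other>
    3007:  c3                     ret
`

// Finding is one instruction inside the guest range that addresses memory outside it.
type Finding struct {
	Func   string
	Addr   uint64
	Target uint64
	Line   string
}

var (
	funcHeader = regexp.MustCompile(`^([0-9a-f]+) <([^>]+)>:$`)
	insnLine   = regexp.MustCompile(`^\s*([0-9a-f]+):\s`)
	// objdump annotates a resolved %rip-relative operand as "# <hex> <symbol>".
	ripRef = regexp.MustCompile(`\(%rip\).*#\s*([0-9a-f]+)\b`)
)

// ScanGuestCode reports %rip-relative references from functions whose start
// address lies in [guestStart, guestEnd) to targets outside that range.
// Best effort only: absolute addressing and data reached through registers
// are invisible to this check, which is why it is a build-time hint and not a proof.
func ScanGuestCode(disasm string, guestStart, guestEnd uint64) []Finding {
	var findings []Finding
	curFunc, inGuest := "", false
	sc := bufio.NewScanner(strings.NewReader(disasm))
	for sc.Scan() {
		line := sc.Text()
		if m := funcHeader.FindStringSubmatch(line); m != nil {
			addr, _ := strconv.ParseUint(m[1], 16, 64)
			curFunc = m[2]
			inGuest = addr >= guestStart && addr < guestEnd
			continue
		}
		if !inGuest {
			continue
		}
		im := insnLine.FindStringSubmatch(line)
		rm := ripRef.FindStringSubmatch(line)
		if im == nil || rm == nil {
			continue
		}
		addr, _ := strconv.ParseUint(im[1], 16, 64)
		target, _ := strconv.ParseUint(rm[1], 16, 64)
		if target >= guestStart && target < guestEnd {
			continue // stays inside the blob that is relocated as a whole
		}
		findings = append(findings, Finding{curFunc, addr, target, strings.TrimSpace(line)})
	}
	return findings
}

func main() {
	for _, f := range ScanGuestCode(sampleDisasm, 0x1000, 0x2000) {
		fmt.Printf("%s+0x%x references 0x%x outside guest: %s\n", f.Func, f.Addr, f.Target, f.Line)
	}
}
```

Run against the sample it reports only the `mov` in `guest_main`: the `lea` resolves to `guest_helper`, which moves together with the rest of the guest code, and the `call` carries no `%rip` operand annotation at all.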
* tools/syz-imagegen: rework ext4 flags (Aleksandr Nogikh, 2025-08-29; 1 file, -23/+31)
  Transform the hard-coded list of feature combinations into individual groups of features.
* tools/syz-imagegen: rewrite combination generation (Aleksandr Nogikh, 2025-08-29; 3 files, -19/+252)
  Introduce a new Filesystem parameter - the maximum number of resulting seeds. If the total number of flag combinations exceeds this number, switch to generating a covering array (that is, make sure that all flag value pairs are covered, or at least as many of them as possible).
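The policy in the message above (enumerate everything while it fits under the seed cap, otherwise build a pairwise covering array, possibly partial) is shown here as an added example; it is not syz-imagegen's implementation. Flags are modelled as booleans, the greedy construction picks each flag value to cover the most still-uncovered pairs, and the cap is honoured even when that leaves pairs uncovered. Every row of the greedy loop covers at least one new pair, so it always terminates.

```go
package main

import "fmt"

// pairKey identifies the value pair (flag i = vi, flag j = vj) with i < j.
type pairKey struct {
	i, j   int
	vi, vj bool
}

func allPairs(n int) map[pairKey]bool {
	m := map[pairKey]bool{}
	for i := 0; i < n; i++ {
		for j := i + 1; j < n; j++ {
			for _, vi := range []bool{false, true} {
				for _, vj := range []bool{false, true} {
					m[pairKey{i, j, vi, vj}] = true
				}
			}
		}
	}
	return m
}

// enumerate returns all 2^n flag combinations.
func enumerate(n int) [][]bool {
	total := 1 << uint(n)
	rows := make([][]bool, 0, total)
	for bits := 0; bits < total; bits++ {
		row := make([]bool, n)
		for i := range row {
			row[i] = bits&(1<<uint(i)) != 0
		}
		rows = append(rows, row)
	}
	return rows
}

// PairwiseCoveringArray greedily adds rows until every (flag, flag) value pair
// is covered or maxRows is reached; a capped result covers as many as it could.
func PairwiseCoveringArray(n, maxRows int) [][]bool {
	uncovered := allPairs(n)
	var rows [][]bool
	for len(uncovered) > 0 && len(rows) < maxRows {
		row := make([]bool, n)
		for i := 0; i < n; i++ {
			best, bestScore := false, -1
			for _, v := range []bool{false, true} { // score against already chosen flags
				score := 0
				for k := 0; k < i; k++ {
					if uncovered[pairKey{k, i, row[k], v}] {
						score++
					}
				}
				if score > bestScore {
					best, bestScore = v, score
				}
			}
			if bestScore == 0 { // nothing new behind us: look at the flags still to come
				bestScore = -1
				for _, v := range []bool{false, true} {
					score := 0
					for j := i + 1; j < n; j++ {
						for _, vj := range []bool{false, true} {
							if uncovered[pairKey{i, j, v, vj}] {
								score++
							}
						}
					}
					if score > bestScore {
						best, bestScore = v, score
					}
				}
			}
			row[i] = best
		}
		for i := 0; i < n; i++ {
			for j := i + 1; j < n; j++ {
				delete(uncovered, pairKey{i, j, row[i], row[j]})
			}
		}
		rows = append(rows, row)
	}
	return rows
}

// GenerateSeeds: full enumeration if it fits under maxSeeds, else a covering array.
func GenerateSeeds(n, maxSeeds int) [][]bool {
	if n < 62 && 1<<uint(n) <= maxSeeds {
		return enumerate(n)
	}
	return PairwiseCoveringArray(n, maxSeeds)
}

// UncoveredPairs counts value pairs that no row exercises (0 means full pairwise coverage).
func UncoveredPairs(rows [][]bool, n int) int {
	uncovered := allPairs(n)
	for _, row := range rows {
		for i := 0; i < n; i++ {
			for j := i + 1; j < n; j++ {
				delete(uncovered, pairKey{i, j, row[i], row[j]})
			}
		}
	}
	return len(uncovered)
}

func main() {
	rows := GenerateSeeds(8, 32) // 256 combinations exceed 32 seeds: covering array
	fmt.Printf("%d seeds, %d pairs uncovered\n", len(rows), UncoveredPairs(rows, 8))
}
```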
* tools/syz-imagegen: accept filesystem descriptions as input (Aleksandr Nogikh, 2025-08-29; 1 file, -10/+44)
  Don't generate just the hard-coded list of filesystems, but also generate seeds for the externally supplied json description of a filesystem. Add a special syscall attribute to help syz-imagegen guess the actual filesystem name from the syz_mount_image variant name.
* tools/docker: install bazelisk instead of bazel (Konstantin Bogomolov, 2025-08-28; 1 file, -3/+6)
  The needed Bazel version to build gVisor got bumped. However, instead of doing the same bump in two places whenever this happens, we can simply use bazelisk in syzkaller to determine which bazel version to use automatically.
* tools/usbgen: extract driver names (Andrey Konovalov, 2025-08-21; 2 files, -39/+74)
  Change the kernel patch and the syz-usbgen tool to split the extracted USB IDs by the driver they belong to. This will allow for a more precise patching of class/driver-specific USB descriptors. Also update USB IDs with Linux kernel 6.16.
* tools/syz-lore: support bash wildcard results (Aleksandr Nogikh, 2025-08-12; 1 file, -15/+5)
  Instead of accepting a folder name and traversing all nested folders in it, accept the directories to process as separate arguments. This allows for more flexibility - one can either specify just one archive to process or one can use bash wildcards to achieve the previously default functionality.
* tools/syz-covermerger: document high-level description (Taras Madan, 2025-08-08; 1 file, -0/+50)
* tools: openbsd workarounds to use clang-19 (Greg Steuck, 2025-08-07; 1 file, -3/+3)
  That's the current version in the tree.
* tools: put clang-format into PATH on openbsd GCE image (Greg Steuck, 2025-08-07; 1 file, -0/+1)
* tools: fix llvm version used in the openbsd image (Aleksandr Nogikh, 2025-08-05; 1 file, -1/+1)
  The old version prevents us from rebuilding ci-openbsd.
* pkg/csource: add call argument annotations to generated C-source files (Ethan Graham, 2025-08-04; 1 file, -0/+1)
  The structure of arguments passed into syscalls is often hard to parse since it is memcpy'd into mmap'd regions. Structural relations are often lost in translation, resulting in reproducers that take longer for a developer to understand. This patch adds functionality for parsing syscall arguments semantically and emitting a structured and human-readable comment which is inserted before each syscall in the resulting C-source.
* prog: generate choice table only for enabled calls (Aleksandr Nogikh, 2025-07-29; 1 file, -1/+2)
  We used to generate a choice table and do its normalization for all present syscalls, also it was not considered during the /prio page generation. Enabled/disabled syscalls were accounted for in the choice table construction, but there's a chance that the resulting table was still somewhat skewed. The situation must have become worse after several thousands of auto syscalls were added.
* all: simplify subsystem revision updates (Aleksandr Nogikh, 2025-07-23; 2 files, -9/+14)
  Don't specify the subsystem revision in the dashboard config and instead let it be nested in the registered subsystems. This reduces the amount of the manual work needed to switch syzbot to a newer subsystem list.
* all: determine patched symbols for focused fuzzing (Aleksandr Nogikh, 2025-07-22; 1 file, -1/+1)
  Hash the code section of the individual symbols from vmlinux.o and use it to determine the functions that changed their bodies between the base and the patched build. If the number of affected symbols is reasonable (<5%), fuzz it with the highest priority.
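To make the per-symbol comparison above concrete, here is an added example (not syzkaller's code) of the core step: hash each function symbol's body bytes in the text section of the base and patched objects, diff the hash tables, and apply the "<5% of symbols" threshold. Reading the real symbol table and section would go through `debug/elf`; to stay self-contained the example takes an already-extracted symbol list and section bytes, both constructed here. One caveat a practitioner should keep in mind: raw byte hashing reports any byte difference, so code that merely moved (and dragged a PC-relative operand along with it) can show up as changed; comparing vmlinux.o rather than the linked vmlinux keeps most cross-section references as unresolved relocations and limits that noise.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Symbol is a function symbol as it would be read from a relocatable object's
// symbol table: name, offset of the body inside the text section, body size.
type Symbol struct {
	Name   string
	Offset uint64
	Size   uint64
}

// Constructed sample (not real kernel bytes): three four-byte "functions";
// the patched side differs only in bar (xor %ecx,%ecx instead of xor %eax,%eax).
var (
	baseText    = []byte{0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3, 0x0f, 0x0b, 0x90, 0xc3}
	patchedText = []byte{0x55, 0x48, 0x89, 0xe5, 0x31, 0xc9, 0x5d, 0xc3, 0x0f, 0x0b, 0x90, 0xc3}
	sampleSyms  = []Symbol{{"foo", 0, 4}, {"bar", 4, 4}, {"baz", 8, 4}}
)

// BodyHashes hashes the bytes of every symbol body. Zero-sized symbols and
// symbols that extend past the section are skipped rather than trusted.
func BodyHashes(text []byte, syms []Symbol) map[string]string {
	out := make(map[string]string, len(syms))
	for _, s := range syms {
		end := s.Offset + s.Size
		if s.Size == 0 || end < s.Offset || end > uint64(len(text)) {
			continue
		}
		sum := sha256.Sum256(text[s.Offset:end])
		out[s.Name] = hex.EncodeToString(sum[:])
	}
	return out
}

// ChangedSymbols lists symbols whose hash differs between base and patched,
// plus symbols present on only one side (new or removed functions are changes too).
func ChangedSymbols(base, patched map[string]string) []string {
	var changed []string
	for name, h := range patched {
		if bh, ok := base[name]; !ok || bh != h {
			changed = append(changed, name)
		}
	}
	for name := range base {
		if _, ok := patched[name]; !ok {
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	return changed
}

// FocusOnPatch implements the threshold from the commit message: focus only when
// some symbols changed and they make up less than maxFraction of all symbols.
func FocusOnPatch(changed, total int, maxFraction float64) bool {
	if total == 0 || changed == 0 {
		return false
	}
	return float64(changed)/float64(total) < maxFraction
}

func main() {
	changed := ChangedSymbols(BodyHashes(baseText, sampleSyms), BodyHashes(patchedText, sampleSyms))
	fmt.Println("changed:", changed, "focus:", FocusOnPatch(len(changed), len(sampleSyms), 0.05))
}
```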
* all: apply linter auto fixes (Taras Madan, 2025-07-17; 1 file, -1/+1)
  ./tools/syz-env bin/golangci-lint run ./... --fix
* tools: allow dependabot to commit long descriptions (Taras Madan, 2025-07-04; 1 file, -1/+3)
  Some dependency updates fail because of len(descr_line)>120.
* tools/docker: update golang to 1.24.4 (Taras Madan, 2025-07-01; 2 files, -2/+2)
* all: fix typos (Roman A, 2025-06-16; 1 file, -1/+1)
* tools: fix perf compiling on debootstrap images (Alexandre Maloteaux, 2025-06-16; 1 file, -0/+2)
* tools/syz-kconfig: suggest reasons for wrongly selected configs (Aleksandr Nogikh, 2025-06-13; 1 file, -1/+11)
  The most frustrating part of updating syzbot configs is figuring out what config options (possibly transitively) selected the configs we wanted to stay disabled. For each "X is present in the final config" message, auto-generate a small list of enabled config options that may have transitively "select"ed X.
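The lookup described above, as an added example rather than syz-kconfig's own code: build a reverse "selects" graph from Kconfig text, then walk backwards from the unwanted option through enabled selectors only. The Kconfig snippet and .config below are constructed; the parser is deliberately line-based and ignores `if` conditions on `select`, which is why the output is a list of candidates to inspect, not a proof of causation.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed Kconfig fragment: A selects B, B and C and D select TARGET.
const sampleKconfig = `
config A
	bool "option A"
	select B

config B
	bool "option B"
	select TARGET if X

config C
	bool
	select TARGET

config D
	bool
	select TARGET
`

// Constructed final .config: only A, B and TARGET ended up enabled.
const sampleDotConfig = `
CONFIG_A=y
CONFIG_B=y
# CONFIG_C is not set
# CONFIG_D is not set
CONFIG_TARGET=y
`

// SelectGraph maps a config symbol to the symbols that "select" it.
type SelectGraph map[string][]string

// ParseSelects extracts "config X ... select Y" relations from Kconfig text.
// Conditions ("select Y if Z") are ignored on purpose: this produces hints.
func ParseSelects(kconfig string) SelectGraph {
	g := SelectGraph{}
	cur := ""
	sc := bufio.NewScanner(strings.NewReader(kconfig))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue
		}
		switch fields[0] {
		case "config", "menuconfig":
			cur = fields[1]
		case "select":
			if cur != "" {
				g[fields[1]] = append(g[fields[1]], cur)
			}
		}
	}
	return g
}

// ParseDotConfig returns the set of options that are =y or =m in a .config,
// with the CONFIG_ prefix stripped so names match the Kconfig symbols.
func ParseDotConfig(dotconfig string) map[string]bool {
	enabled := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(dotconfig))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "CONFIG_") {
			continue
		}
		name, val, ok := strings.Cut(strings.TrimPrefix(line, "CONFIG_"), "=")
		if ok && (val == "y" || val == "m") {
			enabled[name] = true
		}
	}
	return enabled
}

// Selectors returns the enabled options that may have transitively selected
// target: a breadth-first walk over the reverse graph restricted to enabled symbols.
func Selectors(g SelectGraph, enabled map[string]bool, target string) []string {
	seen := map[string]bool{target: true}
	queue := []string{target}
	var result []string
	for len(queue) > 0 {
		sym := queue[0]
		queue = queue[1:]
		for _, sel := range g[sym] {
			if seen[sel] || !enabled[sel] {
				continue
			}
			seen[sel] = true
			result = append(result, sel)
			queue = append(queue, sel)
		}
	}
	sort.Strings(result)
	return result
}

func main() {
	g := ParseSelects(sampleKconfig)
	en := ParseDotConfig(sampleDotConfig)
	fmt.Println("TARGET may have been selected by:", Selectors(g, en, "TARGET"))
}
```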
* tools/check_translation_update.py: check if the translations are up to date (QGrain, 2025-06-02; 1 file, -0/+223)
  Check if the translations in docs/translations/LANG/FILES are up to date with docs/FILES with detailed outputs. Translations should be committed with "Update to commit HASH (TITLE)".
* tools: adjust EC2 rootfs network configuration (Bjoern Doebel, 2025-05-26; 1 file, -0/+3)
  In a previous change (https://github.com/google/syzkaller/pull/6023) we made a simplification, assuming that a non-existent Match section in systemd networkd's config would allow DHCP for any network interface. After more testing this turns out to be incorrect and we really only get an IP via DHCP with an explicit broad Name regex.
  Signed-off-by: Bjoern Doebel <doebel@amazon.de>
* tools/docker: add rust compiler (Aleksandr Nogikh, 2025-05-20; 2 files, -4/+30)
  Add the new dependencies necessary for generating RUST=y Linux configs and for building RUST=y kernels.
* tools/syz-query-subsystems: introduce the kvm-x86 subsystem (Alexander Potapenko, 2025-05-15; 1 file, -1/+1)
  Split off kvm-x86 from kvm for better coverage accounting. Both subsystems will still share the CC lists, so bugs in x86 code won't be emailed twice. While at this, also fix the tool name in the generated comment and regenerate pkg/subsystem/lists/linux.go on v6.14-rc7.
* tools: widen network DHCP configuration for EC2 Root FS (Bjoern Doebel, 2025-05-14; 1 file, -3/+0)
  The current EC2/AL2023 root file system only works for systems using the Intel e1000 driver. Remove the match clause to support all potential network interfaces and allow fuzzing with other network interfaces (such as virtio-net).
  Signed-off-by: Bjoern Doebel <doebel@amazon.de>
* tools/syz-symbolize: add -config to support module symbolize (Jiao, Joey, 2025-05-14; 1 file, -5/+12)
* pkg/vcs: extend ListCommitHashes (Aleksandr Nogikh, 2025-05-13; 1 file, -1/+1)
  Rename the method to LatestCommit and make it more flexible:
  1) Return the commit date alongside the commit hash.
  2) Rename the time filter to highlight that it's non-inclusive.
  3) Make it possible to query the commits newer than the specified commit hash.
  It will let us poll lore archives more efficiently.
* tools: update create-buildroot-image.sh script (Aleksandr Nogikh, 2025-05-07; 1 file, -3/+12)
  Use a newer Buildroot release. Use an appropriate arm instruction set for arm32. Reduce the syslogd logging level.
  Closes #5986. Closes #5452.
* tools/docker/env: update gcloud to 519 (Taras Madan, 2025-04-29; 1 file, -19/+7)
  It requires appengine dependency update to match golang versions. gcloud-appengine-python patching is needed to fix #4785.
* all: format with clang-format-20 (Aleksandr Nogikh, 2025-04-24; 1 file, -1/+1)
  The tests began to fail after pushing the new env container.
* tools/docker: migrate to llvm-20 (Aleksandr Nogikh, 2025-04-24; 2 files, -21/+24)
  clang-15 is now the minimum required version, so we're already on the verge of not being able to compile the Linux kernel. But keep clang-15 anyway - it will be used during bisections.
* tools/syz-kconf: don't proceed after failures (Aleksandr Nogikh, 2025-04-23; 1 file, -4/+4)
  It's almost never reasonable to keep on generating configs after some targets have already failed. We have a lot of different kernels and regenerating them all takes a very long time. Having to regenerate everything on each iteration slows down the development significantly.
* tools: repair syz-testbuild (Aleksandr Nogikh, 2025-04-22; 1 file, -5/+16)
  1. Properly set up a manager config.
  2. Use clang/ld.lld by default.
  3. Set the right boot partition for qemu VMs.
* tools/docker: add ld.lld to env (Aleksandr Nogikh, 2025-04-17; 1 file, -1/+2)
  We use the env container to update kernel configs and the lack of ld.lld in it prevents the usage of LLVM=1.
* all: use LLVM=1 for building Linux with clang (Aleksandr Nogikh, 2025-04-17; 1 file, -13/+13)
  This is the standard way now. Since our configuration permits multiple parameter value combinations, explicitly check for the compiler and linker that were to be passed via CC and LD, and replace that with LLVM=1 if they were clang and ld.lld correspondingly. Update syz-kconf to rely on pkg/build's exported functionality for generating Linux kernel build arguments.
* pkg/manager: provide diff fuzzer state dumps (Aleksandr Nogikh, 2025-04-15; 1 file, -2/+2)
  Make the fuzzing step of syz-cluster create the manager.DiffStore object explicitly and dump its state to the logs after finishing the fuzzing session.
* tools/syz-declextract: ignore files with non US-ASCII chars (Dmitry Vyukov, 2025-04-15; 1 file, -0/+4)
* tools/syz-declextract: update test golden files (Dmitry Vyukov, 2025-04-15; 2 files, -2/+1)
  Regenerate golden files with up-to-date clang tool. Missed part of commit c7e92da6cb06679b04062786481f50e42c585bfc.
* pkg/declextract: add open fileops callback to interface list (Dmitry Vyukov, 2025-04-15; 1 file, -1/+0)
  Add open callback if there are no other unique callbacks. This happens for e.g. seq files which only have unique open, while read is a common seq_read callback.
* pkg/declextract: more precise fileops callback resolution (Dmitry Vyukov, 2025-04-15; 1 file, -5/+5)
  Use resolved Function references instead of string names for fileops callback resolution. Function names are not unique, a number of callbacks have the same names.
* tools/syz-declextract: extract function references more precisely (Dmitry Vyukov, 2025-04-15; 3 files, -42/+70)
  Currently we misparse some function references, e.g. for: .write = (foo) ? bar : baz, we extract "foo". Extract first function reference from such expressions.
* tools/syz-declextract: extract enums declared with a typedef (Dmitry Vyukov, 2025-04-15; 6 files, -12/+120)
* tools/syz-declextract: extract ioctls declared with enums (Dmitry Vyukov, 2025-04-15; 6 files, -62/+109)
  Some ioctls are declared inconsistently using enums rather than macros. Extract these as well.
* pkg/manager: make diff fuzzer artifacts folder configurable (Aleksandr Nogikh, 2025-04-11; 1 file, -1/+2)
* tools/syz-declextract: export info about file ops interfaces (Dmitry Vyukov, 2025-04-11; 2 files, -1/+19)
* tools/syz-declextract: add interface coverage info (Dmitry Vyukov, 2025-04-10; 18 files, -73/+372)
  Add coverage percent for kernel interfaces. The current data is generated with Mar coverage report on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
* pkg/declextract: export syscall variants as separate interfaces (Dmitry Vyukov, 2025-04-10; 11 files, -83/+177)
  Export each syscall variant (e.g. fcnt$*) as a separate interface. Effectively these are separate syscalls. We will want this for ioctl as well (it's not 1 interface).