| Commit message (Collapse) | Author | Age | Files | Lines |
Construct a more elaborate and close to real life test that ensures that
multiple Instance.Run() calls successfully finish.
If the crash dumps are enabled, collect one crash dump per each crash
when fuzzing locally.
Optionally also collect crash dumps in pkg/instance's Test().
Inspired by Chenxi Huang's downstream changes to syzkaller.
It prevents multiple Run() calls per single lifetime of a VM.
Move its closure to the Close() method.
Introduce an Error() method to avoid capturing the errors of already
overridden decoders.
Otherwise the "ssh-err" channel decoder never exits.
The stdout and stderr streams may be closed before the program actually
exits, which races with our attempt to kill the process. It results in
Run() sometimes returning an error even though the command has actually
succeeded.
Let's give the process some more time to exit itself, and kill it only
after the timeout.
This will give an even better granularity for filtering out unwanted data.
Remember if it was coming from a command output or from a serial port.
The sshArgs function was incorrectly passing inst.User (username) to
vmimpl.SSHArgs instead of inst.Key (SSH key path).
This bug was not discovered during normal fuzzing because sshArgs() is
only called via ssh(), which is only used by the Diagnose() function
for crash diagnosis. The main fuzzing operations (Copy and Run)
construct their SSH arguments directly using vmimpl.SCPArgs and
vmimpl.SSHArgsForward with the correct inst.Key parameter.
Prevent the fuzzer from entering an infinite loop
of device reboots when the adb shell reboot command
returns with an error code.
Fixes: #6598
Signed-off-by: Sebastian Ene <sebastianene@google.com>
Probe for the debugfs rootdir instead of the kcov
sub-path to prevent the fuzzer from entering a
device reboot loop in case the Android device
doesn't support kcov.
Fixes: #6600
Signed-off-by: Sebastian Ene <sebastianene@google.com>
GCE instance tags can be used for various purposes, such as applying
network firewall rules or filtering VMs for scheduling onto specific
hosts.
To support these use cases, syzkaller needs the ability to set
instance tags during VM creation.
This patch introduces a new tags field to the gce VM configuration that
allows users to specify a list of tags to be attached to GCE instances
created by syz-manager.
Any is now preferred over interface{} in Go.
This change adds VirtualBox support to syzkaller. It implements the VM
interface for VirtualBox and provides:
- full VM lifecycle operations (create, boot, stop, snapshot restore)
- serial console hookup and integration with the output merger
- proper boot wait logic similar to qemu, using SSH readiness
- boot-time crash capture using collected console output
This is a much cleaner logic than string matching.
After this change it fits more naturally into Go's error
functionality.
In almost all cases these mean some boot time crash.
It also doesn't make much sense to continue string matching since the
boot output may contain the matched strings in benign contexts.
Enable external abortion of the instance creation process. This is
especially useful for the qemu case where we retry the creation/boot up
to 1000 times, which can take significant time (e.g. it times out
syz-cluster pods on unstable kernels).
The context can be further propagated to WaitForSSH, but that requires
another quite significant vm/ refactoring.
Instead of:
ffx --target <target> target get-ssh-address
Use:
ffx --target <target> target list --format addresses
Google Cloud cannot automatically infer it from our images, so we need
to explicitly set it. The flag is required to create a GVNIC-based GCE
instance (the only type for C4A machines).
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.
Move boot error reporting to a separate function.
React on the context cancellation even if the boot error channel is
blocked.
Add a test that verifies this behavior.
Print a log message if the channel is full.
ffx log is now built separately from the main
ffx binary.
ffx emu now needs to know the locations of some host
tools. Copy these paths from the default ffx config
into the configuration for the isolated ffx instance
that syzkaller uses for most tasks.
1. recover the removed comment
2. unnecessary leading newline
3. unnecessary brackets
4. restore dropped "..."
5. use bytes.Equal instead of conversion to string
./tools/syz-env bin/golangci-lint run ./... --fix
virtio-net-ccw is a preferred way to set up a virtual network interface on
s390x at the moment because it is faster than virtio-net-pci
(eventfd and irqfd are missing). This also allows disabling of zPCI in QEMU
which was required only because virtio-net-pci was used as a network
interface. PCI is special on s390x and, for instance, does not use MMIO or
expose topology [1,2,3]. Furthermore, any features like PXE are
not supported with virtio-net-pci on s390x.
[1] https://people.redhat.com/~cohuck/2018/02/19/notes-on-pci-on-s390x.html
[2] https://wiki.qemu.org/Documentation/Platforms/S390X#A_note_on_PCI_support
[3] https://www.qemu.org/docs/master/system/s390x/pcidevices.html
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
Add a command to show all locked TCP control blocks. If a panic
is related to the TCP stack, most likely the affected TCP control
block is locked. Therefore, this is shown. This is much less noisy
than showing all TCP control blocks.
Signed-off-by: Andrei Vagin <avagin@google.com>
It allows using the context as a single termination signal source.
This reverts commit 85a5a23f228f2de970f578bf3b452a23a222c09d.
It will help distinguish the cases when the output was collected, but
lost somewhere during the reporting pipeline, or it was empty in the
first place, e.g. because qemu could not start at all.
Cc #5986.
The previously used combination does not boot our buildroot image:
[ 6.334727][ T1] Run /sbin/init as init process
[ 6.668200][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
Make the pool.Run() function take a context.Context to be able to abort
the callback passed to it or abort its scheduling if it's not yet
running.
Otherwise, if the callback is not yet started and the pool's Loop is
aborted, we risk waiting for pool.Run() forever. It prevents the normal
shutdown of repro.Run() and, consequently, the DiffFuzzer functionality.