From 7795ae03c0d2358a40130693e40e0fcab5232ed2 Mon Sep 17 00:00:00 2001 
From: Greg Steuck Date: Tue, 11 Dec 2018 02:14:21 -0800 Subject: prog: detect invalid target.Syscalls in BuildChoiceTable Without this check programs may end up panicking in places far away from the real cause. E.g. worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false 2004/02/03 12:11:11 fuzzer started 2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386 2004/02/03 12:11:12 syscalls: 1 2004/02/03 12:11:12 code coverage: enabled 2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller 2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller 2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller 2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller 2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller 2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller 2004/02/03 12:11:12 net packet injection: enabled 2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller panic: invalid argument to Intn goroutine 27 [running]: math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40) /usr/local/go/src/math/rand/rand.go:169 +0x9c github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650) /syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0 github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01) /syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69 github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0) /syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2 main.(*Proc).loop(0xc000d92f40) /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1 
created by main.main /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
---
 prog/prio.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/prog/prio.go b/prog/prio.go
index 95713392e..eaec3a70d 100644
--- a/prog/prio.go
+++ b/prog/prio.go
@@ -215,6 +215,9 @@ func (target *Target) BuildChoiceTable(prios [][]float32, enabled map[*Syscall]b
 for c := range enabled {
 enabledCalls = append(enabledCalls, c)
 }
+ if len(enabledCalls) == 0 {
+ panic(fmt.Sprintf("empty enabledCalls, len(target.Syscalls)=%v", len(target.Syscalls)))
+ }
 run := make([][]int, len(target.Syscalls))
 for i := range run {
 if !enabled[target.Syscalls[i]] {
-- 
cgit mrf-deployment
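Review bot: The new guard only checks that `enabled` is non-empty, not that any of those syscalls belong to `target.Syscalls`, so an `enabled` set built against a different target, or an empty `target.Syscalls`, still produces a `run` table with no enabled entries and reaches the `Intn` panic in Choose shown in the description; the `syscalls: 1` line in that log suggests `enabled` was not empty in the reported case, and the subject line itself names `target.Syscalls` as what should be validated. Counting the enabled entries of `target.Syscalls` (the slice `run` is sized from) and panicking when that count is zero covers the empty-`enabled` case as well, and the rewrite below does that in place of the added block. Whether `fmt` is already imported in prio.go is not visible in the hunk, so the build should be confirmed. BuildChoiceTable starts and ends outside the hunk.

```go
	// … unchanged: collect enabledCalls from enabled …
	// The choice table is built over target.Syscalls, so enabled syscalls that
	// are not part of this target would still leave it empty and make Choose
	// panic on Intn(0) far from the real cause.
	enabledInTarget := 0
	for _, c := range target.Syscalls {
		if enabled[c] {
			enabledInTarget++
		}
	}
	if enabledInTarget == 0 {
		panic(fmt.Sprintf("no enabled syscall in target.Syscalls: len(enabled)=%v, len(target.Syscalls)=%v",
			len(enabled), len(target.Syscalls)))
	}
	run := make([][]int, len(target.Syscalls))
	// … unchanged: loop filling run …
```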