syzkaller/vm/vm.go

// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

package vm

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"regexp"
	"syscall"
	"time"

	"github.com/google/syzkaller/report"
)

// Instance represents a Linux VM or a remote physical machine.
type Instance interface {
	// Copy copies a hostSrc file into vm and returns file name in vm.
	Copy(hostSrc string) (string, error)

	// Forward setups forwarding from within VM to host port port
	// and returns address to use in VM.
	Forward(port int) (string, error)

	// Run runs cmd inside of the VM (think of ssh cmd).
	// outc receives combined cmd and kernel console output.
	// errc receives either command Wait return error or vm.TimeoutErr.
	// Command is terminated after timeout. Send on the stop chan can be used to terminate it earlier.
	Run(timeout time.Duration, stop <-chan bool, command string) (outc <-chan []byte, errc <-chan error, err error)

	// Close stops and destroys the VM.
	Close()
}

type Config struct {
	Name        string
	Index       int
	Workdir     string
	Bin         string
	BinArgs     string
	Initrd      string
	Kernel      string
	Cmdline     string
	Image       string
	Sshkey      string
	Executor    string
	Device      string
	MachineType string
	Cpu         int
	Mem         int
	Debug       bool
}

type ctorFunc func(cfg *Config) (Instance, error)

var ctors = make(map[string]ctorFunc)

func Register(typ string, ctor ctorFunc) {
	ctors[typ] = ctor
}

// Close to interrupt all pending operations.
var Shutdown = make(chan struct{})

// Create creates and boots a new VM instance.
func Create(typ string, cfg *Config) (Instance, error) {
	ctor := ctors[typ]
	if ctor == nil {
		return nil, fmt.Errorf("unknown instance type '%v'", typ)
	}
	return ctor(cfg)
}

func LongPipe() (io.ReadCloser, io.WriteCloser, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return nil, nil, fmt.Errorf("failed to create pipe: %v", err)
	}
	for sz := 128 << 10; sz <= 2<<20; sz *= 2 {
		syscall.Syscall(syscall.SYS_FCNTL, w.Fd(), syscall.F_SETPIPE_SZ, uintptr(sz))
	}
	return r, w, err
}

var TimeoutErr = errors.New("timeout")

func MonitorExecution(outc <-chan []byte, errc <-chan error, local, needOutput bool, ignores []*regexp.Regexp) (desc string, text, output []byte, crashed, timedout bool) {
	waitForOutput := func() {
		dur := time.Second
		if needOutput {
			dur = 10 * time.Second
		}
		timer := time.NewTimer(dur).C
		for {
			select {
			case out, ok := <-outc:
				if !ok {
					return
				}
				output = append(output, out...)
			case <-timer:
				return
			}
		}
	}

	matchPos := 0
	const (
		beforeContext = 256 << 10
		afterContext  = 128 << 10
	)
	extractError := func(defaultError string) (string, []byte, []byte, bool, bool) {
		// Give it some time to finish writing the error message.
		waitForOutput()
		if bytes.Contains(output, []byte("SYZ-FUZZER: PREEMPTED")) {
			return "preempted", nil, nil, false, true
		}
		if !report.ContainsCrash(output[matchPos:], ignores) {
			return defaultError, nil, output, true, false
		}
		desc, text, start, end := report.Parse(output[matchPos:], ignores)
		start = start + matchPos - beforeContext
		if start < 0 {
			start = 0
		}
		end = end + matchPos + afterContext
		if end > len(output) {
			end = len(output)
		}
		return desc, text, output[start:end], true, false
	}

	lastExecuteTime := time.Now()
	ticker := time.NewTimer(3 * time.Minute)
	tickerFired := false
	for {
		if !tickerFired && !ticker.Stop() {
			<-ticker.C
		}
		tickerFired = false
		ticker.Reset(3 * time.Minute)
		select {
		case err := <-errc:
			switch err {
			case nil:
				waitForOutput()
				return "", nil, output, false, false
			case TimeoutErr:
				return err.Error(), nil, nil, false, true
			default:
				// Note: connection lost can race with a kernel oops message.
				// In such case we want to return the kernel oops.
				return extractError("lost connection to test machine")
			}
		case out := <-outc:
			output = append(output, out...)
			if bytes.Index(output[matchPos:], []byte("executing program")) != -1 { // syz-fuzzer output
				lastExecuteTime = time.Now()
			}
			if bytes.Index(output[matchPos:], []byte("executed programs:")) != -1 { // syz-execprog output
				lastExecuteTime = time.Now()
			}
			if report.ContainsCrash(output[matchPos:], ignores) {
				return extractError("")
			}
			if len(output) > 2*beforeContext {
				copy(output, output[len(output)-beforeContext:])
				output = output[:beforeContext]
			}
			matchPos = len(output) - 128
			if matchPos < 0 {
				matchPos = 0
			}
			// In some cases kernel constantly prints something to console,
			// but fuzzer is not actually executing programs.
			if !local && time.Since(lastExecuteTime) > 3*time.Minute {
				return "test machine is not executing programs", nil, output, true, false
			}
		case <-ticker.C:
			tickerFired = true
			if !local {
				return "no output from test machine", nil, output, true, false
			}
		case <-Shutdown:
			return "", nil, nil, false, false
		}
	}
}

// Sleep for d.
// If shutdown is in progress, return false prematurely.
func SleepInterruptible(d time.Duration) bool {
	select {
	case <-time.After(d):
		return true
	case <-Shutdown:
		return false
	}
}
initial commit 2015-10-12 08:16:57 +00:00			`// Copyright 2015 syzkaller project authors. All rights reserved.`
			`// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.`

			`package vm`

			`import (`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`"bytes"`
vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`"errors"`
initial commit 2015-10-12 08:16:57 +00:00			`"fmt"`
vm: merger console/fuzzer output line-by-line Fixes #57 2016-08-28 17:21:57 +00:00			`"io"`
			`"os"`
manager: add ability to ignore bugs Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted. 2016-12-19 16:39:03 +00:00			`"regexp"`
vm: merger console/fuzzer output line-by-line Fixes #57 2016-08-28 17:21:57 +00:00			`"syscall"`
vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`"time"`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00
			`"github.com/google/syzkaller/report"`
initial commit 2015-10-12 08:16:57 +00:00			`)`

vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`// Instance represents a Linux VM or a remote physical machine.`
initial commit 2015-10-12 08:16:57 +00:00			`type Instance interface {`
vm: refactor VM interface in preparation for adb support adb has more complex port forwarding setup, also / is mounted read-only. Make VM interface more flexible to support such cases. 2016-01-11 16:33:44 +00:00			`// Copy copies a hostSrc file into vm and returns file name in vm.`
			`Copy(hostSrc string) (string, error)`

			`// Forward setups forwarding from within VM to host port port`
			`// and returns address to use in VM.`
			`Forward(port int) (string, error)`

vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`// Run runs cmd inside of the VM (think of ssh cmd).`
			`// outc receives combined cmd and kernel console output.`
			`// errc receives either command Wait return error or vm.TimeoutErr.`
vm: add ability to interrupt commands This is required for crash reproduction in manager. 2016-11-19 10:14:11 +00:00			`// Command is terminated after timeout. Send on the stop chan can be used to terminate it earlier.`
			`Run(timeout time.Duration, stop <-chan bool, command string) (outc <-chan []byte, errc <-chan error, err error)`
vm: refactor VM interface in preparation for adb support adb has more complex port forwarding setup, also / is mounted read-only. Make VM interface more flexible to support such cases. 2016-01-11 16:33:44 +00:00
vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`// Close stops and destroys the VM.`
			`Close()`
initial commit 2015-10-12 08:16:57 +00:00			`}`

aggregate vm params into a single struct (for ease of extension) 2015-10-19 10:47:37 +00:00			`type Config struct {`
vm/gce: add support GCE VMs 2016-10-06 14:15:10 +00:00			`Name string`
			`Index int`
			`Workdir string`
			`Bin string`
vm/qemu: support non-native mode Add config bin_args parameter that contains additional arguments for qemu binary. This allows to specify e.g. "bin_args": "-machine virt -cpu cortex-a57". Also restore qemu debugging output when -debug flag is specified. 2016-11-22 15:59:04 +00:00			`BinArgs string`
vm/gce: add support GCE VMs 2016-10-06 14:15:10 +00:00			`Initrd string`
			`Kernel string`
			`Cmdline string`
			`Image string`
			`Sshkey string`
			`Executor string`
			`Device string`
			`MachineType string`
			`Cpu int`
			`Mem int`
			`Debug bool`
aggregate vm params into a single struct (for ease of extension) 2015-10-19 10:47:37 +00:00			`}`

vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`type ctorFunc func(cfg *Config) (Instance, error)`
initial commit 2015-10-12 08:16:57 +00:00
			`var ctors = make(map[string]ctorFunc)`

			`func Register(typ string, ctor ctorFunc) {`
			`ctors[typ] = ctor`
			`}`

vm/adb: avoid draining battery One common issue we see with android devices is that fuzzing drains battery episodically, device goes down and then does not boot until one presses the power button. Check battery level at the beginning of each cycles and wait if it is too low. Current numbers are: wait if level < 20% until it is >=30%. Let's see how it works. Fixes #79 2016-09-29 13:04:48 +00:00			`// Close to interrupt all pending operations.`
			`var Shutdown = make(chan struct{})`

vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`// Create creates and boots a new VM instance.`
			`func Create(typ string, cfg *Config) (Instance, error) {`
initial commit 2015-10-12 08:16:57 +00:00			`ctor := ctors[typ]`
			`if ctor == nil {`
			`return nil, fmt.Errorf("unknown instance type '%v'", typ)`
			`}`
vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00			`return ctor(cfg)`
initial commit 2015-10-12 08:16:57 +00:00			`}`
vm: improve VM interface Current interface is suitable only for running syz-fuzzer. Make the interface more generic (boot, copy file, run an arbitrary command). This allows to build other tools on top of vm package (e.g. reproducer creation). 2015-12-23 18:11:29 +00:00
vm: merger console/fuzzer output line-by-line Fixes #57 2016-08-28 17:21:57 +00:00			`func LongPipe() (io.ReadCloser, io.WriteCloser, error) {`
			`r, w, err := os.Pipe()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("failed to create pipe: %v", err)`
			`}`
			`for sz := 128 << 10; sz <= 2<<20; sz *= 2 {`
			`syscall.Syscall(syscall.SYS_FCNTL, w.Fd(), syscall.F_SETPIPE_SZ, uintptr(sz))`
			`}`
			`return r, w, err`
			`}`

report: add a new package for report parsing and processing Move vm.FindCrash to the new package. 2016-08-30 13:19:28 +00:00			`var TimeoutErr = errors.New("timeout")`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00
manager: add ability to ignore bugs Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted. 2016-12-19 16:39:03 +00:00			`func MonitorExecution(outc <-chan []byte, errc <-chan error, local, needOutput bool, ignores []*regexp.Regexp) (desc string, text, output []byte, crashed, timedout bool) {`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`waitForOutput := func() {`
			`dur := time.Second`
			`if needOutput {`
			`dur = 10 * time.Second`
			`}`
			`timer := time.NewTimer(dur).C`
			`for {`
			`select {`
			`case out, ok := <-outc:`
			`if !ok {`
			`return`
			`}`
			`output = append(output, out...)`
			`case <-timer:`
			`return`
			`}`
			`}`
			`}`

			`matchPos := 0`
			`const (`
			`beforeContext = 256 << 10`
			`afterContext = 128 << 10`
			`)`
vm: give preference to kernel oops over "lost connection" If lost connection races with a kernel oops (which probably caused the lost), give preference to the oops message (it should be more useful). 2016-09-28 16:05:28 +00:00			`extractError := func(defaultError string) (string, []byte, []byte, bool, bool) {`
			`// Give it some time to finish writing the error message.`
			`waitForOutput()`
vm/gce: handle graceful preemption In case of graceful preemption fuzzer should be terminated by SIGTERM. Catch it and propagate to manager. 2016-12-16 15:11:18 +00:00			`if bytes.Contains(output, []byte("SYZ-FUZZER: PREEMPTED")) {`
			`return "preempted", nil, nil, false, true`
			`}`
manager: add ability to ignore bugs Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted. 2016-12-19 16:39:03 +00:00			`if !report.ContainsCrash(output[matchPos:], ignores) {`
vm: give preference to kernel oops over "lost connection" If lost connection races with a kernel oops (which probably caused the lost), give preference to the oops message (it should be more useful). 2016-09-28 16:05:28 +00:00			`return defaultError, nil, output, true, false`
			`}`
manager: add ability to ignore bugs Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted. 2016-12-19 16:39:03 +00:00			`desc, text, start, end := report.Parse(output[matchPos:], ignores)`
vm: give preference to kernel oops over "lost connection" If lost connection races with a kernel oops (which probably caused the lost), give preference to the oops message (it should be more useful). 2016-09-28 16:05:28 +00:00			`start = start + matchPos - beforeContext`
			`if start < 0 {`
			`start = 0`
			`}`
			`end = end + matchPos + afterContext`
			`if end > len(output) {`
			`end = len(output)`
			`}`
			`return desc, text, output[start:end], true, false`
			`}`

manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`lastExecuteTime := time.Now()`
			`ticker := time.NewTimer(3 * time.Minute)`
manager: fix deadlock This fixes 2 problems: 1. syz-manager inverted condition for local instances. 2. local instances deadlocked on "no output" condition 2016-09-09 11:22:48 +00:00			`tickerFired := false`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`for {`
manager: fix deadlock This fixes 2 problems: 1. syz-manager inverted condition for local instances. 2. local instances deadlocked on "no output" condition 2016-09-09 11:22:48 +00:00			`if !tickerFired && !ticker.Stop() {`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`<-ticker.C`
			`}`
manager: fix deadlock This fixes 2 problems: 1. syz-manager inverted condition for local instances. 2. local instances deadlocked on "no output" condition 2016-09-09 11:22:48 +00:00			`tickerFired = false`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`ticker.Reset(3 * time.Minute)`
			`select {`
			`case err := <-errc:`
			`switch err {`
			`case nil:`
			`waitForOutput()`
			`return "", nil, output, false, false`
			`case TimeoutErr:`
			`return err.Error(), nil, nil, false, true`
			`default:`
vm: give preference to kernel oops over "lost connection" If lost connection races with a kernel oops (which probably caused the lost), give preference to the oops message (it should be more useful). 2016-09-28 16:05:28 +00:00			`// Note: connection lost can race with a kernel oops message.`
			`// In such case we want to return the kernel oops.`
			`return extractError("lost connection to test machine")`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`}`
			`case out := <-outc:`
			`output = append(output, out...)`
syz-repro: fix false "not executing programs" 2016-09-03 10:35:16 +00:00			`if bytes.Index(output[matchPos:], []byte("executing program")) != -1 { // syz-fuzzer output`
			`lastExecuteTime = time.Now()`
			`}`
			`if bytes.Index(output[matchPos:], []byte("executed programs:")) != -1 { // syz-execprog output`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`lastExecuteTime = time.Now()`
			`}`
manager: add ability to ignore bugs Add new config parameter "ignores" which contains list of regexp expressions. If one of the expressions is matched against oops line, crash report is not saved and VM is not restarted. 2016-12-19 16:39:03 +00:00			`if report.ContainsCrash(output[matchPos:], ignores) {`
vm: give preference to kernel oops over "lost connection" If lost connection races with a kernel oops (which probably caused the lost), give preference to the oops message (it should be more useful). 2016-09-28 16:05:28 +00:00			`return extractError("")`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`}`
			`if len(output) > 2*beforeContext {`
			`copy(output, output[len(output)-beforeContext:])`
			`output = output[:beforeContext]`
			`}`
			`matchPos = len(output) - 128`
			`if matchPos < 0 {`
			`matchPos = 0`
			`}`
			`// In some cases kernel constantly prints something to console,`
			`// but fuzzer is not actually executing programs.`
			`if !local && time.Since(lastExecuteTime) > 3*time.Minute {`
			`return "test machine is not executing programs", nil, output, true, false`
			`}`
			`case <-ticker.C:`
manager: fix deadlock This fixes 2 problems: 1. syz-manager inverted condition for local instances. 2. local instances deadlocked on "no output" condition 2016-09-09 11:22:48 +00:00			`tickerFired = true`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`if !local {`
			`return "no output from test machine", nil, output, true, false`
			`}`
vm/adb: avoid draining battery One common issue we see with android devices is that fuzzing drains battery episodically, device goes down and then does not boot until one presses the power button. Check battery level at the beginning of each cycles and wait if it is too low. Current numbers are: wait if level < 20% until it is >=30%. Let's see how it works. Fixes #79 2016-09-29 13:04:48 +00:00			`case <-Shutdown:`
			`return "", nil, nil, false, false`
manager, repro: unify VM monitoring Unify and factor out VM monitoring loop used in syz-manager and syz-repro. This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc). And also just deduplicates code. 2016-09-01 17:54:55 +00:00			`}`
			`}`
			`}`
vm/adb: avoid draining battery One common issue we see with android devices is that fuzzing drains battery episodically, device goes down and then does not boot until one presses the power button. Check battery level at the beginning of each cycles and wait if it is too low. Current numbers are: wait if level < 20% until it is >=30%. Let's see how it works. Fixes #79 2016-09-29 13:04:48 +00:00
			`// Sleep for d.`
			`// If shutdown is in progress, return false prematurely.`
			`func SleepInterruptible(d time.Duration) bool {`
			`select {`
			`case <-time.After(d):`
			`return true`
			`case <-Shutdown:`
			`return false`
			`}`
			`}`