Commit Graph

46 Commits

Author SHA1 Message Date
Aleksandr Nogikh
9133037195 all: integrate with mac80211_hwsim
Two virtual wireless devices are instantiated during network devices
initialization.

A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.

Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.

Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)

Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.

Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
2020-09-22 10:12:23 +02:00
Dmitry Vyukov
991110ce9d pkg/csource: add comment re ignoring cpp errors
Clarify why we ignore cpp errors.
2020-08-14 14:45:37 +02:00
Dmitry Vyukov
1089015fcc executor: remove block comments
1. We don't generally use /* */ block comments,
few precedents we have are inconsistent with the rest of the code.

2. pkg/csource does not strip them from the resulting code.

Remove the cases we have and add a test to prevent new ones being added.
2020-08-04 16:53:31 +02:00
TheOfficialFloW
b094755316
all: initialize vhci in linux
* all: initialize vhci in linux

* executor/common_linux.h: improve vhci initialization

* pkg/repro/repro.go: add missing vhci options

* executor/common_linux.h: fix type and add missing header

* executor, pkg: do it like NetInjection

* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled

* executor/common_linux.h: fix format string

* executor/common_linux.h: initialize with memset

For som reason {0} gets complains about missing braces...

* executor/common_linux.h: simplify vhci init

* executor/common_linux.h: try to bring all available hci devices up

* executor/common_linux.h: find which hci device has been registered

* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id

* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets

* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size

* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size

* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t

* sys/linux/l2cap.txt: add l2cap_conf_opt struct

* executor/common_linux.h: just fill bd addr will 0xaa

* executor/common_linux.h: just fill bd addr will 0xaa
2020-07-30 11:33:48 +02:00
Andrey Konovalov
09ff5abc02 csource, executor: add usb emulation feature
The feature gets enabled when /dev/raw-gadget is present and accessible.
With this feature enabled, executor will do chmod 0666 /dev/raw-gadget on
startup, which makes it possible to do USB fuzzing in setuid and namespace
sandboxes. There should be no backwards compatibility issues with syz
reproducers that don't explicitly enable this feature, as they currently only
work in none sandbox.
2020-04-03 12:42:06 +02:00
Dmitry Vyukov
157653cfe7 pkg/csource: rename some options
Rename some options in preparation for subsequent changes
which will align names across the code base.
2019-11-16 09:58:54 +01:00
Dmitry Vyukov
690740b4a4 executor: refactor sandbox flags
In preparation for future changes.
2019-11-16 09:58:54 +01:00
Dmitry Vyukov
a6e3054436 executor: rename some macros
Rename some macros in preparation for subsequent changes
which will align names across the code base.
2019-11-16 09:58:54 +01:00
Dmitry Vyukov
ca13dd2ab5 pkg/csoruce: test that executor does not mis-spell any of the SYZ_* macros 2019-11-16 09:58:54 +01:00
Jiri Pirko
d40d75d2d7 executor: move fixed pci devlink handle into network namespace
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
2019-11-03 14:20:59 +01:00
Marco Elver
b2f369e56e executor, host, csource: Add support to enable KCSAN
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.

This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
2019-10-04 13:44:09 +02:00
Siddharth M
8570f91c22 pkg/csource: fix failing syz-runtest for NetBSD
* pkg/csource: fix failing syz-runtest for NetBSD

* update common.go
2019-08-21 07:13:43 -07:00
Dmitry Vyukov
8285069f89 executor: implement support for leak checking
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.

1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.

2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.

3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.

4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.

5. Fix pkg/repro to do something more sane for leak bugs.

Few other minor fixes here and there.
2019-05-20 19:40:20 +02:00
Andrey Konovalov
5c51045d28 all: add optional close_fds feature to reproducers
Instead of always closing open fds (number 3 to 30) after each program,
add an options called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
2019-04-09 10:53:11 +02:00
Andrey Konovalov
e619f52452 csource: use /*FOO*/ instead of [[FOO]]
The latter differently confuses different versions of clang-format.
2019-04-09 10:53:11 +02:00
Dmitry Vyukov
4b69c3cbac pkg/runtest: make tests pass on freebsd
The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd.
Pass actual host OS to executor build as HOSTGOOS and use it to figure out
how we should include this header.
2019-03-07 20:37:43 +01:00
Mark Johnston
c08c1cd05c pkg/csource: sort sys/types.h to the top on FreeBSD
sys/types.h is a special header that is required by many other system
headers on FreeBSD.
2019-03-07 19:46:55 +01:00
Andrey Konovalov
dfd609eca1 execprog, stress, prog2c: unify flags to enable additional features
This change makes all syz-execprog, syz-prog2c and syz-stress accept
-enable and -disable flags to enable or disable additional features
(tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having
a separate flag for each of them.

The default (without any flags) behavior isn't changed: syz-execprog
and syz-stress enabled all the features (provided the runtime supports
them) and syz-prog2c disables all of them.
2019-03-05 14:30:10 +01:00
Anton Lindqvist
1508cc9c44 pkg/csource: add support for creating reproducers on OpenBSD 2018-11-17 10:32:19 -08:00
Zach Riggle
0eca949a6c RFC: android: Add support for untrusted_app sandboxing (#697)
executor: add support for android_untrusted_app sandbox

This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.

In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.

Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files.  The underlying mechanisms are relatively simple.

Fixes google/syzkaller#643

Test: make presubmit
Bug: http://b/112900774
2018-09-17 11:33:11 +02:00
Dmitry Vyukov
3c5c9177b5 pkg/csource: refactor defineList
Make it simpler and shorter.

Update #538
2018-08-02 16:57:32 +02:00
Dmitry Vyukov
efc2683657 pkg/csource: rafactor option checking
Update #538
2018-07-31 18:43:45 +02:00
Dmitry Vyukov
788351b1b0 pkg/csource: rewrite gen.sh in Go
Shell files cause portability problems.
On Linux it's hard to install /bin/sh,
/bin/bash is not present on *BSD.
Any solution is hard to test on Darwin.
Don't even want to mention Windows.

Just do it in Go.
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
b25fc7b831 pkg/csource: add option to trace syscall results
This will be needed for testing of generated programs.
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
9d92841b4e pkg/csource: tidy generated code
1. Remove unnecessary includes.
2. Remove thunk function in threaded mode.
3. Inline syscalls into main for the simplest case.
4. Define main in common.h rather than form with printfs.
5. Fix generation for repeat mode
   (we had 2 infinite loops: in main and in loop).
6. Remove unused functions (setup/reset_loop, setup/reset_test,
   sandbox_namespace, etc).
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
9fe4bdc5f1 executor: overhaul
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).

This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
2018-07-24 12:04:27 +02:00
Dmitry Vyukov
7b45fa115b pkg/csource: support fuchsia
Lots of assorted heavylifting to support csource on fuchsia.
2018-06-29 10:47:42 +02:00
Dmitry Vyukov
6479ab2a75 Makefile, sys/targets: move all native compilation logic to sys/targets
We currently have native cross-compilation logic duplicated
in Makefile and in sys/targets. Some pieces are missed in one
place, some are in another. Only pkg/csource knows how to check
for -static support.

Move all CC/CFLAGS logic to sys/targets and pull results in Makefile.

This should make Makefile work on distros that have broken x86_64-linux-gnu-gcc,
now we will use just gcc. And this removes the need to define NOSTATIC,
as it's always auto-detected.

This also paves the way for making pkg/csource work on OSes other than Linux.
2018-06-06 10:02:03 +02:00
Dmitry Vyukov
738d58ade0 pkg/csource: minimize netdevices and net reset
Add separate options to minimize netdevices setup and net namespace reset.

Fixes #581
2018-05-17 19:57:54 +02:00
Dmitry Vyukov
2675f92065 sys/linux: add cgroup descriptions 2018-03-25 12:46:05 +02:00
Dmitry Vyukov
36d1c4540a all: fix gometalinter warnings
Fix typos, non-canonical code, remove dead code, etc.
2018-03-08 18:48:26 +01:00
Dmitry Vyukov
6051a5b552 prog: combine RequiresBitmasks and RequiresChecksums into RequiredFeatures 2018-02-19 21:48:20 +01:00
Dmitry Vyukov
08146b1a84 sys/linux: extend netfilter descriptions 2018-01-27 17:08:43 +01:00
Dmitry Vyukov
fd3e9f2b97 executor: introduce uint64/32/16/8 types
The "define uint64_t unsigned long long" were too good to work.
With a different toolchain I am getting:

cstdint:69:11: error: expected unqualified-id
  using ::uint64_t;
          ^
executor/common.h:34:18: note: expanded from macro 'uint64_t'

Do it the proper way: introduce uint64/32/16/8 types and use them.

pkg/csource then does s/uint64/uint64_t/ to not clutter code with
additional typedefs.
2017-12-27 11:15:04 +01:00
Dmitry Vyukov
431d3c90b1 pkg/csource: refactor
csource.go is too large and messy.
Move Build/Format into buid.go.
Move generation of common header into common.go.
Split generation of common header into smaller managable functions.
2017-12-17 11:39:14 +01:00
Dmitry Vyukov
f78642861b pkg/csource: support akaros 2017-10-16 14:21:54 +02:00
Dmitry Vyukov
f0565e6231 executor: write debug output to stderr
We print all other output to stderr, write debug output to stderr as well.
This does not matter for the main use case of running syz-execprog -debug,
but can is helpful if we want to communicate with syz-executor via stdin/stdout.
2017-10-16 14:21:54 +02:00
Dmitry Vyukov
c2aee24101 executor: include missing header
writev requires <sys/uio.h>. Include it.
2017-10-10 19:03:04 +02:00
Dmitry Vyukov
eb97aa0610 executor: support fragmentation in syz_emit_ethernet
A recent linux commit "tun: enable napi_gro_frags() for TUN/TAP driver"
added support for fragmentation when emitting packets via tun.
Support this feature in syz_emit_ethernet.
2017-10-02 13:56:36 +02:00
Dmitry Vyukov
bdffe2484c executor: fix execution of windows syscalls
First, they must be called with stdcall convention.
Second, wrap them in __try/__except because they can crash.
2017-09-27 18:59:50 +02:00
Dmitry Vyukov
af442a22d9 executor, sys/windows: initial windows support 2017-09-25 15:19:06 +02:00
Dmitry Vyukov
913d592f97 all: more assorted fuchsia support 2017-09-22 13:10:55 +02:00
Dmitry Vyukov
a3c5751de3 executor: sandbox with RLIMIT_MEMLOCK
Locking memory is a reasonably legitimate local DoS vector.
E.g. bpf maps allow allocation of large chunks of kernel memory
without RLIMIT_MEMLOCK, which leads to hangups.
Set RLIMIT_MEMLOCK=8MB in executor.
2017-08-08 13:24:46 +02:00
Andrey Konovalov
e83310d8a2 pkg/csource: make all usleeps random
We can't know the exact values of those sleeps in advance, they can be
different for different bugs. Making them random increases the chance that
the C repro executes with the right timings at some point.
2017-07-24 14:22:54 +02:00
Dmitry Vyukov
d8daf57eca pkg/csource: regenerate 2017-06-26 15:34:54 +02:00
Dmitry Vyukov
baad3b4b02 pkg/csource: move from csource 2017-06-17 14:41:15 +02:00