Commit Graph

382 Commits

Author SHA1 Message Date
Dmitry Vyukov
335cf4f4fd prog: fix crash in createResource
We may be in createResource but have no resources at all because of ANYRES
that are not in target.Resources.
This is actually the case for some test targets. We have resources there,
but syscalls that create them are disabled.
In such case we crash in Intn(0).
Check that we have some resources before calling Intn.
2019-04-23 18:59:49 +03:00
Dmitry Vyukov
8095117313 all: fix some static analysis warnings
Fix warnings produced by golangci-lint.

Update #977
2019-04-23 17:58:54 +03:00
Dmitry Vyukov
4f421599f9 sys/linux: add simple io_uring descriptions
We don't actually communicate with the uring yet,
but this already finds a bunch of bugs.
2019-04-12 16:19:23 +02:00
Dmitry Vyukov
44fe9159be prog/test: rename prog/fuzz to prog/test
gometalinter complained about fuzz.FuzzFoo names,
but go-fuzz now requires all fuzz functions to start with Fuzz.
So move the package to prog/test.
2019-04-01 12:20:19 +02:00
Dmitry Vyukov
c35ee0ea6d prog, pkg/compiler: fix warnings
gometalinter says:

pkg/compiler/consts.go:192:⚠️ internal error: no range for "n" (vetshadow)
pkg/compiler/consts.go:197:⚠️ internal error: no range for "n" (vetshadow)
prog/encoding.go:862:⚠️ declaration of "v" shadows declaration at prog/encoding.go:852 (vetshadow)

This somehow happens only with Go1.11 but not 1.12 so wasn't detected locally.
The prog warnings looks legit.
The pkg/compiler warning was amusingly introduced to please golangci-lint checker,
revert that fix for now.
2019-03-29 19:04:30 +01:00
Dmitry Vyukov
c84501fe70 prog: fix a bunch of bugs in parsing
Add fuzzer for Deserialize and fix 5 or so bugs it found.

Fixes #1086
2019-03-29 08:56:02 +01:00
Dmitry Vyukov
4a9fce1952 all: fix warnings pointed to by golangci-lint
Update #977
2019-03-28 15:30:18 +01:00
Dmitry Vyukov
d23e90a7b4 all: switch to Go 1.12
Differences in code formatting between Go versions cause constant
problems for us (https://github.com/golang/go/issues/25161).
Currently we support 1.9 and 1.10. Switch to newer 1.11 and 1.12.

Fixes #1013
2019-03-14 14:55:59 +01:00
Dmitry Vyukov
0278574b21 prog: add a test for ChoiceTable 2019-02-21 10:08:34 +01:00
Dmitry Vyukov
a39e52b1cd all: reformat with Go 1.10 2019-02-11 18:13:34 +01:00
Dan Robertson
13f1d0047a sys/linux: add NDISC packet formats to vnet.txt
Add the basic NDISC (RFC 4861) packet formats to sys/linux/vnet.txt.
2019-02-11 18:10:35 +01:00
Dmitry Vyukov
fa6c7b7080 sys/linux: prohibit opening /proc/self/exe
Fuzzer manages to open it and do bad things with it.
Prevent it from doing so.
2019-02-08 16:30:44 +01:00
Andrey Konovalov
ceb907750f prog: fix checksum dependencies
Make pseudo checksums depend (via csumUses) on the arg it requires for
calculation. Otherwise we fail to assign addrs to those args during encoding
for execution. Also add a test.
2019-02-01 16:52:54 +01:00
Dmitry Vyukov
8e579f27d6 prog: fix escaping of C strings
C's \xHH hex constants in strings accept any number of hex digits
(not just 2 or 4). So later non-hex escaped chars glue to the \x construct.
Use \OOO instead as it accepts at most 3 octal digits.
2019-01-31 11:35:53 +01:00
houjingyi
69d69aa92d Update hints_test.go 2019-01-07 10:01:28 +01:00
Dmitry Vyukov
709e893d24 prog: don't produce the same program when mutating with hints
No point in producing the same program as result of mutation with hints.
So don't do it.
2019-01-03 13:39:30 +01:00
Dmitry Vyukov
adddc5fd46 prog: remove several sources of non-determinism
Non-determinism is bad:
 - it leads to flaky coverage reports
 - it makes test failures non-reproducible

Remove 4 sources of non-determinism related to maps:
 - file name generation
 - string generation
 - resource generation
 - hints generation

All a test that ensures all main operations are fully deterministic.
2019-01-03 12:23:57 +01:00
Dmitry Vyukov
06a2b89fc3 prog, pkg/{csource,ifuzz,ipc,repro}: make tests deterministic on travis
Don't use random seed on travis as it produces flaky coverage reports,
and probably generally better for CI setting.
2019-01-02 11:57:53 +01:00
Dmitry Vyukov
c5499485c2 prog: speed up TestResourceCtors
We check each resource multiple times. Check each resource once.
2018-12-31 12:32:14 +01:00
Dmitry Vyukov
2b084c9886 pkg/csource: use 0 for missing syscall args
We don't specify trailing unused args for some syscalls
(e.g. ioctl that does not use its arg).
Executor always filled tailing unsed args with 0's
but pkg/csource didn't. Some such syscalls actually
check that the unsed arg is 0 and as the result failed with C repro.

We could statically check and eliminate all such cases,
but it turns out the warning fires in 1500+ cases:
a3ace5a63f/gistfile1.txt

So instead fill such args with 0's in pkg/csource too.
2018-12-27 13:11:57 +01:00
Dmitry Vyukov
def91db3fe prog, pkg/csource: more readable serialization for strings
Always serialize strings in readable format (non-hex).
Serialize binary data in readable format in more cases.

Fixes #792
2018-12-15 15:17:13 +01:00
Greg Steuck
7795ae03c0 prog: detect invalid target.Syscalls in BuildChoiceTable
Without this check programs may end up panicing in places far away
from the real cause. E.g.

worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false
2004/02/03 12:11:11 fuzzer started
2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386
2004/02/03 12:11:12 syscalls: 1
2004/02/03 12:11:12 code coverage: enabled
2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller
2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller
2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller
2004/02/03 12:11:12 net packet injection: enabled
2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller
panic: invalid argument to Intn

goroutine 27 [running]:
math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40)
        /usr/local/go/src/math/rand/rand.go:169 +0x9c
github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69
github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2
main.(*Proc).loop(0xc000d92f40)
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1
created by main.main
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
2018-12-11 11:14:20 +01:00
Dmitry Vyukov
28bd3e371b prog: support AUTO args in programs
AUTO arguments can be used for:
 - consts
 - lens
 - pointers

For const's and len's AUTO is replaced with the natural value,
addresses for AUTO pointers are allocated linearly.

This greatly simplifies writing test programs by hand
as most of the time we want these natural values.

Update tests to use AUTO.
2018-12-10 16:37:02 +01:00
Dmitry Vyukov
ba64d006de prog: implement strict parsing mode
Add bulk of checks for strict parsing mode.
Probably not complete, but we can extend then in future as needed.
Turns out we can't easily use it for serialized programs
as they omit default args and during deserialization it looks like missing args.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
95fe19c19e prog: introduce strict parsing mode
Over time we relaxed parsing to handle all kinds of invalid programs
(excessive/missing args, wrong types, etc).
This is useful when reading old programs from corpus.
But this is harmful for e.g. reading test inputs as they can become arbitrary outdated.
For runtests which creates additional problem of executing not
what is actually written in the test (or at least what author meant).
Add strict parsing mode that does not tolerate any errors.
For now it just checks excessive syscall arguments.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
a5efea3ec3 prog: refactor deserialization code
Move target and vars into parser and make all
parsing functions methods of the parser.
This reduces number of args that we need to pass around
and eases adding more state that needs to be passed around.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
b80cc86486 prog: rename ProgGen to Builder
golint suggests that "prog.Prog" is a bad naming
because everything in prog package is ProgSomething.
Rename to Builder, "prog.Builder" sounds right.
2018-12-08 08:40:03 +01:00
Dmitry Vyukov
eada53b810 tools/syz-trace2syz/proggen: fix vma allocation
There are 2 bugs:
1. We always allocate 1 page, even if use more.
2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL.
The added test currently panics with "unaligned vma address".
2018-12-07 12:56:38 +01:00
Dmitry Vyukov
9e8a45fe27 tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc 2018-12-07 12:44:45 +01:00
Dmitry Vyukov
ab4b148b34 prog: add Prog.Finalize
Prog.Finalize combines assignSizesCall, SanitizeCall and validate.
Intended for users who build own programs,
so that we don't need to expose all individual methods.
2018-12-06 18:56:08 +01:00
Dmitry Vyukov
ceaec61a83 prog: export Type.DefaultArg
It's effectively exported anyway.
So export it the proper way.
2018-12-06 18:55:46 +01:00
shankarapailoor
6a60a19530 tools/syz-trace2syz: add tool to convert strace output to programs
* fixing weird merge error

* fixing presubmit

* fixing presubmit

* removing parsing code because of -Xraw option

* fix presubmit

* update

* deleting vma_call_handlers as we are currently skipping most vma calls. This simplifies memory_tracker as we don't need to keep track of vma allocations

* removing custom handling of bpf_instruction union

* removing ifconf parsing

* update

* removed all expression types and replaced them with constant types. removing ipv6_addr parsing while -Xraw is getting fixed. Removing constants.go

* removing ipv6 parsing

* presubmit

* moving direction check from ipv4_addr out to genUnion

* removing code that parses kcov

* removing redundant test

* removing custom code in generate unions to fill ipv4_addr

* proggen: changing order of imports to make external packages import first

fixing presubmit

* changing log messages to lower case to be consistent with other packages.

* removing pointer type and simplifying memory_tracker

removing comment

* moving context and return_cache to seaparate files

* deleting default argument generation when we should probably throw an error
2018-12-06 16:25:37 +01:00
Greg Steuck
0b29b7f952 prog: prevent sandbox escaping files from entering s.files 2018-11-27 13:16:05 +01:00
Andrey Konovalov
5a0d6e039d prog: try to nullify pointers when minimizing
This patch changes minimization routines to try assigning a.Res to nil
for each pointer arg.
2018-11-21 05:30:44 +01:00
Dmitry Vyukov
8bd6bd6365 prog: allow escaping paths but don't generate them
Filename generated escaping paths in the past.
The reason for the check during validation is to
wipe old program from corpuses. Now that they are
hopefully wiped everywhere, we can relax the check
to restrict only filename to not produce escaping paths,
but allow existing programs with escaping paths.
This is useful in particular if we generate syzkaller
programs from strace output.
2018-11-02 17:31:59 +01:00
Dmitry Vyukov
ecb386fe6f sys: check that target consts are defined
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
2018-10-19 19:11:22 +01:00
Dmitry Vyukov
1ba7fd7e65 all: fix code formatting
Reformat, remove debug leftovers, fix comment style.
2018-10-16 13:57:24 +02:00
Zach Riggle
f37861df63 targets: Use OS=linux when GOOS=android
This avoids the issue of "android" not having any registered configurations
or syscalls / ioctls / etc, when built with GOOS=android.

This occurs when building in Google3, since --config=android_arm64 selects
the Android toolchain.
2018-10-10 11:54:53 +02:00
Dmitry Vyukov
a4718693a3 sys/linux: add syz_execute_func
The function executes random code.

Update #310
2018-08-30 21:45:04 -07:00
Dmitry Vyukov
e8dd2c6713 prog: add concept of "special pointers"
Currently we only generate either valid user-space pointers or NULL.
Extend NULL to a set of special pointers that we will use in programs.
All targets now contain 3 special values:
 - NULL
 - 0xfffffffffffffff (invalid kernel pointer)
 - 0x999999999999999 (non-canonical address)
Each target can add additional special pointers on top of this.

Also generate NULL/special pointers for non-opt ptr's.
This restriction was always too restrictive. We may want to generate
them with very low probability, but we do want to generate them.

Also change pointers to NULL/special during mutation
(but still not in the opposite direction).
2018-08-30 21:45:03 -07:00
Dmitry Vyukov
6ba5fe3e62 sys/openbsd: disable mknod sanitization as tests fail
TestSerializeDeserializeRandom fails from time to time
because program is different after we serialize/deserialize it.
Turns out openbsd SanitizeCall is not idempotent.
Add a test for this and disable the logic for now.
2018-08-30 21:44:56 -07:00
Dmitry Vyukov
ee42876f95 prog: fix corner case in normalizePrio
Based on twitter bug report:
https://twitter.com/panicaII/status/1035058001269248000
2018-08-30 21:44:00 -07:00
Dmitry Vyukov
2dc4378f02 prog: don't add fallback signal after seccomp
seccomp filter can produce arbitrary errno values for subsequent syscalls.
Don't trust anything afterwards.
2018-08-19 00:13:24 -07:00
Dmitry Vyukov
c00da3df66 prog: collect all prog comments
Parse and collect and prog comments.
Will be needed for runtest annotations
(e.g. "requires threaded mode", etc).
2018-08-08 13:07:49 +02:00
Dmitry Vyukov
95a080a682 prog: strenghten type checking during validation
Check that argument types match expected static types.
I.e. detect when, say, syscall argument is a resource,
but actual generated argument is a pointer.
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
ae2f24aa70 prog: refactor calcStaticPriorities
Factor out several helper functions.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
c56465d568 prog: split and simplify Mutate
Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
1da82ae0f0 prog: introduce debugValidate
Move debug validation into a separate function.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
c8643744fe prog: refactor defaultArg/isDefaultArg
Refactor from single-big-switch to type methods.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
e002278dfb prog: refactor SerializeForExec
Factor copyin, copyout and checksums into separate functions.
Also slightly tidy csum analysis.

Update #538
2018-08-02 16:57:31 +02:00