* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
csum_inet_update does not handle odd number of bytes
on big-endian architectures correctly. When calculating
the checksum of odd number of bytes, the last byte must be
interpreted as LSB on little-endian architectures and
as MSB on big-endian ones in a 16-bit half-word.
Futhermore, the checksum tests assume that the underlying architecture
is always little-endian. When a little-endian machine stores
a calculated checksum into memory, then the checksum's bytes
are automatically swapped. But this is NOT true on a big-endian
architecture.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
Improve used terminology by using better verbs to express the effect of
the whitelist/blacklist.
This also changes executor to exclusively show respectful log messages,
and as per recent conversion, converts the last such case.
Some terms are normalised on the technical level
but may be oppressive on a societal level.
Replace them with more technically neutral terms.
See the following doc for a longer version:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
Fuchsia has strict controls over who can map memory as executable.
Refactoring syz-executor to be able to do that involves a non trivial
amount of work: it needs to run as a fuchsia component and replace stdin
for some other mechanism to communicate with syz-fuzzer (probably a fidl
service and a thin client that proxies stdin/stdout to syz-fuzzer via
ssh).
Mapping memory as executable doesn't seem to be used or needed in
syz-executor at all. After talking with Dmitry, he mentioned that it was
used in a deprecated feature: `syz_execute_func` which would execute
random code. It also allows more scenarios during fuzzing.
For now, I'm removing that option to allow syzkaller continue fuzzing.
This change also refactors all of the error messages adding a string
representation of the `zx_status_t` in error logs.
This patch changes syz_usb_ep_read/write pseudo-syscalls to accept endpoint
address as specified in its endpoint descriptor, instead of endpoint index.
Renamed Target.BrokenCrossCompiler to Target.BrokenCompiler and
Target.CrossCFlags to Target.CFlags
"Everything in Target is about Cross now."
Signed-off-by: Alexander Potapenko <glider@google.com>
In preparation to running some tests as github actions.
Both Travis and Github define CI env var, while TRAVIS is, well,
too Travis-specific.
Update #1699
It seems that gcc in ubuntu on travis got dumber:
<stdin>: In function ‘execute_call’:
<stdin>:1741:6: error: ‘res’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
cc1: all warnings being treated as errors
compiler invocation: arm-linux-gnueabi-gcc [-o /tmp/syz-executor675297211 -DGOOS_linux=1 -DGOARCH_arm=1 -DHOSTGOOS_linux=1 -x c - -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=16384 -D__LINUX_ARM_ARCH__=6 -march=armv6 -static -Wno-overflow]
https://travis-ci.com/github/dvyukov/syzkaller/jobs/327487382
Though, we generate the same code and res seems to be initialized on all paths.
Initialize it explicitly.
1. Detect when compiler is present, but is not functioning
(can't build a simple program, common for Linux distros).
2. Be more strict with skipping tests due to missing/broken compilers on CI
(on CI they should work, so fail loudly if not).
3. Dedup this logic across syz-env and pkg/csource tests.
4. Add better error reporting for syz-env.
Fixes#1606
Move additional call/prog timeouts to descriptions.
Due to this logic duplication executor used 50ms
for syz_mount_image, while pkg/csource used 100ms.
In some configurations tun_frags_enabled ends up being unused
with a compiler warning and failed build.
Remove mode code if ENABLE_NAPI_FRAGS is not enabled.
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's just some arbitrary mmap,
but rather mapping of the data segment.
The feature gets enabled when /dev/raw-gadget is present and accessible.
With this feature enabled, executor will do chmod 0666 /dev/raw-gadget on
startup, which makes it possible to do USB fuzzing in setuid and namespace
sandboxes. There should be no backwards compatibility issues with syz
reproducers that don't explicitly enable this feature, as they currently only
work in none sandbox.
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4a ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
