Hints for data args don't work.
We do all the work, but at the final stage we patch
arg in the _old_ program, not in the _new_ one.
So programs passed to the callback are all the same
and don't contain any mutations.
Tests did not catch this because they work right before that point
(don't test the actual interface function MutateWithHints).
Fix that and add a test that catches this.
exitf function was not defined with some combinations of options in csource.
Fix defines and switch exitf back to fail, fail already checks ENOMEM/EAGAIN,
so there is no reason to use exitf in this particular case.
Unshare as much as we can for all sandboxing modes.
This fixes "kernel panic: Attempted to kill init!" crashes
under sandbox=none. And should just generally improve
reproducibility, e.g. if we unshare SYSVSEM fuzzer won't
collide with any existing semaphores.
For string[N] we successfully deserialize a string of any length.
Similarly for a fixed-size array[T, N] we successfully deserialize
an array of any size.
Such programs later crash in foreachSubargOffset because static size
Type.Size() does not match what we've calculated iterating over fields.
The crash happens only in SerializeForExec in syz-fuzzer,
which is especially bad.
Fix this from both sides:
1. Validate sizes of arrays/buffers in Validate.
2. Repair incorrect sizes in Deserialize.
KEYCTL_DH_COMPUTE used the old fixed list of algorithm names.
Use the new code for algorithm generation.
+ it needs only SHASH algs, but we passed in all alg names.
Pass only SHASH algs.
There is effectively infinite number of possible crypto
algorithm names due to templates. Plus there is tricky
relation between algorithms and algorithm type names.
This change adds custom mutator for sockaddr_alg struct
to improve variance in generated algorithms.
executor: changed kOutputDataAddr so that it works on 32-bit kernels
executor: simplified ifdefs for arm in executor_linux.cc
executor: removed empty lines that were accidentally added.
For some racy bugs syzkaller can generate a C reproducer with tun
enabled, when it's not actuallly required to trigger the bug.
Some kernel developers (that don't have CONFIG_TUN=y on their setups)
complain about such C repros.
When tun is not available, instead of exiting, print a message that tun
initialization failed and proceed.
Add a definition for keyctl_dh_compute(), which was added in the v4.7
kernel, then in the v4.12 kernel extended to take in an optional
'keyctl_kdf_params' argument. (Requires CONFIG_KEY_DH_OPERATIONS=y.)
Many functions in the keys API take in an ID parameter that is expected
to refer to a keyring, not to any key. Therefore, define a resource
subtype 'keyring' which can be created by add_key("keyring", ...) or by
using one of the special keyring IDs.
Also define a resource subtype 'user_key', since we'll be adding a
definition for KEYCTL_DH_COMPUTE which takes in a struct containing
"user" key IDs.
Add to key.txt all key types that currently might be present in the
kernel. It was missing a few important ones such as "asymmetric", which
has a significant attack surface since the payloads are run through an
ASN.1 decoder.
RLIMIT_AS auses frequent random aborts on netbsd.
Reason unknown. Disable it for now.
Documentation says that __syscall should be used
for syscalls with 64-bit arguments. On amd64 most
syscalls have 64-bit arguments (incl mmap),
so switch to it.
* Lots of changes to sys/netbsd:
- Removed a few syscalls that did not have proper constants defined.
- Autogenerated *.const files.
- Removed a few types like uid and gid, that were not available.
- Ran make generate
* Few changes for NetBSD support:
- Added sys/netbsd/init.go
- Added netbsd to sys/sys.go
* Fix order in sys/sys.go
* Update documentation for NetBSD
When comparisons are enabled fuzzer somehow manages to discover
the output region and corrupt it. It seems to fetch the address
from some memory operations (mmap/munmap).
Don't leak the output region address.
This is mostly copied form linux.
We probably need better support for sharing descriptions
between multiple OSes. But there are lots of differences,
so this is not trivial.
1. remove workaround for pthread attrs (was fixed in akaros)
2. remove workaround for dup2 (was fixed in akaros)
3. check that we receive a program
4. implement timeout for test processes
