reactos/syzkaller
1
0
Fork 0
mirror of https://github.com/reactos/syzkaller.git synced 2024-11-24 20:09:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
995 Commits 4 Branches 0 Tags 180 MiB
1ab96df885
Commit Graph

58 Commits

Author SHA1 Message Date
Andrey Konovalov
1ab96df885 executor: call flush_tun for repeat repros 2017-06-12 19:48:23 +02:00
Andrey Konovalov
7b43c5f9f7 executor: move inet checksum code under ifdef 2017-06-12 19:48:23 +02:00
Dmitry Vyukov
66fd442d48 pkg/fileutil: move from fileutil 2017-06-03 10:41:09 +02:00
Dmitry Vyukov
48d4af340f csource: regenerate 2017-06-03 10:41:09 +02:00
Dmitry Vyukov
0fcd5fd3dd all: speed up tests 
Mark tests as parallel where makes sense.
Speed up sys.TransitivelyEnabledCalls.

Execution time is now:

ok  	github.com/google/syzkaller/config		0.172s
ok  	github.com/google/syzkaller/cover		0.060s
ok  	github.com/google/syzkaller/csource		3.081s
ok  	github.com/google/syzkaller/db			0.395s
ok  	github.com/google/syzkaller/executor		0.060s
ok  	github.com/google/syzkaller/fileutil		0.106s
ok  	github.com/google/syzkaller/host		1.530s
ok  	github.com/google/syzkaller/ifuzz		0.491s
ok  	github.com/google/syzkaller/ipc			1.374s
ok  	github.com/google/syzkaller/log			0.014s
ok  	github.com/google/syzkaller/prog		2.604s
ok  	github.com/google/syzkaller/report		0.045s
ok  	github.com/google/syzkaller/symbolizer		0.062s
ok  	github.com/google/syzkaller/sys			0.365s
ok  	github.com/google/syzkaller/syz-dash		0.014s
ok  	github.com/google/syzkaller/syz-hub/state	0.427s
ok  	github.com/google/syzkaller/vm			0.052s

However, main time is still taken by rebuilding sys package.

Fixes #182
 2017-05-29 13:15:07 +02:00
Dmitry Vyukov
220dc49106 csource: reproduce crashes with fault injection 2017-05-26 17:22:57 +02:00
Andrey Konovalov
f919224c44 sys, executor: extract tcp sequence numbers from /dev/net/tun 
This commit adds a new pseudo syscall syz_extract_tcp_res, that reads
a packet from /dev/net/tun and extracts tcp sequence numbers to be used
in subsequent packets.

As a result this syzkaller program:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
listen(r0, 0x5)
syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)

established a TCP connection:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      5477/a.out
tcp        2      0 172.20.0.170:20000      172.20.0.187:20001      ESTABLISHED 5477/a.out

Similar program for IPv6:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
listen(r0, 0x5)
syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::20001                :::*                    LISTEN      5527/a.out
tcp6       0      0 fe80::aa:20001          fe80::bb:20000          ESTABLISHED 5527/a.out
 2017-05-26 14:28:09 +02:00
Dmitry Vyukov
a2ef63b51f csource: regenerate 2017-05-25 12:40:06 +02:00
Andrey Konovalov
ac0c70f74a prog, executor: move checksum computation to executor 
This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.
 2017-05-12 15:47:59 +02:00
Dmitry Vyukov
03afd0afa2 csource: strip __STDC_VERSION__ macro from generated source 2017-05-06 15:29:18 -07:00
Andrey Konovalov
91ea49ce25 vm: add Odroid support 
This commit adds Odroid C2 support to syzkaller.
It's now possible to specify "type": "odroid" in manager config.

Documentation on how to setup fuzzing with Odroid C2 board is here:
https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2

Note, that after this change libusb-1.0-0-dev package should be
installed to build syzkaller.
 2017-03-10 17:10:52 +01:00
Dmitry Vyukov
895e034a4d csource: regenerate 2017-03-05 14:44:32 +01:00
Dmitry Vyukov
d0a89289d5 csource: fix parallel mode to wait for subprocesses 
Currently it lefts some orphaned children,
so that ctrl+C does not kill them.
Wait for the children.
 2017-02-02 20:23:40 +01:00
Andrey Konovalov
f81d9da13a executor: fix undefined setup_tun() function error in c repros 2017-02-01 14:52:35 +01:00
Dmitry Vyukov
1d3ef1f50a csource: regenerate and reformat 2017-02-01 10:16:19 +01:00
Andrey Konovalov
f3bb6d96be executor: fix tun initialization when sandbox != none 2017-01-31 18:40:10 +01:00
Dmitry Vyukov
4ee789185b sys: improve kvm description 
Allow fuzzer to change types of segment descriptors.
Alter more flags.
Allow fuzzer to do a random vmwrite.
 2017-01-28 19:58:31 +01:00
Dmitry Vyukov
83cf8e3924 csource, syz-gce: regenerate and reformat 2017-01-27 20:51:41 +01:00
Dmitry Vyukov
f810d08444 executor: protect against memory corruptions better 
Fuzzer has figured out how to corrupt input/output shmem regions
abusing the text memcpy in syz_kvm_setup_cpu. It guessed a negative
text_size value that causes the memcpy to overwrite shmem regions.
Protect better against such cases:
1. Make text_size unsigned (there is already a check that it is less than 1000).
2. Map input region as readable only, we don't write to it.
3. Add address sanity check to segv_handler, if we see that we are writing
   into executable data, it's better to crash instantly.
 2017-01-25 11:01:30 +01:00
Andrey Konovalov
f8ecf0862d executor: change tun subnet to 172.20.* 2017-01-23 18:17:15 +01:00
Andrey Konovalov
07880f3c01 csource: use 0x%x format for printing bitfield addr and arg 2017-01-23 18:13:11 +01:00
Dmitry Vyukov
a7e4a49fae all: spot optimizations 
A bunch of spot optmizations after cpu/memory profiling:
1. Optimize hot-path coverage comparison in fuzzer.
2. Don't allocate and copy serialized program, serialize directly into shmem.
3. Reduce allocations during parsing of output shmem (encoding/binary sucks).
4. Don't allocate and copy coverage arrays, refer directly to the shmem region
   (we are not going to mutate them).
5. Don't validate programs outside of tests, validation allocates tons of memory.
6. Replace the choose primitive with simpler switches.
   Choose allocates fullload of memory (for int, func, and everything the func refers).
7. Other minor optimizations.
 2017-01-20 23:55:25 +01:00
Andrey Konovalov
9d7a67da1f executor: fix warning regarding type cast in STORE_BY_BITMASK 2017-01-20 14:20:43 +01:00
Andrey Konovalov
44e91ae900 csource: fix STORE_BY_BITMASK in prog2c 2017-01-20 14:20:43 +01:00
Dmitry Vyukov
1ac75f06ad executor: fix copyin of values 
Currently non-bitfield values are copied incorrectly.
Probably all turned into zeros or something.
Fix that. Add test.
 2017-01-17 19:04:37 +01:00
Dmitry Vyukov
8ead82246b csource: regenerate 2017-01-17 17:20:01 +01:00
Andrey Konovalov
54e0cede43 prog: add bitfields to templates 
Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.

This fixes #72.
 2017-01-17 13:25:33 +01:00
Dmitry Vyukov
ff8c0180ab sys, executor: more kvm improvements 
1. Basic support for arm64 kvm testing.
2. Fix compiler warnings in x86 kvm code.
3. Test all pseudo syz calls in csource.
4. Fix handling of real code in x86.
 2017-01-12 11:57:17 +01:00
Dmitry Vyukov
bbd4840872 sys: extend kvm support 
Add new pseudo syscall syz_kvm_setup_cpu that setups VCPU into
interesting states for execution. KVM is too difficult to setup otherwise.
Lots of improvements possible, but this is a starting point.
 2017-01-09 20:28:10 +01:00
Dmitry Vyukov
bdc6d550b0 executor: use NONFAILING strcpy in syz_open_dev 
The source is fuzzer provided memory, it can be non-addressable.
 2017-01-09 20:20:49 +01:00
Dmitry Vyukov
c5f38186d2 csource: compile with -Werror 
Check for compiler warnings during compilation.
Don't require -std=c99.
Fix existing compiler warnings.
 2017-01-09 20:20:49 +01:00
Dmitry Vyukov
4ca49b389a csource: fix fork bomb 2017-01-09 20:19:44 +01:00
Dmitry Vyukov
746f74d254 csource: remove more predefined defines from generated source 2017-01-09 20:19:44 +01:00
Dmitry Vyukov
5d23ba9171 executor: don't fail on ENOMEM 2016-12-16 15:36:29 +01:00
Dmitry Vyukov
9c94dffdc5 executor: handle exit failures 
See the added comment for explanation.
 2016-12-08 17:38:31 +01:00
Dmitry Vyukov
72a439b447 executor: add struct to cap structs 
Otherwise it does not compile as C.
Also regenerate csource/common.go (it misses the MAX_PIDS change).
 2016-12-07 16:00:20 +01:00
Andrey Konovalov
346fb4e5e9 executor: don't try to open tun if it's not enabled 2016-12-02 19:21:33 +01:00
Andrey Konovalov
11e1b430a8 csourse: emit remove_dir only when needed 2016-11-29 19:02:58 +01:00
Andrey Konovalov
b13dc4bf50 csourse: fix emitting syz_* syscalls in c reproducer 2016-11-29 18:53:41 +01:00
Andrey Konovalov
c5707f5e57 executor: emit ethernet traffic 2016-11-29 17:39:38 +01:00
Dmitry Vyukov
c732a41acb csource: don't emit syz_ syscalls is they are not used 2016-11-26 16:41:40 +01:00
Andrey Konovalov
253a40f30d sys: add proc type to denote per proccess integers 2016-11-25 17:51:41 +01:00
Dmitry Vyukov
ab3f4a0736 executor: fix sandbox=setuid 
Need to chmod(0777) the work dir before we do setuid(nobody).
Otherwise nobody user won't have rights to use the temp dir.
 2016-11-22 15:51:00 +01:00
Dmitry Vyukov
431793d307 csourceL add missing include and define 2016-11-22 15:50:31 +01:00
Dmitry Vyukov
c9ae0f69d8 vm: add ability to interrupt commands 
This is required for crash reproduction in manager.
 2016-11-19 11:14:11 +01:00
Dmitry Vyukov
59f7c210d0 repro: factor out of syz-repro tool 
Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.
 2016-11-19 10:00:36 +01:00
Dmitry Vyukov
11a690d275 sys, prog: add tests for description parsing and serialization 
Add sys/test.txt file with description of syscalls for tests.
These descriptions can be used to ensure that we can parse everything we clain we can parse.
Use these descriptions to write several tests for exec serialization
(one test shows that alignment handling is currently incorrect).
These test descriptions can also be used to write e.g. mutation tests.

Update #78
 2016-09-28 20:06:42 +02:00
Dmitry Vyukov
1f9bd1e845 csource: make collide mode more random 
Update #59
 2016-08-28 16:37:24 +02:00
Dmitry Vyukov
8278953eb4 csource: teach how to execute pseudo syz_ syscalls 
Update #59
 2016-08-28 16:33:32 +02:00
Dmitry Vyukov
9b91ede860 executor, csource: share some common code between executor and csource 2016-08-28 14:59:48 +02:00