If we have:
ioctl(fd fd, cmd int32)
ioctl$FOO(fd fd, cmd const[FOO])
Currently we assume that cmd size in ioctl$FOO is sizeof(void*).
However, we know that in ioctl it's specified as int32,
so we can infer that the actual syscall size is 4.
This massively reduces sizes of socket/setsockopt/getsockopt/ioctl
and some other syscalls, which is good because we now use physical
size in mutation/hints and some other places.
This will also enable not morphing ioctl's into other ioctl's.
Update #477
Update #502
Add errors3.txt with tests for errors that are produced during generation phase.
Refactor tests to reduce duplication.
Tidy struct/union size errors: better locations and make testable.
Ensure that we don't have conflicting sizes for the same argument
of the same syscall, e.g.:
foo$1(a int16)
foo$2(a int32)
This is useful for several reasons:
- we will be able avoid morphing syscalls into other syscalls
- we will be able to figure out more precise sizes for args
(lots of them are implicitly intptr, which is the largest
type on most important arches)
- found few bugs in linux descriptions
Update #477
Update #502
Description generation can also produce errors.
We don't want to emit warnings if there are any errors.
Move warnings emission to the very end of compilation.
Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
It happens a lot in qemu, and the messages are frequently corrupted
(intermixed with other kernel output as they are printed from NMI)
and are not matched against the suppression in pkg/report.
This write prevents these messages from being printed.
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4af5 ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentially.
Uncomment it.
Spotted by @xairy:
4428511d10 (r37456572)
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
We print whole reproducer programs on failure,
if lots of programs fail, this results in thousands
of lines of output, which is esp bad on travis.
Limit amount of output.
The stringnozescapes does not make sense with filename,
also we may need similar escaping for string flags.
Handle escaped strings on ast level instead.
This avoids introducing new type and works seamleassly with flags.
As alternative I've also tried using strconv.Quote/Unquote
but it leads to ugly half-escaped strings:
"\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"
Make hex-encoded strings a separate string format instead.
0. Remove aetest build tag. We don't need it anymore, go test should work.
1. IsDevAppServer does not return true in tests anymore, so don't use it
2. Use a different mechanism to register test/prod config.
We don't have aetest tag anymore, so we need something even more dynamic.
3. Fix new golangci-lint warnings: all test files are checked now.
Update #1461
If we are going to write all values, don't write field names.
This only increases size of generated files.
The change reduces size of generated files by 5.8%
(62870496-59410354=3460142 bytes saved).
SHA-1 is insecure. See a representative summary of known attacks here:
https://en.wikipedia.org/wiki/Hash_function_security_summary
Some external build systems warn about sha1 uses and reject to build.
Whitelisting is pain. Switch to sha256.
Overall idea of netlink checking.
Currnetly we check netlink policies for common detectable mistakes.
First, we detect what looks like a netlink policy in our descriptions
(these are structs/unions only with nlattr/nlnext/nlnetw fields).
Then we find corresponding symbols (offset/size) in vmlinux using nm.
Then we read elf headers and locate where these symbols are in the rodata section.
Then read in the symbol data, which is an array of nla_policy structs.
These structs allow to easily figure out type/size of attributes.
Finally we compare our descriptions with the kernel policy description.
Update #590
They can't be a bitmask. This fixes important cases
of "0, 1" and "0, 1, 2" flags. Fix some descriptions
that added 0 to bitmasks explicitly (we should do it
automatically instead).
Will simplify runtime analysis of flags.
Also just no reason to make it more deterministic
and avoid unnecessary diffs in future if values are reordered.
