Commit Graph

5523 Commits

Author SHA1 Message Date
Dmitry Vyukov
2111afe851 pkg/cover: test that CSV profile contains main function
The test also passed if there is no main at all.

Follow up to #2074
2020-09-28 09:41:25 +02:00
Dmitry Vyukov
f9bcf3095b pkg/cover: fix error message capitalization in tests
Follow up to #2074
2020-09-28 09:41:25 +02:00
Dmitry Vyukov
3bbd2f185f pkg/cover: unexport CSVHeader
No point for it to be a part of the package public interface.

Follow up to #2074
2020-09-28 09:41:25 +02:00
Jouni Hogander
5dd8aee810 docs/coverage.md: update coverage document 2020-09-26 17:47:37 +02:00
m5imunovic
84141e4bab tools/syz-cover: add command line option for coverage export
Add new command line option for exporting coverage information
calculated from rawcover file input into CSV file. The columns of
the exported file are:
Filename - function source file path
Function - function name
Percent  - coverage percentage
PCs      - number of total program counters

Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
2020-09-26 17:47:37 +02:00
Jouni Hogander
769c9b7a94 pkg/cover: add new view for function coverage
Add new view where function coverage is shown when clicking file coverage
percent
2020-09-26 17:47:37 +02:00
Jouni Hogander
6f0ea384b1 pkg/cover: implement function coverage calculation 2020-09-26 17:47:37 +02:00
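The function-coverage calculation and the CSV export described in the syz-cover commits above, as an added example rather than syzkaller's own pkg/cover code. It assumes constructed sample data (the file names, function names and PC values are made up), emits the four columns the export option lists, and also shows the stricter profile check the follow-up test commit (2111afe851) asks for: the CSV is parsed back, so a header-only profile does not pass by accident.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Function is one kernel function as a coverage report sees it: the
// source file it lives in and the instrumented program counters (PCs)
// that belong to it. A real report takes these from vmlinux debug info;
// here they are constructed sample data.
type Function struct {
	File string
	Name string
	PCs  []uint64
}

// FunctionCoverage is one row of the exported CSV profile, using the
// column names the export option describes.
type FunctionCoverage struct {
	Filename string
	Function string
	Percent  float64 // share of the function's PCs present in rawcover
	PCs      int     // total number of PCs in the function
}

// Constructed sample input: a rawcover list that hits two of the four
// PCs of the first function and both PCs of the second. The stray
// 0x9999 belongs to no function and is ignored.
var SampleFunctions = []Function{
	{File: "fs/ext4/inode.c", Name: "ext4_readpage", PCs: []uint64{0x1000, 0x1004, 0x1008, 0x100c}},
	{File: "init/main.c", Name: "main", PCs: []uint64{0x2000, 0x2004}},
}

var SampleRawCover = []uint64{0x1000, 0x1008, 0x2000, 0x2004, 0x9999}

// Coverage computes per-function coverage from a rawcover PC list.
func Coverage(funcs []Function, rawCover []uint64) []FunctionCoverage {
	covered := make(map[uint64]bool, len(rawCover))
	for _, pc := range rawCover {
		covered[pc] = true
	}
	rows := make([]FunctionCoverage, 0, len(funcs))
	for _, f := range funcs {
		hits := 0
		for _, pc := range f.PCs {
			if covered[pc] {
				hits++
			}
		}
		pct := 0.0
		if len(f.PCs) > 0 { // a function without PCs is reported as 0%, not NaN
			pct = 100 * float64(hits) / float64(len(f.PCs))
		}
		rows = append(rows, FunctionCoverage{f.File, f.Name, pct, len(f.PCs)})
	}
	// Deterministic order so profiles can be diffed between runs.
	sort.Slice(rows, func(i, j int) bool {
		if rows[i].Filename != rows[j].Filename {
			return rows[i].Filename < rows[j].Filename
		}
		return rows[i].Function < rows[j].Function
	})
	return rows
}

// ExportCSV renders rows under the Filename,Function,Percent,PCs header.
func ExportCSV(rows []FunctionCoverage) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	w.Write([]string{"Filename", "Function", "Percent", "PCs"})
	for _, r := range rows {
		w.Write([]string{r.Filename, r.Function, strconv.FormatFloat(r.Percent, 'f', 2, 64), strconv.Itoa(r.PCs)})
	}
	w.Flush()
	return buf.String(), w.Error()
}

// ContainsFunction reports whether a CSV profile has a row for name.
// It parses the profile instead of substring-matching, so a header-only
// profile reports false rather than passing a test by accident.
func ContainsFunction(profile, name string) (bool, error) {
	recs, err := csv.NewReader(strings.NewReader(profile)).ReadAll()
	if err != nil {
		return false, err
	}
	for i, rec := range recs {
		if i == 0 { // header row
			continue
		}
		if rec[1] == name {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	profile, err := ExportCSV(Coverage(SampleFunctions, SampleRawCover))
	if err != nil {
		panic(err)
	}
	fmt.Print(profile)
}
```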
Jouni Hogander
0b9318b447 Makefile: add new make target for syz-cover tool 2020-09-26 17:47:37 +02:00
Dmitry Vyukov
2d5ea0cb6e syz-ci: disable CONFIG_DEBUG_INFO_BTF during patch testing
This is a hack as noted in the comment.
A proper support would require touching lots of files,
and we only need this temporary until #2096 is resolved.

One recent example of failed patch testing:
https://groups.google.com/g/syzkaller-bugs/c/O8CkScAt9ck/m/E3CYKSGSAgAJ
2020-09-26 12:58:18 +02:00
Radoslav Gerganov
4a006f636c sys/linux: descriptions for /dev/vmci 2020-09-25 14:12:45 +02:00
Radoslav Gerganov
54289b0835 tools/create-gce-image.sh: mount the root filesystem read-write
Add fstab entry to mount the root filesystem read-write after boot. This
has been done with commit 873745 for create-image.sh. Maybe this hint is
not necessary for GCE but it is required when running on other platforms
(e.g. VMware).
2020-09-23 17:21:11 +02:00
Dmitry Vyukov
3489f2f32e docs: add link for another clang compiler version 2020-09-23 17:17:16 +02:00
Radoslav Gerganov
b70f2394ec docs/linux: add instructions for fuzzing on VMware hosted hypervisors
Add new page for fuzzing x86-64 Linux kernel on VMware VMs.
It explains how to create a VMDK image and how to run it on Ubuntu host
with Workstation installed. For now only the isolated mode of syzkaller
is supported.
2020-09-23 17:13:28 +02:00
Dmitry Vyukov
287cd75a6d pkg/report: fix a test 2020-09-23 08:42:25 +02:00
Dmitry Vyukov
d983f3059e pkg/report: detect hrtimer_run as stall anchor frame 2020-09-23 08:27:07 +02:00
Aleksandr Nogikh
3e8f6c2755 executor: make exit code during fail() depend on fault injection
fail()'s are often used during the validation of kernel reactions to
queries that were issued by pseudo syscall implementations. As fault
injection may cause the kernel not to succeed in handling these
queries (e.g. socket writes or reads may fail), this could ultimately
lead to unwanted "lost connection to test machine" crashes.

In order to avoid this and, on the other hand, to still have the
ability to signal a disastrous situation, the exit code of this
function now depends on the current context.

All fail() invocations during system call execution with enabled fault
injection lead to termination with zero exit code. In all other cases,
the exit code is kFailStatus.

This is achieved by introduction of a special thread-specific variable
`current_thread` that allows accessing information about the thread in
which the current code is executing.

Also, this commit eliminates current_cover as it is no longer needed.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
2450c42f1b sys/linux: enhance ifreq_dev_t definition by setting attribute directions
This modification allows removing the [opt] modifier for all uses of
ifreq_dev_t and ifreq_t
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
85685b5d63 sys/linux: adjust nl80211 descriptions to match net_80211.txt
nl80211 descriptions depend on a variety of parameters specific to the
wireless devices/networks that we act upon. This patch adjusts these
values to match the hard-coded parameters of the pre-created virtual
wireless devices.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
9133037195 all: integrate with mac80211_hwsim
Two virtual wireless devices are instantiated during network devices
initialization.

A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.

Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identified by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.

Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join
3) mode -- mode of syz_80211_join_ibss operation (see below)

Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.

Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
1125444eb8 executor/common_linux.h: refactor __NR_syz_genetlink_get_family_id
As netlink helpers now include a function to query generic netlink
family id, it makes no sense to duplicate implementation of
essentially the same function.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
a44e0f15f3 executor/common_linux.h: remove assumption that netlink always returns nonpositive error codes
The code in common_linux.h assumes that nlmsgerr can either be 0 or a
negative value in case of an error. However, this is not always the
case. For example, some commands of mac80211_hwsim use nonnegative
values to indicate success (e.g. HWSIM_CMD_NEW_RADIO returns either a
negative error or a nonnegative radio index). Therefore, negation of
error code inside netlink_send_ext is not correct.

This patch changes this behavior. Now netlink_send_ext returns the
exact value it received via netlink.
2020-09-22 10:12:23 +02:00
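An added illustration of the nlmsgerr semantics the commit above describes, not code from syzkaller's executor/common_linux.h: a Go parser for an NLMSG_ERROR reply that hands back the error field exactly as received instead of negating it. The nlmsghdr/nlmsgerr layout and NLMSG_* values are copied from <linux/netlink.h>; the sample packets are constructed (the radio index 3 and the -19 errno are made up), and a little-endian host is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout of struct nlmsghdr and struct nlmsgerr from
// <linux/netlink.h>. Netlink is host-endian; this example assumes a
// little-endian host, which is also how its sample packets are built.
const (
	nlmsgHdrLen = 16
	NLMSG_ERROR = 0x2
	NLMSG_DONE  = 0x3
)

var hostOrder = binary.LittleEndian

type NlMsgHdr struct {
	Len   uint32
	Type  uint16
	Flags uint16
	Seq   uint32
	Pid   uint32
}

func parseHdr(buf []byte) (NlMsgHdr, error) {
	if len(buf) < nlmsgHdrLen {
		return NlMsgHdr{}, errors.New("buffer shorter than nlmsghdr")
	}
	h := NlMsgHdr{
		Len:   hostOrder.Uint32(buf[0:4]),
		Type:  hostOrder.Uint16(buf[4:6]),
		Flags: hostOrder.Uint16(buf[6:8]),
		Seq:   hostOrder.Uint32(buf[8:12]),
		Pid:   hostOrder.Uint32(buf[12:16]),
	}
	if h.Len < nlmsgHdrLen || int(h.Len) > len(buf) {
		return NlMsgHdr{}, fmt.Errorf("nlmsg_len %d inconsistent with %d-byte buffer", h.Len, len(buf))
	}
	return h, nil
}

// ReplyValue returns nlmsgerr.error from an NLMSG_ERROR reply exactly as
// the kernel sent it: a negative value is -errno, while zero or a
// positive value is a success result (mac80211_hwsim's
// HWSIM_CMD_NEW_RADIO answers with the new radio index, for example).
// A helper that negates the field on the assumption that errors are
// always nonpositive would turn such a success value into a bogus error.
func ReplyValue(buf []byte) (int32, error) {
	h, err := parseHdr(buf)
	if err != nil {
		return 0, err
	}
	if h.Type != NLMSG_ERROR {
		return 0, fmt.Errorf("expected NLMSG_ERROR, got type %#x", h.Type)
	}
	if h.Len < nlmsgHdrLen+4 {
		return 0, errors.New("NLMSG_ERROR without nlmsgerr payload")
	}
	return int32(hostOrder.Uint32(buf[nlmsgHdrLen : nlmsgHdrLen+4])), nil
}

// IsFailure is the check a caller applies to the returned value.
func IsFailure(v int32) bool { return v < 0 }

// BuildErrorReply constructs an NLMSG_ERROR packet shaped like a kernel
// ack/error: header, nlmsgerr.error, then a copy of the offending
// request header (zeroed here). Constructed sample input only.
func BuildErrorReply(seq uint32, value int32) []byte {
	const total = nlmsgHdrLen + 4 + nlmsgHdrLen
	buf := make([]byte, total)
	hostOrder.PutUint32(buf[0:4], total)
	hostOrder.PutUint16(buf[4:6], NLMSG_ERROR)
	hostOrder.PutUint32(buf[8:12], seq)
	hostOrder.PutUint32(buf[nlmsgHdrLen:nlmsgHdrLen+4], uint32(value))
	return buf
}

func main() {
	for _, pkt := range [][]byte{BuildErrorReply(1, -19), BuildErrorReply(2, 3)} {
		v, err := ReplyValue(pkt)
		fmt.Printf("value=%d failure=%v err=%v\n", v, IsFailure(v), err)
	}
}
```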
Aleksandr Nogikh
6304883e1b sys/common_linux.h: replace netlink_devlink_id_get and netlink_wireguard_id_get by a more generic function
These two functions are almost entirely identical. In order to avoid
adding similar functions later on, a generic one is created.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
56f696d1d0 sys/common_linux.h: move the definition of a global nlmsg variable
This global variable cannot be used for pseudo syscalls as they can
run concurrently (in threaded mode). It can only be used during
initialization, and if initialization routines are not enabled, nlmsg
will become an unused variable.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
aff59df257 executor/common_linux.h: extend netlink helpers to support zero-payload attributes (flags)
This is required for 802.11 pseudo syscalls (that will be added
later).
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
f7907acd76 executor/common_linux.h: increase default nlmsg buffer size
1024 bytes are not enough to contain an arbitrary 802.11 MAC frame
together with netlink protocol overhead.
2020-09-22 10:12:23 +02:00
Aleksandr Nogikh
eb2b629d3c CONTRIBUTORS: add Aleksandr Nogikh to the file 2020-09-22 10:12:23 +02:00
Jouni Hogander
9e1fa68ee1 CONTRIBUTORS: add name to CONTRIBUTORS file 2020-09-21 11:23:04 +02:00
Jouni Hogander
bbb921d248 pkg/bisect: add ccache option
Add option to use ccache in kernel builds.

Signed-off-by: Jouni Hogander <jouni.hoegander@partner.bmw.de>
2020-09-21 11:23:04 +02:00
Jouni Hogander
5e8f0f25fa Makefile: add target for syz-bisect tool 2020-09-21 11:23:04 +02:00
Tetsuo Handa
c81d99c89a Makefile: try to install python-is-python3 package as needed
Since some scripts are executed using "python", create a symlink when "python3" exists
and "python" does not exist, by installing python-is-python3 package.

  /bin/sh: 1: python: not found
  make[2]: *** [Makefile:364: check_links] Error 127
2020-09-21 09:47:13 +02:00
Dmitry Vyukov
9564d2e982 tools/syz-imagegen: add 20 more filesystems
And populate images with some files,
which should make both mounting and resulting dir more interesting.

Note: this adds 100MB of image files into the repo...
Maybe we need to think of some other way of storing these images...
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
bee38a2be5 dashboard/config: enable more filesystems
+CONFIG_NILFS2_FS=y
+CONFIG_ORANGEFS_FS=y
+CONFIG_ADFS_FS=y
+CONFIG_AFFS_FS=y
+CONFIG_BEFS_FS=y
+CONFIG_EFS_FS=y
+CONFIG_JFFS2_FS=y
+CONFIG_CRAMFS=y
+CONFIG_VXFS_FS=y
+CONFIG_OMFS_FS=y
+CONFIG_HPFS_FS=y
+CONFIG_QNX4FS_FS=y
+CONFIG_QNX6FS_FS=y
+CONFIG_ROMFS_FS=y
+CONFIG_SYSV_FS=y
+CONFIG_UFS_FS=y
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
8394d04bf6 sys/linux: add syz_mount_image for 20 more file systems 2020-09-20 15:12:12 +02:00
Dmitry Vyukov
a5e37d4a8e pkg/runtest: split parsing tests into OS/arch subtests 2020-09-20 15:12:12 +02:00
Dmitry Vyukov
7b84681e92 pkg/csource: don't test auto-generated files
syz_mount_image tests are very large and TestSysTests takes too long.
syz-imagegen that generates them does some of this testing
(Deserialize/SerializeForExec).
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
5620c9c4db prog: allow arbitrary long lines in serialized programs
We use bufio.Scanner and it has mandatory limit on line length.
The file system tests (sys/linux/test/syz_mount_image_*) have
very long lines (megabytes).
Remove the restriction on line length.
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
43f95803e9 prog: extend error message on deserialization error 2020-09-20 15:12:12 +02:00
Dmitry Vyukov
9371418543 tools/syz-imagegen: add few more f2fs features
Add flexible_inline_xattr, inode_checksum, inode_crtime, project_quota features.
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
4dc0927070 syz-manager: fix logical races in rpc request handling
It is possible that we already called shutdownInstance,
but have some requests from this instance already in-flight.
Handle this case gracefully.
2020-09-20 15:12:12 +02:00
Dmitry Vyukov
1c1eb4919d tools/syz-imagegen: generate full test files instead of bash scripts
tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts.
It's hard to scale this approach to more file systems
avoiding duplication and stupid errors while doing proper
error handling and parallelization.
Upgrade syz-imagegen to generate full test files and replace
the shell scripts.

f2fs -O=compression option is removed, it does not seem to be
supported by mkfs.f2fs, it always says:
Error: Wrong features
The shell script used it, but it seems that the way it passed
arguments (in a single '-quoted string) just made mkfs misparse
the arguments (use only the first one?) and so -O=compression
and most other arguments were simply ignored.
2020-09-20 15:12:12 +02:00
Tetsuo Handa
53ce8104a7 Makefile: try to install g++ package explicitly
Since executor/gen.go invokes "gcc kvm_gen.cc kvm.S -o kvm_gen", g++ is needed.

  go generate ./pkg/csource ./executor ./pkg/ifuzz ./pkg/build ./pkg/html
  gcc: fatal error: cannot execute ‘cc1plus’: execvp: No such file or directory
  compilation terminated.
  executor/gen.go:6: running "bash": exit status 1
2020-09-18 14:01:27 +02:00
Alexander Egorenkov
49ad2baf8c executor: forbid inlining of 'remove_dir'
Fixes the issue with gcc 10 on Fedora 32 s390x:

In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);

../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors

compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL

Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
2020-09-18 09:58:50 +02:00
Andrew Donnellan
38962c8b05 tools/create-image.sh: map qemu -> Debian architecture names
create-image.sh assumes that the qemu name and the Debian name for the
target architecture are the same. This is not always true.

For comedy and/or historical reasons, Debian refers to 64-bit little
endian PowerPC as ppc64el, whereas qemu and most other things use ppc64le.
Debian refers to aarch64 as arm64, and 32-bit little endian arm as armel.
Add special cases to handle this.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
2020-09-18 07:52:38 +02:00
Alexander Egorenkov
8c70a2f7b7 sys/targets: use -m31 gcc option on s390x arch for 32bit targets
In ESA/S390 mode, the CPU is able to address only 31bit of
memory address space. GCC on s390x expects the flag -m31 instead
of -m32 for 32bit code.

Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
2020-09-18 07:49:33 +02:00
Alexander Egorenkov
8247808b71 pkg/host: use 'processor 0' as cpu model on s390x inside container
There is no field 'machine' in /proc/cpuinfo when we run inside
a Docker container but there is a 'processor 0' field which
provides the same information.

Example:

processor 0: version = 00,  identification = 310C57,  machine = 3906

Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
2020-09-16 21:15:40 +02:00
Dmitry Vyukov
5a3d0ca04d dashboard/config: enable UBSAN in KASAN config
Enable CONFIG_UBSAN/CONFIG_UBSAN_BOUNDS.
Regenerate config on linux-next 20200916.

Update #1523
2020-09-16 15:22:52 +02:00
Dmitry Vyukov
da5350eb9a pkg/report: support new linux UBSAN format
Update #1523
2020-09-16 15:22:52 +02:00
Dmitry Vyukov
77507d0229 docs: add another research paper 2020-09-16 13:39:40 +02:00
Dmitry Vyukov
5505e2dcdd prog: add missing \n in printf 2020-09-16 13:33:06 +02:00
Dmitry Vyukov
18d7d030e5 vm/vmimpl: update console code for the new unix package
The current code is now broken on darwin:

syzkaller$ GOOS=darwin go install ./vm/...
vm/vmimpl/console.go:30:33: undefined: unix.SYS_IOCTL
vm/vmimpl/console.go:45:32: undefined: unix.SYS_IOCTL
2020-09-15 19:34:30 +02:00