They can't be a bitmask. This fixes important cases
of "0, 1" and "0, 1, 2" flags. Fix some descriptions
that added 0 to bitmasks explicitly (we should do it
automatically instead).
Will simplify runtime analysis of flags.
Also just no reason to make it more deterministic
and avoid unnecessary diffs in future if values are reordered.
Generate const[0] for flags without values and for flags
with a single value which is 0.
This is the intention in all existing cases (e.g. an enum with types
of something, but there is really only 1 type exists).
They mostly duplicate the warnings we already have for amd64/386.
But uncovered few very interesting local things (e.g. epoll_event
is packed only on amd64, so arm/arm64 layout is wrong, but 386
is correct because int64 alignment is different).
Update #590
We disabled it in configs, now also disable during bisection.
This config only adds debug output. It should not be enabled at all,
but it was accidentially enabled on some instances for some periods of time,
and kernel is boot-broken for prolonged ranges of commits with deadlock
which makes bisections take weeks.
From time to time we get corpus explosion due to different reason:
generic bugs, per-OS bugs, problems with fallback coverage, kcov bugs, etc.
This has bad effect on the instance and especially on instances
connected via hub. Do some per-syscall sanity checking to prevent this.
Never send more than 100K, this is never healthy but happens episodically
due to various reasons: problems with fallback coverage, bugs in kcov,
fuzzer exploiting our infrastructure, etc.
Some prctl commands don't respect the normal convention for return values
(e.g. PR_GET_TIMERSLACK, but there are more) and may produce all possible
errno values. This conflicts with fallback coverage.
On X86-64, dereferencing a non-canonical address normally causes a #GP, for
which syzkaller already has a pattern. However, if the base register of the
non-canonical address is RBP (which can happen in builds that use RBP as a
general-purpose register because they don't use frame pointer unwinding),
#SS is thrown instead, for which syzkaller did not yet have a pattern.
To see this kind of fault, you can insert the following code in
kernel_init() after the call to rcu_end_inkernel_boot():
asm volatile(
"movabs $0x8000000000000000, %rbp\n\t"
"movq (%rbp), %rax\n\t"
"ud2\n\t"
);
Linux prints a different error message for #SS, so add that error message
to syzkaller's list of patterns.
If lots of instances are started at the same time,
it slows down boot of every VMs and delays detection
of configuration bugs, etc. Start VMs with 10 sec delay,
so that checking happens faster.
This config is incomplete and is unusable by syzbot.
But adding this file first will make diff for the real
config submitted in the next commit useful.
* vm/isolated: update isolated vm
Old isolated.go cannot hard reset the target device when the target device is stuck,
because it used SSH command to reboot.
New isolated.go can reboot the target device using USB hub,
so it can reboot the device when its kernel is crashed during fuzzing.
It also doesn't require 'CGO' like odroid.go
* vm/isolated: set default Host, comment modification
* vm/isolated: restore ssh reboot in repair()
In the previous commit, ssh reboot is removed.
but it should be remained, so this commit restore the ssh reboot.
Now, repair() func can reboot the target using ssh or /sys/bus/usb/devices/.../authorized/
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using /bin/sh to file method
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using '/bin/sh' to file i/o
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using '/bin/sh' to file i/o
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: some fixes based on feedback
- change variable name: USBDevNum -> USBDevNums, USBAuth -> usbAuth
- check whether USBDevNums is empty in ctor(), repair()
- move usbAuth declaration from Create() to repair()
* vm/isolated: remove empty line
* vm/isolated: fix some conditions
* vm/isolated: change comment, add validate length of USBDevNums
* vm/isolated: check whether the len(USBDevNums) and len(Targets) is same
* vm/isolated: change repair() func based on review
- wait 30*time.Minute even if TargetReboot is not set.
- reduce/combine logs
- e -> err
* vm/isolated: In repair(), print error log and return error when ssh is failed
Temporary disable corpus rotation b/c we suspect it negatively affects fuzzing.
But we don't have hard data, and the easiest way to check is to disable
and see what happens.
Update #1348
We have strict upper bound of array size 10.
However, for netlink we frequently need lots of attributes in arrays.
Add a mutation that increases array size by few elements
without an upper bound (we should not grow them infinitely due
to coverage feedback?).
BTF fails lots of builds with:
pahole version v1.9 is too old, need at least v1.13
Failed to generate BTF for vmlinux. Try to disable CONFIG_DEBUG_INFO_BTF.
1. Turns out that NLA_F_NESTED is actually used and checked
(nla_parse_nested checks it, while nla_parse_nested_deprecated does not).
Similarly, ipset extensively checks NLA_F_NET_BYTEORDER.
So we need these bits.
2. nla_len must not account for the trailing alighnment padding.
This means we set wrong len for payloads that are not multiple of 4
(int8/int16/strings/arrays/some structs/etc).
