1. Turns out that NLA_F_NESTED is actually used and checked
(nla_parse_nested checks it, while nla_parse_nested_deprecated does not).
Similarly, ipset extensively checks NLA_F_NET_BYTEORDER.
So we need these bits.
2. nla_len must not account for the trailing alignment padding.
This means we set the wrong len for payloads that are not a multiple of 4
(int8/int16/strings/arrays/some structs/etc).
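The two rules above (flag bits in nla_type, and nla_len excluding the pad bytes) as an added example in Go; this is illustrative code, not syzkaller's own, and the encodeAttr/parseAttrs/attr names and the constructed message are assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Netlink attribute layout from <linux/netlink.h>: a 4-byte header
// (u16 nla_len, u16 nla_type), the payload, then padding to NLA_ALIGNTO.
// nla_len covers header+payload only. The two high bits of nla_type are flags.
const (
	nlaHdrLen           = 4
	nlaAlignTo          = 4
	NLA_F_NESTED        = 1 << 15
	NLA_F_NET_BYTEORDER = 1 << 14
	NLA_TYPE_MASK       = ^uint16(NLA_F_NESTED | NLA_F_NET_BYTEORDER)
)

func nlaAlign(n int) int { return (n + nlaAlignTo - 1) &^ (nlaAlignTo - 1) }

// encodeAttr appends one attribute. Flags are OR-ed into typ by the caller.
// nla_len = header + len(payload); the pad bytes appended after are not counted.
func encodeAttr(buf []byte, typ uint16, payload []byte) []byte {
	var hdr [nlaHdrLen]byte
	binary.LittleEndian.PutUint16(hdr[0:], uint16(nlaHdrLen+len(payload)))
	binary.LittleEndian.PutUint16(hdr[2:], typ)
	buf = append(buf, hdr[:]...)
	buf = append(buf, payload...)
	for len(buf)%nlaAlignTo != 0 {
		buf = append(buf, 0) // padding, outside nla_len
	}
	return buf
}

// encodeAttrPaddedLen reproduces the defect: nla_len counts the padding,
// so a 2-byte int16 payload is announced as 4 bytes.
func encodeAttrPaddedLen(buf []byte, typ uint16, payload []byte) []byte {
	start := len(buf)
	out := encodeAttr(buf, typ, payload)
	binary.LittleEndian.PutUint16(out[start:], uint16(nlaAlign(nlaHdrLen+len(payload))))
	return out
}

type attr struct {
	Type         uint16 // nla_type with the flag bits removed
	Nested       bool   // NLA_F_NESTED was set
	NetByteOrder bool   // NLA_F_NET_BYTEORDER was set
	Payload      []byte // exactly nla_len-4 bytes
}

// parseAttrs walks a buffer like nla_for_each_attr: the payload ends at
// nla_len, the next header starts at NLA_ALIGN(nla_len).
func parseAttrs(buf []byte) ([]attr, error) {
	var out []attr
	for len(buf) >= nlaHdrLen {
		nlaLen := int(binary.LittleEndian.Uint16(buf[0:]))
		rawType := binary.LittleEndian.Uint16(buf[2:])
		if nlaLen < nlaHdrLen || nlaLen > len(buf) {
			return nil, fmt.Errorf("bad nla_len %d with %d bytes left", nlaLen, len(buf))
		}
		out = append(out, attr{
			Type:         rawType & NLA_TYPE_MASK,
			Nested:       rawType&NLA_F_NESTED != 0,
			NetByteOrder: rawType&NLA_F_NET_BYTEORDER != 0,
			Payload:      buf[nlaHdrLen:nlaLen],
		})
		next := nlaAlign(nlaLen)
		if next > len(buf) {
			next = len(buf)
		}
		buf = buf[next:]
	}
	return out, nil
}

func main() {
	// Constructed message: nested attr 3 wrapping an int16 (attr 1, net byte
	// order) and a 3-byte string (attr 2); neither payload is a multiple of 4.
	inner := encodeAttr(nil, 1|NLA_F_NET_BYTEORDER, []byte{0x12, 0x34})
	inner = encodeAttr(inner, 2, []byte("abc"))
	msg := encodeAttr(nil, 3|NLA_F_NESTED, inner)
	outer, _ := parseAttrs(msg)
	fmt.Printf("type=%d nested=%v payload=%d bytes\n", outer[0].Type, outer[0].Nested, len(outer[0].Payload))
	fields, _ := parseAttrs(outer[0].Payload)
	for _, a := range fields {
		fmt.Printf("  type=%d netbyteorder=%v payload=%x\n", a.Type, a.NetByteOrder, a.Payload)
	}
	bad, _ := parseAttrs(encodeAttrPaddedLen(nil, 1, []byte{0x12, 0x34}))
	fmt.Printf("padded nla_len announces %d payload bytes instead of 2\n", len(bad[0].Payload))
}
```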
String value enforcement broke a number of tests
where we use different values.
Be more strict as to what string values we use in tests.
Required to add tmpfs descriptions to test syz_mount_image.
Also special-casing AF_ALG algorithms as these are auto-generated.
Strings with enumerated values are frequently file names
or have complete enumeration of relevant values.
Mutating a complete enumeration is not very profitable.
Mutating file names leads to escaping paths and
fuzzer messing with things it is not supposed to mess with as in:
r0 = openat$apparmor_task_exec(0xffffffffffffff9c, &(0x7f0000000440)='/proc/self//exe\x00', 0x3, 0x0)
Mark ifindex as opt in SIOCGIFINDEX.
Otherwise it's considered inout and SIOCGIFINDEX can't be used
to produce ifindex'es on its own. It requires an input ifindex
first and only then it can output own ifindex.
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
1. Use optional[T] instead of array[T, 0:1].
2. Deduplicate 3 copies of ARP packet.
3. Deduplicate IPOPT_LSRR/IPOPT_SSRR/IPOPT_RR.
4. More precise description of IPOPT_TIMESTAMP/IPOPT_LSRR/IPOPT_SSRR/IPOPT_RR.
5. Don't use IPOPT_END/IPOPT_NOOP in generic option (they have different format).
6. Restrict cipso doi values.
7. Fix IPOPT_RA value type (int16 instead of int32).
8. Match ipv4/ipv6 packet type with payload.
9. Prefer 0 frag_off for ipv4 packets (they are extremely hard to get right).
Use a random subset of syscalls/corpus/coverage for each individual VM run.
The hypothesis is that this should allow the fuzzer to get more coverage and
find more bugs in a saturated state (stuck in a local optimum).
See the issue and comments for details.
Update #1348
We get them in cross-compilation test where an out const
arg has different values in different archs.
No reason to fail deserialization in that case, replace with default
arg instead.
Currently we print them as part of `make generate`,
but nobody reads them, too much output each time.
Don't print them in `make generate` and instead
print in syz-check, the warn files are a good mechanism
to handle "known warnings".
All callers of BitfieldMiddle just want static size (0 for middle).
Make it so: Size for middle bitfields just returns 0. Removes lots of if's.
Introduce Type.UnitSize, which now holds the underlying type for bitfields.
This will be needed to fix #1542 b/c even if UnitSize=4 for the last bitfield
Size can be anywhere from 0 to 4 (not necessarily equal to UnitSize due to overlapping).
We assumed that for ConstType alignment is equal to size,
which is perfectly reasonable for normal int8/16/32/64/ptr.
However, padding is also represented by ConstType of arbitrary size,
so if we added 157 bytes of padding that becomes the alignment of
the padding field and as a result of the whole struct.
This affects very few structs, but quite radically and quite
important structs.
Discovered thanks to syz-check.
Update #590
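A compact model of the layout rule the message above describes, added here as an example and not syzkaller's own code: the field type, alignOf and layout are assumed names, and the sample struct (int8, 157 bytes of padding, int32) is constructed to show how a padding const that carries its size as alignment inflates the whole struct.

```go
package main

import "fmt"

// field is a simplified model of a struct field: plain integers and
// pointers have alignment == size, while a padding field is a const of
// arbitrary size that must not impose any alignment of its own.
type field struct {
	name    string
	size    int
	padding bool
}

// alignOf returns the field's alignment. buggy reproduces the defect:
// alignment == size for every const, so 157 bytes of padding become a
// 157-byte alignment requirement.
func alignOf(f field, buggy bool) int {
	if f.padding && !buggy {
		return 1
	}
	return f.size
}

func roundUp(n, a int) int { return (n + a - 1) / a * a }

// layout returns each field's offset, the total size and the struct
// alignment (the maximum field alignment; the size is rounded up to it).
func layout(fields []field, buggy bool) (offsets []int, size, align int) {
	align = 1
	for _, f := range fields {
		a := alignOf(f, buggy)
		if a > align {
			align = a
		}
		size = roundUp(size, a)
		offsets = append(offsets, size)
		size += f.size
	}
	size = roundUp(size, align)
	return offsets, size, align
}

// Constructed sample: one byte, 157 bytes of padding, then an int32.
var sample = []field{
	{name: "int8", size: 1},
	{name: "pad", size: 157, padding: true},
	{name: "int32", size: 4},
}

func main() {
	for _, buggy := range []bool{true, false} {
		offs, size, align := layout(sample, buggy)
		fmt.Printf("buggy=%v offsets=%v size=%d align=%d\n", buggy, offs, size, align)
	}
}
```

With the defect the struct comes out 471 bytes with alignment 157; with padding treated as alignment 1 it is 164 bytes with alignment 4.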
Some sound ioctls are now explicitly doubled for 32/64 bits. Support that.
Fix mips SOL_SOCKET issues by rearranging includes.
Improve a few other fields.
syz-check parses vmlinux dwarf, extracts struct descriptions,
compares them with what we have (size, fields, alignment, etc)
and produces .warn files.
This is the first raw version; it can be improved in a number of ways.
But it already helped to identify a critical issue #1542
and shows some wrong struct descriptions.
Update #590
This is not necessary since we build legit object file
for the target binary now. But this breaks mips with:
/linux/arch/mips/include/asm/thread_info.h:53:30: error: register name not specified for ‘__current_thread_info’
register struct thread_info *__current_thread_info __asm__("$28");
So just remove the old hack.
Follow up to #1536
This patch adds all autogenerated files for linux/mips64le. Files are
generated by following commands:
make extract
bin/syz-extract -build -os=linux -arch=mips64le -sourcedir=linux
make generate
Add tests for issue #1542
The correct results are obtained with the following program:
```c
#include <stdio.h>
#include <string.h>

struct foo {
	unsigned char f0;
	unsigned int f1:4;
	unsigned short f2:4;
};
struct bar {
	char f0;
	struct foo foo;
};
int main() {
	struct bar y;
	memset(&y, 0, sizeof(y));
	y.f0 = 0x12;
	y.foo.f0 = 0x34;
	/* 4-bit fields: only the low nibble of each value survives */
	y.foo.f1 = 0x56;
	y.foo.f2 = 0x78;
	int i;
	/* dump the raw bytes so the offsets of the bitfields are visible */
	for (i = 0; i < sizeof(y); i++)
		printf("%02x", ((unsigned char*)&y)[i]);
	printf("\n");
}
```
1. It always crashed in cover_reset when coverage is disabled.
2. Use NONFAILING when accessing image segments.
3. Give it additional 100 ms as it may be slow.
4. Add a test for syz_mount_image.
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.
Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.
All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.
Syzkaller binaries are built in C mode even if they are c++ binaries.
Recent clang versions (clang++-10) consider this an error/warning,
causing issues during build time.
Change-Id: Ia6d1ab46597efc42772c1c7a63188c3c04a729a7
Enable /dev/tty{1-6}. These seem to be special.
The first few are connected to framebuffers. But the rest
seem to be different from e.g. tty20 anyway.
Also /dev/tty is different from the rest.
/dev/ttyS3 and /dev/ttyprintk are different.
Properly pair BSD pty terminals.
Add a second mode that extracts constant values from
ELF object, instead of running the executable.
This allows us to (1) not link binaries and (2) use a proper cross-compiler.
It finally fixes 386/arm extracts for my distro.
Hopefully it does not make things worse for others;
it should generally be safer/more reliable.
The current mode is left b/c I can't test all OSes,
windows binaries are not ELF, so we may need it anyway.
But later we may switch more OSes to this new mode
if they break (fuchsia?).
On my Debian gcc -m32 is hopelessly broken.
Using clang fixes at least arch 386.
Arch arm is still broken b/c clang does not like
some of the kernel arm inline assembly constraints.
It's /dev/watch_queue not /dev/fd_watch_queue.
Don't know if it was renamed or always wrong, but it does not matter much,
now it's /dev/watch_queue.
Also attach v4l ioctls to /dev/swradio,radio,vbi,cec.
It seems that _some_ of them are applicable to these devices as well.
Linux v5.5 extends struct clone_args for clone3() by two additional
parameters:
@set_tid: Pointer to an array of type *pid_t. The size
of the array is defined using @set_tid_size.
This array is used to select PIDs/TIDs for
newly created processes. The first element in
this defines the PID in the most nested PID
namespace. Each additional element in the array
defines the PID in the parent PID namespace of
the original PID namespace. If the array has
less entries than the number of currently
nested PID namespaces only the PIDs in the
corresponding namespaces are set.
@set_tid_size: This defines the size of the array referenced
in @set_tid. This cannot be larger than the
kernel's limit of nested PID namespaces.
Cc: Adrian Reber <areber@redhat.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Add new crypto algorithms from linux-next (future v5.5):
- BLAKE2b and BLAKE2s
- "-arm" implementations of ChaCha and XChaCha
- "-arm" and "-neon" implementations of Poly1305
Regenerate consts on linux-next next-20191125.
DEVLINK_ATTR_NETNS_* consts were shifted by 1.
__BPF_FUNC_MAX_ID increased as usual.
CRYPTO_ALG_TYPE_BLKCIPHER, CRYPTO_ALG_TYPE_ABLKCIPHER were removed,
replace them with CRYPTO_ALG_TYPE_SKCIPHER.
Move HostFuzzer from vm/qemu.
It's needed in a number of other packages
and strictly speaking is not specific to qemu
(it just happened that both fuchsia and akaros only support qemu).
The port-based exception APIs have been deprecated on Fuchsia and will
be removed shortly. Delete them from the syscall definitions and
modify the Fuchsia executor to use the new channel-based APIs instead.
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Update #533
This patch updates tca_polices by adding the new policies TCA_POLICE_RATE64
and TCA_POLICE_PEAKRATE64.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Update #533
In this patch I added new classes: cake, cbs, fq_codel, mq, mqprio,
multiq, netem, prio, red, sfb, sfq, skbprio, taprio, tbf, ingress,
clsact.
These classes have Qdisc_class_ops in the kernel, but no netlink parameters.
So we can test them by just calling them directly.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Update #533
Don't know why I didn't add tcm__pad in the tcm_info structure
at the beginning. But let's fix it now.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
When generating a USB config, disable USB symbols that are disabled in the
base config, as they might have been enabled when some of the dependencies
got enabled.
Due to issues with ASLR + ASan on ppc64le (see #1446), add the -no-pie
flag to the test target so tests will pass.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
It was reported that binder isn't covered when using syzkaller on a real
Android device, since the binder device names are different. Update the
descriptions to know about the real-world device names too.
- For v5.4: new ioctls FS_IOC_ADD_ENCRYPTION_KEY,
FS_IOC_REMOVE_ENCRYPTION_KEY, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS,
FS_IOC_GET_ENCRYPTION_KEY_STATUS, and FS_IOC_GET_ENCRYPTION_POLICY_EX.
- For v5.4: FS_IOC_SET_ENCRYPTION_POLICY now accepts an
fscrypt_policy_v2 argument in addition to the original fscrypt_policy
which is now called fscrypt_policy_v1.
- For v5.4: the fscrypt definitions were moved to a new header
<linux/fscrypt.h>, and some constants were given new FSCRYPT_* names
instead of FS_*. Handle this, and to keep things organized similarly
move the syzkaller descriptions to a new file fscrypt.txt.
- For v5.0: remove the removed Speck modes and add Adiantum.
- For v5.0: add the DIRECT_KEY encryption policy flag.
Also fix the argument types for FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_PWSALT, which had been mixed up.
The BPF template currently only defines helper calls. BPF function calls
(bpf-to-bpf calls) are however supported in Linux since v4.16.
This patch defines bpf-to-bpf calls in the template.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
A new BPF instruction that allows lookup-free map value accesses was added
in Linux v5.2, with commit d8eca5b ("bpf: implement lookup-free direct
value access for maps"). It enables direct access to map values without
having to call a BPF helper. It is currently used to implement global
variable support.
This commit adds support for that new instruction.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
bNumEndpoints is defined as len[endpoints]. This initially assumed that
endpoints is an array, which is not the case for descriptions for
particular USB classes. Improve it by defining a new template for interfaces
and passing in a value range for bNumEndpoints for these cases.
Currently build on darwin crashes when we try to access host.CCompiler/CPP
(there is no darwin target). Check that we have the host target before using it,
otherwise use default gcc/cpp.
Some USB drivers don't depend on core USB symbols, but rather depend on a
generic symbol for some input subsystem (e.g. HID). Account for that when
extracting USB configs.
Update socket timeval, timestamp options and flags.
v2: separate SO_{TIMESTAMP, TIMESTAMPNS}_{OLD, NEW} as they only need
enable/disable option value.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Default value for ProcType is 0 (same for all PID's).
Usually 0 either does not make sense at all or makes different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).
* sys/linux: extract USB HID ids
As it turns out the HID kernel subsystem registers only one USB driver that
checks that the interface of the connected device has HID class and then looks
up its own list of vendor/device ids to find a matching driver. This means
that we currently don't generate proper vendor/device ids for USB HID devices.
This patch updates the syz-usbgen tool to also extract USB HID vendor/device
ids from a running kernel and makes the generated descriptions for HID devices
to be patched using the extracted ids.
This patch also contains some minor improvements to USB descriptions
(better HID descriptions and more replies for some USB classes/drivers).
* sys/linux: run make generate
Currently we use AT_FDCWD as a special value for all file descriptors,
but it does not make sense for almost all of them (sockets, bpf, etc).
Use it as a special value only for fd_dir.
A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enforce safe limits without dropping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
Running sys/*/test programs requires real machines and kernels for each OS.
We can't do that in unit tests, but at least try to deserialize these programs
so that they don't get rotten.
* sys/fuchsia: update zx_clock_get.
zx_clock_get was deprecated and replaced by zx_clock_get_new. In a
recent CL[0], they replaced the zx_clock_get by zx_clock_get_new and
moved all clients. This commit updates syzkaller to use the new function.
[0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/298575
* run make extract && make generate
Instead of defining the __GLIBC_USE macro on every OS, we are just
defining it based on a parameter. That parameter is set to false for all
OSs except for fuchsia.
When I try to run `make extract` for fuchsia, the clang compiler
complains that __GLIBC_USE is undefined.
This CL just defines it to be an always false function-like macro if it
was not defined.
This commit removes the fuchsia-power fidl definitions. The interface
doesn't have a service implementing it in fuchsia, and it is causing
issues in make extract.
1. Change HID descriptions to allow devices to have two interrupt endpoints.
2. Remove unneeded responses to OUT control requests from descriptions.
3. Add some debugging code to detect and report missing descriptions.
Update descriptions to be compatible with latest linux-next
(next-20190715), which in theory will match v5.3-rc1 when the merge
window closes.
- KEYCTL_GRANT_PERMISSION was reverted. So remove its description.
- CRYPTO_ALG_TYPE_DIGEST was removed. So remove its description.
- IB_QP_CREATE_SIGNATURE_EN was renamed to IB_QP_CREATE_INTEGRITY_EN.
Also remove the sys/linux/rdma_*.const files which were incorrectly
checked into git. The real copies of those files are in
sys/linux/dev_infiniband_rdma_*.const.
For now I did *not* check for other new APIs that need to be described.
- Add KEYCTL_MOVE (new in v5.3)
- Add KEYCTL_CAPABILITIES (new in v5.3)
- Add KEYCTL_GRANT_PERMISSION (new in v5.3)
- Remove KEY_PERM_UNDEF (was only ever in an internal kernel header,
not in UAPI; removed in v5.3)
The kernel gets the mpls label like
```
unsigned entry = be32_to_cpu(hdr->label_stack_entry);
result.label = (entry & MPLS_LS_LABEL_MASK) >> MPLS_LS_LABEL_SHIFT;
```
So we just need to store the label in big endian order.
For mpls rta types, the kernel accepts only one label for RTA_DST and
multiple labels for RTA_NEWDST.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
The sanitizer fails to sanitize programs like the following:
setrlimit(0x10000000000002, &(0x7f0000000080))
... due to the presence of the most significant bit. Therefore mask off all
bits that cannot form a valid rlimit resource.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Locking down future mappings will most likely cause syz-executor to run
out of memory.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Do not allow the stack to grow beyond the initial soft limit chosen by
syz-executor. Otherwise, syz-executor will most likely not be able to
perform any more heap allocations since the majority of memory is
reserved for the stack.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
OpenBSD performs a strict validation of the RLIMIT_DATA soft limit
during memory allocation. Lowering the same limit could cause
syz-executor to run out of memory quickly. Therefore make sure to not go
lower than the default soft limit for the staff group.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
One of the root causes of reported "lost connection to test machine" is
when the egress network interface is being used as a multicast
interface:
setsockopt$inet6_MRT6_ADD_MIF(r0, 0x29, 0x66, &(0x7f0000000180)={0x2}, 0xc)
Prevent such syscalls from being generated by limiting the range of
allowed interface indices.
To allow future extensions of USB descriptions to fuzz particular USB
classes this patch changes the structure of USB descriptions to use
templates.
This will invalidate all existing USB corpus.
Add -B/usr/lib32 to 386 build flags.
The story behind -B/usr/lib32 is not completely clear, but it helps in some cases.
For context see discussion in https://github.com/google/syzkaller/pull/1202
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
```
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
```
Consolidating FIDL library build mappings in one place, so that it can
be used from extraction, and script invoking fidlgen. This also makes
code clearer, and provides a more natural path for evolutions / dealing
with oddities.
Minor doc update post fx command changes.
A const can be used as an array size. Then if the const is not present
on all arches, the compiler will produce an error about a 0-sized array.
There is no easy way to work around this for a user.
Use value of 1 for missing consts. It's just a bit safer.
Using a build tag to exclude files for golangci-lint
reduces memory consumption (it does not parse them).
The naive attempt with skip-dirs did not work.
So add codeanalysis build tag and use it in auto-generated files.
Update #977
Now that we have the len path expressions we can fix the TODO
in btf descriptions to properly specify offsets of btf sections.
Also add proper descriptions for btf type section
and few other minor things around.
This is especially problematic for file descriptors referring to tty/pty
devices since it can cause the SSH connection to the VM to die.
The ambition here is to reduce the number of "lost connection/no output" failures
at the cost of limiting the coverage of chflags(2).
This is done via a custom Kconfiglib based script that allows merging
all USB configs from a provided one into the current one. The script finds
and enables all USB configs and their dependencies.
make extract recently broke for powerpc on linux-next with:
include/uapi/linux/byteorder/big_endian.h:6:2: error: #error "Unsupported endianness, check your toolchain"
#error "Unsupported endianness, check your toolchain"
Turns out we always built ppc64le headers as big-endian.
First, kernel was configured as BE.
Then, we used gcc to build an executable program for host
and on x86 gcc does not define __LITTLE_ENDIAN__ so kernel
thought that the toolchain is BE too.
Configure kernel as LE and define __LITTLE_ENDIAN__.
This actually changes values of some consts,
but fortunately just few of them.
Due to missing padding arguments, stack garbage could end up being used as
actual arguments. More reading for the curious[1].
While here, add missing descriptions for pread and pwrite.
[1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
Most probably limited to input validation for now. In the future, it
could be extended to provide a bootable kernel during vm create (/bsd)
and turn vmid into a proper resource.
The OpenBSD VMs on GCE does support vmm(4).
* sys/fuchsia: update all syscalls.
This commit modifies all the existing syscalls definitions to match more
closely the documentation in the Fuchsia repo.
* run make extract && make generate
This commit implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
This commit adds syzkaller descriptions for USB fuzzing. The descriptions in
vusb.txt are written manually and cover different kinds of USB descriptors.
The descriptions in init_vusb_ids.go are generated automatically by the
syz-usbgen tool and contain the vendor, device and some other IDs that
map to different USB drivers.
Ptr type has special handling of direction (pointers are always input).
But buffer type missed this special case all the time.
Make buffer less special by aliasing to the ptr[array[int8]] type.
As the result buffer type can't have optional trailing "opt" attribute
because we don't have such support for templates yet.
Change such cases to use ptr type directly.
Fixes #1097
Initial description of the kernel's RDMA subsystem.
This patch covers most of the older write() interface as well as
some ioctl functions.
Also disable rdma_cm's ib_qp_type flags as it conflicts with rdma's
definition, and rdma builds first.
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Apparently, sysroot/include doesn't exist in the build-zircon path
anymore. I changed the path in sys-extract to make it point to the
exported sdk include path.
I also ran make extract and make generate to add new fidl definitions.
TEST=ran make extract and make generate.
Separate kernel and syzkaller build failures.
Fix logic to understand when a build is fixed:
look if kernel/syzkaller commit changes to understand
if it's a new good build or re-upload of an old build.
Fixes #1014
Recently the fuchsia team decided to merge all their subrepos into one
big git repo. This meant that the "zircon" repo doesn't exist anymore.
Instead almost everything is under the fuchsia repo.
This change updates all the references I could find in the code that
point to the zircon and docs repo to make them point to the new fuchsia
repo.
The latter contains only debug symbols and is meant to be used with the
kernel executable. That is, the kernel executable contains a
.gnu_debuglink pointer to kernel.debug. kernel.full contains
everything, including a copy of the kernel's text section, which we want
when enumerating __sanitizer_cov_trace_pc() calls for a coverage report.
1. Move fsverity descriptions to a separate file which
is not regenerated automatically. It was dropped from linux-next.
2. Fix tlk_device.txt name in syz-extract.
3. Update some socket consts e.g. s/SO_TIMESTAMPING/SO_TIMESTAMPING_OLD/.
4. Regenerate const files on current upstream head.
The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd.
Pass actual host OS to executor build as HOSTGOOS and use it to figure out
how we should include this header.
syz-extract was removing certain prefixes from syscall names, but this
caused some problems:
- freebsd* prefixes are for compatibility syscalls when the syscall ABI
has changed. For instance, we have both fstat() and
freebsd11_fstat(), and it is desirable to fuzz them both.
- Stripping prefixes may leave us with undefined SYS_ constants. This
resulted in some test failures in pkg/csource, which emitted code
referencing SYS_semctl when it should have been SYS___semctl.
Fix the problem by updating syscall descriptions to match the names
given by the FreeBSD kernel. Add some new descriptions for
compatibility syscalls, fix the mknodat() description (dev_t is now 64
bits wide on FreeBSD), and remove mknod$loop, which appears to be
Linux-specific.
Garnet-layer FIDL descriptions are in a new subdirectory.
This CL changes it to the proper directory, and performed a "make
extract" shortly after.
This should fix some of the errors on the Syzkaller hub.
When we run with sandbox=none, a test program can do EXT4_IOC_RESIZE_FS which
shrinks the rootfs basically to 0. This breaks the machine as all tests then fail with:
failed to create temp dir: mkdir syzkaller-testdir077269498: no space left on device
This is the most common source of "lost connection" crashes overall and
they are not actually kernel bugs.
Prohibit EXT4_IOC_RESIZE_FS for now.
Alternatively we can mount tmpfs with sandbox=none.
Update #971
* sys/fuchsia: fix fidlgen issues.
This change modifies fidlgen removing fuchsia.mediacodec and renaming
zircon-ethernet to fuchsia-hardware-ethernet.
fuchsia.mediacodec has most of its functionality merged into
fuchsia.media and it's not included in the default amd64 builds.
zircon-ethernet has been renamed to fuchsia-hardware-ethernet
recently:
https://fuchsia-review.googlesource.com/c/zircon/+/237178
* docs/fuchsia: Add troubleshooting sections
This commit adds a troubleshooting section in the fuchsia syzkaller docs
that mentions how to solve fidlgen issues when fidl interfaces are
removed or renamed.
* sys/fuchsia: remove stale autogenerated files.
* sys/fuchsia: run make extract && make generate.
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
C's \xHH hex constants in strings accept any number of hex digits
(not just 2 or 4). So later non-hex escaped chars glue to the \x construct.
Use \OOO instead as it accepts at most 3 octal digits.
1. Generate .const files for all arches.
2. Don't extract mptcp consts on android.
3. Remove mptcp includes from vnet.txt.
4. Enable CONFIG_MPTCP in syz-extract (mptcp is not like all other kernel headers).