Commit Graph

363 Commits

Author SHA1 Message Date
Dmitry Vyukov
2b084c9886 pkg/csource: use 0 for missing syscall args
We don't specify trailing unused args for some syscalls
(e.g. ioctl that does not use its arg).
Executor always filled tailing unsed args with 0's
but pkg/csource didn't. Some such syscalls actually
check that the unsed arg is 0 and as the result failed with C repro.

We could statically check and eliminate all such cases,
but it turns out the warning fires in 1500+ cases:
a3ace5a63f/gistfile1.txt

So instead fill such args with 0's in pkg/csource too.
2018-12-27 13:11:57 +01:00
Dmitry Vyukov
def91db3fe prog, pkg/csource: more readable serialization for strings
Always serialize strings in readable format (non-hex).
Serialize binary data in readable format in more cases.

Fixes #792
2018-12-15 15:17:13 +01:00
Greg Steuck
7795ae03c0 prog: detect invalid target.Syscalls in BuildChoiceTable
Without this check programs may end up panicing in places far away
from the real cause. E.g.

worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false
2004/02/03 12:11:11 fuzzer started
2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386
2004/02/03 12:11:12 syscalls: 1
2004/02/03 12:11:12 code coverage: enabled
2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller
2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller
2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller
2004/02/03 12:11:12 net packet injection: enabled
2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller
panic: invalid argument to Intn

goroutine 27 [running]:
math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40)
        /usr/local/go/src/math/rand/rand.go:169 +0x9c
github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69
github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0)
        /syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2
main.(*Proc).loop(0xc000d92f40)
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1
created by main.main
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
2018-12-11 11:14:20 +01:00
Dmitry Vyukov
28bd3e371b prog: support AUTO args in programs
AUTO arguments can be used for:
 - consts
 - lens
 - pointers

For const's and len's AUTO is replaced with the natural value,
addresses for AUTO pointers are allocated linearly.

This greatly simplifies writing test programs by hand
as most of the time we want these natural values.

Update tests to use AUTO.
2018-12-10 16:37:02 +01:00
Dmitry Vyukov
ba64d006de prog: implement strict parsing mode
Add bulk of checks for strict parsing mode.
Probably not complete, but we can extend then in future as needed.
Turns out we can't easily use it for serialized programs
as they omit default args and during deserialization it looks like missing args.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
95fe19c19e prog: introduce strict parsing mode
Over time we relaxed parsing to handle all kinds of invalid programs
(excessive/missing args, wrong types, etc).
This is useful when reading old programs from corpus.
But this is harmful for e.g. reading test inputs as they can become arbitrary outdated.
For runtests which creates additional problem of executing not
what is actually written in the test (or at least what author meant).
Add strict parsing mode that does not tolerate any errors.
For now it just checks excessive syscall arguments.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
a5efea3ec3 prog: refactor deserialization code
Move target and vars into parser and make all
parsing functions methods of the parser.
This reduces number of args that we need to pass around
and eases adding more state that needs to be passed around.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
b80cc86486 prog: rename ProgGen to Builder
golint suggests that "prog.Prog" is a bad naming
because everything in prog package is ProgSomething.
Rename to Builder, "prog.Builder" sounds right.
2018-12-08 08:40:03 +01:00
Dmitry Vyukov
eada53b810 tools/syz-trace2syz/proggen: fix vma allocation
There are 2 bugs:
1. We always allocate 1 page, even if use more.
2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL.
The added test currently panics with "unaligned vma address".
2018-12-07 12:56:38 +01:00
Dmitry Vyukov
9e8a45fe27 tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc 2018-12-07 12:44:45 +01:00
Dmitry Vyukov
ab4b148b34 prog: add Prog.Finalize
Prog.Finalize combines assignSizesCall, SanitizeCall and validate.
Intended for users who build own programs,
so that we don't need to expose all individual methods.
2018-12-06 18:56:08 +01:00
Dmitry Vyukov
ceaec61a83 prog: export Type.DefaultArg
It's effectively exported anyway.
So export it the proper way.
2018-12-06 18:55:46 +01:00
shankarapailoor
6a60a19530 tools/syz-trace2syz: add tool to convert strace output to programs
* fixing weird merge error

* fixing presubmit

* fixing presubmit

* removing parsing code because of -Xraw option

* fix presubmit

* update

* deleting vma_call_handlers as we are currently skipping most vma calls. This simplifies memory_tracker as we don't need to keep track of vma allocations

* removing custom handling of bpf_instruction union

* removing ifconf parsing

* update

* removed all expression types and replaced them with constant types. removing ipv6_addr parsing while -Xraw is getting fixed. Removing constants.go

* removing ipv6 parsing

* presubmit

* moving direction check from ipv4_addr out to genUnion

* removing code that parses kcov

* removing redundant test

* removing custom code in generate unions to fill ipv4_addr

* proggen: changing order of imports to make external packages import first

fixing presubmit

* changing log messages to lower case to be consistent with other packages.

* removing pointer type and simplifying memory_tracker

removing comment

* moving context and return_cache to seaparate files

* deleting default argument generation when we should probably throw an error
2018-12-06 16:25:37 +01:00
Greg Steuck
0b29b7f952 prog: prevent sandbox escaping files from entering s.files 2018-11-27 13:16:05 +01:00
Andrey Konovalov
5a0d6e039d prog: try to nullify pointers when minimizing
This patch changes minimization routines to try assigning a.Res to nil
for each pointer arg.
2018-11-21 05:30:44 +01:00
Dmitry Vyukov
8bd6bd6365 prog: allow escaping paths but don't generate them
Filename generated escaping paths in the past.
The reason for the check during validation is to
wipe old program from corpuses. Now that they are
hopefully wiped everywhere, we can relax the check
to restrict only filename to not produce escaping paths,
but allow existing programs with escaping paths.
This is useful in particular if we generate syzkaller
programs from strace output.
2018-11-02 17:31:59 +01:00
Dmitry Vyukov
ecb386fe6f sys: check that target consts are defined
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
2018-10-19 19:11:22 +01:00
Dmitry Vyukov
1ba7fd7e65 all: fix code formatting
Reformat, remove debug leftovers, fix comment style.
2018-10-16 13:57:24 +02:00
Zach Riggle
f37861df63 targets: Use OS=linux when GOOS=android
This avoids the issue of "android" not having any registered configurations
or syscalls / ioctls / etc, when built with GOOS=android.

This occurs when building in Google3, since --config=android_arm64 selects
the Android toolchain.
2018-10-10 11:54:53 +02:00
Dmitry Vyukov
a4718693a3 sys/linux: add syz_execute_func
The function executes random code.

Update #310
2018-08-30 21:45:04 -07:00
Dmitry Vyukov
e8dd2c6713 prog: add concept of "special pointers"
Currently we only generate either valid user-space pointers or NULL.
Extend NULL to a set of special pointers that we will use in programs.
All targets now contain 3 special values:
 - NULL
 - 0xfffffffffffffff (invalid kernel pointer)
 - 0x999999999999999 (non-canonical address)
Each target can add additional special pointers on top of this.

Also generate NULL/special pointers for non-opt ptr's.
This restriction was always too restrictive. We may want to generate
them with very low probability, but we do want to generate them.

Also change pointers to NULL/special during mutation
(but still not in the opposite direction).
2018-08-30 21:45:03 -07:00
Dmitry Vyukov
6ba5fe3e62 sys/openbsd: disable mknod sanitization as tests fail
TestSerializeDeserializeRandom fails from time to time
because program is different after we serialize/deserialize it.
Turns out openbsd SanitizeCall is not idempotent.
Add a test for this and disable the logic for now.
2018-08-30 21:44:56 -07:00
Dmitry Vyukov
ee42876f95 prog: fix corner case in normalizePrio
Based on twitter bug report:
https://twitter.com/panicaII/status/1035058001269248000
2018-08-30 21:44:00 -07:00
Dmitry Vyukov
2dc4378f02 prog: don't add fallback signal after seccomp
seccomp filter can produce arbitrary errno values for subsequent syscalls.
Don't trust anything afterwards.
2018-08-19 00:13:24 -07:00
Dmitry Vyukov
c00da3df66 prog: collect all prog comments
Parse and collect and prog comments.
Will be needed for runtest annotations
(e.g. "requires threaded mode", etc).
2018-08-08 13:07:49 +02:00
Dmitry Vyukov
95a080a682 prog: strenghten type checking during validation
Check that argument types match expected static types.
I.e. detect when, say, syscall argument is a resource,
but actual generated argument is a pointer.
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
ae2f24aa70 prog: refactor calcStaticPriorities
Factor out several helper functions.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
c56465d568 prog: split and simplify Mutate
Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
1da82ae0f0 prog: introduce debugValidate
Move debug validation into a separate function.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
c8643744fe prog: refactor defaultArg/isDefaultArg
Refactor from single-big-switch to type methods.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
e002278dfb prog: refactor SerializeForExec
Factor copyin, copyout and checksums into separate functions.
Also slightly tidy csum analysis.

Update #538
2018-08-02 16:57:31 +02:00
Dmitry Vyukov
97bce4e2ce prog: refactor program serialization
Make argument serialization Arg method.
This eliminates a very long function
that serializes all arguments.

Update #538
2018-07-31 18:43:50 +02:00
Dmitry Vyukov
46b824df22 prog: refactor SerializeForExec
Reduce cyclomatic complexity.

Update #538
2018-07-31 18:38:54 +02:00
Dmitry Vyukov
0e9b376bc3 prog: refactor Minimize
Reduce cyclomatic complexity of argument minimization
by moving type-specific logic into separate functions.
Fix few bugs along the way.

Update #538
2018-07-31 16:06:21 +02:00
Dmitry Vyukov
f5d67fbd9c .gometalinter.json: enable gofmt
The part that we want from gofmt is simplify (-s).
Fix all code that needs fixing.

Update #538
2018-07-31 12:16:54 +02:00
Dmitry Vyukov
1a381291a3 executor: collect coverage from unfinished syscalls
Write coverage from unfinished syscalls.
Also detect when a syscall was blocked during execution,
even if it finished. Helpful for fallback coverage.

Fixes #580
2018-07-29 19:46:05 +02:00
Dmitry Vyukov
68faa52582 prog: parse comments in serialized programs
Remember per-call comments, will be useful for annotating tests.
Also support this form:
call() # comment
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
e0c1bcbabc prog: move MaxPids const to prog
The const may be needed by other packages.
E.g. when checking manager config.
2018-07-25 10:39:29 +02:00
Dmitry Vyukov
9fe4bdc5f1 executor: overhaul
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).

This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
2018-07-24 12:04:27 +02:00
Anton Lindqvist
54bb6b9222 prog: add missing Default() implementation for ConstType 2018-07-23 11:11:32 +02:00
Dmitry Vyukov
06c33b3af0 prog: sanitize calls after hints mutation
Hints mutation could produce unsanitized calls.
Sanitize calls after hints mutation.
Also sanitize on load (in validate), because bad programs
can already be in corpuses. And it's just the right thing
to do because sanitization rules can change over time.
2018-07-12 12:40:30 +02:00
Dmitry Vyukov
fb2fc0f4dc prog: fix pointer validation
Query size after validating the object itself,
otherwise size can panic on corrupted object.
2018-07-08 22:52:24 +02:00
Dmitry Vyukov
1c667063a8 prog: don't generate filenames that escape sandbox
All files that fuzzer works with must be in the working dir.
Using "/" is known to cause problems when fuzzer
removes files there or mounts something.
2018-07-08 22:52:24 +02:00
Dmitry Vyukov
306ca0571c prog, pkg/compiler: support fmt type
fmt type allows to convert intergers and resources
to string representation.
2018-07-08 22:52:24 +02:00
Dmitry Vyukov
57799a834f prog: fix and improve fallback coverage
First we emitted fallbackSignalFlags inside of the loop,
while we need to this outside of the loop.
Second, make flags signal weaker otherwise we get all 256
signals for open, chmod, etc.
Third, simplify and speedup code.
2018-06-30 13:28:11 +02:00
Dmitry Vyukov
5012ddc8eb prog: detect when flags are a bitmask 2018-06-30 13:27:24 +02:00
Dmitry Vyukov
f7498af7af prog: add stronger fallback signal
Also mixin resource constructors and some signature
of flags values for successful calls into fallback coverage.
2018-06-29 20:34:43 +02:00
Dmitry Vyukov
dcb1eebb7f prog: more precise constructor calculation
Currently a call that both accepts and creates a resource
self-justifies itself and thus is always enabled.
A good example is accept call. Accepts are always self-enable
and thus enable all other syscalls that work with the socket.

Calculate TransitivelyEnabledCalls in the opposite direction
to resolve this. Start with empty set of enable syscalls,
then enable syscalls that don't accept any resources,
then enable syscalls that accept resources created by the
previous batch of syscalls, and so on.

This prevents self-enablement of accept.
2018-06-18 19:45:48 +02:00
Dmitry Vyukov
2dcee3b338 prog: use all resource special values for opt args 2018-06-18 19:45:46 +02:00
Dmitry Vyukov
598eb19243 prog: mutate fixed-size strings more
Allow removing/inserting ranges of bytes from fixed-size strings,
provided we truncate/extend resulting string to keep original size.
2018-06-12 19:09:26 +02:00