Commit Graph

413 Commits

Author SHA1 Message Date
Paul Chaignon
997ccc675b pkg/compiler: define fileoff template
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
2019-11-01 19:14:49 +01:00
Paul Chaignon
713f727d98 prog, pkg/compiler: alignment for integer ranges
Enables the syntax intN[start:end, alignment] for integer ranges.  For
instance, int32[0:10, 2] represents even 32-bit numbers between 0 and 10
included.  With this change, two NEED tags in syscall descriptions can be
addressed.

Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
2019-10-25 18:16:59 +02:00
Veronica Radu
1a3bad9041 prog: mutate length of output buffers
Update #480
2019-10-10 14:37:42 +02:00
Veronica Radu
fc17ba4941 prog: add size checks for const arguments during hints mutation
Update #507
2019-10-03 10:57:55 +02:00
Veronica Radu
2e29b53400 prog: fix plain priority for integers 2019-10-02 11:14:42 +02:00
Veronica Radu
e38a6630eb syz-manager: fix unwanted syscalls that were enabled
Update #1424
2019-09-24 20:13:37 +02:00
Andrey Konovalov
2b854f96b1 tools: add syz-expand
The syz-expand tools allows to parse a program and print it including all
the default values. This is mainly useful for debugging, like doing manual
program modifications while trying to come up with a reproducer for some
particular kernel behavior.
2019-09-23 17:13:23 +02:00
Veronica Radu
1e9788a0d9 prog: add insertionPoint param in generateCall func 2019-09-23 15:35:26 +02:00
Veronica Radu
8491e03fb2 prog: add better call-to-call priority calculation
Update #1380
2019-09-23 15:35:26 +02:00
Veronica Radu
bf7e28925b prog: use type size when generating/mutating ints
Update #1381
2019-09-23 15:33:19 +02:00
Veronica Radu
5de425bc59 prog: implemented argument and call priorities 2019-09-04 10:46:46 +02:00
Andrey Konovalov
526709ff04
prog: move all flag mutation logic into flags() (#1362)
This makes it a bit easier to understand.

Also fix an issue with using flag value as bit number.
2019-09-03 17:02:04 +02:00
Veronica Radu
dbd627eb61 prog: add implementation for resource centric 2019-09-03 16:30:45 +02:00
Andrey Konovalov
bcd7bcc296 prog: speed up resource ctors detection
When we build a list of resource constructors we over and over iterate through
all types in a syscall to find resource types. Speed it up by iterating only
once to build a list of constructors for each resource and then reuse it.
This significantly speeds up syz-exeprog startup time on Raspberry Pi Zero.
2019-08-30 12:51:28 -07:00
Dmitry Vyukov
b65356b565 prog: measure memory allocation in benchmarks
Enable ReportAllocs.
Also factor out common code into a helper function
(duplicated in 3 places now).
2019-08-13 17:02:48 +02:00
Veronica Radu
aff9e255cd prog: add special mutation for binary flags 2019-08-09 15:02:02 +02:00
Dmitry Vyukov
7c7ded697e prog: fix out-of-bounds access
ParseLog can access data out-of-bounds.
Fix that and fix regression fuzz tests to catch this.
2019-07-30 19:33:02 +02:00
Dmitry Vyukov
3e5d1beb82 prog: fix crash in blob mutation
If we deserialized a huge blob (larger than max blob size),
then we can get a negative size in the "Insert random bytes" case at:

		if r := int(maxLen) - len(data); n > r {
			n = r
		}

Don't insert bytes if data is already larger than maxLen.
2019-07-26 10:43:08 +02:00
Dmitry Vyukov
cf49ed5769 prog: don't minimize ProcType to 0
Default value for ProcType is 0 (same for all PID's).
Usually 0 either does not make sense at all or make different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).
2019-07-26 10:29:36 +02:00
Andrey Konovalov
9ba1e9ae4b prog: fix updating triedPaths when minimizing resources 2019-07-16 15:20:33 +02:00
Dmitry Vyukov
55565fa037 prog: fix minimization bugs
Fix several nasty bugs in minimization that could lead
to almost arbitrary results. These bugs affected both
crash minimization and corpus population.
Extend the randomized test to catch these bugs.
Add additional asserts to code to catch similar bugs in future.

Reported-by @xairy
2019-07-02 14:49:44 +02:00
Marco Elver
ce9107d086 prog/mutation: Add internal comments 2019-06-07 14:03:39 +02:00
Anton Lindqvist
85c573157d pkg/csource: add ability to annotate syscalls using comments in C reproducers
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).

This commit introduces an optional annotate function on a per target basis.

Example for the OpenBSD target:

  $ cat prog.in
  mknod(0x0, 0x0, 0x4503)
  getpid()
  $ syz-prog2c -prog prog.in
  int main(void)
  {
    syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
    syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
    syscall(SYS_getpid);
    return 0;
  }
2019-05-24 22:33:56 +02:00
Dmitry Vyukov
76fc461b55 pkg/compiler: add offsetof type
Similar to C offsetof gives offset of a field
from the beginning of the parent struct.
We have several TODOs in descriptions asking for this.
2019-05-16 18:05:05 +02:00
Dmitry Vyukov
bd4e3ac77b prog: fix crash in assignSize on optional pointer 2019-05-14 20:58:33 +02:00
Dmitry Vyukov
2376f0f937 pkg/compiler: allow to refer to syscall arguments in len paths
This allows to use len[syscall:arg] expressions.
2019-05-14 19:28:01 +02:00
Dmitry Vyukov
9a4969814e pkg/compiler: refactor len target checking
Create named const for "parent" and move some code into a helper function.
2019-05-14 19:28:01 +02:00
Dmitry Vyukov
93dcf0adc8 prog: implement complex len target support
This actually implements support for complex len targets
during program generation and mutation.
2019-05-14 19:28:01 +02:00
Dmitry Vyukov
16c881ad85 pkg/compiler: generate complex len targets
Change the generated format for len type to support multiple path elements.
2019-05-14 19:28:01 +02:00
Dmitry Vyukov
da22883527 prog: fix TestTransitivelyEnabledCalls
We now have io_uring on all arches so remove the hack.
2019-05-10 13:04:27 +02:00
Kaipeng Zeng
c2aed7c7e3 sys/linux: update descriptions of sendmsg/sendmmsg
Fix the descriptions of cmsghdr.
Add sendmsg$sock and sendmmsg$sock for __sock_cmsg_send.
2019-05-10 13:00:44 +02:00
Dmitry Vyukov
335cf4f4fd prog: fix crash in createResource
We may be in createResource but have no resources at all because of ANYRES
that are not in target.Resources.
This is actually the case for some test targets. We have resources there,
but syscalls that create them are disabled.
In such case we crash in Intn(0).
Check that we have some resources before calling Intn.
2019-04-23 18:59:49 +03:00
Dmitry Vyukov
8095117313 all: fix some static analysis warnings
Fix warnings produced by golangci-lint.

Update #977
2019-04-23 17:58:54 +03:00
Dmitry Vyukov
4f421599f9 sys/linux: add simple io_uring descriptions
We don't actually communicate with the uring yet,
but this already finds a bunch of bugs.
2019-04-12 16:19:23 +02:00
Dmitry Vyukov
44fe9159be prog/test: rename prog/fuzz to prog/test
gometalinter complained about fuzz.FuzzFoo names,
but go-fuzz now requires all fuzz functions to start with Fuzz.
So move the package to prog/test.
2019-04-01 12:20:19 +02:00
Dmitry Vyukov
c35ee0ea6d prog, pkg/compiler: fix warnings
gometalinter says:

pkg/compiler/consts.go:192:⚠️ internal error: no range for "n" (vetshadow)
pkg/compiler/consts.go:197:⚠️ internal error: no range for "n" (vetshadow)
prog/encoding.go:862:⚠️ declaration of "v" shadows declaration at prog/encoding.go:852 (vetshadow)

This somehow happens only with Go1.11 but not 1.12 so wasn't detected locally.
The prog warnings looks legit.
The pkg/compiler warning was amusingly introduced to please golangci-lint checker,
revert that fix for now.
2019-03-29 19:04:30 +01:00
Dmitry Vyukov
c84501fe70 prog: fix a bunch of bugs in parsing
Add fuzzer for Deserialize and fix 5 or so bugs it found.

Fixes #1086
2019-03-29 08:56:02 +01:00
Dmitry Vyukov
4a9fce1952 all: fix warnings pointed to by golangci-lint
Update #977
2019-03-28 15:30:18 +01:00
Dmitry Vyukov
d23e90a7b4 all: switch to Go 1.12
Differences in code formatting between Go versions cause constant
problems for us (https://github.com/golang/go/issues/25161).
Currently we support 1.9 and 1.10. Switch to newer 1.11 and 1.12.

Fixes #1013
2019-03-14 14:55:59 +01:00
Dmitry Vyukov
0278574b21 prog: add a test for ChoiceTable 2019-02-21 10:08:34 +01:00
Dmitry Vyukov
a39e52b1cd all: reformat with Go 1.10 2019-02-11 18:13:34 +01:00
Dan Robertson
13f1d0047a sys/linux: add NDISC packet formats to vnet.txt
Add the basic NDISC (RFC 4861) packet formats to sys/linux/vnet.txt.
2019-02-11 18:10:35 +01:00
Dmitry Vyukov
fa6c7b7080 sys/linux: prohibit opening /proc/self/exe
Fuzzer manages to open it and do bad things with it.
Prevent it from doing so.
2019-02-08 16:30:44 +01:00
Andrey Konovalov
ceb907750f prog: fix checksum dependencies
Make pseudo checksums depend (via csumUses) on the arg it requires for
calculation. Otherwise we fail to assign addrs to those args during encoding
for execution. Also add a test.
2019-02-01 16:52:54 +01:00
Dmitry Vyukov
8e579f27d6 prog: fix escaping of C strings
C's \xHH hex constants in strings accept any number of hex digits
(not just 2 or 4). So later non-hex escaped chars glue to the \x construct.
Use \OOO instead as it accepts at most 3 octal digits.
2019-01-31 11:35:53 +01:00
houjingyi
69d69aa92d Update hints_test.go 2019-01-07 10:01:28 +01:00
Dmitry Vyukov
709e893d24 prog: don't produce the same program when mutating with hints
No point in producing the same program as result of mutation with hints.
So don't do it.
2019-01-03 13:39:30 +01:00
Dmitry Vyukov
adddc5fd46 prog: remove several sources of non-determinism
Non-determinism is bad:
 - it leads to flaky coverage reports
 - it makes test failures non-reproducible

Remove 4 sources of non-determinism related to maps:
 - file name generation
 - string generation
 - resource generation
 - hints generation

All a test that ensures all main operations are fully deterministic.
2019-01-03 12:23:57 +01:00
Dmitry Vyukov
06a2b89fc3 prog, pkg/{csource,ifuzz,ipc,repro}: make tests deterministic on travis
Don't use random seed on travis as it produces flaky coverage reports,
and probably generally better for CI setting.
2019-01-02 11:57:53 +01:00
Dmitry Vyukov
c5499485c2 prog: speed up TestResourceCtors
We check each resource multiple times. Check each resource once.
2018-12-31 12:32:14 +01:00