Temporarily disable corpus rotation b/c we suspect it negatively affects fuzzing.
But we don't have hard data, and the easiest way to check is to disable
and see what happens.
Update #1348
We have strict upper bound of array size 10.
However, for netlink we frequently need lots of attributes in arrays.
Add a mutation that increases array size by few elements
without an upper bound (we should not grow them infinitely due
to coverage feedback?).
BTF fails lots of builds with:
pahole version v1.9 is too old, need at least v1.13
Failed to generate BTF for vmlinux. Try to disable CONFIG_DEBUG_INFO_BTF.
1. Turns out that NLA_F_NESTED is actually used and checked
(nla_parse_nested checks it, while nla_parse_nested_deprecated does not).
Similarly, ipset extensively checks NLA_F_NET_BYTEORDER.
So we need these bits.
2. nla_len must not account for the trailing alignment padding.
This means we set wrong len for payloads that are not multiple of 4
(int8/int16/strings/arrays/some structs/etc).
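
The length rule from the message above, as an added example (not code from the project): nla_len covers the 4-byte header plus the payload, the padding to the next 4-byte boundary is emitted but not counted, and NLA_F_NESTED is set in the type field of a container attribute. The `ATTR_*` names, the helper functions and the sample attribute types 1-3 are constructed for illustration; the values mirror the kernel's uapi netlink definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed names; values mirror the kernel uapi netlink definitions. */
#define ATTR_HDRLEN 4u                     /* sizeof(struct nlattr) */
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)   /* NLA_ALIGN: round up to 4 */
#define ATTR_F_NESTED (1u << 15)           /* NLA_F_NESTED */
#define ATTR_F_NET_BYTEORDER (1u << 14)    /* NLA_F_NET_BYTEORDER */
#define ATTR_TYPE_MASK (~(ATTR_F_NESTED | ATTR_F_NET_BYTEORDER) & 0xffffu)

/* Append one attribute at buf+off. Returns the aligned offset of the next
 * attribute, or 0 if it does not fit. */
static size_t put_attr(uint8_t *buf, size_t cap, size_t off, uint16_t type,
                       const void *payload, size_t plen)
{
    size_t len = ATTR_HDRLEN + plen;       /* nla_len: header + payload only */
    size_t end = off + ATTR_ALIGN(len);    /* padding is written, not counted */
    if (len > UINT16_MAX || end > cap)
        return 0;
    uint16_t len16 = (uint16_t)len;
    memcpy(buf + off, &len16, 2);          /* nla_len, host byte order */
    memcpy(buf + off + 2, &type, 2);       /* nla_type including flag bits */
    if (plen)
        memcpy(buf + off + ATTR_HDRLEN, payload, plen);
    memset(buf + off + len, 0, end - off - len); /* zero the padding bytes */
    return end;
}

static uint16_t attr_len(const uint8_t *buf, size_t off)
{ uint16_t v; memcpy(&v, buf + off, 2); return v; }

static uint16_t attr_type(const uint8_t *buf, size_t off)
{ uint16_t v; memcpy(&v, buf + off + 2, 2); return v; }

/* Sample: an int8 attribute (type 1), then a nested attribute (type 2)
 * whose payload is one 3-byte string attribute (type 3). */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    uint8_t inner[16], v = 0x7f;
    size_t in = put_attr(inner, sizeof(inner), 0, 3, "ab", 3);
    size_t off = put_attr(buf, cap, 0, 1, &v, 1);
    if (!in || !off)
        return 0;
    return put_attr(buf, cap, off, 2 | ATTR_F_NESTED, inner, in);
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof(buf));
    printf("total=%zu int8 nla_len=%u nested nla_len=%u\n", n,
           (unsigned)attr_len(buf, 0), (unsigned)attr_len(buf, 8));
    return 0;
}
```

The int8 attribute occupies 8 bytes in the buffer while its nla_len is 5; writing 8 there is the wrong-length case the message describes.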
The USB config extraction script properly works with symbols that
are either enabled as =m or =y or disabled. This change adds support
for hex, int and string symbol types. (The current distro config used
for USB config generation doesn't contain any values of those types yet.)
String value enforcement broke a number of tests
where we use different values.
Be more strict as to what string values we use in tests.
Required to add tmpfs descriptions to test syz_mount_image.
Also special-casing AF_ALG algorithms as these are auto-generated.
Strings with enumerated values are frequently file names
or have complete enumeration of relevant values.
Mutating complete enumeration is not very profitable.
Mutating file names leads to escaping paths and
fuzzer messing with things it is not supposed to mess with as in:
r0 = openat$apparmor_task_exec(0xffffffffffffff9c, &(0x7f0000000440)='/proc/self//exe\x00', 0x3, 0x0)
1. Show all syscalls even if they don't have coverage yet.
2. Show full syscall names.
3. Show prio/corpus/cover for particular syscall discrimination.
This allows to check what exactly syscalls are enabled
and see prio/corpus/cover for a single syscall.
Now other machines failed with redefinition IPVLAN_F_VEPA.
The #ifndef does not really work the way it should due
to the way pkg/csource preprocesses sources.
IPVLAN_F_VEPA is never defined during preprocessing.
Let's try this.
Enable AFS.
Enable PHONET (enabled in Debian).
Enable IEEE802154_FAKELB (may allow us to reach some of IEEE802154 code).
Enable USB4.
Enable some misc networking configs.
Mark ifindex as opt in SIOCGIFINDEX.
Otherwise it's considered inout and SIOCGIFINDEX can't be used
to produce ifindex'es on its own. It requires an input ifindex
first and only then it can output own ifindex.
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
Looks for source files in object dir.
This is required for out-of-tree linux builds.
E.g. security/selinux/flask.h contains some sources
with coverage callbacks, but it's auto-generated
and located in the build dir.
1. Use optional[T] instead of array[T, 0:1].
2. Deduplicate 3 copies of ARP packet.
3. Deduplicate IPOPT_LSRR/IPOPT_SSRR/IPOPT_RR.
4. More precise description of IPOPT_TIMESTAMP/IPOPT_LSRR/IPOPT_SSRR/IPOPT_RR.
5. Don't use IPOPT_END/IPOPT_NOOP in generic option (they have different format).
6. Restrict cipso doi values.
7. Fix IPOPT_RA value type (int16 instead of int32).
8. Match ipv4/ipv6 packet type with payload.
9. Prefer 0 frag_off for ipv4 packets (they are extremely hard to get right).
Use a random subset of syscalls/corpus/coverage for each individual VM run.
Hypothesis is that this should allow fuzzer to get more coverage
and find more bugs in saturated state (stuck in local optimum).
See the issue and comments for details.
Update #1348