The sanitizer fails to sanitize programs like the following:
setrlimit(0x10000000000002, &(0x7f0000000080))
... due to presence of the most significant bit. Therefore mask of all
bits that cannot form a valid rlimit resource.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Locking down future mappings will most likely cause syz-executor to run
out of memory.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Do not allow the stack to grow beyond the initial soft limit chosen by
syz-executor. Otherwise, syz-executor will most likely not be able to
perform any more heap allocations since they majoriy of memory is
reserved for the stack.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
OpenBSD performs a strict validation of the RLIMIT_DATA soft limit
during memory allocation. Lowering the same limit could cause
syz-executor to run out of memory quickly. Therefore make sure to not go
lower than the default soft limit for the staff group.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
One of the root causes to reported "lost connection to test machine" is
when the egress network interface is being used as a multicast
interface:
setsockopt$inet6_MRT6_ADD_MIF(r0, 0x29, 0x66, &(0x7f0000000180)={0x2}, 0xc)
Prevent such syscalls from being generated by limiting the range of
allowed interface indices.
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
Using a build tag to exclude files for golangci-lint
reduces memory consumption (it does not parse them).
The naive attempt with skip-dirs did not work.
So add codeanalysis build tag and use it in auto-generated files.
Update #977
This is especially problematic for file descriptors referring to tty/pty
devices since it can cause the SSH connection to the VM to die.
The ambition here is reduce the number of "lost connection/no output" failures
at the cost of limiting the coverage of chflags(2).
Due to missing padding arguments, stack garbage could end up being used as
actual arguments. More reading for the curious[1].
While here, add missing descriptions for pread and pwrite.
[1] https://flak.tedunangst.com/post/syzkaller-found-a-bug
Most probably limited to input validation for now. In the future, it
could be extended to provide a bootable kernel during vm create (/bsd)
and turn vmid into a proper resource.
The OpenBSD VMs on GCE does support vmm(4).
Ptr type has special handling of direction (pointers are always input).
But buffer type missed this special case all the time.
Make buffer less special by aliasing to the ptr[array[int8]] type.
As the result buffer type can't have optional trailing "opt" attribute
because we don't have such support for templates yet.
Change such cases to use ptr type directly.
Fixes#1097
Prevent nodes that maps to an already open kcov fd from being created since
they can corrupt the coverage buffer.
Partial revert of commit 04aed72692 with some
tweaks and testing.
We don't specify trailing unused args for some syscalls
(e.g. ioctl that does not use its arg).
Executor always filled tailing unsed args with 0's
but pkg/csource didn't. Some such syscalls actually
check that the unsed arg is 0 and as the result failed with C repro.
We could statically check and eliminate all such cases,
but it turns out the warning fires in 1500+ cases:
a3ace5a63f/gistfile1.txt
So instead fill such args with 0's in pkg/csource too.
* OpebBSD: remove socketpair() for AF_INET and AF_INET6.
socketpair() is only supported on AF_UNIX.
* NetBSD: remove socketpair() for AF_INET and AF_INET6.
socketpair() is only supported for AF_UNIX.
* FreeBSD: remove socketpair() for AF_INET and AF_INET6.
socketpair() only supports AF_UNIX.
* Linux: remove socketpair for AF_INET and AF_INET6.
socketpair only supports AF_UNIX.
* Autogenerated files.
These are manually generated for all platforms you are not
running on. FreeBSD in this case.
* executor: rebase.
* sys/freebsd: rebase.
* sys/linux: use AF_UNIX based socketpair for nbd.
This was suggested by Dmitry.
Fixes#845
Squash of:
* Doc typo
* Ported some tun related functions.
* Copy vnet.txt from linux to openbsd.
* Simplified syz_emit_ethernet and stubbed out vnet.txt.
* Undo clang-format header sorting: headers are order sensitive.
* Uniquify tap devices by pid.
* clang-format off for includes
* Happier clang-format.
* Partially revert "Uniquify tap devices by pid."
Just rely on procid magic instead of getting it from a flag.
* sys/openbsd: added minherit, extended/simplified mmap.
Added a script from anton_at_openbsd.org for regenerating syscalls.
Generated by ksh ./sys/openbsd/extract-openbsd.sh
* Undo whitespace change not passing on CI
* No need for magic script.
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
On OpenBSD, the vnode type for a device node of type S_IFMT is interpreted as
VBAD. Such vnodes often causes assertion failures inside kernel producing noisy
crashes. The goal of the OpenBSD specific SanitizeCall() is to prevent such
device nodes from being created. The S_IFMT constant is a mask covering all
possible device types, thus covering both character and block devices. Therefore
when the fuzzer generates a mknod{,at}() syscall with the S_IFMT type we cannot
known if the intent was to create a block or character device. Therefore
simplify the code to create a character device under such circumstances.
The observed failure is caused by the interaction between the OpenBSD specific
SanitizeCall() and the Unix one. The Unix sanitizer will not modify the mode
argument if it contains the S_IFMT mask. But on the second invocation when the
mode no longer contains S_IFMT it would modify it, causing a different program
to be produced. Therefore only delegate to the Unix sanitizer if the syscall is
not equal to mknod{,at}().
Regression introduces in commit b771b17e ("Add mandatory OpenBSD bits (#689)").
TestSerializeDeserializeRandom fails from time to time
because program is different after we serialize/deserialize it.
Turns out openbsd SanitizeCall is not idempotent.
Add a test for this and disable the logic for now.
