All callers of EnvForCommit need the compiler path,
so move this logic into EnvForCommit to avoid duplication.
Also simplifies tests because test impl can now return
an empty compiler (which should be unused).
(note: incomplete change)
Refactor existing code as follows:
* Move reusable test utility functions from git_repo_test.go to
pkg/vcs/test_util.go and make them exported.
* Split Run() into Run()+runImpl().
* Change type of bisect.go:env.inst to `instance.BuilderTester`.
Change usage inside syz-testbuild/testbuild.go accordingly.
* Move most of linux.PreviousReleaseTags() into vcs/git.go as
git.previousReleaseTags().
* Allow build.CompilerIdentity to be mocked.
Introduce the following changes:
* instance.BuilderTester is an interface with methods
BuildSyzkaller()
BuildKernel()
Test()
NewEnv() now returns this interface.
* type testEnv implements instance.BuilderTester.
* type testBuilder implements builder interface. Add a entry into table
inside pkg/build/build.go:getBuilder() to return testBuilder object.
The problem with task hung reports is that they manifest at random victim stacks,
rather at the root cause stack. E.g. if there is something wrong with RCU subsystem,
we are getting hangs all over the kernel on all synchronize_* calls.
So before resotring to the common logic of skipping some common frames,
we look for 2 common buckets: hangs on synchronize_rcu and hangs on rtnl_lock
and group these together.
Currently we replace a template argument and then recurse
into the new type AST to see if there is more to replace.
If the description is buggy and the template argument
contains itself, then we will recurse infintiely trying
to replace it more and more.
Use post-order traversal when replacing template argument to fix this.
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
OpenBSD uses cvs and does not enforce the standard Git convention for
commit messages of putting a summary followed by a new line and body.
If such commit[1] contains a `Reported-by` header, it's currently not
detected. Instead, if the body is empty try to extract data from the
commit summary.
[1] bdbfbec5ce
This commit fixes a handle leak in syz_mmap. The bug was pointed out by
mdempsky during a code review.
The `syz_mmap` function creates a VMO and maps it to a VMAR in the address
specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar,
the handle to the vmo can be closed without problems.
The new code makes sure that `zx_handle_close(vmo_handle)` gets called before
the `syz_mmap` function returns.
syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs, however, it is also used to setup the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).
The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.
[0]:
a60cb4cd84/executor/executor_fuchsia.h (L15)
This change reuses the logic for sending the output back from
syz-executor to syz-fuzzer that forkserver oses use: reading it
periodically. This will be useful for debugging issues in Fuchsia that
does not support forkserver yet.
syz-symbolize did not use the common mgrconfig logic
to calculate kernel dirs. Thus KernelBuildSrc ended up empty,
+dirs were not extended to absolute paths.
Use the common mgrconfig logic to calculate kernel dirs.
Kbuild inserts build timestamp into every build.
This makes vmlinux change always even if no present.
Make the build more deterministic.
We plan to use it for detecting no-op changes during bisection.
Update #1271
* Modify mail_bisect_result.txt to allow for sending fix bisection
results.
* Modify BisectResult to have a Fix field; introduce selectBisect for
use within the template for choosing between BisectCause/BisectFix
fields.
* Modify bisectFromJob() to return BisectResult with Fix field set if
relevant.
* Modify the tests inside bisect_test.go to account for bisect fix
related reporting emails.
* Modify incomingMail() to ignore any emails from syzbot itself.
Reports from witness regarding returning to userspace with locks held is not
unique enough, causing all lock leaks to be grouped under the same bug.
Instead try to extract the name of syscall where the first held lock was
grabbed.
While here, shorten the title a bit.
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
MAX_STACK_TRACE_ENTRIES crash reports caused by a particular issues can come
from any part of the kernel, so bucketing them based on the stack trace is
pointless and only creates duplicate bug reports.
We have noticed that the build process was being invoked as root. This
change modifies the calls to use osutil.Sandbox before invoking cmds to
build fuchsia.
This is required for the process to use goma, as goma is running under
the syzkaller user.
* Modify uiBug type. Rename BisectCause to BisectCauseDone. Introduce
BisectFixDone.
* Modify createUIBug() and MergeUIBug() to set the above fields
appropriately.
* Modify bug_list to display the bisection status; remove yesSort() as
it is not used anymore. Adjust ".list_table .stat" to appropriate width.
* Add TestBugBisectionStatus() to check bisection status on main page.
* Add file from running "make generate": pkg/html/generated.go
Better coverage reports with hierarchical coverage information,
number of programs covering each line,
handling of partially covered lines,
links to programs covering lines.
Fixes#682
After f613a7c4 ("pkg/cover: fix prefix computation") we stopped trimming
starting "/" from linux path names. This broke get_maintainers.pl script
which is now given non-existent absolute paths (e.g. "/mm/mmap.c"),
as the result syzbot can't find any maintainers for bug reports
and mails them into lkml limbo.
Trim starting slashes and dots. Extend tests for catch this.
We now pass 5 arguments through a bunch of functions,
this is quite inconvinient when the set of arguments changes.
Incapsulate all arguments in a struct and pass/store it as a whole.
This change modifies the way fuchsia is built to add the ssh keys to the
zbi image after building it. Previously that was done via the
"extra_ssh_keys" argument to the build system, but that was removed
recently.
A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
Running sys/*/test programs requires real machines and kernels for each OS.
We can't do that in unit tests, but at least try to deserialize these programs
so that they don't get rotten.
Ensure that we have at least 1GB per Makefile job.
Go compiler/linker can consume significant amount of memory
(observed to consume at least 600MB). See #1276 for context.
Update #1276
One instance we observed that objdump hanged due to stdout
pipe overflow due to panic in archCallInsn.
The reason for the original panic is still unclear,
but fix the objdump hang. We need to terminate objdump
and propagate the panic.
Also extend the panic messages.
* sys/fuchsia: update zx_clock_get.
zx_clock_get was deprecated and replaced by zx_clock_get_new. In a
recent CL[0], they replaced the zx_clock_get by zx_clock_get_new and
moved all client. This commit updates syzkaller to use the new function.
[0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/298575
* run make extract && make generate
1. Change HID descriptions to allow devices to have two interrupt endpoints.
2. Remove unneeded responses to OUT control requests from descriptions.
3. Add some debugging code to detect and report missing descriptions.
On OpenBSD, the executor sometimes manages to set the memory resource
limit 0 causing any following memory allocation to fail. Since threads
are potentially created from such a thread which cannot allocate any
memory, the executor will exit non-zero which in turn will cause
false-positive panics to be reported. For more info see the
discussion[1] in PR #1243.
Instead, if hitting a fatal error during thread creation exit zero.
[1] https://github.com/google/syzkaller/pull/1243
* Add support for non-obvious open commands
* Adding Michael Specter to CONTRIBUTORS
* update
* /pkg/host/host_linux.go: leverage .txt for OpenAt
Allows users to specify OpenAt flags. Currently, Syzkaller will
automatically attempt to open device nodes at startup, and ignore
descriptions that do not exist. Unfortunately, Syzkaller only opens with
read-only permissions, and some device drivers will
return -EINVAL or likewise if the correct flags are not specified.
Add retry logic that detects and ignores episodic flakes.
This test episodically flakes on syzbot.
We run with the default timeout, but require a test
to pass in 50+% of cases.
Running 72 test binaries in parallel I am getting 35-44 failures out of 72
with 1 retry. With 3 retries it drops to ~7. With 5 it is close to 0.
Use 7 retries for now. Let's see if it still flakes.
* Remove the environment variable: AKAROS_XCC_ROOT
(refer to commit: brho/akaros bdab8c3a)
* Add environment variable AKAROS_TOOLCHAINS which
points to the parent directory of the old AKAROS_XCC_ROOT.
(refer to commit: brho/akaro 62ec5c3c)
* Add "$AKAROS_TOOLCHAINS/x86_64-ucb-akaros-gcc/bin" to PATH.
Signed-off-by: Aditya Basu <mitthu@google.com>
For extractProgSingle() lastEntries are already reversed, so no need to
call reverseEntries().
Also for extractProgBisect() there's no point in reversing the entries,
as the idea is to try connecting multiple programs in chronological order.
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
The csource options lack any relation to the tested OS,
while they do depend on the tested OS (most are linux-specific).
As the result we enable binfmt_misc, but its setup fails on anything
other than linux. As a work-around don't enable binfmt_misc on non-linux.
Currently we have them duplicated in docs/configuration.md
and the actual source in pkg/mgrconfig/config.go.
Documentation is missing in one place or another,
some is outdated, some is phrased slightly differently.
Move all docs to pkg/mgrconfig/config.go and reference it
from docs/configuration.md instead.
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.
1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.
2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.
3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.
4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.
5. Fix pkg/repro to do something more sane for leak bugs.
Few other minor fixes here and there.
We duplicated the no output timeout in the repro package,
and it got out of sync. It's not 3 mins now, but 5 mins.
Remove the duplication and fix this.
In several places we do special handling for some crash types.
Currently we compare report title with magic strings,
which is error-prone. Add explicit Type to reports.
A const can be used as array size. Then if the const is not present
on all arches, compiler will produce an error about 0-sized-array.
There is no easy way to work around this for a user.
Use value of 1 for missing consts. It's just a bit safer.
Using a build tag to exclude files for golangci-lint
reduces memory consumption (it does not parse them).
The naive attempt with skip-dirs did not work.
So add codeanalysis build tag and use it in auto-generated files.
Update #977
This change adds compiler support for complex path
expressions in len targets. E.g. it allows to refer
to a sibling field as len[parent_struct:field:another_field].
See the docs change for details.
This is just a compiler change.
The feature is not yet supported by the prog package.
This prepared for handling of bytesize[parent:foo:bar] expressions
by allowing multiple identifiers after colon.
No functional changes for now, just preparation for storing more
than one identifier after colon.
For some bug types kernel produces traceback of all CPUs
(which is presumably useful for these crashes).
However, we currently throw it away because it has context
different from the oops context.
Detect such traceback and preserve output.
On powerpc, the "stat" syscall is implemented by "sys_newstat" entry point.
This causes a test failure as we can't find "sys_stat" in kallsyms.
Add "stat" -> "newstat" to the kallsyms rename map to work around this.
Closes: #1083 ("pkg/host: TestSupportedSyscalls fails on ppc64le")
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
After commit 9ad9ef29ca
we started saying "your command '3' is accepted"
because we use numbers now. Keep string representation
of the command when parsing and use it in reply emails.
2 recent commits conflict and cause test 380 to fail:
pkg/report: improve warning titles
pkg/report: Handle powerpc stack traces correctly
Currently 380 is detected as "WARNING in program_check_exception"
rather than the expected "WARNING in assert_slb_presence".
The reason is that we started parsing WARNING stack trace and applying
proper skip patterns to frames.
Adjust WARNING matching and skip common powerpc WARNING frames.
powerpc stack traces are printed a bit differently from x86 stack traces.
Adjust the regexes accordingly to cope with this format.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Enable the Linux builder for ppc64le.
For ppc64le, we use zImage rather than bzImage as our kernel target. Pass
through the target architecture to buildKernel() so we can pick the right
target based on arch.
Closes: #1084 ("pkg/build: Support building Linux on ppc64le")
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Add support for generating ppc64le pseries disk images. This will create a
disk image with a PowerPC PReP boot partition at the start, and install
the IEEE1275/OpenFirmware version of GRUB.
If we ever support the powernv platform in the future we're going to have
to do something different here.
Add a command line argument to specify architecture, defaulting to amd64.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Limit the amount of bisection chunks to 8. Going over this value probably
means that we are bisection a flaky crash, and continuing bisection would
just take a lot of time and likely produce no result.
Not using `elif GOOS_freebsd' since it could cause breakage on other *BSDs
due to unused variables.
Regression introduced in commit c7c3f772 (executor: improve setup for packet
handling on *BSD).
Most probably limited to input validation for now. In the future, it
could be extended to provide a bootable kernel during vm create (/bsd)
and turn vmid into a proper resource.
The OpenBSD VMs on GCE does support vmm(4).
Improve the handling of packets by:
* setting the local MAC address.
* configuring the local IPv4 address with prefix /24.
* adding an entry in the arp cache for the remote IPv4 address.
* adding an entry in the IPv6 neighbour cache for the remote
IPv6 address.
Allow 2000 ms of waiting time for syz_usb_connect and and the same time for
the whole program is this syzkall is present. Allow 200 ms of waiting time
for syz_usb_disconnect. Remove sleep from syz_usb_control_io.
This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.
USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
