Commit Graph

61 Commits

Author SHA1 Message Date
Dmitry Vyukov
40280fa543 syz-repro: fix false "not executing programs" 2016-09-05 12:49:47 +02:00
Dmitry Vyukov
2c881152ef syz-report: fix printing of report 2016-09-05 12:49:47 +02:00
Dmitry Vyukov
0e77b5a187 manager, repro: unify VM monitoring
Unify and factor out VM monitoring loop used in syz-manager and syz-repro.
This allows syz-repro to detect all the same bugs (e.g. "no output", "lost connection", etc).
And also just deduplicates code.
2016-09-01 19:54:55 +02:00
Dmitry Vyukov
9ec6b54fae report: add a function that symbolizes reports 2016-09-01 15:09:39 +02:00
Dmitry Vyukov
bb1e3bfda5 report: extract better, unique identifiers of oopses 2016-08-31 13:20:57 +02:00
Dmitry Vyukov
14dfa4f109 report: add a new package for report parsing and processing
Move vm.FindCrash to the new package.
2016-08-30 15:19:28 +02:00
Dmitry Vyukov
bc9b349bd7 vm/adb: support multiple adb devices
Device IDs are specified in "devices" config param.
2016-08-30 14:33:39 +02:00
Dmitry Vyukov
0113f7f048 repro: a little bit more graceful shutdown
Bring down at least some VM instances.
Booting instances can still leak.
2016-08-28 20:09:05 +02:00
Dmitry Vyukov
f0eccc7052 repro: use correct sandbox mode
Update #59
2016-08-28 13:51:09 +02:00
Dmitry Vyukov
888b041f6d csource: support nonfailing argument copyin/copyout
Update #59
2016-08-28 12:24:39 +02:00
Dmitry Vyukov
4782c2b8e6 executor: revive setuid sandbox
The new namespace-based sanboxing is good,
but it's not always what one wants
(and also requires special kernel configs).

Change dropprivs config value to sandbox,
which can have different values (currently: none, setuid, namespace).
Setuid mode uses setuid(nobody) before fuzzing as before.

In future we can add more sandboxing modes or, say,
extend -sandbox=setuid to -sandbox=setuid:johndoe
to impersonolate into given user.
2016-07-01 22:26:33 +02:00
Dmitry Vyukov
85da6413f9 stress: expect syz-executor to be in the current dir by default 2016-06-22 15:23:56 +02:00
Jamie Liu
016f6be69b stress: fix "assignment to entry in nil map" panic 2016-06-14 16:03:26 -07:00
Alexander Potapenko
ed787856f2 Use readelf to obtain the upper 32 bits of addresses returned by kcov.
When executors send coverage data to the manager, they clamp the addresses
of covered blocks to 32 bits. Manager uses RestorePC() to restore the original
addresses.
Previously, RestorePC() assumed that the upper 4 bytes of a kernel code
address were 0xffffffff, which is not so on Android.
Instead we now parse `readelf -SW vmlinux` output to obtain the upper bytes of
PROGBITS sections VMAs in the case those VMAs are non-zero. We assume that
the upper 4 bytes are the same for every section.
2016-05-03 11:06:27 +02:00
Dmitry Vyukov
7bc74c0b97 stress: print program and output on more types of bugs 2016-04-04 20:22:10 +02:00
Dmitry Vyukov
9851bc6a97 fuzzer: improve kmemleak logic
Kmemleak has false positives. To mitigate most of them, it checksums
potentially leaked objects, and reports them only on the next scan
iff the checksum does not change. Because of that we do the following
intricate dance:
Scan, sleep, scan again. At this point we can get some leaks.
If there are leaks, we sleep and scan again, this can remove
false leaks. Then, read kmemleak again. If we get leaks now, then
hopefully these are true positives during the previous testing cycle.
2016-03-10 17:47:13 +01:00
Lorenzo Stoakes
827a93b21a tools: fix multi-line string.
An error in the multi-line string results in apt-get install not running in
create-image.sh, this fixes that.
2016-03-08 15:14:48 +00:00
Lorenzo Stoakes
b21724820c tools: fix path on create-image.sh chroot.
When chroot'ing into the generated debian rootfs PATH is inherited from the host
and assumed to reference each of: /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin and /usr/local/sbin. Not all distros use all of these, so enforce
these in the chroot command.
2016-03-06 18:47:43 +00:00
Dmitry Vyukov
96949534ae execprog: properly cleanup on ctrl+C 2016-02-18 21:41:50 +01:00
Dmitry Vyukov
9724efa335 config: check presence of syz-execprog only in syz-repro
syz-execprog is not built by 'make', so syz-manager fails for first-timers.
2016-02-16 15:14:25 +01:00
Dmitry Vyukov
d1163f0480 ipc: unify command line flag handling
It was duplicated in 3 programs.
2016-01-27 14:22:48 +01:00
Dmitry Vyukov
9aec072a77 ipc: remove strace support traces
It is not working and not tested,
and can't be restored with new namespace sandboxing code.
2016-01-27 13:42:00 +01:00
Dmitry Vyukov
1e06d2bafc executor: new namespace-based sandbox 2016-01-22 18:09:32 +01:00
Dmitry Vyukov
891b46a9a5 vm: faster output oops grepping
Use manual parsing instead of a regexp.
Regexp takes ~220ms for typical output size. New code takes ~2ms.
Brings manager CPU consumption from ~250% down to ~25%.
2016-01-19 17:22:36 +01:00
Dmitry Vyukov
7a94216729 csource: format source with clang-format 2016-01-15 20:32:32 +01:00
Dmitry Vyukov
4d906f05d4 vm/adb: add adb-based VM
vm/adb can be used to fuzz on real android devices.
2016-01-11 17:40:26 +01:00
Dmitry Vyukov
de48f7b019 vm: refactor VM interface in preparation for adb support
adb has more complex port forwarding setup, also / is mounted read-only.
Make VM interface more flexible to support such cases.
2016-01-11 17:33:44 +01:00
Dmitry Vyukov
ad969c98f1 tools: add script that creates a Linux image suitable for syzkaller 2016-01-07 13:12:36 +01:00
Dmitry Vyukov
3ccc84556b tools/stress: disable unsupported syscalls 2015-12-30 18:24:08 +01:00
Dmitry Vyukov
9f9ae3fcc3 tools/syz-upgrade: helper tool for corpus format upgrades 2015-12-28 12:49:19 +01:00
Dmitry Vyukov
80d60f7305 tools/syz-repro: fix repeat multiplier
For loop already increases multiplier on exit,
so additional incrase is not necessary.
2015-12-24 12:06:15 +01:00
Dmitry Vyukov
d4180ca5c7 tools/syz-repro: add reproduction tool 2015-12-23 19:19:45 +01:00
Dmitry Vyukov
1c801e8512 prog: factor out execution log parsing functionality
It will be needed to reproduction tool.
2015-12-23 19:18:13 +01:00
Dmitry Vyukov
7f3186abbb execprog: detect executor-detected bugs 2015-12-23 19:09:48 +01:00
Dmitry Vyukov
6af1c1f308 execprog: replace loop flag with repeat
This will be necessary for reproduction tool.
It needs to run a program a fixed number of times
instead of loop infinitely.
2015-12-23 13:39:14 +01:00
Dmitry Vyukov
e253cbc79f csource: new package
Move C source generation into a separate package.
Prog is too bloated already.
2015-12-23 13:38:31 +01:00
Dmitry Vyukov
bd75706280 add a flag to disable setpgid syscall
It is broken on some of our test systems.
2015-12-17 17:31:11 +01:00
Dmitry Vyukov
bbf4e35323 executor: export syscall execution results
Errno can be used to guide fuzzing, or detect not implemented syscalls.
2015-12-17 17:31:11 +01:00
Dmitry Vyukov
8e7ca7c5ff remove master and naming overhaul
Remove master process entirely, it is not useful in its current form.
We first need to understand what we want from it, and them re-implement it.

Prefix all binaries with syz- to avoid name clashes.
2015-12-17 16:06:33 +01:00
Dmitry Vyukov
d665e11e9d move Gate type to ipc package and use it in stress tool
This allows to print what programs stress executes.
2015-12-17 14:38:46 +01:00
Dmitry Vyukov
48d0a3662e tools/stress: minor improvements 2015-12-17 14:38:46 +01:00
Dmitry Vyukov
8bda33214d execprog: rate limit printing
Otherwise it happen too frequently when executing a single program in a loop.
2015-11-28 11:27:44 +01:00
Dmitry Vyukov
83e92abf50 tools/stress: support missing flags 2015-11-23 17:08:53 +01:00
Dmitry Vyukov
0165a4b2e4 use fork server in executor
This avoids exec per test.
Also allows to pre-map shared memory regions.
And will allow to pre-map coverage regions, etc.

Seems to work already, but probably there are still some bugs.
2015-11-10 20:30:50 +01:00
Dmitry Vyukov
760fa7e724 go fmt 2015-11-10 14:32:37 +01:00
Dmitry Vyukov
54af41532d merge execlog and execprog tools
Functionality was duplicated to significant degree.
Now execprog can do all execlog could do.
2015-11-10 13:56:10 +01:00
Dmitry Vyukov
18220dd54e support parallel execution in stress utility 2015-11-10 13:38:08 +01:00
Dmitry Vyukov
a44473e4a4 add collide mode to executor
In this mode we execute pairs of syscalls concurrently
to provoke data races in kernel.
2015-11-06 23:15:40 +01:00
Dmitry Vyukov
a7d2a521f3 support dropprivs in execlog/execprog 2015-11-05 10:30:39 +01:00
Dmitry Vyukov
727e8240ff read corpus from a zip archive in stress tool 2015-10-20 15:46:04 +02:00