Remove a single template parameter to v4l2_buffer, as it should always
use a fd_request descriptor. Update all syscalls that use it.
Refactor the VIDIOC_STREAMON and VIDIOC_STREAMOFF vim2m ioctls to use
v4l2_buf_type_vim2m as a parameter instead of a union.
Remove ioctl$VIDIOC_RESERVED from dev_video4linux.txt (not defined in
upstream kernel).
Add a set of descriptions to focus the fuzzing process on the V4L2 vim2m
test driver. This should be useful to test the M2M framework.
The syscalls are based on a specific file descriptor for the vim2m
device and a selection of v4l2 ioctls that operate on it. Some of the
existing v4l2 data structure definitions have been extended to allow
restricting and selecting some options in order to narrow down the
fuzzing process.
Initial support for Request API added.
- Give some extra clarifications and examples about resources in syscall
descriptions.
- More details about how to use the "enable_syscalls" option.
- Mention pseudo-syscalls in the general syscall description doc file.
The test is random and needs some large number of iterations to pass.
It failed for me after an unrelated change in descriptions.
So bump number of iterations.
The linux string dictionary comes from extremely old times
when we did not have proper descriptions for almost anything,
and the dictionary was a quick hack to guess at least some
special strings.
Now we have way better descriptions and the dictionary
has become both unnecessary and probably even harmful.
Fuchsia has strict controls over who can map memory as executable.
Refactoring syz-executor to be able to do that involves a non-trivial
amount of work: it needs to run as a fuchsia component and replace stdin
with some other mechanism to communicate with syz-fuzzer (probably a fidl
service and a thin client that proxies stdin/stdout to syz-fuzzer via
ssh).
Mapping memory as executable doesn't seem to be used or needed in
syz-executor at all. After talking with Dmitry, he mentioned that it was
used in a deprecated feature: `syz_execute_func` which would execute
random code. It also allows more scenarios during fuzzing.
For now, I'm removing that option to allow syzkaller to continue fuzzing.
This change also refactors all of the error messages adding a string
representation of the `zx_status_t` in error logs.
FIDL fuzzing hasn't been working for a while, and it's further
bit-rotted as upstream FIDL functionality has continued to evolve.
This commit updates enough FIDL functionality to get a minimal FIDL
test case to work again.
These are disabled by default, so this does not change behavior.
But it's good to see the whole list and this makes it clear
that they are not missed accidentally.
If there are compilation errors in tests, golangci-lint
produces them in the following format:
level=warning msg="[runner] Can't run linter unused: buildssa: analysis skipped: errors in package: [/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:26:35: cannot use rawCov (variable of type []float64) as float64 value in argument to status.Reward.RawAllTasks.Update /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:26:43: cannot use rawTime (variable of type []float64) as float64 value in argument to status.Reward.RawAllTasks.Update /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:27:38: cannot use totalReward (variable of type []float64) as float64 value in argument to status.Reward.RewardAllTasks.Update /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:33:2: reward declared but not used]"
Transform this to github format.
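One way to do the transformation described in the commit above, as an added example that is not syzkaller's own code: parse the `level=warning msg="..."` line golangci-lint emits, pull each `path:line:col: message` entry out of the `errors in package: [...]` list, and re-emit them as GitHub Actions `::error` annotations. The sample input is the warning quoted above; the repository prefix that gets stripped (`/syzkaller/gopath/src/github.com/google/syzkaller/`) is an assumption taken from those paths.

```python
import re
from typing import List, NamedTuple


class CompileError(NamedTuple):
    path: str
    line: int
    col: int
    message: str


# Sample input: the golangci-lint warning quoted in the commit message above.
SAMPLE_LINE = (
    'level=warning msg="[runner] Can\'t run linter unused: buildssa: analysis '
    'skipped: errors in package: ['
    '/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:26:35: '
    'cannot use rawCov (variable of type []float64) as float64 value in argument to '
    'status.Reward.RawAllTasks.Update '
    '/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:26:43: '
    'cannot use rawTime (variable of type []float64) as float64 value in argument to '
    'status.Reward.RawAllTasks.Update '
    '/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:27:38: '
    'cannot use totalReward (variable of type []float64) as float64 value in argument to '
    'status.Reward.RewardAllTasks.Update '
    '/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/mab_reward_test.go:33:2: '
    'reward declared but not used]"'
)

# Assumed repository checkout prefix to strip so annotations use repo-relative paths.
REPO_PREFIX = "/syzkaller/gopath/src/github.com/google/syzkaller/"

# The msg="..." payload runs to the end of the line.
MSG_RE = re.compile(r'msg="(.*)"$')
# The compile errors are listed in square brackets after "errors in package:".
ERRORS_RE = re.compile(r"errors in package: \[(.*)\]$")
# One entry: path:line:col: message, terminated by the next path or end of list.
ERROR_RE = re.compile(r"(\S+\.go):(\d+):(\d+): (.*?)(?= \S+\.go:\d+:\d+: |$)")


def parse_compile_errors(line: str) -> List[CompileError]:
    """Extract the Go compile errors embedded in a golangci-lint warning line."""
    msg = MSG_RE.search(line)
    if not msg:
        return []
    errors = ERRORS_RE.search(msg.group(1))
    if not errors:
        return []
    return [
        CompileError(path, int(lineno), int(col), text.strip())
        for path, lineno, col, text in ERROR_RE.findall(errors.group(1))
    ]


def to_github_annotations(errors: List[CompileError], prefix: str = REPO_PREFIX) -> List[str]:
    """Render errors as GitHub Actions workflow commands (::error file=,line=,col=::msg)."""
    out = []
    for err in errors:
        path = err.path[len(prefix):] if err.path.startswith(prefix) else err.path
        out.append(f"::error file={path},line={err.line},col={err.col}::{err.message}")
    return out


if __name__ == "__main__":
    for annotation in to_github_annotations(parse_compile_errors(SAMPLE_LINE)):
        print(annotation)
```

Printing the annotations from a CI step is enough for GitHub to attach them to the offending lines of the pull request; lines that are not golangci-lint warnings simply yield an empty list and produce no output.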
Manager has already checked what features are present on the target.
But if we detected that, say, USB is missing, we still enabled it
in the starting csource options. This is wrong, increases configuration
minimization time and may lead to some obscure bugs.
HostFuzzer targets require that we cross-compile the csource tests and
then copy them to the target system. The code to copy files is
currently missing from syz-runtest; also, at least for Fuchsia (which
uses HostFuzzer mode), cross-compiling is non-trivial.
This is useful for integrating into Fuchsia's build system, where we
need to be able to run syz-sysgen with a read-only source directory,
and emit the output files elsewhere.
I thought maybe we need special handling for them:
stop at kmem_cache_alloc function. But now I am not sure.
This can also be an infinite loop which calls kmalloc/kfree.
Let's not change code for now, just fix things with tests
(this is a good representative set).
On top of syz-env it provides akaros/fuchsia/netbsd toolchains and gcloud sdk.
With this it's possible to run dashboard/app tests on CI and locally
and test executor build and pkg/{csource,cover} for these OSes.
Update #1765