Commit Graph

719 Commits

Author SHA1 Message Date
Dmitry Vyukov
4744d8ccac pkg/report: fix guilty file extraction
reportPrefixLen can become wrong after symbolization
if we symbolize any lines in the prefix.
Adjust reportPrefixLen during symbolization.

Automatic testing of this is problematic
because we would need to symbolize which requires
the object file with debug info.
Tested manually with syz-symbolize.
2018-10-28 19:07:22 +01:00
Dmitry Vyukov
1ba7fd7e65 all: fix code formatting
Reformat, remove debug leftovers, fix comment style.
2018-10-16 13:57:24 +02:00
Dmitry Vyukov
8cd30605ce tools/create-gce-image.sh: create ext4 image without journalling
We don't need consistent image after reboot since we always reimage.
We know of some use cases that don't use journalling, but don't know
of any that use journalling.
2018-10-15 18:56:55 +02:00
Zach Riggle
751b7baf94 Android: Fix sandbox implementation
My test harness for this code performed some steps that are not
performed when syz-executor is invoked directy.

Specifcally, we need to operate from a directory under /data/data,
and have the correct UID/GID set as the owner of the directory.

My test harness now correctly sets these, all sandbox operations
succeed, and loop() is invoked.
2018-10-12 16:39:26 +02:00
Dmitry Vyukov
ba6ddb4336 pkg/report: improve OpenBSD output parsing
OpenBSD produces \n\r for new lines and split output at 79 column.
Handle both of these things.
2018-10-11 19:47:32 +02:00
Dmitry Vyukov
c3772ff106 pkg/email, pkg/vcs: test that OpenBSD-style commits are handled
OpenBSD does not use "first line is title" convention,
so test that this is parsed properly.
Also test that multi-line fix/dup commands are properly parsed.
2018-10-11 19:47:32 +02:00
Scott Graham
5f818b4b9f executor: Fuchsia: Use zx_task_resume_from_exception()
zx_task_resume() is deprecated; switch to using
zx_task_resume_from_exception() instead.
2018-10-10 19:45:24 +02:00
Dmitry Vyukov
ba8cd6d708 pkg/report: ignore arch/.*/mm/physaddr.c as guilty file
This is called from kfree in the added test.
We already ignore everything related to kmalloc/free
and e.g. arch/.*/mm/fault.c, so it looks reasonable
to ignore this one too.
2018-10-10 17:32:28 +02:00
Dmitry Vyukov
a9495352a0 pkg/host: improve KMEMLEAK detection
EBUSY is returned when KMEMLEAK is in fact turned off,
not when scanning is already turned off.
That can't be recovered.
So instead check that we can write to the file in the check
function and give useful diagnostics.
2018-10-10 15:38:06 +02:00
Dmitry Vyukov
adedaf77a1 executor: tune memcg container logic
The current memcg container seems to lead to lots of hangs/stalls.
Presumably the problem is with oom_score_adj and KASAN.
Executor process tree eats all memory and then the leaf process is killed
but the memory is not returned to memcg due to KASAN quarantine;
and the parent processes are protected from killing with oom_score_adj=-1000.
As the result the kernel locks up.

1. Don't use oom_score_adj=-1000. Instead bump leaf process score to 1000 (kill always).
2. Increase size of memcg to be larger than expected KASAN quarantine size.
2018-10-10 14:22:09 +02:00
Dmitry Vyukov
41e4b32952 pkg/report: ignore printk as guilty file 2018-09-28 16:46:41 +02:00
Dmitry Vyukov
7296c0747f pkg/host: improve KMEMLEAK support
Rewind kmemleak fd before reading it second time,
otherwise we will read truncated reports.

Auto-learn what leak reports we've already seen
and ignore them in future. This is required because
there are some false positives and some fire too frequently.
So now we will hit each leak only once per manager run,
but we still will try to reproduce them.
2018-09-28 14:57:20 +02:00
Dmitry Vyukov
a6143bc982 pkg/report: improve KMEMLEAK report parsing
Skip few more common allocation functions.
2018-09-28 14:57:20 +02:00
Dmitry Vyukov
0c2fa87bc6 executor: fix build on newer linux distros
This sucks a lot, but ebtables.h is now broken too on Debian 4.17:

ebtables.h: In function ‘ebt_entry_target* ebt_get_target(ebt_entry*)’:
ebtables.h:197:19: error: invalid conversion from ‘void*’ to ‘ebt_entry_target*’
2018-09-27 15:34:52 +02:00
Dmitry Vyukov
98b28ead6c pkg/report: fix few fuzz bugs
Improve go-fuzz fuzzer function and fix few new bugs it finds:
1. Panic in linux parser (bad).
2. Akaros can report empty rep.Report.
3. Fuchsia can return empty rep.Report.
2018-09-27 12:50:25 +02:00
Dmitry Vyukov
8899d58437 tools/create-gce-image.sh: mount securityfs and configfs 2018-09-26 14:06:11 +02:00
Dmitry Vyukov
db716d6653 pkg/report: fix guilty file extraction
Account for the case that some file names can appear _before_ crash report starts.
Start extracting guilty file starting from StartPos.
2018-09-26 12:02:43 +02:00
Alexander Popov
0e7547d77c executor: make the debug output useful for race condition debugging
Sometimes race conditions are reproduced by syz-execprog and are not
reproduced by the programs generated with syz-prog2c. In such cases
it's very helpful to know when exactly the fuzzing syscalls are executed.

Unfortunately, adding timestamps to the output of the original 'debug'
mode doesn't work. This mode provides very verbose output, which slows
down executor and breaks the repro.

So let's make the executor debug output less verbose and add
the timestamps.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
2018-09-24 14:55:35 +02:00
Dmitry Vyukov
684e7e3250 pkg/report: ignore more str* functions 2018-09-24 10:59:44 +02:00
Anton Lindqvist
e029c3e058 pkg/symbolizer: favor portable nm(1) format
On OpenBSD, nm(1) does not support the `-S' option.

The order of symbols from nm(1) varies between platforms, therefore rework the
test case to cope with that.

Fixes #723
2018-09-24 10:12:38 +02:00
Dmitry Vyukov
9a6f6af645 syz-ci: upload coverage reports to GCS
Upload coverage reports from all managers to GCS
after 6 hours of runtime (to make it more apples-to-apples).
2018-09-20 18:29:38 +02:00
Dmitry Vyukov
6c662d569b executor: fix build
Move debug_dump_data back to executor.cc.
debug_dump_data in common_linux.h does not play well
with pkg/csource debug stripping logic. It strips a large
random piece of code since it thinks debug_dump_data
definition is actually debug_dump_data call site.
2018-09-20 14:46:58 +02:00
Anton Lindqvist
5f78ab4b81 executor: move debug_dump_data() into common_linux.h
Compiling the executor on OpenBSD currently fails:

  executor/executor.cc:1316:6: error: unused function 'debug_dump_data'
2018-09-20 11:17:14 +02:00
Dmitry Vyukov
98f4a9612d executor: make sandboxes more modular
Currently we have a global fixed set of sandboxes,
which makes it hard to add new OS-specific ones
(all OSes need to updated to say that they don't
support this sandbox).
Let it each OS say what sandboxes it supports instead.
2018-09-17 11:39:04 +02:00
Zach Riggle
0eca949a6c RFC: android: Add support for untrusted_app sandboxing (#697)
executor: add support for android_untrusted_app sandbox

This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.

In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.

Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files.  The underlying mechanisms are relatively simple.

Fixes google/syzkaller#643

Test: make presubmit
Bug: http://b/112900774
2018-09-17 11:33:11 +02:00
Dmitry Vyukov
fd85ed4885 pkg/runtest, pkg/csource: don't run tests on openbsd
The tests are currently broken on openbsd.
2018-09-17 10:59:06 +02:00
Dmitry Vyukov
2e81ad1926 pkg/symbolizer: skip nm tests on non-linux
The test fails on openbsd, and probably everything else other than linux.
2018-09-17 10:53:13 +02:00
Dmitry Vyukov
a0be1d1210 pkg/build: copy image to output dir
For vmm we need a pre-created image.
So if one is provided in the userspace dir,
copy it to output. This should be enough
to get vmm working.

Update #712
2018-09-17 10:53:06 +02:00
Anton Lindqvist
43f25323dc pkg/build: OpenBSD support, currently limited to building a kcov enabled kernel 2018-09-17 10:49:33 +02:00
Anton Lindqvist
e9b51a9024 pkg/build: fix typo in error messages 2018-09-17 10:49:33 +02:00
Dmitry Vyukov
19e9088bb7 syz-ci: use gmake instead of make on openbsd
Update #712
2018-09-13 12:13:54 +02:00
Dmitry Vyukov
0e29942f77 pkg/report: improve KMSAN report parsing
Extract guilty frame from stack.
Add few more ignored functions.
Add more tests.
2018-09-13 11:21:29 +02:00
Dmitry Vyukov
4ae17b1f4c pkg/instance: support injected boot for vmm
If pkg/build produces a kernel, inject it into vmm config too.
This will allow continuous build with vmm VM type.

Update #712
2018-09-11 16:10:50 +02:00
Dmitry Vyukov
ff2962ae80 syz-ci: de-hardcode kernel object file names
We used to have this list in syz-ci and syz-managers.
Now we have kernel object in sys/targets, so use it instead.

Update #712
2018-09-11 15:43:55 +02:00
Dmitry Vyukov
a54c2b7b92 syz-ci: de-hardcode list of VMs that support overcommit
We currently have this list in multiple places (somewhat diverged).
Specify this "overcommit" property in VM implementations.
In particular, we also want to allow overcommit for "vmm" type.

Update #712
2018-09-11 15:33:45 +02:00
Dmitry Vyukov
472947468d pkg/vcs: add openbsd support
This just says that we want to use git to checkout OpenBSD
without any special/complex features.

Update #712
2018-09-11 14:47:38 +02:00
Dokyung Song
11c256cdcd sys/fuchsia: prune unused structs in syscall description generated by fidlgen
After generating syscall description for fidl files using fidlgen, prune
all unused structs using the exact same mechanism used by the compiler's
check for unused structs. This allows the FIDL compiler to support
modular compilation; it does not need to have global knowledge of
whether each struct is used or not.
2018-09-11 13:01:53 +02:00
Dmitry Vyukov
e3d1d545d3 executor: reset oom_score_adj for test process
oom_score_adj is inherited, so we need to reset it to 0.
2018-09-11 12:39:25 +02:00
Dmitry Vyukov
f167cb6b09 executor: sandbox with memory/pid cgroups
Set limit of 32 pids and 200MB per test process.
This should prevent things like fork bombs and frequent OOMs.

Fixes #589
2018-09-10 16:19:47 +02:00
Dmitry Vyukov
b692332724 pkg/report: improve rcu stall/lockup reports
During rcu stalls and cpu lockups kernel loops in some part of code,
usually across several functions. When the stall is detected, traceback
points to a random stack within the looping code. We generally take
the top function in the stack (with few exceptions) as the bug identity.
As the result stalls with the same root would produce multiple reports
in different functions, which is bad.
Instead we identify a representative function deeper in the stack.
For most syscalls it can be the syscall entry function (e.g. SyS_timer_create).
However, for highly discriminated functions syscalls like ioctl/read/write/connect
we take the previous function (e.g. for connect the one that points to exact
protocol, or for ioctl the one that is related to the device).

Fixes #710
2018-09-10 16:19:47 +02:00
Dmitry Vyukov
58f18e3f60 tools/create-gce-image.sh: disable ftrace_dump_on_oops
We don't have anything useful there.
But sometimes fuzzer somehow poppulates it with some nonsense,
and then it all dumped in crashes.
Disable it.
2018-09-10 16:19:40 +02:00
Dmitry Vyukov
6b5120a464 tools/create-gce-image.sh: auto-detect block device type
Currently we choose block device to use (nbd/loop) based on SYZ_VM_TYPE.
Strictly saying these things are orthogonal.
losetup is broken on Ubuntu. qemu-nbd is broken on Debian.
Try to auto-detect what will work based on uname.
2018-09-07 19:04:47 +02:00
Dmitry Vyukov
596466b38c pkg/runtest: fixes for fuchsia
Add simple fuchsia program, the one that is run during image testing.
Fix csource errno printing for fuchsia.
Fix creation of executable files (chmod is not implemented on fuchsia).
Check that we get signal/coverage from all syscalls.
2018-09-06 10:56:09 +02:00
Dmitry Vyukov
196410e4f5 dashboard/config: re-enable selinux
Upstream "selinux: fix mounting of cgroup2 under older policies"
commit fixes mounting of cgroup2 under wheezy selinux policy.
So don't disable selinux on start.
Create separate cmdline arguments that enable selinux and apparmor.
2018-09-05 12:50:53 +02:00
Dmitry Vyukov
59e97f7e17 pkg/report: refine fuchsia function name regexp
C++ function names can contain '~'.
2018-09-04 16:40:27 +02:00
Dmitry Vyukov
98bfd6d34c tools/create-gce-image.sh: add default ext4 options
Set some realistic modern ext4 options when creating the image.
2018-09-03 16:42:59 +02:00
Dmitry Vyukov
a4718693a3 sys/linux: add syz_execute_func
The function executes random code.

Update #310
2018-08-30 21:45:04 -07:00
Dmitry Vyukov
938220fdbb pkg/report: ignore mm/memory.c as guilty file 2018-08-29 21:27:37 -07:00
Dmitry Vyukov
6c7e9d3daa pkg/instance: fix gometalinter warnings 2018-08-29 17:54:51 -07:00
Dmitry Vyukov
a1b245b4dd pkg/instance: fix job testing
New FuzzerCmd generates flags that can't be parsed by an old fuzzer.
Fix that and add a test.
2018-08-29 17:45:13 -07:00