Commit Graph

343 Commits

Author SHA1 Message Date
Dongliang Mu
8a4b3a6b65 tweak create-image.sh script and modify document about its deployment (#1022) 2019-03-01 06:29:44 +01:00
Dongliang Mu
f6f233c07e tools/create-image.sh: make more flexible
The usage of current create-image.sh:

```
./create-image.sh -d=stretch -f=minimal --add-perf
```

The options are in the following:

-d, --distribution         Set on which debian distribution to create
-f, --feature              Check what packages to install in the image, options are minimal, full
-p, --add-perf             Add perf support with this option enabled

The default image is stretch with minimal feature, without perf.
2019-02-15 10:54:18 +01:00
Dmitry Vyukov
6193630786 pkg/runtest: don't print skipped/broken tests by default
SKIP/BROKEN distract too much attention from FAIL tests
and are not usually interesting. Add Verbose flag that
controls printing of SKIP/BROKEN tests. Enable it in
pkg/runtest/run_test.go by default and disable in tools/syz-runtest.
2019-02-13 15:58:42 +01:00
Dmitry Vyukov
be0e89ec44 tools/syz-stress: add flag to select subset of syscalls
Add -enable flag similar to syz-mutate flag.
The flag allows selecting a subset of syscalls that will be tested
(e.g. -enable=open,read,write,close).
2019-02-12 18:34:25 +01:00
Greg Steuck
b4f792e401 tools/openbsd: use fully resolved gcc package name (#988) 2019-02-09 10:11:37 -08:00
Anton Lindqvist
c69659e352 openbsd: remove shorten report logic (#986)
A line length of 79 in the ddb output does not necessarily imply that the
following line is a continuation of the current line. Since there's no way
to distinguish between ordinary and continuation lines, it could end up
corrupting the report by joining two lines that are disjoint[1].

Instead, disable line wrapping in ddb. If we want some kind of wrapping in
the future it's easier done by pkg/report.

[1] https://syzkaller.appspot.com/bug?extid=03f7377a9848d7d008c9
2019-02-09 08:23:53 -08:00
Dmitry Vyukov
25e10a0434 executor: remove ability to detect kernel bugs
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
fa3d6b0b21 Makefile: don't cross-compile executor if cross-compiler is missing
We started building netbsd executor on linux.
This fails on CI since cross-compiler is missing.
But we don't want to exclude netbsd from presubmit entirely.
So check if cross-compiler is missing and just produce a warning.
This should unbreak CI and humans will see the warning.
2019-01-24 11:28:55 +01:00
Shankara Pailoor
769e75ed8e tools/syz-trace2syz/proggen: add support to generate structs like sockaddr_storage_in6
trace2syz has trouble generating structs like sockaddr_storage_in6 which are
wrappers around other structs like sockaddr_in6 because strace just decodes the
wrapped struct (sockaddr_in6). This causes trace2syz to generate the addr field
of sockaddr_storage_in6 from the af_family field of sockaddr_in6 which triggers
an error. We now try and detect these cases and recursively generate the struct.
2019-01-17 13:44:43 +01:00
Andrey Konovalov
c2faf9b2d5 all: detect extra coverage support
Based on whether the kernel supports KCOV_REMOTE_ENABLE ioctl.
2019-01-16 19:19:53 +01:00
Andrey Konovalov
b5df78dc5d all: support extra coverage
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.

This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".

This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
2019-01-16 19:19:53 +01:00
Shankara Pailoor
505b1767d0 tools/syz-trace2syz/proggen: add support for open, openat, syz_open_dev variants
Add support to accurately select variants for open and openat system calls.
This is needed because in order to accurately select ioctl variants we need
to use device resource types. The device resource types can only be created
by syz_open_dev and openat variants.
2019-01-16 16:34:17 +01:00
Shankara Pailoor
31648909f9 tools/syz-trace2syz/proggen: deleting unnecessary code in genSockaddrStorage()
genSockaddrStorage() determines the correct sockaddr_storage union option when we
cannot identify the system call variant. We used to have custom logic per system
call which was not tested and is actually unnecessary. This patch deletes that
code and adds a test to make sure there are no regressions.
2019-01-14 17:47:18 +01:00
Michael Tuexen
95f1d718cf tools/kcovtrace: add FreeBSD support
KCOV support has been committed to FreeBSD in r342962. Therefore,
allow this program to be run on FreeBSD.
2019-01-14 09:50:07 +01:00
Shankara Pailoor
80dde1721e tools/syz-trace2syz/proggen.go: delete reorderStructFields()
strace incorrectly printed sin6_addr before sin6_flowinfo. To fix this,
trace2syz added reorderStructFields() which swapped back the order. Incorrect
orderings of structs is a bug in strace or in our descriptions so we should
fix the source rather than work around. We have submitted a patch to fix the
sockaddr_in6 decoding in strace so we can safely delete this function.
2019-01-10 17:24:09 +01:00
Shankara Pailoor
db9b657915 tools/syz-trace2syz/proggen/proggen_test.go: test ipv6 address conversion 2019-01-10 12:34:28 +01:00
Shankara Pailoor
f9ccea26eb tools/syz-trace2syz/proggen: convert strace byte arrays to int args
strace decodes certain arguments like sockaddr_in.sin_port or sin_addr
as hex strings under -Xraw. This is because the arguments are in network byte
order. This patch supports converting those hex strings to int args if the size
of the string is 1, 2, 4, or 8.
2019-01-10 12:34:28 +01:00
Shankara Pailoor
8ca2b64365 tools/syz-trace2syz/proggen: append 0 to string buffers
String buffers get the null byte added during generation.
This means we need to add the null byte explicitly in trace2syz.
2018-12-29 07:45:10 +01:00
Shankara Pailoor
e33ad0f187 tools/syz-trace2syz: only add null-byte for prog.BufferFilename
trace2syz used to always add a null byte to strings.
This isn't correct behavior since we may end up writing null bytes to files.
The extra byte can affect system calls like ioctl FS_IOC_ENABLE_VERITY.
We now only add the byte for filenames.
2018-12-28 15:18:24 +01:00
Shankara Pailoor
6a33670d2f tools/syz-trace2syz/parser: parse octal numbers
We don't properly parse octal numbers which is an issue because that's how strace decodes file permissions even under -Xraw.
We used to do so, but we didn't have a test for it, so when we added support for negative numbers we broke how we parse octals.
This commit fixes how we parse octals and includes a test to catch future regressions.
2018-12-28 13:57:14 +01:00
Dmitry Vyukov
85d28281fb syz-manager: factor out rpc serving part
Update #605
2018-12-26 10:58:23 +01:00
Shankara Pailoor
dd2986b43b tools/syz-trace2syz/parser: parse strace bitsets
Strace decodes bitsets like fd_set or sa_mask into the following structure: [a b c d e].
Before, we couldn't parse these structures, but now we parse them into the Group IR type.
2018-12-24 10:05:32 +01:00
Dmitry Vyukov
88f5934633 vm: allow fine-grained control over program exit conditions
Currently we only support canExit flag.
However there are actually 3 separate conditions:
 - program can exit normally
 - program can timeout (e.g. fuzzer test or runtest can't)
 - program can exit with error (e.g. C test can)
Allow specifying these 3 conditions separately.
2018-12-24 09:59:56 +01:00
Greg Steuck
02e6905247 tools/create-openbsd-gce-ci.sh: raise memory limit for openbsd 2018-12-19 20:17:05 +01:00
Dmitry Vyukov
a9cc88c19f pkg/osutil: provide better Rename
os.Rename fails for cross-device renaming (e.g. to/from tmpfs).
This is quite unpleasant. Provide own version that falls back to copying.
2018-12-17 19:09:10 +01:00
Dmitry Vyukov
b38da77e00 pkg/bisect: check existence of input files
It's better to fail early than to wait for the kernel build.

Update #501
2018-12-17 19:09:03 +01:00
Dmitry Vyukov
def91db3fe prog, pkg/csource: more readable serialization for strings
Always serialize strings in readable format (non-hex).
Serialize binary data in readable format in more cases.

Fixes #792
2018-12-15 15:17:13 +01:00
Dmitry Vyukov
c7ba317e9b tools/syz-runtest: test program parsing before booting VMs
It sucks to wait for VMs to boot just to discover that programs don't parse.
2018-12-10 16:37:02 +01:00
Dmitry Vyukov
95fe19c19e prog: introduce strict parsing mode
Over time we relaxed parsing to handle all kinds of invalid programs
(excessive/missing args, wrong types, etc).
This is useful when reading old programs from corpus.
But this is harmful for e.g. reading test inputs, as they can become arbitrarily outdated.
For runtests this creates the additional problem of executing not
what is actually written in the test (or at least what the author meant).
Add strict parsing mode that does not tolerate any errors.
For now it just checks excessive syscall arguments.
2018-12-10 16:37:01 +01:00
Dmitry Vyukov
ceeb374637 tools/syz-cover: add utility for generation of coverage reports
syz-cover generates coverage HTML report from raw coverage files.
Raw coverage files are text files with one PC in hex form per line, e.g.:

	0xffffffff8398658d
	0xffffffff839862fc
	0xffffffff8398633f

Raw coverage files can be obtained either from /rawcover manager HTTP handler,
or from syz-execprog with -coverfile flag.

Usage:
	syz-cover [-os=OS -arch=ARCH -kernel_src=. -kernel_obj=.] rawcover.file*
2018-12-10 16:37:01 +01:00
Greg Steuck
979179d6d6 tools/*openbsd*: use nc from base instead of curl from package
This worked fine for ci machine but gce workers have no packages.
2018-12-09 08:55:19 +01:00
Anton Lindqvist
977de94f01 tools/syz-symbolize: add optional arch flag with sensible default
The manager config passed to NewReporter() must include a valid arch by now.
2018-12-08 18:59:10 +01:00
Dmitry Vyukov
6ae0ca72a1 tools/syz-trace2syz/proggen: fix name shadowing 2018-12-08 09:01:54 +01:00
Dmitry Vyukov
fa1f41078a tools/syz-trace2syz/proggen: comment blank import
golint suggests commenting all blank imports.
But actually we don't need whole sys, we can import only sys/linux.

Also rename target var to prevent name shadowing.
2018-12-08 08:59:52 +01:00
Dmitry Vyukov
b80cc86486 prog: rename ProgGen to Builder
golint suggests that "prog.Prog" is a bad naming
because everything in prog package is ProgSomething.
Rename to Builder, "prog.Builder" sounds right.
2018-12-08 08:40:03 +01:00
Dmitry Vyukov
65ed24721e tools/syz-trace2syz/proggen: reduce nesting depth in context.genResult 2018-12-07 14:32:44 +01:00
Dmitry Vyukov
c138f09215 tools/syz-trace2syz/proggen: remove currentStraceArg
It's used only by 2 functions: genSockaddrNetlink and genIfrIfru.
Majority of functions just accept the straceType as argument,
which looks like a much more appropriate way to pass an argument to a function.
Amusingly, both functions already accept and use the straceType as argument.
2018-12-07 14:28:12 +01:00
Dmitry Vyukov
276faf74b2 tools/syz-trace2syz/proggen: unexport and refactor Context
1. Unexport Context, it's not meant for callers.
2. Unexport all Context fields.
3. Make all functions Context methods.
2018-12-07 14:23:58 +01:00
Dmitry Vyukov
c9f43ce698 tools/syz-trace2syz/proggen: tidy up shouldSkip 2018-12-07 14:08:56 +01:00
Dmitry Vyukov
4f39cef6c2 tools/syz-trace2syz/proggen: convert tests to table format
This has a number of advantages:
1. Tests are readable and writable.
   The current checks [1] are neither.
2. Tests are much more compact.
3. Tests verify all aspects rather than just
   1 aspect of the resulting program.
4. Tests are much less fragile.
5. Any diffs in the results will be more clearly visible.

[1]
switch a := p.Calls[1].Args[0].(type) {
case *prog.ResultArg:
	if a.Res != p.Calls[0].Ret {

switch a := p.Calls[1].Args[0].(type) {
case *prog.ResultArg:
	pipeSecondFd := p.Calls[0].Args[0].(*prog.PointerArg).Res.(*prog.GroupArg).Inner[1]
	if a.Res != pipeSecondFd {

write := p.Calls[len(p.Calls)-2]
inotifyRmWatch := p.Calls[len(p.Calls)-1]
switch a := write.Args[0].Type().(type) {
case *prog.ResourceType:
	if a.TypeName != "fd" {
		t.Fatalf("expected first argument of write to have type fd, got: %s", a.TypeName)
	}
default:
	t.Fatalf("first argument of write is not resource type: %s", a.Name())
}
switch a := inotifyRmWatch.Args[1].(type) {
case *prog.ResultArg:
	b := a.Type().(*prog.ResourceType)
	if b.TypeName != "inotifydesc" {
		t.Fatalf("expected second argument of inotify_rm_watch to have type inotifydesc, got: %s", b.TypeName)
	}
	if a.Res != p.Calls[2].Ret {
		t.Fatalf("inotify_rm_watch's second argument should match the result of inotify_add_watch.")
	}
}

sockaddr, ok := a.(*prog.PointerArg).Res.(*prog.GroupArg)
if !ok {
	t.Fatalf("%s", a.Type().Name())
}
ipv4Addr, ok := sockaddr.Inner[2].(*prog.UnionArg)
if !ok {
	t.Fatalf("expected 3rd argument to be unionArg, got %s", sockaddr.Inner[2].Type().Name())
}
optName := ipv4Addr.Option.Type().FieldName()
if !strings.Contains(optName, "rand") {
	t.Fatalf("expected ip option to be random opt, got: %s", optName)
}
ip, ok := ipv4Addr.Option.(*prog.ConstArg)
if !ok {
	t.Fatalf("ipv4Addr option is not IntType")
}
if ip.Val != expectedIp {
	t.Fatalf("parsed != expected, %d != %d", ip.Val, expectedIp)
}
2018-12-07 14:01:26 +01:00
Dmitry Vyukov
eada53b810 tools/syz-trace2syz/proggen: fix vma allocation
There are 2 bugs:
1. We always allocate 1 page, even if we use more.
2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL.
The added test currently panics with "unaligned vma address".
2018-12-07 12:56:38 +01:00
Dmitry Vyukov
9e8a45fe27 tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc 2018-12-07 12:44:45 +01:00
Dmitry Vyukov
413e414738 tools/syz-trace2syz: add go-fuzz fuzzer
Inputs like "2__R" or "3_F	T.3.3l" make
trace2syz hang infinitely consuming all machine memory.
Need to fix all crashes over time.
2018-12-07 12:12:27 +01:00
Dmitry Vyukov
742f85bb22 tools/syz-trace2syz: start adding proper error handling
log.Fatal is not the proper way to handle errors.
It does not allow writing good tests, fuzzers
and utilities, which crash all the time.
2018-12-07 12:05:43 +01:00
Dmitry Vyukov
8056889866 tools/syz-trace2syz/proggen: add ParseFile function
Current code structuring has 2 problems:

1. parsing anything with proggen requires complex multistep dance including
 - parsing data with parser
 - walking the resulting tree manually and calling proggen on each
 - then for each context
   - calling FillOutMemory (unclear why it's not part of parsing)
   - calling prog.Finalize
   - checking if the program is not too large
All of this duplicated across trace2syz and tests.
And any new tests or fuzzers we will write will need to duplicate
all of this logic too.

2. As the result of this structuring, lots of proggen guts
and implementation details are exposed.
While none of the callers are actually interested in Context details,
they are not interested in Context itself whatsoever.

What every caller wants is "here is data to parse, give me programs".
Add such function.
2018-12-07 11:30:13 +01:00
Dmitry Vyukov
840b5cc058 tools/syz-trace2syz/parser: remove Filename from TraceTree
We already printed file name of the trace in parseTraces,
no need to print it again and again.
Consequently we don't need Filename in TraceTree.
If needed, caller can always log it before parsing,
or pass along with the TraceTree.
2018-12-07 10:43:27 +01:00
Dmitry Vyukov
5cdc1f5f6d tools/syz-trace2syz: use short variable declaration syntax
Use short variable declaration syntax where possible.
Move declarations closer to usages.
2018-12-07 10:35:42 +01:00
Dmitry Vyukov
ae17c862c9 tools/syz-trace2syz/parser: use []byte instead of string for file contents
If we are handling whole files, it's more efficient to use []byte.
string is not really meant to hold large amounts of data.
2018-12-07 10:24:24 +01:00
Shankara Pailoor
1eb6a7e433 tools/syz-trace2syz: adding missing copyright headers
Adding missing copyright headers to return_cache.go and context.go
2018-12-07 09:50:45 +01:00
Greg Steuck
dcf836b12d tools/syz-trace2syz/proggen/return_cache.go: format string mismatch 2018-12-06 20:33:02 +01:00