Commit Graph

130 Commits

Author SHA1 Message Date
Dmitry Vyukov
1a381291a3 executor: collect coverage from unfinished syscalls
Write coverage from unfinished syscalls.
Also detect when a syscall was blocked during execution,
even if it finished. Helpful for fallback coverage.

Fixes #580
2018-07-29 19:46:05 +02:00
Dmitry Vyukov
ebf656d79b syz-fuzzer: generate programs more frequently if no coverage
Generating every other time should be good,
because fallback signal is really weak.
2018-07-27 21:13:10 +02:00
Dmitry Vyukov
92a4950507 pkg/host: add "network devices" feature
Linux executor sets up some network devices for testing,
detect when that's supported on the machine and don't
do it if it's not supported.
2018-07-13 12:46:32 +02:00
Dmitry Vyukov
0b95b8ec49 pkg/host: disable for akaros
akaros can't have own host version
because fuzzer does not run on akaros,
so just disable it all.
2018-07-06 20:18:05 +02:00
Dmitry Vyukov
8c2335a205 vm/vmimpl: factor out common code for ssh args and waiting for ssh
Move common code from 4 vm implementations to vmimpl.
2018-07-06 14:02:06 +02:00
Dmitry Vyukov
2eaf564197 syz-fuzzer: fix revision checking in case executor is wrapped with ssh
Some ssh implementations close the connection on stdin EOF. So give it a pipe.
2018-07-06 10:30:04 +02:00
Dmitry Vyukov
18403e654c syz-fuzzer: show executor output on failure 2018-07-06 10:04:19 +02:00
Dmitry Vyukov
85bb4718fb syz-fuzzer: allow wrapping executor
Allow wrapping executor e.g. under strace or something else.
First, split executor string to binary and args.
Second, read version output only from stdout.
2018-07-05 10:44:34 +02:00
Dmitry Vyukov
bc1210b614 pkg/ipc: create default config based on target
Pass actual target to DefaultConfig, that's what we really want,
not the stray ipc flag.
2018-07-05 10:44:34 +02:00
Dmitry Vyukov
1974bc48ee syz-fuzzer: generate programs more frequently with fallback signal 2018-06-29 20:55:08 +02:00
Dmitry Vyukov
9dd8cf63e0 executor, pkg/ipc: support output over pipes 2018-06-29 16:33:07 +02:00
Dmitry Vyukov
ecbe6d99d3 syz-fuzzer: fix testing when shmem is not used
We get program output info only if shmem is used.
Output info over pipes is not implemented.
So don't fail when we got nothing.
2018-06-26 18:59:39 +02:00
Dmitry Vyukov
b0294c53d0 syz-fuzzer: partially revert "syz-fuzzer: fix gvisor testing"
This breaks patch testing on syz-ci as it can use older version of syz-fuzzer.
2018-06-26 16:42:22 +02:00
Dmitry Vyukov
089f11817e syz-fuzzer: fix gvisor testing
Testing code wasn't ready to dial stdin.
Make it use the same logic rpc package uses
to connect to host.
2018-06-26 14:12:43 +02:00
Dmitry Vyukov
e726bdf922 syz-manager: make rpc communication finer grained
RPC package does excessive caching per connection,
so if a larger object is ever sent in any direction,
rpc connection consumes large amount of memory persistently.
This makes manager consume gigs of memory with large
number of VMs and larger corpus/coverage.

Make all communication done in very limited batches.
2018-06-26 13:59:47 +02:00
Dmitry Vyukov
b9c7c31970 syz-fuzzer: prevent "no output" crashes during machine checking
Machine checking can be very slow on some machines
(qemu without kvm, KMEMLEAK linux, etc),
so print periodic heartbeats for vm.MonitorExecution
so that it does not decide that we are dead.
2018-06-22 20:32:54 +02:00
Dmitry Vyukov
91f52697d1 syz-fuzzer: panic less
Use log.Fatalf with readable messages instead of panic's.
2018-06-22 16:40:45 +02:00
Dmitry Vyukov
c31f96a8c6 executor: rework fallback coverage
We have fallback coverage implementation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.

Move fallback coverage to ipc package,
fix it and provide for all OSes.
2018-06-22 16:40:45 +02:00
Dmitry Vyukov
87dda8591f syz-fuzzer: use single connection to manager
This will simplify gvisor support as it's somewhat problematic
to proxy multiple connections between host and guest.
2018-06-22 16:40:45 +02:00
Dmitry Vyukov
27c5f59f50 all: fix gometalinter warnings 2018-06-12 20:10:58 +02:00
Dmitry Vyukov
6dcbc4355b syz-fuzzer: fix image testing
During image testing we don't pass any enabledCalls,
so use all syscalls in such case.
2018-06-12 19:53:24 +02:00
Dmitry Vyukov
06ece2ca66 pkg/host: rework host feature detection/setup
Currently host feature detection/setup code is spread
across platform-independent fuzzer code, pkg/host, pkg/ipc
and executor.
Move this all into pkg/host and show readable info
about features on manager start.

Fixes #46
2018-06-12 14:53:22 +02:00
Dmitry Vyukov
ae8bdb5058 syz-fuzzer: don't crash on commit mismatch
We now check for manager-fuzzer-executor commit mismatch (see Manager.Check).
But in some cases commit mismatch is not detected gracefully, and instead
leads to panics in fuzzer. Namely, when -enabled_syscalls fuzzer flag includes
large syscall numbers, so large that they are not present at all in the old
revision that fuzzer uses; in such case fuzzer panics.

Notify manager about invalid calls instead.

Fixes #464
2018-06-11 12:12:01 +03:00
Dmitry Vyukov
7efe08c90a syz-fuzzer: write programs directly to stdout
On fuchsia log package misbehaves and programs are lost:
https://fuchsia.atlassian.net/browse/TC-151
Write directly to stdout. Also should be slightly faster and shorter.
2018-06-06 20:39:36 +02:00
Dmitry Vyukov
78b251cbd7 all: fix too long lines
Not sure why I have not seen warnings about
these lines on another machine...
2018-05-05 16:00:01 +02:00
Dmitry Vyukov
9fe5658a1b gometalinter: check dot imports
Update #538
2018-05-03 14:41:34 +02:00
Dmitry Vyukov
39302300d9 gometalinter: check unkeyed composite literals
Update #538
2018-05-03 14:01:48 +02:00
Dmitry Vyukov
733e69fd24 syz-fuzzer: fix kcov detection for cross-arch testing 2018-04-27 15:42:48 +02:00
Dmitry Vyukov
6bd8902381 syz-fuzzer: clean up after probing coverage
We left mmap memory and comparison tracing enabled.
2018-04-27 14:33:01 +02:00
Dmitry Vyukov
ebfe5a54b7 syz-fuzzer: use proper pointer size when checking coverage 2018-04-27 14:33:01 +02:00
Dmitry Vyukov
cde43bc6bc syz-fuzzer: add a TODO for fault injection 2018-04-11 11:23:44 +02:00
Dmitry Vyukov
53196ce262 syz-manager: warn about disabled syscalls in enable_syscalls
syz-manager used to silently transitively disable syscalls
for which input resources can't be created.
This caused lots of confusion, or worse, users did not notice
that syzkaller does not actually test what they want.
Fail loudly with a readable explanation when a syscall
explicitly enabled in enable_syscalls is actually disabled.

Note: this requires to slightly change enable/disable_syscalls
matching logic. Previously "foo" would match "foo" and all "foo$BAR",
now it matches only "foo". But "foo*" can be used to match all
discriminations.
2018-04-06 21:08:54 +02:00
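The matching change described in this commit message (a bare name now matches only itself, while a trailing "*" matches all discriminations), as an added illustration that is not syzkaller's own code. The syscall table below is constructed, and treating "*" as "any suffix" is an assumption about the glob semantics; under that assumption "socket*" also picks up "socketpair", which is the kind of over-match a user should check for. The second function shows the loud-failure side of the commit: patterns that select nothing are reported instead of being ignored.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// MatchMode selects between the old and new enable_syscalls semantics.
// Both are illustrative re-implementations, not syzkaller's code.
type MatchMode int

const (
	// ModeOld: pattern "foo" matches "foo" and every variant "foo$BAR".
	ModeOld MatchMode = iota
	// ModeNew: pattern "foo" matches only "foo"; a trailing '*' matches any
	// suffix (assumed glob semantics), so "foo*" matches "foo" and "foo$BAR".
	ModeNew
)

// matchOne reports whether one syscall name matches one pattern.
func matchOne(pattern, name string, mode MatchMode) bool {
	if mode == ModeOld {
		return name == pattern || strings.HasPrefix(name, pattern+"$")
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	}
	return name == pattern
}

// EnabledCalls returns the sorted subset of all selected by patterns.
func EnabledCalls(all, patterns []string, mode MatchMode) []string {
	var out []string
	for _, name := range all {
		for _, p := range patterns {
			if matchOne(p, name, mode) {
				out = append(out, name)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// UnmatchedPatterns returns patterns that selected no syscall at all, so a
// config can fail loudly instead of silently testing less than requested.
func UnmatchedPatterns(all, patterns []string, mode MatchMode) []string {
	var out []string
	for _, p := range patterns {
		found := false
		for _, name := range all {
			if matchOne(p, name, mode) {
				found = true
				break
			}
		}
		if !found {
			out = append(out, p)
		}
	}
	return out
}

// Constructed syscall table for the example; not taken from sys/linux.
var sampleCalls = []string{
	"socket", "socket$inet", "socket$inet6", "socketpair",
	"open", "openat", "openat$ptmx",
}

func main() {
	fmt.Println("old  socket :", EnabledCalls(sampleCalls, []string{"socket"}, ModeOld))
	fmt.Println("new  socket :", EnabledCalls(sampleCalls, []string{"socket"}, ModeNew))
	fmt.Println("new  socket*:", EnabledCalls(sampleCalls, []string{"socket*"}, ModeNew))
	fmt.Println("unmatched   :", UnmatchedPatterns(sampleCalls, []string{"socket$unix", "openat"}, ModeNew))
}
```

Running it shows the practical consequence of the change: an existing config that lists "socket" expecting the old prefix behaviour now enables a single call, and "socket$unix" (absent from the constructed table) is reported rather than dropped.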
Dmitry Vyukov
2a9c3edcda pkg/prog: explain why syscalls are transitively disabled 2018-04-06 19:43:06 +02:00
Dmitry Vyukov
4daf8570eb pkg/host: explain why syscalls are disabled 2018-04-06 18:47:56 +02:00
Dmitry Vyukov
6a1a7543db syz-fuzzer: revert "syz-fuzzer: relax triage signal conditions"
"syz-fuzzer: relax triage signal conditions" commit caused doubling of corpuses.
So that was probably a mistake. Revert it.
2018-03-31 18:46:34 +02:00
Dmitry Vyukov
fef07bd04c syz-manager: add special type=none
Type "none" is a special case for debugging/development when manager
does not start any VMs, but instead you start them manually
and start syz-fuzzer there.
2018-03-31 16:25:15 +02:00
Dmitry Vyukov
99fa39ccb1 syz-fuzzer: relax triage signal conditions
Don't discard programs if signal is flaky.
We already do this for inputs from corpus,
do this for all inputs.
2018-03-28 18:17:44 +02:00
Dmitry Vyukov
36d1c4540a all: fix gometalinter warnings
Fix typos, non-canonical code, remove dead code, etc.
2018-03-08 18:48:26 +01:00
Dmitry Vyukov
42467f5b7b sys/linux: add syz_init_net_socket syscall
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.

Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
2018-03-05 12:10:27 +01:00
Dmitry Vyukov
9fe8aa42c5 prog: add arbitrary mutation of complex structs
Squash complex structs into flat byte array and mutate this array
with generic blob mutations. This allows mutating what we currently
consider as paddings and adding/removing paddings from structs, etc.
2018-02-25 18:22:02 +01:00
Dmitry Vyukov
04cbdbd1ae syz-fuzzer: prioritize signal from successful syscalls
Signal on successful syscalls is more valuable than
signal on unsuccessful syscalls.
2018-02-20 20:51:41 +01:00
Dmitry Vyukov
2be2288ee2 syz-fuzzer: don't break syscalls during minimization
If the original call was successful, keep it successful during minimization.
Successful calls are much more valuable.
2018-02-19 21:48:20 +01:00
Dmitry Vyukov
b99141b797 syz-fuzzer: refactor proc.execute arguments
5 bool's in a row is too much.
2 are unnecessary because they control execOpts,
and we already pass execOpts in.
Combine the remaining 3 into ProgFlags field.
2018-02-19 21:48:20 +01:00
Dmitry Vyukov
dd768bf1c6 prog: reorder Minimize arguments
Make the predicate the last argument.
It's more common and convenient (arguments are not separated by multiple lines).
2018-02-19 21:48:20 +01:00
Dmitry Vyukov
6bfc81c142 syz-fuzzer: improve kmemleak support
Don't print object size (can change from kernel to kernel
and from config to config).
Fix function extraction regexp (must be non-eager).
Account for MSECS_MIN_AGE.
Ignore some known false positives.
2018-01-09 21:24:29 +01:00
Dmitry Vyukov
cb9c49e859 syz-fuzzer: separate programs in output by newline
Greatly improves log readability at a cost of minimal size increase.
2018-01-08 13:20:44 +01:00
Dmitry Vyukov
25793abb59 syz-fuzzer: wipe all global state 2017-12-19 10:53:39 +01:00
Dmitry Vyukov
8d5ba3821f syz-fuzzer: move program logging into a separate function 2017-12-18 15:51:00 +01:00
Dmitry Vyukov
1c4160efd5 syz-fuzzer: encapsulate signal 2017-12-18 14:52:50 +01:00
Dmitry Vyukov
a20097eafe syz-manager, syz-fuzzer: allow re-minimizing/re-smashing inputs
By default we don't re-minimize/re-smash programs from corpus,
it takes lots of time on start and is unnecessary.
However, when we improve/fix minimization/smashing,
we may want to.

Introduce corpus database versions and allow re-minimizing/re-smashing
on version bumps.
2017-12-18 14:10:56 +01:00