Commit Graph

48 Commits

Author SHA1 Message Date
Dmitry Vyukov
a8927abe6c prog: support opt for proc types 2018-01-06 17:40:49 +01:00
Dmitry Vyukov
3645389673 pkg/csource: fix handling of proc types
Generated program always uses pid=0 even when there are multiple processes.
Make each process use own pid.

Unfortunately required to do quite significant changes to prog,
because the current format only supported fixed pid.

Fixes #490
2017-12-22 11:59:46 +01:00
Dmitry Vyukov
dcfdc02b77 prog: minor refactoring around arguments
Introduce isUsed(arg) helper, use it in several places.
Move method definitions closer to their types.
Simplify presence check for ArgUsed.Used() in several places.
2017-12-17 11:39:14 +01:00
Dmitry Vyukov
8ef0050706 prog: don't serialize output data args
Fixes #188

We now will write just ""/1000 to denote a 1000-byte output buffer.
Also we now don't store 1000-byte buffer in memory just to denote size.
Old format is still parsed.
2017-12-17 11:39:14 +01:00
Dmitry Vyukov
0da2fed84f prog: simplify MakeResultArg
Fixes #445
2017-12-17 11:39:14 +01:00
Dmitry Vyukov
5e7b20cfc3 prog: fix a data race
The race initially showed up on the new benchmark (see race report below).
The race indicated a wrong call passed to replaceArg,
as the result we sanitized the wrong call and left the new call un-sanitized.

Fix this.
Add test that exposes this.
Run benchmarks in race mode during presubmit
(benchmarks have higher chances of uncovering races than tests).

WARNING: DATA RACE
Write at 0x00c42000d3f0 by goroutine 18:
  github.com/google/syzkaller/sys/linux.(*arch).sanitizeCall()
      sys/linux/init.go:155 +0x256
  github.com/google/syzkaller/sys/linux.(*arch).(github.com/google/syzkaller/sys/linux.sanitizeCall)-fm()
      sys/linux/init.go:42 +0x4b
  github.com/google/syzkaller/prog.(*Prog).replaceArg()
      prog/prog.go:357 +0x239
  github.com/google/syzkaller/prog.generateHints.func2()
      prog/hints.go:105 +0x124
  github.com/google/syzkaller/prog.checkConstArg()
      prog/hints.go:128 +0xf3
  github.com/google/syzkaller/prog.generateHints()
      prog/hints.go:120 +0x495
  github.com/google/syzkaller/prog.(*Prog).MutateWithHints.func1()
      prog/hints.go:72 +0x67
  github.com/google/syzkaller/prog.foreachSubargImpl.func1()
      prog/analysis.go:86 +0x9f
  github.com/google/syzkaller/prog.foreachSubargImpl()
      prog/analysis.go:104 +0xc8
  github.com/google/syzkaller/prog.foreachArgArray()
      prog/analysis.go:113 +0x89
  github.com/google/syzkaller/prog.foreachArg()
      prog/analysis.go:121 +0x50
  github.com/google/syzkaller/prog.(*Prog).MutateWithHints()
      prog/hints.go:71 +0x18e
  github.com/google/syzkaller/prog.BenchmarkHints.func1()
      prog/hints_test.go:477 +0x77
  testing.(*B).RunParallel.func1()
      testing/benchmark.go:626 +0x156

Previous read at 0x00c42000d3f0 by goroutine 17:
  github.com/google/syzkaller/prog.clone()
      prog/clone.go:38 +0xbaa
  github.com/google/syzkaller/prog.(*Prog).cloneImpl()
      prog/clone.go:21 +0x17f
  github.com/google/syzkaller/prog.generateHints()
      prog/hints.go:95 +0xd0
  github.com/google/syzkaller/prog.(*Prog).MutateWithHints.func1()
      prog/hints.go:72 +0x67
  github.com/google/syzkaller/prog.foreachSubargImpl.func1()
      prog/analysis.go:86 +0x9f
  github.com/google/syzkaller/prog.foreachSubargImpl()
      prog/analysis.go:104 +0xc8
  github.com/google/syzkaller/prog.foreachArgArray()
      prog/analysis.go:113 +0x89
  github.com/google/syzkaller/prog.foreachArg()
      prog/analysis.go:121 +0x50
  github.com/google/syzkaller/prog.(*Prog).MutateWithHints()
      prog/hints.go:71 +0x18e
  github.com/google/syzkaller/prog.BenchmarkHints.func1()
      prog/hints_test.go:477 +0x77
  testing.(*B).RunParallel.func1()
      testing/benchmark.go:626 +0x156
2017-12-08 11:33:30 +01:00
Dmitry Vyukov
1808de66ce prog: repair arrays/buffers with incorrect size in Deserialize
For string[N] we successfully deserialize a string of any length.
Similarly for a fixed-size array[T, N] we successfully deserialize
an array of any size.
Such programs later crash in foreachSubargOffset because static size
Type.Size() does not match what we've calculated iterating over fields.
The crash happens only in SerializeForExec in syz-fuzzer,
which is especially bad.
Fix this from both sides:
1. Validate sizes of arrays/buffers in Validate.
2. Repair incorrect sizes in Deserialize.
2017-11-28 19:15:28 +01:00
Dmitry Vyukov
ddf7b3e065 sys/linux: improve AF_ALG alg name generation
There is effectively an infinite number of possible crypto
algorithm names due to templates. Plus there is a tricky
relation between algorithms and algorithm type names.

This change adds a custom mutator for the sockaddr_alg struct
to improve variance in generated algorithms.
2017-11-24 13:56:20 +01:00
Dmitry Vyukov
7e076b78b4 prog: export MakeData/UnionArg as we do for other arg types
Target code can use these to generate special structs.
2017-11-22 11:46:26 +01:00
Dmitry Vyukov
52a33fd516 prog: remove default target and all global state
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-15 16:02:37 +02:00
Dmitry Vyukov
ffe7e17368 prog, sys: move types to prog
Large overhaul moves syscalls and arg types from sys to prog.
Sys package now depends on prog and contains only generated
descriptions of syscalls.
Introduce prog.Target type that encapsulates all target properties,
like syscall list, ptr/page size, etc. Also moves OS-dependent pieces
like mmap call generation from prog to sys.

Update #191
2017-09-05 15:52:42 +02:00
Dmitry Vyukov
4fc4702694 prog: dot-import sys
In preparation for moving sys types to prog to reduce later diffs.
2017-09-05 10:46:34 +02:00
Dmitry Vyukov
5db39ab953 sys: rename Call to Syscall
In preparation for moving sys types to prog
to avoid confusion between sys.Call and prog.Call.
2017-09-05 10:38:22 +02:00
Dmitry Vyukov
1c0d4caf7c sys: change BitfieldLast to BitfieldMiddle
That's the condition we always want.
Currently we always check:
t.BitfieldOffset() == 0 || t.BitfieldLast()
now can check just:
!t.BitfieldMiddle()
2017-09-04 20:51:56 +02:00
Dmitry Vyukov
399addc875 sys, pkg/compiler: move padding computation to compiler
This makes types constant during execution, everything is precomputed.
2017-09-04 20:25:23 +02:00
Dmitry Vyukov
838e336594 sys, prog: switch values to uint64
We currently use uintptr for all values.
This won't work for 32-bit archs.
Moreover in some cases we use uintptr but assume
that it is always 64-bits (e.g. in encodingexec).
Switch everything to uint64.

Update #324
2017-08-19 10:16:23 +02:00
Dmitry Vyukov
0939075822 prog: reuse defaultArg
Reuse defaultArg in generateArg. There is code that does the same.
Also, don't generate pointer value for output arguments.
2017-08-09 10:38:38 +02:00
Dmitry Vyukov
c3ba5e72f5 prog: fix restoration of default arguments
Currently fails on:
 - pointers
 - VMAs
 - structs
 - fixed-size structs
2017-08-09 10:28:10 +02:00
Andrey Konovalov
1517bd9548 prog: generate missing syscall args when decoding
After a change in syscall description the number of syscall arguments
might change and some of the programs in corpus get invalidated.

This change makes syzkaller generate missing arguments when decoding a
program, in an attempt to fix and keep more programs from the corpus.
2017-08-01 19:19:05 +02:00
Andrey Konovalov
cfc46d9d0b prog: split Arg into smaller structs
Right now Arg is a huge struct (160 bytes), which has many different fields
used for different arg kinds. Since most of the args we see in a typical
corpus are ArgConst, this results in a significant memory overuse.

This change:
- makes Arg an interface instead of a struct
- adds a SomethingArg struct for each arg kind we have
- converts all *Arg pointers into just Arg, since interface variable by
  itself contains a pointer to the actual data
- removes ArgPageSize, now ConstArg is used instead
- consolidates correspondence between arg kinds and types, see comments
  before each SomethingArg struct definition
- now LenType args that denote the length of VmaType args are serialized as
  "0x1000" instead of "(0x1000)"; to preserve backwards compatibility
  syzkaller is able to parse the old format for now
- multiple small changes all over to make the above work

After this change syzkaller uses half as much memory after deserializing a
typical corpus.
2017-07-17 14:34:09 +02:00
Andrey Konovalov
f919224c44 sys, executor: extract tcp sequence numbers from /dev/net/tun
This commit adds a new pseudo syscall syz_extract_tcp_res, that reads
a packet from /dev/net/tun and extracts tcp sequence numbers to be used
in subsequent packets.

As a result this syzkaller program:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
listen(r0, 0x5)
syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)

established a TCP connection:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      5477/a.out
tcp        2      0 172.20.0.170:20000      172.20.0.187:20001      ESTABLISHED 5477/a.out

Similar program for IPv6:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
listen(r0, 0x5)
syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::20001                :::*                    LISTEN      5527/a.out
tcp6       0      0 fe80::aa:20001          fe80::bb:20000          ESTABLISHED 5527/a.out
2017-05-26 14:28:09 +02:00
Andrey Konovalov
ac0c70f74a prog, executor: move checksum computation to executor
This commit moves checksum computation to executor. This will allow embedding
dynamically generated values (like TCP sequence numbers) into packets.
2017-05-12 15:47:59 +02:00
Andrey Konovalov
63b16a5d5c prog, sys: add csum type, embed checksums for ipv4 packets
This change adds a `csum[kind, type]` type.
The only available kind right now is `ipv4`.
Using `csum[ipv4, int16be]` in `ipv4_header` makes syzkaller calculate
and embed correct checksums into ipv4 packets.
2017-01-25 20:31:13 +01:00
Andrey Konovalov
872e436375 prog, sys: fix padding varlen structs 2017-01-19 15:22:04 +01:00
Andrey Konovalov
023345d694 prog, sys: correctly calculate size of varlen structs 2017-01-18 19:16:11 +01:00
Andrey Konovalov
11fa77cbbe prog, sys: fix struct with bitfields size calculation 2017-01-18 13:07:53 +01:00
Andrey Konovalov
9d963ea599 prog: fix Size() for unions args 2017-01-18 13:07:53 +01:00
Dmitry Vyukov
5d94283455 ipc, prog, sysgen: format code 2016-11-25 20:17:32 +01:00
Andrey Konovalov
253a40f30d sys: add proc type to denote per process integers 2016-11-25 17:51:41 +01:00
Andrey Konovalov
fa9c44b568 prog: minimize based on individual args 2016-11-25 17:22:42 +01:00
Dmitry Vyukov
588a542b2a sys: add string flags
Allow defining string flags in txt descriptions. E.g.:

  filesystem = "ext2", "ext3", "ext4"

and then use it in string type:

  ptr[in, string[filesystem]]
2016-11-11 14:33:37 -08:00
Dmitry Vyukov
f085c198ba sys: replace FileoffType with IntType{Kind: IntFileoff}
FileoffType is effectively an int, no need for a separate type.
Also remove fd option from fileoff as it is unused and use story is unclear.
2016-11-11 14:32:38 -08:00
Dmitry Vyukov
8b731ed4b7 sys: replace FilenameType with BufferType{Kind: BufferFilename}
FilenameType is effectively a buffer, there is no need for a separate type.
2016-11-11 14:32:19 -08:00
Dmitry Vyukov
b40d502736 prog: remove Type argument from Arg.Size/Value
They are not necessary since we now always have types attached to args.
Also remove sys.Type.InnerType as it is not necessary now as well.
2016-11-11 14:31:55 -08:00
Dmitry Vyukov
1a85811d68 prog: assign types to args during construction
Eliminate assignTypeAndDir function and instead assign
types to all args during construction.
This will allow considerable simplification of assignSizes.
2016-11-11 14:29:52 -08:00
Dmitry Vyukov
d3a93e8370 sys: attach Dir to all types
Dir is a static info, so we don't need to compute, propagate and
attach it in prog whenever we generate/change programs.
Attach Dir to all types.
2016-11-11 14:27:54 -08:00
Dmitry Vyukov
959ec07095 sys: always use pointers to types
Currently we store most types by value in sys.Type.
This is somewhat counter-intuitive for C++ programmers,
because one can't easily update the type object.
Store pointers to type objects for all types.
It also makes it easier to update types, e.g. adding paddings.
2016-11-11 14:25:13 -08:00
Andrey Konovalov
7686d19aff Add big-endian ints 2016-10-13 15:38:53 +02:00
Andrey Konovalov
78f79fee93 Refactor & improve len type handling 2016-10-11 20:09:19 +02:00
Dmitry Vyukov
852e3d2eae sys: support recursive structs
A struct can have a pointer to itself directly or indirectly.
Currently it leads to infinite recursion when generating descriptions.
Fix this.
2016-09-05 12:49:47 +02:00
Dmitry Vyukov
8bdf62d1b7 sys: implement array byte size arguments 2016-01-23 00:37:08 +01:00
Dmitry Vyukov
4eb9d403e8 prog: implement mutation of union args 2015-12-31 16:03:01 +01:00
Dmitry Vyukov
e6529b30ec sys: add union type 2015-12-29 15:00:57 +01:00
Dmitry Vyukov
4eda9b07e5 prog: don't serialize paddings
Paddings in serialized programs are unnecessary and confusing.
Instead restore them implicitly.
Also use [,,,,] for arrays.
2015-12-28 12:58:10 +01:00
Dmitry Vyukov
9980a72713 sys: automatically add padding to structs 2015-12-17 14:38:46 +01:00
Dmitry Vyukov
6892001bbc add tty-related ioctl's 2015-11-16 19:14:05 +01:00
Dmitry Vyukov
f8f416fb8f preliminary description of kdbus syscalls 2015-10-16 18:16:10 +02:00
Dmitry Vyukov
874c5754bb initial commit 2015-10-12 10:16:57 +02:00