bNumEndpoints is defined as len[endpoints]. This initially assumed that
endpoints is an array, which is not the case for descriptions for
particular USB classes. Improve it by defining a new template for interfaces
and passing in a value range for bNumEndpoints for these cases.
Currently build on darwin crashes when we try to access host.CCompiler/CPP
(there is no darwin target). Check that we have the host target before using it,
otherwise use default gcc/cpp.
Some USB drivers don't depend on core USB symbols, but rather depend on a
generic symbol for some input subsystem (e.g. HID). Account for that when
extracting USB configs.
Update socket timeval, timestamp options and flags.
v2: separate SO_{TIMESTAMP, TIMESTAMPNS}_{OLD, NEW} as they only need
enable/disable option value.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Default value for ProcType is 0 (same for all PID's).
Usually 0 either does not make sense at all or make different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).
* sys/linux: extract USB HID ids
As it turns out the HID kernel subsystem registers only one USB driver that
checks that the interface of the connected device has HID class and then looks
up its own list of vendor/device ids to find a matching driver. This means
that we currently don't generate proper vendor/device ids for USB HID devices.
This patch updates the syz-usbgen tool to also extract USB HID vendor/device
ids from a running kernel and makes the generated descriptions for HID devices
to be patched using the extracted ids.
This patch also contains some minor improvements to USB descriptions
(better HID descriptions and more replies for some USB classes/drivers).
* sys/linux: run make generate
Currently we use AT_FDCWD as a special value for all file descriptors,
but it does not make sense for almost all of them (sockets, bpf, etc).
Use it as a special value only for fd_dir.
A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
Running sys/*/test programs requires real machines and kernels for each OS.
We can't do that in unit tests, but at least try to deserialize these programs
so that they don't get rotten.
* sys/fuchsia: update zx_clock_get.
zx_clock_get was deprecated and replaced by zx_clock_get_new. In a
recent CL[0], they replaced the zx_clock_get by zx_clock_get_new and
moved all client. This commit updates syzkaller to use the new function.
[0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/298575
* run make extract && make generate
Instead of defining the __GLIBC_USE macro on every OS, we are just
defining it based on a parameter. That parameter is set to false for all
OSs except for fuchsia.
When I try to run `make extract` for fuchsia, the clang compiler
complains that __GLIBC_USE is undefined.
This CL just defines it to be an always false function-like macro if it
was not defined.
This commit removes the fuchsia-power fidl definitions. The interface
doesn't have a service implementing it in fuchsia, and it is causing
issues in make extract.
1. Change HID descriptions to allow devices to have two interrupt endpoints.
2. Remove unneeded responses to OUT control requests from descriptions.
3. Add some debugging code to detect and report missing descriptions.
Update descriptions to be compatible with latest linux-next
(next-20190715), which in theory will match v5.3-rc1 when the merge
window closes.
- KEYCTL_GRANT_PERMISSION was reverted. So remove its description.
- CRYPTO_ALG_TYPE_DIGEST was removed. So remove its description.
- IB_QP_CREATE_SIGNATURE_EN was renamed to IB_QP_CREATE_INTEGRITY_EN.
Also remove the sys/linux/rdma_*.const files which were incorrectly
checked into git. The real copies of those files are in
sys/linux/dev_infiniband_rdma_*.const.
For now I did *not* check for other new APIs that need to be described.
- Add KEYCTL_MOVE (new in v5.3)
- Add KEYCTL_CAPABILITIES (new in v5.3)
- Add KEYCTL_GRANT_PERMISSION (new in v5.3)
- Remove KEY_PERM_UNDEF (was only ever in an internal kernel header,
not in UAPI; removed in v5.3)
Kernel get mpls lable like
```
unsigned entry = be32_to_cpu(hdr->label_stack_entry);
result.label = (entry & MPLS_LS_LABEL_MASK) >> MPLS_LS_LABEL_SHIFT;
```
So we just need to store the label in big endian order.
For mpls rta types, kernel accpet only one lable for RTA_DST and
multi labels for RTA_NEWDST.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
The sanitizer fails to sanitize programs like the following:
setrlimit(0x10000000000002, &(0x7f0000000080))
... due to presence of the most significant bit. Therefore mask of all
bits that cannot form a valid rlimit resource.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Locking down future mappings will most likely cause syz-executor to run
out of memory.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
Do not allow the stack to grow beyond the initial soft limit chosen by
syz-executor. Otherwise, syz-executor will most likely not be able to
perform any more heap allocations since they majoriy of memory is
reserved for the stack.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
OpenBSD performs a strict validation of the RLIMIT_DATA soft limit
during memory allocation. Lowering the same limit could cause
syz-executor to run out of memory quickly. Therefore make sure to not go
lower than the default soft limit for the staff group.
This is one of the root causes of the high amount of reported "lost
connection to test machine".
One of the root causes to reported "lost connection to test machine" is
when the egress network interface is being used as a multicast
interface:
setsockopt$inet6_MRT6_ADD_MIF(r0, 0x29, 0x66, &(0x7f0000000180)={0x2}, 0xc)
Prevent such syscalls from being generated by limiting the range of
allowed interface indices.
To allow future extensions of USB descriptions to fuzz particular USB
classes this patch changes the structure of USB descriptions to use
templates.
This will invalidate all existing USB corpus.
Add -B/usr/lib32 to 386 build flags.
The story behind -B/usr/lib32 is not completely clear, but it helps in some cases.
For context see discussion in https://github.com/google/syzkaller/pull/1202
Providing additional info, especially regarding syscall arguments, in reproducers
can be helpful. An example is device numbers passed to mknod(2).
This commit introduces an optional annotate function on a per target basis.
Example for the OpenBSD target:
$ cat prog.in
mknod(0x0, 0x0, 0x4503)
getpid()
$ syz-prog2c -prog prog.in
int main(void)
{
syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0);
syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */
syscall(SYS_getpid);
return 0;
}
Consolidating FIDL library build mappings in one place, so that it can
be used from extraction, and script invoking fidlgen. This also makes
code clearer, and provides a more natural path for evolutions / dealing
with oddities.
Minor doc update post fx command changes.
A const can be used as array size. Then if the const is not present
on all arches, compiler will produce an error about 0-sized-array.
There is no easy way to work around this for a user.
Use value of 1 for missing consts. It's just a bit safer.
Using a build tag to exclude files for golangci-lint
reduces memory consumption (it does not parse them).
The naive attempt with skip-dirs did not work.
So add codeanalysis build tag and use it in auto-generated files.
Update #977
Now that we have the len path expressions we can fix the TODO
in btf descriptions to properly specify offsets of btf sections.
Also add proper descriptions for btf type section
and few other minor things around.
