Commit Graph

115 Commits

Author SHA1 Message Date
Dmitry Vyukov
a6e3054436 executor: rename some macros
Rename some macros in preparation for subsequent changes
which will align names across the code base.
2019-11-16 09:58:54 +01:00
Marco Elver
b2f369e56e executor, host, csource: Add support to enable KCSAN
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.

This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
2019-10-04 13:44:09 +02:00
Matthew Dempsky
fd37b39ea8 all: convert Fuchsia to use "host fuzzing" mode
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.

This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
2019-08-27 14:39:18 -07:00
Andrey Konovalov
c6c81a0bd3
executor: fix procid not declared properly for netbsd (#1358) 2019-08-22 14:49:06 +02:00
Anton Lindqvist
429efa16d6 executor: make errors during thread creation exit zero
On OpenBSD, the executor sometimes manages to set the memory resource
limit 0 causing any following memory allocation to fail. Since threads
are potentially created from such a thread which cannot allocate any
memory, the executor will exit non-zero which in turn will cause
false-positive panics to be reported. For more info see the
discussion[1] in PR #1243.

Instead, if hitting a fatal error during thread creation exit zero.

[1] https://github.com/google/syzkaller/pull/1243
2019-07-04 20:26:46 +02:00
Andrey Konovalov
c054a92dde pkg/csource: generate timeouts for USB syzcalls
This patch only covers per call timeouts, per prog one is not adjusted yet.
2019-05-31 13:35:25 +02:00
Dmitry Vyukov
8285069f89 executor: implement support for leak checking
Leak checking support was half done and did not really work.
This is heavy-lifting to make it work.

1. Move leak/fault setup into executor.
pkg/host was a wrong place for them because we need then in C repros too.
The pkg/host periodic callback functionality did not work too,
we need it in executor so that we can reuse it in C repros too.
Remove setup/callback functions in pkg/host entirely.

2. Do leak setup/checking in C repros.
The way leak checking is invoked is slightly different from fuzzer,
but much better then no support at all.
At least the checking code is shared.

3. Add Leak option to pkg/csource and -leak flag to syz-prog2c.

4. Don't enalbe leak checking in fuzzer while we are triaging initial corpus.
It's toooo slow.

5. Fix pkg/repro to do something more sane for leak bugs.

Few other minor fixes here and there.
2019-05-20 19:40:20 +02:00
Andrey Konovalov
f4a3dc9128 all: add basic USB fuzzing support
This commits implements 4 syzcalls: syz_usb_connect, syz_usb_io_control,
syz_usb_ep_write and syz_usb_disconnect. Those syzcalls are used to emit USB
packets through a custom GadgetFS-like interface (currently exposed at
/sys/kernel/debug/usb-fuzzer), which requires special kernel patches.

USB fuzzing support is quite basic, as it mostly covers only the USB device
enumeration process. Even though the syz_usb_ep_write syzcall does allow to
communicate with USB endpoints after the device has been enumerated, no
coverage is collected from that code yet.
2019-04-11 16:24:45 +02:00
Andrey Konovalov
5c51045d28 all: add optional close_fds feature to reproducers
Instead of always closing open fds (number 3 to 30) after each program,
add an options called EnableCloseFds. It can be passed to syz-execprog,
syz-prog2c and syz-stress via the -enable and -disable flags. Set the
default value to true. Also minimize C repros over it, except for when
repeat is enabled.
2019-04-09 10:53:11 +02:00
Andrey Konovalov
e619f52452 csource: use /*FOO*/ instead of [[FOO]]
The latter differently confuses different versions of clang-format.
2019-04-09 10:53:11 +02:00
Marco Vanotti
6a475fffec executor: move syz_execute_func after os imports. (#1107)
This commit moves the definition of the `syz_execute_func` after the
block of code that imports all the OS specific common headers.

This is required because after commit
dfd3394d42 `syz_execute_func` started
using the `NONFAILING` macro, which is defined in those header files for
each OS.

I also ran `make generate`.

TEST=I only tested that the executor works for Fuchsia with:

```shell
$ make executor TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=~/fuchsia
```
2019-04-03 16:46:38 -07:00
Dmitry Vyukov
dfd3394d42 executor: try to prevent machine outbreak
The fuzzer gained control over host machines again with something like:

syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030062e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02")

Let's see if perturbing syz_execute_func a bit and wiping registers
will stop the outbreak.
2019-04-02 13:43:46 +02:00
Dmitry Vyukov
44270612b4 executor: prevent non-null expected warnings
The added test triggers warnings like these:

<stdin>: In function ‘syz_mount_image.constprop’:
<stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
In file included from <stdin>:26:0:
/usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
 extern int mkdir (const char *__path, __mode_t __mode)
            ^~~~~
cc1: all warnings being treated as errors

<stdin>: In function ‘syz_open_procfs.constprop’:
<stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’
<stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
<stdin>:85:110: note: in definition of macro ‘NONFAILING’

Use volatile for all arguments of syz_ functions to prevent
compiler from treating the arguments as constants in reproducers.

Popped up during bisection that used a repro that previously worked.
Update #501
2019-03-21 13:27:41 +01:00
Dmitry Vyukov
4b69c3cbac pkg/runtest: make tests pass on freebsd
The problem is stupid: <endian.h> should be included as <sys/endian.h> on freebsd.
Pass actual host OS to executor build as HOSTGOOS and use it to figure out
how we should include this header.
2019-03-07 20:37:43 +01:00
Andrey Konovalov
dfd609eca1 execprog, stress, prog2c: unify flags to enable additional features
This change makes all syz-execprog, syz-prog2c and syz-stress accept
-enable and -disable flags to enable or disable additional features
(tun, net_dev, net_reset, cgroups and binfmt_misc) instead of having
a separate flag for each of them.

The default (without any flags) behavior isn't changed: syz-execprog
and syz-stress enabled all the features (provided the runtime supports
them) and syz-prog2c disables all of them.
2019-03-05 14:30:10 +01:00
Dmitry Vyukov
e34c330b57 executor: add missing include
thread_start now uses errno, so include <errno.h>
2019-02-01 19:43:52 +01:00
Dmitry Vyukov
0e8ea0a357 executor, pkg/ipc: simplify retry handling
Remove kRetryStatus, it's effectively the same as exiting with 0.
Remove ipc.ExecutorFailure, nobody uses it.
Simplify few other minor things around exit status handling.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
25e10a0434 executor: remove ability to detect kernel bugs
This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited executor binary).
Drop all of it.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
937e1ba861 executor: fix do_sandbox_none on akaros and test
do_sandbox_none must not exit, it needs to return.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
6fb60a4813 executor: handle pthread_create errors better
See the added comment for explanation.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
7e81a53230 pkg/csource: write tracing output to stderr
stdout is not flushed on abnormal exit.
2019-01-31 11:35:53 +01:00
Dmitry Vyukov
dd61e58d94 sys/linux: extend AX25/ROSE/NETROM descriptions 2018-12-24 18:56:06 +01:00
Greg Steuck
f3d9d5948c pkg/csource: support tun and setuid repros on {free,open}bsd
* expose procid on BSD for tun, always declare loop()
* deal with terrible bsd includes
* replicate loop() declaration
2018-12-13 09:44:24 +01:00
Dmitry Vyukov
c791837863 executor: fix handling of big-endian bitfields
Currently we apply big-endian-ness and bitfield-ness in the wrong order in copyin.
This leads to totally bogus result. Fix this.
2018-12-08 19:08:08 +01:00
msvoelker
0ab8db6467 executor: FreeBSD: fixed endian.h path
The include statement for endian.h failed on FreeBSD. Changed include statement to syz/endian.h for FreeBSD.
2018-11-23 11:50:41 +01:00
Zach Riggle
751b7baf94 Android: Fix sandbox implementation
My test harness for this code performed some steps that are not
performed when syz-executor is invoked directy.

Specifcally, we need to operate from a directory under /data/data,
and have the correct UID/GID set as the owner of the directory.

My test harness now correctly sets these, all sandbox operations
succeed, and loop() is invoked.
2018-10-12 16:39:26 +02:00
Alexander Popov
0e7547d77c executor: make the debug output useful for race condition debugging
Sometimes race conditions are reproduced by syz-execprog and are not
reproduced by the programs generated with syz-prog2c. In such cases
it's very helpful to know when exactly the fuzzing syscalls are executed.

Unfortunately, adding timestamps to the output of the original 'debug'
mode doesn't work. This mode provides very verbose output, which slows
down executor and breaks the repro.

So let's make the executor debug output less verbose and add
the timestamps.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
2018-09-24 14:55:35 +02:00
Zach Riggle
0eca949a6c RFC: android: Add support for untrusted_app sandboxing (#697)
executor: add support for android_untrusted_app sandbox

This adds a new sandbox type, 'android_untrusted_app', which restricts
syz-executor to the privileges which are available to third-party applications,
e.g. those installed from the Google Play store.

In particular, this uses the UID space reserved for applications (instead of
the 'setuid' sandbox, which uses the traditional 'nobody' user / 65534)
as well as a set of groups which the Android-specific kernels are aware of,
and finally ensures that the SELinux context is set appropriately.

Dependencies on libselinux are avoided by manually implementing the few
functions that are needed to change the context of the current process,
and arbitrary files.  The underlying mechanisms are relatively simple.

Fixes google/syzkaller#643

Test: make presubmit
Bug: http://b/112900774
2018-09-17 11:33:11 +02:00
Dmitry Vyukov
a4718693a3 sys/linux: add syz_execute_func
The function executes random code.

Update #310
2018-08-30 21:45:04 -07:00
Anton Lindqvist
b771b17ec9 Add mandatory OpenBSD bits (#689)
all: add openbsd support

squash of the following commits:

* openbsd: add mandatory bits
* report: add OpenBSD support
* executor: skip building kvm on OpenBSD
* executor: add OpenBSD support
Linking against libutil is necessary due to usage of openpty(3).
* executor: fix typo in fail() message
* fixup! report: add OpenBSD support
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! openbsd: add mandatory bits
* fixup! report: add OpenBSD support
* gometalinter: skip sys/openbsd
2018-08-28 10:07:26 -07:00
Dmitry Vyukov
7067e78fd6 executor: fix gcc warnings in fuchsia generated code
gcc complains about function declarations not being prototypes,
signed/unsigned cast mismatch and casts between incompatible functions.
Fix them.
2018-08-19 01:53:59 +02:00
Dmitry Vyukov
3a2fe60529 executor: fix cgroups
1. Create per-proc cgroup in executor.
2. Setup cgroups after chdir into test dir
   (it assumes relative paths against test dir).
3. Add test.
2018-08-09 16:05:46 +02:00
Dmitry Vyukov
922e8e2734 executor: mount binfmt_mist
We forgot to mount binfmt_misc. Mount it. Add a test.
Increase per-call timeout, otherwise last execve timesout.
Fix csource waiting for call completion at the end of program.
2018-08-09 16:05:46 +02:00
Dmitry Vyukov
1beb81367c executor: check write return value
gcc complains:

error: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Werror=unused-result]

Also fix includes.
2018-08-05 13:05:47 +02:00
Dmitry Vyukov
3a7200e49b executor: abort fuse connection
If the test process is not dying after 100ms,
abort all fuse connections in the system.
This gets rid at least of simple fuse deadlocks,
let's see how well this works in all cases.
2018-08-04 17:50:58 +02:00
Dmitry Vyukov
b8bd991ee2 executor: make current_time_ms/sleep_ms
Fix conditions for when current_time_ms/sleep_ms are used
and make them static.
2018-07-30 11:17:44 +02:00
Dmitry Vyukov
9faf980ad5 executor: disable clang-format for some parts
clang-format badly mishandles this part,
moreover different versions mishandle it differently.
2018-07-27 13:48:44 +02:00
Dmitry Vyukov
b25fc7b831 pkg/csource: add option to trace syscall results
This will be needed for testing of generated programs.
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
9d92841b4e pkg/csource: tidy generated code
1. Remove unnecessary includes.
2. Remove thunk function in threaded mode.
3. Inline syscalls into main for the simplest case.
4. Define main in common.h rather than form with printfs.
5. Fix generation for repeat mode
   (we had 2 infinite loops: in main and in loop).
6. Remove unused functions (setup/reset_loop, setup/reset_test,
   sandbox_namespace, etc).
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
c3da5dc5e0 executor: simplify event_timedwait
We always have current_time_ms in event_timedwait
so use it instead of manual clock_gettime calls
which tend to be bulkier.
2018-07-27 10:22:23 +02:00
Dmitry Vyukov
9fe4bdc5f1 executor: overhaul
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).

This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
2018-07-24 12:04:27 +02:00
Anton Lindqvist
912c93d745 executor: fix typo in comment 2018-07-23 11:11:32 +02:00
Dmitry Vyukov
7b45fa115b pkg/csource: support fuchsia
Lots of assorted heavylifting to support csource on fuchsia.
2018-06-29 10:47:42 +02:00
Dmitry Vyukov
645e75f803 executor: make syscall table and number constant
We see some crashes that suggest corruption of the syscall number:

invalid command number 1296 (errno 11)
invalid command number 107 (errno 110)

Make the table and the number constant to prevent corruption.
2018-06-07 15:32:30 +02:00
Dmitry Vyukov
2675f92065 sys/linux: add cgroup descriptions 2018-03-25 12:46:05 +02:00
Dmitry Vyukov
11cf581658 executor: fix ifdef's for csource
There is test failure on travis:
https://travis-ci.org/google/syzkaller/jobs/349948391
I can't reproduce it locally, and it only happened on 1.8, but not on 1.9?
But this seems to be what could have provoked such failure.
2018-03-07 10:50:09 +01:00
Dmitry Vyukov
bbd5104f06 executor: fix includes
We use errno, vaargs, printf in all of fail/error/exitf,
but we include the corresponding headers only when SYZ_USE_TMP_DIR.
Include them whenever fail/error/exitf are used.
2018-03-05 12:59:12 +01:00
Dmitry Vyukov
42467f5b7b sys/linux: add syz_init_net_socket syscall
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.

Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
2018-03-05 12:10:27 +01:00
Dmitry Vyukov
fd3e9f2b97 executor: introduce uint64/32/16/8 types
The "define uint64_t unsigned long long" were too good to work.
With a different toolchain I am getting:

cstdint:69:11: error: expected unqualified-id
  using ::uint64_t;
          ^
executor/common.h:34:18: note: expanded from macro 'uint64_t'

Do it the proper way: introduce uint64/32/16/8 types and use them.

pkg/csource then does s/uint64/uint64_t/ to not clutter code with
additional typedefs.
2017-12-27 11:15:04 +01:00
Dmitry Vyukov
b7b7ac19fd executor: check format strings
I see a crash which says:

	#0: too much cover 0 (errno 0)

while the code is:

	uint64_t n = ...;
	if (n >= kCoverSize)
		fail("#%d: too much cover %u", th->id, n);

It seems that the high part of n is set, but we don't see it.

Add printf format attribute to fail and friends and fix all similar cases.
Caught a bunch of similar cases and a missing argument in:

exitf("opendir(%s) failed due to NOFILE, exiting");
2017-12-27 09:18:26 +01:00