Constant 64-bit arguments to the variadic syscall(2) must have their
width specified explicitly. In practice this is not necessary most of
the time, but on amd64/freebsd with clang the compiler can and does
store the constant 32-bit value to the stack, leaving garbage in the
upper 32 bits.
This makes C reproducers somewhat uglier, but I see no other solution.
Detect bisection to merge commits and to commits that don't affect
kernel binary (comments, other arches, whitespaces, etc).
Such bisections are not reported in emails (but shown on web).
Update #1271
Test presence of a working compiler before running any tests for a target.
This helps to make tests pass even if some cross-compilers are not installed properly.
Some syzkaller panics happen due to memory corruptions,
but it still would be useful at least to get some visibility into these crashes.
On some OSes we actualy already detect them as they have "panic:" oops pattern,
but not e.g. on linux.
Fixes#318
Add optional build signature for images, currently only implemented for linux.
This can be used in bisection process to detect changes that does not affect kernel.
Update #1271
Image takes too many arguments, so we need to do lots of forwarding,
adding new argumnets is painful and most OSes are not interested
in lots of arguments.
Combine all arguments into a params struct.
* Modify Run() to return the commit object when a failure occurs on the
oldest tested release(for BisectCause) and latest tested
release(for BisectFix).
* Modify tests to check the returned commit object.
Add tests for the following cases(1 each for cause and fix):
- bisection returns the correct commit
- bisection failed due to crash not occuring on the original commit
- bisection failed as crash occurs on oldest/latest commit
- bisection is inconclusive
Remove a check that was mistakenly added with devlink_pci feature and is
duplicate of the existing check.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Enables the syntax intN[start:end, alignment] for integer ranges. For
instance, int32[0:10, 2] represents even 32-bit numbers between 0 and 10
included. With this change, two NEED tags in syscall descriptions can be
addressed.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Other packages should use ast.Recursive and ast.PostRecursive to ensure
the root node is visited as well.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Without this fix, the compiler throws an error 'template argument BASE is
not used' for the following typedef.
type templ1[BASE] BASE
foo(a ptr[in, templ1[int64]])
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
All callers of EnvForCommit need the compiler path,
so move this logic into EnvForCommit to avoid duplication.
Also simplifies tests because test impl can now return
an empty compiler (which should be unused).
(note: incomplete change)
Refactor existing code as follows:
* Move reusable test utility functions from git_repo_test.go to
pkg/vcs/test_util.go and make them exported.
* Split Run() into Run()+runImpl().
* Change type of bisect.go:env.inst to `instance.BuilderTester`.
Change usage inside syz-testbuild/testbuild.go accordingly.
* Move most of linux.PreviousReleaseTags() into vcs/git.go as
git.previousReleaseTags().
* Allow build.CompilerIdentity to be mocked.
Introduce the following changes:
* instance.BuilderTester is an interface with methods
BuildSyzkaller()
BuildKernel()
Test()
NewEnv() now returns this interface.
* type testEnv implements instance.BuilderTester.
* type testBuilder implements builder interface. Add a entry into table
inside pkg/build/build.go:getBuilder() to return testBuilder object.
The problem with task hung reports is that they manifest at random victim stacks,
rather at the root cause stack. E.g. if there is something wrong with RCU subsystem,
we are getting hangs all over the kernel on all synchronize_* calls.
So before resotring to the common logic of skipping some common frames,
we look for 2 common buckets: hangs on synchronize_rcu and hangs on rtnl_lock
and group these together.
Currently we replace a template argument and then recurse
into the new type AST to see if there is more to replace.
If the description is buggy and the template argument
contains itself, then we will recurse infintiely trying
to replace it more and more.
Use post-order traversal when replacing template argument to fix this.
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
OpenBSD uses cvs and does not enforce the standard Git convention for
commit messages of putting a summary followed by a new line and body.
If such commit[1] contains a `Reported-by` header, it's currently not
detected. Instead, if the body is empty try to extract data from the
commit summary.
[1] bdbfbec5ce
This commit fixes a handle leak in syz_mmap. The bug was pointed out by
mdempsky during a code review.
The `syz_mmap` function creates a VMO and maps it to a VMAR in the address
specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar,
the handle to the vmo can be closed without problems.
The new code makes sure that `zx_handle_close(vmo_handle)` gets called before
the `syz_mmap` function returns.
syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs, however, it is also used to setup the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).
The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.
[0]:
a60cb4cd84/executor/executor_fuchsia.h (L15)
This change reuses the logic for sending the output back from
syz-executor to syz-fuzzer that forkserver oses use: reading it
periodically. This will be useful for debugging issues in Fuchsia that
does not support forkserver yet.
syz-symbolize did not use the common mgrconfig logic
to calculate kernel dirs. Thus KernelBuildSrc ended up empty,
+dirs were not extended to absolute paths.
Use the common mgrconfig logic to calculate kernel dirs.
Kbuild inserts build timestamp into every build.
This makes vmlinux change always even if no present.
Make the build more deterministic.
We plan to use it for detecting no-op changes during bisection.
Update #1271
* Modify mail_bisect_result.txt to allow for sending fix bisection
results.
* Modify BisectResult to have a Fix field; introduce selectBisect for
use within the template for choosing between BisectCause/BisectFix
fields.
* Modify bisectFromJob() to return BisectResult with Fix field set if
relevant.
* Modify the tests inside bisect_test.go to account for bisect fix
related reporting emails.
* Modify incomingMail() to ignore any emails from syzbot itself.
Reports from witness regarding returning to userspace with locks held is not
unique enough, causing all lock leaks to be grouped under the same bug.
Instead try to extract the name of syscall where the first held lock was
grabbed.
While here, shorten the title a bit.
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
MAX_STACK_TRACE_ENTRIES crash reports caused by a particular issues can come
from any part of the kernel, so bucketing them based on the stack trace is
pointless and only creates duplicate bug reports.
We have noticed that the build process was being invoked as root. This
change modifies the calls to use osutil.Sandbox before invoking cmds to
build fuchsia.
This is required for the process to use goma, as goma is running under
the syzkaller user.
* Modify uiBug type. Rename BisectCause to BisectCauseDone. Introduce
BisectFixDone.
* Modify createUIBug() and MergeUIBug() to set the above fields
appropriately.
* Modify bug_list to display the bisection status; remove yesSort() as
it is not used anymore. Adjust ".list_table .stat" to appropriate width.
* Add TestBugBisectionStatus() to check bisection status on main page.
* Add file from running "make generate": pkg/html/generated.go
Better coverage reports with hierarchical coverage information,
number of programs covering each line,
handling of partially covered lines,
links to programs covering lines.
Fixes#682
After f613a7c4 ("pkg/cover: fix prefix computation") we stopped trimming
starting "/" from linux path names. This broke get_maintainers.pl script
which is now given non-existent absolute paths (e.g. "/mm/mmap.c"),
as the result syzbot can't find any maintainers for bug reports
and mails them into lkml limbo.
Trim starting slashes and dots. Extend tests for catch this.
We now pass 5 arguments through a bunch of functions,
this is quite inconvinient when the set of arguments changes.
Incapsulate all arguments in a struct and pass/store it as a whole.
This change modifies the way fuchsia is built to add the ssh keys to the
zbi image after building it. Previously that was done via the
"extra_ssh_keys" argument to the build system, but that was removed
recently.
A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
Running sys/*/test programs requires real machines and kernels for each OS.
We can't do that in unit tests, but at least try to deserialize these programs
so that they don't get rotten.
Ensure that we have at least 1GB per Makefile job.
Go compiler/linker can consume significant amount of memory
(observed to consume at least 600MB). See #1276 for context.
Update #1276
One instance we observed that objdump hanged due to stdout
pipe overflow due to panic in archCallInsn.
The reason for the original panic is still unclear,
but fix the objdump hang. We need to terminate objdump
and propagate the panic.
Also extend the panic messages.
* sys/fuchsia: update zx_clock_get.
zx_clock_get was deprecated and replaced by zx_clock_get_new. In a
recent CL[0], they replaced the zx_clock_get by zx_clock_get_new and
moved all client. This commit updates syzkaller to use the new function.
[0]: https://fuchsia-review.googlesource.com/c/fuchsia/+/298575
* run make extract && make generate
1. Change HID descriptions to allow devices to have two interrupt endpoints.
2. Remove unneeded responses to OUT control requests from descriptions.
3. Add some debugging code to detect and report missing descriptions.
On OpenBSD, the executor sometimes manages to set the memory resource
limit 0 causing any following memory allocation to fail. Since threads
are potentially created from such a thread which cannot allocate any
memory, the executor will exit non-zero which in turn will cause
false-positive panics to be reported. For more info see the
discussion[1] in PR #1243.
Instead, if hitting a fatal error during thread creation exit zero.
[1] https://github.com/google/syzkaller/pull/1243
* Add support for non-obvious open commands
* Adding Michael Specter to CONTRIBUTORS
* update
* /pkg/host/host_linux.go: leverage .txt for OpenAt
Allows users to specify OpenAt flags. Currently, Syzkaller will
automatically attempt to open device nodes at startup, and ignore
descriptions that do not exist. Unfortunately, Syzkaller only opens with
read-only permissions, and some device drivers will
return -EINVAL or likewise if the correct flags are not specified.
