Among other things this changes timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
It happens a lot in qemu, and the messages are frequently corrupted
(intermixed with other kernel output as they are printed from NMI)
and are not matched against the suppression in pkg/report.
This write prevents these messages from being printed.
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4af5 ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentially.
Uncomment it.
Spotted by @xairy:
4428511d10 (r37456572)
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
We print whole reproducer programs on failure,
if lots of programs fail, this results in thousands
of lines of output, which is esp bad on travis.
Limit amount of output.
The stringnozescapes does not make sense with filename,
also we may need similar escaping for string flags.
Handle escaped strings on ast level instead.
This avoids introducing new type and works seamleassly with flags.
As alternative I've also tried using strconv.Quote/Unquote
but it leads to ugly half-escaped strings:
"\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"
Make hex-encoded strings a separate string format instead.
0. Remove aetest build tag. We don't need it anymore, go test should work.
1. IsDevAppServer does not return true in tests anymore, so don't use it
2. Use a different mechanism to register test/prod config.
We don't have aetest tag anymore, so we need something even more dynamic.
3. Fix new golangci-lint warnings: all test files are checked now.
Update #1461
If we are going to write all values, don't write field names.
This only increases size of generated files.
The change reduces size of generated files by 5.8%
(62870496-59410354=3460142 bytes saved).
SHA-1 is insecure. See a representative summary of known attacks here:
https://en.wikipedia.org/wiki/Hash_function_security_summary
Some external build systems warn about sha1 uses and reject to build.
Whitelisting is pain. Switch to sha256.
Overall idea of netlink checking.
Currnetly we check netlink policies for common detectable mistakes.
First, we detect what looks like a netlink policy in our descriptions
(these are structs/unions only with nlattr/nlnext/nlnetw fields).
Then we find corresponding symbols (offset/size) in vmlinux using nm.
Then we read elf headers and locate where these symbols are in the rodata section.
Then read in the symbol data, which is an array of nla_policy structs.
These structs allow to easily figure out type/size of attributes.
Finally we compare our descriptions with the kernel policy description.
Update #590
They can't be a bitmask. This fixes important cases
of "0, 1" and "0, 1, 2" flags. Fix some descriptions
that added 0 to bitmasks explicitly (we should do it
automatically instead).
Will simplify runtime analysis of flags.
Also just no reason to make it more deterministic
and avoid unnecessary diffs in future if values are reordered.
Generate const[0] for flags without values and for flags
with a single value which is 0.
This is the intention in all existing cases (e.g. an enum with types
of something, but there is really only 1 type exists).
We disabled it in configs, now also disable during bisection.
This config only adds debug output. It should not be enabled at all,
but it was accidentially enabled on some instances for some periods of time,
and kernel is boot-broken for prolonged ranges of commits with deadlock
which makes bisections take weeks.
On X86-64, dereferencing a non-canonical address normally causes a #GP, for
which syzkaller already has a pattern. However, if the base register of the
non-canonical address is RBP (which can happen in builds that use RBP as a
general-purpose register because they don't use frame pointer unwinding),
#SS is thrown instead, for which syzkaller did not yet have a pattern.
To see this kind of fault, you can insert the following code in
kernel_init() after the call to rcu_end_inkernel_boot():
asm volatile(
"movabs $0x8000000000000000, %rbp\n\t"
"movq (%rbp), %rax\n\t"
"ud2\n\t"
);
Linux prints a different error message for #SS, so add that error message
to syzkaller's list of patterns.
BTF fails lots of builds with:
pahole version v1.9 is too old, need at least v1.13
Failed to generate BTF for vmlinux. Try to disable CONFIG_DEBUG_INFO_BTF.
