We forgot to mount binfmt_misc. Mount it. Add a test.
Increase per-call timeout, otherwise last execve timesout.
Fix csource waiting for call completion at the end of program.
Support checking "blocked"/"unfinished" flags for calls.
Support test constanints, e.g. "requires: threaded" or "requires: -sandbox=setuid".
Some improvements in tools/syz-runtest.
Update #603
If the test process is not dying after 100ms,
abort all fuse connections in the system.
This gets rid at least of simple fuse deadlocks,
let's see how well this works in all cases.
The tool is run as:
$ syz-runtest -config manager.config
This runs all programs from sys/*/test/* in different modes
on actual VMs and checks results.
Fixes#603
Add syz_errno syscall which sets errno to the argument,
and add a test with different errno values.
This mostly tests the testing infrastructure itself.
Add syz_compare syscall which compare two blobs,
this can be used for testing of argument memory layout.
Implement syz_mmap and fix Makefile to allow building syz-execprog for test OS.
Useful for debugging.
Update #603
Package runtest is a driver for end-to-end testing of syzkaller programs.
It tests program execution via both executor and csource,
with different sandboxes and execution modes (threaded, repeated, etc).
It can run test OS programs locally via run_test.go
and all other real OS programs via tools/syz-runtest
which uses manager config to wind up VMs.
Test programs are located in sys/*/test/* files.
Update #603
Currently target binaries contain support for all OS/arch combinations.
However, obviously a fuchsia target binary won't test windows.
For target binaries we need support only for a single target
(with the exception of 386/arm target in amd64/arm64 binaries).
So compile in only _the_ target into target binaries.
This reduces akaros/amd64 fuzzer binary from 33 to 7 MB
and execprog from 28 to 2 MB.
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
Add interface specified policies for IFLA_LINKINFO. I only added the
interfaces we create in initial setup. Remain other types of interfaces
in the TODO list.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
RVERSION needs to use 0xffff tag, otherwise parsing fails.
Use only tags 1 and 2. They are densely allocated,
so most of the time it's 1. And it needs to be correct in
multiple replies for mount to succeed. So limit tag space.
We have fallback coverage implmentation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.
Move fallback coverage to ipc package,
fix it and provide for all OSes.
Split sockaddr_xdp for bind.
Bind accepts another sock_xdp in addr.
Without the split getsockaddr "can" create sock_xdp's
because it returns generic sockaddr which contains
all addresses, including sockaddr_xdp, which in turn
contains sock_xdp.
We see some crashes that suggest corruption of the syscall number:
invalid command number 1296 (errno 11)
invalid command number 107 (errno 110)
Make the table and the number constant to prevent corruption.
We currently have native cross-compilation logic duplicated
in Makefile and in sys/targets. Some pieces are missed in one
place, some are in another. Only pkg/csource knows how to check
for -static support.
Move all CC/CFLAGS logic to sys/targets and pull results in Makefile.
This should make Makefile work on distros that have broken x86_64-linux-gnu-gcc,
now we will use just gcc. And this removes the need to define NOSTATIC,
as it's always auto-detected.
This also paves the way for making pkg/csource work on OSes other than Linux.
The id field in the v4l2_event_subscription structure
currently described as: id len[type, int32].
But all the documentation states is:
"id - ID of the event source. If there is no ID associated
with the event source, then set this to 0. Whether or not
an event needs an ID depends on the event type."
So, the documentation clearly states that:
1. id - is the source of an event
2. type - is the type of an event
3. for some types of events there is no source and id can be 0
According to this 'id int32' is more accurate description of
the field.
Print each constant on separate line.
When compiler prints error messages it prints whole line
containing an error. So currently it prints all constants (thousands).
With this change it prints just the problematic constant.
For now other arches are regenerated on upstream tree.
It does not contain a bunch of consts, so we define them to 1 for now.
arm64 consts are left intact.
video4linux.txt is added to "android" files in syz-extract,
so that future make extract runs don't overwrite arm64 consts.
Also fix VIDIOC_G_FBUF argument direction, currently tests crash with:
panic: call ioctl$VIDIOC_G_FBUF: pointer arg 'buffer' has output direction [recovered]
panic: call ioctl$VIDIOC_G_FBUF: pointer arg 'buffer' has output direction
Update #533
As TC(net sched) is a large group, I separate it from socket_netlink_route.txt.
Currently I only implement the framework with two qdisc/tclass/filters.
I will add the others later.
v2: Fix tcm_handle major and minor order. Add tcm_handle_offsets.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Move generated files to gen subdir. This allows to:
1. Rebuild init.go without rebuilding generated code.
2. Excluding generated files from gometalinter checking.
This makes faster and consume less memory.
Update #538
Also fix RTA_MULTIPATH data type. We only need struct rtnexthop,
no need to use array type.
v1 -> v2:
Use uid and sock_port instead of int32/16. Use flags for FRA_PROTOCOL
and FRA_IP_PROTO.
Add type fib_rule_hdr because even though the structure is same with rtmsg.
The table, action and flags values are not same.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Bridge device is used for forwarding. Bond/team device is used for
load balance and fail over. So it would make more sense to add two
slave interfaces for these devices.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
1. Create ifindex_team, because TEAM_ATTR_TEAM_IFINDEX must
always point to a team device.
2. Remove output only attributes like team_attr_item_port, TEAM_ATTR_LIST_PORT,
TEAM_ATTR_OPTION_CHANGED.
3. Restructure team_nl_option_policy: we always want TEAM_ATTR_OPTION_NAME/TYPE/DATA
+ optionally TEAM_ATTR_OPTION_ARRAY_INDEX and TEAM_ATTR_OPTION_PORT_IFINDEX.
4. Provide specialized team_nl_option_policy_per_port and team_nl_option_policy_array.
5. Make team_attr_option varlen.
6. Remove unnecessary indirection via team_attr_list_option/team_attr_list_port.
7. Fix data type for bpf_hash_func and lb_tx_hash_to_port_mapping.
Now file names become:
string[filename]
with a possibility of using other string features:
stringnoz[filename]
string[filename, CONST_SIZE]
and filename is left as type alias as it is commonly used:
type filename string[filename]
At some point extract for linux/arm started to fail with:
extracting from key.txt
failed to run compiler: exit status 1
/tmp/ccT6o7iZ.s: Assembler messages:
/tmp/ccT6o7iZ.s:4: Error: unknown pseudo-op: `.syntax'
This is caused by arch/arm/include/asm/unified.h:
__asm__(".syntax unified");
Ignore all __asm__ directives as we are cross compiling.
Turns out creating a cgroup per test is too expensive.
Moreover, it leads to hanged tasks as cgroup destruction
is asynchronous and overloads kernel work queues.
Create only a single cgroup per proc, but restrict
descriptions to mess with that single group,
instead test processes create own nested cgroups for messing.
* fuchsia: Fix the `extractor` tool.
The include path in Zircon has changed; updated syz-extract/fuchsia.go
to include this, and re-ran extract to get updated *.const files.
* fuchsia: Update syzkaller to build with current Fuchsia API.
Fuchsia doesn't have a stable API right now, so alas, this will probably
continue to change until that's nailed down.
But, useful to get this up-to-date at least.
Relevant notes:
* zx_channel_call_finish and _retry aren't technically public; leave
them out until we have a less-cludgy way to expose them
* musl supports setjmp/longjmp but not _setjmp/_longjump
* remove some unsupported syscalls
* update the build invocation
The new pseudo syscall allows opening sockets that can only
be created in init net namespace (BLUETOOTH, NFC, LLC).
Use it to open these sockets.
Unfortunately this only works with sandbox none at the moment.
The problem is that setns of a network namespace requires CAP_SYS_ADMIN
in the target namespace, and we've lost all privs in the init namespace
during creation of a user namespace.
Handle most of type changes, e.g. const is changed to struct,
or struct to pointers. In all these cases we create default args.
They may not give the coverage anymore, but still better than
losing them right away.
1. Add size attribte on sockaddr.
2. Remove sockaddr's that are larger than 16 bytes from sockaddr.
3. Add size attribute on sockaddr_storage which wasn't actually 128 bytes.
4. Add size attribute to ifreq.
5. Fix ifmap field types as uncovered by the size attributes.
6. Fix sockaddr_storage_tcp from struct to union which is should be.
7. Make sockaddr_un_file fixed size as it should be.
8. Fix some explicit paddings that were only correct for 64 bits.
We now always create net namespace for testing,
so socket ports and other IDs do not overlap between
different test processes.
Proc types play badly with squashing packets to ANYBLOB.
To squash into a block we need concrete value, but it depends
on process id.
Removing proc also makes tun setup and address descriptions simpler.
Squash complex structs into flat byte array and mutate this array
with generic blob mutations. This allows to mutate what we currently
consider as paddings and add/remove paddings from structs, etc.
Fix alignemnt calculation for packed structs with alignment and bitfields.
Amusingly this affected only a single real struct -- ipv6_fragment_ext_header.
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
Make Foreach* callback accept the arg and a context struct
that can contain lots of aux info.
This (1) removes lots of unuser base/parent args,
(2) provides foundation for stopping recursion,
(3) allows to merge foreachSubargOffset.
Put the underflow entry at the end.
Entries must end on an unconditional, non-goto entry,
otherwise fallthrough from the last entry is invalid.
Add arp tables support.
Split unspec matches/targets to unspec and inet.
Reset ipv6 and arp tables in executor.
Fix number of counters in tables.
Plus a bunch of assorted fixes for matches/targets.
We currently print unsupported consts to console during make extract.
But this is not very useful as there are too many output now.
This also does not allow to understand what's unsupported
in newly checked-in descriptions, or what's unsupported in all current
decriptions.
Save unsupported consts to the const files instead.
This solves all of the above problems.
Unions with only 1 field are not actually unions,
and can always be replaced with the option type.
However, they are still useful when there will be
more options in future but currently only 1 is described.
Alternatives are:
- not using union (but then all existing programs will be
broken when union is finally introduced)
- adding a fake field (ugly and reduces fuzzer efficiency)
Allow unions with only 1 field.
Consider the following example:
type len_templ1[DATA1, DATA2] {
data DATA1
inner len_temp2[DATA2]
}
type len_temp2[DATA] {
data DATA
len len[len_templ1, int8]
}
Here len refers to a parent struct, but the struct is a template,
so it's actual name is something like "len_templ1[int8, int16]".
Currently this does not work as compiler barks at incorrect
len target.
Make this work.
mknod$loop contains proc type as dev number.
Current sanitization code truncates 64-bit -1 to 32-bits
which later causes validation failure.
Don't do that, it's unnecessary for proc type.
