Commit Graph

132 Commits

Author SHA1 Message Date
Dmitry Vyukov
1451a9b65d syz-fuzzer: prefer to mutate instead of generate
Currently we generate 1 program per 9 mutations.
Do it per 99 mutations.
Benchmark shows both coverage increase and corpus reduction:

                    baseline     generate100            diff
coverage               65467           65569             102
corpus                 35423           35363             -60
exec total           5474879         5030990         -443889
2017-01-20 14:56:20 +01:00
Dmitry Vyukov
fdfe23f9f6 syz-fuzzer: don't mutate generated programs
It was never proved to be useful.
We don't have evidence that a particular generated program is interesting,
so don't spend time mutating it. If it is in fact interesting,
then we will add it to corpus and mutate later.
2017-01-18 19:58:12 +01:00
Dmitry Vyukov
b8cb4435c4 syz-fuzzer: check for new coverage during minimization
There is no reason to not check for new coverage during minimization.
We execute new programs, and can well get new interesting programs with new coverage.
So do that. Since execute updates maxCover synchronously, we should not get any
kind of positive feedback loop due to that.
2017-01-18 19:58:12 +01:00
Dmitry Vyukov
ffe327412b syz-fuzzer: don't reminimize all programs from corpus on start
Minimization takes considerable time on start, but the programs were already minimized.
There are some chances that we could minimize it better this time,
but it is still not worth a very slow start (which is especially painful for development).
2017-01-18 19:58:12 +01:00
Dmitry Vyukov
f03e9df1b6 syz-fuzzer: slightly tune fuzzing loop
1. Drop non-reproducible programs.
Currently we can fail to execute the target syscall 3 times,
and decide that the program gives new stable coverage.
That's not true. Permit only one failure to execute target syscall.

2. If we see only flaky coverage, bail out of the triage loop sooner.
2017-01-18 19:58:12 +01:00
Dmitry Vyukov
a59452c4b2 vm/gce: handle graceful preemption
In case of graceful preemption fuzzer should be terminated by SIGTERM.
Catch it and propagate to manager.
2016-12-16 16:11:18 +01:00
Andrey Konovalov
346fb4e5e9 executor: don't try to open tun if it's not enabled 2016-12-02 19:21:33 +01:00
Dmitry Vyukov
4278c63e64 ipc: improve handling of executor failures
1. Logical executor failures were not handled in waitServing.
2. Fuzzer did not distinguish temporal errors and logical errors
   and always waited for 10 errors before crashing.
Fix that.
2016-11-29 15:19:29 +01:00
Andrey Konovalov
253a40f30d sys: add proc type to denote per process integers 2016-11-25 17:51:41 +01:00
Andrey Konovalov
fa9c44b568 prog: minimize based on individual args 2016-11-25 17:22:42 +01:00
Andrey Konovalov
a5df734b8d fuzzer: combine progs from corpus 2016-11-25 09:58:17 +01:00
Dmitry Vyukov
cd74cc9cf4 syz-hub: add program
syz-hub is used to exchange programs between syz-managers.
2016-11-17 18:38:10 +01:00
Dmitry Vyukov
222090e3b4 log: add package
Log is a simple wrapper around std log package.
It is meant to solve 2 main problems:
1. Logging from non-main packages (mainly, vm/* packages).
   Currently they can either always log or not log at all.
   But they can't respect program verbosity setting.
   Log package allows all packages to use the same verbosity setting.
2. Exposing recent logs in html UI.
   Namely we want to tee logs to console and html UI.
2016-10-09 11:27:48 +02:00
Dmitry Vyukov
f0d0cfcbd6 fuzzer: prioritize triaging of existing corpus on start
That's more important on start than fuzzing.
2016-08-21 18:55:04 -07:00
Dmitry Vyukov
4782c2b8e6 executor: revive setuid sandbox
The new namespace-based sandboxing is good,
but it's not always what one wants
(and also requires special kernel configs).

Change dropprivs config value to sandbox,
which can have different values (currently: none, setuid, namespace).
Setuid mode uses setuid(nobody) before fuzzing as before.

In future we can add more sandboxing modes or, say,
extend -sandbox=setuid to -sandbox=setuid:johndoe
to impersonate the given user.
2016-07-01 22:26:33 +02:00
Dmitry Vyukov
9851bc6a97 fuzzer: improve kmemleak logic
Kmemleak has false positives. To mitigate most of them, it checksums
potentially leaked objects, and reports them only on the next scan
iff the checksum does not change. Because of that we do the following
intricate dance:
Scan, sleep, scan again. At this point we can get some leaks.
If there are leaks, we sleep and scan again, this can remove
false leaks. Then, read kmemleak again. If we get leaks now, then
hopefully these are true positives during the previous testing cycle.
2016-03-10 17:47:13 +01:00
David Drysdale
d2b9ebea06 More logging from syz-fuzzer 2016-02-18 12:27:45 +00:00
Dmitry Vyukov
68c7a49a96 fuzzer: warn about absent kcov/kmemleak files
Currently the failure mode is too obscure,
so warn explicitly about these common cases.

Also make local mode more usable.
2016-02-16 15:55:44 +01:00
Dmitry Vyukov
50147480de fuzzer: don't panic if kmemleak is already turned off 2016-02-05 22:12:15 +01:00
Dmitry Vyukov
d1163f0480 ipc: unify command line flag handling
It was duplicated in 3 programs.
2016-01-27 14:22:48 +01:00
Dmitry Vyukov
9aec072a77 ipc: remove strace support traces
It is not working and not tested,
and can't be restored with new namespace sandboxing code.
2016-01-27 13:42:00 +01:00
Dmitry Vyukov
62dabb6a64 vm/adb: make more robust
Add timeout to adb invocations and do more reliable reboot.
Clean up temporary files from previous runs.
Also pass enabled syscalls via rpc, as adb barks at too long command line.
Adb is still unreliable, though. Devices hang.
2016-01-26 16:48:37 +01:00
Dmitry Vyukov
fe270dcf86 fuzzer: turn off kmemleak when not used
kmemleak introduces significant slowdown
2016-01-22 18:22:08 +01:00
Dmitry Vyukov
842a74a661 manager: use jsonrpc for communication
It seems to be less aggressive with caching.
gob caches tons of memory per connection.

Also fix a timer memory leak.
2016-01-19 12:32:21 +01:00
Dmitry Vyukov
a46b854974 fuzzer: don't store coverage for all inputs 2016-01-19 12:28:07 +01:00
Dmitry Vyukov
62351e3ea5 fuzzer: allow to write programs to dmesg
Mostly useful for local VM.
2015-12-31 16:03:01 +01:00
Dmitry Vyukov
27d5b3f0ec fuzzer: don't print keep-alive
It is not necessary and prevents hang detection.
Programs provide output keep-alive for manager.
2015-12-28 14:11:43 +01:00
Dmitry Vyukov
4d3db6d4c8 host: detect unsupported syscalls
Also detect transitively unsupported syscalls,
that is, syscalls for which all syscalls that can create
input arguments are disabled.
2015-12-27 12:20:00 +01:00
Dmitry Vyukov
2eb388c0f8 vm: improve VM interface
Current interface is suitable only for running syz-fuzzer.
Make the interface more generic (boot, copy file, run an arbitrary command).
This allows building other tools on top of the vm package
(e.g. reproducer creation).
2015-12-23 19:12:45 +01:00
Dmitry Vyukov
bbf4e35323 executor: export syscall execution results
Errno can be used to guide fuzzing, or detect not implemented syscalls.
2015-12-17 17:31:11 +01:00
Dmitry Vyukov
7b5574e9d7 rpctype: remove master messages 2015-12-17 17:31:11 +01:00
Dmitry Vyukov
8e7ca7c5ff remove master and naming overhaul
Remove master process entirely, it is not useful in its current form.
We first need to understand what we want from it, and then re-implement it.

Prefix all binaries with syz- to avoid name clashes.
2015-12-17 16:06:33 +01:00