This adds support for the seccomp filters that are part of Android into
the sandbox. A process running as untrusted_app in Android has a
restricted set of syscalls that it is allow to run. This is
accomplished by setting seccomp filters in the zygote process prior to
forking into the application process. The seccomp filter list comes
directly from the Android source, it cannot be dynamically loaded from
an Android phone because libseccomp_policy.so does not exist as a
library on the system partition.
nmi_check_duration() prints "INFO: NMI handler took too long" on slow debug kernels.
It happens a lot in qemu, and the messages are frequently corrupted
(intermixed with other kernel output as they are printed from NMI)
and are not matched against the suppression in pkg/report.
This write prevents these messages from being printed.
NETLINK_GENERIC isn't supported in gVisor.
Fixes: c5ed587f4a ("wireguard: setup some initial devices in a triangle")
Signed-off-by: Andrei Vagin <avagin@google.com>
* wireguard: setup some initial devices in a triangle
The fuzzer will wind up undoing some of this, which is fine, but at
least it now has the chance of hitting some other paths it wasn't
before.
Closes: #1599
* wireguard: make code ugly after `make generate` pass
* wireguard: get rid of unused structs that are still interesting
* wireguard: compile in C++ mode with gcc 7
Complex designated initializers are only supported in C++ mode from gcc
8, and for whatever reason syzkaller wants to be compiled in C++ mode.
* wireguard: add braces around debug statements for checker
* wireguard: regenerate go source
We print whole reproducer programs on failure,
if lots of programs fail, this results in thousands
of lines of output, which is esp bad on travis.
Limit amount of output.
The stringnozescapes does not make sense with filename,
also we may need similar escaping for string flags.
Handle escaped strings on ast level instead.
This avoids introducing new type and works seamleassly with flags.
As alternative I've also tried using strconv.Quote/Unquote
but it leads to ugly half-escaped strings:
"\xb0\x80s\xe8\xd4N\x91\xe3ڒ,\"C\x82D\xbb\x88\\i\xe2i\xc8\xe9\xd85\xb1\x14):M\xdcn"
Make hex-encoded strings a separate string format instead.
0. Remove aetest build tag. We don't need it anymore, go test should work.
1. IsDevAppServer does not return true in tests anymore, so don't use it
2. Use a different mechanism to register test/prod config.
We don't have aetest tag anymore, so we need something even more dynamic.
3. Fix new golangci-lint warnings: all test files are checked now.
Update #1461
If we are going to write all values, don't write field names.
This only increases size of generated files.
The change reduces size of generated files by 5.8%
(62870496-59410354=3460142 bytes saved).
SHA-1 is insecure. See a representative summary of known attacks here:
https://en.wikipedia.org/wiki/Hash_function_security_summary
Some external build systems warn about sha1 uses and reject to build.
Whitelisting is pain. Switch to sha256.
Overall idea of netlink checking.
Currnetly we check netlink policies for common detectable mistakes.
First, we detect what looks like a netlink policy in our descriptions
(these are structs/unions only with nlattr/nlnext/nlnetw fields).
Then we find corresponding symbols (offset/size) in vmlinux using nm.
Then we read elf headers and locate where these symbols are in the rodata section.
Then read in the symbol data, which is an array of nla_policy structs.
These structs allow to easily figure out type/size of attributes.
Finally we compare our descriptions with the kernel policy description.
Update #590
They can't be a bitmask. This fixes important cases
of "0, 1" and "0, 1, 2" flags. Fix some descriptions
that added 0 to bitmasks explicitly (we should do it
automatically instead).
Will simplify runtime analysis of flags.
Also just no reason to make it more deterministic
and avoid unnecessary diffs in future if values are reordered.
Generate const[0] for flags without values and for flags
with a single value which is 0.
This is the intention in all existing cases (e.g. an enum with types
of something, but there is really only 1 type exists).
We disabled it in configs, now also disable during bisection.
This config only adds debug output. It should not be enabled at all,
but it was accidentially enabled on some instances for some periods of time,
and kernel is boot-broken for prolonged ranges of commits with deadlock
which makes bisections take weeks.
On X86-64, dereferencing a non-canonical address normally causes a #GP, for
which syzkaller already has a pattern. However, if the base register of the
non-canonical address is RBP (which can happen in builds that use RBP as a
general-purpose register because they don't use frame pointer unwinding),
#SS is thrown instead, for which syzkaller did not yet have a pattern.
To see this kind of fault, you can insert the following code in
kernel_init() after the call to rcu_end_inkernel_boot():
asm volatile(
"movabs $0x8000000000000000, %rbp\n\t"
"movq (%rbp), %rax\n\t"
"ud2\n\t"
);
Linux prints a different error message for #SS, so add that error message
to syzkaller's list of patterns.
BTF fails lots of builds with:
pahole version v1.9 is too old, need at least v1.13
Failed to generate BTF for vmlinux. Try to disable CONFIG_DEBUG_INFO_BTF.
Now other machines failed with redefinition IPVLAN_F_VEPA.
The #ifndef does not really work the way it should due
to the way pkg/csource preprocesses sources.
IPVLAN_F_VEPA is never defined during preprocessing.
Let's try this.
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
Looks for source files in object dir.
This is required for out-of-tree linux builds.
E.g. security/selinux/flask.h contains some sources
with coverage callbacks, but it's auto-generated
and located in the build dir.
Use a random subset of syscalls/corpus/coverage for each individual VM run.
Hypothesis is that this should allow fuzzer to get more coverage
find more bugs in saturated state (stuck in local optimum).
See the issue and comments for details.
Update #1348
Combine markBitfields and addAlignment functions.
Fixing #1542 will require doing both at the same time,
they are not really independent.
Also remove the special case for packed structs,
pad them as part of the common procedure.
No functional changes.
PC from the target is address of "jal __sanitizer_cov_trace_pc" + 8.
E.g. case below has address ffffffff80b4eec4 in PC
ffffffff80b4eebc: jal ffffffff80232080 <__sanitizer_cov_trace_pc>
ffffffff80b4eec0: nop
ffffffff80b4eec4: move a1,s0
All callers of BitfieldMiddle just want static size (0 for middle).
Make it so: Size for middle bitfields just returns 0. Removes lots of if's.
Introduce Type.UnitSize, which now holds the underlying type for bitfields.
This will be needed to fix#1542 b/c even if UnitSize=4 for last bitfield
Size can be anywhere from 0 to 4 (not necessary equal to UnitSize due to overlapping).
We assumed that for ConstType alignment is equal to size,
which is perfectly reasonable for normal int8/16/32/64/ptr.
However, padding is also represented by ConstType of arbitrary size,
so if we added 157 bytes of padding that becomes alignment of
the padding field and as the result of the whole struct.
This affects very few structs, but quite radically and quite
important structs.
Discovered thanks to syz-check.
Update #590
This patch adds all autogenerated files for linux/mips64le. Files are
generated by following commands:
make extract
bin/syz-extract -build -os=linux -arch=mips64le -sourcedir=linux
make generate
Amusingly we never passed number of threads to wake for FUTEX_WAKE.
It somehow worked reliably on linux (we just needed it to not be 0,
so presumably garbage in registers did it).
However, in gVisor every other syscall wasn't even started
(first syscall on a thread started, but second on the same worker
thread wasn't unable to start).
If you try to run git-using tests while the GIT_DIR environment variable
(and GIT_WORK_TREE, etc) happens to be set, the tests are going to do fun
and exciting things on a repository that isn't the test repository it tries
to set up.
As it turns out, if you try to run "make test" using git rebase -x, you'll
end up with GIT_DIR set to the syzkaller tree. Hilarity ensues.
Unset GIT_DIR, GIT_WORK_TREE and a few other environment variables when
invoking git - that way it'll default to looking at the working directory
that we have given it, which is what we expect.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
1. Extract multiple error lines (up to 10).
Gives more complete picture, maybe the first one
is not the most indicative one.
2. Replace weird unicode quotes with normal quotes.
These may be mishandled by some systems that don't understand utf-8.
Build with some gcc's fails:
In file included from executor/executor.cc:133:0:
executor/common_linux.h: In function ‘long int syz_read_part_table(long unsigned int, long unsigned int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1279:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
executor/common_linux.h: In function ‘long int syz_mount_image(long int, long int, long unsigned int, long unsigned int, long int, long int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
__VA_ARGS__; \
^
executor/common_linux.h:1364:3: note: in expansion of macro ‘NONFAILING’
NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
^
cc1plus: all warnings being treated as errors
1. It always crashed in cover_reset when coverage is disabled.
2. Use NONFAILING when accessing image segments.
3. Give it additional 100 ms as it may be slow.
4. Add a test for syz_mount_image.
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.
Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.
All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.
The the added test for exception from exception corner case.
"BUG: spinlock lockup" fails to respect panic_on_warn and panic
after printing report (though, it's a BUG already, so it should
have been paniced even without panic_on_warn).
As the result we got "spinlock lockup" followed by "rcu stall" report.
And we have that special exception for rcu stalls b/c for them
the most of the report is irrelevant up to apic_timer_interrupt frame.
The code did not expect this weird double-report case and skipped
everything up to apic_timer_interrupt, though it's actually
a lockup in netfilter code.
The new manager config argument workdir_template refers to a directory. Optional.
Each VM will get a recursive copy of the files that are present in workdir_template.
VM config can then use these private copies as needed. The copy directory
can be referenced with "{{TEMPLATE}}" string. This is different from using
the files directly in that each instance will get own clean, private,
scratch copy of the files. Currently supported only for qemu_args argument
of qemu VM type. Use example:
Create a template dir with necessary files:
$ mkdir /mytemplatedir
$ truncate -s 64K /mytemplatedir/fd
Then specify the dir in the manager config:
"workdir_template": "/mytemplatedir"
Then use these files in VM config:
"qemu_args": "-fda {{TEMPLATE}}/fd"
They should have been detected by "same binary" logic.
But the problem is that we may use different compilers
for different commits and they switch exactly at release commits.
So we can build the release with a differnet compiler than the
rest of commits and then obviously it won't be "same binary".
Detect release commits separately.
Update #1271
3/4 added tests currently fail.
The problem is that we don't collect results
from initial bisection range detection.
As the result we won't detect "same binary"
for release and first commit in a release.
Update #1271
gVisor doesn't support netdevsim and NETLINK_GENERIC and
without this fix, sys-executor always fails:
E openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...)
X openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...) = 0x0 errno=2
E socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC)
X socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC) = 0x0 errno=93
E write(0x2 host:[3], "socket(AF_NETLINK) failed\n", 0x1a)
X write(0x2 host:[3], ..., 0x1a) = 0x1a (2.767µs)
E write(0x2 host:[3], " (errno 93)\n", 0xc)
X write(0x2 host:[3], ..., 0xc) = 0xc (2.729µs)
E exit_group(0x43)
X exit_group(0x43) = 0x0 (900ns)
Cc: Jiri Pirko <jiri@mellanox.com>
Fixes: f350e2dc1f ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Andrei Vagin <avagin@google.com>
stdbool.h is required by initialize_devlink_ports(): true define.
fcntl.h is required by initialize_devlink_pci(): O_RDONLY define.
Signed-off-by: Denis Efremov <efremov@linux.com>
An upcoming patch for Linux will change the error reporting pattern for
general protection faults such that the colon doesn't necessarily come
immediately after the string "general protection fault" (see
https://lore.kernel.org/lkml/20191118142144.GC6363@zn.tnic/).
Change the pattern in syzkaller before that happens.
Note that this is not necessarily the final format; in particular, the
ordering of the KASAN note and the "general protection fault" line might
swap.
There is little reason in not doing the chown for sandbox=none.
Simpler and can actually increase coverage if the test program
setuid's itself (since it's root under sandbox=none).
Move HostFuzzer from vm/qemu.
It's needed in a number of other packages
and strictly saying is not specific to qemu
(it just happened that both fuchsia and akaros only support qemu).
In case the dump is empty, NLMSG_DONE type message is received from
kernel right away. Count with this and return 0. Set the reply_len to 0.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: f350e2dc1f ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
The port-based exception APIs have been deprecated on Fuchsia and will
be removed shortly. Delete them from the syscall definitions and
modify the Fuchsia executor to use the new channel-based APIs instead.
Devlink port netdevices stay in the form of eth%d. Rename then to
defined names so they could be used for system calls.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Don't rely on global "nlmsg" struct and rather pass the structure to
netlink_* helpers. That allows to possibly work with multiple netlink
messages (sending while receiving for example) at the same time.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Constant 64-bit arguments to the variadic syscall(2) must have their
width specified explicitly. In practice this is not necessary most of
the time, but on amd64/freebsd with clang the compiler can and does
store the constant 32-bit value to the stack, leaving garbage in the
upper 32 bits.
This makes C reproducers somewhat uglier, but I see no other solution.
Detect bisection to merge commits and to commits that don't affect
kernel binary (comments, other arches, whitespaces, etc).
Such bisections are not reported in emails (but shown on web).
Update #1271
Test presence of a working compiler before running any tests for a target.
This helps to make tests pass even if some cross-compilers are not installed properly.
Some syzkaller panics happen due to memory corruptions,
but it still would be useful at least to get some visibility into these crashes.
On some OSes we actualy already detect them as they have "panic:" oops pattern,
but not e.g. on linux.
Fixes#318
Add optional build signature for images, currently only implemented for linux.
This can be used in bisection process to detect changes that does not affect kernel.
Update #1271
Image takes too many arguments, so we need to do lots of forwarding,
adding new argumnets is painful and most OSes are not interested
in lots of arguments.
Combine all arguments into a params struct.
* Modify Run() to return the commit object when a failure occurs on the
oldest tested release(for BisectCause) and latest tested
release(for BisectFix).
* Modify tests to check the returned commit object.
Add tests for the following cases(1 each for cause and fix):
- bisection returns the correct commit
- bisection failed due to crash not occuring on the original commit
- bisection failed as crash occurs on oldest/latest commit
- bisection is inconclusive
Remove a check that was mistakenly added with devlink_pci feature and is
duplicate of the existing check.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
In case there is a fixed pci devlink handle "pci/pci/0000:00:10.0"
on the system (initial network namespace), it is moved to a working
network namespace.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Enables the syntax intN[start:end, alignment] for integer ranges. For
instance, int32[0:10, 2] represents even 32-bit numbers between 0 and 10
included. With this change, two NEED tags in syscall descriptions can be
addressed.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Other packages should use ast.Recursive and ast.PostRecursive to ensure
the root node is visited as well.
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Without this fix, the compiler throws an error 'template argument BASE is
not used' for the following typedef.
type templ1[BASE] BASE
foo(a ptr[in, templ1[int64]])
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
All callers of EnvForCommit need the compiler path,
so move this logic into EnvForCommit to avoid duplication.
Also simplifies tests because test impl can now return
an empty compiler (which should be unused).
(note: incomplete change)
Refactor existing code as follows:
* Move reusable test utility functions from git_repo_test.go to
pkg/vcs/test_util.go and make them exported.
* Split Run() into Run()+runImpl().
* Change type of bisect.go:env.inst to `instance.BuilderTester`.
Change usage inside syz-testbuild/testbuild.go accordingly.
* Move most of linux.PreviousReleaseTags() into vcs/git.go as
git.previousReleaseTags().
* Allow build.CompilerIdentity to be mocked.
Introduce the following changes:
* instance.BuilderTester is an interface with methods
BuildSyzkaller()
BuildKernel()
Test()
NewEnv() now returns this interface.
* type testEnv implements instance.BuilderTester.
* type testBuilder implements builder interface. Add a entry into table
inside pkg/build/build.go:getBuilder() to return testBuilder object.
The problem with task hung reports is that they manifest at random victim stacks,
rather at the root cause stack. E.g. if there is something wrong with RCU subsystem,
we are getting hangs all over the kernel on all synchronize_* calls.
So before resotring to the common logic of skipping some common frames,
we look for 2 common buckets: hangs on synchronize_rcu and hangs on rtnl_lock
and group these together.
Currently we replace a template argument and then recurse
into the new type AST to see if there is more to replace.
If the description is buggy and the template argument
contains itself, then we will recurse infintiely trying
to replace it more and more.
Use post-order traversal when replacing template argument to fix this.
By default, the current KCSAN .config does not enable KCSAN during boot,
since we encounter races during boot which would prevent syzkaller from
ever executing.
This adds support to detect if KCSAN is available, and enables it on the
fuzzer host.
OpenBSD uses cvs and does not enforce the standard Git convention for
commit messages of putting a summary followed by a new line and body.
If such commit[1] contains a `Reported-by` header, it's currently not
detected. Instead, if the body is empty try to extract data from the
commit summary.
[1] bdbfbec5ce
This commit fixes a handle leak in syz_mmap. The bug was pointed out by
mdempsky during a code review.
The `syz_mmap` function creates a VMO and maps it to a VMAR in the address
specified by the `syz_mmap` parameters. Once a VMO is mapped to a vmar,
the handle to the vmo can be closed without problems.
The new code makes sure that `zx_handle_close(vmo_handle)` gets called before
the `syz_mmap` function returns.
syz_mmap is a pseudo-syscall that can be used by syzkaller in fuzzing
programs, however, it is also used to setup the environment for
syz-executor. syz-executor already checks the return value[0] when it is
used for setting up the environment, so it doesn't make sense for the
function to crash (most probably, in a fuzzing program it will be called
with arguments that would make it fail).
The previous behavior was causing a bunch of "Lost connection to test
machine" syzkaller crashes which were meaningless. An example of a
program in which syz_mmap would crash would be any program in which the
handle to the root vmar is closed before calling syz_mmap.
[0]:
a60cb4cd84/executor/executor_fuchsia.h (L15)
This change reuses the logic for sending the output back from
syz-executor to syz-fuzzer that forkserver oses use: reading it
periodically. This will be useful for debugging issues in Fuchsia that
does not support forkserver yet.
syz-symbolize did not use the common mgrconfig logic
to calculate kernel dirs. Thus KernelBuildSrc ended up empty,
+dirs were not extended to absolute paths.
Use the common mgrconfig logic to calculate kernel dirs.
Kbuild inserts build timestamp into every build.
This makes vmlinux change always even if no present.
Make the build more deterministic.
We plan to use it for detecting no-op changes during bisection.
Update #1271
* Modify mail_bisect_result.txt to allow for sending fix bisection
results.
* Modify BisectResult to have a Fix field; introduce selectBisect for
use within the template for choosing between BisectCause/BisectFix
fields.
* Modify bisectFromJob() to return BisectResult with Fix field set if
relevant.
* Modify the tests inside bisect_test.go to account for bisect fix
related reporting emails.
* Modify incomingMail() to ignore any emails from syzbot itself.
Reports from witness regarding returning to userspace with locks held is not
unique enough, causing all lock leaks to be grouped under the same bug.
Instead try to extract the name of syscall where the first held lock was
grabbed.
While here, shorten the title a bit.
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
MAX_STACK_TRACE_ENTRIES crash reports caused by a particular issues can come
from any part of the kernel, so bucketing them based on the stack trace is
pointless and only creates duplicate bug reports.
We have noticed that the build process was being invoked as root. This
change modifies the calls to use osutil.Sandbox before invoking cmds to
build fuchsia.
This is required for the process to use goma, as goma is running under
the syzkaller user.
* Modify uiBug type. Rename BisectCause to BisectCauseDone. Introduce
BisectFixDone.
* Modify createUIBug() and MergeUIBug() to set the above fields
appropriately.
* Modify bug_list to display the bisection status; remove yesSort() as
it is not used anymore. Adjust ".list_table .stat" to appropriate width.
* Add TestBugBisectionStatus() to check bisection status on main page.
* Add file from running "make generate": pkg/html/generated.go
Better coverage reports with hierarchical coverage information,
number of programs covering each line,
handling of partially covered lines,
links to programs covering lines.
Fixes#682
After f613a7c4 ("pkg/cover: fix prefix computation") we stopped trimming
starting "/" from linux path names. This broke get_maintainers.pl script
which is now given non-existent absolute paths (e.g. "/mm/mmap.c"),
as the result syzbot can't find any maintainers for bug reports
and mails them into lkml limbo.
Trim starting slashes and dots. Extend tests for catch this.
We now pass 5 arguments through a bunch of functions,
this is quite inconvinient when the set of arguments changes.
Incapsulate all arguments in a struct and pass/store it as a whole.
This change modifies the way fuchsia is built to add the ssh keys to the
zbi image after building it. Previously that was done via the
"extra_ssh_keys" argument to the build system, but that was removed
recently.
A process with CAP_SYS_NICE can bring kernel down by asking for too high SCHED_DEADLINE priority,
as the result rcu and other system services that use kernel threads will stop functioning.
Some parameters for SCHED_DEADLINE should be OK, but we don't have means to enforce
values of indirect syscall arguments. Peter Zijlstra proposed sysctl_deadline_period_{min,max}
which could be used to enfore safe limits without droppping CAP_SYS_NICE, but we don't have it yet.
See the following bug for details:
https://groups.google.com/forum/#!topic/syzkaller-bugs/G6Wl_PKPIWI
Running sys/*/test programs requires real machines and kernels for each OS.
We can't do that in unit tests, but at least try to deserialize these programs
so that they don't get rotten.
Ensure that we have at least 1GB per Makefile job.
Go compiler/linker can consume significant amount of memory
(observed to consume at least 600MB). See #1276 for context.
Update #1276
