1519 Commits

Author SHA1 Message Date
Dmitry Vyukov
fca6a74d0c executor: connect virt_wifi to veth
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
2020-01-03 16:11:49 +01:00
Dmitry Vyukov
5e3bc74104 pkg/cover: support out-of-tree linux build
Looks for source files in object dir.
This is required for out-of-tree linux builds.
E.g. security/selinux/flask.h contains some sources
with coverage callbacks, but it's auto-generated
and located in the build dir.
2020-01-03 16:11:49 +01:00
Anton Lindqvist
9dcc1191cb pkg/report: normalize unhandled af report on OpenBSD 2020-01-03 08:37:12 +01:00
Dmitry Vyukov
7f117e28b8 sys/linux: add virt_wifi and xfrm devices
+ some netlink descriptions
2019-12-30 20:18:14 +01:00
Dmitry Vyukov
6b36d33868 syz-manager: corpus rotation
Use a random subset of syscalls/corpus/coverage for each individual VM run.
Hypothesis is that this should allow the fuzzer to get more coverage
and find more bugs in the saturated state (stuck in a local optimum).
See the issue and comments for details.

Update #1348
2019-12-30 16:37:38 +01:00
Dmitry Vyukov
4b042b7d67 sys/linux: fix int64 alignment on 386
Turns out int64 alignment is 4 on 386...
But on arm it's still 8.

Another amusing finding thanks to syz-check.

Update #590
2019-12-23 08:57:42 +01:00
Dmitry Vyukov
ae5ed0b140 pkg/compiler: fix bitfield layout bug
Fixes #1542

Found thanks to syz-check. Update #590
2019-12-20 16:45:34 +01:00
Dmitry Vyukov
4bba9fd162 pkg/compiler: fix alignment of string-formatted values
We used size as alignment, this is very wrong.

Found thanks to syz-check. Update #590
2019-12-20 16:45:34 +01:00
Dmitry Vyukov
5655dc58a9 executor: make syz_compare output more handy to use 2019-12-20 16:45:33 +01:00
Dmitry Vyukov
08f0467614 sys/test: and another set of bitfield tests
Just trying to get my head around it (and fix this in tests).

Update #1542
2019-12-20 16:45:33 +01:00
Dmitry Vyukov
9be5bbcf09 pkg/compiler: refactor struct layout
Combine markBitfields and addAlignment functions.
Fixing #1542 will require doing both at the same time,
they are not really independent.
Also remove the special case for packed structs,
pad them as part of the common procedure.
No functional changes.
2019-12-20 16:45:33 +01:00
Jouni Hogander
aa56acc6b7 pkg/cover: Fix PreviousInstructionPC for MIPS64LE
PC from the target is address of "jal __sanitizer_cov_trace_pc" + 8.
E.g. case below has address ffffffff80b4eec4 in PC

ffffffff80b4eebc:       jal     ffffffff80232080 <__sanitizer_cov_trace_pc>
ffffffff80b4eec0:       nop
ffffffff80b4eec4:       move    a1,s0
2019-12-20 15:07:10 +01:00
Dmitry Vyukov
20c6855484 prog: refactor bitfields representation
All callers of BitfieldMiddle just want static size (0 for middle).
Make it so: Size for middle bitfields just returns 0. Removes lots of if's.
Introduce Type.UnitSize, which now holds the underlying type for bitfields.
This will be needed to fix #1542 b/c even if UnitSize=4 for last bitfield
Size can be anywhere from 0 to 4 (not necessarily equal to UnitSize due to overlapping).
2019-12-19 19:32:45 +01:00
Dmitry Vyukov
6a19144a4d pkg/ipc: don't use rate limiting for test os
It's not needed for test os and slows down pkg/runtest tests.
2019-12-18 16:35:53 +01:00
Dmitry Vyukov
73c3845438 pkg/compiler: fix incorrect alignment calculation for padding
We assumed that for ConstType alignment is equal to size,
which is perfectly reasonable for normal int8/16/32/64/ptr.
However, padding is also represented by ConstType of arbitrary size,
so if we added 157 bytes of padding that becomes alignment of
the padding field and as the result of the whole struct.
This affects very few structs, but quite radically and quite
important structs.

Discovered thanks to syz-check.

Update #590
2019-12-18 14:44:12 +01:00
Dmitry Vyukov
8ab1308e06 pkg/gce: fix creation of non-preemptible E2 instances 2019-12-18 09:11:16 +01:00
Siddharth Muralee
1af3875f3f pkg/build: Fix always true case 2019-12-17 15:02:51 +01:00
Jouni Hogander
2b31345f36 Autogenerated files for linux/mips64le
This patch adds all autogenerated files for linux/mips64le. Files are
generated by following commands:

make extract
bin/syz-extract -build -os=linux -arch=mips64le -sourcedir=linux
make generate
2019-12-17 11:10:52 +01:00
Jouni Hogander
07bfd71dac Implement basic support for MIPS64LE
Add basic stuff to enable MIPS64ELR2 target:
 - build
 - make extract
 - make generate
 - qemu execution
 - system call parsing from /proc/kallsyms
2019-12-17 11:10:52 +01:00
Dmitry Vyukov
d13d795888 tools/syz-runtest: debug all programs in debug mode 2019-12-16 19:37:38 +01:00
Dmitry Vyukov
f9ae583e77 executor: fix FUTEX_WAKE call
Amusingly we never passed number of threads to wake for FUTEX_WAKE.
It somehow worked reliably on linux (we just needed it to not be 0,
so presumably garbage in registers did it).
However, in gVisor every other syscall wasn't even started
(first syscall on a thread started, but second on the same worker
thread wasn't able to start).
2019-12-16 19:37:38 +01:00
Andrew Donnellan
08003f6440 pkg/vcs: Unset various git environment variables when invoking git
If you try to run git-using tests while the GIT_DIR environment variable
(and GIT_WORK_TREE, etc) happens to be set, the tests are going to do fun
and exciting things on a repository that isn't the test repository it tries
to set up.

As it turns out, if you try to run "make test" using git rebase -x, you'll
end up with GIT_DIR set to the syzkaller tree. Hilarity ensues.

Unset GIT_DIR, GIT_WORK_TREE and a few other environment variables when
invoking git - that way it'll default to looking at the working directory
that we have given it, which is what we expect.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
2019-12-12 09:56:25 +01:00
Andrey Konovalov
d973f52833 executor: update raw gadget interface 2019-12-11 19:20:07 +01:00
Dmitry Vyukov
7dbfdaf076 pkg/build: improve extraction of build errors
1. Extract multiple error lines (up to 10).
Gives more complete picture, maybe the first one
is not the most indicative one.

2. Replace weird unicode quotes with normal quotes.
These may be mishandled by some systems that don't understand utf-8.
2019-12-11 10:36:35 +01:00
Dmitry Vyukov
101194ebf6 executor: check pwrite return values again
Build with some gcc's fails:

In file included from executor/executor.cc:133:0:
executor/common_linux.h: In function ‘long int syz_read_part_table(long unsigned int, long unsigned int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
    __VA_ARGS__;                                 \
               ^
executor/common_linux.h:1279:3: note: in expansion of macro ‘NONFAILING’
   NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
   ^
executor/common_linux.h: In function ‘long int syz_mount_image(long int, long int, long unsigned int, long unsigned int, long int, long int, long int)’:
executor/common.h:117:15: error: ignoring return value of ‘ssize_t pwrite(int, const void*, size_t, __off_t)’, declared with attribute warn_unused_result [-Werror=unused-result]
    __VA_ARGS__;                                 \
               ^
executor/common_linux.h:1364:3: note: in expansion of macro ‘NONFAILING’
   NONFAILING(pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset));
   ^
cc1plus: all warnings being treated as errors
2019-12-10 18:59:06 +01:00
Dmitry Vyukov
cb704a294c executor: fix syz_mount_image
1. It always crashed in cover_reset when coverage is disabled.
2. Use NONFAILING when accessing image segments.
3. Give it additional 100 ms as it may be slow.
4. Add a test for syz_mount_image.
2019-12-10 16:08:35 +01:00
Dmitry Vyukov
b730d26a8d pkg/vcs: don't CC people on CC (sic)
Update #1441
2019-12-10 12:35:10 +01:00
Dmitry Vyukov
f9f80dd437 pkg/report: use --git-min-percent=15 for get_maintainer.pl
Update #1441
2019-12-10 12:35:10 +01:00
Dmitry Vyukov
c2c19edbcd pkg/vcs: don't bisect linux past 4.6
Fixes #1532
2019-12-10 12:35:10 +01:00
Dmitry Vyukov
7c14332a03 pkg/bisect: minor refactoring
Define the bisection predicate closure in a separate statement,
it became too large over time.
2019-12-10 12:35:10 +01:00
Dmitry Vyukov
277181a63c pkg/bisect: always test parent commit
Fixes #1527
2019-12-10 12:35:10 +01:00
Dmitry Vyukov
4538d6d746 pkg/bisect: add test for #1527
Update #1527
2019-12-10 12:35:10 +01:00
Marco Vanotti
4b83c8fbed pkg/repro: refactor vm initialization into new fn
This commit moves the instance initialization inside Run() to a
subroutine to decrease cyclomatic complexity in the Run function.
2019-12-09 15:13:49 -08:00
Matthew Dempsky
0c158fbe77 pkg/build: include syz-executor in Fuchsia base image
Also, build using source from our own copy of syz-executor instead of
what's currently rolled into Fuchsia.
2019-12-09 15:13:49 -08:00
Marco Vanotti
607350e438 syz/targets: add SyzExecutorCmd flag
This commit adds a new attribute to syzkaller targets that tells
syzkaller how to invoke the syz-executor command.

Some systems, like Fuchsia, are now building syz-executor as part of the
build, and there is no need to copy it over, or to run it from `/tmp`.
In fact, that might stop working at some time in the future in Fuchsia.

All places that used to copy syz-executor into the target machine will
now check for the SyzExecutorCmd flag, and won't copy it if the flag is
set.
2019-12-09 15:13:49 -08:00
Anton Lindqvist
b31eda3df8 pkg/report: normalize yet another free list modified report on OpenBSD 2019-12-09 11:09:14 +01:00
Siddharth M
12c3b6cd9a pkg/build: add support to build the NetBSD kernel with KMSan
* Initial KMSan commit
* pkg/buil: kmsan cleanup
* pkg/build: Modify the logic slightly
2019-12-06 11:28:19 +01:00
Dmitry Vyukov
4fb74474cf pkg/report: fix guilty file extraction in presence of rcu stalls
See the added test for the exception-from-exception corner case.

"BUG: spinlock lockup" fails to respect panic_on_warn and panic
after printing report (though, it's a BUG already, so it should
have panicked even without panic_on_warn).
As the result we got "spinlock lockup" followed by "rcu stall" report.
And we have that special exception for rcu stalls b/c for them
most of the report is irrelevant up to apic_timer_interrupt frame.
The code did not expect this weird double-report case and skipped
everything up to apic_timer_interrupt, though it's actually
a lockup in netfilter code.
2019-12-05 12:14:58 +01:00
Andrey Konovalov
036f0b1e8d pkg/report: improve reports titles
Ignore kobject_put in stack frames.
2019-12-05 12:03:11 +01:00
Dmitry Vyukov
a2d178996b vm: add workdir_template functionality
The new manager config argument workdir_template refers to a directory. Optional.
Each VM will get a recursive copy of the files that are present in workdir_template.
VM config can then use these private copies as needed. The copy directory
can be referenced with "{{TEMPLATE}}" string. This is different from using
the files directly in that each instance will get own clean, private,
scratch copy of the files. Currently supported only for qemu_args argument
of qemu VM type. Use example:
Create a template dir with necessary files:
$ mkdir /mytemplatedir
$ truncate -s 64K /mytemplatedir/fd
Then specify the dir in the manager config:
	"workdir_template": "/mytemplatedir"
Then use these files in VM config:
	"qemu_args": "-fda {{TEMPLATE}}/fd"
2019-12-03 18:48:14 +01:00
Andrey Konovalov
659d8b8568 pkg/report: improve report titles 2019-11-29 13:13:04 +01:00
Dmitry Vyukov
736169d38b pkg/report: add few more UBSAN reports
Update #1523
2019-11-29 10:45:55 +01:00
Dmitry Vyukov
76357d6f89 pkg/report: update UBSAN report parsing
Update #1523
2019-11-28 14:07:19 +01:00
Dmitry Vyukov
46869e3ee2 pkg/csource: detect common mistakes in the common executor header 2019-11-28 10:30:27 +01:00
Jiri Pirko
97264cb1f3 executor: Add debug message in case devlink namespace move fails
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
2019-11-28 10:10:57 +01:00
Jiri Pirko
e8c04ab052 executor: Fix value of DEVLINK_ATTR_NETNS_FD
During kernel -net and -net-next trees merge, the value got moved.
Fix it.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
2019-11-28 10:10:57 +01:00
Dmitry Vyukov
6f7be11fa1 dashboard/app: don't report bisections pointing to release commits
They should have been detected by "same binary" logic.
But the problem is that we may use different compilers
for different commits and they switch exactly at release commits.
So we can build the release with a different compiler than the
rest of commits and then obviously it won't be "same binary".
Detect release commits separately.

Update #1271
2019-11-27 14:05:14 +01:00
Dmitry Vyukov
9f5fd6fe1a pkg/bisect: fix some off-by-ones
3/4 added tests currently fail.
The problem is that we don't collect results
from initial bisection range detection.
As the result we won't detect "same binary"
for release and first commit in a release.

Update #1271
2019-11-27 12:37:52 +01:00
Dmitry Vyukov
dfb91eacc4 pkg/ipc: fix potential nil deref
We've got the following crash:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x7d30ba]
goroutine 75 [running]:
github.com/google/syzkaller/pkg/ipc.(*command).exec(0xc000c68cb0, 0xc0001a4d20, 0xc00147a000, 0x1f28, 0x200000, 0x0, 0x0, 0xc00170a000, 0x1000000, 0x1000000, ...)
        /syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:783 +0x7ca
github.com/google/syzkaller/pkg/ipc.(*Env).Exec(0xc0002de240, 0xc0001a4d20, 0xc016c2f440, 0x11, 0xc00019c7e0, 0x40, 0x1, 0xc016b6f590, 0x30, 0xc01615cc40)
        /syzkaller/gopath/src/github.com/google/syzkaller/pkg/ipc/ipc.go:280 +0x104
main.(*Proc).executeRaw(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x1, 0x0)
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:292 +0x1f3
main.(*Proc).execute(0xc0012a45c0, 0xc0001a4d20, 0xc016c2f440, 0x0, 0x1, 0x1)
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:255 +0x6a
main.(*Proc).loop(0xc0012a45c0)
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:101 +0x4df
created by main.main
        /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:259 +0x1153

err can be nil even if hang=true in case of a narrow race:
we decided to kill the process, but it finished successfully meanwhile.
2019-11-26 14:16:57 +01:00
Andrei Vagin
2649e7ccc4 Call initialize_devlink_ports only when a device has been created
gVisor doesn't support netdevsim and NETLINK_GENERIC and
without this fix, syz-executor always fails:

E openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...)
X openat(AT_FDCWD, /sys/bus/netdevsim/new_device, ...) = 0x0 errno=2
E socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC)
X socket(AF_NETLINK, SOCK_RAW|0x0, NETLINK_GENERIC) = 0x0 errno=93
E write(0x2 host:[3], "socket(AF_NETLINK) failed\n", 0x1a)
X write(0x2 host:[3], ..., 0x1a) = 0x1a (2.767µs)
E write(0x2 host:[3], " (errno 93)\n", 0xc)
X write(0x2 host:[3], ..., 0xc) = 0xc (2.729µs)
E exit_group(0x43)
X exit_group(0x43) = 0x0 (900ns)

Cc: Jiri Pirko <jiri@mellanox.com>
Fixes: f350e2dc1f59 ("executor: rename devlink port netdevices to defined names")
Signed-off-by: Andrei Vagin <avagin@google.com>
2019-11-26 10:07:31 +01:00