Regenerate const files on next-20200729.
Change conn handle to 200 because it also seems to be matches
against phy_handle fields which are int8 (current 256 does not fit into int8).
Use 200 for all handle's and all phy_handle's.
Remove hci_evt_le_cis_req, it does not seem to be used in the kernel.
Restrict some event types and statuses.
Add rssi field to hci_ev_le_advertising_info.
Use bytesize for some of the data length fields.
* all: initialize vhci in linux
* executor/common_linux.h: improve vhci initialization
* pkg/repro/repro.go: add missing vhci options
* executor/common_linux.h: fix type and add missing header
* executor, pkg: do it like NetInjection
* pkg/csource/csource.go: do not emit syz_emit_vhci if vhci is not enabled
* executor/common_linux.h: fix format string
* executor/common_linux.h: initialize with memset
For som reason {0} gets complains about missing braces...
* executor/common_linux.h: simplify vhci init
* executor/common_linux.h: try to bring all available hci devices up
* executor/common_linux.h: find which hci device has been registered
* executor/common_linux.h: use HCI_VENDOR_PKT response to retrieve device id
* sys/linux/dev_vhci.txt: fix structs of inquiry and report packets
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* executor/common_linux.h: remove unnecessary return statement and check vendor_pkt read size
* sys/linux/dev_vhci.txt: pack extended_inquiry_info_t
* sys/linux/l2cap.txt: add l2cap_conf_opt struct
* executor/common_linux.h: just fill bd addr will 0xaa
* executor/common_linux.h: just fill bd addr will 0xaa
It is hard for the fuzzer to generate correct programs using mmap calls
with fuzzer-provided mmap length. This wrapper ensures correct length
computation.
They don't contain enough context to be useful.
This change makes `testdata/openbsd/report/0` to be treated as
corrupted, which is desirable since it also lacks context.
* sys/linux: enhanced descs for io_uring
Introduced pseudo-call "syz_io_uring_put_sqes_on_ring()" for writing
submission queue entries (sqes) on sq_ring, which was obtained by
mmap'ping the offsets obtained from io_uring_setup().
Added descriptions for io_ring_register operations that were missing
earlier.
Did misc changes to adapt the descriptions for the updates on the
io_uring subsystem.
* pkg/host: add io_uring pseudo-syscall
* executor/common_linux.h: fix issues with io_uring pseudo-syscall
* executor: fixed io_uring offset computation
* executor: fixes and refactorings in syz_io_uring_submit()
* executor: added syz_io_uring_complete() pseudo-syscall for io_uring
* sys/linux: added descriptions for io_uring operations
Each operation requires a different struct io_uring_sqe set up. Those
are described to be submitted to the sq ring.
* executor: use uint32 instead of uint32_t
* executor: remove nonfailing from pseudo-calls
* sys/linux: fix io_uring epoll_ctl sqe
* prog: fix TestTransitivelyEnabledCallsLinux()
The newly introduced syscall, syz_io_uring_submit$IORING_OP_EPOLL_CTL,
uses fd_epoll. Adapt TestTransitivelyEnabledCallsLinux() to account for
this.
* sys/linux: add IORING_OP_PROVIDE_BUFFERS and IORING_OP_REMOVE_BUFFERS
* sys/linux: fix IORING_OP_WRITE_FIXED and IORING_OP_READ_FIXED
addr and len are for the buffer located at buf_index
* sys/linux: io_uring: use reg. bufs for READ, READV, RECV, RECVMSG
As a result, IOSQE_BUFFER_SELECT_BIT is included in the iosqe_flags.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: add IORING_SETUP_ATTACH_WQ
* executor: refactorings on io_uring pseudo syscalls
* sys/linux: io_uring: fix desc for params.cq_entries
* executor: fix SQ_ARRAY_OFFSET computation
This is required with the fix in io_uring kernel code.
https://lore.kernel.org/io-uring/CACT4Y+bgTCMXi3eU7xV+W0ZZNceZFUWRTkngojdr0G_yuY8w9w@mail.gmail.com/T/#t
* executor: added pseudosyscall syz_io_uring_cq_eventfd_toggle()
The usage of cq_ring->flags is only for manipulating
IORING_CQ_EVENTFD_DISABLED bit. This is achieved by a pseudo-syscall,
which toggles the bit.
* executor: added pseudocall syz_io_uring_put_ring_metadata
Removed syz_io_uring_cq_eventfd_toggle() and introduced
syz_io_uring_put_ring_metadata() instead. We have many pieces of
metadata for both sq_ring and cq_ring, for which we are given the
offsets, and some of are not supposed to be manipulated by the
application. Among them, both sq and cq flags can be changed. Both valid
and invalid cases might cause interesting outcomes. Use the newly
introduced pseudo syscall to manipulate them randomly while also
manipulating the flags to their special values.
* executor: added pseudo-syscall syz_memcpy_off
Removed syz_io_uring_put_ring_metadata() and instead added a much more
generic pseudo systemcall to achieve the task. This should benefit other
subsystems as well.
* sys/linux: refactored io_uring descriptions
syz_io_uring_submit() is called with a union of sqes to reduce
duplication of other parameters of the function.
io_uring_sqe is templated with io_uring_sqe_t, and this template type is
used to describe sqes for different ops.
The organization of io_uring.txt is changed.
* sys/linux: io_uring: improved descs to utilize registered files
The files are registered using
io_uring_register$IORING_REGISTER_FILES(). When IOSQE_FIXED_FILE_BIT is
enabled in iosqe_flags in sqe, a variety of operations can use those
registered files using the index of the file instead of fd.
Changed the sqe descriptions for the eligible operations to utilize
this.
* sys/linux: io_uring: improved the descs to utilize personality_id in sqes
A personality_id can be registered for a io_uring fd using
io_uring_register$IORING_REGISTER_PERSONALITY(). This id can be utilized
within sqes. This commit improves the descs for io_uring to utilize it.
In addition, the descriptions for the misc field in io_uring_sqe_t is
refactored as most are shared among sqes.
* sys/linux: io_uring: utilized cqe.res
io_uring_cqe.res is used to carry the return value of operations
achieved through io_uring. The only operations with meaningful return
values (in terms of their possible usage) are openat and openat2. The
pseudo-syscall syz_io_uring_complete() is modified to account for this
and return those fds. The description for sqe_user_data is splitted into
two to identify openat and non-openat io_uring ops.
IORING_OP_IOCTL was suggested but never supported in io_uring. Thus, the
note on this is removed in the descriptions.
tee() expects pipefds, thus, IORING_OP_TEE. The descriptions for the
pipe r/w fds are written as ordinary fd. Thus, in the description for
IORING_OP_TEE, which is io_uring_sqe_tee, fd is used in the place where
pipefds are expected. The note on this is removed in the descriptions.
* sys/linux/test: added test for io_uring
This is not tested yet.
* sys/linux/test: fixed the test for io_uring
The changes successfully pass the sys/linux/test/io_uring test.
sys/linux/io_uring.txt: sq_ring_ptr and cq_ring_ptr are really the same.
Thus, they are replaced with ring_ptr.
executor/common_linux.h: thanks to io_uring test, a bug is found in
where the sq_array's address is computed in syz_io_uring_submit().
Fixed. In addition, similar to the descriptions, the naming for the
ring_ptr is changed from {sq,cq}_ring_ptr to ring_ptr.
* sys/linux: io_uring: misc fixes
* sys/linux: io_uring: changed the sqe_user_data enum
Used a smaller range to ease the collisions. Used comperatively unique
and magic numbers for openat user_data to avoid thinking as if the cqe
belongs to openat while the user_data is coming from some random
location.
* pkg/host: added checks for io_uring syscall
* pkg/host: fixed checks for io_uring syscall
* sys/linux: fixed io_uring test
GCC10 fails to build the code with errors:
executor/common_kvm_amd64.h:143:64: error: ‘gate.kvm_segment::type’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
executor/common_kvm_amd64.h:143:56: error: ‘gate.kvm_segment::base’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
Replace 'case 6' with 'case 5' since 'i % 6' results in [0..5].
Signed-off-by: Denis Efremov <efremov@linux.com>
It seems that different gcc's have different defaults for ASAN flags.
Some fail with:
run.go:67: nonfailing none/thr/repeat : FAIL: run 0: call 0 is not executed
ASAN:DEADLYSIGNAL
=================================================================
==67143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7b0befb0a2 bp 0x7f7b0cfdad10 sp 0x7f7b0cfda490 T1)
#0 0x7f7b0befb0a1 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
#1 0x404bbb in syz_compare(long, long, long, long) (/tmp/utor355225125.0+0x404bbb)
#2 0x403cdf in execute_call(thread_t*) (/tmp/utor355225125.0+0x403cdf)
#3 0x404006 in worker_thread(void*) (/tmp/utor355225125.0+0x404006)
#4 0x7f7b0bc584a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#5 0x7f7b0b99ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
Thread T1 created by T0 here:
#0 0x7f7b0be9ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x406117 in execute_one() (/tmp/utor355225125.0+0x406117)
Currently we sprinkle NONFAILING all over pseudo-syscall code,
around all individual accesses to fuzzer-generated pointers.
This is tedious manual work and subject to errors.
Wrap execute_syscall invocation with NONFAILING in execute_call once instead.
Then we can remove NONFAILING from all pseudo-syscalls and never get back to this.
Potential downsides: (1) this is coarser-grained and we will skip whole syscall
on invalid pointer, but this is how normal syscalls work as well,
so should not be a problem; (2) we will skip any clean up (closing of files, etc)
as well; but this may be fine as well (programs can perfectly leave open file
descriptors as well).
Update #1918
We set HostFuzzer for all test targets b/c in some contexts
they needed the same special behavior as real HostFuzzer targets
(e.g no checking enabled syscalls).
However, in some other contexts they don't the same special
behavior as real HostFuzzer targets. For example, pkg/ipc
does rate limiting for HostFuzzer and pkg/runtest don't run
C tests for HostFuzzer.
Add special case for test targets in pkg/host,
and don't set HostFuzzer for all test targets
(keep it for one target for better coverage).
Add Timeout config param for bisections.
Specify timeout in syz-ci as 8h based on the following data.
Out of 1049 cause bisections that we have now:
- 891 finished under 6h (84.9%)
- 957 finished under 8h (91.2%)
- 980 finished under 10h (93.4%)
- 989 finished under 12h (94.3%)
- 1011 finished under 18h (96.3%)
- 1025 finished under 24h (97.7%)
There is also a significant increase in errors/inconclusive bisections after ~8h.
Out of 4075 fix bisections:
- 4015 finished under 6h (98.5%)
- 4020 finished under 8h (98.7%)
- 4026 finished under 10h (98.8%)
- 4032 finished under 12h (98.9%)
Significant increase in errors starts after ~12h.
The current timeout also take into account that bisection jobs
compete with patch testing jobs (it's bad delaying patch testing).
When/if bisection jobs don't compete with patch testing,
it makes sense to increase this to 12-24h.
Fixes#1923
Currently we sandbox all repos b/c we assumed
that all builds are also sandboxes. But this causes
havoc for bisection/patch testing b/c syzkaller build
is not actually sandboxed anywhere. Build creates
root-owned files and then git can't do anything with them
but don't report errors either:
$ git checkout 8eda0b95 && echo OK
error: unable to unlink old 'sys/linux/gen/386.go': Permission denied
error: unable to unlink old 'sys/linux/gen/ppc64le.go': Permission denied
...
HEAD is now at 8eda0b957e
OK
We trust own sources and we don't test syzkaller patches,
so don't sandbox syzkaller repos.
Currently we have only "fixed" link at the top of the page.
"invalid" is missing and this is not scalable.
Add natigation buttons (tabs) for main pages.
Right after committing the on_each_cpu change,
another report come in where smp_call_function
is not called from on_each_cpu. And there are
actually more such callers in code, and also
as existing tests show. smp_call_function seems
to be the better root cause indication.
config-bisect.pl uses bash-isms and can't run on non-linux.
It also silently ignores all errors which made failures
very obscure -- the script happily succeeds in presence
of any errors. So the test failed later reading .config.
Use "set -eu" to not fail silently.
Also trace all config-bisect.pl invocations and output.
good/bad decisions are important and we always log them
in the normal bisection.
The test requires new git binary.
It's not necessary installed everywhere.
Skip the test if git binary does not support bisection.
Also reoder functions from more important to less important.
Mark the test as parallel.
Move individual tests into subtests.
Split trace per subtest.
It also hash high branching factor and a bug is more likely in the callback.
For the added test we used to say:
INFO: rcu detected stall in __sys_sendmsg
now we say more useful:
INFO: rcu detected stall in tc_modify_qdisc
"git clean -fd" does not remove ignored files,
while can mess state when .gitignore changes across commits.
Use "git clean -fdx" to delete ignored files as well.
Config minimization did not update test results for the starting commit.
Test result for the starting commit still refered to the original config,
not the minimized config that was actually used during bisection.
Change a test to actually produce a new config as it is supposed
to do during config minimization and check the resulting config.
Add a regression test for the bug where we committed a broken config.
One of main outputs of the config minimization is the new config,
but tests don't do any single check of it.
Check the resulting config (is it correct in all cases?).
Ignoring errors is bad. It leads to silent failures.
If there is some particular error condition that is expected
to happen and we want to ignore, we need to ignore that one only
rather than all potenital errors in the whole process.
Implement Linux kernel configuration bisection. Use bisected minimalistic
configuration in commit bisection. Utilizes config_bisect.pl script from Linux
kernel tree in bisection.
Modify syz-bisect to read in kernel.baseline_config. This is used as a "good"
configuration when bisection is run.
Add new new Syzkaller configuration option kernel_baseline_config. This option
is supposed to be used by kernel configruation bisection as a "good" config"
Signed-off-by: Jukka Kaartinen <jukka.kaartinen@unikie.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Use unix.Unmount instead of manually wrapping SYS_UMOUNT2.
Use unix.IoctlSetPointerInt instead of manually wrapping SYS_IOCTL. This
also allows to use FS_IOC_SETFLAGS instead of manually defining it for
each GOARCH.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
* Introduce the new target flag 'LittleEndian' which specifies
of which endianness the target is.
* Introduce the new requires flag 'littleendian' for tests to
selectively enable/disable tests on either little-endian architectures
or big-endian ones.
* Disable KD unit test on s390x architecture because the test
works only on little-endian architecture.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
Use native byte-order for IPC and program serialization.
This way we will be able to support both little- and big-endian
architectures.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
csum_inet_update does not handle odd number of bytes
on big-endian architectures correctly. When calculating
the checksum of odd number of bytes, the last byte must be
interpreted as LSB on little-endian architectures and
as MSB on big-endian ones in a 16-bit half-word.
Futhermore, the checksum tests assume that the underlying architecture
is always little-endian. When a little-endian machine stores
a calculated checksum into memory, then the checksum's bytes
are automatically swapped. But this is NOT true on a big-endian
architecture.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
Most likely reports without proper stack traces were caused by a bug in the
unwinder and are now fixed in 187b96db5ca7 "x86/unwind/orc: Fix
unwind_get_return_address_ptr() for inactive tasks".
Disable trying to use questionable frames for now.
Fixes#1834
Improve used terminology by using better verbs to express the effect of
the whitelist/blacklist.
This also changes executor to exclusively show respectful log messages,
and as per recent conversion, converts the last such case.
This adds one more pattern in the list of recognized once as this is
what they look like in objdump:
c0000000001c21a8: f9 d2 11 48 bl c0000000002df4a0 <__sanitizer_cov_trace_pc>
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Some terms are normalised on the technical level
but may be oppressive on a societal level.
Replace them with more technically neutral terms.
See the following doc for a longer version:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
Add a default udev rule file to the image creation process in
create-gce-image.sh and create-image.sh.
This change creates a default rule to make udev create a custom-named
symlink for the specific vim2m device.
Fuchsia has strict controls over who can map memory as executable.
Refactoring syz-executor to be able to do that involves a non trivial
amount of work: it needs to run as a fuchsia component and replace stdin
for some other mechanism to communicate with syz-fuzzer (probably a fidl
service and a thin client that proxies stdin/stdout to syz-fuzzer via
ssh).
Mapping memory as executable doesn't seem to be used or needed in
syz-executor at all. After talking with Dmitry, he mentioned that it was
used in a deprecated feature: `syz_execute_func` which would execute
random code. It also allows more scenarios during fuzzing.
For now, I'm removing that option to allow syzkaller continue fuzzing.
This change also refactors all of the error messages adding a string
representation of the `zx_status_t` in error logs.
Manager has already checked what features are present on the target.
But if we detected that, say, USB is missing, we still enabled it
in the starting csource options. This is wrong, increases configuration
minimization time and may lead to some obscure bugs.
HostFuzzer targets require that we cross-compile the csource tests and
then copy them to the target system. The code to copy files is
currently missing from syz-runtest; also, at least for Fuchsia (which
uses HostFuzzer mode), cross-compiling is non-trivial.
I though maybe we need special handling for them:
stop at kmem_cache_alloc function. But now I am not sure.
This can also be an infinite loop which calls kmalloc/kfree.
Let's not change code for now, just fix things with tests
(this is a good representative set).