Commit Graph

137 Commits

Author SHA1 Message Date
Dmitry Vyukov
e8e63830a6 pkg/ipc: move from ipc 2017-06-17 14:41:15 +02:00
Dmitry Vyukov
baad3b4b02 pkg/csource: move from csource 2017-06-17 14:41:15 +02:00
Dmitry Vyukov
ec95d17c32 pkg/cover: move from cover 2017-06-17 14:41:15 +02:00
Dmitry Vyukov
6fd7a75a91 pkg/repro: move from pkg 2017-06-17 14:41:15 +02:00
Dmitry Vyukov
4b2a9e225c pkg/host: move from host 2017-06-17 14:41:15 +02:00
Dmitry Vyukov
a853b91c58 syz-manager/mgrconfig: allow loading from memory
Allow loading manager config from memory.
Follow pkg/config naming convention,
i.e. LoadFile/LoadData instead of Parse.
2017-06-17 14:41:15 +02:00
Dmitry Vyukov
75c73461d8 syz-manager/config: rename to syz-manager/mgrconfig
We have 2 packages with the same name: pkg/config and syz-manager/config.
This leads to constant clashes. We either rename one to pkgconfig or
another to mgrconfig. This is not good and will become worse when/if
we have another program-specific config in a separate package.

Rename manager config to mgrconfig.
Other program-specific configs can use the same convention
in future -- fooconfig.
2017-06-17 14:41:10 +02:00
Dmitry Vyukov
4cc7e08628 all: use osutil.IsExist instead of os.Stat 2017-06-17 12:23:52 +02:00
Dmitry Vyukov
10d9c52cf0 tools/create-gce-image.sh: add nmi_watchdog=panic to cmd line 2017-06-15 18:29:47 +02:00
Andrey Konovalov
07335203da prog2c: use 1 prog by default 2017-06-12 19:48:23 +02:00
Andrey Konovalov
120e26c2fe csource: don't generate debug printfs 2017-06-12 19:48:23 +02:00
Andrey Konovalov
c99b02d224 csource: try to simplify repeat loop 2017-06-12 19:48:23 +02:00
Andrey Konovalov
73a895df61 csource: use sandbox only when required 2017-06-12 19:48:23 +02:00
Andrey Konovalov
10c9064bfc csource: only handle SIGSEGV when necessary 2017-06-12 19:48:23 +02:00
Andrey Konovalov
5597911fbf csource: use tmp dir only when necessary 2017-06-12 19:48:23 +02:00
Andrey Konovalov
7d7c9c550f csource: add EnableTun option 2017-06-12 19:48:23 +02:00
Andrey Konovalov
4ca73f9c87 tools: repro: fix vm count calculation 2017-06-12 18:01:38 +02:00
Andrey Konovalov
d8ff00bacc tools: repro: fix vm count calculation 2017-06-07 16:20:53 +02:00
Dmitry Vyukov
af643baa32 vm: overhaul
VM infrastructure currently has several problems:
 - the Config struct is a complete mess with a superset of params for all VM types
 - verification of Config is a mess spread across several places
 - there is no place where VM code could do global initialization
   like creating a GCE connection, uploading a GCE image to GCS,
   matching adb devices with consoles, etc
 - it is hard to add private VM implementations;
   such an impl would need to add code to the config package,
   which would lead to constant merge conflicts
 - the interface for VM implementations is mixed with the interface for VM users;
   this does not allow providing the best interface for both of them
 - there is no way to add common code for all VM implementations

This change solves these problems by:
 - splitting the VM interface for users (vm package) and the VM interface
   for VM implementations (vmimpl package), which in turn allows
   adding common code
 - adding a Pool concept that allows doing global initialization
   and config checking at the right time
 - decoupling manager config from VM-specific config;
   each VM type now defines its own config

Note: manager configs need to be changed after this change:
VM-specific parts are moved to own "vm" subobject.

Note: this change also drops "local" VM type.
Its story was long unclear and there is now syz-stress which solves the same problem.
2017-06-03 11:31:42 +02:00
Dmitry Vyukov
ea2295f3e2 pkg/db: move from db 2017-06-03 10:41:09 +02:00
Dmitry Vyukov
23b94422d3 pkg/log: move from log 2017-06-03 10:41:09 +02:00
Dmitry Vyukov
d1032c21a0 pkg/hash: move from hash 2017-06-03 10:41:09 +02:00
Dmitry Vyukov
61a577885b tools: more reliable network config in create-gce-image.sh
Currently we append to /etc/network/interfaces,
which can lead to duplicate lo entry.
Write out the whole interfaces file instead.
2017-06-03 10:41:09 +02:00
Dmitry Vyukov
ac2962a1c5 tools: sync create-image.sh and create-gce-image.sh
Move a few additional settings from create-gce-image.sh to create-image.sh.
2017-06-03 10:41:09 +02:00
Dmitry Vyukov
84eb5fd389 config: split and refactor
Introduce generic config.Load function that can be
reused across multiple programs (syz-manager, syz-gce, etc).
Move the generic config functionality to pkg/config package.
The idea is to move all helper (non-main) packages to pkg/ dir,
because we have more and more of them and they pollute the top dir.
Move the syz-manager config parts into syz-manager/config package.
2017-06-01 11:17:54 +02:00
Michael Pratt
29fc5b76cd all: cleanup executor/ipc status checking
This is mostly a cleanup change with little functional change.

In ipc.command.exec, remove the status fallback from the pipe to the
exit status. Once the executor is serving, it always writes the status
over the pipe; anything else is an error.

Remove the panic check in syz-stress, which is no longer needed.
2017-05-30 09:33:51 -07:00
Dmitry Vyukov
220dc49106 csource: reproduce crashes with fault injection 2017-05-26 17:22:57 +02:00
Dmitry Vyukov
8f58526cb8 all: add fault injection capability
Systematically inject faults during smashing.
Requires kernel patch:
"fault-inject: support systematic fault injection"
(currently in linux-next).
2017-05-26 17:22:57 +02:00
Andrey Konovalov
f919224c44 sys, executor: extract tcp sequence numbers from /dev/net/tun
This commit adds a new pseudo syscall syz_extract_tcp_res, that reads
a packet from /dev/net/tun and extracts tcp sequence numbers to be used
in subsequent packets.

As a result this syzkaller program:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000001000)={0x2, 0x0, @empty=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
listen(r0, 0x5)
syz_emit_ethernet(0x36, &(0x7f0000002000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="4c6112cc15d8", [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}})
syz_extract_tcp_res(&(0x7f0000003000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x38, &(0x7f0000004000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @remote={[0xbb, 0xbb, 0xbb, 0xbb, 0xbb], 0x0}, [], {{0x800, @ipv4={{0x5, 0x4, 0x0, 0x0, 0x2a, 0x0, 0x0, 0x0, 0x6, 0x0, @remote={0xac, 0x14, 0x0, 0xbb}, @local={0xac, 0x14, 0x0, 0xaa}, {[]}}, @tcp={{0x1, 0x0, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {"0c10"}}}}}})
r3 = accept$inet(r0, &(0x7f0000005000)={0x0, 0x0, @multicast1=0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000006000)=0x10)

established a TCP connection:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN      5477/a.out
tcp        2      0 172.20.0.170:20000      172.20.0.187:20001      ESTABLISHED 5477/a.out

Similar program for IPv6:

mmap(&(0x7f0000000000/0x10000)=nil, (0x10000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x1, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, 0x1c)
listen(r0, 0x5)
syz_emit_ethernet(0x4a, &(0x7f0000001000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, 0x42424242, 0x42424242, 0x0, 0x0, 0x5, 0x2, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
syz_extract_tcp_res(&(0x7f0000002000)={<r1=>0x42424242, <r2=>0x42424242}, 0x1, 0x0)
syz_emit_ethernet(0x4a, &(0x7f0000003000)={@local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, @random="de895db1468d", [], {{0x86dd, @ipv6={0x0, 0x6, "a228af", 0x14, 0x6, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, @local={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xaa}, {[], @tcp={{0x0, 0x1, r2, r1, 0x0, 0x0, 0x5, 0x10, 0x0, 0x0, 0x0, {[]}}, {""}}}}}}})
r3 = accept$inet6(r0, &(0x7f0000004000)={0x0, 0x0, 0x0, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0}, &(0x7f0000005000)=0x1c)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::20001                :::*                    LISTEN      5527/a.out
tcp6       0      0 fe80::aa:20001          fe80::bb:20000          ESTABLISHED 5527/a.out
2017-05-26 14:28:09 +02:00
baishuai
6e254bdd13 manager: save and reuse allSymbols, vmOffset 2017-05-25 17:30:27 +08:00
Dmitry Vyukov
38b947b94f syz-symbolize: symbolize all console output
Currently syz-symbolize uses report.Parse function
that extracts crash messages from console output.
Symbolize all console output instead.
E.g. there can be something on the console that is not a crash.
2017-05-23 14:44:07 +02:00
Michael Pratt
e19ceedd27 ipc: add an optional 'abort' signal
If an external sandbox process wraps the executor, it may be helpful to
send a signal other than SIGKILL to the sandbox when the program times
out or fails to respond. This gives the sandbox the opportunity to emit
additional debugging information before exiting.

Add an 'abort' signal to ipc, which is sent to the executor before
SIGKILL. If the executor fails to exit within 5s, the signal is upgraded
to SIGKILL.

The default abort signal remains SIGKILL, maintaining existing behavior.
2017-05-19 16:14:57 -07:00
Oscar Salvador
28e4817405 Add sudo for mkfs.ext4 2017-03-30 16:50:27 +02:00
Andrey Konovalov
91ea49ce25 vm: add Odroid support
This commit adds Odroid C2 support to syzkaller.
It's now possible to specify "type": "odroid" in manager config.

Documentation on how to set up fuzzing with an Odroid C2 board is here:
https://github.com/google/syzkaller/wiki/Setup:-Odroid-C2

Note that after this change the libusb-1.0-0-dev package should be
installed to build syzkaller.
2017-03-10 17:10:52 +01:00
Dmitry Vyukov
757a32859a tools/syz-dashtool: allow uploading all crashes for a single bug 2017-03-05 14:41:13 +01:00
Dmitry Vyukov
a460a8a082 syz-dash: assorted improvements 2017-02-24 22:01:03 +03:00
Dmitry Vyukov
19d8bc6235 syz-dash: first version of dashboard app
syz-dash is an appengine app that aggregates crashes from multiple managers.
Very early version, still fleshing out required functionality.
2017-02-17 22:22:01 +01:00
Andrey Konovalov
b4bdefbe9b prog, sys: add icmp descriptions and checksum 2017-02-06 20:24:49 +01:00
Andrey Konovalov
dd4e19c77a execprog: enable tun when syz_emit_ethernet is used 2017-01-31 18:39:24 +01:00
Dmitry Vyukov
8365c3838d all: implement edge coverage
Currently syzkaller uses per-call basic block (BB) coverage.
This change implements edge (not-per-call) coverage.
Edge coverage is more detailed than BB coverage as it captures
not-taken branches, looping, etc. So it provides better feedback signal.
This coverage is now called "signal" throughout the code.
BB code coverage is also collected as it is required for visualisation.
Not doing per-call coverage reduces the corpus ~6-7x (from ~35K to ~5K),
which has a profound effect on fuzzing efficiency.
2017-01-27 20:46:18 +01:00
Dmitry Vyukov
13134c3cf7 syz-prog2c: fix a typo in error message 2017-01-25 11:05:19 +01:00
Dmitry Vyukov
40c6a8ebf5 tools/create-image.sh: add psmisc package for killall
+ raise console output level, otherwise stack traces may be dropped
2017-01-24 10:03:42 +01:00
Dmitry Vyukov
3db67897de tools/kcovtrace: add KCOV-based tracing utility
kcovtrace is like strace but shows kernel coverage collected with KCOV.
It is very simplistic at this point and does not support multithreaded processes, etc.
It can be used to understand, for example, the exact location where the kernel bails out
with an error for a particular syscall.
2017-01-20 14:56:20 +01:00
Dmitry Vyukov
f8b6a5831c tools/syz-benchcmp: add utility for visualization of syz-manager benchmarking results 2017-01-20 14:56:20 +01:00
Dmitry Vyukov
52165c91c2 tools/syz-stress: switch to the new corpus database format 2017-01-17 17:14:11 +01:00
Dmitry Vyukov
5d3f1d6614 tools/syz-db: add new utility
The utility allows packing/unpacking the corpus database to/from separate files.
2017-01-16 20:44:01 +01:00
Dmitry Vyukov
6f52004fcf tools/create-image.sh: simplify script
Check out necessary packages during debootstrap instead of in a separate step.
2017-01-16 20:34:35 +01:00
Dmitry Vyukov
e715b3c803 syz-gce: support continuous build
Add a "local" mode in which syz-gce clones, builds and
monitors a linux kernel repo for updates.
2017-01-16 20:33:22 +01:00
Dmitry Vyukov
83a8f430c9 vm/qemu: add some kvm-related kernel cmd line flags
In particular it is useful to enable nested.
Enable a bunch of others as well.
2017-01-09 20:20:49 +01:00
Dmitry Vyukov
b6f204a7e4 syz-stress: add flag that controls generation of new programs 2017-01-09 20:20:49 +01:00