dvyukov/go-fuzz 3318

Randomized testing for Go

dvyukov/relacy 110

Automatically exported from code.google.com/p/relacy

dvyukov/go-fuzz-corpus 65

Corpus for github.com/dvyukov/go-fuzz examples

dvyukov/gosmith 32

Automatically exported from code.google.com/p/gosmith

dvyukov/awesome-go 16

A curated list of awesome Go frameworks, libraries and software

dvyukov/2015-talks 2

Slides from 2015 Talks

dvyukov/linux 2

Linux kernel source tree

push event google/syzkaller

Dmitry Vyukov

commit sha 03937d85286b6431a66df0f0d28bd04eaa15ec3d

Update README.md

push time in 2 days

push event google/syzkaller

Dmitry Vyukov

commit sha ff3dfa26b05dac7c589d7ab446e54f31759c29ca

Update research.md

push time in 2 days

push event google/syzkaller

Dmitry Vyukov

commit sha 5e0e1d1450d7c3497338082fc28912fdd7f93a3c

executor: uncomment accidentally commented code

unshare(CLONE_NEWPID) was commented out in 4428511d10687cb446ad705148333478437d3f23 accidentally. Uncomment it.

Spotted by @xairy: https://github.com/google/syzkaller/commit/4428511d10687cb446ad705148333478437d3f23#r37456572

push time in 2 days

push event google/syzkaller

Mark Johnston

commit sha 502ca6cde7a3897b576b65117bf798f53e63b8d7

tools: avoid hard-coding the path to interpreters

On BSD they are usually installed under /usr/local/.

Mark Johnston

commit sha 1253d6f07f7f40d2835e0d1e061dcbad49ae28ee

tools: specify the search path for find(1)

push time in 2 days

PR merged google/syzkaller

Fixups for presubmit scripts on *BSD
+3 -3

1 comment

2 changed files

markjdb

pr closed time in 2 days

Pull request review comment google/syzkaller

dashboard/config: switch to ORC unwinder

 func linuxDisableConfigs(config []byte, tags map[string]bool) []byte { 		// which makes bisections take weeks. 		"CONFIG_DEBUG_KOBJECT": "disable-always", 	}-	for cfg, tag := range prereq {+	for cfg, tag := range disable { 		if !tags[tag] { 			config = bytes.Replace(config, []byte(cfg+"=y"), []byte("# "+cfg+" is not set"), -1) 		} 	}+	alter := []struct {+		From string+		To   string+		Tag  string+	}{+		// Even though ORC unwinder was introduced a long time ago, it might have been broken for+		// some time. 5.4 is chosen as a version tag, where ORC unwinder seems to work properly.+		{"CONFIG_UNWINDER_ORC", "CONFIG_UNWINDER_FRAME_POINTER", "v5.4"},+	}+	for _, a := range alter {+		if !tags[a.Tag] {+			config = bytes.Replace(config, []byte(a.From+"=y"), []byte(a.To+"=y"), -1)
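Review bot: the alter loop only rewrites `CONFIG_UNWINDER_ORC=y` to `CONFIG_UNWINDER_FRAME_POINTER=y`, but a config that had ORC selected will normally also carry a `# CONFIG_UNWINDER_FRAME_POINTER is not set` line, so after the replacement the same symbol has both an `=y` entry and an `is not set` entry and the outcome depends on how the kernel's olddefconfig resolves the duplicate. Suggest having each `alter` entry rewrite the `To` symbol's `"# "+a.To+" is not set"` line in the same pass (and turning `a.From+"=y"` into `"# "+a.From+" is not set"`), so every symbol ends up with exactly one entry, plus a unit test that feeds a config containing both lines; that would also catch a future `alter` entry that regresses this silently.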

But the config also contains:

# CONFIG_UNWINDER_FRAME_POINTER is not set

so after the replacement we will end up with:

CONFIG_UNWINDER_FRAME_POINTER=y
# CONFIG_UNWINDER_FRAME_POINTER is not set

How does olddefconfig react to this? Won't it still be disabled? Note that for some future config that we will want to alter we may also end up with:

# FOO is not set
FOO=y

I assume at least one of these combinations won't work. Most likely when somebody adds that FOO in the future, they will not test it (assuming this functionality already works), so it will silently break.

We may need something more robust here.

xairy

comment created time in 4 days

pull request comment blynn/nex

Remove unnecessary busy waiting

If only true is ever sent to ch_stop (?) then the code may be simplified even more, as after the select we know that one of the things has happened, so we don't need the break and the outer loop.

HerrSpace

comment created time in 4 days

issue closed dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

Ahoi!

I'm trying to toy with go-fuzz by fuzzing the MCL language lexer/parser of mgmt. Unfortunately my tests are extremely slow on both macos and linux when go-fuzz calls my Fuzz function. That is not so when calling the function myself.

My overly simple fuzz target in fuzz/fuzz.go looks like this:

package fuzz

import (
	"bytes"

	"github.com/purpleidea/mgmt/lang"
)

// Fuzz is the go-fuzz entry point: it feeds the mutated input to the MCL
// lexer/parser and discards the result, so only panics/hangs are reported.
func Fuzz(data []byte) int {
	lang.LexParse(bytes.NewReader(data))
	return 0
}

fuzz/corpus/third.mcl only contains:

$three = 3

I'm utilizing this target via a simple main in main-fuzz.go like this:

package main

import (
	"io/ioutil"
	"log"
	"net/http"
	_ "net/http/pprof"

	"github.com/purpleidea/mgmt/fuzz"
)

func main() {
	// we need a webserver to get the pprof webserver
	go func() {
		log.Println(http.ListenAndServe("localhost:6060", nil))
	}()

	dat, err := ioutil.ReadFile("./fuzz/corpus/third.mcl")
	if err != nil {
		log.Fatal(err)
	}
	// call the fuzz target directly, 1000 times, to compare against go-fuzz
	for i := 1; i <= 1000; i++ {
		fuzz.Fuzz(dat)
	}
}

Running this takes only a few seconds. Not amazingly fast, but not too shabby either:

space@FeTAp ..epos/go/src/github.com/purpleidea/mgmt (git)-[master] % time go run main-fuzz.go
go run main-fuzz.go  2.44s user 1.02s system 106% cpu 3.251 total

Unfortunately, when building and running it with go-fuzz, I get abysmal execution numbers:

space@FeTAp ..go/src/github.com/purpleidea/mgmt/fuzz (git)-[master] % go-fuzz --procs=1 -bin=./fuzz-fuzz.zip -workdir=.
2020/02/18 12:52:26 workers: 1, corpus: 1 (3s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
2020/02/18 12:52:29 workers: 1, corpus: 1 (6s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 6s
2020/02/18 12:52:32 workers: 1, corpus: 1 (9s ago), crashers: 0, restarts: 1/22, execs: 22 (2/sec), cover: 0, uptime: 9s
2020/02/18 12:52:35 workers: 1, corpus: 1 (12s ago), crashers: 0, restarts: 1/35, execs: 35 (3/sec), cover: 0, uptime: 12s
2020/02/18 12:52:38 workers: 1, corpus: 1 (15s ago), crashers: 0, restarts: 1/37, execs: 37 (2/sec), cover: 0, uptime: 15s
2020/02/18 12:52:41 workers: 1, corpus: 1 (18s ago), crashers: 0, restarts: 1/42, execs: 42 (2/sec), cover: 0, uptime: 18s
2020/02/18 12:52:44 workers: 1, corpus: 1 (21s ago), crashers: 0, restarts: 1/44, execs: 44 (2/sec), cover: 0, uptime: 21s
2020/02/18 12:52:47 workers: 1, corpus: 1 (24s ago), crashers: 0, restarts: 1/44, execs: 44 (2/sec), cover: 0, uptime: 24s
2020/02/18 12:52:50 workers: 1, corpus: 1 (27s ago), crashers: 0, restarts: 1/49, execs: 49 (2/sec), cover: 0, uptime: 27s
2020/02/18 12:52:53 workers: 1, corpus: 1 (30s ago), crashers: 0, restarts: 1/51, execs: 51 (2/sec), cover: 0, uptime: 30s

Any tips on how to debug this? Can I utilize pprof from inside go-fuzz somehow?

closed time in 4 days

HerrSpace

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

Please take it from here.

HerrSpace

comment created time in 4 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)

I see. From syzkaller's point of view this "out/x64.zircon" is not a build directory, it's just a random point in the file system tree (none of the build/source/object dirs will point to it). The only way to fix this is to special-case fuchsia logic. I guess we either need to strip "../../" or prepend "a/b/" somewhere in pkg/cover for fuchsia then.

mvanotti

comment created time in 4 days

push event google/syzkaller

Dmitry Vyukov

commit sha b6ed1478343c98348649330e66b021faa747b6e5

prog: dump orig prog if Deserialize panics

We are seeing some one-off panics during Deserialization and it's unclear if it's machine memory corruption or an actual bug in prog. I lean towards machine memory corruption but it's impossible to prove without seeing the orig program. Move git revision to prog as it's the more base package (sys can import prog, prog can't import sys).

Dmitry Vyukov

commit sha 82d32c2951617f36b787d3214c38385b4b374098

sys/syz-extract: fix output formatting

Remove spaces in the beginning of the message. The message is actually multi-line and the spaces are added only before the first line, which makes the subsequent lines inconsistently offset.

Dmitry Vyukov

commit sha ed54dfe305cb7b1922689bf6e796d0c20ed27928

sys/linux: add NETLINK_AUDIT descriptions

Dmitry Vyukov

commit sha 4428511d10687cb446ad705148333478437d3f23

sys/linux: add NETLINK_RDMA descriptions

Dmitry Vyukov

commit sha a35df73a561c7c7f2af33482ece6cf87ce090bda

tools/check-copyright.sh: also check cc/h/S files

Dmitry Vyukov

commit sha 2ffa6679c4790a83f26a1b674ed34800e028fe2e

sys/linux: add NETLINK_SOCK_DIAG descriptions

Incomplete, but something.

push time in 4 days

Pull request review comment google/syzkaller

Adding seccomp support for Android

+/*+ * Copyright (C) 2017 The Android Open Source Project

I am more interested in how much control we have over this file. Is it copied verbatim from somewhere else and will be overwritten on the next update, or is it our fork that we can change? This is our fork, right?

mspectorgoogle

comment created time in 4 days

Pull request review comment google/syzkaller

Adding seccomp support for Android

+/*+ * Copyright (C) 2017 The Android Open Source Project

I dunno about the copyright message, I guess it needs to stay if the code was copied then modified. But maybe we need to have 2 copyrights now, as this is now effectively owned by the syzkaller project and will be modified by "syzkaller authors" and they will hold copyright.

mspectorgoogle

comment created time in 4 days

Pull request review comment google/syzkaller

Adding seccomp support for Android

 func main() { 		"common_kvm_amd64.h", 		"common_kvm_arm64.h", 		"common_usb.h",+		"android/android_seccomp.h",

This should go to the section below, right?

mspectorgoogle

comment created time in 5 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

It seems the default case can simply be deleted. Why? And if only true is sent to ch_stop, then more code can be deleted. Looks somewhat over-complicated.

HerrSpace

comment created time in 4 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

I think this is the bug: https://github.com/blynn/nex/blob/master/nex.go#L898-L906 If both channels are not ready, it will actively spin forever. This is never a good idea.

HerrSpace

comment created time in 4 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

Hm. sancov stores the return address -1, I assumed that was because of variable-length instructions.

I guess sancov just does not care about getting the exact address of the call instruction. I guess sancov is fine with just any byte within the instruction, because addr2line does not care, it will work either way. But we do care.

mvanotti

comment created time in 5 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

Dmitry, the syscall format just replicates what we have in kcov for fuchsia...

You mean "user space sanitizer coverage", not "kcov", right? kcov is kernel coverage already, and it's per-thread already...

mvanotti

comment created time in 5 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)
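Review bot: `filepath.Join(rg.buildDir, fname)` cleans its result, so a relative name that climbs out of the tree (the `../../zircon/kernel/dev/pcie/pcie_root.cc` form that the addr2line output in this review produces) resolves to a path outside `rg.buildDir`; any prefix check that still follows the join will then reject it, and otherwise the file is looked up in the wrong tree. Also, `remain` is declared in the hunk but not assigned on the relative-path branch shown. Suggest deciding explicitly which root relative names are anchored to (the build dir vs. the current source dir) and validating the cleaned, joined path against that root before use, with a test case for a `../..`-prefixed name, rather than relying on the joined string still sharing the build-dir prefix.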

Here:

$ addr2line -afi -e ~/fuchsia/out/x64.zircon/kernel-x64-sancov/obj/kernel/zircon.elf
ffffffff801c186e
0xffffffff801c186e
PcieRoot
../../out/x64.zircon/../../zircon/kernel/dev/pcie/pcie_root.cc:13

I presume ~/fuchsia is fuchsia checkout dir (what we will use in pkg/vcs/fuchsia).

This:

../../out/x64.zircon/../../zircon/kernel/dev/pcie/pcie_root.cc

reduces to:

../../zircon/kernel/dev/pcie/pcie_root.cc

The question is: is this path a proper source path relative to ~/fuchsia?

mvanotti

comment created time in 5 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)

If the source path is relative to the build directory (the one passed to pkg/vcs/fuchsia.go and pkg/build/fuchsia.go, not some other meaning of "build directory"), then we don't need to do anything special as far as I see (besides not producing an error on relative path).

mvanotti

comment created time in 5 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)

I thought buildDir was the path where the kernel was being built.

This is correct. buildDir is a dir where kernel sources were during the build. sourceDir is a dir where kernel sources are now.

If kernel was not moved, then buildDir == sourceDir. Otherwise, buildDir != sourceDir and it is not useful to prepend buildDir (sources were moved from there), now they are in sourceDir, so we need to prepend sourceDir.

mvanotti

comment created time in 5 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.

Never mind. I guess for relative path build and source are more or less the same.

mvanotti

comment created time in 5 days

issue closed google/syzkaller

syzkaller compilation issues with C

I'm getting a compilation error of syzkaller. I'm following the steps here: https://github.com/google/syzkaller/blob/master/docs/contributing.md

The only difference is I got the latest go 1.12 from here: https://golang.org/dl/

Host : Ubuntu 14.04 running as a VMware VM

go version go1.12.17 linux/amd64
GOOS=linux GOARCH=amd64 go install ./syz-manager
GOOS=linux GOARCH=amd64 go install ./syz-fuzzer
make fuzzer execprog stress executor
make manager runtest repro mutate prog2c db upgrade
make[1]: Entering directory `/root/go/src/github.com/google/syzkaller'
make[1]: warning: -jN forced in submake: disabling jobserver mode.
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
make[1]: Entering directory `/root/go/src/github.com/google/syzkaller'
make[1]: warning: -jN forced in submake: disabling jobserver mode.
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-manager github.com/google/syzkaller/syz-manager
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-runtest github.com/google/syzkaller/tools/syz-runtest
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-repro github.com/google/syzkaller/tools/syz-repro
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
		-O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=8192 -m64 -static  -DGOOS_linux=1 -DGOARCH_amd64=1 \
		-DHOSTGOOS_linux=1 -DGIT_REVISION=\"bd2a74a31f07d383be203bcd77dfbecbc1205dd3\"
In file included from executor/common.h:393:0,
                 from executor/executor.cc:133:
executor/common_linux.h: In function ‘void netlink_add_geneve(nlmsg*, int, const char*, uint32, in_addr*, in6_addr*)’:
executor/common_linux.h:324:22: error: ‘IFLA_GENEVE_ID’ was not declared in this scope
  netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni));
                      ^
executor/common_linux.h:326:23: error: ‘IFLA_GENEVE_REMOTE’ was not declared in this scope
   netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4));
                       ^
executor/common_linux.h:328:23: error: ‘IFLA_GENEVE_REMOTE6’ was not declared in this scope
   netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6));
                       ^
executor/common_linux.h: In function ‘void netlink_add_ipvlan(nlmsg*, int, const char*, const char*, uint16, uint16)’:
executor/common_linux.h:346:22: error: ‘IFLA_IPVLAN_MODE’ was not declared in this scope
  netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode));
                      ^
In file included from executor/common.h:393:0,
                 from executor/executor.cc:133:
executor/common_linux.h: In function ‘void initialize_netdevices()’:
executor/common_linux.h:1190:60: error: ‘IPVLAN_MODE_L2’ was not declared in this scope
  netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0);
                                                            ^
make[1]: *** [executor] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/root/go/src/github.com/google/syzkaller'
make: *** [target] Error 2
make: *** Waiting for unfinished jobs....
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-mutate github.com/google/syzkaller/tools/syz-mutate
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-prog2c github.com/google/syzkaller/tools/syz-prog2c
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-db github.com/google/syzkaller/tools/syz-db
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/sys.GitRevision=bd2a74a31f07d383be203bcd77dfbecbc1205dd3 -X 'github.com/google/syzkaller/sys.gitRevisionDate=Thu Feb 20 18:42:57 2020 +0100'" -o ./bin/syz-upgrade github.com/google/syzkaller/tools/syz-upgrade
make[1]: Leaving directory `/root/go/src/github.com/google/syzkaller'

closed time in 5 days

asudhak

issue comment google/syzkaller

syzkaller compilation issues with C

Go always compiles without any problems, it's C that's impossible to compile on another machine ;) I guess newer kernel headers or something. It's known to work on Ubuntu 16 (CI), latest Debian.

asudhak

comment created time in 5 days

issue opened google/kmsan

trim aux frames from stacks

From one of the recent reports:

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
 kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
 __alloc_pages_nodemask+0x5712/0x5e80 mm/page_alloc.c:4775
 alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2211
 alloc_pages include/linux/gfp.h:534 [inline]
 alloc_slab_page+0x111/0x12f0 mm/slub.c:1530
 allocate_slab mm/slub.c:1675 [inline]
 new_slab+0x2bc/0x1130 mm/slub.c:1741
 new_slab_objects mm/slub.c:2492 [inline]
 ___slab_alloc+0x1533/0x1f30 mm/slub.c:2643
 __slab_alloc mm/slub.c:2683 [inline]
 slab_alloc_node mm/slub.c:2757 [inline]
 slab_alloc mm/slub.c:2802 [inline]
 kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2807
 fat_alloc_inode+0x58/0x120 fs/fat/inode.c:748

We have 15 frames which are not interesting for the user and are internal implementation details. I think we need to trim these from reports (including the use and stored-to-memory stacks).

created time in 5 days

push event google/syzkaller

Dmitry Vyukov

commit sha bd2a74a31f07d383be203bcd77dfbecbc1205dd3

sys/linux: add smc_pnetid genetlink descriptions

push time in 5 days

push event google/syzkaller

Zubin Mithra

commit sha 02698d8bc45175a6626098daa8badd62ff88dcfb

vm/isolated: add initial support for fuzzing chromebooks (WIP PR)

Add support for StartupScript.
* Modify Config{} to contain PostRepairScript.
* Allow repair() to execute a startup_script after reboot. The contents of this script execute on the DUT.

Add pstore support:
* Modify Config{} to contain Pstore.
* Modify Diagnose() to reboot the DUT and fetch pstore logs, conditional on inst.cfg.Pstore.
* Add readPstoreContents().
* Allow clearing previous pstore logs upon Create() and after use inside readPstoreContents().
* Fetching pstore crashlogs relies on reliably getting lost connection on DUT reboot. Use "ServerAliveInterval=6 ServerAliveCountMax=5" ssh options when running syz-fuzzer with Pstore support enabled.

Allow parsing pstore contents:
* Diagnose() now returns pstore contents.

Refactoring:
* Move out some reusable parts of repair() to waitRebootAndSSH().
* Have an early return inside repair() if inst.waitForSSH() fails.

push time in 5 days

PR merged google/syzkaller

vm/isolated: add initial support for fuzzing chromebooks

(WIP PR)

Add support for post_repair_script:

  • Modify Config{} to contain PostRepairScript.
  • Allow repair() to execute a post_repair script after reboot. This script executes on the host and expects the ssh arguments (user, addr, port, key, options) to be set in the environment variable $SSHARGS.

Add pstore support:

  • Modify Config{} to contain Pstore.
  • Modify Diagnose() to reboot the DUT and fetch pstore logs, conditional on inst.cfg.Pstore.
  • Add readPstoreContents().
  • Allow clearing previous pstore logs upon Create() and after use inside readPstoreContents().
  • Fetching pstore crashlogs relies on reliably getting lost connection on DUT reboot. Use "ServerAliveInterval=6 ServerAliveCountMax=5" ssh options when running syz-fuzzer with Pstore support enabled.

Allow passing pstore contents into OutputMerger:

  • Allow isolated.go:instance{} to keep track of instance of *vmimpl.OutputMerger so that it can be used from Diagnose().
  • Allow vmimpl.Multiplex() to take an argument to decide whether or not to close outc when ssh connection is lost.

Refactoring:

  • Move out some reusable parts of repair() to waitRebootAndSSH().
  • Have an early return inside repair() if inst.waitForSSH() fails.
+221 -34

1 comment

3 changed files

zsm-oss

pr closed time in 5 days

Pull request review comment google/syzkaller

Adding seccomp support for Android

+/*+ * Copyright (C) 2017 The Android Open Source Project

Is this whole file copied from Android?

dvyukov (Member), 28 days ago: It mentioned GOARCH_amd64, so I assume it did not come from Android?

dvyukov (Member), 28 days ago: But even if it came from Android, this is a forked copy, right?

mspectorgoogle

comment created time in 5 days

Pull request review comment google/syzkaller

Adding seccomp support for Android

 static int do_sandbox_android(void) { 	setup_common(); 	sandbox_common();+	drop_caps();++#if SYZ_EXECUTOR || SYZ_NET_DEVICES+	initialize_netdevices_init();+#endif+#if SYZ_EXECUTOR || SYZ_DEVLINK_PCI+	initialize_devlink_pci();+#endif+#if SYZ_EXECUTOR || SYZ_NET_INJECTION+	initialize_tun();+#endif+#if SYZ_EXECUTOR || SYZ_NET_DEVICES+	initialize_netdevices();
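Review bot: `drop_caps()` is called before `initialize_netdevices_init()`, `initialize_devlink_pci()`, `initialize_tun()` and `initialize_netdevices()`, yet creating and configuring tun and netlink-managed devices is a privileged operation (CAP_NET_ADMIN), so with capabilities already dropped these initializers will likely fail or leave the devices half-configured, and the hunk shows no error handling that would surface that. Suggest moving `drop_caps()` after the device-setup block, or stating in a comment why the Android sandbox can set these devices up without capabilities if that is intended.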

This all happens in the init net namespace, right? I think it will lead to some mess, all test processes will use the same devices and try to reinitialize them as other test processes use them. Though, maybe apps can't use these devices under the selinux policy? Then we probably don't need to set them up as well...

mspectorgoogle

comment created time in 5 days

pull request comment google/syzkaller

Adding seccomp support for Android

#1573 can be closed now, right?

mspectorgoogle

comment created time in 5 days

pull request comment google/syzkaller

Adding seccomp support for Android

CI is not happy, errors seem to be related to this change.

mspectorgoogle

comment created time in 5 days

pull request comment google/syzkaller

Update CIFuzz .yml file

This step now always fails, see e.g. https://github.com/google/syzkaller/pull/1615 https://github.com/google/syzkaller/pull/1615/checks?check_run_id=456939726

Build Fuzzers 2s
Running: docker build -t gcr.io/oss-fuzz-base/ infra/base-images/
Run google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
/usr/bin/docker run --name e87b52bef902bdb8d7480ba185d5db8a550b68_0879d8 --label e87b52 --workdir /github/workspace --rm -e INPUT_PROJECT-NAME -e INPUT_DRY-RUN -e INPUT_OSS-FUZZ-PROJECT-NAME -e OSS_FUZZ_PROJECT_NAME -e DRY_RUN -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/syzkaller/syzkaller":"/github/workspace" e87b52:bef902bdb8d7480ba185d5db8a550b68
invalid argument "gcr.io/oss-fuzz-base/" for "-t, --tag" flag: invalid reference format
See 'docker build --help'.
docker build failed.
2020-02-20 04:45:21,793 - root - ERROR - Error: building image failed.
2020-02-20 04:45:21,794 - root - ERROR - Could not detect repo from project .
2020-02-20 04:45:21,794 - root - ERROR - Error building fuzzers for project with pull request refs/pull/1615/merge.
Running: docker build -t gcr.io/oss-fuzz-base/ infra/base-images/

Leo-Neat

comment created time in 5 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha 0ec6c0fbb463e6d2728a409e8e1919d4f136a462

.github/workflows: add golangci-lint action

push time in 6 days

pull request comment google/syzkaller

Add support for devlink trap syscalls

When I go to the https://cla.developers.google.com/ page, it has this part:

Email(s)
Learn more about managing email addresses for your account.
https://support.google.com/accounts/answer/176347

I think you need to link that email to your account... @jpirko you contributed with a Mellanox email address, what did you do?

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 devlink_port_set { 	port_handle		devlink_port_handle 	DEVLINK_ATTR_PORT_TYPE	nlattr[DEVLINK_ATTR_PORT_TYPE, int16[DEVLINK_PORT_TYPE_NOTSET:DEVLINK_PORT_TYPE_IB]] } [packed, align_4]++type msghdr_nl_devlink_trap_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_SET], devlink_trap_set]]+sendmsg$DEVLINK_CMD_TRAP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_set], f flags[send_flags])++devlink_trap_handle {+	DEVLINK_ATTR_TRAP_NAME	nlattr[DEVLINK_ATTR_TRAP_NAME, string["source_mac_is_multicast"]]+} [packed, align_4]++devlink_trap_action_handle {+	DEVLINK_ATTR_TRAP_ACTION	nlattr[DEVLINK_ATTR_TRAP_ACTION, int8[DEVLINK_TRAP_ACTION_DROP:DEVLINK_TRAP_ACTION_TRAP]]+} [packed, align_4]++devlink_trap_set_arg [+	action_handle	devlink_trap_action_handle+] [varlen]++devlink_trap_set {+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+	arg		devlink_trap_set_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_get msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GET], devlink_trap_get]]+sendmsg$DEVLINK_CMD_TRAP_GET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_get], f flags[send_flags])++devlink_trap_get_arg [+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+] [varlen]++devlink_trap_get {+	arg	devlink_trap_get_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_group_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GROUP_SET], devlink_trap_group_set]]+sendmsg$DEVLINK_CMD_TRAP_GROUP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_group_set], f flags[send_flags])++devlink_trap_group_handle {

As far as I understand you introduced devlink_trap_group_handle to not repeat the attribute definition twice below. A more direct and shorter way to do this would be:

type devlink_trap_group_handle nlattr[DEVLINK_ATTR_TRAP_GROUP_NAME, string["l2_drops"]]

This applies to a few cases above as well.

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 devlink_port_set { 	port_handle		devlink_port_handle 	DEVLINK_ATTR_PORT_TYPE	nlattr[DEVLINK_ATTR_PORT_TYPE, int16[DEVLINK_PORT_TYPE_NOTSET:DEVLINK_PORT_TYPE_IB]] } [packed, align_4]++type msghdr_nl_devlink_trap_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_SET], devlink_trap_set]]+sendmsg$DEVLINK_CMD_TRAP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_set], f flags[send_flags])++devlink_trap_handle {+	DEVLINK_ATTR_TRAP_NAME	nlattr[DEVLINK_ATTR_TRAP_NAME, string["source_mac_is_multicast"]]+} [packed, align_4]++devlink_trap_action_handle {+	DEVLINK_ATTR_TRAP_ACTION	nlattr[DEVLINK_ATTR_TRAP_ACTION, int8[DEVLINK_TRAP_ACTION_DROP:DEVLINK_TRAP_ACTION_TRAP]]+} [packed, align_4]++devlink_trap_set_arg [+	action_handle	devlink_trap_action_handle+] [varlen]++devlink_trap_set {+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+	arg		devlink_trap_set_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_get msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GET], devlink_trap_get]]+sendmsg$DEVLINK_CMD_TRAP_GET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_get], f flags[send_flags])++devlink_trap_get_arg [+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+] [varlen]++devlink_trap_get {+	arg	devlink_trap_get_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_group_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GROUP_SET], devlink_trap_group_set]]+sendmsg$DEVLINK_CMD_TRAP_GROUP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_group_set], f flags[send_flags])++devlink_trap_group_handle {+	DEVLINK_ATTR_TRAP_GROUP_NAME	nlattr[DEVLINK_ATTR_TRAP_GROUP_NAME, string["l2_drops"]]+} [packed, align_4]++devlink_trap_group_set {+	dev_handle	devlink_handle+	group_handle	devlink_trap_group_handle+	arg		devlink_trap_set_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_group_get 
msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GROUP_GET], devlink_trap_group_get]]+sendmsg$DEVLINK_CMD_TRAP_GROUP_GET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_group_get], f flags[send_flags])++devlink_trap_group_get_arg [+	dev_handle	devlink_handle+	group_handle	devlink_trap_group_handle+] [varlen]++devlink_trap_group_get {
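Review bot: `devlink_trap_handle` and `devlink_trap_group_handle` pin DEVLINK_ATTR_TRAP_NAME and DEVLINK_ATTR_TRAP_GROUP_NAME to the single literals `string["source_mac_is_multicast"]` and `string["l2_drops"]`, so DEVLINK_CMD_TRAP_SET/GET and the group variants will only ever be exercised against one trap and one group, and the lookup-failure path for an unknown name is never reached. Consider a flags list (e.g. `string[devlink_trap_names]`) with several known trap and group names, or leaving the string unconstrained so the mutator can also produce bogus names.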

The same here: s/devlink_trap_group_get/devlink_trap_group_get_arg/ and remove devlink_trap_group_get.

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 devlink_port_set { 	port_handle		devlink_port_handle 	DEVLINK_ATTR_PORT_TYPE	nlattr[DEVLINK_ATTR_PORT_TYPE, int16[DEVLINK_PORT_TYPE_NOTSET:DEVLINK_PORT_TYPE_IB]] } [packed, align_4]++type msghdr_nl_devlink_trap_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_SET], devlink_trap_set]]+sendmsg$DEVLINK_CMD_TRAP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_set], f flags[send_flags])++devlink_trap_handle {+	DEVLINK_ATTR_TRAP_NAME	nlattr[DEVLINK_ATTR_TRAP_NAME, string["source_mac_is_multicast"]]+} [packed, align_4]++devlink_trap_action_handle {+	DEVLINK_ATTR_TRAP_ACTION	nlattr[DEVLINK_ATTR_TRAP_ACTION, int8[DEVLINK_TRAP_ACTION_DROP:DEVLINK_TRAP_ACTION_TRAP]]+} [packed, align_4]++devlink_trap_set_arg [+	action_handle	devlink_trap_action_handle+] [varlen]++devlink_trap_set {+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+	arg		devlink_trap_set_arg+} [packed, align_4]++type msghdr_nl_devlink_trap_get msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_GET], devlink_trap_get]]+sendmsg$DEVLINK_CMD_TRAP_GET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_get], f flags[send_flags])++devlink_trap_get_arg [+	dev_handle	devlink_handle+	trap_handle	devlink_trap_handle+] [varlen]++devlink_trap_get {

It looks like this devlink_trap_get is unnecessary, we could use devlink_trap_get_arg directly instead of it.

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 BPF_PROG_TYPE_CGROUP_SOCK = 9 BPF_PROG_TYPE_CGROUP_SOCKOPT = 25 BPF_PROG_TYPE_CGROUP_SOCK_ADDR = 18 BPF_PROG_TYPE_CGROUP_SYSCTL = 23-BPF_PROG_TYPE_EXT = 28+# BPF_PROG_TYPE_EXT is not set

There are a number of such changes in *.const files. You probably used an older linux-next revision. Please fetch linux-next and re-execute 'make extract'.

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 devlink_port_set { 	port_handle		devlink_port_handle 	DEVLINK_ATTR_PORT_TYPE	nlattr[DEVLINK_ATTR_PORT_TYPE, int16[DEVLINK_PORT_TYPE_NOTSET:DEVLINK_PORT_TYPE_IB]] } [packed, align_4]++type msghdr_nl_devlink_trap_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_SET], devlink_trap_set]]+sendmsg$DEVLINK_CMD_TRAP_SET(fd sock_nl_generic, msg ptr[in, msghdr_nl_devlink_trap_set], f flags[send_flags])++devlink_trap_handle {+	DEVLINK_ATTR_TRAP_NAME	nlattr[DEVLINK_ATTR_TRAP_NAME, string["source_mac_is_multicast"]]+} [packed, align_4]++devlink_trap_action_handle {+	DEVLINK_ATTR_TRAP_ACTION	nlattr[DEVLINK_ATTR_TRAP_ACTION, int8[DEVLINK_TRAP_ACTION_DROP:DEVLINK_TRAP_ACTION_TRAP]]+} [packed, align_4]++devlink_trap_set_arg [

It looks like this union is unnecessary, we could use devlink_trap_action_handle directly instead of devlink_trap_set_arg.

amitcohen1

comment created time in 6 days

Pull request review comment google/syzkaller

Add support for devlink trap syscalls

 devlink_port_set { 	port_handle		devlink_port_handle 	DEVLINK_ATTR_PORT_TYPE	nlattr[DEVLINK_ATTR_PORT_TYPE, int16[DEVLINK_PORT_TYPE_NOTSET:DEVLINK_PORT_TYPE_IB]] } [packed, align_4]++type msghdr_nl_devlink_trap_set msghdr_netlink[netlink_msg_t[genl_devlink_family_id, genlmsghdr_t[DEVLINK_CMD_TRAP_SET], devlink_trap_set]]

I see this file does the same above, but this leads to some duplication. A better way to do this is: https://github.com/google/syzkaller/blob/master/sys/linux/socket_netlink_netfilter_queue.txt#L10-L14 If we do one template type for netlink msg with CMD and POLICY as arguments, then we can use it for all sendmsg calls in this file. Please do such refactoring.

amitcohen1

comment created time in 6 days

pull request comment google/syzkaller

Add support for devlink trap syscalls

Hummm... somehow @googlebot does not see your CLA... maybe you used a different email address when you signed the CLA?

amitcohen1

comment created time in 6 days

PR opened google/syzkaller

.github/workflows: add golangci-lint action

Before sending a pull request, please review Contribution Guidelines: https://github.com/google/syzkaller/blob/master/docs/contributing.md


+20 -4

0 comment

1 changed file

pr created time in 6 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha 135c18aadb0147f93d3e2658e42fc7a479b9ad04

tools: add script that checks copyright headers Fixes #1604

view details

Andrey Konovalov

commit sha b4e5deb4365ee0e678d831030cc957609ab27f91

Update syzbot.md

view details

Andrey Konovalov

commit sha 47fae6e9224612a0d0b40f2e39a79323e19855bf

Update syzbot.md

view details

Andrey Konovalov

commit sha b690a6e3360b20e5cbb9fd419a47382281b0d01f

Update syzbot.md

view details

Leo Neat

commit sha 81230308c61b57d9f496c92c439c0d38e07a0d26

CIFuzz: update config file * Update CIFuzz config * Update CIFuzz config

view details

Dmitry Vyukov

commit sha 2dad901a980cab713ca8eadc0b232383bb1ab8f1

.github/workflows: add golangci-lint action

view details

push time in 6 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

Are there other users of this coverage interface besides syzkaller? Is this interface more beneficial to them? I counted 7 syscalls + 8 reads/writes of large arrays to collect coverage from 1 syscall. And the size of the array is always O(kernel_size) even if the target syscall exits immediately on the first argument check. With KCOV interface we don't have any of these overheads. Reset of coverage is 1 memory write, after the target syscall coverage is readily available in memory for consumption, and it's O(syscall) rather than O(kernel_size).

I guess if you use libfuzzer extensively, this interface may be more natural. However, KCOV can be mapped onto libfuzzer interface with minimal overhead: https://github.com/google/syzkaller/blob/master/tools/kcovfuzzer/kcovfuzzer.c#L111-L117

mvanotti

comment created time in 6 days
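The KCOV contract described in the comment above (reset is one memory write, collection reads back only what the traced syscall executed) as a stand-alone Go client. This is an added example, not syzkaller's own code (its implementation lives in the C++ executor); it assumes a Linux kernel built with CONFIG_KCOV, debugfs mounted at /sys/kernel/debug, and the asm-generic ioctl encoding (x86_64, arm64). `UniquePCs` parses the shared area and is usable without a kernel; the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"sort"
	"sync/atomic"
	"syscall"
	"unsafe"
)

// KCOV ioctl numbers from include/uapi/linux/kcov.h, expanded for the
// asm-generic ioctl encoding used on x86_64 and arm64:
// _IOR('c', 1, unsigned long), _IO('c', 100), _IO('c', 101).
const (
	kcovInitTrace = 0x80086301
	kcovEnable    = 0x6364
	kcovDisable   = 0x6365
	kcovTracePC   = 0        // collect PCs rather than comparison operands
	coverSize     = 64 << 10 // number of uint64 slots in the shared area
)

// KCOV wraps one /sys/kernel/debug/kcov descriptor and its shared area.
// area[0] holds the number of PCs the kernel has written; area[1:] the PCs.
type KCOV struct {
	fd   int
	mem  []byte
	area []uint64
}

// OpenKCOV sets up tracing for the calling OS thread. The caller must have
// pinned the goroutine with runtime.LockOSThread first, because KCOV binds
// to a kernel task and goroutines otherwise migrate between threads.
func OpenKCOV() (*KCOV, error) {
	fd, err := syscall.Open("/sys/kernel/debug/kcov", syscall.O_RDWR, 0)
	if err != nil {
		return nil, fmt.Errorf("open kcov: %w", err)
	}
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), kcovInitTrace, coverSize); e != 0 {
		syscall.Close(fd)
		return nil, fmt.Errorf("KCOV_INIT_TRACE: %v", e)
	}
	mem, err := syscall.Mmap(fd, 0, coverSize*8, syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_SHARED)
	if err != nil {
		syscall.Close(fd)
		return nil, fmt.Errorf("mmap kcov area: %w", err)
	}
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), kcovEnable, kcovTracePC); e != 0 {
		syscall.Munmap(mem)
		syscall.Close(fd)
		return nil, fmt.Errorf("KCOV_ENABLE: %v", e)
	}
	area := unsafe.Slice((*uint64)(unsafe.Pointer(&mem[0])), coverSize)
	return &KCOV{fd: fd, mem: mem, area: area}, nil
}

// Reset is the O(1) part of the contract: a single store to the count slot.
func (k *KCOV) Reset() { atomic.StoreUint64(&k.area[0], 0) }

// Collect returns the PCs recorded since Reset, deduplicated. Its cost is
// proportional to what the traced syscall executed, not to kernel size.
func (k *KCOV) Collect() []uint64 { return UniquePCs(k.area) }

func (k *KCOV) Close() {
	syscall.Syscall(syscall.SYS_IOCTL, uintptr(k.fd), kcovDisable, 0)
	syscall.Munmap(k.mem)
	syscall.Close(k.fd)
}

// UniquePCs parses a KCOV-format area: slot 0 is the count, followed by PCs.
// The count is clamped to the area so a bogus value cannot index past it.
func UniquePCs(area []uint64) []uint64 {
	if len(area) == 0 {
		return nil
	}
	n := atomic.LoadUint64(&area[0])
	if n > uint64(len(area)-1) {
		n = uint64(len(area) - 1)
	}
	seen := make(map[uint64]struct{}, n)
	out := make([]uint64, 0, n)
	for _, pc := range area[1 : 1+n] {
		if _, dup := seen[pc]; !dup {
			seen[pc] = struct{}{}
			out = append(out, pc)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

func main() {
	runtime.LockOSThread()
	k, err := OpenKCOV()
	if err != nil {
		fmt.Fprintln(os.Stderr, "kcov unavailable (need CONFIG_KCOV and debugfs):", err)
		return
	}
	defer k.Close()
	k.Reset()
	// Target syscall: a failing open bails out early, so few PCs are recorded.
	syscall.Open("/nonexistent/kcov-demo", syscall.O_RDONLY, 0)
	pcs := k.Collect()
	fmt.Printf("%d unique PCs for open(2)\n", len(pcs))
	limit := len(pcs)
	if limit > 8 {
		limit = 8
	}
	for _, pc := range pcs[:limit] {
		fmt.Printf("  0x%x\n", pc)
	}
}
```

The kernel does its own clamping of area[0], but `UniquePCs` clamps again because the area is shared writable memory and a corrupted kernel under fuzzing is exactly the case where trusting it is unwise.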

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {

executor is C++ code, so we generally do:

struct cover_ctx_t {
...
};
mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 1, ZX_HANDLE_INVALID);+	if (status != ZX_OK) {+		fail("failed to enable coverage. err: %d\n", status);+	}++	status = zx_vmo_create(sizeof(cover.curr_covcount), 0, &cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to create covcount vmo. err: %d\n", status);+	}+}++static size_t snapshot_sancov(uint64_t* dst, size_t elems, const char* filename)+{+	FILE* f = fopen(filename, "rb");+	if (f == NULL) {+		fail("could not open coverage file '%s'", filename);+	}++	size_t n = fread(dst, sizeof(uint64_t), elems, f);+	if (n == elems) {+		fail("pc table is too small. make it bigger.");+	}++	fclose(f);+	return n;+}++static size_t snapshot_pctable(uint64_t* dst, size_t elems)+{+	return snapshot_sancov(dst, elems, kCovPcsFileName);+}++static void snapshot_covcount(uint64_t* dst, size_t elems)+{+	// TODO: Only read the right amount of coverage.+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 2, cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to fetch coverage. 
err: %d\n", status);+	}+	status = zx_vmo_read(cover.covcount_vmo, dst, 0, elems * sizeof(uint64_t));+	if (status != ZX_OK) {+		fail("failed to copy coverage. err: %d\n", status);+	}+}++static void cover_reset(cover_t* cov)+{+	snapshot_covcount(cover.base_covcount, MAX_COVSZ);+}++static void cover_collect(cover_t* cov)
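Review bot: in `snapshot_sancov`, a full read (`n == elems`) is reported as "pc table is too small", but `fread` returning fewer than `elems` entries is accepted without distinguishing end of file from an I/O error, and `n == 0` passes as a valid empty table; check `ferror(f)` after the read, reject `n == 0`, and treat exactly `elems` entries as truncation only if `feof(f)` is false. The opcodes `1` and `2` passed to `zx_coverage_ctl` in `cover_enable` and `snapshot_covcount` are bare integers; name them so the enable/fetch semantics are visible at the call site.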

As far as I remember this can be called not on the target thread in some cases (blocked syscalls), so I think this needs to be using the cov argument in some way.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 1, ZX_HANDLE_INVALID);+	if (status != ZX_OK) {+		fail("failed to enable coverage. err: %d\n", status);+	}++	status = zx_vmo_create(sizeof(cover.curr_covcount), 0, &cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to create covcount vmo. err: %d\n", status);+	}+}++static size_t snapshot_sancov(uint64_t* dst, size_t elems, const char* filename)+{+	FILE* f = fopen(filename, "rb");+	if (f == NULL) {+		fail("could not open coverage file '%s'", filename);+	}++	size_t n = fread(dst, sizeof(uint64_t), elems, f);+	if (n == elems) {+		fail("pc table is too small. make it bigger.");+	}++	fclose(f);+	return n;+}++static size_t snapshot_pctable(uint64_t* dst, size_t elems)+{+	return snapshot_sancov(dst, elems, kCovPcsFileName);+}++static void snapshot_covcount(uint64_t* dst, size_t elems)+{+	// TODO: Only read the right amount of coverage.+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 2, cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to fetch coverage. 
err: %d\n", status);+	}+	status = zx_vmo_read(cover.covcount_vmo, dst, 0, elems * sizeof(uint64_t));+	if (status != ZX_OK) {+		fail("failed to copy coverage. err: %d\n", status);+	}+}++static void cover_reset(cover_t* cov)+{+	snapshot_covcount(cover.base_covcount, MAX_COVSZ);+}++static void cover_collect(cover_t* cov)+{+	snapshot_covcount(cover.curr_covcount, MAX_COVSZ);+	size_t cov_size = snapshot_pctable(cover.pc_table, MAX_COVSZ);+	cover.total_pcs = cov_size;+	size_t num_pcs = 0;+	for (size_t i = 0; i < cov_size; i++) {+		if (cover.pc_table[i] == 0)
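Review bot: `cover_collect` calls `snapshot_pctable`, which `fopen`s `/boot/kernel/data/zircon.elf.1.sancov` and reads up to MAX_COVSZ 8-byte entries, on every collection, i.e. once per executed syscall; the PC table is fixed for a given kernel image, so read it once in `cover_open`, keep `total_pcs` from then on, and only `zx_vmo_read` the counters per call. Also, `static __thread cover_ctx cover` carries three `uint64_t[1<<20]` arrays and one `uint32_t[1<<20]`, roughly 28 MB of static TLS per executor thread; allocate it lazily or size it from `total_pcs` rather than the compile-time maximum.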

What does 0 in the pc table mean?

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{

Check that collect_comps and extra are not set. This should not be called with these flags set, so if they are, some of the assumptions are broken.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 1, ZX_HANDLE_INVALID);+	if (status != ZX_OK) {+		fail("failed to enable coverage. err: %d\n", status);+	}++	status = zx_vmo_create(sizeof(cover.curr_covcount), 0, &cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to create covcount vmo. err: %d\n", status);+	}+}++static size_t snapshot_sancov(uint64_t* dst, size_t elems, const char* filename)+{+	FILE* f = fopen(filename, "rb");+	if (f == NULL) {+		fail("could not open coverage file '%s'", filename);+	}++	size_t n = fread(dst, sizeof(uint64_t), elems, f);

Check for n <= 0? Or how does it signal errors?

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 1, ZX_HANDLE_INVALID);+	if (status != ZX_OK) {+		fail("failed to enable coverage. err: %d\n", status);+	}++	status = zx_vmo_create(sizeof(cover.curr_covcount), 0, &cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to create covcount vmo. err: %d\n", status);+	}+}++static size_t snapshot_sancov(uint64_t* dst, size_t elems, const char* filename)+{+	FILE* f = fopen(filename, "rb");+	if (f == NULL) {+		fail("could not open coverage file '%s'", filename);+	}++	size_t n = fread(dst, sizeof(uint64_t), elems, f);+	if (n == elems) {+		fail("pc table is too small. make it bigger.");+	}++	fclose(f);+	return n;+}++static size_t snapshot_pctable(uint64_t* dst, size_t elems)+{+	return snapshot_sancov(dst, elems, kCovPcsFileName);+}++static void snapshot_covcount(uint64_t* dst, size_t elems)+{+	// TODO: Only read the right amount of coverage.+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 2, cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to fetch coverage. err: %d\n", status);

fail messages don't end with \n here and below

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 static intptr_t execute_syscall(const call_t* c, intptr_t a[kMaxArgs]) 		res = (intptr_t)-1; 	return res; }++void write_call_output(thread_t* th, bool finished)

This duplicates a large part of the original write_call_output, and it seems that this is mostly !SYZ_EXECUTOR_USES_SHMEM specific, rather than GOOS_fuchsia-specific. It seems that we need to add the coverage bit to the main write_call_output function in the !SYZ_EXECUTOR_USES_SHMEM part.

mvanotti

comment created time in 6 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

The coverage obtained from Fuchsia is in Sancov format. For x86_64, the PC is set to the return address of the sanitizer_cov_trace_pc_guard function - 1 (this is because in x86 instruction size is variable).

Isn't it 5 always? We rely on 5 in the pkg/cover/report.go. What are the other possible sizes?

The difference between "the call instruction" and "the instruction after the call" should not matter for syzkaller, as coverage wise it should be the same.

I think the debug info can be different in some cases. But we subtract the call instruction length later and always get PC pointing to the beginning of the call instruction. So strictly speaking, it's not that it does not matter, it's that the executor coverage contract specifically requires an implementation to return PCs exactly after the call instruction.

mvanotti

comment created time in 6 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

This branch has conflicts that must be resolved pkg/cover/report.go

This probably conflicts with 5e3bc74104143da1d2584bf2bf312ae277caf756 So the base version is older than Jan 3. Please rebase to HEAD.

mvanotti

comment created time in 6 days

pull request comment google/syzkaller

cover: add code coverage for fuchsia.

Yet to read executor code more carefully. But I am excited about coverage for fuchsia!

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)+			remain = filepath.Clean(strings.TrimPrefix(fname, rg.srcDir))+		} else if !strings.HasPrefix(fname, rg.buildDir) {
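Review bot: `strings.HasPrefix(fname, rg.buildDir)` in both the old and the new condition is a string prefix, not a path prefix: with buildDir `/src/linux` a file recorded as `/src/linux-next/x.c` passes the check and the later strip yields `-next/x.c`. Compare against `rg.buildDir` with a trailing `filepath.Separator`, or use `filepath.Rel` and reject results starting with `..`; the same applies to `strings.TrimPrefix(fname, rg.srcDir)` in the relative-path branch.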

I wonder if we could only change the if condition in the original code to:

if filepath.IsAbs(fname) && !strings.HasPrefix(fname, rg.buildDir) {

So that we don't error on relative path. The rest may just work. We will try to strip buildDir, but it can't be a prefix (one starts with /, another doesn't), so that will be a no-op.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 #include <stdlib.h> #include <string.h> #include <unistd.h>+#include <zircon/process.h> #include <zircon/syscalls.h> -#include "nocover.h"+#define MAX_COVSZ (1ULL << 20)++// In x86_64, sancov stores the return address - 1.+// We add 1 so the stored value points to a valid pc.+static const uint64_t kPcFixup = 1;++static const char* kCovPcsFileName = "/boot/kernel/data/zircon.elf.1.sancov";++typedef struct cover_ctx_t {+	uint64_t base_covcount[MAX_COVSZ];+	uint64_t curr_covcount[MAX_COVSZ];+	uint64_t pc_table[MAX_COVSZ];+	uint32_t real_coverage_truncated[MAX_COVSZ];+	size_t total_pcs; // number of elements in pc_table and covcount tables, determined by kernel.+	zx_handle_t covcount_vmo;+} cover_ctx;++static __thread cover_ctx cover;++static void cover_open(cover_t* cov, bool extra)+{+}++static void cover_enable(cover_t* cov, bool collect_comps, bool extra)+{+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 1, ZX_HANDLE_INVALID);+	if (status != ZX_OK) {+		fail("failed to enable coverage. err: %d\n", status);+	}++	status = zx_vmo_create(sizeof(cover.curr_covcount), 0, &cover.covcount_vmo);+	if (status != ZX_OK) {+		fail("failed to create covcount vmo. err: %d\n", status);+	}+}++static size_t snapshot_sancov(uint64_t* dst, size_t elems, const char* filename)+{+	FILE* f = fopen(filename, "rb");+	if (f == NULL) {+		fail("could not open coverage file '%s'", filename);+	}++	size_t n = fread(dst, sizeof(uint64_t), elems, f);+	if (n == elems) {+		fail("pc table is too small. make it bigger.");+	}++	fclose(f);+	return n;+}++static size_t snapshot_pctable(uint64_t* dst, size_t elems)+{+	return snapshot_sancov(dst, elems, kCovPcsFileName);+}++static void snapshot_covcount(uint64_t* dst, size_t elems)+{+	// TODO: Only read the right amount of coverage.+	zx_status_t status = zx_coverage_ctl(zx_thread_self(), 2, cover.covcount_vmo);+	if (status != ZX_OK) {

No {} around 1-line statement blocks. Here and everywhere else.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)+			remain = filepath.Clean(strings.TrimPrefix(fname, rg.srcDir))

Wait, we just prepended buildDir and now trying to remove srcDir prefix... I don't understand.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string

remain := "" is the syntax we generally use

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.+			fname = filepath.Join(rg.buildDir, fname)

This should be srcDir. buildDir is where the sources were when the kernel was built, now we could be on a different machine where the sources are in a different dir (srcDir). In the current impl we strip buildDir and append srcDir. Since here we have a relative path, buildDir is effectively stripped already. So now we just need to append srcDir.

mvanotti

comment created time in 6 days
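The buildDir/srcDir mapping spelled out in the comment above, as an added Go example (not syzkaller's pkg/cover code): relative debug-info names get srcDir prepended, absolute names must lie under buildDir and have that prefix swapped for srcDir, and the prefix test is a path test rather than a string test. It also rejects names that would climb out of the tree, since the report generator ends up opening whatever path this produces. The `SourceMapper` type and its method names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// SourceMapper translates file names found in kernel debug info into paths
// on the report-generating machine. BuildDir is where the sources lived when
// the kernel was compiled (the compiler records it); SrcDir is where the same
// tree is checked out now.
type SourceMapper struct {
	BuildDir string
	SrcDir   string
}

var ErrOutsideTree = errors.New("file is outside the kernel source tree")

// underDir reports whether path is dir or lies below it, as a path rather
// than as a string prefix: /src/linux-next/x.c is not under /src/linux.
func underDir(path, dir string) bool {
	path, dir = filepath.Clean(path), filepath.Clean(dir)
	return path == dir || strings.HasPrefix(path, dir+string(filepath.Separator))
}

// Resolve returns the local path and the path relative to the source root.
// Relative debug-info names are already relative to BuildDir (the prefix is
// effectively stripped), so only SrcDir is prepended; absolute names must be
// under BuildDir and have that prefix replaced. Anything that would escape
// the tree via ".." is rejected so a crafted object file cannot make the
// report reader open arbitrary files.
func (m SourceMapper) Resolve(fname string) (local, remain string, err error) {
	if filepath.IsAbs(fname) {
		if !underDir(fname, m.BuildDir) {
			return "", "", fmt.Errorf("%w: %s", ErrOutsideTree, fname)
		}
		if remain, err = filepath.Rel(m.BuildDir, fname); err != nil {
			return "", "", err
		}
	} else {
		remain = filepath.Clean(fname)
	}
	sep := string(filepath.Separator)
	if remain == "." || remain == ".." || strings.HasPrefix(remain, ".."+sep) {
		return "", "", fmt.Errorf("%w: %s", ErrOutsideTree, fname)
	}
	return filepath.Join(m.SrcDir, remain), remain, nil
}

func main() {
	m := SourceMapper{BuildDir: "/build/linux", SrcDir: "/home/me/linux"}
	inputs := []string{
		"kernel/fork.c",               // relative: srcDir prepended
		"/build/linux/net/core/dev.c", // absolute under buildDir: prefix swapped
		"/build/linux-next/x.c",       // string prefix only: rejected
		"../../etc/passwd",            // escapes the tree: rejected
	}
	for _, f := range inputs {
		local, remain, err := m.Resolve(f)
		fmt.Printf("%-30s -> local=%q remain=%q err=%v\n", f, local, remain, err)
	}
}
```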

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func Check(target *prog.Target) (*Features, error) { 		FeatureDevlinkPCI:       {Name: "devlink PCI setup", Reason: unsupported}, 	} 	if targets.Get(target.OS, target.Arch).HostFuzzer {+		// TODO(1603): HostFuzzer Mode checks have to be run on syz-executor.+		if target.OS == "fuchsia" {+			res[FeatureCoverage].Enabled = true+			res[FeatureCoverage].Reason = "Pending on-target detection, assumed to be available."
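Review bot: setting `res[FeatureCoverage].Enabled = true` unconditionally for fuchsia means the manager advertises coverage without any probe, so a target image built without sancov instrumentation is only discovered when the executor fails at coverage-enable time. Until the on-target check referenced by TODO(1603) exists, gate this on a cheap host-side indicator (for example, presence of the sancov PC table in the image), and keep the `Reason` text in the same style as the other entries (lower-case, stating why rather than recording an assumption).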

nit: we never start these messages from capital letter

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func readSymbols(obj string) ([]symbol, error) { 	return symbols, nil } +func containsTraceFunc(data []byte, traceFuncs []string) bool {+	for _, traceFunc := range traceFuncs {+		if bytes.Contains(data, []byte(traceFunc)) {

That dance around pre-converting the strings to []byte before the outer loop is specifically to avoid allocating a temp buffer and generating garbage for each line of output. Maybe the compiler is smart enough nowadays to avoid this conversion, I don't know. But __sanitizer_cov_trace_pc is a prefix of __sanitizer_cov_trace_pc_guard and there are unlikely to be other functions starting with __sanitizer_cov_trace_pc which are not coverage, right? So perhaps we don't need any of the changes here. Matching "callq __sanitizer_cov_trace_pc" looks good enough to me. We could add a comment near the __sanitizer_cov_trace_pc string to note that it matches the _guard version as well.

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (rg *ReportGenerator) generate(w io.Writer, progs []Prog, files map[string] 		Root: new(templateDir), 	} 	for fname, file := range files {-		if !strings.HasPrefix(fname, rg.buildDir) {+		var remain string+		if !filepath.IsAbs(fname) {+			// If it's a relative path, it is relative to the build directory.

s/build/source/

mvanotti

comment created time in 6 days

Pull request review comment google/syzkaller

cover: add code coverage for fuchsia.

 func (c *command) exec(opts *ExecOpts, progData []byte) (output []byte, hanged b 		if _, err := io.ReadFull(c.inrp, callReplyData); err != nil { 			break 		}-		if callReply.signalSize != 0 || callReply.coverSize != 0 || callReply.compsSize != 0 {-			// This is unsupported yet.-			fmt.Fprintf(os.Stderr, "executor %v: got call reply with coverage\n", c.pid)-			os.Exit(1)-		} 		copy(outmem, callReplyData) 		outmem = outmem[len(callReplyData):]+		signalBuf := make([]byte, uint32(unsafe.Sizeof(uint32(0)))*callReply.signalSize)
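Review bot: `uint32(unsafe.Sizeof(uint32(0)))*callReply.signalSize` multiplies in uint32, so a `signalSize` of 0x40000000 or more from a misbehaving executor wraps to a small value, and otherwise `make([]byte, ...)` allocates whatever size the executor reported before any bound against `outmem` is applied. Compute the byte count in int or uint64, check it against `len(outmem)` before reading, and read with `io.ReadFull` straight into `outmem[:size]`, which also removes the temporary buffer and the copy.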

We can read directly into outmem without generating garbage for temp buffer and copying.

signalSize := int(unsafe.Sizeof(uint32(0)))*int(callReply.signalSize)
if signalSize > len(outmem) {...}
if _, err := io.ReadFull(c.inrp, outmem[:signalSize]); err != nil {...}
outmem = outmem[signalSize:]
mvanotti

comment created time in 6 days
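The bounded, copy-free read suggested in the comment above, carried through for all three variable-length sections of a call reply. This is an added example, not syzkaller's ipc code: the 12-byte little-endian header of three uint32 counts and the per-section element sizes are assumed for illustration, and the function names are this example's own. The point it demonstrates is that the counts come from the executor process, which under fuzzing may itself be corrupted, so they are multiplied in uint64 and checked against the buffer before any read or allocation.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Per-call reply layout assumed for this example: a 12-byte little-endian
// header of three uint32 counts (signal, cover, comps entries), followed by
// the three variable-length sections. Element sizes are illustrative.
const (
	headerSize     = 12
	signalElemSize = 4  // one uint32 per signal entry
	coverElemSize  = 4  // one uint32 PC offset per cover entry
	compsElemSize  = 24 // three uint64 per comparison record
)

var ErrReplyTooLarge = errors.New("call reply exceeds output buffer")

// readSection copies count*elemSize bytes from r into the front of out and
// returns the unused tail. The size is computed in uint64 so a hostile count
// cannot wrap, and it is bounded against the buffer before any read, so no
// temporary allocation sized by the peer ever happens.
func readSection(r io.Reader, out []byte, count uint32, elemSize int) ([]byte, error) {
	size := uint64(count) * uint64(elemSize)
	if size > uint64(len(out)) {
		return nil, fmt.Errorf("%w: %d entries x %d bytes, %d bytes left",
			ErrReplyTooLarge, count, elemSize, len(out))
	}
	if _, err := io.ReadFull(r, out[:size]); err != nil {
		return nil, err
	}
	return out[size:], nil
}

// ReadCallReply reads one header and its sections straight into outmem and
// returns how many bytes of outmem were filled.
func ReadCallReply(r io.Reader, outmem []byte) (int, error) {
	if len(outmem) < headerSize {
		return 0, fmt.Errorf("%w: no room for header", ErrReplyTooLarge)
	}
	if _, err := io.ReadFull(r, outmem[:headerSize]); err != nil {
		return 0, err
	}
	sections := []struct {
		count    uint32
		elemSize int
	}{
		{binary.LittleEndian.Uint32(outmem[0:4]), signalElemSize},
		{binary.LittleEndian.Uint32(outmem[4:8]), coverElemSize},
		{binary.LittleEndian.Uint32(outmem[8:12]), compsElemSize},
	}
	rest := outmem[headerSize:]
	for _, s := range sections {
		var err error
		if rest, err = readSection(r, rest, s.count, s.elemSize); err != nil {
			return 0, err
		}
	}
	return len(outmem) - len(rest), nil
}

func main() {
	// Constructed reply: 2 signal entries, 1 cover entry, no comps.
	good := []byte{
		2, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
		0x11, 0, 0, 0, 0x22, 0, 0, 0,
		0x33, 0, 0, 0,
	}
	out := make([]byte, 64)
	n, err := ReadCallReply(bytes.NewReader(good), out)
	fmt.Println("good reply: bytes used =", n, "err =", err)
	// Hostile header: 0x40000000 signal entries. In uint32 arithmetic
	// 0x40000000*4 wraps to 0 and would slip past a naive bounds check.
	bad := []byte{0, 0, 0, 0x40, 0, 0, 0, 0, 0, 0, 0, 0}
	_, err = ReadCallReply(bytes.NewReader(bad), out)
	fmt.Println("hostile reply: err =", err)
}
```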

push event google/syzkaller

Leo Neat

commit sha 81230308c61b57d9f496c92c439c0d38e07a0d26

CIFuzz: update config file * Update CIFuzz config * Update CIFuzz config

view details

push time in 6 days

PR merged google/syzkaller

Update CIFuzz .yml file

This change is necessary to keep in sync with the CIFuzz action config. Sorry for the inconvenience, and thanks for dogfooding CIFuzz!

+3 -2

1 comment

1 changed file

Leo-Neat

pr closed time in 6 days

push event llvm/llvm-project

Daniel Fava

commit sha 9b91bcf6c6187afb488ef6e12b8ef245b6635fd2

tsan: removing redundant loop in ThreadClock::release() The removed loop clears reused for entries at the tail of a SyncClock. The loop is redundant since those entries were already cleared by the immediately preceding loop, which iterates over all entries in the SyncClock (including the tail entries).

view details

push time in 6 days

create branch dvyukov/llvm-project

branch : dvyukov-pthread-detach-fix

created branch time in 6 days

fork dvyukov/llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies. Note: the repository does not accept github pull requests at this moment. Please submit your patches at http://reviews.llvm.org.

http://llvm.org

fork in 6 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

Is there some kind of active spinning involved? That would explain the manifestation.

HerrSpace

comment created time in 7 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

There seems to be some problem with synchronization/scheduling. go-fuzz sets GOMAXPROCS to 1 somewhere, that may be the root cause. Try to call runtime.GOMAXPROCS(1) in your standalone test as well. And comment out GOMAXPROCS(1) in go-fuzz. These 2 experiments should confirm or decline the hypothesis. Where is the source code for NewLexerWithInit? What does it do with select? Can't find it, it does not exist in the sources...

HerrSpace

comment created time in 7 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

Note that cover does go up eventually if I keep it running for a few more seconds.

Ah, then it's something different. Does it consume 100% CPU? Is it go-fuzz or the subprocess? Profiling one/both with perf may shed some light.

HerrSpace

comment created time in 7 days

PR closed google/syzkaller

.github/workflows: add golangci-lint action

Before sending a pull request, please review Contribution Guidelines: https://github.com/google/syzkaller/blob/master/docs/contributing.md


+26 -4

2 comments

1 changed file

dvyukov

pr closed time in 7 days

pull request comment google/syzkaller

.github/workflows: add golangci-lint action

I gave up, I can't set up any of the golangci actions.

dvyukov

comment created time in 7 days

PR closed google/syzkaller

adding some files without copyright for testing

Update #1604


Before sending a pull request, please review Contribution Guidelines: https://github.com/google/syzkaller/blob/master/docs/contributing.md


+1 -7

1 comment

3 changed files

dvyukov

pr closed time in 7 days

pull request comment google/syzkaller

adding some files without copyright for testing

fails as expected:

./prog/mutation.go: does not have standard copyright statement
./sys/linux/test.txt: does not have standard copyright statement
./sys/linux/sys.txt: does not have standard copyright statement
dvyukov

comment created time in 7 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

I suspect the real problem is this: corpus: 1, cover: 0. I have seen this before with cgo enabled when go-fuzz-build failed to instrument most packages. I don't remember if it also resulted in slow execution or not.

HerrSpace

comment created time in 8 days

PR opened google/syzkaller

adding some files without copyright for testing

Update #1604


Before sending a pull request, please review Contribution Guidelines: https://github.com/google/syzkaller/blob/master/docs/contributing.md


+1 -7

0 comment

3 changed files

pr created time in 8 days

create branch dvyukov/syzkaller

branch : dvyukov-no-copyright

created branch time in 8 days

issue closed google/syzkaller

all: add static check for copyright messages

We could check all *.go and *.txt files for proper copyright messages. A simple regexp check should do. This comes up periodically on PRs.

closed time in 8 days

dvyukov

push event google/syzkaller

Dmitry Vyukov

commit sha 135c18aadb0147f93d3e2658e42fc7a479b9ad04

tools: add script that checks copyright headers Fixes #1604

view details

push time in 8 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha 7fece5fe27842a56dc82851ff7a90be4718b22ef

.github/workflows: add golangci-lint action

view details

push time in 8 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha 90532cc101ee05436fd4de8149d5a0c5b334e216

.github/workflows: add golangci-lint action

view details

push time in 8 days

issue comment dvyukov/go-fuzz

Q: Debugging abysmal execution numbers

Please try to export CGO_ENABLED=0 and then re-run go-fuzz-build and go-fuzz.

HerrSpace

comment created time in 8 days

issue comment actions-contrib/golangci-lint

GOPATH is wrong during action execution

Found a way to fix the checkout problem:

  golangci-lint:
    runs-on: ubuntu-latest
    env:
      GOPATH: /home/runner/work/syzkaller/syzkaller/go
    steps:
    - uses: actions/checkout@v2
      with:
        path: 'go/src/github.com/google/syzkaller'
    - name: Run
      uses: actions-contrib/golangci-lint@v1

But the action still fails:

Run actions-contrib/golangci-lint@v1
/usr/bin/docker run --name dfbac039bd7b8c04c1ca2a4a6d0ea881e51_486c93 --label 488dfb --workdir /github/workspace --rm -e GOPATH -e INPUT_GOLANGCI_LINT_VERSION -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/syzkaller/syzkaller":"/github/workspace" 488dfb:ac039bd7b8c04c1ca2a4a6d0ea881e51
level=error msg="Running error: context loading failed: no go files to analyze"
level=error msg="Timeout exceeded: try increase it by passing --timeout option"
##[error]Docker run failed with exit code 4

Presumably it expects sources in the default location? But it can't possibly work with GOPATH...

dvyukov

comment created time in 8 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha ceb7e2e0bd115eecb45f7c588ff6df2b5620dd9d

.github/workflows: add golangci-lint action

view details

push time in 8 days

push event dvyukov/syzkaller

Dmitry Vyukov

commit sha f27a92cc0a9763600c9e327352815a5b5f9417e3

.github/workflows: add golangci-lint action

view details

push time in 8 days

issue opened actions-contrib/golangci-lint

GOPATH is wrong during action execution

I've tried to use this action in my project following the instruction: https://github.com/google/syzkaller/pull/1608/files

The run failed: https://github.com/google/syzkaller/pull/1608/checks?check_run_id=452499065 The main reason seems to be that the project is checked out outside of GOPATH:

/github/workspace/pkg/cover/report.go:20:2: could not import github.com/google/syzkaller/pkg/osutil (pkg/bisect/bisect.go:15:2: cannot find package "github.com/google/syzkaller/pkg/osutil" in any of:
	/usr/local/go/src/github.com/google/syzkaller/pkg/osutil (from $GOROOT)
	/go/src/github.com/google/syzkaller/pkg/osutil (from $GOPATH))

I guess it's very common for any Go project. Is there an example of how to do this properly? The instructions probably need to be updated as well.

created time in 8 days

PR opened google/syzkaller

.github/workflows: add golangci-lint action

Before sending a pull request, please review Contribution Guidelines: https://github.com/google/syzkaller/blob/master/docs/contributing.md


+9 -4

0 comment

1 changed file

pr created time in 8 days

create branch dvyukov/syzkaller

branch : dyukov-actions

created branch time in 8 days

push event google/syzkaller

Dmitry Vyukov

commit sha b97f1e694a1c096eac2f48c6e3ca47e8a3c4693c

sys/linux: add broadcast mac address

Code in net/ethernet/eth.c does this:

__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
	...
	if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) {
		if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
			if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
				skb->pkt_type = PACKET_BROADCAST;
			else
				skb->pkt_type = PACKET_MULTICAST;
		} else {
			skb->pkt_type = PACKET_OTHERHOST;
		}
	}

Multicast and broadcast are distinct and dev->broadcast seems to be ffffffffffff by default, so add another multicast mac address that will serve as PACKET_MULTICAST.

view details

Dmitry Vyukov

commit sha 39cd0f85a1ac60b88c793bd8f4a981227614da88

executor: disable IFF_NAPI_FRAGS

Update #1594

view details

Dmitry Vyukov

commit sha 105edea6a39c242eef7a02d92d84497966e7c81b

sys/linux: fix udp test

Fix the packet injection in udp test. Now we know how to do it! And without IFF_NAPI_FRAGS it actually reaches the socket.

Update #1594

view details

Dmitry Vyukov

commit sha d52d4872e357a88800726f671e237a2a8e3c201f

sys/linux: don't extract from futex.txt and watch_queue.txt

These are not present in linux-next.

view details

Dmitry Vyukov

commit sha 012fbc3229ebef871a201ea431b16610e6e0d345

sys/linux: add descriptions of wireguard packets

view details

push time in 8 days

issue comment google/syzkaller

sys/linux: ingress UDP coverage

I've managed to create a packet that reaches wg_receive, that is:

syz_emit_ethernet(AUTO, &AUTO={@local, @empty, @void, {@ipv4={AUTO, @udp={{AUTO, AUTO, 0x0, 0x0, AUTO, 0x0, 0x0, 0x0, AUTO, 0x0, @empty, @empty, {[]}}, {0x0, 0x4e22, AUTO, 0x0, [], ""/10}}}}}, 0x0)

Had to enumerate all possible combinations of local/remote mac, local/remote ip, local/remote port.

However, this is only without IFF_NAPI_FRAGS. With IFF_NAPI_FRAGS it reaches udp_gro_receive, but does not get past:

if (!sk || NAPI_GRO_CB(skb)->encap_mark ||
    (skb->ip_summed != CHECKSUM_PARTIAL &&
     NAPI_GRO_CB(skb)->csum_cnt == 0 &&
     !NAPI_GRO_CB(skb)->csum_valid) ||
    !udp_sk(sk)->gro_receive)
    goto out;

dvyukov

comment created time in 8 days

push event google/syzkaller

Christoph Paasch

commit sha 1ce142dcc7e25341405592c66bcb7cb0d60d2b3a

dashboard/config: Add CONFIG_MPTCP to default configs and update to 5.6-rc1

view details

push time in 8 days

issue comment google/syzkaller

sys/linux: ingress UDP coverage

Even without IFF_NAPI_FRAGS, all packets we inject get rejected on the following check:

static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net)
{
	const struct iphdr *iph;
	u32 len;

	/* When the interface is in promisc. mode, drop all the crap
	 * that it receives, do not try to analyse it.
	 */
	if (skb->pkt_type == PACKET_OTHERHOST)
		goto drop;

Somehow we need to get something other than PACKET_OTHERHOST... Why is it dropping all remote packets?... How do remote packets get into stack then?...

dvyukov

comment created time in 8 days

push event google/syzkaller

Dmitry Vyukov

commit sha ed8812ac86c117831a001923d3048b0acd04ed3e

executor: refactor extra cover handling

One observation is that checking for extra cover is very fast (effectively a memory load), so we can simplify code by removing th->extra_cover and just check for it always. Additionally, we may grab some coverage that we would miss otherwise.

Don't sleep for 500 ms at the end if colliding, we are not going to use the extra coverage in that case anyway.

Check for extra coverage at the end every 100ms to avoid being killed on timeout before we write any.

Make the 500ms sleep at the end parametrizable. Enable it for syz_usb syscalls, so we get the same behavior for usb.

But this also allows to get extra coverage for other subsystems. Some subsystems don't have a good way to detect if we will get any extra coverage or not. Sleeping for 500ms for all programs slows down fuzzing too much. So we check for extra coverage at the end for all programs (cheap anyway), but sleep only for usb program. This allows to collect extra coverage for vhost and maybe wireguard in future.

Update #806

view details

push time in 9 days

PR merged google/syzkaller

executor: refactor extra cover handling

One observation is that checking for extra cover is very fast (effectively a memory load), so we can simplify code by removing th->extra_cover and just check for it always. Additionally, we may grab some coverage that we would miss otherwise.

Don't sleep for 500 ms at the end if colliding, we are not going to use the extra coverage in that case anyway.

Check for extra coverage at the end every 100ms to avoid being killed on timeout before we write any.

Make the 500ms sleep at the end parametrizable. Enable it for syz_usb syscalls, so we get the same behavior for usb.

But this also allows to get extra coverage for other subsystems. Some subsystems don't have a good way to detect if we will get any extra coverage or not. Sleeping for 500ms for all programs slows down fuzzing too much. So we check for extra coverage at the end for all programs (cheap anyway), but sleep only for usb program. This allows to collect extra coverage for vhost and maybe wireguard in future.

Update #806

+16 -18

1 comment

1 changed file

dvyukov

pr closed time in 9 days

push event google/syzkaller

Dmitry Vyukov

commit sha a416e6ee334c1296afb33357ee1ae0b6f0d16cff

dashboard/app: remove stub test

This is not needed anymore since we don't have build tags on all test files.

view details

Dmitry Vyukov

commit sha 72bfa6f2b74dd2db688c0ca737eb6f3fe24b6a86

docs: fix go get instructions

view details

push time in 9 days

issue closed google/syzkaller

OpenBSD 6.6 - fatal error: runtime: out of memory

OpenBSD 6.6

$ gmake all

GOOS=openbsd GOARCH=amd64 go install ./syz-manager
# github.com/google/syzkaller/sys/linux/gen
fatal error: runtime: out of memory

runtime stack:
runtime.throw(0xe3fdd0, 0x16)
    /usr/local/go/src/runtime/panic.go:774 +0x72
runtime.sysMap(0xc054000000, 0x4000000, 0x15bef58)
    /usr/local/go/src/runtime/mem_bsd.go:63 +0xc5
runtime.(*mheap).sysAlloc(0x1597200, 0x2000, 0x41c352, 0x225e36008)
    /usr/local/go/src/runtime/malloc.go:701 +0x1cd
runtime.(*mheap).grow(0x1597200, 0x1, 0xffffffff)
    /usr/local/go/src/runtime/mheap.go:1252 +0x42
runtime.(*mheap).allocSpanLocked(0x1597200, 0x1, 0x15bef68, 0x2ae3d7120)
    /usr/local/go/src/runtime/mheap.go:1163 +0x272
runtime.(*mheap).alloc_m(0x1597200, 0x1, 0x15b0012, 0x2ae3d7120)
    /usr/local/go/src/runtime/mheap.go:1015 +0xc2
runtime.(*mheap).alloc.func1()
    /usr/local/go/src/runtime/mheap.go:1086 +0x4c
runtime.systemstack(0x0)
    /usr/local/go/src/runtime/asm_amd64.s:370 +0x66
runtime.mstart()
    /usr/local/go/src/runtime/proc.go:1146

goroutine 1 [running]:
runtime.systemstack_switch()
    /usr/local/go/src/runtime/asm_amd64.s:330 fp=0xc03c14ca28 sp=0xc03c14ca20 pc=0x458ba0
runtime.(*mheap).alloc(0x1597200, 0x1, 0x10012, 0x0)
    /usr/local/go/src/runtime/mheap.go:1085 +0x8a fp=0xc03c14ca78 sp=0xc03c14ca28 pc=0x42492a
runtime.(*mcentral).grow(0x1597a20, 0x0)
    /usr/local/go/src/runtime/mcentral.go:255 +0x7b fp=0xc03c14cab8 sp=0xc03c14ca78 pc=0x416cbb
runtime.(*mcentral).cacheSpan(0x1597a20, 0x203014)
    /usr/local/go/src/runtime/mcentral.go:106 +0x2fe fp=0xc03c14cb18 sp=0xc03c14cab8 pc=0x4167de
runtime.(*mcache).refill(0x225e29008, 0x12)
    /usr/local/go/src/runtime/mcache.go:138 +0x85 fp=0xc03c14cb38 sp=0xc03c14cb18 pc=0x416285
runtime.(*mcache).nextFree(0x225e29008, 0x12, 0xdb3080, 0xe1e501, 0xffffffffffff)
    /usr/local/go/src/runtime/malloc.go:854 +0x87 fp=0xc03c14cb70 sp=0xc03c14cb38 pc=0x40b4f7
runtime.mallocgc(0x80, 0xe1e5a0, 0xc009750d01, 0xc03c14ccb8)
    /usr/local/go/src/runtime/malloc.go:1022 +0x793 fp=0xc03c14cc10 sp=0xc03c14cb70 pc=0x40be33
runtime.newobject(0xe1e5a0, 0xc009750d00)
    /usr/local/go/src/runtime/malloc.go:1151 +0x38 fp=0xc03c14cc40 sp=0xc03c14cc10 pc=0x40c228
cmd/compile/internal/gc.nodl(0x125c803000000008, 0xc03c14cc05, 0x0, 0x0, 0xc0000657a0)
    /usr/local/go/src/cmd/compile/internal/gc/subr.go:322 +0x11a fp=0xc03c14cc78 sp=0xc03c14cc40 pc=0xcda7fa
cmd/compile/internal/gc.nod(...)
    /usr/local/go/src/cmd/compile/internal/gc/subr.go:299
cmd/compile/internal/gc.nodlit(0xdb3340, 0xc009750d00, 0xdb3340)
    /usr/local/go/src/cmd/compile/internal/gc/const.go:1061 +0x3e fp=0xc03c14ccc8 sp=0xc03c14cc78 pc=0xbf106e
cmd/compile/internal/gc.(*noder).expr(0xc0002ec3f0, 0xfdd360, 0xc01d005440, 0xc053ffff80)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:605 +0x1568 fp=0xc03c14ced8 sp=0xc03c14ccc8 pc=0xc572f8
cmd/compile/internal/gc.(*noder).exprs(0xc0002ec3f0, 0xc01cff7880, 0x2, 0x2, 0x0, 0x0, 0xc053ffff80)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:592 +0x94 fp=0xc03c14cf58 sp=0xc03c14ced8 pc=0xc55cb4
cmd/compile/internal/gc.(*noder).expr(0xc0002ec3f0, 0xfdd4e0, 0xc01d001c20, 0xc053fffe00)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:611 +0x706 fp=0xc03c14d168 sp=0xc03c14cf58 pc=0xc56496
cmd/compile/internal/gc.(*noder).exprs(0xc0002ec3f0, 0xc01d030000, 0x26a2, 0x3000, 0x0, 0x0, 0xc053bf4200)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:592 +0x94 fp=0xc03c14d1e8 sp=0xc03c14d168 pc=0xc55cb4
cmd/compile/internal/gc.(*noder).expr(0xc0002ec3f0, 0xfdd4e0, 0xc01bcd7130, 0x0)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:611 +0x706 fp=0xc03c14d3f8 sp=0xc03c14d1e8 pc=0xc56496
cmd/compile/internal/gc.(*noder).exprList(0xc0002ec3f0, 0xfdd4e0, 0xc01bcd7130, 0x0, 0xc053b2de00, 0x1)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:586 +0x5a fp=0xc03c14d448 sp=0xc03c14d3f8 pc=0xc55b5a
cmd/compile/internal/gc.(*noder).varDecl(0xc0002ec3f0, 0xc01bcd70e0, 0xc01bcd70e0, 0x1027705000000008, 0xc01bcd70e0)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:359 +0x1b4 fp=0xc03c14d4e0 sp=0xc03c14d448 pc=0xc53d04
cmd/compile/internal/gc.(*noder).decls(0xc0002ec3f0, 0xc014b04f00, 0x8, 0x8, 0x0, 0x0, 0xc03c14d610)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:292 +0x1d2 fp=0xc03c14d5b8 sp=0xc03c14d4e0 pc=0xc52f92
cmd/compile/internal/gc.(*noder).node(0xc0002ec3f0)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:244 +0xcc fp=0xc03c14d6e0 sp=0xc03c14d5b8 pc=0xc5248c
cmd/compile/internal/gc.parseFiles(0xc000001490, 0x7, 0x7, 0x2)
    /usr/local/go/src/cmd/compile/internal/gc/noder.go:62 +0x326 fp=0xc03c14d7e8 sp=0xc03c14d6e0 pc=0xc51046
cmd/compile/internal/gc.Main(0xe57170)
    /usr/local/go/src/cmd/compile/internal/gc/main.go:512 +0x254a fp=0xc03c14dee8 sp=0xc03c14d7e8 pc=0xc4507a
main.main()
    /usr/local/go/src/cmd/compile/main.go:51 +0xac fp=0xc03c14df60 sp=0xc03c14dee8 pc=0xd7cb4c
runtime.main()
    /usr/local/go/src/runtime/proc.go:203 +0x21e fp=0xc03c14dfe0 sp=0xc03c14df60 pc=0x42ea3e
runtime.goexit()
    /usr/local/go/src/runtime/asm_amd64.s:1357 +0x1 fp=0xc03c14dfe8 sp=0xc03c14dfe0 pc=0x45aaf1
gmake: *** [Makefile:109: host] Error 2

Contact me on root@mailbsd.org for more Debug Info.

closed time in 9 days

FollowMeDown