
google / syzkaller Goto Github PK


syzkaller is an unsupervised coverage-guided kernel fuzzer

License: Apache License 2.0

Go 81.35% Makefile 0.36% C++ 1.56% C 9.68% Assembly 0.19% HTML 0.93% CSS 0.11% Python 0.94% Shell 1.11% JavaScript 0.07% Yacc 0.12% Ragel 0.10% Roff 3.36% Dockerfile 0.12%
linux kernel fuzz-testing fuzzing fuzzer testing security security-vulnerability security-tools

syzkaller's Introduction

syzkaller - kernel fuzzer


syzkaller ([siːzˈkɔːlə]) is an unsupervised coverage-guided kernel fuzzer.
Supported OSes: Akaros, FreeBSD, Fuchsia, gVisor, Linux, NetBSD, OpenBSD, Windows.

Mailing list: [email protected] (join on web or by email).

Found bugs: Akaros, Darwin/XNU, FreeBSD, Linux, NetBSD, OpenBSD, Windows.

Documentation

Initially, syzkaller was developed with Linux kernel fuzzing in mind, but now it's being extended to support other OS kernels as well. Most of the documentation at this moment is related to the Linux kernel. For other OS kernels check: Akaros, Darwin/XNU, FreeBSD, Fuchsia, NetBSD, OpenBSD, Starnix, Windows, gVisor.

Disclaimer

This is not an official Google product.

syzkaller's People

Contributors

a-nogikh, ajdlinux, avagin, blackgnezdo, corkamig, dependabot[bot], dvyukov, eaibmz, ebiggers, eprucka3, evdenis, herrspace, hogander-unikie, hrutvik, joeyjiaojg, kalder, l0kod, markjdb, melver, mptre, mvanotti, necipfazil, pchaigno, r3x, ramosian-glider, shankarapailoor, tarasmadan, tklauser, tuexen, xairy

syzkaller's Issues

manager: show uncovered lines in coverage report

syz-manager shows coverage on the web interface.
Currently it highlights only covered lines. It would be useful to also highlight uncovered lines with a different color.
Code instrumentation is done in compiler middle end after some optimizations. So sometimes it is difficult to understand if a branch is not covered or compiler just optimized it out (no branch in resulting code).
We need to find all __sanitizer_cov_trace_pc calls in the binary, then for each one figure out if it is covered or not. Then highlight covered in bold black, and uncovered with, say, red.

Crasher minimization

It would be very useful to automatically minimize programs that trigger bugs.
The main obstacle here is that currently we don't attribute bugs to particular programs, so we cannot say that this program triggers a bug. Without such signal it is not possible to minimize. The signal is challenging, because console output is processed asynchronously and a VM can run several programs concurrently.
Probably we can separate minimization process from normal testing. That is, once we have a crash log, we can wind up a dedicated VM and run it in special slower mode when we attribute output/bugs to just executed program. This would simplify things significantly.

make error: sys/decl.go:650: undefined: numbers

Seeing an error while compiling 'syzkaller'
[root@host syzkaller]# make
go build -o ./bin/syz-manager github.com/google/syzkaller/syz-manager

github.com/google/syzkaller/sys

sys/decl.go:650: undefined: numbers
make: *** [manager] Error 2

syzkaller with go

Hello,
Can someone explain to me how to work with the make command with Go?
How do I need to configure goroot and gopath?

I want to test it on my VM and after downloading it I can't get it to work.
I can work with Go and I also created a program called "Hello World" but I can't understand how to make it work inside my VM and make the make command work with Go.

If you need more information let me know.

Thank you

syzkaller won't compile with go 1.4.2

go/src/github.com/google/syzkaller/sys/sys_arm64.go:5: numbers redeclared in this block
previous declaration at go/src/github.com/google/syzkaller/sys/sys_amd64.go:5
go/src/github.com/google/syzkaller/sys/sys_ppc64le.go:5: numbers redeclared in this block
previous declaration at go/src/github.com/google/syzkaller/sys/sys_arm64.go:5
...

manager: detect common kernel/image misconfiguration

Kernel and image need to be configured in a special way for syzkaller. For example, kernel needs CONFIG_KCOV, kernel needs CONFIG_USER_NS, image needs to mount debugfs, etc.
Current failure mode is very confusing -- syz-manager is just silent, it is not even clear if something is wrong or not. And if it is clear that something is wrong, it is not clear what exactly.

After booting a VM we need to check that it's suitable for fuzzing. And if it is not suitable, detect why and print this info to console. For example: kernel is not built with CONFIG_KCOV.

Additional notes:

  • CONFIG_USER_NS is not required if config contains dropprivs:false, we need to account for that. Similarly CONFIG_KCOV is not required, if config contains cover:false.
  • There are also some optional configs like CONFIG_KASAN, CONFIG_LOCKDEP and CONFIG_DEBUG_KMEMLEAK. We could detect if they are missing and suggest enabling them.
  • When we show coverage we also need to check kernel is configured with CONFIG_DEBUG_INFO.
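The checks listed in this issue, written out as an added Go example (not syzkaller's own code): it parses ".config"-style text and a /proc/mounts-style table, applies the rules that CONFIG_KCOV and CONFIG_DEBUG_INFO are only required when coverage is on and CONFIG_USER_NS only when privileges are dropped, and reports the debug options as optional. The ManagerCfg field names, the sample kernel config and the sample mount table are this example's own constructions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ManagerCfg holds the two syz-manager settings the issue says change what is
// required. Field names are this example's own, not syzkaller's config keys.
type ManagerCfg struct {
	Cover     bool // coverage collection on (cover:true)
	DropPrivs bool // executor drops privileges (dropprivs:true)
}

// Finding is one problem found in the kernel/image configuration.
type Finding struct {
	Option   string
	Severity string // "required" or "optional"
	Reason   string
}

// parseKconfig returns the options enabled (=y or =m) in ".config"-style
// text; "# CONFIG_FOO is not set" lines and other comments are skipped.
func parseKconfig(text string) map[string]bool {
	enabled := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || !strings.HasPrefix(kv[0], "CONFIG_") {
			continue
		}
		if kv[1] == "y" || kv[1] == "m" {
			enabled[kv[0]] = true
		}
	}
	return enabled
}

// DebugfsMounted scans /proc/mounts-style lines (device, mountpoint, fstype, ...)
// for a debugfs entry; kcov is exposed under /sys/kernel/debug.
func DebugfsMounted(mounts string) bool {
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[2] == "debugfs" {
			return true
		}
	}
	return false
}

// CheckKernelConfig applies the rules from the issue: CONFIG_KCOV (and
// CONFIG_DEBUG_INFO for coverage reports) only when cover is on, CONFIG_USER_NS
// only when dropprivs is on; KASAN, LOCKDEP and KMEMLEAK are optional.
func CheckKernelConfig(cfg ManagerCfg, kconfig string) []Finding {
	enabled := parseKconfig(kconfig)
	var out []Finding
	check := func(opt, severity, reason string) {
		if !enabled[opt] {
			out = append(out, Finding{opt, severity, reason})
		}
	}
	if cfg.Cover {
		check("CONFIG_KCOV", "required", "coverage collection is enabled (cover:true)")
		check("CONFIG_DEBUG_INFO", "required", "needed to map coverage PCs to source lines")
	}
	if cfg.DropPrivs {
		check("CONFIG_USER_NS", "required", "executor drops privileges via user namespaces (dropprivs:true)")
	}
	check("CONFIG_KASAN", "optional", "finds memory-safety bugs that would otherwise go unnoticed")
	check("CONFIG_LOCKDEP", "optional", "finds locking bugs")
	check("CONFIG_DEBUG_KMEMLEAK", "optional", "finds kernel memory leaks")
	return out
}

// Names lists the option names of findings at the given severity.
func Names(fs []Finding, severity string) []string {
	var names []string
	for _, f := range fs {
		if f.Severity == severity {
			names = append(names, f.Option)
		}
	}
	return names
}

// Constructed sample inputs: a kernel built without user namespaces or
// lockdep, and a mount table without debugfs.
const sampleKconfig = `CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
# CONFIG_USER_NS is not set
CONFIG_KASAN=y
CONFIG_DEBUG_KMEMLEAK=y
`

const sampleMounts = `proc /proc proc rw,nosuid 0 0
sysfs /sys sysfs rw,nosuid 0 0
`

func main() {
	cfg := ManagerCfg{Cover: true, DropPrivs: true}
	for _, f := range CheckKernelConfig(cfg, sampleKconfig) {
		fmt.Printf("%s: %s missing: %s\n", f.Severity, f.Option, f.Reason)
	}
	if !DebugfsMounted(sampleMounts) {
		fmt.Println("required: debugfs is not mounted")
	}
}
```

On a real VM the kconfig text would come from /proc/config.gz (or the build's .config) and the mount table from /proc/mounts; the point of keeping the inputs as plain strings is that the check itself stays testable without a booted kernel, and that a "required" finding can be printed to the console before syz-manager goes silent.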

Feature request: let the user turn syzkaller off for one of VMs

When I'm running syzkaller on two adb devices, I may want to reproduce some crashes on one of them, while still continuing to fuzz the second one, but do not want to restart the master.

It would be nice to have a possibility to temporarily exclude a device from the fuzzing process.

executor: fails to remove temp directories

Sometimes executor test process executes prlimit(parent_process_pid, RLIMIT_NOFILE, 1) on the parent executor process (loop). This prevents the parent process from cleaning up the temp dir as open calls fail with EMFILE. This is now special-cased in executor.cc. But it seems there are other similar issues:

crash-qemu-0-1465810690923820201:panic: executor failed: lstat(./0/file0) failed (errno 107)
crash-qemu-10-1460154326349049340:panic: executor failed: umount(./0/bus/file0/file0/file0) failed (errno 22)
crash-qemu-10-1461722452023736934:panic: executor failed: umount(./0/bus) failed (errno 22)
crash-qemu-11-1465810719321691016:panic: executor failed: lstat(./0/bus) failed (errno 107)
crash-qemu-1-1464441238979693868:panic: executor failed: umount(./0/bus/file0/file0) failed (errno 22)
crash-qemu-12-1465810721294337786:panic: executor failed: lstat(./0/bus) failed (errno 107)
crash-qemu-14-1465810640345948719:panic: executor failed: unlink(./0/bus/btrfs/test) failed (errno 1)
crash-qemu-15-1465810334532461566:panic: executor failed: lstat(./0/file0) failed (errno 107)
crash-qemu-2-1465810675617106238:panic: executor failed: unlink(./0/file0/kprobe_profile) failed (errno 1)
crash-qemu-24-1460757759394908332:panic: executor failed: umount(./0/bus/file0/file0/file0) failed (errno 22)
crash-qemu-24-1461895571896083596:panic: executor failed: umount(./0/bus/file0/file0) failed (errno 22)
crash-qemu-26-1460172908744626073:panic: executor failed: umount(./0/bus/file0/file0/file0) failed (errno 22)
crash-qemu-4-1464359721143672462:panic: executor failed: umount(./0/bus/control/control) failed (errno 22)
crash-qemu-6-1465810283197344682:panic: executor failed: unlink(./0/bus/gssd/clntXX/gssd) failed (errno 1)
crash-qemu-6-1465810572484813011:panic: executor failed: unlink(./0/bus/btrfs/test) failed (errno 1)
crash-qemu-6-1465810757057153103:panic: executor failed: unlink(./0/bus/btrfs/test) failed (errno 1)
crash-qemu-6-1465810774045501436:panic: executor failed: lstat(./0/file0) failed (errno 107)
crash-qemu-8-1465810257953443011:panic: executor failed: lstat(./0/bus) failed (errno 107)

That happens very infrequently, so maybe we should just treat all errors in remove_dir() as transient and restart executor.

prog: crash minimization dependent on collider logic

Collider clashes even syscalls with odd syscalls. So if a crash requires colliding syscalls 2 and 3, and we try to remove any unrelated preceding syscall during crash minimization, the crash will not happen. Consequently we will decide that all preceding syscalls are necessary.
I am not sure how to fix. We either need to explicitly encode what syscalls executor needs to collide, or maybe collide all syscalls during crash minimization (but then this also needs to be reflected in csource package).

Spurious 'no output' errors

I am receiving a lot of 'no output' errors which may or may not be spurious, however it seems possible that they are, and you have mentioned that you've encountered these @dvyukov too so it seems sensible to have an issue.

I am moving the discussion from #32 as I think it makes more sense for this to be discussed in an issue and that PR is closed, hope that's ok!

@dvyukov in that PR thread you mentioned some of the awesome work you've done lately to reduce potential spurious errors, I have pulled all of the latest changes to syzkaller, rebuilt, applied the kcov patch and your most recent local kernel changes against kernel commit 8e0f93c.

However, I am still seeing a lot of 'no output's, ~7/minute. I may have something incorrectly configured here however, or otherwise be doing something wrong so the spuriousness may be spurious, I will investigate :)

Reboot the device in the case of OOMs

When the system runs out of memory and starts killing the fuzzer and executors, it's unlikely they'll work well when restarted. We'd better reboot the VM when it OOMs too often.

[ 5986.892103] lowmemorykiller: Killing 'syz-fuzzer' (24327), adj 0,
[ 5986.892103] to free 120804kB on behalf of 'kswapd0' (67) because
[ 5986.892103] cache 72404kB is below limit 73728kB for oom_score_adj 0
[ 5986.892103] Free memory is 6288kB above reserved
...
[ 6286.097923] lowmemorykiller: Killing 'syz-executor' (10766), adj 0,
[ 6286.097923] to free 2768kB on behalf of 'kswapd0' (67) because
[ 6286.097923] cache 68848kB is below limit 73728kB for oom_score_adj 0
[ 6286.097923] Free memory is -1468kB above reserved
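The "reboot when it OOMs too often" rule from this issue, as an added Go example (not syzkaller's own code): it parses lowmemorykiller lines from console output and reports whether some window of the log contains at least a threshold number of kills of syz-fuzzer or syz-executor. The two kill records with timestamps 5986 and 6286 are the ones from the log above; the 6101 and 6240 lines, the window length and the threshold are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Kill is one lowmemorykiller event parsed from the console log.
type Kill struct {
	Uptime  float64 // seconds since boot, from the printk timestamp
	Process string
	PID     int
}

// killRe matches the first line of a lowmemorykiller report, e.g.
// "[ 5986.892103] lowmemorykiller: Killing 'syz-fuzzer' (24327), adj 0,".
var killRe = regexp.MustCompile(`^\[\s*([0-9]+\.[0-9]+)\] lowmemorykiller: Killing '([^']+)' \((\d+)\)`)

// ParseKills extracts kill events from console output; the continuation
// lines ("to free ... on behalf of ...") and unrelated lines are skipped.
func ParseKills(console string) []Kill {
	var kills []Kill
	sc := bufio.NewScanner(strings.NewReader(console))
	for sc.Scan() {
		m := killRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := strconv.ParseFloat(m[1], 64)
		if err != nil {
			continue
		}
		pid, _ := strconv.Atoi(m[3])
		kills = append(kills, Kill{Uptime: ts, Process: m[2], PID: pid})
	}
	return kills
}

// isFuzzerProcess: only kills of syzkaller's own processes count towards
// the reboot decision; the names are the ones seen in the issue's log.
func isFuzzerProcess(name string) bool {
	return name == "syz-fuzzer" || name == "syz-executor"
}

// TooManyOOMs reports whether some window of windowSec seconds contains at
// least threshold kills of fuzzer processes. Both limits are assumed values
// a manager would tune; the issue itself names no numbers.
func TooManyOOMs(kills []Kill, windowSec float64, threshold int) bool {
	var ts []float64
	for _, k := range kills {
		if isFuzzerProcess(k.Process) {
			ts = append(ts, k.Uptime)
		}
	}
	sort.Float64s(ts)
	// Two-pointer sliding window over the sorted timestamps.
	start := 0
	for end := range ts {
		for ts[end]-ts[start] > windowSec {
			start++
		}
		if end-start+1 >= threshold {
			return true
		}
	}
	return false
}

// sampleConsole: the first and last kill records are from the issue's log;
// the 6101 and 6240 records are constructed (the sshd one must be ignored).
const sampleConsole = `[ 5986.892103] lowmemorykiller: Killing 'syz-fuzzer' (24327), adj 0,
[ 5986.892103] to free 120804kB on behalf of 'kswapd0' (67) because
[ 5986.892103] cache 72404kB is below limit 73728kB for oom_score_adj 0
[ 5986.892103] Free memory is 6288kB above reserved
[ 6101.300000] lowmemorykiller: Killing 'syz-executor' (10412), adj 0,
[ 6240.500000] lowmemorykiller: Killing 'sshd' (312), adj 0,
[ 6286.097923] lowmemorykiller: Killing 'syz-executor' (10766), adj 0,
[ 6286.097923] to free 2768kB on behalf of 'kswapd0' (67) because
[ 6286.097923] Free memory is -1468kB above reserved
`

func main() {
	kills := ParseKills(sampleConsole)
	fmt.Printf("parsed %d kills\n", len(kills))
	if TooManyOOMs(kills, 600, 3) {
		fmt.Println("3+ fuzzer OOM kills within 10 minutes: reboot the VM")
	}
}
```

Counting only syz-fuzzer and syz-executor kills avoids rebooting because the kernel killed something unrelated, and the sliding window means a single kill early in a long run never accumulates into a reboot on its own.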

prog: mutation generates too long programs

Below is a program with 145 calls, I wasn't specifically looking for the longest one.
We are aiming at <30 calls. 100+ is too much, it degrades mutation efficiency, makes minimization take huge amounts of time, makes minimization inefficient (it is flaky, so huge programs do not help), leads to slow startup and to OOMs as corpus consumes tons of memory.
We need to keep program size under control.

2017/01/30 16:51:14 executing program 1:
mmap(&(0x7f0000000000/0xfff000)=nil, (0xfff000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
mkdir(&(0x7f0000ec2000-0x8)="2e2f66696c653000", 0x0)
mlockall(0x0)
perf_event_open(&(0x7f000002f000-0x78)={0x1, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0xc642, 0x0, 0xd34, 0x0, 0x6, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffff, 0xffffffffffffffff, 0xa)
ioctl$SNDRV_TIMER_IOCTL_STATUS(0xffffffffffffffff, 0x80605414, &(0x7f0000013000-0xf7)="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f00004b6000-0x11)="2f6465762f7667615f6172626974657200", 0x0, 0x0)
ioctl$KVM_SET_REGS(r0, 0x4090ae82, &(0x7f0000068000)={[0xd7, 0x0, 0x8001, 0x60a5, 0x10000, 0x5, 0x6, 0xff, 0xffff, 0xfffffffffffffffe, 0x7fff, 0x400, 0x2, 0x6, 0x1, 0x0], 0xf000, 0x8000})
sendmsg(0xffffffffffffffff, &(0x7f0000007000)={&(0x7f0000005000)=@un=@abs={0x0, 0x0, 0x0}, 0x8, &(0x7f0000054000)=[{&(0x7f0000000000)="46343ebf8dac5c2b440677c405605e49057e36760edfee6cdd4ac3fb53c9dd6ed420cbed074b8bde1d35ec6f108d7cce32b90761db61f6187acb3ef178b13cacacaa4e3d714da37185dc25bb725810fd829ea86060d4485d2fbb28e9daa352376ed016d611bcf960806f6ed9b68480e82f35ba3d6f7f235f245d4c17435b5d103df02ce023fc457297ee097c43743f5023290796c309dcdc9f5c3f32d3000000000000800181b60f1395e03f734ce46e7ae9710cda4f19a5460f4bfe217bf501fb4316f862c6f1839a21ae299d33c30590d2000000000000000862039aa51f52aed49e0bb23136036a6574f2f8000d7f97b106e6d3e62968dd56b0e7f9c2b1f2916751efe5467decb9ea475f1e5c75a9343fcaf434b6965135790c91bbf3354eb307341b8eb69384b86ccf62c9ca3fd3", 0x130}], 0x1, &(0x7f0000027000-0x138)=[], 0x0, 0x20000000}, 0x0)
perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
bind$netrom(0xffffffffffffffff, &(0x7f0000891000)=@full={{0x6, {"9b631434f9a4bf"}, 0xf11e}, [{"c5b6274843be99"}, {"2e9f581f88f468"}, {"f26c159d423e17"}, {"30c44eb40adf10"}, {"4b4fb543807dc3"}, {"22a46f5236e1aa"}, {"e1b69c43a2c0d5"}, {"5cc62c2671d29c"}]}, 0x48)
ioctl$SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE(0xffffffffffffffff, 0xc08c5336, &(0x7f0000002000)={0x1ff, 0x5, 0x2, "71756575653000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x200, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
creat(&(0x7f0000019000)="2e2f66696c653000", 0x0)
r1 = open(&(0x7f0000019000-0x8)="2e2f62757300", 0x885d3addd51b95d2, 0x0)
set_mempolicy(0x3, &(0x7f0000cd7000)=0x5, 0x7)
socket$unix(0x1, 0x2, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00005ca000-0x8)={0xffffffffffffffff, 0xffffffffffffffff})
creat(&(0x7f0000cdb000)="2e2f62757300", 0x0)
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f000001f000-0x58)={0x26, "726e670000000000000000000000", 0x3, 0x0, "73006131000000000000000000000000000000000000000000000000000000000000000000000000000000000000150000009e00000000000000020000000000"}, 0x58)
r3 = openat$autofs(0xffffffffffffff9c, &(0x7f00009aa000-0xc)="2f6465762f6175746f667300", 0x42, 0x0)
mremap(&(0x7f0000a93000/0x2000)=nil, (0x2000), (0xe000), 0x3, &(0x7f0000b18000/0xe000)=nil)
mprotect(&(0x7f0000b1e000/0x2000)=nil, (0x2000), 0x4)
r4 = openat$rfkill(0xffffffffffffff9c, &(0x7f000015a000-0xc)="2f6465762f72666b696c6c00", 0x40, 0x0)
perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xde, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r5 = socket(0xa, 0x6, 0x0)
setsockopt$ip_ipsec(r5, 0x0, 0x10, &(0x7f0000b9f000-0xf0)={{{@in6=@loopback={0x0, 0x1}, @in6=@empty={0x0, 0x0}, 0x2, 0x4000, 0x0, 0x9, 0x9, 0x10000, 0x4, 0x8, 0x2, 0x3}, {0x8712, 0x8b, 0xff, 0x6, 0x101, 0x9, 0x2, 0x1000}, {0x1, 0x200, 0x7, 0xe4bb}, 0x20, 0xe41b, 0x2a9d, 0x7fff, 0x8, 0x3ff}, {{@in=@loopback=0x7f000001, 0x1, 0x9}, 0xfffffffffffffffa, @in=@loopback=0x7f000001, 0xd282, 0x5, 0x0, 0x1, 0x8, 0x5, 0xecc}}, 0xf0)
mkdir(&(0x7f000026c000)="2e2f66696c653000", 0x1400103)
r6 = syz_open_dev$sndseq(&(0x7f0000038000)="2f6465762f736e642f73657100", 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r6, 0xc08c5332, &(0x7f0000048000-0x8c)={0x0, 0x0, 0x0, "71756575653100000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
r7 = userfaultfd(0x800)
ioctl$UFFDIO_API(r7, 0xc018aa3f, &(0x7f0000000000)={0xaa, 0x0, 0x0})
dup3(r7, r7, 0x80000)
ioctl$PIO_FONTRESET(r1, 0x4b6d, 0x0)
read(r7, &(0x7f0000013000-0xb1)="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0xb1)
r8 = epoll_create1(0x0)
ioctl$UFFDIO_REGISTER(r7, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000012000/0x2000)=nil, (0x2000)}, 0x1, 0x0})
close(r8)
r9 = syz_open_dev$sndtimer(&(0x7f0000000000)="2f6465762f736e642f74696d657200", 0x0, 0x0)
ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r9, 0xc0145401, &(0x7f0000013000)={0x0, 0x0, 0x0, 0x0, 0x0})
lseek(0xffffffffffffffff, 0x0, 0x7)
ioctl$SNDRV_TIMER_IOCTL_STATUS(r9, 0x80605414, &(0x7f0000001000+0xf42)="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
close(r7)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r6, 0xc08c5335, &(0x7f000004b000-0x8c)={0x0, 0x80, 0xb5d, "ec306fd83ca199a51d2ba3564fb788e9ed13c848324cabfa36cc218669c5f2a8a170e5fea0a5b47fa6c2ebdf343bdad74c0b60376a6981a156e97a252a7633d4", 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
socketpair$unix(0x1, 0x5, 0x0, &(0x7f000002f000-0x8)={0xffffffffffffffff, <r10=>0xffffffffffffffff})
r11 = syz_open_dev$urandom(&(0x7f000002b000-0xd)="2f6465762f7572616e646f6d00", 0x0, 0x0)
close(r11)
perf_event_open(&(0x7f0000001000-0x78)={0x1, 0x78, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xac, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
setsockopt$SCTP_DEFAULT_SEND_PARAM(r4, 0x84, 0xa, &(0x7f000076f000-0x20)={0x4, 0x73, 0x1, 0x9, 0xd8d1, 0x1, 0xfffffffffffffbed, 0xffffffff, 0x400}, 0x20)
inotify_init()
r12 = openat$hwrng(0xffffffffffffff9c, &(0x7f00003b4000-0xb)="2f6465762f6877726e6700", 0x40400, 0x0)
write$fuse_ioctl(r12, &(0x7f0000eb1000)={0x20, 0xff, 0x7fffffff, 0x3, 0x2, 0x4, 0x8001}, 0x20)
seccomp(0x1, 0x0, &(0x7f0000001000-0x10)={0x0, &(0x7f0000022000)=[]})
mprotect(&(0x7f00002b1000/0xc00000)=nil, (0xc00000), 0x7)
r13 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000eb2000-0xf)="2f6465762f73657175656e63657200", 0x2000, 0x0)
r14 = perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xdd, 0x0, 0xfffffffffffffffe, 0x6, 0x0, 0x2, 0x0, 0x0, 0xfe, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x4000000000, 0xfffffffffffffffd, 0x4, 0xfffffffffffffffc, 0x0, 0x0, 0xfffffffffffffffe, 0x8000000000000, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xfffffffffffffffe, 0xffffffffffffffff, 0x0)
ioctl$PERF_EVENT_IOC_ENABLE(r14, 0x2400, 0x84fe)
r15 = dup3(r14, r14, 0x0)
connect$netrom(r15, &(0x7f0000b11000-0x48)=@full={{0x6, {"85a0a0513e810a"}, 0x7f}, [{"69ce91fe21e0ee"}, {"b709c36c1e16e4"}, {"32a96171496573"}, {"2ae83a62c90848"}, {"21fc1762d5d685"}, {"9e9b02c3d84438"}, {"beff6afd9f7c60"}, {"88401a99930af3"}]}, 0x48)
r16 = socket(0x2, 0x5, 0xffffffffffffffff)
setsockopt$sock_int(r16, 0x1, 0xc, &(0x7f000003b000)=0xfffffffffffffffe, 0x4)
stat(&(0x7f00008be000-0x8)="2e2f66696c653000", &(0x7f0000044000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
recvmsg$netrom(r16, &(0x7f0000714000)={&(0x7f0000fad000)=@ax25={0x6, {"639ca3d32884a8"}, 0x10000}, 0x10, &(0x7f00001fe000)=[{&(0x7f0000ebc000-0xc)="70f5696a6f93537d459ffe38", 0xc}, {&(0x7f0000fad000)="", 0x0}], 0x2, &(0x7f0000e47000-0x438)=[{0x20, 0x111, 0x0, "fd6ffd3839d87b009691320570"}, {0x10, 0x1ff, 0x3, ""}], 0x2, 0x0}, 0x2)
openat$kvm(0xffffffffffffff9c, &(0x7f0000ada000)="2f6465762f6b766d00", 0x0, 0x0)
r17 = ioctl$KVM_CREATE_VM(r15, 0xae01, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r17, 0x4010ae67, &(0x7f0000d86000)={0x1, 0x0, 0x0})
ioctl$KVM_REGISTER_COALESCED_MMIO(r17, 0x4010ae67, &(0x7f000085e000)={0x0, 0x0, 0x0})
accept$sctp(0xffffffffffffff9c, &(0x7f0000000000)=@in6={0x0, 0x0, 0x0, @loopback={0x0, 0x0}, 0x0}, &(0x7f0000da2000-0x4)=0x20)
prlimit64(0x0, 0x7, &(0x7f0000002000)={0x0, 0x0}, &(0x7f0000003000-0x10)={0x0, 0x0})
bpf$MAP_CREATE(0x0, &(0x7f0000014000)={0x1, 0x19, 0x6, 0x6, 0x1}, 0x14)
r18 = ioctl$KVM_CREATE_VCPU(r17, 0xae41, 0x2)
r19 = timerfd_create(0x1, 0x80000)
read(r18, &(0x7f0000b63000-0x8)="0000000000000000", 0x8)
r20 = openat$autofs(0xffffffffffffff9c, &(0x7f0000e0a000)="2f6465762f6175746f667300", 0x1, 0x0)
mkdir(&(0x7f000002a000-0xa)="2e2f636f6e74726f6c00", 0x0)
r21 = inotify_init1(0x0)
getsockopt$ip_mreq(r20, 0x0, 0x0, &(0x7f0000cfe000-0x8)={@loopback=0x0, @empty=0x0}, &(0x7f000024b000)=0x8)
r22 = dup3(r19, r19, 0x80000)
setsockopt$NETLINK_NO_ENOBUFS(r22, 0x10e, 0x5, &(0x7f0000203000)=0x80000001, 0x4)
r23 = gettid()
fcntl$setown(r21, 0x8, r23)
r24 = inotify_add_watch(r22, &(0x7f0000b22000)="2e2f66696c653000", 0x4000001)
inotify_rm_watch(r20, r24)
ioctl$EVIOCGKEYCODE_V2(r15, 0x80284504, &(0x7f0000113000)="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

enable/disable_syscalls does not affect existing corpus

If some syscalls are disabled with disable_syscalls, but these syscalls are already present in the corpus, then they will still be executed.
That needs to be fixed. However, we need to be careful with corpus minimization not to lose all programs with these disabled syscalls.
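One way to apply the disabled list to an already loaded corpus, as an added example that is not syzkaller's own code: it parses the call name from each program line (the same syntax as the program text quoted in the crash logs on this page) and assumes that a disable_syscalls entry such as "keyctl" also covers $-variants like "keyctl$unlink". Programs that hit the list are set aside rather than deleted, so minimization cannot lose them for good.

```go
package main

import (
	"fmt"
	"strings"
)

// CallName returns the syscall name of one syzkaller program line, e.g.
// `r0 = socket(0x10, 0x2, 0x0)` -> "socket" and
// `keyctl$unlink(0x9, r25, r26)` -> "keyctl$unlink".
// Empty lines and "#" comment lines yield "".
func CallName(line string) string {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return ""
	}
	head := line
	if i := strings.Index(line, "("); i >= 0 {
		head = line[:i]
	}
	// Drop the "rN = " result binding, if any.
	if i := strings.Index(head, "="); i >= 0 {
		head = head[i+1:]
	}
	return strings.TrimSpace(head)
}

// MatchSyscall reports whether a disable_syscalls entry covers a call name:
// exact match, or the entry names the base syscall of a $-variant
// (assumed matching rule for this example).
func MatchSyscall(name, entry string) bool {
	return name == entry || strings.HasPrefix(name, entry+"$")
}

// DisabledCalls lists the calls in a program that hit the disabled list,
// in program order.
func DisabledCalls(prog string, disabled []string) []string {
	var hits []string
	for _, line := range strings.Split(prog, "\n") {
		name := CallName(line)
		if name == "" {
			continue
		}
		for _, entry := range disabled {
			if MatchSyscall(name, entry) {
				hits = append(hits, name)
				break
			}
		}
	}
	return hits
}

// FilterCorpus splits programs into those safe to execute and those that
// must be set aside. Set-aside programs are returned, not discarded, so
// they can be restored when the syscalls are enabled again.
func FilterCorpus(progs []string, disabled []string) (kept, setAside []string) {
	for _, p := range progs {
		if len(DisabledCalls(p, disabled)) == 0 {
			kept = append(kept, p)
		} else {
			setAside = append(setAside, p)
		}
	}
	return kept, setAside
}

func main() {
	disabled := []string{"keyctl", "add_key", "request_key"} // list from the config on this page
	// Constructed sample corpus in syzkaller program syntax.
	corpus := []string{
		"r0 = socket(0x10, 0x2, 0x0)\nwrite(r0, &(0x7f0000e26000)=\"\", 0x0)",
		"r1 = request_key(&(0x7f0000000000)=\"7573657200\", 0x0, 0x0, 0xfffffffffffffffb)\nkeyctl$unlink(0x9, r1, r1)",
		"getpid()",
	}
	kept, aside := FilterCorpus(corpus, disabled)
	fmt.Printf("kept %d, set aside %d\n", len(kept), len(aside))
	for _, p := range aside {
		fmt.Println("disabled calls:", DisabledCalls(p, disabled))
	}
}
```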

Detect missing ADB

When adb isn't present in $PATH, syzkaller is unable to run programs on Android devices.
However, it doesn't acknowledge that and just infinitely prints: "executed programs: 0, crashes: 0".
It would be great to report that adb is missing instead.

Generate a const array

I want to generate a const array for the following struct in sys/tun.txt, for instance, "wlan0"
ifreq {
name array[int8, 16]
u ifr_ifru
}

I tried with strconst as follows, but it does not work as expected. The expected output should be a const char array filled with "wlan0", but it generates a pointer to a buffer that contains the string.
ifreq {
name strconst["wlan0"]
pad array[const[0, int8], 10]
u ifr_ifru
}

The generated output is:
r[1] = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
*(uint64_t*)0x20000000 = (uint64_t)0x20000b81;
*(uint64_t*)0x20000008 = (uint64_t)0x0;
*(uint16_t*)0x20000010 = (uint16_t)0x0;
*(uint64_t*)0x20000020 = (uint64_t)0x20000ff0; // the address to ifr_ifru
memcpy((void*)0x20000b81, "\x77\x6c\x61\x6e\x30\x00", 6);

The expected output should be:
r[1] = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
memcpy((void*)0x20000000, "\x77\x6c\x61\x6e\x30\x00", 6);
*(uint64_t*)0x20000006 = (uint64_t)0x0;
*(uint16_t*)0x2000000e = (uint16_t)0x0;
*(uint64_t*)0x20000010 = (uint64_t)0x20000ff0;
Any suggestion? Thanks.

manager: make it clear if fuzzing works or not

Some users were confused by the fact that syz-manager prints nothing to console when no crashes are found. It appears that fuzzing just does not work. We need to print some periodic messages to console every 10 seconds or so, for example containing total number of executed programs and coverage. Then it will be clear if fuzzing works or not.

Build bug

➜  syzkaller git:(master) make execprog executor 
go build -o ./bin/syz-execprog github.com/google/syzkaller/tools/syz-execprog
# vendor/github.com/google/syzkaller/sys
../../../vendor/github.com/google/syzkaller/sys/align.go:29: undefined: Structs
../../../vendor/github.com/google/syzkaller/sys/decl.go:353: undefined: Resources
../../../vendor/github.com/google/syzkaller/sys/decl.go:384: undefined: Resources
../../../vendor/github.com/google/syzkaller/sys/decl.go:388: undefined: Resources
../../../vendor/github.com/google/syzkaller/sys/decl.go:515: undefined: initCalls
../../../vendor/github.com/google/syzkaller/sys/decl.go:516: undefined: initStructFields
Makefile:31: recipe for target 'execprog' failed
make: *** [execprog] Error 2

And env info

➜  syzkaller git:(master) uname -a
Linux Lenovo-Product 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
go env

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/bai/Syzkaller"
GORACE=""
GOROOT="/usr/lib/go-1.7"
GOTOOLDIR="/usr/lib/go-1.7/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build339475586=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

make error: ‘syscalls’ was not declared in this scope

Hello,

Installed 'numactl-devel'

go env

GOARCH="ppc64le"
GOBIN=""
GOEXE=""
GOHOSTARCH="ppc64le"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/root/golang"
GORACE=""
GOROOT="/usr/lib/golang"
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_ppc64le"
GO15VENDOREXPERIMENT=""
CC="gcc"
GOGCCFLAGS="-fPIC -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"

make

go build -o ./bin/syz-manager github.com/google/syzkaller/syz-manager
go build -o ./bin/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
cc -o ./bin/syz-executor executor/executor.cc -lpthread -static -Wall -O1 -g
executor/executor.cc: In function ‘void execute_one()’:
executor/executor.cc:386:26: error: ‘syscalls’ was not declared in this scope
if (call_num >= sizeof(syscalls) / sizeof(syscalls[0]))
^
executor/executor.cc: In function ‘thread_t* schedule_call(int, int, int, uint64_t, uint64_t*, uint64_t*)’:
executor/executor.cc:465:62: error: ‘syscalls’ was not declared in this scope
debug("scheduling call %d [%s] on thread %d\n", call_index, syscalls[call_num].name, th->id);
^
executor/executor.cc: In function ‘void handle_completion(thread_t*)’:
executor/executor.cc:485:69: error: ‘syscalls’ was not declared in this scope
debug("completion of call %d [%s] on thread %d\n", th->call_index, syscalls[th->call_num].name, th->id);
^
executor/executor.cc: In function ‘void execute_call(thread_t*)’:
executor/executor.cc:559:18: error: ‘syscalls’ was not declared in this scope
call_t* call = &syscalls[th->call_num];
^
make: *** [executor] Error 1

Did I miss anything else?

Make it easier to generate syscall descriptions for non-upstream kernels

Users may want to fuzz syscalls that are absent in the upstream tree. Right now the only option they have is to write a hermetic sys/subsystem.txt syscall description without includes (e.g. hard-code constants and manually calculate struct sizes), which is quite tricky.
Some of this information (e.g. struct sizes and layout) is already known to syzkaller, so we can substitute it automatically instead of letting the humans make mistakes.

Coverage issues

Coverage collection has the following issues:

  1. Why does this BUG_ON fire?
    dvyukov/linux@f9fbf6b#diff-b7c3e57590cdf57eaf5b96dc682b41c9R32
    We need to restore it. If execution prematurely exits from a syscall, then we collect unrelated coverage from interrupts (in_interrupt() does not cover all of interrupt code).
  2. Current interface is based on reading/writing from/to /proc/cover file.
    Need to check performance impact of the additional syscalls (we do at least 2 per real syscall: reset cover/read cover).
    We've also considered the following interface:
    User passes a buffer to the kernel, the kernel locks this buffer in memory and writes coverage directly to it. The current position in the buffer is stored in the first word of the buffer, so it is also shared with user-space. Then, to reset coverage the user process just writes 0 to the first word; to read coverage, it reads the first word and then reads the filled part of the buffer.
    For safety reasons, the kernel should keep a buffer size mask in a location that is not shared with user-space, and apply this mask whenever it writes coverage. This will ensure that all kernel writes are in-bounds.
    On buffer overflow old PCs and the position in the first word will be overwritten. This is safe for the kernel as it always applies the mask, and so will not do out-of-bounds writes. The user process can also write 0 into the last word of the buffer. If that zero is overwritten, then the user process can understand that overflow happened.
    This will be zero-copy and require no additional syscalls.
  3. If we do what is described in bullet 2, then we don't need to deal with coverage collected during read/write from/to /proc/cover (which is uninteresting coverage). Then maybe we can just improve in_interrupt() check somehow so that it filters out all interrupt related code. Then we don't need syscall interception, which will make the patch simpler and more portable.
  4. Need to figure out exact set of files for which we want to disable coverage instrumentation.
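A user-space model of the shared-buffer interface from bullet 2, added here as an example (it is neither syzkaller nor kernel code). The layout follows the proposal: the write position lives in word 0, user space plants a zero sentinel in the last word, the size is a power of two, and the mask is held outside the shared memory so every kernel-side write stays in bounds whatever user space stores in word 0; the Go names are the example's own.

```go
package main

import "fmt"

// CoverBuffer holds the words shared with user space plus the kernel-private mask.
type CoverBuffer struct {
	Words []uint64 // shared: [0]=position, [1..n-2]=PCs, [n-1]=overflow sentinel
	mask  uint64   // kernel-private: len(Words)-1; len(Words) is a power of two
}

// NewCoverBuffer allocates a buffer of size words; size must be a power of two
// so that a single AND bounds every index.
func NewCoverBuffer(size int) (*CoverBuffer, error) {
	if size < 4 || size&(size-1) != 0 {
		return nil, fmt.Errorf("cover buffer size %d must be a power of two >= 4", size)
	}
	return &CoverBuffer{Words: make([]uint64, size), mask: uint64(size - 1)}, nil
}

// Capacity is the number of PCs that fit without overflow.
func (b *CoverBuffer) Capacity() int { return len(b.Words) - 2 }

// KernelRecordPC models the per-basic-block hook. The position comes from
// shared memory and is therefore untrusted; masking keeps the write in
// bounds even if user space stored garbage there. On overflow the write
// wraps and silently clobbers old PCs, the sentinel, or the position word.
func (b *CoverBuffer) KernelRecordPC(pc uint64) {
	pos := b.Words[0] + 1
	b.Words[pos&b.mask] = pc
	b.Words[0] = pos
}

// UserReset is what the fuzzer does before each syscall: clear the position
// and re-arm the overflow sentinel. No syscall is involved.
func (b *CoverBuffer) UserReset() {
	b.Words[0] = 0
	b.Words[len(b.Words)-1] = 0
}

// UserRead returns the PCs collected since the last reset. overflow is true
// when the sentinel was clobbered (real PCs are never 0) or the position
// claims more PCs than fit; the contents are then untrusted and nil is returned.
func (b *CoverBuffer) UserRead() (pcs []uint64, overflow bool) {
	n := b.Words[0]
	if b.Words[len(b.Words)-1] != 0 || n > uint64(b.Capacity()) {
		return nil, true
	}
	pcs = make([]uint64, n)
	copy(pcs, b.Words[1:1+n])
	return pcs, false
}

func main() {
	b, err := NewCoverBuffer(8) // room for 6 PCs
	if err != nil {
		panic(err)
	}
	b.UserReset()
	for i := 0; i < 3; i++ { // constructed PC values, not real kernel addresses
		b.KernelRecordPC(0xffffffff81000000 + uint64(i)*0x10)
	}
	pcs, of := b.UserRead()
	fmt.Printf("pcs=%#x overflow=%v\n", pcs, of)
	b.UserReset()
	for i := 0; i < 10; i++ {
		b.KernelRecordPC(0xffffffff81000000 + uint64(i)*0x10)
	}
	_, of = b.UserRead()
	fmt.Println("10 PCs into a 6-PC buffer, overflow =", of)
}
```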

-static should not be used for build

The syz-repro tries to build with -static (csource/csource.go: Build), but this does not work on openSUSE, as we do not have static libraries. -static should be configurable at least.

VMs should merge console/fuzzer output on line granularity

Currently vm/{qemu,kvm,adb} merge console/fuzzer output on a byte level. This frequently leads to corrupted/intermixed output when there is actually console output (e.g. on bugs). Console/fuzzer should be merged on line granularity.

vm/qemu: respect number of CPUs in config file

Currently qemu is started with:

        "-smp", "sockets=2,cores=2,threads=1",

We should support number of CPUs specified in the config file, but also try to distribute them across several sockets, because that will trigger some interesting code paths in kernel.

master is currently broken

system

Linux dweb-linux 4.9.9-1-ARCH #1 SMP PREEMPT Thu Feb 9 19:07:09 CET 2017 x86_64 GNU/Linux

go info

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/dweb/source/go"
GORACE=""
GOROOT="/home/dweb/.gimme/versions/go1.7.4.linux.amd64"
GOTOOLDIR="/home/dweb/.gimme/versions/go1.7.4.linux.amd64/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build237221295=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

make output

../google/syzkaller/sys/align.go:35: undefined: Structs
../google/syzkaller/sys/decl.go:441: undefined: Resources
../google/syzkaller/sys/decl.go:472: undefined: Resources
../google/syzkaller/sys/decl.go:476: undefined: Resources
../google/syzkaller/sys/decl.go:608: undefined: initCalls
../google/syzkaller/sys/decl.go:609: undefined: initStructFields

../google/syzkaller/sys/align.go:35

func initAlign() {
	var rec func(t Type)
	rec = func(t Type) {
		switch t1 := t.(type) {
		case *PtrType:
			rec(t1.Type)
		case *ArrayType:
			rec(t1.Type)
		case *StructType:
			if !t1.padded {
				t1.padded = true
				for _, f := range t1.Fields {
					rec(f)
				}
				t1.Varlen() // dummy call to initialize t1.varlen
				markBitfields(t1)
				addAlignment(t1)
			}
		case *UnionType:
			for _, opt := range t1.Options {
				rec(opt)
			}
		}
	}

	for _, s := range Structs {
		rec(s)
	}
}

search

dweb@dweb-linux sys (master) $ ff Structs                                                                                                 ~/source/go/src/github.com/google/syzkaller/sys  
README.md:95:### Structs
README.md:97:Structs are described as:
README.md:103:Structs can have trailing attributes "packed" and "align_N",
align.go:35:	for _, s := range Structs {

Where are these?

panic: runtime error: makeslice: len out of range

Hi All,
I'm trying to compile it on:

Description: Ubuntu 16.04.1 LTS
Release: 16.04

and I got this error:
...
go install ./syz-manager ./syz-fuzzer

github.com/google/syzkaller/sys

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
panic(0x857aa0, 0xc8492a0eb0)
/usr/lib/go-1.6/src/runtime/panic.go:481 +0x3e6
cmd/compile/internal/gc.newliveness(0xc82089ce10, 0xc82b70e000, 0xc84ff54000, 0x35a64, 0x3a000, 0xc849226000, 0xd398, 0xf000, 0xaeb8e98dd304e7f3)
/usr/lib/go-1.6/src/cmd/compile/internal/gc/plive.go:687 +0x161
cmd/compile/internal/gc.liveness(0xc82089ce10, 0xc82b70e000, 0xc82e28ff00, 0xc82e28ff80)
/usr/lib/go-1.6/src/cmd/compile/internal/gc/plive.go:1782 +0x2cf
cmd/compile/internal/gc.compile(0xc82089ce10)
/usr/lib/go-1.6/src/cmd/compile/internal/gc/pgen.go:541 +0xdf2
cmd/compile/internal/gc.funccompile(0xc82089ce10)
/usr/lib/go-1.6/src/cmd/compile/internal/gc/dcl.go:1450 +0x1c0
cmd/compile/internal/gc.Main()
/usr/lib/go-1.6/src/cmd/compile/internal/gc/lex.go:472 +0x2116
cmd/compile/internal/amd64.Main()
/usr/lib/go-1.6/src/cmd/compile/internal/amd64/galign.go:127 +0x58d
main.main()
/usr/lib/go-1.6/src/cmd/compile/main.go:33 +0x395
Makefile:12: recipe for target 'all' failed
make: *** [all] Error 2

Better support for the len type

  1. Allow using len to denote the length of any other field of the same struct, not just for buffer/vma/arrayptr fields.

  2. Sometimes one of the fields in a struct denotes not the length of the entire struct or the length of some particular field in bytes, but the length in 32-bit words of a few fields. Not sure exactly how to support that, maybe by adding support for some simple arithmetic for the len type, along the lines of sizeof(field1) / 4.

    A few examples:

    IPv4 packets (https://en.wikipedia.org/wiki/IPv4#Header) contain an IHL field, which is "the number of 32-bit words in the header" (the header is variable in size). Moreover, there is a Total Length field, which "defines the entire packet size, including header and data, in bytes".

    Some IPv6 extension headers (https://en.wikipedia.org/wiki/IPv6_packet#Hop-by-hop_options_and_destination_options) contain a Hdr Ext Len field, which is the "length of this header in 8-octet units, not including the first 8 octets" (octet == byte).

Build bug

Building syzkaller failed on my machine:

make
go build -o ./bin/syz-manager github.com/google/syzkaller/syz-manager
github.com/google/syzkaller/sys
sys/sys.go:104: constant 18446744071562067968 overflows uintptr
sys/sys.go:107: constant 18446744071562067968 overflows uintptr
sys/sys.go:110: constant 18446744071562067968 overflows uintptr
sys/sys.go:714: constant 18446744073709551615 overflows uintptr
sys/sys.go:1879: constant 18446744073709551615 overflows uintptr
sys/sys.go:1879: too many errors
Makefile:19: recipe for target 'manager' failed
make: *** [manager] Error 2

uname -a
Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux

Errors when "go build -o bin/syz-manager ./syz-manager"

v@/ahdd/syzkaller$
go build -o bin/syz-manager ./syz-manager
# github.com/google/syzkaller/sys
/home/v/tmp/src/github.com/google/syzkaller/sys/align.go:35: undefined: Structs
/home/v/tmp/src/github.com/google/syzkaller/sys/decl.go:441: undefined: Resources
/home/v/tmp/src/github.com/google/syzkaller/sys/decl.go:472: undefined: Resources
/home/v/tmp/src/github.com/google/syzkaller/sys/decl.go:476: undefined: Resources
/home/v/tmp/src/github.com/google/syzkaller/sys/decl.go:608: undefined: initCalls
/home/v/tmp/src/github.com/google/syzkaller/sys/decl.go:609: undefined: initStructFields
v@/ahdd/syzkaller$
go version
go version go1.8 linux/amd64
v@/ahdd/syzkaller$
ndk-build --version
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.

So what's going wrong?

prog2c: needs to better mimic the way executor executes programs

There are several problems:

  1. executor has special code to execute syz_* pseudo syscalls. prog2c generates normal syscalls for them, which effectively become no-op since syscall numbers are bogus.
  2. executor now can skip SIGSEGVs during copyin/out of arguments. prog2c does not do it.
  3. executor collider logic is not precisely represented in prog2c.

Versioning of .txt declarations

I've fixed an issue with including the correct header to pull in a constant referenced in the declaratively defined syscalls for 4.4 mainline with PR #28; however, I think there is a broader issue.

At the time of writing, linux-next (my masochistically preferred kernel version :) fails with further issues; I think there is a broader issue of versioning these declarative entries to deal with files/consts/etc. changing between kernel versions (this is with my fix mentioned above):

[~/cloud/code/syzkaller]$ make generate LINUX="$HOME/linux"
go run sysgen/*.go -linux=/home/lorenzo/linux sys/sys.txt sys/socket.txt sys/tty.txt sys/perf.txt \
    sys/key.txt sys/bpf.txt sys/fuse.txt sys/dri.txt sys/kdbus.txt sys/sctp.txt \
    sys/kvm.txt sys/sndseq.txt sys/sndtimer.txt sys/sndcontrol.txt sys/input.txt \
    sys/netlink.txt sys/tun.txt sys/random.txt
failed to run gcc: exit status 1
<stdin>: In function ‘main’:
<stdin>:463:6028: error: ‘NETLINK_TX_RING’ undeclared (first use in this function)
<stdin>:463:6028: note: each undeclared identifier is reported only once for each function it appears in
<stdin>:463:7531: error: ‘CRYPTO_ALG_TYPE_PCOMPRESS’ undeclared (first use in this function)
<stdin>:463:17680: error: ‘NETLINK_RX_RING’ undeclared (first use in this function)

exit status 1
Makefile:43: recipe for target 'generate' failed
make: *** [generate] Error 1

Here CRYPTO_ALG_TYPE_PCOMPRESS has been removed altogether, whereas the NETLINK_TX_RING and NETLINK_RX_RING declarations have been put behind an #ifndef __KERNEL__ in commit d1b4c689.

Obviously, for older kernel versions we would like to keep syscalls referencing these, but for newer kernels we would be unable to generate sys/*.go.

@dvyukov do you think a missing constant should result in a warning and syscall entries referencing that constant being removed, or is it an intentional decision to let these fail so the .txt files can be updated accordingly? In that case do you have any plans for versioning?

I think it shouldn't be too hard to write code to do the warning/removal thing in which case the .txt files can be kept up-to-date with the absolute latest kernel version and still work on e.g. mainline.

Also please tell me if I'm being naive/missing something here :)

I am more than happy to work on this change myself.

qemu-system-ppc64: ISA bus not available for sb16

I could start syz-manager but am seeing the following error

./bin/syz-manager -config syz-manager/mycfg.cfg

2016/03/30 10:21:41 loading corpus...
2016/03/30 10:21:41 loaded 0 programs
2016/03/30 10:21:41 serving http on http://IPADDRESS:56741
2016/03/30 10:21:41 serving rpc on tcp://127.0.0.1:39881
2016/03/30 10:21:52 failed to create instance: qemu stopped:
qemu-system-ppc64: ISA bus not available for sb16

2016/03/30 10:21:52 failed to create instance: qemu stopped:
qemu-system-ppc64: ISA bus not available for sb16
...
P.S. IPADDRESS is placed in the output to mask my original IP address.

Here is the configuration file I used

cat syz-manager/mycfg.cfg

{
"http": "IPADDRESS:56741",
"workdir": "/syzkaller/workdir",
"kernel": "/root/linux/vmlinux",
"vmlinux": "/root/linux/vmlinux",
"image": "/var/lib/libvirt/images/rhel72-ppc64le.qcow2",
"sshkey": "/var/lib/libvirt/images/rhel72le_rsa",
"syzkaller": "/root/golang/src/github.com/google/syzkaller",
"type": "qemu",
"count": 16,
"procs": 4,
"cpu": 2,
"Bin": "qemu-system-ppc64",
"mem": 2048,
"disable_syscalls": [
"keyctl",
"add_key",
"request_key"
],
"suppressions": [
"some known bug"
]
}

Thanks in advance for your time.

Error during checkout syzkaller sources with all dependencies using GO

Hi all,

I am trying to check out syzkaller sources with all dependencies and I am getting the following error.
What could be the reason for this error? I have set two env variables correctly as the documentation says.

  1. Extracted latest go package at /home/test/kernel_fuzz/go. Set GOROOT env variable to that.
  2. Created an empty directory for GOPATH and set the GOPATH env variable to that
  3. Added the path to go/bin to PATH env variable

Following is the error:

[19:41:25] test@foosec:~/kernel_fuzz/go $ echo $GOROOT                          
/home/test/kernel_fuzz/go
[19:41:36] test@foosec:~/kernel_fuzz/go $ echo $GOPATH                          
/home/test/kernel_fuzz/gopath
[19:41:42] test@foosec:~/kernel_fuzz/go $ cd ../gopath                          
[19:41:56] test@foosec:~/kernel_fuzz/gopath $ go get github.com/google/syzkaller/...
# github.com/google/syzkaller/sys
src/github.com/google/syzkaller/sys/align.go:34: undefined: Structs
src/github.com/google/syzkaller/sys/decl.go:361: undefined: Resources
src/github.com/google/syzkaller/sys/decl.go:392: undefined: Resources
src/github.com/google/syzkaller/sys/decl.go:396: undefined: Resources
src/github.com/google/syzkaller/sys/decl.go:530: undefined: initCalls
src/github.com/google/syzkaller/sys/decl.go:531: undefined: initStructFields
# github.com/google/syzkaller/executor
src/github.com/google/syzkaller/executor/test_kvm.cc:4:22: fatal error: syscalls.h: No such file or directory
compilation terminated.
[19:42:01] test@foosec:~/kernel_fuzz/gopath $  

Thank you so much for the time!

In-place buffers in structs

Right now there's a type called buffer, which adds a pointer to a memory buffer field in a generated struct. It would be nice to have a type to denote an in-place buffer, which would add an actual array of chars field into the struct, not a pointer to this array.

Right now something like array[int8, 128] can be used as an alternative. The only problem is that this array is not considered as a binary blob by syzkaller and is not mutated accordingly.

Avoid draining battery on Android devices

syzkaller may be so stressful that a device runs out of charge and turns off.
We need to pause fuzzing when the charge level goes below specific level.
The charge level can be checked by running dumpsys battery:

dragon:/ # dumpsys battery                                                                                                                          
Current Battery Service state:
  AC powered: true
  USB powered: false
  Wireless powered: false
  Max charging current: 2400000
  Max charging voltage: 5000000
  Charge counter: 0
  status: 2
  health: 2
  present: true
  level: 19
  scale: 100
  voltage: 3764
  temperature: 275
  technology: Li-ion
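A parser for the dumpsys battery output above together with the pause decision, added as an example that is not syzkaller's own code. It embeds the output quoted above as its sample input; the thresholds and the hysteresis rule (pause below one level, resume only after recovering to a higher one) are this example's assumptions, not syzkaller settings.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// BatteryState is the subset of "dumpsys battery" fields needed here.
type BatteryState struct {
	ACPowered  bool
	USBPowered bool
	Level      int // raw level, in units of Scale
	Scale      int // value of a full charge (100 in the output above)
}

// ParseDumpsysBattery reads the "key: value" lines printed by dumpsys battery.
// Unknown keys are ignored; level and scale are mandatory.
func ParseDumpsysBattery(out string) (BatteryState, error) {
	var st BatteryState
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		var err error
		switch key {
		case "AC powered":
			st.ACPowered = val == "true"
		case "USB powered":
			st.USBPowered = val == "true"
		case "level":
			st.Level, err = strconv.Atoi(val)
		case "scale":
			st.Scale, err = strconv.Atoi(val)
		default:
			continue
		}
		if err != nil {
			return st, fmt.Errorf("dumpsys battery: bad %s value %q: %v", key, val, err)
		}
		seen[key] = true
	}
	if !seen["level"] || !seen["scale"] || st.Scale <= 0 {
		return st, fmt.Errorf("dumpsys battery: level/scale missing from output")
	}
	return st, nil
}

// ChargePercent normalizes level by scale.
func (s BatteryState) ChargePercent() int { return s.Level * 100 / s.Scale }

// ShouldPauseFuzzing applies hysteresis (an assumption of this example):
// pause once the charge drops below pauseBelow and stay paused until it has
// climbed back to resumeAt. External power is deliberately not a reason to
// keep going: the output above shows a device at 19% while AC powered.
func ShouldPauseFuzzing(s BatteryState, paused bool, pauseBelow, resumeAt int) bool {
	pct := s.ChargePercent()
	if paused {
		return pct < resumeAt
	}
	return pct < pauseBelow
}

// sampleDumpsys is the dumpsys battery output quoted above.
const sampleDumpsys = `Current Battery Service state:
  AC powered: true
  USB powered: false
  Wireless powered: false
  Max charging current: 2400000
  Max charging voltage: 5000000
  Charge counter: 0
  status: 2
  health: 2
  present: true
  level: 19
  scale: 100
  voltage: 3764
  temperature: 275
  technology: Li-ion
`

func main() {
	st, err := ParseDumpsysBattery(sampleDumpsys)
	if err != nil {
		panic(err)
	}
	fmt.Printf("charge %d%%, AC=%v, pause=%v\n", st.ChargePercent(), st.ACPowered,
		ShouldPauseFuzzing(st, false, 20, 40))
}
```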

generate enum type

Hello,
How can I generate enums like the following (https://android.googlesource.com/kernel/msm.git/+/android-msm-bullhead-3.10-marshmallow-dr-0/include/uapi/linux/ipa_qmi_service_v01.h)?
enum ipa_qmi_error_type_v01 {
/* To force a 32 bit signed enum. Do not change or use*/
IPA_QMI_ERROR_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
IPA_QMI_ERR_NONE_V01 = 0x0000,
IPA_QMI_ERR_MALFORMED_MSG_V01 = 0x0001,
IPA_QMI_ERR_NO_MEMORY_V01 = 0x0002,
IPA_QMI_ERR_INTERNAL_V01 = 0x0003,
IPA_QMI_ERR_CLIENT_IDS_EXHAUSTED_V01 = 0x0005,
IPA_QMI_ERR_INVALID_ID_V01 = 0x0029,
IPA_QMI_ERR_ENCODING_V01 = 0x003A,
IPA_QMI_ERR_INCOMPATIBLE_STATE_V01 = 0x005A,
IPA_QMI_ERR_NOT_SUPPORTED_V01 = 0x005E,
IPA_QMI_ERROR_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
};

/cover is empty

On a running instance:
Uptime: 5m12.616023671s
Corpus: 4674
Triage queue len: 0
Cover mem: 3546524 + 509684
Cover: 34998

Stats:
exec candidate: 549/min
exec fuzz: 95/sec
exec gen: 587/min
exec minimize: 112/sec
exec total: 287/sec
exec triage: 60/sec
executor restarts: 461/hour
fuzzer new inputs: 18/sec
manager new inputs: 14/sec
vm restarts: 115/hour

/cover is empty. The select id="files" is empty in the html.

What should be there, actually?

Cannot build syzkaller over the past half-year

So since updates to the build system, I can no longer build and use syzkaller. And I don't understand the messages at all:

$ go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/usr/lib64/go"
GOTOOLDIR="/usr/lib64/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build041551092=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

So let's start building:

$ make
make generate
make[1]: Entering directory '/home/latest/repos/syzkaller'
bin/syz-sysgen
generating amd64...
unsupported flag: KVM_ARM_VCPU_POWER_OFF
unsupported flag: KVM_ARM_VCPU_EL1_32BIT
unsupported flag: KVM_ARM_VCPU_PSCI_0_2
unsupported flag: KVM_ARM_VCPU_PMU_V3
unsupported flag: KVM_ARM_TARGET_CORTEX_A53
unsupported flag: KVM_ARM_TARGET_AEM_V8
unsupported flag: KVM_ARM_TARGET_FOUNDATION_V8
unsupported flag: KVM_ARM_TARGET_CORTEX_A57
unsupported flag: KVM_ARM_TARGET_XGENE_POTENZA
unsupported flag: KVM_ARM_TARGET_GENERIC_V8
unsupported flag: KVM_ARM_VCPU_INIT

generating arm64...
unsupported flag: KVM_GET_CPUID2
unsupported flag: PTRACE_GETREGS

and a lot more of these, then it continues:

make[1]: Leaving directory '/home/latest/repos/syzkaller'
go install ./syz-manager ./syz-fuzzer
syz-manager/manager.go:22:2: cannot find package "github.com/google/syzkaller/config" in any of:
        /usr/lib64/go/src/github.com/google/syzkaller/config (from $GOROOT)
        ($GOPATH not set)
syz-manager/cover.go:18:2: cannot find package "github.com/google/syzkaller/cover" in any of:
        /usr/lib64/go/src/github.com/google/syzkaller/cover (from $GOROOT)
        ($GOPATH not set)

and so on. I always had to:

$ mkdir -p go/src/github.com/google/
$ ln -s "$PWD" go/src/github.com/google/syzkaller
export GOPATH="$PWD/go:/usr/share/go/contrib/"
export GOBIN="$PWD/bin"

But it does not help to finish building:

$ make
...
unsupported syscall: shmctl
unsupported syscall: shmdt
unsupported syscall: shmget
unsupported syscall: sync_file_range

make[1]: Leaving directory '/home/latest/repos/syzkaller'
go install ./syz-manager ./syz-fuzzer
go install golang.org/x/net/context: open /usr/share/go/contrib/pkg/linux_amd64/golang.org/x/net/context.a: permission denied
go install golang.org/x/oauth2/jws: open /usr/share/go/contrib/pkg/linux_amd64/golang.org/x/oauth2/jws.a: permission denied
go install google.golang.org/api/googleapi/internal/uritemplates: open /usr/share/go/contrib/pkg/linux_amd64/google.golang.org/api/googleapi/internal/uritemplates.a: permission denied
# golang.org/x/sys/unix
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall.go:74: missing function body for "use"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_linux_amd64.go:65: missing function body for "gettimeofday"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:52: missing function body for "Syscall"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:53: missing function body for "Syscall6"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:54: missing function body for "RawSyscall"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:55: missing function body for "RawSyscall6"
make: *** [Makefile:13: all] Error 2

Why does it want to install before building, actually?

Anyway, if I try to make manager after make generate, it still fails:

$ make manager
go build -o ./bin/syz-manager github.com/google/syzkaller/syz-manager
# golang.org/x/sys/unix
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall.go:74: missing function body for "use"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_linux_amd64.go:65: missing function body for "gettimeofday"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:52: missing function body for "Syscall"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:53: missing function body for "Syscall6"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:54: missing function body for "RawSyscall"
/usr/share/go/contrib/src/golang.org/x/sys/unix/syscall_unix.go:55: missing function body for "RawSyscall6"
# github.com/google/syzkaller/gce
go/src/github.com/google/syzkaller/gce/gce.go:129: unknown compute.Scheduling field 'Preemptible' in struct literal
make: *** [Makefile:25: manager] Error 2

FWIW x-sys is from a somewhat old package: golang-org-x-sys-source-0.0.0+git20150612.b4e2899-1.10.x86_64 There is no newer one in the distribution.

So I cannot persuade it to build :(.

Get rid of FdName constants in sys/decl.go

Every time I add a device description, I need to add a corresponding fd type to sys/decl.go.
This is redundant, as the list of possible file descriptor types can be generated as the intersection of all fd[name] parameters and all fd[name] return values of all syscalls.
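
The derivation the issue proposes, as an added example in Go (not code from the syzkaller repository): scan syscall declarations for fd[name] resources, split them into parameter-side and return-side names, and compute the intersection, the union, and the two mismatch sets. The sample declarations are constructed in the shape syzkaller's sys/*.txt files use and are not copied from the project; the regex and the `name(args) rettype` line format are simplifying assumptions. The union is what a generator would emit constants for; the intersection is what the issue describes; a name that shows up on only one side usually means a typo or an incomplete description.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleDescriptions is a constructed, simplified set of syscall
// descriptions; it is not copied from syzkaller's sys/*.txt files.
const sampleDescriptions = `
socket(domain int32, type int32, proto int32) fd[sock]
accept(fd fd[sock], addr ptr[out, sockaddr], addrlen ptr[inout, int32]) fd[sock]
setsockopt$udp_int(fd fd[sock], level int32, opt int32, val ptr[in, int32], len int32)
open(file ptr[in, filename], flags int32, mode int32) fd[file]
read(fd fd[file], buf ptr[out, array[int8]], count len[buf])
epoll_create(size int32) fd[epoll]
epoll_ctl(epfd fd[epoll], op int32, fd fd[file], ev ptr[in, epoll_event])
timerfd_create(clockid int32, flags int32) fd[timer]
close(fd fd[orphan])
`

// fdRe matches one fd[name] resource reference (assumed syntax).
var fdRe = regexp.MustCompile(`fd\[([A-Za-z0-9_]+)\]`)

// FdUsage records which fd[name] resources appear as syscall parameters
// and which appear as return values.
type FdUsage struct {
	Params  map[string]bool
	Returns map[string]bool
}

// ParseFdUsage scans one declaration per line of the form
// "name(arg type, ...) rettype", where rettype is optional.
func ParseFdUsage(desc string) (FdUsage, error) {
	u := FdUsage{Params: map[string]bool{}, Returns: map[string]bool{}}
	for n, line := range strings.Split(desc, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		openIdx := strings.Index(line, "(")
		closeIdx := strings.LastIndex(line, ")")
		if openIdx < 0 || closeIdx < openIdx {
			return u, fmt.Errorf("line %d: malformed declaration %q", n+1, line)
		}
		for _, m := range fdRe.FindAllStringSubmatch(line[openIdx+1:closeIdx], -1) {
			u.Params[m[1]] = true
		}
		for _, m := range fdRe.FindAllStringSubmatch(line[closeIdx+1:], -1) {
			u.Returns[m[1]] = true
		}
	}
	return u, nil
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Intersection returns fd types that are both produced and consumed.
func (u FdUsage) Intersection() []string {
	out := []string{}
	for _, k := range sortedKeys(u.Params) {
		if u.Returns[k] {
			out = append(out, k)
		}
	}
	return out
}

// Union returns every fd type named anywhere: the full set a generator
// would need a constant for.
func (u FdUsage) Union() []string {
	all := map[string]bool{}
	for k := range u.Params {
		all[k] = true
	}
	for k := range u.Returns {
		all[k] = true
	}
	return sortedKeys(all)
}

// Unmatched returns types only ever returned and types only ever consumed.
func (u FdUsage) Unmatched() (returnOnly, paramOnly []string) {
	returnOnly, paramOnly = []string{}, []string{}
	for _, k := range sortedKeys(u.Returns) {
		if !u.Params[k] {
			returnOnly = append(returnOnly, k)
		}
	}
	for _, k := range sortedKeys(u.Params) {
		if !u.Returns[k] {
			paramOnly = append(paramOnly, k)
		}
	}
	return returnOnly, paramOnly
}

func main() {
	u, err := ParseFdUsage(sampleDescriptions)
	if err != nil {
		panic(err)
	}
	fmt.Println("intersection:", u.Intersection())
	fmt.Println("union:", u.Union())
	ro, po := u.Unmatched()
	fmt.Println("returned but never consumed:", ro)
	fmt.Println("consumed but never produced:", po)
}
```

On the constructed input, fd[timer] is returned by timerfd_create but no syscall takes it, and fd[orphan] is consumed by close but nothing produces it; a generator that reports those two sets catches exactly the kind of inconsistency that hand-maintained constants silently tolerate.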

Additional usage instructions

After getting GCC / kernel up and compiled properly and running syzkaller, I'm getting some crash logs. I think I may have misconfigured something as there is no additional information about the oops -- like a stack trace. Are these crash logs meant to be turned into a trigger using the -repro?

➜  syzkaller git:(master) ✗ ./bin/syz-repro -config config.cfg syzkaller_data/workdir/crashes/crash-qemu-0-1456169225187357935
2016/02/24 11:12:34 parsed 4 programs
2016/02/24 11:12:34 can't find crash message in the log
➜  syzkaller git:(master) ✗ cat syzkaller_data/workdir/crashes/crash-qemu-3-1456169236767423401
Warning: Permanently added '[localhost]:62919' (ECDSA) to the list of known hosts.
2016/02/22 19:26:06 fuzzer started, log level 0
2016/02/22 19:26:06 dialing manager at 10.0.2.10:49290
2016/02/22 19:26:14 executing program 0:
r0 = socket(0x8, 0x803, 0x1)

[......]

mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$udp_int(r0, 0x11, 0x1, &(0x7f0000000000)=0x3f, 0x4)

after running for 1m8.592974344s:
no output
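
The log above ends in "no output" rather than a kernel report, which is why syz-repro finds no crash message in it. As an added example (not syzkaller's own report parser, which recognizes far more report formats), here is a Go triage pass over a crashes directory that separates logs carrying a kernel report prefix from logs that only record a hang, and pulls out the program lines that were executing last. Both sample logs are constructed for this example and modelled on the one in the post; the marker list and the assumption that a program ends at the next timestamped fuzzer line or an "after running for" line are simplifications.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is a coarse triage label for one crash log.
type Verdict string

const (
	VerdictCrash    Verdict = "kernel report found; worth running syz-repro"
	VerdictNoOutput Verdict = "no output: VM hung or connection lost, no report to reproduce"
	VerdictUnknown  Verdict = "no recognizable crash marker"
)

// oopsMarkers is an illustrative, incomplete list of Linux kernel report
// prefixes (assumption: a real triage tool needs syzkaller's full set).
var oopsMarkers = []string{
	"BUG:", "WARNING:", "KASAN:", "UBSAN:", "Kernel panic",
	"general protection fault", "kernel BUG at", "INFO: rcu detected stall",
}

// hangLog is a constructed log in the shape of the one in the post.
const hangLog = `Warning: Permanently added '[localhost]:62919' (ECDSA) to the list of known hosts.
2016/02/22 19:26:06 fuzzer started, log level 0
2016/02/22 19:26:06 dialing manager at 10.0.2.10:49290
2016/02/22 19:26:14 executing program 0:
r0 = socket(0x8, 0x803, 0x1)
mmap(&(0x7f0000000000)=nil, (0x1000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
setsockopt$udp_int(r0, 0x11, 0x1, &(0x7f0000000000)=0x3f, 0x4)

after running for 1m8.592974344s:
no output
`

// crashLog is a constructed log where the VM printed a kernel report;
// the symbol name and addresses are placeholders.
const crashLog = `2016/02/22 19:30:01 executing program 2:
r0 = open(&(0x7f0000001000)="2f6465762f6e756c6c00", 0x0, 0x0)
ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000002000)=0x0)
[  112.330123] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[  112.331456] IP: [<ffffffff81234567>] example_fn+0x17/0x40
[  112.332000] Call Trace:
`

func hasMarker(line string) bool {
	for _, m := range oopsMarkers {
		if strings.Contains(line, m) {
			return true
		}
	}
	return false
}

// looksLikeTimestamp matches the "YYYY/MM/DD HH:MM:SS " prefix the fuzzer
// puts on its own log lines.
func looksLikeTimestamp(line string) bool {
	return len(line) >= 20 && line[4] == '/' && line[7] == '/' && line[10] == ' ' && line[13] == ':'
}

// Triage labels one log and returns the program lines executing last.
func Triage(log string) (Verdict, []string) {
	verdict := VerdictUnknown
	prog := []string{}
	inProg := false
	for _, raw := range strings.Split(log, "\n") {
		t := strings.TrimSpace(raw)
		switch {
		case strings.Contains(t, "executing program"):
			prog = prog[:0] // a new program supersedes the previous one
			inProg = true
			continue
		case hasMarker(t):
			verdict = VerdictCrash
			inProg = false
		case strings.HasPrefix(t, "after running for") || looksLikeTimestamp(t):
			inProg = false
		case t == "no output" || strings.Contains(t, "lost connection"):
			if verdict != VerdictCrash {
				verdict = VerdictNoOutput
			}
			inProg = false
		}
		if inProg && t != "" {
			prog = append(prog, t)
		}
	}
	return verdict, prog
}

func main() {
	for name, log := range map[string]string{"hang": hangLog, "crash": crashLog} {
		v, prog := Triage(log)
		fmt.Printf("%s: %s\n  last program (%d lines): %v\n", name, v, len(prog), prog)
	}
}
```

A log labelled VerdictNoOutput is still useful (the last program is a candidate for a hang reproducer), but it carries nothing a report parser can anchor on, so feeding it to syz-repro as-is produces exactly the "can't find crash message in the log" result shown above.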
