
executor: better support for globs #5685

Merged
merged 2 commits into from
Jan 28, 2025

Conversation

keddad
Contributor

@keddad keddad commented Jan 20, 2025

  • Linux executor now mounts /syz-inputs folder to sandbox, so user can pass their own files for fuzzing with globs. Folder is mounted as RO, so this shouldn't make sandboxing less effective. (See https://groups.google.com/g/syzkaller/c/U-DISFjKLzg for specific use case)

  • Timeouts for globs are disabled. They can be quite slow (with default settings, in my tests, globs started timing out on thousands of files), and right now, if glob resolution times out, nothing happens. If you are running debug, you can see the timeout error, but in any case, it is ignored and fuzzer runs with fewer inputs than user expected without any notification. I think that it is reasonable to wait for those longer than default program timeout.

@keddad keddad force-pushed the better_glob_electric_boogalo branch from 4147a27 to b3326d4 Compare January 22, 2025 16:19
@dvyukov
Collaborator

dvyukov commented Jan 22, 2025

What motivated you to go with this approach rather than the second one I suggested?

Even better: minimize and supply the binaries as seeds for the fuzzer,
then it will even be able to mutate them as well.

@keddad
Contributor Author

keddad commented Jan 22, 2025

I didn't want to use syzkaller's mutator here. I want to do some testing of ELF processing in both kernel and userspace applications, so instead I wanted to generate fuzzing artifacts with an external tool (Melkor) and then use those as-is with Syzkaller, as well as some other tools.

@keddad keddad force-pushed the better_glob_electric_boogalo branch from b3326d4 to 8bba7cd Compare January 22, 2025 19:31
dvyukov
dvyukov previously approved these changes Jan 27, 2025
@dvyukov dvyukov enabled auto-merge January 27, 2025 14:25
@dvyukov
Collaborator

dvyukov commented Jan 27, 2025

CI complains about some non-formatted source files:

diff --git a/executor/common.h b/executor/common.h
index faa7e3f..e7e02ff 100644
--- a/executor/common.h
+++ b/executor/common.h
@@ -700,7 +700,7 @@ static void loop(void)
 			uint64 min_timeout_ms = program_timeout_ms * 3 / 5;
 			uint64 inactive_timeout_ms = syscall_timeout_ms * 20;
 			uint64 glob_timeout_ms = program_timeout_ms * 120;
-			
+
 			uint64 now = current_time_ms();
 			uint32 now_executed = output_data->completed.load(std::memory_order_relaxed);
 			if (executed_calls != now_executed) {
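Review bot: the only change in this hunk is stripping the trailing tabs from the blank line after `uint64 glob_timeout_ms = program_timeout_ms * 120;`, which is exactly what the CI formatter flagged; commit the output of `make generate` rather than fixing the whitespace by hand, so the generated header stays byte-identical with what the checker produces. The bare constant 120 in `glob_timeout_ms` would also benefit from a one-line comment giving the reason stated in the PR description (glob resolution over thousands of files otherwise times out silently and shrinks the input set), since nothing in the visible code tells the next reader why globs get 120x the program timeout.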
executor/common.h:1:1: The file is not formatted/regenerated. Run 'make generate' and include it into the commit.
Error: The file is not formatted/regenerated. Run 'make generate' and include it into the commit.

This needs to be fixed before we can merge this.

auto-merge was automatically disabled January 27, 2025 20:21

Head branch was pushed to by a user without write access

@keddad keddad force-pushed the better_glob_electric_boogalo branch from 8bba7cd to 3cd41b6 Compare January 27, 2025 20:21
@keddad
Contributor Author

keddad commented Jan 27, 2025

Looks like I missed some whitespace differences. Should be fixed now, sorry.

@dvyukov dvyukov enabled auto-merge January 27, 2025 20:36

Syzkaller allows users to specify filepath arguments in syscalls via globs.
However, on Linux, you are effectively limited to some /sys and /dev paths due to sandboxing.

With this change, users can supply their custom fuzzing artifacts to /syz-inputs to use those in globs.
They are mounted read-only to increase reproducibility.
Proper glob resolution is required for fuzzing.
If it times out, it does so silently, and the fuzzing dictionary will be smaller than expected, without any obvious errors.
Given that, it makes sense to increase glob timeouts.
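Both the PR description and the commit message rest on the claim that the inputs directory is exposed read-only and so does not weaken the sandbox; the following is an added example (not syzkaller's executor code, which this page does not show) of how to verify that property: it bind-mounts a source directory read-only the way a sandbox would expose /syz-inputs and probes it with a write. The function and enum names are assumptions of this example; it runs in an unprivileged user namespace so no root is needed, and reports RO_SKIPPED where user namespaces are unavailable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <unistd.h>

enum { RO_OK = 0, RO_WRITABLE = 1, RO_SKIPPED = 2 }; /* assumed codes, not a syzkaller API */

/* Flags an unprivileged user namespace is not allowed to drop on remount;
 * leaving them out makes the MS_REMOUNT below fail with EPERM. */
static unsigned long locked_flags(const char *path)
{
	struct statvfs st;
	unsigned long f = 0;
	if (statvfs(path, &st) != 0)
		return 0;
	if (st.f_flag & ST_NOSUID) f |= MS_NOSUID;
	if (st.f_flag & ST_NODEV) f |= MS_NODEV;
	if (st.f_flag & ST_NOEXEC) f |= MS_NOEXEC;
	if (st.f_flag & ST_NOATIME) f |= MS_NOATIME;
	if (st.f_flag & ST_NODIRATIME) f |= MS_NODIRATIME;
	if (st.f_flag & ST_RELATIME) f |= MS_RELATIME;
	return f;
}

/* Bind-mount `src` at `target` read-only and probe it by creating a file.
 * RO_OK: the write was rejected with EROFS.  RO_WRITABLE: the write went
 * through, so the "read-only" mount is not.  RO_SKIPPED: no unprivileged
 * user namespaces here (or an unexpected errno), nothing could be proven. */
static int bind_readonly_and_check(const char *src, const char *target)
{
	/* A fresh user+mount namespace lets this run without root. */
	if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return RO_SKIPPED;
	/* Keep the new mounts from propagating back to the parent namespace. */
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return RO_SKIPPED;
	if (mount(src, target, NULL, MS_BIND, NULL) != 0) return RO_SKIPPED;
	/* MS_BIND ignores MS_RDONLY: the read-only bit needs this second pass. */
	unsigned long fl = MS_REMOUNT | MS_BIND | MS_RDONLY | locked_flags(target);
	if (mount(NULL, target, NULL, fl, NULL) != 0) return RO_SKIPPED;
	char probe[PATH_MAX];
	snprintf(probe, sizeof(probe), "%s/probe", target);
	int fd = open(probe, O_WRONLY | O_CREAT, 0600);
	if (fd >= 0) { close(fd); unlink(probe); return RO_WRITABLE; }
	return errno == EROFS ? RO_OK : RO_SKIPPED;
}
```

Dropping the second mount call (or forgetting the locked flags inside a user namespace) is the usual way a "read-only" bind mount ends up writable or fails to mount at all, which is what this probe catches.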
@dvyukov dvyukov force-pushed the better_glob_electric_boogalo branch from 3cd41b6 to 75deab3 Compare January 28, 2025 08:48
@dvyukov dvyukov added this pull request to the merge queue Jan 28, 2025
Merged via the queue into google:master with commit ac37c1f Jan 28, 2025
17 checks passed