
Syzkaller targets are broken with native go114-fuzz-build #3639

Closed
inferno-chromium opened this issue Apr 14, 2020 · 7 comments · Fixed by #3646


@inferno-chromium
Collaborator

INFO: Seed: 1337
fatal error: stack growth after fork

runtime stack:
runtime.throw(0x807d03, 0x17)
	runtime/panic.go:1116 +0x74
runtime.newstack()
	runtime/stack.go:922 +0xcf0
runtime.morestack()
	runtime/asm_amd64.s:449 +0x84

goroutine 5 [running]:
runtime.libfuzzerTraceConstCmp8(0x0, 0x0)
	runtime/libfuzzer.go:41 +0x52 fp=0x10c0000f1830 sp=0x10c0000f1828 pc=0x55e3b2
syscall.forkAndExecInChild1(0x10c0000200c0, 0x10c0001ace40, 0x8, 0x8, 0x10c000234000, 0x15, 0x15, 0x0, 0x0, 0x10c0000f1c88, ...)
	syscall/exec_linux.go:206 +0x3c1 fp=0x10c0000f1a10 sp=0x10c0000f1830 pc=0x5c72c1
syscall.forkAndExecInChild(0x10c0000200c0, 0x10c0001ace40, 0x8, 0x8, 0x10c000234000, 0x15, 0x15, 0x0, 0x0, 0x10c0000f1c88, ...)
INFO: 17638 Extra Counters
	syscall/exec_linux.go:72 +0xe0 fp=0x10c0000f1ae0 sp=0x10c0000f1a10 pc=0x5c6c40
syscall.forkExec(0x84275f, 0x20, 0x10c000230d90, 0x7, 0x7, 0x10c0000f1c88, 0x14, 0x9da29dad00000200, 0x10c0001d0700)
	syscall/exec_unix.go:201 +0x496 fp=0x10c0000f1bf8 sp=0x10c0000f1ae0 pc=0x5cb096
syscall.StartProcess(...)
	syscall/exec_unix.go:248
os.startProcess(0x84275f, 0x20, 0x10c000230d90, 0x7, 0x7, 0x10c0000f1e48, 0x0, 0x0, 0x0)
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
	os/exec_posix.go:53 +0x37a fp=0x10c0000f1ce0 sp=0x10c0000f1bf8 pc=0x63712a
os.StartProcess(0x84275f, 0x20, 0x10c000230d90, 0x7, 0x7, 0x10c0000f1e48, 0x14, 0x0, 0x8)
	os/exec.go:102 +0x8d fp=0x10c0000f1d38 sp=0x10c0000f1ce0 pc=0x636c8d
os/exec.(*Cmd).Start(0x10c0001abb80, 0x842701, 0x10c00000ef40)
	os/exec/exec.go:422 +0x6bc fp=0x10c0000f1ea0 sp=0x10c0000f1d38 pc=0x68f69c
os/exec.(*Cmd).Run(0x10c0001abb80, 0x10c00000ef40, 0x10c0000dff00)
	os/exec/exec.go:338 +0x40 fp=0x10c0000f1ec8 sp=0x10c0000f1ea0 pc=0x68ef60
github.com/google/syzkaller/sys/targets.checkFlagSupported(0x10c0001ab080, 0x7a80c7, 0x7, 0x0)
	github.com/google/syzkaller/sys/targets/targets.go:524 +0x192 fp=0x10c0000f1f70 sp=0x10c0000f1ec8 pc=0x724442
github.com/google/syzkaller/sys/targets.checkOptionalFlags.func1(0x10c000019810, 0x10c0001ab080, 0x10c00001981d, 0x7a80c7, 0x7)
	github.com/google/syzkaller/sys/targets/targets.go:508 +0x7c fp=0x10c0000f1fb8 sp=0x10c0000f1f70 pc=0x72575c
runtime.goexit()
	runtime/asm_amd64.s:1373 +0x1 fp=0x10c0000f1fc0 sp=0x10c0000f1fb8 pc=0x5b5061
created by github.com/google/syzkaller/sys/targets.checkOptionalFlags
	github.com/google/syzkaller/sys/targets/targets.go:506 +0x4e9

goroutine 1 [semacquire, locked to thread]:
sync.runtime_Semacquire(0x10c000019818)
	runtime/sema.go:56 +0x44
sync.(*WaitGroup).Wait(0x10c000019810)
	sync/waitgroup.go:130 +0x13c
github.com/google/syzkaller/sys/targets.checkOptionalFlags(0x10c0001ab080)
	github.com/google/syzkaller/sys/targets/targets.go:511 +0x21d
github.com/google/syzkaller/sys/targets.Get.func1()
	github.com/google/syzkaller/sys/targets/targets.go:74 +0x3b
sync.(*Once).doSlow(0x10c0001ab080, 0x10c000221278)
	sync/once.go:66 +0x157
sync.(*Once).Do(...)
	sync/once.go:57
github.com/google/syzkaller/sys/targets.Get(0x7a75b3, 0x6, 0x7a4c66, 0x5, 0x0)
	github.com/google/syzkaller/sys/targets/targets.go:73 +0x139
syzkaller/pkg/report.NewReporter(0x10c0002214b0, 0x6, 0x0, 0x0, 0x1)
	syzkaller/pkg/report/report.go:100 +0x289
syzkaller/pkg/report.glob..func1(0xc774c0, 0x10c0001f9680, 0x7aae0f)
	syzkaller/pkg/report/fuzz.go:55 +0x266
syzkaller/pkg/report.init()
	syzkaller/pkg/report/fuzz.go:65 +0x1575

goroutine 17 [chan receive, locked to thread]:
runtime.gopark(0xcafa80, 0x10c000126058, 0x170e, 0x2)
	runtime/proc.go:304 +0xe6
runtime.chanrecv(0x10c000126000, 0x0, 0x1, 0x0)
	runtime/chan.go:525 +0x2eb
runtime.chanrecv1(0x10c000126000, 0x0)
	runtime/chan.go:407 +0x2b
runtime.cgocallbackg1(0x0)
	runtime/cgocall.go:255 +0x20b
runtime.cgocallbackg(0x0)
	runtime/cgocall.go:207 +0xc7
runtime.cgocallback_gofunc(0x0, 0x0, 0x0, 0x0)
	runtime/asm_amd64.s:793 +0x9a
runtime.goexit()
	runtime/asm_amd64.s:1373 +0x1

goroutine 4 [runnable]:
internal/poll.runtime_pollClose(0x7f3f47381b98)
	runtime/netpoll.go:169 +0xab
internal/poll.(*pollDesc).init(0x10c00028a138, 0x10c00028a120, 0x471480, 0x1)
	internal/poll/fd_poll_runtime.go:43 +0x243
internal/poll.(*FD).Init(0x10c00028a120, 0x7a3cd7, 0x4, 0x1, 0xf, 0x0)
	internal/poll/fd_unix.go:63 +0xa6
os.newFile(0xf, 0x7ae5b4, 0x9, 0x1, 0x10c000000000)
	os/file_unix.go:155 +0x1b6
os.openFileNolog(0x7ae5b4, 0x9, 0x1, 0x0, 0x10c000288018, 0x0, 0x10c000286060)
	os/file_unix.go:226 +0x298
os.OpenFile(0x7ae5b4, 0x9, 0x1, 0x0, 0x2, 0x10c000286060, 0x1)
	os/file.go:307 +0x74
os/exec.(*Cmd).writerDescriptor(0x10c000284000, 0x0, 0x0, 0x4713f0, 0x2, 0x3)
	os/exec/exec.go:291 +0x482
os/exec.(*Cmd).stderr(0x10c000284000, 0x3, 0x0, 0x0)
	os/exec/exec.go:286 +0x106
os/exec.(*Cmd).Start(0x10c000284000, 0x842701, 0x10c000286000)
	os/exec/exec.go:407 +0x1d4
os/exec.(*Cmd).Run(0x10c000284000, 0x10c000286000, 0x10c0000df700)
	os/exec/exec.go:338 +0x40
github.com/google/syzkaller/sys/targets.checkFlagSupported(0x10c0001ab080, 0x8033f8, 0x17, 0x0)
	github.com/google/syzkaller/sys/targets/targets.go:524 +0x192
github.com/google/syzkaller/sys/targets.checkOptionalFlags.func1(0x10c000019810, 0x10c0001ab080, 0x10c00001981c, 0x8033f8, 0x17)
	github.com/google/syzkaller/sys/targets/targets.go:508 +0x7c
created by github.com/google/syzkaller/sys/targets.checkOptionalFlags
	github.com/google/syzkaller/sys/targets/targets.go:506 +0x4e9
AddressSanitizer:DEADLYSIGNAL
=================================================================
==213==ERROR: AddressSanitizer: ABRT on unknown address 0x0000000000d5 (pc 0x0000005b6c81 bp 0x7f3f4acfebf8 sp 0x7f3f4acfebe0 T3)
SCARINESS: 10 (signal)
    #0 0x5b6c81 in runtime.raise runtime/sys_linux_amd64.s:1

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT runtime/sys_linux_amd64.s:1 in runtime.raise
Thread T3 created by T1 here:
    #0 0x50c0ea in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x5542a0 in _cgo_try_pthread_create /root/.go/src/runtime/cgo/gcc_libinit.c:100:9
    #2 0x58b822 in runtime.newm runtime/proc.go:1732
    #3 0x58bdab in runtime.startm runtime/proc.go:1869
    #4 0x590227 in runtime.wakep runtime/proc.go:1953
    #5 0x590227 in runtime.newproc1 runtime/proc.go:3487
    #6 0x5b1f90 in runtime.newproc.func1 runtime/proc.go:3381
    #7 0x5b2f92 in runtime.systemstack runtime/asm_amd64.s:370

Thread T1 created by T0 here:
    #0 0x50c0ea in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x5541f0 in _cgo_try_pthread_create /root/.go/src/runtime/cgo/gcc_libinit.c:100:9
    #2 0x5541f0 in x_cgo_sys_thread_create /root/.go/src/runtime/cgo/gcc_libinit.c:27:12
    #3 0x7895bc in __libc_csu_init (/tmp/not-out/report_fuzzer+0x7895bc)

==213==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 
ERROR: 50% of fuzz targets seem to be broken. See the list above for a detailed information.
Check build failed.
inferno-chromium added a commit that referenced this issue Apr 14, 2020
* Switch OSS projects to use native go-fuzz.

* Fix go-json-iterator breakage, put source in package search dir.

* Revert syzkaller change, track bug in #3639
@Dor1s
Contributor

Dor1s commented Apr 14, 2020

/cc @dvyukov

@dvyukov
Contributor

dvyukov commented Apr 14, 2020

@mdempsky go-fuzz does not instrument os/exec. If the native instrumentation does, it probably shouldn't (at least the child part).

@mdempsky

Oops. Yeah, the compiler avoids instrumenting package runtime, but will instrument whatever else it's told to, including package syscall and the forkExec functions.

Adding -gcflags=syscall=-d=libfuzzer=0 in go114-fuzz-build looks like it should work. I'm wondering if there are any other packages that need to be / should be suppressed?

I know you mentioned os/exec, but I think that's fine to instrument if syscall is suppressed?

mdempsky added a commit to mdempsky/go114-fuzz-build that referenced this issue Apr 14, 2020
Fuzz instrumentation isn't safe for the child process within
syscall.ForkExec. Reported as google/oss-fuzz#3639.
@dvyukov
Contributor

dvyukov commented Apr 14, 2020

You may find the full list that go-fuzz does not instrument in go-fuzz-build. I don't remember anything additional on top of what may be in the comments there...

@mdempsky

Thanks. It looks like go-fuzz-build doesn't explicitly avoid instrumenting syscall, but avoids it as a side effect of it being a dependency of github.com/dvyukov/go-fuzz/go-fuzz-dep, which the comments say it avoids because it would lead to import cycles: https://github.com/dvyukov/go-fuzz/blob/be3528f3a81351d8a438aed216130e1e7da39f7c/go-fuzz-build/main.go#L552

Since go114-fuzz-build doesn't need a Go support library (other than the Go runtime itself), the import cycle concern didn't apply, so I didn't try replicating that logic beyond avoiding instrumenting package runtime. So that explains why I didn't realize package syscall (and fork in particular) would be a sore point.

@Dor1s
Contributor

Dor1s commented Apr 14, 2020

@inferno-chromium how many executions did this need to crash? I wonder why bad build check didn't catch it.

@inferno-chromium
Collaborator Author

@inferno-chromium how many executions did this need to crash? I wonder why bad build check didn't catch it.

The bad build check did catch it instantly; that is why I excluded this target from the original commit.
