-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
syz-ci.go
494 lines (467 loc) · 17.2 KB
/
syz-ci.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// syz-ci is a continuous fuzzing system for syzkaller.
// It runs several syz-manager's, polls and rebuilds images for managers
// and polls and rebuilds syzkaller binaries.
// For usage instructions see: docs/ci.md.
package main
// Implementation details:
//
// 2 main components:
// - SyzUpdater: handles syzkaller updates
// - Manager: handles kernel build and syz-manager process (one per manager)
// Both operate in a similar way and keep 2 builds:
// - latest: latest known good build (i.e. we tested it)
// preserved across restarts/reboots, i.e. we can start fuzzing even when
// current syzkaller/kernel git head is broken, or git is down, or anything else
// - current: currently used build (a copy of one of the latest builds)
// Other important points:
// - syz-ci is always built on the same revision as the rest of syzkaller binaries,
// this allows us to handle e.g. changes in manager config format.
// - consequently, syzkaller binaries are never updated on-the-fly,
// instead we re-exec and then update
// - we understand when the latest build is fresh even after reboot,
// i.e. we store enough information to identify it (git hash, compiler identity, etc),
// so we don't rebuild unnecessary (kernel builds take time)
// - we generally avoid crashing the process and handle all errors gracefully
// (this is a continuous system), except for some severe/user errors during start
// (e.g. bad config file, or can't create necessary dirs)
//
// Directory/file structure:
// syz-ci : current executable
// syzkaller/
// latest/ : latest good syzkaller build
// current/ : syzkaller build currently in use
// managers/
// manager1/ : one dir per manager
// kernel/ : kernel checkout
// workdir/ : manager workdir (never deleted)
// latest/ : latest good kernel image build
// current/ : kernel image currently in use
// jobs/
// linux/ : one dir per target OS
// kernel/ : kernel checkout
// image/ : currently used image
// workdir/ : some temp files
//
// Current executable, syzkaller and kernel builds are marked with tag files.
// Tag files uniquely identify the build (git hash, compiler identity, kernel config, etc).
// For tag files both contents and modification time are important,
// modification time allows us to understand if we need to rebuild after a restart.
import (
"encoding/json"
"flag"
"fmt"
"net"
"net/http"
_ "net/http/pprof"
"os"
"path/filepath"
"strings"
"sync"
"time"
"github.com/google/syzkaller/dashboard/dashapi"
"github.com/google/syzkaller/pkg/asset"
"github.com/google/syzkaller/pkg/config"
"github.com/google/syzkaller/pkg/log"
"github.com/google/syzkaller/pkg/mgrconfig"
"github.com/google/syzkaller/pkg/osutil"
"github.com/google/syzkaller/pkg/vcs"
)
var (
flagConfig = flag.String("config", "", "config file")
flagAutoUpdate = flag.Bool("autoupdate", true, "auto-update the binary (for testing)")
flagManagers = flag.Bool("managers", true, "start managers (for testing)")
flagDebug = flag.Bool("debug", false, "debug mode (for testing)")
// nolint: lll
flagExitOnUpgrade = flag.Bool("exit-on-upgrade", false, "exit after a syz-ci upgrade is applied; otherwise syz-ci restarts")
)
type Config struct {
Name string `json:"name"`
HTTP string `json:"http"`
// If manager http address is not specified, give it an address starting from this port. Optional.
// This is also used to auto-assign ports for test instances.
ManagerPort int `json:"manager_port_start"`
// If manager rpc address is not specified, give it addresses starting from this port. By default 30000.
// This is also used to auto-assign ports for test instances.
RPCPort int `json:"rpc_port_start"`
DashboardAddr string `json:"dashboard_addr"` // Optional.
DashboardClient string `json:"dashboard_client"` // Optional.
DashboardKey string `json:"dashboard_key"` // Optional.
HubAddr string `json:"hub_addr"` // Optional.
HubKey string `json:"hub_key"` // Optional.
Goroot string `json:"goroot"` // Go 1.8+ toolchain dir.
SyzkallerRepo string `json:"syzkaller_repo"`
SyzkallerBranch string `json:"syzkaller_branch"` // Defaults to "master".
// Dir with additional syscall descriptions.
// - *.txt and *.const files are copied to syzkaller/sys/linux/
// - *.test files are copied to syzkaller/sys/linux/test/
// - *.h files are copied to syzkaller/executor/
SyzkallerDescriptions string `json:"syzkaller_descriptions"`
// Path to upload coverage reports from managers (optional).
// Supported protocols: GCS (gs://) and HTTP PUT (http:// or https://).
CoverUploadPath string `json:"cover_upload_path"`
// Path to upload json coverage reports from managers (optional).
CoverPipelinePath string `json:"cover_pipeline_path"`
// Path to upload corpus.db from managers (optional).
// Supported protocols: GCS (gs://) and HTTP PUT (http:// or https://).
CorpusUploadPath string `json:"corpus_upload_path"`
// Make files uploaded via CoverUploadPath and CorpusUploadPath public.
PublishGCS bool `json:"publish_gcs"`
// Path to upload bench data from instances (optional).
// Supported protocols: GCS (gs://) and HTTP PUT (http:// or https://).
BenchUploadPath string `json:"bench_upload_path"`
// BinDir must point to a dir that contains compilers required to build
// older versions of the kernel. For linux, it needs to include several
// compiler versions.
BisectBinDir string `json:"bisect_bin_dir"`
// Keys of BisectIgnore are full commit hashes that should never be reported
// in bisection results.
// Values of the map are ignored and can e.g. serve as comments.
BisectIgnore map[string]string `json:"bisect_ignore"`
// Extra commits to cherry-pick to older kernel revisions.
// The list is concatenated with the similar parameter from ManagerConfig.
BisectBackports []vcs.BackportCommit `json:"bisect_backports"`
Ccache string `json:"ccache"`
// BuildCPUs defines the maximum number of parallel kernel build threads.
BuildCPUs int `json:"build_cpus"`
Managers []*ManagerConfig `json:"managers"`
// Poll period for jobs in seconds (optional, defaults to 10 seconds)
JobPollPeriod int `json:"job_poll_period"`
// Set up a second (parallel) job processor to speed up processing.
// For now, this second job processor only handles patch testing requests.
ParallelJobs bool `json:"parallel_jobs"`
// Poll period for commits in seconds (optional, defaults to 3600 seconds)
CommitPollPeriod int `json:"commit_poll_period"`
// Asset Storage config.
AssetStorage *asset.Config `json:"asset_storage"`
// Per-vm type JSON diffs that will be applied to every instace of the
// corresponding VM type.
PatchVMConfigs map[string]json.RawMessage `json:"patch_vm_configs"`
}
type ManagerConfig struct {
// If Name is specified, syz-manager name is set to Config.Name-ManagerConfig.Name.
// This is old naming scheme, it does not allow to move managers between ci instances.
// For new naming scheme set ManagerConfig.ManagerConfig.Name instead and leave this field empty.
// This allows to move managers as their name does not depend on cfg.Name.
// Generally, if you have:
// {
// "name": "ci",
// "managers": [
// {
// "name": "foo",
// ...
// }
// ]
// }
// you want to change it to:
// {
// "name": "ci",
// "managers": [
// {
// ...
// "manager_config": {
// "name": "ci-foo"
// }
// }
// ]
// }
// and rename managers/foo to managers/ci-foo. Then this instance can be moved
// to another ci along with managers/ci-foo dir.
Name string `json:"name"`
Disabled string `json:"disabled"` // If not empty, don't build/start this manager.
DashboardClient string `json:"dashboard_client"`
DashboardKey string `json:"dashboard_key"`
Repo string `json:"repo"`
// Short name of the repo (e.g. "linux-next"), used only for reporting.
RepoAlias string `json:"repo_alias"`
Branch string `json:"branch"` // Defaults to "master".
// Currently either 'gcc' or 'clang'. Note that pkg/bisect requires
// explicit plumbing for every os/compiler combination.
CompilerType string `json:"compiler_type"` // Defaults to "gcc"
Compiler string `json:"compiler"`
Linker string `json:"linker"`
Ccache string `json:"ccache"`
Userspace string `json:"userspace"`
KernelConfig string `json:"kernel_config"`
// KernelSrcSuffix adds a suffix to the kernel_src manager config. This is needed for cases where
// the kernel source root as reported in the coverage UI is a subdirectory of the VCS root.
KernelSrcSuffix string `json:"kernel_src_suffix"`
// Build-type-specific parameters.
// Parameters for concrete types are in Config type in pkg/build/TYPE.go, e.g. pkg/build/android.go.
Build json.RawMessage `json:"build"`
// Baseline config for bisection, see pkg/bisect.KernelConfig.BaselineConfig.
// If not specified, syz-ci generates a `-base.config` path counterpart for `kernel_config` and,
// if it exists, uses it as default.
KernelBaselineConfig string `json:"kernel_baseline_config"`
// File with kernel cmdline values (optional).
KernelCmdline string `json:"kernel_cmdline"`
// File with sysctl values (e.g. output of sysctl -a, optional).
KernelSysctl string `json:"kernel_sysctl"`
Jobs ManagerJobs `json:"jobs"`
// Extra commits to cherry pick to older kernel revisions.
BisectBackports []vcs.BackportCommit `json:"bisect_backports"`
// Base syz-manager config for the instance.
ManagerConfig json.RawMessage `json:"manager_config"`
// If the kernel's commit is older than MaxKernelLagDays days,
// fuzzing won't be started on this instance.
// By default it's 30 days.
MaxKernelLagDays int `json:"max_kernel_lag_days"`
managercfg *mgrconfig.Config
// Auto-assigned ports used by test instances.
testHTTPPort int
testRPCPort int
}
type ManagerJobs struct {
TestPatches bool `json:"test_patches"` // enable patch testing jobs
PollCommits bool `json:"poll_commits"` // poll info about fix commits
BisectCause bool `json:"bisect_cause"` // do cause bisection
BisectFix bool `json:"bisect_fix"` // do fix bisection
}
func (m *ManagerJobs) AnyEnabled() bool {
return m.TestPatches || m.PollCommits || m.BisectCause || m.BisectFix
}
func (m *ManagerJobs) Filter(filter *ManagerJobs) *ManagerJobs {
return &ManagerJobs{
TestPatches: m.TestPatches && filter.TestPatches,
PollCommits: m.PollCommits && filter.PollCommits,
BisectCause: m.BisectCause && filter.BisectCause,
BisectFix: m.BisectFix && filter.BisectFix,
}
}
func main() {
flag.Parse()
log.EnableLogCaching(1000, 1<<20)
cfg, err := loadConfig(*flagConfig)
if err != nil {
log.Fatalf("failed to load config: %v", err)
}
log.SetName(cfg.Name)
shutdownPending := make(chan struct{})
osutil.HandleInterrupts(shutdownPending)
serveHTTP(cfg)
os.Unsetenv("GOPATH")
if cfg.Goroot != "" {
os.Setenv("GOROOT", cfg.Goroot)
os.Setenv("PATH", filepath.Join(cfg.Goroot, "bin")+
string(filepath.ListSeparator)+os.Getenv("PATH"))
}
updatePending := make(chan struct{})
updater := NewSyzUpdater(cfg)
updater.UpdateOnStart(*flagAutoUpdate, shutdownPending)
if *flagAutoUpdate {
go func() {
updater.WaitForUpdate()
close(updatePending)
}()
}
stop := make(chan struct{})
var managers []*Manager
for _, mgrcfg := range cfg.Managers {
mgr, err := createManager(cfg, mgrcfg, stop, *flagDebug)
if err != nil {
log.Errorf("failed to create manager %v: %v", mgrcfg.Name, err)
continue
}
managers = append(managers, mgr)
}
if len(managers) == 0 {
log.Fatalf("failed to create all managers")
}
var wg sync.WaitGroup
if *flagManagers {
for _, mgr := range managers {
mgr := mgr
wg.Add(1)
go func() {
defer wg.Done()
mgr.loop()
}()
}
}
jp, err := newJobManager(cfg, managers, shutdownPending)
if err != nil {
log.Fatalf("failed to create dashapi connection %v", err)
}
stopJobs := jp.startLoop(&wg)
// For testing. Racy. Use with care.
http.HandleFunc("/upload_cover", func(w http.ResponseWriter, r *http.Request) {
for _, mgr := range managers {
if err := mgr.uploadCoverReport(); err != nil {
w.Write([]byte(fmt.Sprintf("failed for %v: %v <br>\n", mgr.name, err)))
return
}
w.Write([]byte(fmt.Sprintf("upload cover for %v <br>\n", mgr.name)))
}
})
wg.Add(1)
go deprecateAssets(cfg, stop, &wg)
select {
case <-shutdownPending:
case <-updatePending:
}
stopJobs() // Gracefully wait for the running jobs to finish.
close(stop)
wg.Wait()
select {
case <-shutdownPending:
default:
updater.UpdateAndRestart()
}
}
func deprecateAssets(cfg *Config, stop chan struct{}, wg *sync.WaitGroup) {
defer wg.Done()
if cfg.DashboardAddr == "" || cfg.AssetStorage.IsEmpty() ||
!cfg.AssetStorage.DoDeprecation {
return
}
dash, err := dashapi.New(cfg.DashboardClient, cfg.DashboardAddr, cfg.DashboardKey)
if err != nil {
log.Fatalf("failed to create dashapi during asset deprecation: %v", err)
return
}
storage, err := asset.StorageFromConfig(cfg.AssetStorage, dash)
if err != nil {
log.Errorf("failed to create asset storage during asset deprecation: %v", err)
return
}
loop:
for {
const sleepDuration = 6 * time.Hour
select {
case <-stop:
break loop
case <-time.After(sleepDuration):
}
log.Logf(0, "deprecating assets")
err := storage.DeprecateAssets()
if err != nil {
log.Errorf("asset deprecation failed: %v", err)
}
}
}
func serveHTTP(cfg *Config) {
ln, err := net.Listen("tcp4", cfg.HTTP)
if err != nil {
log.Fatalf("failed to listen on %v: %v", cfg.HTTP, err)
}
log.Logf(0, "serving http on http://%v", ln.Addr())
go func() {
err := http.Serve(ln, nil)
log.Fatalf("failed to serve http: %v", err)
}()
}
func loadConfig(filename string) (*Config, error) {
cfg := &Config{
SyzkallerRepo: "https://github.com/google/syzkaller.git",
SyzkallerBranch: "master",
ManagerPort: 10000,
RPCPort: 30000,
Goroot: os.Getenv("GOROOT"),
JobPollPeriod: 10,
CommitPollPeriod: 3600,
}
if err := config.LoadFile(filename, cfg); err != nil {
return nil, err
}
if cfg.Name == "" {
return nil, fmt.Errorf("param 'name' is empty")
}
if cfg.HTTP == "" {
return nil, fmt.Errorf("param 'http' is empty")
}
cfg.Goroot = osutil.Abs(cfg.Goroot)
cfg.SyzkallerDescriptions = osutil.Abs(cfg.SyzkallerDescriptions)
cfg.BisectBinDir = osutil.Abs(cfg.BisectBinDir)
cfg.Ccache = osutil.Abs(cfg.Ccache)
var managers []*ManagerConfig
for _, mgr := range cfg.Managers {
if mgr.Disabled == "" {
managers = append(managers, mgr)
}
if err := loadManagerConfig(cfg, mgr); err != nil {
return nil, err
}
}
cfg.Managers = managers
if len(cfg.Managers) == 0 {
return nil, fmt.Errorf("no managers specified")
}
if cfg.AssetStorage != nil {
if err := cfg.AssetStorage.Validate(); err != nil {
return nil, fmt.Errorf("asset storage config error: %w", err)
}
}
return cfg, nil
}
func loadManagerConfig(cfg *Config, mgr *ManagerConfig) error {
managercfg, err := mgrconfig.LoadPartialData(mgr.ManagerConfig)
if err != nil {
return fmt.Errorf("manager config: %w", err)
}
if managercfg.Name != "" && mgr.Name != "" {
return fmt.Errorf("both managercfg.Name=%q and mgr.Name=%q are specified", managercfg.Name, mgr.Name)
}
if managercfg.Name == "" && mgr.Name == "" {
return fmt.Errorf("no managercfg.Name nor mgr.Name are specified")
}
if managercfg.Name != "" {
mgr.Name = managercfg.Name
} else {
managercfg.Name = cfg.Name + "-" + mgr.Name
}
if mgr.CompilerType == "" {
mgr.CompilerType = "gcc"
}
if mgr.Branch == "" {
mgr.Branch = "master"
}
mgr.managercfg = managercfg
managercfg.Syzkaller = filepath.FromSlash("syzkaller/current")
if managercfg.HTTP == "" {
managercfg.HTTP = fmt.Sprintf(":%v", cfg.ManagerPort)
cfg.ManagerPort++
}
if managercfg.RPC == ":0" {
managercfg.RPC = fmt.Sprintf(":%v", cfg.RPCPort)
cfg.RPCPort++
}
mgr.testHTTPPort = cfg.ManagerPort
cfg.ManagerPort++
mgr.testRPCPort = cfg.RPCPort
cfg.RPCPort++
// Note: we don't change Compiler/Ccache because it may be just "gcc" referring
// to the system binary, or pkg/build/netbsd.go uses "g++" and "clang++" as special marks.
mgr.Userspace = osutil.Abs(mgr.Userspace)
mgr.KernelConfig = osutil.Abs(mgr.KernelConfig)
mgr.KernelBaselineConfig = osutil.Abs(mgr.KernelBaselineConfig)
mgr.KernelCmdline = osutil.Abs(mgr.KernelCmdline)
mgr.KernelSysctl = osutil.Abs(mgr.KernelSysctl)
if mgr.KernelConfig != "" && mgr.KernelBaselineConfig == "" {
mgr.KernelBaselineConfig = inferBaselineConfig(mgr.KernelConfig)
}
if mgr.MaxKernelLagDays == 0 {
mgr.MaxKernelLagDays = 30
}
if err := mgr.validate(cfg); err != nil {
return err
}
if cfg.PatchVMConfigs[managercfg.Type] != nil {
managercfg.VM, err = config.MergeJSONs(managercfg.VM, cfg.PatchVMConfigs[managercfg.Type])
if err != nil {
return fmt.Errorf("failed to patch manager %v's VM: %w", mgr.Name, err)
}
}
return nil
}
func inferBaselineConfig(kernelConfig string) string {
suffixPos := strings.LastIndex(kernelConfig, ".config")
if suffixPos < 0 {
return ""
}
candidate := kernelConfig[:suffixPos] + "-base.config"
if !osutil.IsExist(candidate) {
return ""
}
return candidate
}