How to use the neutralize method of the linux package

Best Syzkaller code snippet using linux.neutralize

init.go


// ... (the listing starts inside a function body; its opening lines are not shown)
		ARCH_SET_FS: target.ConstMap["ARCH_SET_FS"],
		ARCH_SET_GS: target.ConstMap["ARCH_SET_GS"],
	}
	target.MakeDataMmap = targets.MakePosixMmap(target, true, true)
	// Register arch.neutralize (defined below) as the target's Neutralize hook.
	target.Neutralize = arch.neutralize
	// Maps a type name to the arch method that generates values of that type.
	target.SpecialTypes = map[string]func(g *prog.Gen, typ prog.Type, dir prog.Dir, old prog.Arg) (
		prog.Arg, []*prog.Call){
		"timespec": arch.generateTimespec,
		"timeval": arch.generateTimespec,
		"sockaddr_alg": arch.generateSockaddrAlg,
		"alg_name": arch.generateAlgName,
		"alg_aead_name": arch.generateAlgAeadName,
		"alg_hash_name": arch.generateAlgHashName,
		"alg_skcipher_name": arch.generateAlgSkcipherhName,
		"ipt_replace": arch.generateIptables,
		"ip6t_replace": arch.generateIptables,
		"arpt_replace": arch.generateArptables,
		"ebt_replace": arch.generateEbtables,
		"usb_device_descriptor": arch.generateUsbDeviceDescriptor,
		"usb_device_descriptor_hid": arch.generateUsbHidDeviceDescriptor,
	}
	target.AuxResources = map[string]bool{
		"uid": true,
		"pid": true,
		"gid": true,
		"timespec": true,
		"timeval": true,
		"time_sec": true,
		"time_usec": true,
		"time_nsec": true,
	}
	switch target.Arch {
	case targets.AMD64:
		target.SpecialPointers = []uint64{
			0xffffffff81000000, // kernel text
			0xffffffffff600000, // VSYSCALL_ADDR
		}
	case targets.RiscV64:
		target.SpecialPointers = []uint64{
			0xffffffe000000000, // PAGE_OFFSET
			0xffffff0000000000, // somewhere in VMEMMAP range
		}
	case targets.I386, targets.ARM64, targets.ARM, targets.PPC64LE, targets.MIPS64LE, targets.S390x:
		// Known architectures for which no special pointers are set here.
	default:
		panic("unknown arch")
	}
	// The KCOV_* package variables are filled in only when the target
	// architecture equals the architecture this binary was built for.
	if target.Arch == runtime.GOARCH {
		KCOV_INIT_TRACE = uintptr(target.GetConst("KCOV_INIT_TRACE"))
		KCOV_ENABLE = uintptr(target.GetConst("KCOV_ENABLE"))
		KCOV_REMOTE_ENABLE = uintptr(target.GetConst("KCOV_REMOTE_ENABLE"))
		KCOV_DISABLE = uintptr(target.GetConst("KCOV_DISABLE"))
		KCOV_TRACE_PC = uintptr(target.GetConst("KCOV_TRACE_PC"))
		KCOV_TRACE_CMP = uintptr(target.GetConst("KCOV_TRACE_CMP"))
	}
}

var (
	// This should not be here, but for now we expose this for syz-fuzzer.
	// These stay zero unless the initializer above ran with target.Arch == runtime.GOARCH.
	KCOV_INIT_TRACE uintptr
	KCOV_ENABLE uintptr
	KCOV_REMOTE_ENABLE uintptr
	KCOV_DISABLE uintptr
	KCOV_TRACE_PC uintptr
	KCOV_TRACE_CMP uintptr
)

// arch carries the state used by the neutralize rules and the special-type
// generators: the shared unix neutralizer, a *prog.Syscall handle, and the
// numeric values of the kernel constants that the rules compare against or
// substitute.
// NOTE(review): the constants are presumably resolved per target in the
// initializer whose start is not shown here — confirm against the full file.
type arch struct {
	unix *targets.UnixNeutralizer

	clockGettimeSyscall *prog.Syscall

	MREMAP_MAYMOVE uint64
	MREMAP_FIXED uint64
	SYSLOG_ACTION_CONSOLE_OFF uint64
	SYSLOG_ACTION_CONSOLE_ON uint64
	SYSLOG_ACTION_CONSOLE_LEVEL uint64
	SYSLOG_ACTION_CLEAR uint64
	SYSLOG_ACTION_SIZE_UNREAD uint64
	FIFREEZE uint64
	FITHAW uint64
	SNAPSHOT_FREEZE uint64
	SNAPSHOT_POWER_OFF uint64
	EXT4_IOC_SHUTDOWN uint64
	EXT4_IOC_RESIZE_FS uint64
	EXT4_IOC_MIGRATE uint64
	FAN_OPEN_PERM uint64
	FAN_ACCESS_PERM uint64
	FAN_OPEN_EXEC_PERM uint64
	PTRACE_TRACEME uint64
	CLOCK_REALTIME uint64
	ARCH_SET_FS uint64
	ARCH_SET_GS uint64
	AF_NFC uint64
	AF_LLC uint64
	AF_BLUETOOTH uint64
	AF_X25 uint64
	AF_AX25 uint64
	AF_NETROM uint64
	AF_ROSE uint64
	AF_IEEE802154 uint64
	AF_NETLINK uint64
	SOCK_RAW uint64
	NETLINK_GENERIC uint64
	USB_MAJOR uint64
	TIOCSSERIAL uint64
	TIOCGSERIAL uint64
}

// neutralize rewrites the arguments of a generated call in place so that
// executing it does not silence the console, leave an unkillable process
// behind, or bring down the machine the test runs on.
//
// It first applies the shared unix neutralizer, then the rules keyed by the
// base call name (c.Meta.CallName), and finally the rules keyed by the full
// variant name (c.Meta.Name). Calls that match no rule are left as the unix
// neutralizer returned them.
//
// Several rules compare uint64(uint32(v)), i.e. only the low 32 bits of the
// argument, so a value with extra high bits set is still recognised.
//
// NOTE(review): every c.Args[i].(*prog.ConstArg) below is an unchecked type
// assertion and panics if the argument has another type or the index is out
// of range; presumably the syscall descriptions guarantee the shape — confirm.
func (arch *arch) neutralize(c *prog.Call) {
	arch.unix.Neutralize(c)
	switch c.Meta.CallName {
	case "mremap":
		// Add MREMAP_FIXED flag, otherwise it produces non-deterministic results.
		flags := c.Args[3].(*prog.ConstArg)
		if flags.Val&arch.MREMAP_MAYMOVE != 0 {
			flags.Val |= arch.MREMAP_FIXED
		}
	case "syslog":
		cmd := c.Args[0].(*prog.ConstArg)
		// Unlike the other rules, the truncated value is also stored back.
		cmd.Val = uint64(uint32(cmd.Val))
		// These disable console output, but we need it.
		// The listed actions are replaced with SYSLOG_ACTION_SIZE_UNREAD.
		if cmd.Val == arch.SYSLOG_ACTION_CONSOLE_OFF ||
			cmd.Val == arch.SYSLOG_ACTION_CONSOLE_ON ||
			cmd.Val == arch.SYSLOG_ACTION_CONSOLE_LEVEL ||
			cmd.Val == arch.SYSLOG_ACTION_CLEAR {
			cmd.Val = arch.SYSLOG_ACTION_SIZE_UNREAD
		}
	case "ioctl":
		arch.neutralizeIoctl(c)
	case "fanotify_mark":
		// FAN_*_PERM require the program to reply to open requests.
		// If that does not happen, the program will hang in an unkillable state forever.
		// See the following bug for details:
		// https://groups.google.com/d/msg/syzkaller-bugs/pD-vbqJu6U0/kGH30p3lBgAJ
		// The three permission bits are cleared; all other mask bits are kept.
		mask := c.Args[2].(*prog.ConstArg)
		mask.Val &^= arch.FAN_OPEN_PERM | arch.FAN_ACCESS_PERM | arch.FAN_OPEN_EXEC_PERM
	case "ptrace":
		req := c.Args[0].(*prog.ConstArg)
		// PTRACE_TRACEME leads to unkillable processes, see:
		// https://groups.google.com/forum/#!topic/syzkaller/uGzwvhlCXAw
		// The request is replaced with an all-ones value
		// (presumably not a valid ptrace request — confirm).
		if uint64(uint32(req.Val)) == arch.PTRACE_TRACEME {
			req.Val = ^uint64(0)
		}
	case "arch_prctl":
		// fs holds the address of tls; if a program messes with it, at least signal
		// handling will break. This also allows a program to do writes
		// at arbitrary addresses, which usually breaks the machine.
		// ARCH_SET_FS is therefore turned into ARCH_SET_GS.
		cmd := c.Args[0].(*prog.ConstArg)
		if uint64(uint32(cmd.Val)) == arch.ARCH_SET_FS {
			cmd.Val = arch.ARCH_SET_GS
		}
	case "init_module":
		// Kernel tries to vmalloc whatever we pass as size and it's not accounted against memcg.
		// As the result it can lead to massive OOM kills of everything running on the machine.
		// Strictly speaking, the same applies to finit_module with a sparse file too,
		// but there is no simple way to handle that.
		// The size is reduced modulo 1<<20, so it always stays below 1 MiB.
		sz := c.Args[1].(*prog.ConstArg)
		sz.Val %= 1 << 20
	case "syz_init_net_socket":
		// Don't let it mess with arbitrary sockets in init namespace.
		family := c.Args[0].(*prog.ConstArg)
		switch uint64(uint32(family.Val)) {
		case arch.AF_NFC, arch.AF_LLC, arch.AF_BLUETOOTH, arch.AF_IEEE802154,
			arch.AF_X25, arch.AF_AX25, arch.AF_NETROM, arch.AF_ROSE:
			// Allowed families: left unchanged.
		case arch.AF_NETLINK:
			// Netlink is allowed only as SOCK_RAW / NETLINK_GENERIC.
			c.Args[1].(*prog.ConstArg).Val = arch.SOCK_RAW
			c.Args[2].(*prog.ConstArg).Val = arch.NETLINK_GENERIC
		default:
			// Any other family is replaced with an all-ones value.
			family.Val = ^uint64(0)
		}
	case "syz_open_dev":
		// Force the first three arguments back to the values their types allow.
		enforceIntArg(c.Args[0])
		enforceIntArg(c.Args[1])
		enforceIntArg(c.Args[2])
	case "sched_setattr":
		// Enabling a SCHED_FIFO or a SCHED_RR policy may lead to false positive stall-related crashes.
		neutralizeSchedAttr(c.Args[1])
	}
	// Rules that apply to one specific call variant rather than to the base call.
	switch c.Meta.Name {
	case "setsockopt$EBT_SO_SET_ENTRIES":
		arch.neutralizeEbtables(c)
	}
}

// neutralizeSchedAttr rewrites the sched_attr argument of sched_setattr so
// that it cannot select the SCHED_FIFO or SCHED_RR policy.
//
// A constant argument is set to 0. A pointer with no pointee gets address 0.
// A pointer to a group has the leading bytes of a data-typed first field
// zeroed and a FIFO/RR policy in the second field reset to 0. Arguments of
// any other kind are left untouched.
func neutralizeSchedAttr(a prog.Arg) {
	switch attr := a.(type) {
	case *prog.PointerArg:
		if attr.Res == nil {
			// If it's just a pointer to somewhere, still set it to NULL as there's a risk that
			// it points to the valid memory and it can be interpreted as a sched_attr struct.
			attr.Address = 0
			return
		}
		groupArg, ok := attr.Res.(*prog.GroupArg)
		if !ok || len(groupArg.Inner) == 0 {
			return
		}
		if unionArg, ok := groupArg.Inner[0].(*prog.UnionArg); ok {
			dataArg, ok := unionArg.Option.(*prog.DataArg)
			if !ok {
				return
			}
			// Output-only data is not rewritten.
			if dataArg.Dir() == prog.DirOut {
				return
			}
			// Clear the first 16 bytes to prevent overcoming the limitation by squashing the struct.
			// The bytes are zeroed on a copy that is then stored with SetData.
			data := append([]byte{}, dataArg.Data()...)
			for i := 0; i < 16 && i < len(data); i++ {
				data[i] = 0
			}
			dataArg.SetData(data)
		}
		// Most likely it's the intended sched_attr structure.
		if len(groupArg.Inner) > 1 {
			policyField, ok := groupArg.Inner[1].(*prog.ConstArg)
			if !ok {
				return
			}
			const SCHED_FIFO = 0x1
			const SCHED_RR = 0x2
			if policyField.Val == SCHED_FIFO || policyField.Val == SCHED_RR {
				policyField.Val = 0
			}
		}
	case *prog.ConstArg:
		attr.Val = 0
	}
}

// enforceIntArg forces a constant argument back to what its declared type
// allows: a ConstType argument is set to the type's value, and an IntType
// argument of kind IntRange that lies outside [RangeBegin, RangeEnd] is set
// to RangeBegin. Arguments that are not *prog.ConstArg, and types other than
// these two, are left unchanged.
func enforceIntArg(a prog.Arg) {
	arg, ok := a.(*prog.ConstArg)
	if !ok {
		return
	}
	switch typ := arg.Type().(type) {
	case *prog.ConstType:
		arg.Val = typ.Val
	case *prog.IntType:
		if typ.Kind == prog.IntRange && (arg.Val < typ.RangeBegin || arg.Val > typ.RangeEnd) {
			arg.Val = typ.RangeBegin
		}
	}
}

// neutralizeIoctl replaces ioctl commands that would freeze, power off or
// otherwise break the test machine with a harmless command.
//
// The match is made on the low 32 bits of the command argument alone,
// whatever the file descriptor refers to; commands that match no case are
// passed through unchanged. Some of the rules carry TODOs saying they are
// only needed when the executor runs with full privileges.
func (arch *arch) neutralizeIoctl(c *prog.Call) {
	cmd := c.Args[1].(*prog.ConstArg)
	switch uint64(uint32(cmd.Val)) {
	case arch.FIFREEZE:
		// Freeze kills machine. Though, it is an interesting function,
		// so we need to test it somehow.
		// TODO: not required if executor drops privileges.
		// Fortunately, the value does not conflict with any other ioctl commands for now.
		cmd.Val = arch.FITHAW
	case arch.SNAPSHOT_FREEZE:
		// SNAPSHOT_FREEZE freezes all processes and leaves the machine dead.
		cmd.Val = arch.FITHAW
	case arch.SNAPSHOT_POWER_OFF:
		// SNAPSHOT_POWER_OFF shuts down the machine.
		cmd.Val = arch.FITHAW
	case arch.EXT4_IOC_SHUTDOWN:
		// EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
		// Fortunately, the value does not conflict with any other ioctl commands for now.
		cmd.Val = arch.EXT4_IOC_MIGRATE
	case arch.EXT4_IOC_RESIZE_FS:
		// EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size)
		// and then creation of new temp dirs for tests will fail.
		// TODO: not necessary for sandbox=namespace as it tests in a tmpfs
		// and/or if we mount tmpfs for sandbox=none (#971).
		cmd.Val = arch.EXT4_IOC_MIGRATE
	case arch.TIOCSSERIAL:
		// TIOCSSERIAL can do nasty things under root, like causing writes to random memory
		// pretty much like /dev/mem, but this is also working as intended.
		// For details see:
		// https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ
		// https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e
		// TODO: TIOCSSERIAL does some other things that are not dangerous
		// and would be nice to test, if/when we can neutralize based on sandbox value
		// we could prohibit it only under sandbox=none.
		cmd.Val = arch.TIOCGSERIAL
	}
}

func (arch *arch) generateTimespec(g *prog.Gen, typ0 prog.Type, dir prog.Dir, old prog.Arg) (
	arg prog.Arg, calls []*prog.Call) {
	typ := typ0.(*prog.StructType)
	// We need to generate timespec/timeval that are either
	// (1) definitely in the past, or
	// (2) definitely in unreachable future, or
	// (3) few ms ahead of now.
	// Note: timespec/timeval can be absolute or relative to now.
	// Note: executor has blocking syscall timeout of 45 ms,
	// so we generate both 10ms and 60ms.
	// ... (the listing is cut off here; the rest of the function is not shown)


neutralize

Using AI Code Generation


1import (2func main() {3 l.neutralize()4}5import (6func main() {7 w.neutralize()8}9import (10func main() {11 m.neutralize()12}13import (14func main() {15 u.neutralize()16}17import (18func main() {19 s.neutralize()20}21import (22func main() {23 b.neutralize()24}25import (26func main() {27 a.neutralize()28}29import (30func main() {31 h.neutralize()32}33import (34func main() {35 f.neutralize()36}37import (38func main() {39 n.neutralize()40}41import (42func main() {43 o.neutralize()44}


neutralize

Using AI Code Generation


1import (2type linux struct {3}4type windows struct {5}6type mac struct {7}8type unix struct {9}10func (l linux) neutralize() {11 fmt.Println("Linux neutralize")12}13func (w windows) neutralize() {14 fmt.Println("Windows neutralize")15}16func (m mac) neutralize() {17 fmt.Println("Mac neutralize")18}19func (u unix) neutralize() {20 fmt.Println("Unix neutralize")21}22func main() {23 l.neutralize()24 w.neutralize()25 m.neutralize()26 u.neutralize()27}28import (29type linux struct {30}31type windows struct {32}33type mac struct {34}35type unix struct {36}37func (l linux) neutralize() {38 fmt.Println("Linux neutralize")39}40func (w windows) neutralize() {41 fmt.Println("Windows neutralize")42}43func (m mac) neutralize() {44 fmt.Println("Mac neutralize")45}46func (u unix) neutralize() {47 fmt.Println("Unix neutralize")48}49func (u unix) neutralize(operatingSystem string) {50 fmt.Println("Unix neutralize", operatingSystem)51}52func main() {53 l.neutralize()54 w.neutralize()55 m.neutralize()56 u.neutralize()57 u.neutralize("unix")58}59import (60func main() {61 d.neutralize()62}


neutralize

Using AI Code Generation


1import (2type linux struct {3}4type windows struct {5}6type mac struct {7}8type unix struct {9}10func (l linux) neutralize() {11 fmt.Println("Linux neutralize")12}13func (w windows) neutralize() {14 fmt.Println("Windows neutralize")15}16func (m mac) neutralize() {17 fmt.Println("Mac neutralize")18}19func (u unix) neutralize() {20 fmt.Println("Unix neutralize")21}22func main() {23 l.neutralize()24 w.neutralize()25 m.neutralize()26 u.neutralize()27}28import (29type linux struct {30}31type windows struct {32}33type mac struct {34}35type unix struct {36}37func (l linux) neutralize() {38 fmt.Println("Linux neutralize")39}40func (w windows) neutralize() {41 fmt.Println("Windows neutralize")42}43func (m mac) neutralize() {44 fmt.Println("Mac neutralize")45}46func (u unix) neutralize() {47 fmt.Println("Unix neutralize")48}49func (u unix) neutralize(operatingSystem string) {50 fmt.Println("Unix neutralize", operatingSystem)51}52func main() {53 l.neutralize()54 w.neutralize()55 m.neutralize()56 u.neutralize()57 u.neutralize("unix")58}


neutralize

Using AI Code Generation


1import (2func main() {3 linux := Linux{}4 linux.neutralize()5}6import (7func main() {8 windows := Windows{}9 windows.neutralize()10}11import (12func main() {13 mac := Mac{}14 mac.neutralize()15}16import (17func main() {18 solaris := Solaris{}19 solaris.neutralize()20}21import (22func main() {23 unix := Unix{}24 unix.neutralize()25}26import (27func main() {28 aix := Aix{}29 aix.neutralize()30}31import (32func main() {33 hpux := HPUX{}34 hpux.neutralize()35}36import (


neutralize

Using AI Code Generation


1import "fmt"2func main() {3 l.neutralize()4}5import "fmt"6func main() {7 w.detonate()8}9import "fmt"10func main() {11 l.detonate()12}13import "fmt"14func main() {15 w.detonate()16}17import "fmt"18func main() {19 l.detonate()20}21import "fmt"22func main() {23 w.detonate()24}25import "fmt"26func main() {27 l.detonate()28}29import "fmt"30func main() {31 w.detonate()32}33import "fmt"34func main() {35 l.detonate()36}37import "fmt"38func main() {39 w.detonate()40}41import "fmt"42func main() {
