2016-08-08 13:32:48 +00:00
|
|
|
// Copyright 2015/2016 syzkaller project authors. All rights reserved.
|
2015-10-14 14:55:09 +00:00
|
|
|
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package prog
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"math/rand"
|
|
|
|
|
"sort"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Calulation of call-to-call priorities.
|
|
|
|
|
// For a given pair of calls X and Y, the priority is our guess as to whether
|
|
|
|
|
// additional of call Y into a program containing call X is likely to give
|
|
|
|
|
// new coverage or not.
|
|
|
|
|
// The current algorithm has two components: static and dynamic.
|
|
|
|
|
// The static component is based on analysis of argument types. For example,
|
|
|
|
|
// if call X and call Y both accept fd[sock], then they are more likely to give
|
|
|
|
|
// new coverage together.
|
|
|
|
|
// The dynamic component is based on frequency of occurrence of a particular
|
|
|
|
|
// pair of syscalls in a single program in corpus. For example, if socket and
|
|
|
|
|
// connect frequently occur in programs together, we give higher priority to
|
|
|
|
|
// this pair of syscalls.
|
|
|
|
|
// Note: the current implementation is very basic, there is no theory behind any
|
|
|
|
|
// constants.
|
|
|
|
|
|
2017-09-14 17:25:01 +00:00
|
|
|
func (target *Target) CalculatePriorities(corpus []*Prog) [][]float32 {
|
|
|
|
|
static := target.calcStaticPriorities()
|
2020-05-04 06:58:32 +00:00
|
|
|
if len(corpus) != 0 {
|
|
|
|
|
dynamic := target.calcDynamicPrio(corpus)
|
|
|
|
|
for i, prios := range dynamic {
|
|
|
|
|
for j, p := range prios {
|
|
|
|
|
static[i][j] *= p
|
|
|
|
|
}
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
}
|
2020-05-04 06:58:32 +00:00
|
|
|
return static
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-14 17:25:01 +00:00
|
|
|
func (target *Target) calcStaticPriorities() [][]float32 {
|
2018-08-01 18:33:33 +00:00
|
|
|
uses := target.calcResourceUsage()
|
|
|
|
|
prios := make([][]float32, len(target.Syscalls))
|
|
|
|
|
for i := range prios {
|
|
|
|
|
prios[i] = make([]float32, len(target.Syscalls))
|
|
|
|
|
}
|
2020-05-21 11:37:18 +00:00
|
|
|
var keys []string
|
|
|
|
|
for key := range uses {
|
|
|
|
|
keys = append(keys, key)
|
|
|
|
|
}
|
|
|
|
|
sort.Strings(keys)
|
|
|
|
|
for _, key := range keys {
|
2020-05-21 13:35:03 +00:00
|
|
|
weights := make([]weights, 0, len(uses[key]))
|
|
|
|
|
for _, weight := range uses[key] {
|
|
|
|
|
weights = append(weights, weight)
|
2020-05-21 11:37:18 +00:00
|
|
|
}
|
2020-05-21 13:35:03 +00:00
|
|
|
sort.Slice(weights, func(i, j int) bool {
|
|
|
|
|
return weights[i].call < weights[j].call
|
|
|
|
|
})
|
|
|
|
|
for _, w0 := range weights {
|
|
|
|
|
for _, w1 := range weights {
|
|
|
|
|
if w0.call == w1.call {
|
2018-08-01 18:33:33 +00:00
|
|
|
// Self-priority is assigned below.
|
|
|
|
|
continue
|
|
|
|
|
}
|
2019-09-10 08:06:53 +00:00
|
|
|
// The static priority is assigned based on the direction of arguments. A higher priority will be
|
|
|
|
|
// assigned when c0 is a call that produces a resource and c1 a call that uses that resource.
|
2020-05-21 13:35:03 +00:00
|
|
|
prios[w0.call][w1.call] += w0.inout*w1.in + 0.7*w0.inout*w1.inout
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2018-08-01 18:33:33 +00:00
|
|
|
}
|
|
|
|
|
}
|
2019-09-10 08:06:53 +00:00
|
|
|
normalizePrio(prios)
|
|
|
|
|
// The value assigned for self-priority (call wrt itself) have to be high, but not too high.
|
2018-08-01 18:33:33 +00:00
|
|
|
for c0, pp := range prios {
|
2019-09-10 08:06:53 +00:00
|
|
|
pp[c0] = 0.9
|
2018-08-01 18:33:33 +00:00
|
|
|
}
|
|
|
|
|
return prios
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-10 08:06:53 +00:00
|
|
|
func (target *Target) calcResourceUsage() map[string]map[int]weights {
|
|
|
|
|
uses := make(map[string]map[int]weights)
|
2020-05-03 09:29:12 +00:00
|
|
|
ForeachType(target.Syscalls, func(t Type, ctx TypeCtx) {
|
|
|
|
|
c := ctx.Meta
|
|
|
|
|
switch a := t.(type) {
|
|
|
|
|
case *ResourceType:
|
|
|
|
|
if target.AuxResources[a.Desc.Name] {
|
|
|
|
|
noteUsage(uses, c, 0.1, ctx.Dir, "res%v", a.Desc.Name)
|
|
|
|
|
} else {
|
|
|
|
|
str := "res"
|
|
|
|
|
for i, k := range a.Desc.Kind {
|
|
|
|
|
str += "-" + k
|
|
|
|
|
w := 1.0
|
|
|
|
|
if i < len(a.Desc.Kind)-1 {
|
|
|
|
|
w = 0.2
|
2016-08-27 16:27:50 +00:00
|
|
|
}
|
2020-05-03 09:29:12 +00:00
|
|
|
noteUsage(uses, c, float32(w), ctx.Dir, str)
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2020-05-03 09:29:12 +00:00
|
|
|
}
|
|
|
|
|
case *PtrType:
|
|
|
|
|
if _, ok := a.Elem.(*StructType); ok {
|
|
|
|
|
noteUsage(uses, c, 1.0, ctx.Dir, "ptrto-%v", a.Elem.Name())
|
|
|
|
|
}
|
|
|
|
|
if _, ok := a.Elem.(*UnionType); ok {
|
|
|
|
|
noteUsage(uses, c, 1.0, ctx.Dir, "ptrto-%v", a.Elem.Name())
|
|
|
|
|
}
|
|
|
|
|
if arr, ok := a.Elem.(*ArrayType); ok {
|
|
|
|
|
noteUsage(uses, c, 1.0, ctx.Dir, "ptrto-%v", arr.Elem.Name())
|
|
|
|
|
}
|
|
|
|
|
case *BufferType:
|
|
|
|
|
switch a.Kind {
|
|
|
|
|
case BufferBlobRand, BufferBlobRange, BufferText:
|
|
|
|
|
case BufferString:
|
|
|
|
|
if a.SubKind != "" {
|
|
|
|
|
noteUsage(uses, c, 0.2, ctx.Dir, fmt.Sprintf("str-%v", a.SubKind))
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2020-05-03 09:29:12 +00:00
|
|
|
case BufferFilename:
|
|
|
|
|
noteUsage(uses, c, 1.0, DirIn, "filename")
|
|
|
|
|
default:
|
|
|
|
|
panic("unknown buffer kind")
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2020-05-03 09:29:12 +00:00
|
|
|
case *VmaType:
|
|
|
|
|
noteUsage(uses, c, 0.5, ctx.Dir, "vma")
|
|
|
|
|
case *IntType:
|
|
|
|
|
switch a.Kind {
|
|
|
|
|
case IntPlain, IntRange:
|
|
|
|
|
default:
|
|
|
|
|
panic("unknown int kind")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
})
|
2018-08-01 18:33:33 +00:00
|
|
|
return uses
|
|
|
|
|
}
|
2015-12-30 17:24:26 +00:00
|
|
|
|
2019-09-10 08:06:53 +00:00
|
|
|
type weights struct {
|
2020-05-21 13:35:03 +00:00
|
|
|
call int
|
2019-09-10 08:06:53 +00:00
|
|
|
in float32
|
|
|
|
|
inout float32
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func noteUsage(uses map[string]map[int]weights, c *Syscall, weight float32, dir Dir, str string, args ...interface{}) {
|
2018-08-01 18:33:33 +00:00
|
|
|
id := fmt.Sprintf(str, args...)
|
|
|
|
|
if uses[id] == nil {
|
2019-09-10 08:06:53 +00:00
|
|
|
uses[id] = make(map[int]weights)
|
|
|
|
|
}
|
|
|
|
|
callWeight := uses[id][c.ID]
|
2020-05-21 13:35:03 +00:00
|
|
|
callWeight.call = c.ID
|
2019-09-10 08:06:53 +00:00
|
|
|
if dir != DirOut {
|
|
|
|
|
if weight > uses[id][c.ID].in {
|
|
|
|
|
callWeight.in = weight
|
|
|
|
|
}
|
2018-08-01 18:33:33 +00:00
|
|
|
}
|
2019-09-10 08:06:53 +00:00
|
|
|
if weight > uses[id][c.ID].inout {
|
|
|
|
|
callWeight.inout = weight
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2019-09-10 08:06:53 +00:00
|
|
|
uses[id][c.ID] = callWeight
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-14 17:25:01 +00:00
|
|
|
func (target *Target) calcDynamicPrio(corpus []*Prog) [][]float32 {
|
|
|
|
|
prios := make([][]float32, len(target.Syscalls))
|
2015-10-14 14:55:09 +00:00
|
|
|
for i := range prios {
|
2017-09-14 17:25:01 +00:00
|
|
|
prios[i] = make([]float32, len(target.Syscalls))
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
for _, p := range corpus {
|
2019-09-10 08:06:53 +00:00
|
|
|
for idx0, c0 := range p.Calls {
|
|
|
|
|
for _, c1 := range p.Calls[idx0+1:] {
|
2017-05-02 10:28:48 +00:00
|
|
|
id0 := c0.Meta.ID
|
|
|
|
|
id1 := c1.Meta.ID
|
|
|
|
|
prios[id0][id1] += 1.0
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
normalizePrio(prios)
|
|
|
|
|
return prios
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// normalizePrio assigns some minimal priorities to calls with zero priority,
|
|
|
|
|
// and then normalizes priorities to 0.1..1 range.
|
|
|
|
|
func normalizePrio(prios [][]float32) {
|
|
|
|
|
for _, prio := range prios {
|
|
|
|
|
max := float32(0)
|
|
|
|
|
min := float32(1e10)
|
|
|
|
|
nzero := 0
|
|
|
|
|
for _, p := range prio {
|
|
|
|
|
if max < p {
|
|
|
|
|
max = p
|
|
|
|
|
}
|
|
|
|
|
if p != 0 && min > p {
|
|
|
|
|
min = p
|
|
|
|
|
}
|
|
|
|
|
if p == 0 {
|
|
|
|
|
nzero++
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if nzero != 0 {
|
|
|
|
|
min /= 2 * float32(nzero)
|
|
|
|
|
}
|
2018-08-30 13:58:05 +00:00
|
|
|
if min == max {
|
|
|
|
|
max = 0
|
|
|
|
|
}
|
2015-10-14 14:55:09 +00:00
|
|
|
for i, p := range prio {
|
|
|
|
|
if max == 0 {
|
|
|
|
|
prio[i] = 1
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if p == 0 {
|
|
|
|
|
p = min
|
|
|
|
|
}
|
|
|
|
|
p = (p-min)/(max-min)*0.9 + 0.1
|
|
|
|
|
if p > 1 {
|
|
|
|
|
p = 1
|
|
|
|
|
}
|
|
|
|
|
prio[i] = p
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ChooseTable allows to do a weighted choice of a syscall for a given syscall
|
|
|
|
|
// based on call-to-call priorities and a set of enabled syscalls.
|
|
|
|
|
type ChoiceTable struct {
|
2020-05-04 06:58:32 +00:00
|
|
|
target *Target
|
|
|
|
|
runs [][]int
|
|
|
|
|
calls []*Syscall
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
|
2020-05-04 06:58:32 +00:00
|
|
|
func (target *Target) BuildChoiceTable(corpus []*Prog, enabled map[*Syscall]bool) *ChoiceTable {
|
2015-12-27 11:20:00 +00:00
|
|
|
if enabled == nil {
|
2017-09-05 08:46:34 +00:00
|
|
|
enabled = make(map[*Syscall]bool)
|
2017-09-14 17:25:01 +00:00
|
|
|
for _, c := range target.Syscalls {
|
2015-12-27 11:20:00 +00:00
|
|
|
enabled[c] = true
|
|
|
|
|
}
|
2015-10-16 20:10:51 +00:00
|
|
|
}
|
2020-05-04 06:58:32 +00:00
|
|
|
for call := range enabled {
|
|
|
|
|
if call.Attrs.Disabled {
|
|
|
|
|
delete(enabled, call)
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-09-05 08:46:34 +00:00
|
|
|
var enabledCalls []*Syscall
|
2015-12-27 11:20:00 +00:00
|
|
|
for c := range enabled {
|
|
|
|
|
enabledCalls = append(enabledCalls, c)
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
prog: detect invalid target.Syscalls in BuildChoiceTable
Without this check programs may end up panicing in places far away
from the real cause. E.g.
worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false
2004/02/03 12:11:11 fuzzer started
2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386
2004/02/03 12:11:12 syscalls: 1
2004/02/03 12:11:12 code coverage: enabled
2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller
2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller
2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller
2004/02/03 12:11:12 net packet injection: enabled
2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller
panic: invalid argument to Intn
goroutine 27 [running]:
math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40)
/usr/local/go/src/math/rand/rand.go:169 +0x9c
github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69
github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2
main.(*Proc).loop(0xc000d92f40)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
2018-12-11 10:14:21 +00:00
|
|
|
if len(enabledCalls) == 0 {
|
2020-05-04 06:58:32 +00:00
|
|
|
panic("no syscalls enabled")
|
prog: detect invalid target.Syscalls in BuildChoiceTable
Without this check programs may end up panicing in places far away
from the real cause. E.g.
worker# ./syz-fuzzer -executor=./syz-executor -name=vm-0 -arch=amd64 -manager=10.128.0.101:21386 -sandbox=setuid -procs=2 -v=0 -cover=true -debug=false -test=false
2004/02/03 12:11:11 fuzzer started
2004/02/03 12:11:11 dialing manager at 10.128.0.101:21386
2004/02/03 12:11:12 syscalls: 1
2004/02/03 12:11:12 code coverage: enabled
2004/02/03 12:11:12 comparison tracing: support is not implemented in syzkaller
2004/02/03 12:11:12 setuid sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 namespace sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 Android sandbox: support is not implemented in syzkaller
2004/02/03 12:11:12 fault injection: support is not implemented in syzkaller
2004/02/03 12:11:12 leak checking: support is not implemented in syzkaller
2004/02/03 12:11:12 net packet injection: enabled
2004/02/03 12:11:12 net device setup: support is not implemented in syzkaller
panic: invalid argument to Intn
goroutine 27 [running]:
math/rand.(*Rand).Intn(0xc000dff530, 0x0, 0x40)
/usr/local/go/src/math/rand/rand.go:169 +0x9c
github.com/google/syzkaller/prog.(*ChoiceTable).Choose(0xc000d92ec0, 0xc000dff530, 0xffffffffffffffff, 0xc000dff650)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/prio.go:241 +0x1a0
github.com/google/syzkaller/prog.(*randGen).generateCall(0xc000e145a0, 0xc000c2a200, 0xc000ce7f80, 0x2348f1940, 0xc000ce3440, 0xc000e6ee01)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/rand.go:451 +0x69
github.com/google/syzkaller/prog.(*Target).Generate(0xc00007f1e0, 0x8f8680, 0xc000ce3440, 0x1e, 0xc000d92ec0, 0x0)
/syzkaller/gopath/src/github.com/google/syzkaller/prog/generation.go:19 +0x2b2
main.(*Proc).loop(0xc000d92f40)
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/proc.go:93 +0x2a1
created by main.main
/syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:236 +0xfe2
2018-12-11 10:14:21 +00:00
|
|
|
}
|
2020-03-06 08:01:48 +00:00
|
|
|
sort.Slice(enabledCalls, func(i, j int) bool {
|
|
|
|
|
return enabledCalls[i].ID < enabledCalls[j].ID
|
|
|
|
|
})
|
2020-05-04 06:58:32 +00:00
|
|
|
for _, p := range corpus {
|
|
|
|
|
for _, call := range p.Calls {
|
|
|
|
|
if !enabled[call.Meta] {
|
2020-09-16 11:32:15 +00:00
|
|
|
fmt.Printf("corpus contains disabled syscall %v\n", call.Meta.Name)
|
2020-06-16 13:43:22 +00:00
|
|
|
panic("disabled syscall")
|
2020-05-04 06:58:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
prios := target.CalculatePriorities(corpus)
|
2017-09-14 17:25:01 +00:00
|
|
|
run := make([][]int, len(target.Syscalls))
|
2015-10-14 14:55:09 +00:00
|
|
|
for i := range run {
|
2017-09-14 17:25:01 +00:00
|
|
|
if !enabled[target.Syscalls[i]] {
|
2015-10-14 14:55:09 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2017-09-14 17:25:01 +00:00
|
|
|
run[i] = make([]int, len(target.Syscalls))
|
2015-10-14 14:55:09 +00:00
|
|
|
sum := 0
|
|
|
|
|
for j := range run[i] {
|
2017-09-14 17:25:01 +00:00
|
|
|
if enabled[target.Syscalls[j]] {
|
2020-05-04 06:58:32 +00:00
|
|
|
sum += int(prios[i][j] * 1000)
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
run[i][j] = sum
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-05-04 06:58:32 +00:00
|
|
|
return &ChoiceTable{target, run, enabledCalls}
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
|
2020-05-07 13:34:43 +00:00
|
|
|
func (ct *ChoiceTable) Enabled(call int) bool {
|
2020-05-04 06:58:32 +00:00
|
|
|
return ct.runs[call] != nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ct *ChoiceTable) choose(r *rand.Rand, bias int) int {
|
|
|
|
|
if bias < 0 {
|
|
|
|
|
bias = ct.calls[r.Intn(len(ct.calls))].ID
|
2015-10-15 15:58:37 +00:00
|
|
|
}
|
2020-05-07 13:34:43 +00:00
|
|
|
if !ct.Enabled(bias) {
|
2020-06-16 13:43:22 +00:00
|
|
|
fmt.Printf("bias to disabled syscall %v", ct.target.Syscalls[bias].Name)
|
|
|
|
|
panic("disabled syscall")
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2020-05-04 06:58:32 +00:00
|
|
|
run := ct.runs[bias]
|
|
|
|
|
x := r.Intn(run[len(run)-1]) + 1
|
|
|
|
|
res := sort.SearchInts(run, x)
|
2020-05-07 13:34:43 +00:00
|
|
|
if !ct.Enabled(res) {
|
2020-05-04 06:58:32 +00:00
|
|
|
panic("selected disabled syscall")
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2020-05-04 06:58:32 +00:00
|
|
|
return res
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|