reactos/syzkaller
1
0
Fork 0
mirror of https://github.com/reactos/syzkaller.git synced 2024-11-23 11:29:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3dda7e6768
syzkaller/prog/target.go

310 lines
8.6 KiB
Go
Raw Normal View History

prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package prog
import (
"fmt"
sys/linux: improve AF_ALG alg name generation There is effectively infinite number of possible crypto algorithm names due to templates. Plus there is tricky relation between algorithms and algorithm type names. This change adds custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
2017-11-22 10:42:10 +00:00
"math/rand"
pkg/csource: support archs other than x86_64
2017-09-14 19:27:56 +00:00
"sort"
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
"sync"
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
)
// Target describes target OS/arch pair.
type Target struct {
OS string
Arch string
syz-manager, syz-fuzzer, executor: ensure that binaries are consistent Check that manager/fuzzer/executor are build on the same git revision, use the same syscall descriptions and the same target arch. Update #336
2017-09-15 08:15:00 +00:00
Revision string // unique hash representing revision of the descriptions
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
PtrSize uint64
PageSize uint64
prog: rework address allocation 1. mmap all memory always, without explicit mmap calls in the program. This makes lots of things much easier and removes lots of code. Makes mmap not a special syscall and allows to fuzz without mmap enabled. 2. Change address assignment algorithm. Current algorithm allocates unmapped addresses too frequently and allows collisions between arguments of a single syscall. The new algorithm analyzes actual allocations in the program and places new arguments at unused locations.
2018-02-19 18:35:04 +00:00
NumPages uint64
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
DataOffset uint64
Syscalls []*Syscall
Resources []*ResourceDesc
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
Consts []ConstValue
pkg/compiler: deduplicate Types in descriptions Add prog.Ref Type that serves as a proxy for real types and allows to deduplicate Types in generated descriptions. The Ref type is effectively an index in an array of types. Just before serialization pkg/compiler replaces real types with the Ref types and prepares corresponding array of real types. When a Target is registered in prog package, we do the opposite operation and replace Ref's with the corresponding real types. This brings improvements across the board: compiler memory consumption is reduced by 15%, test building time by 25%, descriptions size by 33%. Before: $ du -h sys/linux/gen 54M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m54.200s real 0m53.883s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m27.911s real 0m27.767s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 20.59 100% 3200016 20.97 100% 3445976 20.25 100% 3209684 After: $ du -h sys/linux/gen 36M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m42.290s real 0m43.230s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m24.337s real 0m24.727s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 19.11 100% 2764952 19.66 100% 2787624 19.35 100% 2749376 Update #1580
2020-04-25 08:06:37 +00:00
Types []Type
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
prog: refactor target.MakeMmap Make MakeMmap return more than 1 call. This is a preparation for future changes. Also remove addr/size as they are effectively always the same and can be inferred from the target (will also conflict with the future changes). Also rename to MakeDataMmap to better represent the new purpose: it's just some arbitrary mmap, but rather mapping of the data segment.
2020-04-18 10:36:52 +00:00
// MakeDataMmap creates calls that mmaps target data memory range.
MakeDataMmap func() []*Call
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
prog: rename target.SanitizeCall to Neutralize We will need a wrapper for target.SanitizeCall that will do more than just calling the target-provided function. To avoid confusion and potential mistakes, give the target function and prog function different names. Prog package will continue to call this "sanitize", which will include target's "neutralize" + more. Also refactor API a bit: we need a helper function that sanitizes the whole program because that's needed most of the time. Fixes #477 Fixes #502
2020-03-14 15:42:00 +00:00
// Neutralize neutralizes harmful calls by transforming them into non-harmful ones
// (e.g. an ioctl that turns off console output is turned into ioctl that turns on output).
Neutralize func(c *Call)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
pkg/csource: add ability to annotate syscalls using comments in C reproducers Providing additional info, especially regarding syscall arguments, in reproducers can be helpful. An example is device numbers passed to mknod(2). This commit introduces an optional annotate function on a per target basis. Example for the OpenBSD target: $ cat prog.in mknod(0x0, 0x0, 0x4503) getpid() $ syz-prog2c -prog prog.in int main(void) { syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0); syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */ syscall(SYS_getpid); return 0; }
2019-05-21 21:17:22 +00:00
// AnnotateCall annotates a syscall invocation in C reproducers.
// The returned string will be placed inside a comment except for the
// empty string which will omit the comment.
AnnotateCall func(c ExecCall) string
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
// Map key is struct/union name for which custom generation/mutation is required.
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
// Map value is custom generation/mutation function that will be called
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
// for the corresponding type. g is helper object that allows generate random numbers,
// allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union
// for mutation, or nil for generation. The function returns a new value of the struct/union,
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
// and optionally any calls that need to be inserted before the arg reference.
prog: remove Dir from Type Having Dir is Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. If also prevents us from having the struct type as struct identity (because we can have up to 3 of them). Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before. Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%). Update #1580
2020-04-26 12:14:14 +00:00
SpecialTypes map[string]func(g *Gen, typ Type, dir Dir, old Arg) (Arg, []*Call)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
prog, sys: move dictionary of special strings to sys It is target-specific.
2017-09-05 14:28:58 +00:00
// Special strings that can matter for the target.
// Used as fallback when string type does not have own dictionary.
StringDictionary []string
syz-manager: corpus rotation Use a random subset of syscalls/corpus/coverage for each individual VM run. Hypothesis is that this should allow fuzzer to get more coverage find more bugs in saturated state (stuck in local optimum). See the issue and comments for details. Update #1348
2019-12-30 10:41:20 +00:00
// Resources that play auxiliary role, but widely used throughout all syscalls (e.g. pid/uid).
AuxResources map[string]bool
prog: add concept of "special pointers" Currently we only generate either valid user-space pointers or NULL. Extend NULL to a set of special pointers that we will use in programs. All targets now contain 3 special values: - NULL - 0xfffffffffffffff (invalid kernel pointer) - 0x999999999999999 (non-canonical address) Each target can add additional special pointers on top of this. Also generate NULL/special pointers for non-opt ptr's. This restriction was always too restrictive. We may want to generate them with very low probability, but we do want to generate them. Also change pointers to NULL/special during mutation (but still not in the opposite direction).
2018-08-30 21:17:47 +00:00
// Additional special invalid pointer values besides NULL to use.
SpecialPointers []uint64
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
// Filled by prog package:
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
init sync.Once
initArch func(target *Target)
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
SyscallMap map[string]*Syscall
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
ConstMap map[string]uint64
prog: move resource-related functions to a separate file
2017-09-05 14:32:32 +00:00
resourceMap map[string]*ResourceDesc
// Maps resource name to a list of calls that can create the resource.
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
resourceCtors map[string][]*Syscall
all: fix gometalinter warnings Fix typos, non-canonical code, remove dead code, etc.
2018-03-08 17:48:26 +00:00
any anyTypes
prog: support disabled attribute Update #477 Update #502
2020-05-04 06:58:32 +00:00
// The default ChoiceTable is used only by tests and utilities, so we initialize it lazily.
defaultOnce sync.Once
defaultChoiceTable *ChoiceTable
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
prog: add concept of "special pointers" Currently we only generate either valid user-space pointers or NULL. Extend NULL to a set of special pointers that we will use in programs. All targets now contain 3 special values: - NULL - 0xfffffffffffffff (invalid kernel pointer) - 0x999999999999999 (non-canonical address) Each target can add additional special pointers on top of this. Also generate NULL/special pointers for non-opt ptr's. This restriction was always too restrictive. We may want to generate them with very low probability, but we do want to generate them. Also change pointers to NULL/special during mutation (but still not in the opposite direction).
2018-08-30 21:17:47 +00:00
const maxSpecialPointers = 16
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
var targets = make(map[string]*Target)
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
func RegisterTarget(target *Target, initArch func(target *Target)) {
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
key := target.OS + "/" + target.Arch
if targets[key] != nil {
panic(fmt.Sprintf("duplicate target %v", key))
}
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
target.initArch = initArch
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
targets[key] = target
prog: allow more than 1 target
2017-09-13 13:15:36 +00:00
}
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
func GetTarget(OS, arch string) (*Target, error) {
targets: Use OS=linux when GOOS=android This avoids the issue of "android" not having any registered configurations or syscalls / ioctls / etc, when built with GOOS=android. This occurs when building in Google3, since --config=android_arm64 selects the Android toolchain.
2018-10-08 22:57:53 +00:00
if OS == "android" {
OS = "linux"
}
prog: allow more than 1 target
2017-09-13 13:15:36 +00:00
key := OS + "/" + arch
target := targets[key]
if target == nil {
syz-manager/mgrconfig: explicitly specify target in config Add target config parameter (e.g. linux/amd64) which controls target OS/arch. No more explicit assumptions about target.
2017-09-13 18:40:27 +00:00
var supported []string
for _, t := range targets {
supported = append(supported, fmt.Sprintf("%v/%v", t.OS, t.Arch))
}
pkg/csource: support archs other than x86_64
2017-09-14 19:27:56 +00:00
sort.Strings(supported)
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
return nil, fmt.Errorf("unknown target: %v (supported: %v)", key, supported)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
target.init.Do(target.lazyInit)
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
return target, nil
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
pkg/csource: support archs other than x86_64
2017-09-14 19:27:56 +00:00
func AllTargets() []*Target {
var res []*Target
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
for _, target := range targets {
target.init.Do(target.lazyInit)
res = append(res, target)
pkg/csource: support archs other than x86_64
2017-09-14 19:27:56 +00:00
}
sort.Slice(res, func(i, j int) bool {
if res[i].OS != res[j].OS {
return res[i].OS < res[j].OS
}
return res[i].Arch < res[j].Arch
})
return res
}
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
func (target *Target) lazyInit() {
prog: rename target.SanitizeCall to Neutralize We will need a wrapper for target.SanitizeCall that will do more than just calling the target-provided function. To avoid confusion and potential mistakes, give the target function and prog function different names. Prog package will continue to call this "sanitize", which will include target's "neutralize" + more. Also refactor API a bit: we need a helper function that sanitizes the whole program because that's needed most of the time. Fixes #477 Fixes #502
2020-03-14 15:42:00 +00:00
target.Neutralize = func(c *Call) {}
pkg/csource: add ability to annotate syscalls using comments in C reproducers Providing additional info, especially regarding syscall arguments, in reproducers can be helpful. An example is device numbers passed to mknod(2). This commit introduces an optional annotate function on a per target basis. Example for the OpenBSD target: $ cat prog.in mknod(0x0, 0x0, 0x4503) getpid() $ syz-prog2c -prog prog.in int main(void) { syscall(SYS_mmap, 0x20000000, 0x1000000, 3, 0x1012, -1, 0, 0); syscall(SYS_mknod, 0, 0, 0x4503); /* major = 69, minor = 3 */ syscall(SYS_getpid); return 0; }
2019-05-21 21:17:22 +00:00
target.AnnotateCall = func(c ExecCall) string { return "" }
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
target.initTarget()
target.initArch(target)
target.ConstMap = nil // currently used only by initArch
prog: add concept of "special pointers" Currently we only generate either valid user-space pointers or NULL. Extend NULL to a set of special pointers that we will use in programs. All targets now contain 3 special values: - NULL - 0xfffffffffffffff (invalid kernel pointer) - 0x999999999999999 (non-canonical address) Each target can add additional special pointers on top of this. Also generate NULL/special pointers for non-opt ptr's. This restriction was always too restrictive. We may want to generate them with very low probability, but we do want to generate them. Also change pointers to NULL/special during mutation (but still not in the opposite direction).
2018-08-30 21:17:47 +00:00
// Give these 2 known addresses fixed positions and prepend target-specific ones at the end.
target.SpecialPointers = append([]uint64{
0x0000000000000000, // NULL pointer (keep this first because code uses special index=0 as NULL)
0xffffffffffffffff, // unmapped kernel address (keep second because serialized value will match actual pointer value)
0x9999999999999999, // non-canonical address
}, target.SpecialPointers...)
if len(target.SpecialPointers) > maxSpecialPointers {
panic("too many special pointers")
}
prog: lazily initialize targets We now have a bunch of targets compiled into each binary. All targets are initialized eagerly on startup time. As the result a do nothing binary starts for ~0.58s and consumes ~21MB. Initialize targets lazily. Usually only 1 target is used. This reduces startup time to ~0.00s and memory consumption to ~5.4MB.
2017-12-13 10:58:10 +00:00
}
func (target *Target) initTarget() {
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
target.ConstMap = make(map[string]uint64)
for _, c := range target.Consts {
target.ConstMap[c.Name] = c.Value
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
target.resourceMap = restoreLinks(target.Syscalls, target.Resources, target.Types)
pkg/compiler: deduplicate Types in descriptions Add prog.Ref Type that serves as a proxy for real types and allows to deduplicate Types in generated descriptions. The Ref type is effectively an index in an array of types. Just before serialization pkg/compiler replaces real types with the Ref types and prepares corresponding array of real types. When a Target is registered in prog package, we do the opposite operation and replace Ref's with the corresponding real types. This brings improvements across the board: compiler memory consumption is reduced by 15%, test building time by 25%, descriptions size by 33%. Before: $ du -h sys/linux/gen 54M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m54.200s real 0m53.883s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m27.911s real 0m27.767s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 20.59 100% 3200016 20.97 100% 3445976 20.25 100% 3209684 After: $ du -h sys/linux/gen 36M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m42.290s real 0m43.230s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m24.337s real 0m24.727s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 19.11 100% 2764952 19.66 100% 2787624 19.35 100% 2749376 Update #1580
2020-04-25 08:06:37 +00:00
target.Types = nil
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
target.SyscallMap = make(map[string]*Syscall)
pkg/compiler: don't assign call IDs statically IDs change whenever a call is added or removed, this leads to large diffs unnecessarly. Assign IDs dynamically.
2018-02-25 13:31:40 +00:00
for i, c := range target.Syscalls {
c.ID = i
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc.
2017-09-14 17:25:01 +00:00
target.SyscallMap[c.Name] = c
syz-manager: corpus rotation Use a random subset of syscalls/corpus/coverage for each individual VM run. Hypothesis is that this should allow fuzzer to get more coverage find more bugs in saturated state (stuck in local optimum). See the issue and comments for details. Update #1348
2019-12-30 10:41:20 +00:00
c.inputResources = target.getInputResources(c)
c.outputResources = target.getOutputResources(c)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
prog: speed up resource ctors detection When we build a list of resource constructors we over and over iterate through all types in a syscall to find resource types. Speed it up by iterating only once to build a list of constructors for each resource and then reuse it. This significantly speeds up syz-exeprog startup time on Raspberry Pi Zero.
2019-08-21 18:05:22 +00:00
target.populateResourceCtors()
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
target.resourceCtors = make(map[string][]*Syscall)
all: initial support for fuchsia Nothing works, but builds. Update #191
2017-09-20 19:18:36 +00:00
for _, res := range target.Resources {
prog: speed up resource ctors detection When we build a list of resource constructors we over and over iterate through all types in a syscall to find resource types. Speed it up by iterating only once to build a list of constructors for each resource and then reuse it. This significantly speeds up syz-exeprog startup time on Raspberry Pi Zero.
2019-08-21 18:05:22 +00:00
target.resourceCtors[res.Name] = target.calcResourceCtors(res, false)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
prog: add arbitrary mutation of complex structs Squash complex structs into flat byte array and mutate this array with generic blob mutations. This allows to mutate what we currently consider as paddings and add/remove paddings from structs, etc.
2018-02-24 13:33:36 +00:00
initAnyTypes(target)
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
sys: check that target consts are defined Currently when we get target consts with target.ConstMap["name"] during target initialization, we just get 0 for missing consts. This is error-prone as we can mis-type a const, or a const may be undefined only on some archs (as we have common unix code shared between several OSes). Check that all the consts are actually defined. The check detects several violations, to fix them: 1. move mremap to linux as it's only defined on linux 2. move S_IFMT to openbsd, as it's only defined and used on openbsd 3. define missing MAP_ANONYMOUS for freebsd and netbsd 4. fix extract for netbsd
2018-10-19 18:08:19 +00:00
func (target *Target) GetConst(name string) uint64 {
if target.ConstMap == nil {
panic("GetConst can only be used during target initialization")
}
v, ok := target.ConstMap[name]
if !ok {
panic(fmt.Sprintf("const %v is not defined for %v/%v", name, target.OS, target.Arch))
}
return v
}
prog: rename target.SanitizeCall to Neutralize We will need a wrapper for target.SanitizeCall that will do more than just calling the target-provided function. To avoid confusion and potential mistakes, give the target function and prog function different names. Prog package will continue to call this "sanitize", which will include target's "neutralize" + more. Also refactor API a bit: we need a helper function that sanitizes the whole program because that's needed most of the time. Fixes #477 Fixes #502
2020-03-14 15:42:00 +00:00
func (target *Target) sanitize(c *Call, fix bool) error {
target.Neutralize(c)
return nil
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type) {
restoreLinks(syscalls, resources, types)
prog: export RestoreLinks function Allows to use compiled descriptions. Will be useful for static checking utility.
2019-12-17 16:34:47 +00:00
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
func restoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type) map[string]*ResourceDesc {
prog: export RestoreLinks function Allows to use compiled descriptions. Will be useful for static checking utility.
2019-12-17 16:34:47 +00:00
resourceMap := make(map[string]*ResourceDesc)
for _, res := range resources {
resourceMap[res.Name] = res
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
ForeachType(syscalls, func(_ Type, ctx TypeCtx) {
if ref, ok := (*ctx.Ptr).(Ref); ok {
*ctx.Ptr = types[ref]
pkg/compiler: deduplicate Types in descriptions Add prog.Ref Type that serves as a proxy for real types and allows to deduplicate Types in generated descriptions. The Ref type is effectively an index in an array of types. Just before serialization pkg/compiler replaces real types with the Ref types and prepares corresponding array of real types. When a Target is registered in prog package, we do the opposite operation and replace Ref's with the corresponding real types. This brings improvements across the board: compiler memory consumption is reduced by 15%, test building time by 25%, descriptions size by 33%. Before: $ du -h sys/linux/gen 54M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m54.200s real 0m53.883s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m27.911s real 0m27.767s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 20.59 100% 3200016 20.97 100% 3445976 20.25 100% 3209684 After: $ du -h sys/linux/gen 36M sys/linux/gen $ time GOMAXPROCS=1 go test -p=1 -c ./prog real 0m42.290s real 0m43.230s $ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog real 0m24.337s real 0m24.727s $ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen 19.11 100% 2764952 19.66 100% 2787624 19.35 100% 2749376 Update #1580
2020-04-25 08:06:37 +00:00
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
switch t := (*ctx.Ptr).(type) {
case *ResourceType:
t.Desc = resourceMap[t.TypeName]
if t.Desc == nil {
panic("no resource desc")
prog: export RestoreLinks function Allows to use compiled descriptions. Will be useful for static checking utility.
2019-12-17 16:34:47 +00:00
}
prog: remove StructDesc Remove StructDesc, KeyedStruct, StructKey and all associated logic/complexity in prog and pkg/compiler. We can now handle recursion more generically with the Ref type, and Dir/FieldName are not a part of the type anymore. This makes StructType/UnionType simpler and more natural. Reduces size of sys/linux/gen/amd64.go from 5201321 to 4180861 (-20%). Update #1580
2020-05-03 09:29:12 +00:00
}
})
prog: export RestoreLinks function Allows to use compiled descriptions. Will be useful for static checking utility.
2019-12-17 16:34:47 +00:00
return resourceMap
}
prog: support disabled attribute Update #477 Update #502
2020-05-04 06:58:32 +00:00
func (target *Target) DefaultChoiceTable() *ChoiceTable {
target.defaultOnce.Do(func() {
target.defaultChoiceTable = target.BuildChoiceTable(nil, nil)
})
return target.defaultChoiceTable
}
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
type Gen struct {
r *randGen
s *state
}
prog: give special type generators access to target
2018-02-17 16:17:56 +00:00
func (g *Gen) Target() *Target {
return g.r.target
}
sys/linux: improve AF_ALG alg name generation There is effectively infinite number of possible crypto algorithm names due to templates. Plus there is tricky relation between algorithms and algorithm type names. This change adds custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
2017-11-22 10:42:10 +00:00
func (g *Gen) Rand() *rand.Rand {
return g.r.Rand
}
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
func (g *Gen) NOutOf(n, outOf int) bool {
return g.r.nOutOf(n, outOf)
}
prog: remove Dir from Type Having Dir is Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. If also prevents us from having the struct type as struct identity (because we can have up to 3 of them). Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before. Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%). Update #1580
2020-04-26 12:14:14 +00:00
func (g *Gen) Alloc(ptrType Type, dir Dir, data Arg) (Arg, []*Call) {
return g.r.allocAddr(g.s, ptrType, dir, data.Size(), data), nil
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191
2017-09-05 11:31:14 +00:00
}
sys/linux: improve AF_ALG alg name generation There is effectively infinite number of possible crypto algorithm names due to templates. Plus there is tricky relation between algorithms and algorithm type names. This change adds custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
2017-11-22 10:42:10 +00:00
prog: remove Dir from Type Having Dir is Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. If also prevents us from having the struct type as struct identity (because we can have up to 3 of them). Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before. Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%). Update #1580
2020-04-26 12:14:14 +00:00
func (g *Gen) GenerateArg(typ Type, dir Dir, pcalls *[]*Call) Arg {
return g.generateArg(typ, dir, pcalls, false)
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
}
prog: remove Dir from Type Having Dir is Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. If also prevents us from having the struct type as struct identity (because we can have up to 3 of them). Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before. Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%). Update #1580
2020-04-26 12:14:14 +00:00
func (g *Gen) GenerateSpecialArg(typ Type, dir Dir, pcalls *[]*Call) Arg {
return g.generateArg(typ, dir, pcalls, true)
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
}
prog: remove Dir from Type Having Dir is Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. If also prevents us from having the struct type as struct identity (because we can have up to 3 of them). Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before. Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%). Update #1580
2020-04-26 12:14:14 +00:00
func (g *Gen) generateArg(typ Type, dir Dir, pcalls *[]*Call, ignoreSpecial bool) Arg {
arg, calls := g.r.generateArgImpl(g.s, typ, dir, ignoreSpecial)
sys/linux: improve AF_ALG alg name generation There is effectively infinite number of possible crypto algorithm names due to templates. Plus there is tricky relation between algorithms and algorithm type names. This change adds custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
2017-11-22 10:42:10 +00:00
*pcalls = append(*pcalls, calls...)
prog: introduce Field type Remvoe FieldName from Type and add a separate Field type that holds field name. Use Field for struct fields, union options and syscalls arguments, only these really have names. Reduces size of sys/linux/gen/amd64.go from 5665583 to 5201321 (-8.2%). Allows to not create new type for squashed any pointer. But main advantages will follow, e.g. removing StructDesc, using TypeRef in Arg, etc. Update #1580
2020-05-01 15:19:27 +00:00
g.r.target.assignSizesArray([]Arg{arg}, []Field{{Name: "", Type: arg.Type()}}, nil)
sys/linux: improve AF_ALG alg name generation There is effectively infinite number of possible crypto algorithm names due to templates. Plus there is tricky relation between algorithms and algorithm type names. This change adds custom mutator for sockaddr_alg struct to improve variance in generated algorithms.
2017-11-22 10:42:10 +00:00
return arg
}
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
func (g *Gen) MutateArg(arg0 Arg) (calls []*Call) {
updateSizes := true
for stop := false; !stop; stop = g.r.oneOf(3) {
prog: fix mutationArgs for special types There are 2 bugs currently: 1. mutationArgs recurses into special types, even though they must be mutated as the whole only. 2. When mutationArgs is called from Gen.MutateArg, it included the top special type as well, it must not because at this point only the subargs must be mutated. Fix both problems.
2018-02-18 13:45:32 +00:00
ma := &mutationArgs{target: g.r.target, ignoreSpecial: true}
ForeachSubArg(arg0, ma.collectArg)
if len(ma.args) == 0 {
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
// TODO(dvyukov): probably need to return this condition
// and updateSizes to caller so that Mutate can act accordingly.
return
}
prog: fix mutationArgs for special types There are 2 bugs currently: 1. mutationArgs recurses into special types, even though they must be mutated as the whole only. 2. When mutationArgs is called from Gen.MutateArg, it included the top special type as well, it must not because at this point only the subargs must be mutated. Fix both problems.
2018-02-18 13:45:32 +00:00
idx := g.r.Intn(len(ma.args))
arg, ctx := ma.args[idx], ma.ctxes[idx]
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset.
2018-02-18 12:49:48 +00:00
newCalls, ok := g.r.target.mutateArg(g.r, g.s, arg, ctx, &updateSizes)
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
if !ok {
continue
}
prog: fix mutation of special types Caught by existing tests, just happens very infrequently.
2018-02-01 14:20:37 +00:00
calls = append(calls, newCalls...)
sys/linux: extend netfilter descriptions
2018-01-24 18:28:36 +00:00
}
return calls
}
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
type Builder struct {
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
target *Target
ma *memAlloc
p *Prog
}
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
func MakeProgGen(target *Target) *Builder {
return &Builder{
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
target: target,
ma: newMemAlloc(target.NumPages * target.PageSize),
p: &Prog{
Target: target,
},
}
}
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
func (pg *Builder) Append(c *Call) error {
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
pg.target.assignSizesCall(c)
prog: rename target.SanitizeCall to Neutralize We will need a wrapper for target.SanitizeCall that will do more than just calling the target-provided function. To avoid confusion and potential mistakes, give the target function and prog function different names. Prog package will continue to call this "sanitize", which will include target's "neutralize" + more. Also refactor API a bit: we need a helper function that sanitizes the whole program because that's needed most of the time. Fixes #477 Fixes #502
2020-03-14 15:42:00 +00:00
pg.target.sanitize(c, true)
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
pg.p.Calls = append(pg.p.Calls, c)
return nil
}
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
func (pg *Builder) Allocate(size uint64) uint64 {
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
return pg.ma.alloc(nil, size)
}
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
func (pg *Builder) AllocateVMA(npages uint64) uint64 {
tools/syz-trace2syz/proggen: fix vma allocation There are 2 bugs: 1. We always allocate 1 page, even if use more. 2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL. The added test currently panics with "unaligned vma address".
2018-12-07 11:48:59 +00:00
psize := pg.target.PageSize
addr := pg.ma.alloc(nil, (npages+1)*psize)
return (addr + psize - 1) & ^(psize - 1)
}
prog: rename ProgGen to Builder golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
2018-12-08 07:40:03 +00:00
func (pg *Builder) Finalize() (*Prog, error) {
tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc
2018-12-07 11:44:45 +00:00
if err := pg.p.validate(); err != nil {
return nil, err
}
if _, err := pg.p.SerializeForExec(make([]byte, ExecBufferSize)); err != nil {
return nil, err
}
p := pg.p
pg.p = nil
return p, nil
}
Reference in New Issue Copy Permalink