reactos/syzkaller
1
0
Fork 0
mirror of https://github.com/reactos/syzkaller.git synced 2024-11-24 03:49:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6ceee05ad9
syzkaller/prog/hints.go

211 lines
6.4 KiB
Go
Raw Normal View History

executor, ipc: modify the IO between KCOV<->executor<->fuzzer Now executor is able to read comparisons data from KCOV and write them to fuzzer.
2017-08-16 19:18:04 +00:00
// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package prog
// A hint is basically a tuple consisting of a pointer to an argument
// in one of the syscalls of a program and a value, which should be
// assigned to that argument (we call it a replacer).
// A simplified version of hints workflow looks like this:
// 1. Fuzzer launches a program (we call it a hint seed) and collects all
// the comparisons' data for every syscall in the program.
// 2. Next it tries to match the obtained comparison operands' values
// vs. the input arguments' values.
// 3. For every such match the fuzzer mutates the program by
// replacing the pointed argument with the saved value.
// 4. If a valid program is obtained, then fuzzer launches it and
// checks if new coverage is obtained.
// For more insights on particular mutations please see prog/hints_test.go.
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
import (
prog: fix hints of data args Hints for data args don't work. We do all the work, but at the final stage we patch arg in the _old_ program, not in the _new_ one. So programs passed to the callback are all the same and don't contain any mutations. Tests did not catch this because they work right before that point (don't test the actual interface function MutateWithHints). Fix that and add a test that catches this.
2017-12-08 09:45:11 +00:00
"bytes"
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
"encoding/binary"
prog: fix hints of data args Hints for data args don't work. We do all the work, but at the final stage we patch arg in the _old_ program, not in the _new_ one. So programs passed to the callback are all the same and don't contain any mutations. Tests did not catch this because they work right before that point (don't test the actual interface function MutateWithHints). Fix that and add a test that catches this.
2017-12-08 09:45:11 +00:00
"fmt"
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
)
executor, ipc: modify the IO between KCOV<->executor<->fuzzer Now executor is able to read comparisons data from KCOV and write them to fuzzer.
2017-08-16 19:18:04 +00:00
type uint64Set map[uint64]bool
// Example: for comparisons {(op1, op2), (op1, op3), (op1, op4), (op2, op1)}
// this map will store the following:
// m = {
// op1: {map[op2]: true, map[op3]: true, map[op4]: true},
// op2: {map[op1]: true}
// }.
type CompMap map[uint64]uint64Set
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
const (
maxDataLength = 100
)
prog: remove special knowledge about "mmap" syscall Abstract "mmap" away as it can be called differently on another OS.
2017-09-14 08:32:29 +00:00
var specialIntsSet uint64Set
executor, ipc: modify the IO between KCOV<->executor<->fuzzer Now executor is able to read comparisons data from KCOV and write them to fuzzer.
2017-08-16 19:18:04 +00:00
func (m CompMap) AddComp(arg1, arg2 uint64) {
if _, ok := m[arg1]; !ok {
m[arg1] = make(uint64Set)
}
m[arg1][arg2] = true
}
prog: fix hints of data args Hints for data args don't work. We do all the work, but at the final stage we patch arg in the _old_ program, not in the _new_ one. So programs passed to the callback are all the same and don't contain any mutations. Tests did not catch this because they work right before that point (don't test the actual interface function MutateWithHints). Fix that and add a test that catches this.
2017-12-08 09:45:11 +00:00
func (m CompMap) String() string {
buf := new(bytes.Buffer)
for v, comps := range m {
if len(buf.Bytes()) != 0 {
fmt.Fprintf(buf, ", ")
}
fmt.Fprintf(buf, "0x%x:", v)
for c := range comps {
fmt.Fprintf(buf, " 0x%x", c)
}
}
return buf.String()
}
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
// Mutates the program using the comparison operands stored in compMaps.
// For each of the mutants executes the exec callback.
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog)) {
p = p.Clone()
c := p.Calls[callIndex]
execValidate := func() {
if debug {
if err := p.validate(); err != nil {
panic(fmt.Sprintf("invalid hints candidate: %v", err))
}
}
exec(p)
}
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset.
2018-02-18 12:49:48 +00:00
ForeachArg(c, func(arg Arg, _ *ArgCtx) {
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
generateHints(p, comps, c, arg, execValidate)
syz-fuzzer: generates hints only for the call that gave new coverage During smashing we know what call gave new coverage, so we can concentrate just on it. This helps to reduce amount of hints generated (we have too many of them).
2017-10-20 10:23:21 +00:00
})
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
func generateHints(p *Prog, compMap CompMap, c *Call, arg Arg, exec func()) {
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset.
2018-02-18 12:49:48 +00:00
typ := arg.Type()
if typ == nil || typ.Dir() == DirOut {
prog: fix bugs in hints generation Add a random hints test and fix bugs it uncovers.
2017-10-20 09:54:24 +00:00
return
}
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset.
2018-02-18 12:49:48 +00:00
switch typ.(type) {
prog: fix bugs in hints generation Add a random hints test and fix bugs it uncovers.
2017-10-20 09:54:24 +00:00
case *ProcType:
// Random proc will not pass validation.
// We can mutate it, but only if the resulting value is within the legal range.
return
case *CsumType:
// Csum will not pass validation and is always computed.
return
}
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
switch a := arg.(type) {
case *ConstArg:
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
checkConstArg(a, compMap, exec)
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
case *DataArg:
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
checkDataArg(a, compMap, exec)
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
}
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
func checkConstArg(arg *ConstArg, compMap CompMap, exec func()) {
original := arg.Val
for replacer := range shrinkExpand(original, compMap) {
arg.Val = replacer
exec()
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
arg.Val = original
ipc, prog, fuzzer, execprog: add hints generation code A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
2017-08-24 15:52:57 +00:00
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
func checkDataArg(arg *DataArg, compMap CompMap, exec func()) {
prog: add arbitrary mutation of complex structs Squash complex structs into flat byte array and mutate this array with generic blob mutations. This allows to mutate what we currently consider as paddings and add/remove paddings from structs, etc.
2018-02-24 13:33:36 +00:00
// TODO(dvyukov): we need big-endian match for ANYBLOBs.
prog: extend a TODO about big-endian hints
2018-02-27 11:06:28 +00:00
// TODO(dvyukov): any probably not just for ANYBLOBs. Consider that
// kernel code does not convert the data (i.e. not ntohs(pkt->proto) == ETH_P_BATMAN),
// but instead converts the constant (i.e. pkt->proto == htons(ETH_P_BATMAN)).
// In such case we will see dynamic operand that does not match what we have in the program.
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
bytes := make([]byte, 8)
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed.
2017-12-13 19:12:13 +00:00
data := arg.Data()
size := len(data)
if size > maxDataLength {
size = maxDataLength
}
for i := 0; i < size; i++ {
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
original := make([]byte, 8)
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed.
2017-12-13 19:12:13 +00:00
copy(original, data[i:])
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
val := binary.LittleEndian.Uint64(original)
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
for replacer := range shrinkExpand(val, compMap) {
binary.LittleEndian.PutUint64(bytes, replacer)
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed.
2017-12-13 19:12:13 +00:00
copy(data[i:], bytes)
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
exec()
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
}
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed.
2017-12-13 19:12:13 +00:00
copy(data[i:], original)
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
}
}
// Shrink and expand mutations model the cases when the syscall arguments
// are casted to narrower (and wider) integer types.
// ======================================================================
// Motivation for shrink:
// void f(u16 x) {
// u8 y = (u8)x;
// if (y == 0xab) {...}
// }
// If we call f(0x1234), then we'll see a comparison 0x34 vs 0xab and we'll
// be unable to match the argument 0x1234 with any of the comparison operands.
// Thus we shrink 0x1234 to 0x34 and try to match 0x34.
// If there's a match for the shrank value, then we replace the corresponding
// bytes of the input (in the given example we'll get 0x12ab).
// Sometimes the other comparison operand will be wider than the shrank value
// (in the example above consider comparison if (y == 0xdeadbeef) {...}).
// In this case we ignore such comparison because we couldn't come up with
// any valid code example that does similar things. To avoid such comparisons
// we check the sizes with leastSize().
// ======================================================================
// Motivation for expand:
// void f(i8 x) {
// i16 y = (i16)x;
// if (y == -2) {...}
// }
// Suppose we call f(-1), then we'll see a comparison 0xffff vs 0xfffe and be
// unable to match input vs any operands. Thus we sign extend the input and
// check the extension.
// As with shrink we ignore cases when the other operand is wider.
// Note that executor sign extends all the comparison operands to int64.
// ======================================================================
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
func shrinkExpand(v uint64, compMap CompMap) (replacers uint64Set) {
var prev uint64
for _, isize := range []int{64, 32, 16, 8, -32, -16, -8} {
var mutant uint64
var size uint
if isize > 0 {
size = uint(isize)
mutant = v & ((1 << size) - 1)
} else {
size = uint(-isize)
mutant = v | ^((1 << size) - 1)
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
if size != 64 && prev == mutant {
continue
}
prev = mutant
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
for newV := range compMap[mutant] {
mask := uint64(1<<size - 1)
if newHi := newV & ^mask; newHi == 0 || newHi^^mask == 0 {
if !specialIntsSet[newV&mask] {
// Replace size least significant bits of v with
// corresponding bits of newV. Leave the rest of v as it was.
replacer := (v &^ mask) | (newV & mask)
prog: add a TODO for hints
2017-10-20 10:12:21 +00:00
// TODO(dvyukov): should we try replacing with arg+/-1?
// This could trigger some off-by-ones.
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
if replacers == nil {
replacers = make(uint64Set)
}
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
replacers[replacer] = true
}
}
}
}
prog: speedup and simplify hints code Clone program only once. Preallocate slices in clone. Remove the clone full mode. Always mutate args in place. Allocate replacers map lazily. Don't allocate res map at all (calculate valus on the go). Remove sliceToUint64, pad. benchmark old ns/op new ns/op delta BenchmarkHints 122100048 7466013 -93.89%
2017-12-08 11:27:39 +00:00
return
hints: add new mutations and tests
2017-08-31 15:11:45 +00:00
}
executor, ipc: modify the IO between KCOV<->executor<->fuzzer Now executor is able to read comparisons data from KCOV and write them to fuzzer.
2017-08-16 19:18:04 +00:00
func init() {
specialIntsSet = make(uint64Set)
for _, v := range specialInts {
specialIntsSet[v] = true
}
}
Reference in New Issue Copy Permalink