With commit: syz-manager: add simple email support, it will send
emails when a bug is hit for the first time during that particular
run of syz-manager. In other words, if you restart syz-manager and
the same bug is hit, a new email will be sent again. This is due to
the fact that mgr.crashTypes[crash.Title] doesn't keep track of logs
already written to the disk.
Fixed by moving emailCrash() to logic handling log writing.
Fixes #484
Signed-off-by: Tim Tianyang Chen <soapcn@gmail.com>

Crashes without maintainers are nasty. There is no way to do
anything with them without altering the datastore (they are not mailed).
Add DefaultMaintainers to email config.
These addresses are added to all reported bugs as maintainers (e.g. LKML).
Once the report is mailed it's possible to CC more people on it.

By default we don't re-minimize/re-smash programs from corpus,
it takes lots of time on start and is unnecessary.
However, when we improve/fix minimization/smashing,
we may want to.
Introduce corpus database versions and allow re-minimizing/re-smashing
on version bumps.

Currently we run an input 3 times to get minimal new coverage,
and then during minimization try only 1 time to get the same coverage.
This plays poorly with flaky kernel coverage.
Require at least 1 out of 3 runs during minimization to get the same new coverage.
Experimental results suggest that this leads to higher quality corpus
(though, systematic tuning proved to be very hard due to flakes
and hard to explain effects on corpus size, program size, coverage and signal).

syz-fuzzer organically grew from a small nice main function
into a huge single-file monster with tons of global state.
Start refactoring it into something more manageable.
This change separates 2 things:
1. Proc: a single fuzzing process (ipc.Env wrapper).
2. WorkQueue: holds global non-fuzzing work items.
More work is needed, but this is a good first step.

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
The new approach also allows understanding e.g.
when a call has copyout instructions, which is
useful for better C source output.

csource.go is too large and messy.
Move Build/Format into build.go.
Move generation of common header into common.go.
Split generation of common header into smaller manageable functions.
Introduce isUsed(arg) helper, use it in several places.
Move method definitions closer to their types.
Simplify presence check for ArgUsed.Used() in several places.

Currently threaded/collide are global environment flags.
It can be useful to turn off collider during some executions
(minimization, triage, etc).
Make them per-program options.
Fixes #188

We now will write just ""/1000 to denote a 1000-byte output buffer.
Also we now don't store 1000-byte buffer in memory just to denote size.
Old format is still parsed.
Fixes #460

File names, crypto algorithm names, etc in programs are completely unreadable:
bind$alg(r0, &(0x7f0000408000)={0x26, "6861736800000000000000000000",
0x0, 0x0, "6d6435000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000
00000000000"}, 0x58)
Introduce another format for printable strings.
New args are denoted by '' ("" for old args).
New format is enabled for printable chars, \x00
and \t, \r, \n.
Example:
`serialize(&(0x7f0000408000)={"6861736800000000000000000000", "4849000000"})`,
vs:
`serialize(&(0x7f0000408000)={'hash\x00', 'HI\x00'})`,

We now have a bunch of targets compiled into each binary.
All targets are initialized eagerly on startup time.
As a result, a do-nothing binary starts in ~0.58s and
consumes ~21MB.
Initialize targets lazily. Usually only 1 target is used.
This reduces startup time to ~0.00s and memory consumption
to ~5.4MB.

Users can specify an email address to receive notifications when a
bug is discovered for the first time, without setting up a full-fledged
dashboard. The supported mailer is mailx.
Signed-off-by: Tim Tianyang Chen <soapcn@gmail.com>