Documentation
¶
Index ¶
- Constants
- func CallSet(data []byte) (map[string]struct{}, error)
- func ForeachArgArray(args *[]Arg, ret Arg, f func(arg, base Arg, parent *[]Arg))
- func ForeachType(meta *Syscall, f func(Type))
- func IsPad(t Type) bool
- func RegisterTarget(target *Target, initArch func(target *Target))
- func RequiresBitmasks(p *Prog) bool
- func RequiresChecksums(p *Prog) bool
- type Arg
- type ArgCommon
- type ArgUsed
- type ArgUser
- type Args
- type ArrayKind
- type ArrayType
- type BufferKind
- type BufferType
- type ByPhysicalAddr
- type Call
- type ChoiceTable
- type CompMap
- type ConstArg
- type ConstType
- type ConstValue
- type CsumChunk
- type CsumChunkKind
- type CsumInfo
- type CsumKind
- type CsumType
- type DataArg
- type Dir
- type FlagsType
- type Gen
- type GroupArg
- type IntKind
- type IntType
- type IntTypeCommon
- type KeyedStruct
- type LenType
- type LogEntry
- type PointerArg
- type ProcType
- type Prog
- func (p *Prog) Clone() *Prog
- func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Prog)
- func (p *Prog) MutateWithHints(compMaps []CompMap, exec func(newP *Prog))
- func (p *Prog) Serialize() []byte
- func (p *Prog) SerializeForExec(buffer []byte, pid int) error
- func (p *Prog) String() string
- func (p *Prog) StripDependencies()
- func (p *Prog) TrimAfter(idx int)
- func (p *Prog) Validate() error
- type PtrType
- type ResourceDesc
- type ResourceType
- type ResultArg
- type ReturnArg
- type StructDesc
- type StructKey
- type StructType
- type Syscall
- type Target
- func (target *Target) BuildChoiceTable(prios [][]float32, enabled map[*Syscall]bool) *ChoiceTable
- func (target *Target) CalculatePriorities(corpus []*Prog) [][]float32
- func (target *Target) Deserialize(data []byte) (prog *Prog, err error)
- func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog
- func (target *Target) GenerateAllSyzProg(rs rand.Source) *Prog
- func (target *Target) ParseLog(data []byte) []*LogEntry
- func (target *Target) TransitivelyEnabledCalls(enabled map[*Syscall]bool) map[*Syscall]bool
- type TextKind
- type Type
- type TypeCommon
- func (t *TypeCommon) BitfieldLength() uint64
- func (t *TypeCommon) BitfieldMiddle() bool
- func (t *TypeCommon) BitfieldOffset() uint64
- func (t *TypeCommon) Default() uint64
- func (t TypeCommon) Dir() Dir
- func (t *TypeCommon) FieldName() string
- func (t *TypeCommon) Name() string
- func (t *TypeCommon) Optional() bool
- func (t *TypeCommon) Size() uint64
- func (t *TypeCommon) Varlen() bool
- type UnionArg
- type UnionType
- type VmaType
Constants ¶
View Source
const ( ExecInstrEOF = ^uint64(iota) ExecInstrCopyin ExecInstrCopyout )
View Source
const ( ExecArgConst = uint64(iota) ExecArgResult ExecArgData ExecArgCsum )
View Source
const ( ExecArgCsumChunkData = uint64(iota) ExecArgCsumChunkConst )
View Source
const (
ExecArgCsumInet = uint64(iota)
)
View Source
const (
ExecBufferSize = 2 << 20
)
Variables ¶
This section is empty.
Functions ¶
func CallSet ¶
CallSet returns a set of all calls in the program. It does very conservative parsing and is intended to parse paste/future serialization formats.
func ForeachArgArray ¶
func ForeachType ¶
func RegisterTarget ¶
func RequiresBitmasks ¶
func RequiresChecksums ¶
Types ¶
type ArrayType ¶
type ArrayType struct {
TypeCommon
Type Type
Kind ArrayKind
RangeBegin uint64
RangeEnd uint64
}
type BufferKind ¶
type BufferKind int
const ( BufferBlobRand BufferKind = iota BufferBlobRange BufferString BufferFilename BufferText )
type BufferType ¶
type BufferType struct {
TypeCommon
Kind BufferKind
RangeBegin uint64 // for BufferBlobRange kind
RangeEnd uint64 // for BufferBlobRange kind
Text TextKind // for BufferText
SubKind string
Values []string // possible values for BufferString kind
}
type ByPhysicalAddr ¶
type ByPhysicalAddr struct {
Args
Context *execContext
}
func (ByPhysicalAddr) Less ¶
func (s ByPhysicalAddr) Less(i, j int) bool
type ChoiceTable ¶
type ChoiceTable struct {
// contains filtered or unexported fields
}
ChooseTable allows to do a weighted choice of a syscall for a given syscall based on call-to-call priorities and a set of enabled syscalls.
type CompMap ¶
type CompMap map[uint64]uint64Set
Example: for comparisons {(op1, op2), (op1, op3), (op1, op4), (op2, op1)} this map will store the following:
m = {
op1: {map[op2]: true, map[op3]: true, map[op4]: true},
op2: {map[op1]: true}
}.
type ConstType ¶
type ConstType struct {
IntTypeCommon
Val uint64
IsPad bool
}
type ConstValue ¶
type CsumChunk ¶
type CsumChunk struct {
Kind CsumChunkKind
Arg Arg // for CsumChunkArg
Value uint64 // for CsumChunkConst
Size uint64 // for CsumChunkConst
}
type CsumChunkKind ¶
type CsumChunkKind int
const ( CsumChunkArg CsumChunkKind = iota CsumChunkConst )
type CsumType ¶
type CsumType struct {
IntTypeCommon
Kind CsumKind
Buf string
Protocol uint64 // for CsumPseudo
}
type FlagsType ¶
type FlagsType struct {
IntTypeCommon
Vals []uint64
}
type IntTypeCommon ¶
type IntTypeCommon struct {
TypeCommon
BitfieldOff uint64
BitfieldLen uint64
BigEndian bool
BitfieldMdl bool
}
func (*IntTypeCommon) BitfieldLength ¶
func (t *IntTypeCommon) BitfieldLength() uint64
func (*IntTypeCommon) BitfieldMiddle ¶
func (t *IntTypeCommon) BitfieldMiddle() bool
func (*IntTypeCommon) BitfieldOffset ¶
func (t *IntTypeCommon) BitfieldOffset() uint64
type KeyedStruct ¶
type KeyedStruct struct {
Key StructKey
Desc *StructDesc
}
type LenType ¶
type LenType struct {
IntTypeCommon
ByteSize uint64 // want size in multiple of bytes instead of array size
Buf string
}
type LogEntry ¶
type LogEntry struct {
P *Prog
Proc int // index of parallel proc
Start int // start offset in log
End int // end offset in log
Fault bool // program was executed with fault injection in FaultCall/FaultNth
FaultCall int
FaultNth int
}
LogEntry describes one program in execution log.
type PointerArg ¶
type PointerArg struct {
ArgCommon
PageIndex uint64
PageOffset int // offset within a page
PagesNum uint64 // number of available pages
Res Arg // pointee
}
Used for PtrType and VmaType. Even if these are always constant (for reproducibility), we use a separate type because they are represented in an abstract (base+page+offset) form.
func (*PointerArg) Size ¶
func (arg *PointerArg) Size() uint64
type ProcType ¶
type ProcType struct {
IntTypeCommon
ValuesStart uint64
ValuesPerProc uint64
}
type Prog ¶
func Minimize ¶
Minimize minimizes program p into an equivalent program using the equivalence predicate pred. It iteratively generates simpler programs and asks pred whether it is equal to the orginal program or not. If it is equivalent then the simplification attempt is committed and the process continues.
func (*Prog) MutateWithHints ¶
Mutates the program using the comparison operands stored in compMaps. For each of the mutants executes the exec callback.
func (*Prog) SerializeForExec ¶
SerializeForExec serializes program p for execution by process pid into the provided buffer. If the provided buffer is too small for the program an error is returned.
func (*Prog) String ¶
String generates a very compact program description (mostly for debug output).
func (*Prog) StripDependencies ¶
func (p *Prog) StripDependencies()
type PtrType ¶
type PtrType struct {
TypeCommon
Type Type
}
type ResourceDesc ¶
type ResourceType ¶
type ResourceType struct {
TypeCommon
Desc *ResourceDesc
}
func (*ResourceType) Default ¶
func (t *ResourceType) Default() uint64
func (*ResourceType) SpecialValues ¶
func (t *ResourceType) SpecialValues() []uint64
type ResultArg ¶
type ResultArg struct {
ArgCommon
Res Arg // reference to arg which we use
OpDiv uint64 // divide result (executed before OpAdd)
OpAdd uint64 // add to result
Val uint64 // value used if Res is nil
// contains filtered or unexported fields
}
Used for ResourceType. Either holds constant value or reference another ResultArg or ReturnArg.
type ReturnArg ¶
type ReturnArg struct {
ArgCommon
// contains filtered or unexported fields
}
Used for ResourceType and VmaType. This argument denotes syscall return value.
type StructDesc ¶
type StructDesc struct {
TypeCommon
Fields []Type
AlignAttr uint64
}
func (*StructDesc) FieldName ¶
func (t *StructDesc) FieldName() string
type StructType ¶
type StructType struct {
Key StructKey
FldName string
*StructDesc
}
func (*StructType) FieldName ¶
func (t *StructType) FieldName() string
type Target ¶
type Target struct {
OS string
Arch string
Revision string // unique hash representing revision of the descriptions
PtrSize uint64
PageSize uint64
DataOffset uint64
Syscalls []*Syscall
Resources []*ResourceDesc
Structs []*KeyedStruct
Consts []ConstValue
// Syscall used by MakeMmap.
// It has some special meaning because there are usually too many of them.
MmapSyscall *Syscall
// MakeMmap creates call that maps [start, start+npages) page range.
MakeMmap func(start, npages uint64) *Call
// AnalyzeMmap analyzes the call c regarding mapping/unmapping memory.
// If it maps/unmaps any memory returns [start, start+npages) range,
// otherwise returns npages = 0.
AnalyzeMmap func(c *Call) (start, npages uint64, mapped bool)
// SanitizeCall neutralizes harmful calls.
SanitizeCall func(c *Call)
// SpecialStructs allows target to do custom generation/mutation for some struct types.
// Map key is struct name for which custom generation/mutation is required.
// Map value is custom generation/mutation function that will be called
// for the corresponding structs. g is helper object that allows generate random numbers,
// allocate memory, etc. typ is the struct type. old is the old value of the struct
// for mutation, or nil for generation. The function returns a new value of the struct,
// and optionally any calls that need to be inserted before the arg reference.
SpecialStructs map[string]func(g *Gen, typ *StructType, old *GroupArg) (Arg, []*Call)
// Special strings that can matter for the target.
// Used as fallback when string type does not have own dictionary.
StringDictionary []string
// Filled by prog package:
SyscallMap map[string]*Syscall
ConstMap map[string]uint64
// contains filtered or unexported fields
}
Target describes target OS/arch pair.
func AllTargets ¶
func AllTargets() []*Target
func (*Target) BuildChoiceTable ¶
func (target *Target) BuildChoiceTable(prios [][]float32, enabled map[*Syscall]bool) *ChoiceTable
func (*Target) CalculatePriorities ¶
func (*Target) Generate ¶
Generate generates a random program of length ~ncalls. calls is a set of allowed syscalls, if nil all syscalls are used.
func (*Target) GenerateAllSyzProg ¶
GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing.
type TypeCommon ¶
type TypeCommon struct {
TypeName string
FldName string // for struct fields and named args
TypeSize uint64 // static size of the type, or 0 for variable size types
ArgDir Dir
IsOptional bool
}
func (*TypeCommon) BitfieldLength ¶
func (t *TypeCommon) BitfieldLength() uint64
func (*TypeCommon) BitfieldMiddle ¶
func (t *TypeCommon) BitfieldMiddle() bool
func (*TypeCommon) BitfieldOffset ¶
func (t *TypeCommon) BitfieldOffset() uint64
func (*TypeCommon) Default ¶
func (t *TypeCommon) Default() uint64
func (TypeCommon) Dir ¶
func (t TypeCommon) Dir() Dir
func (*TypeCommon) FieldName ¶
func (t *TypeCommon) FieldName() string
func (*TypeCommon) Name ¶
func (t *TypeCommon) Name() string
func (*TypeCommon) Optional ¶
func (t *TypeCommon) Optional() bool
func (*TypeCommon) Size ¶
func (t *TypeCommon) Size() uint64
func (*TypeCommon) Varlen ¶
func (t *TypeCommon) Varlen() bool
type UnionType ¶
type UnionType struct {
Key StructKey
FldName string
*StructDesc
}
type VmaType ¶
type VmaType struct {
TypeCommon
RangeBegin uint64 // in pages
RangeEnd uint64
}
Source Files
Click to show internal directories.
Click to hide internal directories.