Documentation ¶
Index ¶
- Constants
- func CoverToPCs(cfg *mgrconfig.Config, cov []uint64) []uint64
- func CoverageFilter(source *ReportGeneratorWrapper, covCfg mgrconfig.CovFilterCfg, strict bool) (map[uint64]struct{}, error)
- func PCsToCover(cfg *mgrconfig.Config, pcs map[uint64]struct{}) map[uint64]struct{}
- func ParseSeed(target *prog.Target, data []byte) (*prog.Prog, error)
- func ParseSeedStrict(target *prog.Target, data []byte) (*prog.Prog, error)
- type BugInfo
- type BugReport
- type CoverageFilters
- type CoverageInfo
- type Crash
- type CrashInfo
- type CrashStore
- func (cs *CrashStore) BugInfo(id string, full bool) (*BugInfo, error)
- func (cs *CrashStore) BugList() ([]*BugInfo, error)
- func (cs *CrashStore) HasRepro(title string) bool
- func (cs *CrashStore) MoreReproAttempts(title string) bool
- func (cs *CrashStore) Report(id string) (*BugReport, error)
- func (cs *CrashStore) SaveCrash(crash *Crash) (bool, error)
- func (cs *CrashStore) SaveFailedRepro(title string, log []byte) error
- func (cs *CrashStore) SaveRepro(res *ReproResult, progText, cProgText []byte) error
- type DiffBug
- type DiffBugInfo
- type DiffFuzzerStore
- func (s *DiffFuzzerStore) BaseCrashed(title string, report []byte)
- func (s *DiffFuzzerStore) BaseNotCrashed(title string)
- func (s *DiffFuzzerStore) EverCrashedBase(title string) bool
- func (s *DiffFuzzerStore) List() []DiffBug
- func (s *DiffFuzzerStore) PatchedCrashed(title string, report, log []byte)
- func (s *DiffFuzzerStore) SaveRepro(result *ReproResult)
- type FilteredCandidates
- type HTTPServer
- type ReportGeneratorWrapper
- type ReproLoop
- type ReproManagerView
- type ReproResult
- type Seeds
- type UICallType
- type UICorpus
- type UICrash
- type UICrashType
- type UIDiffBug
- type UIDiffTable
- type UIFallbackCall
- type UIFallbackCoverData
- type UIInput
- type UIJobInfo
- type UIJobList
- type UIPrio
- type UIPrioData
- type UIRawCallCover
- type UIStat
- type UISummaryData
- type UISyscallsData
- type UIVMData
- type UIVMInfo
Constants ¶
// Selector values numbered consecutively by iota, from DoHTML == 0 up to
// DoCoverJSONL == 8. All of them have type int.
// NOTE(review): the names suggest that each value selects one kind of coverage
// output; the code that consumes them is not shown here, so confirm there.
const (
	DoHTML int = iota
	DoSubsystemCover
	DoModuleCover
	DoFuncCover
	DoFileCover
	DoRawCoverFiles
	DoRawCover
	DoFilterPCs
	DoCoverJSONL
)
// Untyped package-level constants, grouped into a single declaration.
const (
	// CurrentDBVersion is the database version number.
	// NOTE(review): which on-disk format it versions is not shown here.
	CurrentDBVersion = 5

	// DefaultPool is the empty pool name.
	DefaultPool = ""

	// MaxReproAttempts is presumably the limit consulted by
	// CrashStore.MoreReproAttempts; confirm against the implementation.
	MaxReproAttempts = 3

	// ReminimizeThreshold is the system-call count above which a program is
	// re-minimized.
	ReminimizeThreshold = 15
)
Programs that do more than 15 system calls are to be treated with suspicion and re-minimized.
Variables ¶
This section is empty.
Functions ¶
func CoverageFilter ¶
func CoverageFilter(source *ReportGeneratorWrapper, covCfg mgrconfig.CovFilterCfg, strict bool) (map[uint64]struct{}, error)
func PCsToCover ¶
Types ¶
type CoverageFilters ¶
func PrepareCoverageFilters ¶
func PrepareCoverageFilters(source *ReportGeneratorWrapper, cfg *mgrconfig.Config, strict bool) (CoverageFilters, error)
type CoverageInfo ¶
// CoverageInfo bundles three coverage-related values: a list of kernel
// modules, a report generator handle and a set of uint64 keys.
type CoverageInfo struct {
	// Modules is a list of kernel module descriptors.
	Modules []*vminfo.KernelModule
	// ReportGenerator is the wrapper whose Get method returns a
	// *cover.ReportGenerator.
	ReportGenerator *ReportGeneratorWrapper
	// CoverFilter has the same map type that CoverageFilter returns.
	// NOTE(review): presumably the keys are PCs; confirm against the caller.
	CoverFilter map[uint64]struct{}
}
type Crash ¶
type CrashStore ¶
func NewCrashStore ¶
func NewCrashStore(cfg *mgrconfig.Config) *CrashStore
func ReadCrashStore ¶
func ReadCrashStore(workdir string) *CrashStore
func (*CrashStore) BugList ¶
func (cs *CrashStore) BugList() ([]*BugInfo, error)
func (*CrashStore) HasRepro ¶
func (cs *CrashStore) HasRepro(title string) bool
func (*CrashStore) MoreReproAttempts ¶
func (cs *CrashStore) MoreReproAttempts(title string) bool
func (*CrashStore) SaveCrash ¶
func (cs *CrashStore) SaveCrash(crash *Crash) (bool, error)
SaveCrash returns whether this was the first crash of its kind.
func (*CrashStore) SaveFailedRepro ¶
func (cs *CrashStore) SaveFailedRepro(title string, log []byte) error
func (*CrashStore) SaveRepro ¶
func (cs *CrashStore) SaveRepro(res *ReproResult, progText, cProgText []byte) error
type DiffBug ¶
// DiffBug is one entry of the list returned by DiffFuzzerStore.List: a bug
// title plus one DiffBugInfo for each of the two sides being compared.
type DiffBug struct {
	// Title identifies the bug; the DiffFuzzerStore methods are keyed by title.
	Title string
	// Base holds the information recorded for the base side.
	// NOTE(review): presumably the unpatched kernel; confirm.
	Base DiffBugInfo
	// Patched holds the information recorded for the patched side.
	Patched DiffBugInfo
}
func (DiffBug) AffectsBoth ¶
func (DiffBug) PatchedOnly ¶
type DiffBugInfo ¶
type DiffFuzzerStore ¶
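// DiffFuzzerStore provides database functionality for patch fuzzing.
//
// NOTE(review): the storage code is not shown here. If the crash titles passed
// to BaseCrashed or PatchedCrashed are ever used to build file names under
// BasePath, confirm that they are sanitized or hashed first, because titles are
// derived from crash output.
type DiffFuzzerStore struct {
	// BasePath is the only exported field.
	// NOTE(review): presumably the directory the store writes to; confirm.
	BasePath string
	// contains filtered or unexported fields
}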
DiffFuzzerStore provides database functionality for patch fuzzing.
func (*DiffFuzzerStore) BaseCrashed ¶
func (s *DiffFuzzerStore) BaseCrashed(title string, report []byte)
func (*DiffFuzzerStore) BaseNotCrashed ¶
func (s *DiffFuzzerStore) BaseNotCrashed(title string)
func (*DiffFuzzerStore) EverCrashedBase ¶
func (s *DiffFuzzerStore) EverCrashedBase(title string) bool
func (*DiffFuzzerStore) List ¶
func (s *DiffFuzzerStore) List() []DiffBug
func (*DiffFuzzerStore) PatchedCrashed ¶
func (s *DiffFuzzerStore) PatchedCrashed(title string, report, log []byte)
func (*DiffFuzzerStore) SaveRepro ¶
func (s *DiffFuzzerStore) SaveRepro(result *ReproResult)
type FilteredCandidates ¶
// FilteredCandidates holds a list of fuzzer candidates together with a list of
// hashes and a seed count. It is the receiver of ReminimizeSubset and
// ResmashSubset.
type FilteredCandidates struct {
	// Candidates is the candidate list. ReminimizeSubset assumes that it is
	// sorted in ascending order of len(Prog.Calls).
	Candidates []fuzzer.Candidate
	// ModifiedHashes is a list of hash strings.
	// NOTE(review): presumably the hashes of programs changed during
	// filtering; confirm.
	ModifiedHashes []string
	// SeedCount is an integer count. NOTE(review): what exactly is counted is
	// not shown here.
	SeedCount int
}
func FilterCandidates ¶
func (*FilteredCandidates) ReminimizeSubset ¶
func (fc *FilteredCandidates) ReminimizeSubset() int
ReminimizeSubset clears the fuzzer.ProgMinimized flag of a small subset of seeds. The ultimate objective is to gradually clean up the poorly minimized corpus programs. ReminimizeSubset assumes that candidates are sorted in the order of ascending len(Prog.Calls).
func (*FilteredCandidates) ResmashSubset ¶
func (fc *FilteredCandidates) ResmashSubset() int
ResmashSubset clears the fuzzer.ProgSmashed flag for a subset of seeds. We smash a program only once, after adding it to the corpus, but the smash may not have finished before the instance was restarted, the fuzzing algorithms may have become smarter since then, or the kernel code may simply have changed. It would be best to track this in pkg/db, but until it is capable of that, we just re-smash a subset of the corpus on each syz-manager restart.
type HTTPServer ¶
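// HTTPServer holds the state used by Serve. The first group of fields is set
// once; the second group is updated while the server runs, which is why those
// fields use atomic types or sync.Map.
//
// NOTE(review): the listen address and any access control applied by Serve are
// not visible here. The server holds references to the crash store, the corpus
// and the fuzzer, so confirm that it is bound only to a trusted interface or
// placed behind authentication.
type HTTPServer struct {
	// To be set once.
	Cfg        *mgrconfig.Config
	StartTime  time.Time
	CrashStore *CrashStore
	DiffStore  *DiffFuzzerStore

	// Set dynamically.
	Corpus          atomic.Pointer[corpus.Corpus]
	Fuzzer          atomic.Pointer[fuzzer.Fuzzer]
	Cover           atomic.Pointer[CoverageInfo]
	ReproLoop       atomic.Pointer[ReproLoop]
	Pools           sync.Map     // string => dispatcher.Pool[*vm.Instance]
	EnabledSyscalls atomic.Value // map[*prog.Syscall]bool
	// contains filtered or unexported fields
}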
func (*HTTPServer) Serve ¶
func (serv *HTTPServer) Serve()
type ReportGeneratorWrapper ¶
// ReportGeneratorWrapper is an opaque handle returned by ReportGeneratorCache.
// Its Get method returns a *cover.ReportGenerator or an error; Init takes the
// list of kernel modules, and Reset takes no arguments.
// NOTE(review): the name of ReportGeneratorCache suggests that the generator is
// built lazily and cached; confirm against the implementation.
type ReportGeneratorWrapper struct {
	// contains filtered or unexported fields
}
func ReportGeneratorCache ¶
func ReportGeneratorCache(cfg *mgrconfig.Config) *ReportGeneratorWrapper
func (*ReportGeneratorWrapper) Get ¶
func (w *ReportGeneratorWrapper) Get() (*cover.ReportGenerator, error)
func (*ReportGeneratorWrapper) Init ¶
func (w *ReportGeneratorWrapper) Init(modules []*vminfo.KernelModule)
func (*ReportGeneratorWrapper) Reset ¶
func (w *ReportGeneratorWrapper) Reset()
type ReproLoop ¶
// ReproLoop is an opaque type created by NewReproLoop from a ReproManagerView,
// a number of repro VMs and an onlyOnce flag. Its Empty method returns true if
// there are neither running nor planned bug reproductions.
type ReproLoop struct {
	// contains filtered or unexported fields
}
func NewReproLoop ¶
func NewReproLoop(mgr ReproManagerView, reproVMs int, onlyOnce bool) *ReproLoop
func (*ReproLoop) CanReproMore ¶
func (*ReproLoop) Empty ¶
Empty returns true if there are neither running nor planned bug reproductions.
func (*ReproLoop) Reproducing ¶
type ReproManagerView ¶
// ReproManagerView is the interface that NewReproLoop accepts as its mgr
// argument.
type ReproManagerView interface {
	// RunRepro takes a crash and returns a *ReproResult.
	RunRepro(crash *Crash) *ReproResult
	// NeedRepro returns a bool for the given crash.
	// NOTE(review): presumably whether a reproduction should be attempted;
	// confirm.
	NeedRepro(crash *Crash) bool
	// ResizeReproPool takes the new pool size.
	// NOTE(review): presumably the number of VMs reserved for reproduction;
	// confirm.
	ResizeReproPool(size int)
}
type ReproResult ¶
type UICrashType ¶
type UIDiffTable ¶
type UIFallbackCall ¶
type UIFallbackCoverData ¶
// UIFallbackCoverData wraps a list of UIFallbackCall values.
// NOTE(review): presumably the data passed to a UI template; confirm.
type UIFallbackCoverData struct {
	// Calls is the list of entries.
	Calls []UIFallbackCall
}
type UIPrioData ¶
type UIRawCallCover ¶
type UISummaryData ¶
// UISummaryData groups the values of a summary view: identification strings,
// statistics, crash types, three diff tables and a log string.
//
// NOTE(review): the rendering code is not shown here. Name, Revision,
// RevisionLink and Log are free-form strings, so confirm that the template
// layer escapes them and that RevisionLink is validated before it is used as a
// link target.
type UISummaryData struct {
	Name         string
	Revision     string
	RevisionLink string
	// Expert is a boolean flag. NOTE(review): presumably it toggles an expert
	// view; confirm.
	Expert  bool
	Stats   []UIStat
	Crashes []*UICrashType
	// PatchedOnly, AffectsBoth and InProgress are separate diff tables; the
	// first two names match the DiffBug methods PatchedOnly and AffectsBoth.
	PatchedOnly *UIDiffTable
	AffectsBoth *UIDiffTable
	InProgress  *UIDiffTable
	Log         string
}
type UISyscallsData ¶
// UISyscallsData pairs a name with a list of UICallType entries.
// NOTE(review): presumably the data passed to a syscalls UI template; confirm.
type UISyscallsData struct {
	// Name is a free-form string.
	Name string
	// Calls is the list of call entries.
	Calls []UICallType
}