prog

package
v0.0.0-...-c87fa8a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 19, 2024 License: Apache-2.0 Imports: 24 Imported by: 789

Documentation

Index

Constants

View Source
const (
	ExecArgCsumChunkData = uint64(iota)
	ExecArgCsumChunkConst
)
View Source
const (
	ExecBufferSize = 4 << 20 // keep in sync with kMaxInput in executor.cc
	ExecNoCopyout  = ^uint64(0)
)
View Source
const (
	// "Recommended" number of calls in programs that we try to aim at during fuzzing.
	RecommendedCalls = 30
	// "Recommended" max number of calls in programs.
	// If we receive longer programs from hub/corpus we discard them.
	MaxCalls = 40
)
View Source
const (
	// Special reference to the outer struct used in len targets.
	ParentRef = "parent"
	// Special reference directly to syscall arguments used in len targets.
	SyscallRef = "syscall"
)
View Source
const (
	ExecArgCsumInet = uint64(iota)
)
View Source
const ExtraCallName = ".extra"
View Source
const MaxArgs = 9

MaxArgs is maximum number of syscall arguments. Executor also knows about this value.

View Source
const (
	// Some aspects of the linux kernel configs also know about this const,
	// e.g. they create that many devices of various types (usually these parameters are in CMDLINE).
	MaxPids = 32
)

Variables

View Source
var (
	GitRevision     = defaultGitRevision // emitted by Makefile, may contain + at the end
	GitRevisionBase string               // without +

	GitRevisionDate time.Time // parsed from gitRevisionDate
)
View Source
var DefaultMutateOpts = MutateOpts{
	ExpectedIterations: 5,
	MutateArgCount:     3,

	SquashWeight:     50,
	SpliceWeight:     200,
	InsertWeight:     100,
	MutateArgWeight:  100,
	RemoveCallWeight: 10,
}
View Source
var ErrViolatedConditions = errors.New("conditional fields rules violation")
View Source
var HostEndian = binary.LittleEndian
View Source
var SquashedArgFound = &DataArg{}

Special case reply of ArgFinder.

Functions

func AssignRandomRerun

func AssignRandomRerun(prog *Prog, rand *rand.Rand)

func CallSet

func CallSet(data []byte) (map[string]struct{}, int, error)

CallSet returns a set of all calls in the program. It does very conservative parsing and is intended to parse past/future serialization formats.

func CppName

func CppName(name string) string

CppName transforms PascalStyleNames to cpp_style_names.

func DecodeFallbackSignal

func DecodeFallbackSignal(s uint64) (callID, errno int)

func EncodeData

func EncodeData(buf *bytes.Buffer, data []byte, readable bool)

func ExecCallCount

func ExecCallCount(exec []byte) (int, error)

func ForeachArg

func ForeachArg(c *Call, f func(Arg, *ArgCtx))

func ForeachArgType

func ForeachArgType(typ Type, f func(t Type, ctx *TypeCtx))

func ForeachCallType

func ForeachCallType(meta *Syscall, f func(t Type, ctx *TypeCtx))

func ForeachSubArg

func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx))

func ForeachType

func ForeachType(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))

func ForeachTypePost

func ForeachTypePost(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))

func GitRevisionKnown

func GitRevisionKnown() bool

func IsPad

func IsPad(t Type) bool

func RegisterTarget

func RegisterTarget(target *Target, types []Type, initArch func(target *Target))

func RemoveArg

func RemoveArg(arg Arg)

RemoveArg is the public alias for the removeArg method.

func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type)

func TestDeserializeHelper

func TestDeserializeHelper(t *testing.T, OS, arch string, transform func(*Target, *Prog), tests []DeserializeTest)

Types

type Arg

type Arg interface {
	Type() Type
	Dir() Dir
	Size() uint64
	// contains filtered or unexported methods
}

func CloneArg

func CloneArg(arg Arg) Arg

func InnerArg

func InnerArg(arg Arg) Arg

Returns inner arg for pointer args.

type ArgCommon

type ArgCommon struct {
	// contains filtered or unexported fields
}

func (*ArgCommon) Dir

func (arg *ArgCommon) Dir() Dir

func (ArgCommon) Type

func (arg ArgCommon) Type() Type

type ArgCtx

type ArgCtx struct {
	Parent *[]Arg      // GroupArg.Inner (for structs) or Call.Args containing this arg.
	Fields []Field     // Fields of the parent struct/syscall.
	Field  *Field      // Syscall field for this arg, nil if there it's not a field.
	Base   *PointerArg // Pointer to the base of the heap object containing this arg.
	Offset uint64      // Offset of this arg from the base.
	Stop   bool        // If set by the callback, subargs of this arg are not visited.
	// contains filtered or unexported fields
}

type ArgFinder

type ArgFinder func(path []string) Arg

type ArrayKind

type ArrayKind int
const (
	ArrayRandLen ArrayKind = iota
	ArrayRangeLen
)

type ArrayType

type ArrayType struct {
	TypeCommon
	Elem       Type
	Kind       ArrayKind
	RangeBegin uint64
	RangeEnd   uint64
}

func (*ArrayType) DefaultArg

func (t *ArrayType) DefaultArg(dir Dir) Arg

func (*ArrayType) String

func (t *ArrayType) String() string

type AssetType

type AssetType int
const (
	MountInRepro AssetType = iota
)

type BinaryExpression

type BinaryExpression struct {
	Operator BinaryOperator
	Left     Expression
	Right    Expression
}

func (*BinaryExpression) Clone

func (bo *BinaryExpression) Clone() Expression

func (*BinaryExpression) Evaluate

func (bo *BinaryExpression) Evaluate(finder ArgFinder) (uint64, bool)

func (BinaryExpression) ForEachValue

func (bo BinaryExpression) ForEachValue(cb func(*Value))

func (BinaryExpression) GoString

func (bo BinaryExpression) GoString() string

type BinaryFormat

type BinaryFormat int
const (
	FormatNative BinaryFormat = iota
	FormatBigEndian
	FormatStrDec
	FormatStrHex
	FormatStrOct
)

type BinaryOperator

type BinaryOperator int
const (
	OperatorCompareEq BinaryOperator = iota
	OperatorCompareNeq
	OperatorBinaryAnd
	OperatorOr
)

type BufferKind

type BufferKind int
const (
	BufferBlobRand BufferKind = iota
	BufferBlobRange
	BufferString
	BufferFilename
	BufferText
	BufferGlob
	BufferCompressed
)

type BufferType

type BufferType struct {
	TypeCommon
	Kind       BufferKind
	RangeBegin uint64   // for BufferBlobRange kind
	RangeEnd   uint64   // for BufferBlobRange kind
	Text       TextKind // for BufferText
	SubKind    string
	Values     []string // possible values for BufferString and BufferGlob kind
	NoZ        bool     // non-zero terminated BufferString/BufferFilename
}

func (*BufferType) DefaultArg

func (t *BufferType) DefaultArg(dir Dir) Arg

func (*BufferType) IsCompressed

func (t *BufferType) IsCompressed() bool

func (*BufferType) String

func (t *BufferType) String() string

type Builder

type Builder struct {
	// contains filtered or unexported fields
}

func MakeProgGen

func MakeProgGen(target *Target) *Builder

func (*Builder) Allocate

func (pg *Builder) Allocate(size, alignment uint64) uint64

func (*Builder) AllocateVMA

func (pg *Builder) AllocateVMA(npages uint64) uint64

func (*Builder) Append

func (pg *Builder) Append(c *Call) error

func (*Builder) Finalize

func (pg *Builder) Finalize() (*Prog, error)

type Call

type Call struct {
	Meta    *Syscall
	Args    []Arg
	Ret     *ResultArg
	Props   CallProps
	Comment string
}

func MakeCall

func MakeCall(meta *Syscall, args []Arg) *Call

type CallFlags

type CallFlags int
const (
	CallExecuted CallFlags = 1 << iota // was started at all
	CallFinished                       // finished executing (rather than blocked forever)
	CallBlocked                        // finished but blocked during execution
)

type CallInfo

type CallInfo struct {
	Flags  CallFlags
	Errno  int
	Signal []uint64
}

type CallProps

type CallProps struct {
	FailNth int  `key:"fail_nth"`
	Async   bool `key:"async"`
	Rerun   int  `key:"rerun"`
}

These properties are parsed and serialized according to the tag and the type of the corresponding fields. IMPORTANT: keep the exact values of "key" tag for existing props unchanged, otherwise the backwards compatibility would be broken.

func (*CallProps) ForeachProp

func (props *CallProps) ForeachProp(f func(fieldName, key string, value reflect.Value))

TODO: This method might be more generic - it can be applied to any struct.

type ChoiceTable

type ChoiceTable struct {
	// contains filtered or unexported fields
}

ChooseTable allows to do a weighted choice of a syscall for a given syscall based on call-to-call priorities and a set of enabled and generatable syscalls.

func (*ChoiceTable) Generatable

func (ct *ChoiceTable) Generatable(call int) bool

type CompMap

type CompMap map[uint64]map[uint64]map[uint64]bool

CompMap maps comparison operand that could come from the input to the second operand to the PC.

func (CompMap) Add

func (m CompMap) Add(pc, arg1, arg2 uint64, isConst bool)

func (CompMap) InplaceIntersect

func (m CompMap) InplaceIntersect(other CompMap)

InplaceIntersect() only leaves the value pairs that are also present in other.

func (CompMap) Len

func (m CompMap) Len() int

func (CompMap) String

func (m CompMap) String() string

type ConstArg

type ConstArg struct {
	ArgCommon
	Val uint64
}

Used for ConstType, IntType, FlagsType, LenType, ProcType and CsumType.

func MakeConstArg

func MakeConstArg(t Type, dir Dir, v uint64) *ConstArg

func (*ConstArg) Size

func (arg *ConstArg) Size() uint64

func (*ConstArg) Value

func (arg *ConstArg) Value() (uint64, uint64)

Value returns value and pid stride.

type ConstType

type ConstType struct {
	IntTypeCommon
	Val   uint64
	IsPad bool
}

func (*ConstType) DefaultArg

func (t *ConstType) DefaultArg(dir Dir) Arg

func (*ConstType) String

func (t *ConstType) String() string

type ConstValue

type ConstValue struct {
	Name  string
	Value uint64
}

type CsumChunk

type CsumChunk struct {
	Kind  CsumChunkKind
	Arg   Arg    // for CsumChunkArg
	Value uint64 // for CsumChunkConst
	Size  uint64 // for CsumChunkConst
}

type CsumChunkKind

type CsumChunkKind int
const (
	CsumChunkArg CsumChunkKind = iota
	CsumChunkConst
)

type CsumInfo

type CsumInfo struct {
	Kind   CsumKind
	Chunks []CsumChunk
}

type CsumKind

type CsumKind int
const (
	CsumInet CsumKind = iota
	CsumPseudo
)

type CsumType

type CsumType struct {
	IntTypeCommon
	Kind     CsumKind
	Buf      string
	Protocol uint64 // for CsumPseudo
}

func (*CsumType) DefaultArg

func (t *CsumType) DefaultArg(dir Dir) Arg

func (*CsumType) String

func (t *CsumType) String() string

type DataArg

type DataArg struct {
	ArgCommon
	// contains filtered or unexported fields
}

Used for BufferType.

func MakeDataArg

func MakeDataArg(t Type, dir Dir, data []byte) *DataArg

func MakeOutDataArg

func MakeOutDataArg(t Type, dir Dir, size uint64) *DataArg

func (*DataArg) Data

func (arg *DataArg) Data() []byte

func (*DataArg) SetData

func (arg *DataArg) SetData(data []byte)

func (*DataArg) Size

func (arg *DataArg) Size() uint64

type DeserializeMode

type DeserializeMode int
const (
	// In strict mode deserialization fails if the program is malformed in any way.
	// This mode is used for manually written programs to ensure that they are correct.
	Strict DeserializeMode = iota
	// In non-strict mode malformed programs silently fixed in a best-effort way,
	// e.g. missing/wrong arguments are replaced with default values.
	// This mode is used for the corpus programs to "repair" them after descriptions changes.
	NonStrict
	// Unsafe mode is used for VM checking programs. In this mode programs are not fixed
	// for safety, e.g. can access global files, issue prohibited ioctl's, disabled syscalls, etc.
	StrictUnsafe
	NonStrictUnsafe
)

type DeserializeTest

type DeserializeTest struct {
	In        string
	Out       string // if not set, equals to In
	Err       string
	StrictErr string // if not set, equals to Err
}

type Dir

type Dir uint8
const (
	DirIn Dir = iota
	DirOut
	DirInOut
)

func (Dir) String

func (dir Dir) String() string

type ExecArg

type ExecArg interface{} // one of ExecArg*

type ExecArgConst

type ExecArgConst struct {
	Size           uint64
	Format         BinaryFormat
	Value          uint64
	BitfieldOffset uint64
	BitfieldLength uint64
	PidStride      uint64
}

type ExecArgCsum

type ExecArgCsum struct {
	Size   uint64
	Kind   uint64
	Chunks []ExecCsumChunk
}

type ExecArgData

type ExecArgData struct {
	Data     []byte
	Readable bool
}

type ExecArgResult

type ExecArgResult struct {
	Size    uint64
	Format  BinaryFormat
	Index   uint64
	DivOp   uint64
	AddOp   uint64
	Default uint64
}

type ExecCall

type ExecCall struct {
	Meta    *Syscall
	Props   CallProps
	Index   uint64
	Args    []ExecArg
	Copyin  []ExecCopyin
	Copyout []ExecCopyout
}

type ExecCopyin

type ExecCopyin struct {
	Addr uint64
	Arg  ExecArg
}

type ExecCopyout

type ExecCopyout struct {
	Index uint64
	Addr  uint64
	Size  uint64
}

type ExecCsumChunk

type ExecCsumChunk struct {
	Kind  uint64
	Value uint64
	Size  uint64
}

type ExecProg

type ExecProg struct {
	Calls []ExecCall
	Vars  []uint64
}

type Expression

type Expression interface {
	fmt.GoStringer
	ForEachValue(func(*Value))
	Clone() Expression
	Evaluate(ArgFinder) (uint64, bool)
}

type Field

type Field struct {
	Name string
	Type
	HasDirection bool
	Direction    Dir
	Condition    Expression
	// contains filtered or unexported fields
}

func (*Field) Dir

func (f *Field) Dir(def Dir) Dir

type FlagDesc

type FlagDesc struct {
	Name   string
	Values []string
}

type FlagsType

type FlagsType struct {
	IntTypeCommon
	Vals    []uint64 // compiler ensures that it's not empty
	BitMask bool
}

func (*FlagsType) DefaultArg

func (t *FlagsType) DefaultArg(dir Dir) Arg

type Gen

type Gen struct {
	// contains filtered or unexported fields
}

func (*Gen) Alloc

func (g *Gen) Alloc(ptrType Type, dir Dir, data Arg) (Arg, []*Call)

func (*Gen) GenerateArg

func (g *Gen) GenerateArg(typ Type, dir Dir, pcalls *[]*Call) Arg

func (*Gen) GenerateSpecialArg

func (g *Gen) GenerateSpecialArg(typ Type, dir Dir, pcalls *[]*Call) Arg

func (*Gen) MutateArg

func (g *Gen) MutateArg(arg0 Arg) (calls []*Call)

func (*Gen) NOutOf

func (g *Gen) NOutOf(n, outOf int) bool

func (*Gen) Rand

func (g *Gen) Rand() *rand.Rand

func (*Gen) Target

func (g *Gen) Target() *Target

type GenericHeatmap

type GenericHeatmap struct {
	// contains filtered or unexported fields
}

func (*GenericHeatmap) ChooseLocation

func (hm *GenericHeatmap) ChooseLocation() int

func (*GenericHeatmap) NumMutations

func (hm *GenericHeatmap) NumMutations() int

type GroupArg

type GroupArg struct {
	ArgCommon
	Inner []Arg
}

Used for StructType and ArrayType. Logical group of args (struct or array).

func MakeGroupArg

func MakeGroupArg(t Type, dir Dir, inner []Arg) *GroupArg

func (*GroupArg) Size

func (arg *GroupArg) Size() uint64

type Heatmap

type Heatmap interface {
	NumMutations() int
	ChooseLocation() int
}

Our heatmaps are a flexible mechanism to assign a probability distribution to some collection of bytes. Usage:

  1. Choose a heatmap and initialize it: `hm := MakeXYZHeatmap(data)`. Different heatmaps implement different probability distributions (for now there is only one).
  2. Select random indices according to the probability distribution: `idx := hm.ChooseLocation(r)`.

func MakeGenericHeatmap

func MakeGenericHeatmap(data []byte, r *rand.Rand) Heatmap

Generic heatmaps model a probability distribution based on sparse data, prioritising selection of regions which are not a single repeated byte. It views data as a series of chunks of length `granularity`, ignoring chunks which are a single repeated byte. Indices are chosen uniformly amongst the remaining "interesting" segments.

type HintsLimiter

type HintsLimiter struct {
	// contains filtered or unexported fields
}

func (*HintsLimiter) Limit

func (limiter *HintsLimiter) Limit(comps CompMap)

Limit restricts hints to at most N replacement attempts per single kernel PC (globally, across all hints mutations for all programs). We are getting too many generated candidates, the fuzzer may not keep up with them at all (hints jobs keep growing infinitely). If a hint indeed came from the input w/o transformation, then we should guess it on the first attempt (or at least after few attempts). If it did not come from the input, or came with a non-trivial transformation, then any number of attempts won't help. So limit the total number of attempts (until the next restart).

type IntKind

type IntKind int
const (
	IntPlain IntKind = iota
	IntRange
)

type IntType

type IntType struct {
	IntTypeCommon
	Kind       IntKind
	RangeBegin uint64
	RangeEnd   uint64
	Align      uint64
}

func (*IntType) DefaultArg

func (t *IntType) DefaultArg(dir Dir) Arg

type IntTypeCommon

type IntTypeCommon struct {
	TypeCommon
	ArgFormat       BinaryFormat
	BitfieldOff     uint64
	BitfieldLen     uint64
	BitfieldUnit    uint64
	BitfieldUnitOff uint64
	// contains filtered or unexported fields
}

func (*IntTypeCommon) BitfieldLength

func (t *IntTypeCommon) BitfieldLength() uint64

func (*IntTypeCommon) BitfieldOffset

func (t *IntTypeCommon) BitfieldOffset() uint64

func (*IntTypeCommon) Format

func (t *IntTypeCommon) Format() BinaryFormat

func (*IntTypeCommon) IsBitfield

func (t *IntTypeCommon) IsBitfield() bool

func (*IntTypeCommon) String

func (t *IntTypeCommon) String() string

func (*IntTypeCommon) TypeBitSize

func (t *IntTypeCommon) TypeBitSize() uint64

Returns the size in bits for integers in binary format or 64 for string-formatted integers. The return value is used in computing limits and truncating other values.

func (*IntTypeCommon) UnitOffset

func (t *IntTypeCommon) UnitOffset() uint64

func (*IntTypeCommon) UnitSize

func (t *IntTypeCommon) UnitSize() uint64

type LenType

type LenType struct {
	IntTypeCommon
	BitSize uint64 // want size in multiple of bits instead of array size
	Offset  bool   // offset from the beginning of the parent struct or base object
	Path    []string
}

func (*LenType) DefaultArg

func (t *LenType) DefaultArg(dir Dir) Arg

type LogEntry

type LogEntry struct {
	P     *Prog
	Proc  int // index of parallel proc
	ID    int // ID of the executed program (-1 if not present)
	Start int // start offset in log
	End   int // end offset in log
}

LogEntry describes one program in execution log.

type MinimizeMode

type MinimizeMode int
const (
	// Minimize for inclusion into corpus.
	// This generally tries to reduce number of arguments for future mutation.
	MinimizeCorpus MinimizeMode = iota
	// Minimize crash reproducer.
	// This mode assumes each test is expensive (need to reboot), so tries fewer things.
	MinimizeCrash
	// Minimize crash reproducer in snapshot mode.
	// This mode does not assume that tests are expensive, and tries to minimize for reproducer readability.
	MinimizeCrashSnapshot
	// Only try to remove calls.
	MinimizeCallsOnly
)

type MutateOpts

type MutateOpts struct {
	ExpectedIterations int
	MutateArgCount     int
	SquashWeight       int
	SpliceWeight       int
	InsertWeight       int
	MutateArgWeight    int
	RemoveCallWeight   int
}

type PointerArg

type PointerArg struct {
	ArgCommon
	Address uint64
	VmaSize uint64 // size of the referenced region for vma args
	Res     Arg    // pointee (nil for vma)
}

Used for PtrType and VmaType.

func MakePointerArg

func MakePointerArg(t Type, dir Dir, addr uint64, data Arg) *PointerArg

func MakeSpecialPointerArg

func MakeSpecialPointerArg(t Type, dir Dir, index uint64) *PointerArg

func MakeVmaPointerArg

func MakeVmaPointerArg(t Type, dir Dir, addr, size uint64) *PointerArg

func (*PointerArg) IsSpecial

func (arg *PointerArg) IsSpecial() bool

func (*PointerArg) Size

func (arg *PointerArg) Size() uint64

type ProcType

type ProcType struct {
	IntTypeCommon
	ValuesStart   uint64
	ValuesPerProc uint64
}

func (*ProcType) DefaultArg

func (t *ProcType) DefaultArg(dir Dir) Arg

type Prog

type Prog struct {
	Target   *Target
	Calls    []*Call
	Comments []string
	// contains filtered or unexported fields
}

func AssignRandomAsync

func AssignRandomAsync(origProg *Prog, rand *rand.Rand) *Prog

Ensures that if an async call produces a resource, then it is distanced from a call consuming the resource at least by one non-async call. This does not give 100% guarantee that the async call finishes by that time, but hopefully this is enough for most cases.

func DoubleExecCollide

func DoubleExecCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)

We append prog to itself, but let the second part only reference resource from the first one. Then we execute all the duplicated calls simultaneously. This somehow resembles the way the previous collide mode was implemented - a program was executed normally and then one more time again, while keeping resource values from the first execution and not waiting until every other call finishes.

func DupCallCollide

func DupCallCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)

DupCallCollide duplicates some of the calls in the program and marks them async. This should hopefully trigger races in a more granular way than DoubleExecCollide.

func Minimize

func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int) bool) (*Prog, int)

Minimize minimizes program p into an equivalent program using the equivalence predicate pred. It iteratively generates simpler programs and asks pred whether it is equal to the original program or not. If it is equivalent then the simplification attempt is committed and the process continues.

func (*Prog) CallName

func (p *Prog) CallName(call int) string

func (*Prog) Clone

func (p *Prog) Clone() *Prog

func (*Prog) ContainsAny

func (p *Prog) ContainsAny() bool

func (*Prog) FallbackSignal

func (p *Prog) FallbackSignal(info []CallInfo)

func (*Prog) FilterInplace

func (p *Prog) FilterInplace(allowed map[*Syscall]bool)

FilterInplace only leaves the allowed system calls and deletes all remaining ones.

func (*Prog) ForEachAsset

func (p *Prog) ForEachAsset(cb func(name string, typ AssetType, r io.Reader, c *Call))

func (*Prog) Mutate

func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, corpus []*Prog)

Mutate program p.

p: The program to mutate. rs: Random source. ncalls: The allowed maximum calls in mutated program. ct: ChoiceTable for syscalls. noMutate: Set of IDs of syscalls which should not be mutated. corpus: The entire corpus, including original program p.

func (*Prog) MutateWithHints

func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog) bool)

Mutates the program using the comparison operands stored in compMaps. For each of the mutants executes the exec callback. The callback must return whether we should continue substitution (true) or abort the process (false).

func (*Prog) MutateWithOpts

func (p *Prog) MutateWithOpts(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool,
	corpus []*Prog, opts MutateOpts)

func (*Prog) OnlyContains

func (p *Prog) OnlyContains(syscalls map[*Syscall]bool) bool

OnlyContains determines whether the program only consists of the syscalls from the first argument.

func (*Prog) RemoveCall

func (p *Prog) RemoveCall(idx int)

RemoveCall removes call idx from p.

func (*Prog) RequiredFeatures

func (p *Prog) RequiredFeatures() RequiredFeatures

func (*Prog) Serialize

func (p *Prog) Serialize() []byte

func (*Prog) SerializeForExec

func (p *Prog) SerializeForExec() ([]byte, error)

SerializeForExec serializes program p for execution by process pid into the provided buffer. Returns number of bytes written to the buffer. If the provided buffer is too small for the program an error is returned.

func (*Prog) SerializeVerbose

func (p *Prog) SerializeVerbose() []byte

func (*Prog) String

func (p *Prog) String() string

String generates a very compact program description (mostly for debug output).

type PtrType

type PtrType struct {
	TypeCommon
	Elem           Type
	ElemDir        Dir
	SquashableElem bool
}

func (*PtrType) DefaultArg

func (t *PtrType) DefaultArg(dir Dir) Arg

func (*PtrType) String

func (t *PtrType) String() string

type Ref

type Ref uint32

func (Ref) Alignment

func (ti Ref) Alignment() uint64

func (Ref) BitfieldLength

func (ti Ref) BitfieldLength() uint64

func (Ref) BitfieldOffset

func (ti Ref) BitfieldOffset() uint64

func (Ref) Clone

func (ti Ref) Clone() Type

func (Ref) DefaultArg

func (ti Ref) DefaultArg(dir Dir) Arg

func (Ref) Format

func (ti Ref) Format() BinaryFormat

func (Ref) IsBitfield

func (ti Ref) IsBitfield() bool

func (Ref) Name

func (ti Ref) Name() string

func (Ref) Optional

func (ti Ref) Optional() bool

func (Ref) Size

func (ti Ref) Size() uint64

func (Ref) String

func (ti Ref) String() string

func (Ref) TemplateName

func (ti Ref) TemplateName() string

func (Ref) TypeBitSize

func (ti Ref) TypeBitSize() uint64

func (Ref) UnitOffset

func (ti Ref) UnitOffset() uint64

func (Ref) UnitSize

func (ti Ref) UnitSize() uint64

func (Ref) Varlen

func (ti Ref) Varlen() bool

type RequiredFeatures

type RequiredFeatures struct {
	Bitmasks       bool
	Csums          bool
	FaultInjection bool
	Async          bool
}

type ResourceCtor

type ResourceCtor struct {
	Call    *Syscall
	Precise bool
}

type ResourceDesc

type ResourceDesc struct {
	Name   string
	Kind   []string
	Values []uint64
	Ctors  []ResourceCtor
}

type ResourceType

type ResourceType struct {
	TypeCommon
	ArgFormat BinaryFormat
	Desc      *ResourceDesc
}

func (*ResourceType) Default

func (t *ResourceType) Default() uint64

func (*ResourceType) DefaultArg

func (t *ResourceType) DefaultArg(dir Dir) Arg

func (*ResourceType) Format

func (t *ResourceType) Format() BinaryFormat

func (*ResourceType) SpecialValues

func (t *ResourceType) SpecialValues() []uint64

func (*ResourceType) String

func (t *ResourceType) String() string

type ResultArg

type ResultArg struct {
	ArgCommon
	Res   *ResultArg // reference to arg which we use
	OpDiv uint64     // divide result (executed before OpAdd)
	OpAdd uint64     // add to result
	Val   uint64     // value used if Res is nil
	// contains filtered or unexported fields
}

Used for ResourceType. This is the only argument that can be used as syscall return value. Either holds constant value or reference another ResultArg.

func MakeResultArg

func MakeResultArg(t Type, dir Dir, r *ResultArg, v uint64) *ResultArg

func MakeReturnArg

func MakeReturnArg(t Type) *ResultArg

func (*ResultArg) Size

func (arg *ResultArg) Size() uint64

type Rotator

type Rotator struct {
	// contains filtered or unexported fields
}

Rotator selects a random subset of syscalls for corpus rotation.

func MakeRotator

func MakeRotator(target *Target, calls map[*Syscall]bool, rnd *rand.Rand) *Rotator

func (*Rotator) Select

func (r *Rotator) Select() map[*Syscall]bool

type StructType

type StructType struct {
	TypeCommon
	Fields       []Field
	AlignAttr    uint64
	OverlayField int // index of the field marked with out_overlay attribute (0 if no attribute)
}

func (*StructType) DefaultArg

func (t *StructType) DefaultArg(dir Dir) Arg

func (*StructType) String

func (t *StructType) String() string

type Syscall

type Syscall struct {
	ID          int
	NR          uint64 // kernel syscall number
	Name        string
	CallName    string
	MissingArgs int // number of trailing args that should be zero-filled
	Args        []Field
	Ret         Type
	Attrs       SyscallAttrs
	// contains filtered or unexported fields
}

type SyscallAttrs

type SyscallAttrs struct {
	Disabled        bool
	Timeout         uint64
	ProgTimeout     uint64
	IgnoreReturn    bool
	BreaksReturns   bool
	NoGenerate      bool
	NoMinimize      bool
	RemoteCover     bool
	Automatic       bool
	AutomaticHelper bool
	Fsck            string
}

SyscallAttrs represents call attributes in syzlang.

This structure is the source of truth for the all other parts of the system. pkg/compiler uses this structure to parse descriptions. syz-sysgen uses this structure to generate code for executor.

Only `bool`s, `string`s and `uint64`s are currently supported.

See docs/syscall_descriptions_syntax.md for description of individual attributes.

type Target

type Target struct {
	OS         string
	Arch       string
	Revision   string // unique hash representing revision of the descriptions
	PtrSize    uint64
	PageSize   uint64
	NumPages   uint64
	DataOffset uint64
	BigEndian  bool

	Syscalls  []*Syscall
	Resources []*ResourceDesc
	Consts    []ConstValue
	Flags     []FlagDesc

	// MakeDataMmap creates calls that mmaps target data memory range.
	MakeDataMmap func() []*Call

	// Neutralize neutralizes harmful calls by transforming them into non-harmful ones
	// (e.g. an ioctl that turns off console output is turned into ioctl that turns on output).
	// fixStructure determines whether it's allowed to make structural changes (e.g. add or
	// remove arguments). It is helpful e.g. when we do neutralization while iterating over the
	// arguments.
	Neutralize func(c *Call, fixStructure bool) error

	// AnnotateCall annotates a syscall invocation in C reproducers.
	// The returned string will be placed inside a comment except for the
	// empty string which will omit the comment.
	AnnotateCall func(c ExecCall) string

	// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
	// Map key is struct/union name for which custom generation/mutation is required.
	// Map value is custom generation/mutation function that will be called
	// for the corresponding type. g is helper object that allows generate random numbers,
	// allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union
	// for mutation, or nil for generation. The function returns a new value of the struct/union,
	// and optionally any calls that need to be inserted before the arg reference.
	SpecialTypes map[string]func(g *Gen, typ Type, dir Dir, old Arg) (Arg, []*Call)

	// Resources that play auxiliary role, but widely used throughout all syscalls (e.g. pid/uid).
	AuxResources map[string]bool

	// Additional special invalid pointer values besides NULL to use.
	SpecialPointers []uint64

	// Special file name length that can provoke bugs (e.g. PATH_MAX).
	SpecialFileLenghts []int

	// Filled by prog package:
	SyscallMap map[string]*Syscall
	ConstMap   map[string]uint64
	FlagsMap   map[string][]string
	// contains filtered or unexported fields
}

Target describes target OS/arch pair.

func AllTargets

func AllTargets() []*Target

func GetTarget

func GetTarget(OS, arch string) (*Target, error)

func InitTargetTest

func InitTargetTest(t *testing.T, os, arch string) *Target

func (*Target) ArgContainsAny

func (target *Target) ArgContainsAny(arg0 Arg) (res bool)

func (*Target) BuildChoiceTable

func (target *Target) BuildChoiceTable(corpus []*Prog, enabled map[*Syscall]bool) *ChoiceTable

func (*Target) CalculatePriorities

func (target *Target) CalculatePriorities(corpus []*Prog) [][]int32

func (*Target) CallContainsAny

func (target *Target) CallContainsAny(c *Call) (res bool)

func (*Target) DataMmapProg

func (target *Target) DataMmapProg() *Prog

DataMmapProg creates program that maps data segment. Also used for testing as the simplest program.

func (*Target) DefaultChoiceTable

func (target *Target) DefaultChoiceTable() *ChoiceTable

func (*Target) Deserialize

func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, error)

func (*Target) DeserializeExec

func (target *Target) DeserializeExec(exec []byte, stats map[string]int) (ExecProg, error)

func (*Target) GenSampleProg

func (target *Target) GenSampleProg(meta *Syscall, rs rand.Source) *Prog

GenSampleProg generates a single sample program for the call.

func (*Target) Generate

func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog

Generate generates a random program with ncalls calls. ct contains a set of allowed syscalls, if nil all syscalls are used.

func (*Target) GenerateAllSyzProg

func (target *Target) GenerateAllSyzProg(rs rand.Source) *Prog

GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing.

func (*Target) GetConst

func (target *Target) GetConst(name string) uint64

func (*Target) ParseLog

func (target *Target) ParseLog(data []byte, mode DeserializeMode) []*LogEntry

func (*Target) PhysicalAddr

func (target *Target) PhysicalAddr(arg *PointerArg) uint64

func (*Target) PseudoSyscalls

func (target *Target) PseudoSyscalls() []*Syscall

PseudoSyscalls selects one *Syscall for each pseudosyscall.

func (*Target) RequiredGlobs

func (target *Target) RequiredGlobs() []string

func (*Target) TransitivelyEnabledCalls

func (target *Target) TransitivelyEnabledCalls(enabled map[*Syscall]bool) (map[*Syscall]bool, map[*Syscall]string)

func (*Target) UpdateGlobs

func (target *Target) UpdateGlobs(globFiles map[string][]string)

type TextKind

type TextKind int
const (
	TextTarget TextKind = iota
	TextX86Real
	TextX86bit16
	TextX86bit32
	TextX86bit64
	TextArm64
	TextPpc64
)

type Type

type Type interface {
	String() string
	Name() string
	TemplateName() string // for template structs name without arguments
	Optional() bool
	Varlen() bool
	Size() uint64
	TypeBitSize() uint64
	Alignment() uint64
	Format() BinaryFormat
	BitfieldOffset() uint64
	BitfieldLength() uint64
	IsBitfield() bool
	// For most of the types UnitSize is equal to Size.
	// These are different only for all but last bitfield in the group,
	// where Size == 0 and UnitSize equals to the underlying bitfield type size.
	UnitSize() uint64
	UnitOffset() uint64

	DefaultArg(dir Dir) Arg
	// contains filtered or unexported methods
}

type TypeCommon

type TypeCommon struct {
	TypeName string
	// Static size of the type, or 0 for variable size types and all but last bitfields in the group.
	TypeSize   uint64
	TypeAlign  uint64
	IsOptional bool
	IsVarlen   bool
	// contains filtered or unexported fields
}

func (*TypeCommon) Alignment

func (t *TypeCommon) Alignment() uint64

func (*TypeCommon) BitfieldLength

func (t *TypeCommon) BitfieldLength() uint64

func (*TypeCommon) BitfieldOffset

func (t *TypeCommon) BitfieldOffset() uint64

func (*TypeCommon) Format

func (t *TypeCommon) Format() BinaryFormat

func (*TypeCommon) IsBitfield

func (t *TypeCommon) IsBitfield() bool

func (*TypeCommon) Name

func (t *TypeCommon) Name() string

func (*TypeCommon) Optional

func (t *TypeCommon) Optional() bool

func (*TypeCommon) Size

func (t *TypeCommon) Size() uint64

func (*TypeCommon) TemplateName

func (t *TypeCommon) TemplateName() string

func (*TypeCommon) TypeBitSize

func (t *TypeCommon) TypeBitSize() uint64

func (*TypeCommon) UnitOffset

func (t *TypeCommon) UnitOffset() uint64

func (*TypeCommon) UnitSize

func (t *TypeCommon) UnitSize() uint64

func (*TypeCommon) Varlen

func (t *TypeCommon) Varlen() bool

type TypeCtx

type TypeCtx struct {
	Meta     *Syscall
	Dir      Dir
	Ptr      *Type
	Optional bool
	Stop     bool // If set by the callback, subtypes of this type are not visited.
}

type UnionArg

type UnionArg struct {
	ArgCommon
	Option Arg
	Index  int // Index of the selected option in the union type.
	// contains filtered or unexported fields
}

Used for UnionType.

func MakeUnionArg

func MakeUnionArg(t Type, dir Dir, opt Arg, index int) *UnionArg

func (*UnionArg) Size

func (arg *UnionArg) Size() uint64

type UnionType

type UnionType struct {
	TypeCommon
	Fields []Field
}

func (*UnionType) DefaultArg

func (t *UnionType) DefaultArg(dir Dir) Arg

func (*UnionType) String

func (t *UnionType) String() string

type Value

type Value struct {
	// If Path is empty, Value is to be used.
	Value uint64
	// Path to the field.
	Path []string
}

func (*Value) Clone

func (v *Value) Clone() Expression

func (*Value) Evaluate

func (v *Value) Evaluate(finder ArgFinder) (uint64, bool)

func (*Value) ForEachValue

func (v *Value) ForEachValue(cb func(*Value))

func (Value) GoString

func (v Value) GoString() string

type VmaType

type VmaType struct {
	TypeCommon
	RangeBegin uint64 // in pages
	RangeEnd   uint64
}

func (*VmaType) DefaultArg

func (t *VmaType) DefaultArg(dir Dir) Arg

func (*VmaType) String

func (t *VmaType) String() string

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL