Documentation ¶
Index ¶
- Constants
- Variables
- func AssignRandomRerun(prog *Prog, rand *rand.Rand)
- func CallSet(data []byte) (map[string]struct{}, int, error)
- func CppName(name string) string
- func DecodeFallbackSignal(s uint64) (callID, errno int)
- func EncodeData(buf *bytes.Buffer, data []byte, readable bool)
- func ExecCallCount(exec []byte) (int, error)
- func ForeachArg(c *Call, f func(Arg, *ArgCtx))
- func ForeachArgType(typ Type, f func(t Type, ctx *TypeCtx))
- func ForeachCallType(meta *Syscall, f func(t Type, ctx *TypeCtx))
- func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx))
- func ForeachType(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))
- func ForeachTypePost(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))
- func GitRevisionKnown() bool
- func IsPad(t Type) bool
- func RegisterTarget(target *Target, types []Type, initArch func(target *Target))
- func RemoveArg(arg Arg)
- func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type)
- func TestDeserializeHelper(t *testing.T, OS, arch string, transform func(*Target, *Prog), ...)
- type Arg
- type ArgCommon
- type ArgCtx
- type ArgFinder
- type ArrayKind
- type ArrayType
- type AssetType
- type BinaryExpression
- type BinaryFormat
- type BinaryOperator
- type BufferKind
- type BufferType
- type Builder
- type Call
- type CallFlags
- type CallInfo
- type CallProps
- type ChoiceTable
- type CompMap
- type ConstArg
- type ConstType
- type ConstValue
- type CsumChunk
- type CsumChunkKind
- type CsumInfo
- type CsumKind
- type CsumType
- type DataArg
- type DeserializeMode
- type DeserializeTest
- type Dir
- type ExecArg
- type ExecArgConst
- type ExecArgCsum
- type ExecArgData
- type ExecArgResult
- type ExecCall
- type ExecCopyin
- type ExecCopyout
- type ExecCsumChunk
- type ExecProg
- type Expression
- type Field
- type FlagDesc
- type FlagsType
- type Gen
- func (g *Gen) Alloc(ptrType Type, dir Dir, data Arg) (Arg, []*Call)
- func (g *Gen) GenerateArg(typ Type, dir Dir, pcalls *[]*Call) Arg
- func (g *Gen) GenerateSpecialArg(typ Type, dir Dir, pcalls *[]*Call) Arg
- func (g *Gen) MutateArg(arg0 Arg) (calls []*Call)
- func (g *Gen) NOutOf(n, outOf int) bool
- func (g *Gen) Rand() *rand.Rand
- func (g *Gen) Target() *Target
- type GenericHeatmap
- type GroupArg
- type Heatmap
- type HintsLimiter
- type IntKind
- type IntType
- type IntTypeCommon
- func (t *IntTypeCommon) BitfieldLength() uint64
- func (t *IntTypeCommon) BitfieldOffset() uint64
- func (t *IntTypeCommon) Format() BinaryFormat
- func (t *IntTypeCommon) IsBitfield() bool
- func (t *IntTypeCommon) String() string
- func (t *IntTypeCommon) TypeBitSize() uint64
- func (t *IntTypeCommon) UnitOffset() uint64
- func (t *IntTypeCommon) UnitSize() uint64
- type LenType
- type LogEntry
- type MinimizeMode
- type MutateOpts
- type PointerArg
- type ProcType
- type Prog
- func AssignRandomAsync(origProg *Prog, rand *rand.Rand) *Prog
- func DoubleExecCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)
- func DupCallCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)
- func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int) bool) (*Prog, int)
- func (p *Prog) CallName(call int) string
- func (p *Prog) Clone() *Prog
- func (p *Prog) ContainsAny() bool
- func (p *Prog) FallbackSignal(info []CallInfo)
- func (p *Prog) FilterInplace(allowed map[*Syscall]bool)
- func (p *Prog) ForEachAsset(cb func(name string, typ AssetType, r io.Reader, c *Call))
- func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, ...)
- func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog) bool)
- func (p *Prog) MutateWithOpts(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, ...)
- func (p *Prog) OnlyContains(syscalls map[*Syscall]bool) bool
- func (p *Prog) RemoveCall(idx int)
- func (p *Prog) RequiredFeatures() RequiredFeatures
- func (p *Prog) Serialize() []byte
- func (p *Prog) SerializeForExec() ([]byte, error)
- func (p *Prog) SerializeVerbose() []byte
- func (p *Prog) String() string
- type PtrType
- type Ref
- func (ti Ref) Alignment() uint64
- func (ti Ref) BitfieldLength() uint64
- func (ti Ref) BitfieldOffset() uint64
- func (ti Ref) Clone() Type
- func (ti Ref) DefaultArg(dir Dir) Arg
- func (ti Ref) Format() BinaryFormat
- func (ti Ref) IsBitfield() bool
- func (ti Ref) Name() string
- func (ti Ref) Optional() bool
- func (ti Ref) Size() uint64
- func (ti Ref) String() string
- func (ti Ref) TemplateName() string
- func (ti Ref) TypeBitSize() uint64
- func (ti Ref) UnitOffset() uint64
- func (ti Ref) UnitSize() uint64
- func (ti Ref) Varlen() bool
- type RequiredFeatures
- type ResourceCtor
- type ResourceDesc
- type ResourceType
- type ResultArg
- type Rotator
- type StructType
- type Syscall
- type SyscallAttrs
- type Target
- func (target *Target) ArgContainsAny(arg0 Arg) (res bool)
- func (target *Target) BuildChoiceTable(corpus []*Prog, enabled map[*Syscall]bool) *ChoiceTable
- func (target *Target) CalculatePriorities(corpus []*Prog) [][]int32
- func (target *Target) CallContainsAny(c *Call) (res bool)
- func (target *Target) DataMmapProg() *Prog
- func (target *Target) DefaultChoiceTable() *ChoiceTable
- func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, error)
- func (target *Target) DeserializeExec(exec []byte, stats map[string]int) (ExecProg, error)
- func (target *Target) GenSampleProg(meta *Syscall, rs rand.Source) *Prog
- func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog
- func (target *Target) GenerateAllSyzProg(rs rand.Source) *Prog
- func (target *Target) GetConst(name string) uint64
- func (target *Target) ParseLog(data []byte, mode DeserializeMode) []*LogEntry
- func (target *Target) PhysicalAddr(arg *PointerArg) uint64
- func (target *Target) PseudoSyscalls() []*Syscall
- func (target *Target) RequiredGlobs() []string
- func (target *Target) TransitivelyEnabledCalls(enabled map[*Syscall]bool) (map[*Syscall]bool, map[*Syscall]string)
- func (target *Target) UpdateGlobs(globFiles map[string][]string)
- type TextKind
- type Type
- type TypeCommon
- func (t *TypeCommon) Alignment() uint64
- func (t *TypeCommon) BitfieldLength() uint64
- func (t *TypeCommon) BitfieldOffset() uint64
- func (t *TypeCommon) Format() BinaryFormat
- func (t *TypeCommon) IsBitfield() bool
- func (t *TypeCommon) Name() string
- func (t *TypeCommon) Optional() bool
- func (t *TypeCommon) Size() uint64
- func (t *TypeCommon) TemplateName() string
- func (t *TypeCommon) TypeBitSize() uint64
- func (t *TypeCommon) UnitOffset() uint64
- func (t *TypeCommon) UnitSize() uint64
- func (t *TypeCommon) Varlen() bool
- type TypeCtx
- type UnionArg
- type UnionType
- type Value
- type VmaType
Constants ¶
const ( ExecArgCsumChunkData = uint64(iota) ExecArgCsumChunkConst )
const ( ExecBufferSize = 4 << 20 // keep in sync with kMaxInput in executor.cc ExecNoCopyout = ^uint64(0) )
const ( // "Recommended" number of calls in programs that we try to aim at during fuzzing. RecommendedCalls = 30 // "Recommended" max number of calls in programs. // If we receive longer programs from hub/corpus we discard them. MaxCalls = 40 )
const ( // Special reference to the outer struct used in len targets. ParentRef = "parent" // Special reference directly to syscall arguments used in len targets. SyscallRef = "syscall" )
const (
ExecArgCsumInet = uint64(iota)
)
const ExtraCallName = ".extra"
const MaxArgs = 9
MaxArgs is maximum number of syscall arguments. Executor also knows about this value.
const ( // Some aspects of the linux kernel configs also know about this const, // e.g. they create that many devices of various types (usually these parameters are in CMDLINE). MaxPids = 32 )
Variables ¶
var ( GitRevision = defaultGitRevision // emitted by Makefile, may contain + at the end GitRevisionBase string // without + GitRevisionDate time.Time // parsed from gitRevisionDate )
var DefaultMutateOpts = MutateOpts{
ExpectedIterations: 5,
MutateArgCount: 3,
SquashWeight: 50,
SpliceWeight: 200,
InsertWeight: 100,
MutateArgWeight: 100,
RemoveCallWeight: 10,
}
var ErrViolatedConditions = errors.New("conditional fields rules violation")
var HostEndian = binary.LittleEndian
var SquashedArgFound = &DataArg{}
Special case reply of ArgFinder.
Functions ¶
func AssignRandomRerun ¶
func CallSet ¶
CallSet returns a set of all calls in the program. It does very conservative parsing and is intended to parse past/future serialization formats.
func DecodeFallbackSignal ¶
func ExecCallCount ¶
func ForeachArg ¶
func ForeachArgType ¶
func ForeachCallType ¶
func ForeachSubArg ¶
func ForeachType ¶
func ForeachTypePost ¶
func GitRevisionKnown ¶
func GitRevisionKnown() bool
func RegisterTarget ¶
func RestoreLinks ¶
func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type)
func TestDeserializeHelper ¶
Types ¶
type Arg ¶
type ArgCtx ¶
type ArgCtx struct { Parent *[]Arg // GroupArg.Inner (for structs) or Call.Args containing this arg. Fields []Field // Fields of the parent struct/syscall. Field *Field // Syscall field for this arg, nil if there it's not a field. Base *PointerArg // Pointer to the base of the heap object containing this arg. Offset uint64 // Offset of this arg from the base. Stop bool // If set by the callback, subargs of this arg are not visited. // contains filtered or unexported fields }
type ArrayType ¶
type ArrayType struct { TypeCommon Elem Type Kind ArrayKind RangeBegin uint64 RangeEnd uint64 }
func (*ArrayType) DefaultArg ¶
type BinaryExpression ¶
type BinaryExpression struct { Operator BinaryOperator Left Expression Right Expression }
func (*BinaryExpression) Clone ¶
func (bo *BinaryExpression) Clone() Expression
func (*BinaryExpression) Evaluate ¶
func (bo *BinaryExpression) Evaluate(finder ArgFinder) (uint64, bool)
func (BinaryExpression) ForEachValue ¶
func (bo BinaryExpression) ForEachValue(cb func(*Value))
func (BinaryExpression) GoString ¶
func (bo BinaryExpression) GoString() string
type BinaryFormat ¶
type BinaryFormat int
const ( FormatNative BinaryFormat = iota FormatBigEndian FormatStrDec FormatStrHex FormatStrOct )
type BinaryOperator ¶
type BinaryOperator int
const ( OperatorCompareEq BinaryOperator = iota OperatorCompareNeq OperatorBinaryAnd OperatorOr )
type BufferKind ¶
type BufferKind int
const ( BufferBlobRand BufferKind = iota BufferBlobRange BufferString BufferFilename BufferText BufferGlob BufferCompressed )
type BufferType ¶
type BufferType struct { TypeCommon Kind BufferKind RangeBegin uint64 // for BufferBlobRange kind RangeEnd uint64 // for BufferBlobRange kind Text TextKind // for BufferText SubKind string Values []string // possible values for BufferString and BufferGlob kind NoZ bool // non-zero terminated BufferString/BufferFilename }
func (*BufferType) DefaultArg ¶
func (t *BufferType) DefaultArg(dir Dir) Arg
func (*BufferType) IsCompressed ¶
func (t *BufferType) IsCompressed() bool
func (*BufferType) String ¶
func (t *BufferType) String() string
type Builder ¶
type Builder struct {
// contains filtered or unexported fields
}
func MakeProgGen ¶
func (*Builder) AllocateVMA ¶
type CallProps ¶
type CallProps struct { FailNth int `key:"fail_nth"` Async bool `key:"async"` Rerun int `key:"rerun"` }
These properties are parsed and serialized according to the tag and the type of the corresponding fields. IMPORTANT: keep the exact values of "key" tag for existing props unchanged, otherwise the backwards compatibility would be broken.
type ChoiceTable ¶
type ChoiceTable struct {
// contains filtered or unexported fields
}
ChooseTable allows to do a weighted choice of a syscall for a given syscall based on call-to-call priorities and a set of enabled and generatable syscalls.
func (*ChoiceTable) Generatable ¶
func (ct *ChoiceTable) Generatable(call int) bool
type CompMap ¶
CompMap maps comparison operand that could come from the input to the second operand to the PC.
func (CompMap) InplaceIntersect ¶
InplaceIntersect() only leaves the value pairs that are also present in other.
type ConstType ¶
type ConstType struct { IntTypeCommon Val uint64 IsPad bool }
func (*ConstType) DefaultArg ¶
type ConstValue ¶
type CsumChunk ¶
type CsumChunk struct { Kind CsumChunkKind Arg Arg // for CsumChunkArg Value uint64 // for CsumChunkConst Size uint64 // for CsumChunkConst }
type CsumChunkKind ¶
type CsumChunkKind int
const ( CsumChunkArg CsumChunkKind = iota CsumChunkConst )
type CsumType ¶
type CsumType struct { IntTypeCommon Kind CsumKind Buf string Protocol uint64 // for CsumPseudo }
func (*CsumType) DefaultArg ¶
type DataArg ¶
type DataArg struct { ArgCommon // contains filtered or unexported fields }
Used for BufferType.
type DeserializeMode ¶
type DeserializeMode int
const ( // In strict mode deserialization fails if the program is malformed in any way. // This mode is used for manually written programs to ensure that they are correct. Strict DeserializeMode = iota // In non-strict mode malformed programs silently fixed in a best-effort way, // e.g. missing/wrong arguments are replaced with default values. // This mode is used for the corpus programs to "repair" them after descriptions changes. NonStrict // Unsafe mode is used for VM checking programs. In this mode programs are not fixed // for safety, e.g. can access global files, issue prohibited ioctl's, disabled syscalls, etc. StrictUnsafe NonStrictUnsafe )
type DeserializeTest ¶
type ExecArgConst ¶
type ExecArgCsum ¶
type ExecArgCsum struct { Size uint64 Kind uint64 Chunks []ExecCsumChunk }
type ExecArgData ¶
type ExecArgResult ¶
type ExecCall ¶
type ExecCall struct { Meta *Syscall Props CallProps Index uint64 Args []ExecArg Copyin []ExecCopyin Copyout []ExecCopyout }
type ExecCopyin ¶
type ExecCopyout ¶
type ExecCsumChunk ¶
type Expression ¶
type Expression interface { fmt.GoStringer ForEachValue(func(*Value)) Clone() Expression Evaluate(ArgFinder) (uint64, bool) }
type Field ¶
type Field struct { Name string Type HasDirection bool Direction Dir Condition Expression // contains filtered or unexported fields }
type FlagsType ¶
type FlagsType struct { IntTypeCommon Vals []uint64 // compiler ensures that it's not empty BitMask bool }
func (*FlagsType) DefaultArg ¶
type Gen ¶
type Gen struct {
// contains filtered or unexported fields
}
func (*Gen) GenerateSpecialArg ¶
type GenericHeatmap ¶
type GenericHeatmap struct {
// contains filtered or unexported fields
}
func (*GenericHeatmap) ChooseLocation ¶
func (hm *GenericHeatmap) ChooseLocation() int
func (*GenericHeatmap) NumMutations ¶
func (hm *GenericHeatmap) NumMutations() int
type Heatmap ¶
Our heatmaps are a flexible mechanism to assign a probability distribution to some collection of bytes. Usage:
- Choose a heatmap and initialize it: `hm := MakeXYZHeatmap(data)`. Different heatmaps implement different probability distributions (for now there is only one).
- Select random indices according to the probability distribution: `idx := hm.ChooseLocation(r)`.
func MakeGenericHeatmap ¶
Generic heatmaps model a probability distribution based on sparse data, prioritising selection of regions which are not a single repeated byte. It views data as a series of chunks of length `granularity`, ignoring chunks which are a single repeated byte. Indices are chosen uniformly amongst the remaining "interesting" segments.
type HintsLimiter ¶
type HintsLimiter struct {
// contains filtered or unexported fields
}
func (*HintsLimiter) Limit ¶
func (limiter *HintsLimiter) Limit(comps CompMap)
Limit restricts hints to at most N replacement attempts per single kernel PC (globally, across all hints mutations for all programs). We are getting too many generated candidates, the fuzzer may not keep up with them at all (hints jobs keep growing infinitely). If a hint indeed came from the input w/o transformation, then we should guess it on the first attempt (or at least after few attempts). If it did not come from the input, or came with a non-trivial transformation, then any number of attempts won't help. So limit the total number of attempts (until the next restart).
type IntType ¶
type IntType struct { IntTypeCommon Kind IntKind RangeBegin uint64 RangeEnd uint64 Align uint64 }
func (*IntType) DefaultArg ¶
type IntTypeCommon ¶
type IntTypeCommon struct { TypeCommon ArgFormat BinaryFormat BitfieldOff uint64 BitfieldLen uint64 BitfieldUnit uint64 BitfieldUnitOff uint64 // contains filtered or unexported fields }
func (*IntTypeCommon) BitfieldLength ¶
func (t *IntTypeCommon) BitfieldLength() uint64
func (*IntTypeCommon) BitfieldOffset ¶
func (t *IntTypeCommon) BitfieldOffset() uint64
func (*IntTypeCommon) Format ¶
func (t *IntTypeCommon) Format() BinaryFormat
func (*IntTypeCommon) IsBitfield ¶
func (t *IntTypeCommon) IsBitfield() bool
func (*IntTypeCommon) String ¶
func (t *IntTypeCommon) String() string
func (*IntTypeCommon) TypeBitSize ¶
func (t *IntTypeCommon) TypeBitSize() uint64
Returns the size in bits for integers in binary format or 64 for string-formatted integers. The return value is used in computing limits and truncating other values.
func (*IntTypeCommon) UnitOffset ¶
func (t *IntTypeCommon) UnitOffset() uint64
func (*IntTypeCommon) UnitSize ¶
func (t *IntTypeCommon) UnitSize() uint64
type LenType ¶
type LenType struct { IntTypeCommon BitSize uint64 // want size in multiple of bits instead of array size Offset bool // offset from the beginning of the parent struct or base object Path []string }
func (*LenType) DefaultArg ¶
type LogEntry ¶
type LogEntry struct { P *Prog Proc int // index of parallel proc ID int // ID of the executed program (-1 if not present) Start int // start offset in log End int // end offset in log }
LogEntry describes one program in execution log.
type MinimizeMode ¶
type MinimizeMode int
const ( // Minimize for inclusion into corpus. // This generally tries to reduce number of arguments for future mutation. MinimizeCorpus MinimizeMode = iota // Minimize crash reproducer. // This mode assumes each test is expensive (need to reboot), so tries fewer things. MinimizeCrash // Minimize crash reproducer in snapshot mode. // This mode does not assume that tests are expensive, and tries to minimize for reproducer readability. MinimizeCrashSnapshot // Only try to remove calls. MinimizeCallsOnly )
type MutateOpts ¶
type PointerArg ¶
type PointerArg struct { ArgCommon Address uint64 VmaSize uint64 // size of the referenced region for vma args Res Arg // pointee (nil for vma) }
Used for PtrType and VmaType.
func MakePointerArg ¶
func MakePointerArg(t Type, dir Dir, addr uint64, data Arg) *PointerArg
func MakeSpecialPointerArg ¶
func MakeSpecialPointerArg(t Type, dir Dir, index uint64) *PointerArg
func MakeVmaPointerArg ¶
func MakeVmaPointerArg(t Type, dir Dir, addr, size uint64) *PointerArg
func (*PointerArg) IsSpecial ¶
func (arg *PointerArg) IsSpecial() bool
func (*PointerArg) Size ¶
func (arg *PointerArg) Size() uint64
type ProcType ¶
type ProcType struct { IntTypeCommon ValuesStart uint64 ValuesPerProc uint64 }
func (*ProcType) DefaultArg ¶
type Prog ¶
type Prog struct { Target *Target Calls []*Call Comments []string // contains filtered or unexported fields }
func AssignRandomAsync ¶
Ensures that if an async call produces a resource, then it is distanced from a call consuming the resource at least by one non-async call. This does not give 100% guarantee that the async call finishes by that time, but hopefully this is enough for most cases.
func DoubleExecCollide ¶
We append prog to itself, but let the second part only reference resource from the first one. Then we execute all the duplicated calls simultaneously. This somehow resembles the way the previous collide mode was implemented - a program was executed normally and then one more time again, while keeping resource values from the first execution and not waiting until every other call finishes.
func DupCallCollide ¶
DupCallCollide duplicates some of the calls in the program and marks them async. This should hopefully trigger races in a more granular way than DoubleExecCollide.
func Minimize ¶
func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int) bool) (*Prog, int)
Minimize minimizes program p into an equivalent program using the equivalence predicate pred. It iteratively generates simpler programs and asks pred whether it is equal to the original program or not. If it is equivalent then the simplification attempt is committed and the process continues.
func (*Prog) ContainsAny ¶
func (*Prog) FallbackSignal ¶
func (*Prog) FilterInplace ¶
FilterInplace only leaves the allowed system calls and deletes all remaining ones.
func (*Prog) ForEachAsset ¶
func (*Prog) Mutate ¶
func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, corpus []*Prog)
Mutate program p.
p: The program to mutate. rs: Random source. ncalls: The allowed maximum calls in mutated program. ct: ChoiceTable for syscalls. noMutate: Set of IDs of syscalls which should not be mutated. corpus: The entire corpus, including original program p.
func (*Prog) MutateWithHints ¶
Mutates the program using the comparison operands stored in compMaps. For each of the mutants executes the exec callback. The callback must return whether we should continue substitution (true) or abort the process (false).
func (*Prog) MutateWithOpts ¶
func (p *Prog) MutateWithOpts(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, corpus []*Prog, opts MutateOpts)
func (*Prog) OnlyContains ¶
OnlyContains determines whether the program only consists of the syscalls from the first argument.
func (*Prog) RequiredFeatures ¶
func (p *Prog) RequiredFeatures() RequiredFeatures
func (*Prog) SerializeForExec ¶
SerializeForExec serializes program p for execution by process pid into the provided buffer. Returns number of bytes written to the buffer. If the provided buffer is too small for the program an error is returned.
func (*Prog) SerializeVerbose ¶
type PtrType ¶
type PtrType struct { TypeCommon Elem Type ElemDir Dir SquashableElem bool }
func (*PtrType) DefaultArg ¶
type Ref ¶
type Ref uint32
func (Ref) BitfieldLength ¶
func (Ref) BitfieldOffset ¶
func (Ref) DefaultArg ¶
func (Ref) Format ¶
func (ti Ref) Format() BinaryFormat
func (Ref) IsBitfield ¶
func (Ref) TemplateName ¶
func (Ref) TypeBitSize ¶
func (Ref) UnitOffset ¶
type RequiredFeatures ¶
type ResourceCtor ¶
type ResourceDesc ¶
type ResourceDesc struct { Name string Kind []string Values []uint64 Ctors []ResourceCtor }
type ResourceType ¶
type ResourceType struct { TypeCommon ArgFormat BinaryFormat Desc *ResourceDesc }
func (*ResourceType) Default ¶
func (t *ResourceType) Default() uint64
func (*ResourceType) DefaultArg ¶
func (t *ResourceType) DefaultArg(dir Dir) Arg
func (*ResourceType) Format ¶
func (t *ResourceType) Format() BinaryFormat
func (*ResourceType) SpecialValues ¶
func (t *ResourceType) SpecialValues() []uint64
func (*ResourceType) String ¶
func (t *ResourceType) String() string
type ResultArg ¶
type ResultArg struct { ArgCommon Res *ResultArg // reference to arg which we use OpDiv uint64 // divide result (executed before OpAdd) OpAdd uint64 // add to result Val uint64 // value used if Res is nil // contains filtered or unexported fields }
Used for ResourceType. This is the only argument that can be used as syscall return value. Either holds constant value or reference another ResultArg.
func MakeReturnArg ¶
type Rotator ¶
type Rotator struct {
// contains filtered or unexported fields
}
Rotator selects a random subset of syscalls for corpus rotation.
func MakeRotator ¶
type StructType ¶
type StructType struct { TypeCommon Fields []Field AlignAttr uint64 OverlayField int // index of the field marked with out_overlay attribute (0 if no attribute) }
func (*StructType) DefaultArg ¶
func (t *StructType) DefaultArg(dir Dir) Arg
func (*StructType) String ¶
func (t *StructType) String() string
type SyscallAttrs ¶
type SyscallAttrs struct { Disabled bool Timeout uint64 ProgTimeout uint64 IgnoreReturn bool BreaksReturns bool NoGenerate bool NoMinimize bool RemoteCover bool Automatic bool AutomaticHelper bool Fsck string }
SyscallAttrs represents call attributes in syzlang.
This structure is the source of truth for the all other parts of the system. pkg/compiler uses this structure to parse descriptions. syz-sysgen uses this structure to generate code for executor.
Only `bool`s, `string`s and `uint64`s are currently supported.
See docs/syscall_descriptions_syntax.md for description of individual attributes.
type Target ¶
type Target struct { OS string Arch string Revision string // unique hash representing revision of the descriptions PtrSize uint64 PageSize uint64 NumPages uint64 DataOffset uint64 BigEndian bool Syscalls []*Syscall Resources []*ResourceDesc Consts []ConstValue Flags []FlagDesc // MakeDataMmap creates calls that mmaps target data memory range. MakeDataMmap func() []*Call // Neutralize neutralizes harmful calls by transforming them into non-harmful ones // (e.g. an ioctl that turns off console output is turned into ioctl that turns on output). // fixStructure determines whether it's allowed to make structural changes (e.g. add or // remove arguments). It is helpful e.g. when we do neutralization while iterating over the // arguments. Neutralize func(c *Call, fixStructure bool) error // AnnotateCall annotates a syscall invocation in C reproducers. // The returned string will be placed inside a comment except for the // empty string which will omit the comment. AnnotateCall func(c ExecCall) string // SpecialTypes allows target to do custom generation/mutation for some struct's and union's. // Map key is struct/union name for which custom generation/mutation is required. // Map value is custom generation/mutation function that will be called // for the corresponding type. g is helper object that allows generate random numbers, // allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union // for mutation, or nil for generation. The function returns a new value of the struct/union, // and optionally any calls that need to be inserted before the arg reference. SpecialTypes map[string]func(g *Gen, typ Type, dir Dir, old Arg) (Arg, []*Call) // Resources that play auxiliary role, but widely used throughout all syscalls (e.g. pid/uid). AuxResources map[string]bool // Additional special invalid pointer values besides NULL to use. SpecialPointers []uint64 // Special file name length that can provoke bugs (e.g. PATH_MAX). SpecialFileLenghts []int // Filled by prog package: SyscallMap map[string]*Syscall ConstMap map[string]uint64 FlagsMap map[string][]string // contains filtered or unexported fields }
Target describes target OS/arch pair.
func AllTargets ¶
func AllTargets() []*Target
func (*Target) ArgContainsAny ¶
func (*Target) BuildChoiceTable ¶
func (target *Target) BuildChoiceTable(corpus []*Prog, enabled map[*Syscall]bool) *ChoiceTable
func (*Target) CalculatePriorities ¶
func (*Target) CallContainsAny ¶
func (*Target) DataMmapProg ¶
DataMmapProg creates program that maps data segment. Also used for testing as the simplest program.
func (*Target) DefaultChoiceTable ¶
func (target *Target) DefaultChoiceTable() *ChoiceTable
func (*Target) Deserialize ¶
func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, error)
func (*Target) DeserializeExec ¶
func (*Target) GenSampleProg ¶
GenSampleProg generates a single sample program for the call.
func (*Target) Generate ¶
Generate generates a random program with ncalls calls. ct contains a set of allowed syscalls, if nil all syscalls are used.
func (*Target) GenerateAllSyzProg ¶
GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing.
func (*Target) ParseLog ¶
func (target *Target) ParseLog(data []byte, mode DeserializeMode) []*LogEntry
func (*Target) PhysicalAddr ¶
func (target *Target) PhysicalAddr(arg *PointerArg) uint64
func (*Target) PseudoSyscalls ¶
PseudoSyscalls selects one *Syscall for each pseudosyscall.
func (*Target) RequiredGlobs ¶
func (*Target) TransitivelyEnabledCalls ¶
func (*Target) UpdateGlobs ¶
type Type ¶
type Type interface { String() string Name() string TemplateName() string // for template structs name without arguments Optional() bool Varlen() bool Size() uint64 TypeBitSize() uint64 Alignment() uint64 Format() BinaryFormat BitfieldOffset() uint64 BitfieldLength() uint64 IsBitfield() bool // For most of the types UnitSize is equal to Size. // These are different only for all but last bitfield in the group, // where Size == 0 and UnitSize equals to the underlying bitfield type size. UnitSize() uint64 UnitOffset() uint64 DefaultArg(dir Dir) Arg // contains filtered or unexported methods }
type TypeCommon ¶
type TypeCommon struct { TypeName string // Static size of the type, or 0 for variable size types and all but last bitfields in the group. TypeSize uint64 TypeAlign uint64 IsOptional bool IsVarlen bool // contains filtered or unexported fields }
func (*TypeCommon) Alignment ¶
func (t *TypeCommon) Alignment() uint64
func (*TypeCommon) BitfieldLength ¶
func (t *TypeCommon) BitfieldLength() uint64
func (*TypeCommon) BitfieldOffset ¶
func (t *TypeCommon) BitfieldOffset() uint64
func (*TypeCommon) Format ¶
func (t *TypeCommon) Format() BinaryFormat
func (*TypeCommon) IsBitfield ¶
func (t *TypeCommon) IsBitfield() bool
func (*TypeCommon) Name ¶
func (t *TypeCommon) Name() string
func (*TypeCommon) Optional ¶
func (t *TypeCommon) Optional() bool
func (*TypeCommon) Size ¶
func (t *TypeCommon) Size() uint64
func (*TypeCommon) TemplateName ¶
func (t *TypeCommon) TemplateName() string
func (*TypeCommon) TypeBitSize ¶
func (t *TypeCommon) TypeBitSize() uint64
func (*TypeCommon) UnitOffset ¶
func (t *TypeCommon) UnitOffset() uint64
func (*TypeCommon) UnitSize ¶
func (t *TypeCommon) UnitSize() uint64
func (*TypeCommon) Varlen ¶
func (t *TypeCommon) Varlen() bool
type UnionArg ¶
type UnionArg struct { ArgCommon Option Arg Index int // Index of the selected option in the union type. // contains filtered or unexported fields }
Used for UnionType.
type Value ¶
type Value struct { // If Path is empty, Value is to be used. Value uint64 // Path to the field. Path []string }
func (*Value) Clone ¶
func (v *Value) Clone() Expression
func (*Value) ForEachValue ¶
Source Files ¶
- alloc.go
- analysis.go
- any.go
- checksum.go
- clone.go
- collide.go
- decodeexec.go
- encoding.go
- encodingexec.go
- expr.go
- generation.go
- heatmap.go
- hints.go
- little_endian.go
- meta.go
- minimization.go
- mutation.go
- parse.go
- prio.go
- prog.go
- rand.go
- resources.go
- rotation.go
- size.go
- target.go
- test_util.go
- types.go
- validation.go