prog

package
v0.0.0-...-4e1406b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 6, 2025 License: Apache-2.0 Imports: 24 Imported by: 816

Documentation

Overview

Copyright 2025 syzkaller project authors. All rights reserved. Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

Index

Constants

View Source 
const (
	ExecArgCsumChunkData = uint64(iota)
	ExecArgCsumChunkConst
)
View Source 
const (
	ExecBufferSize = 4 << 20 // keep in sync with kMaxInput in executor.cc
	ExecNoCopyout  = ^uint64(0)
)
View Source 
const (
	// "Recommended" number of calls in programs that we try to aim at during fuzzing.
	RecommendedCalls = 30
	// "Recommended" max number of calls in programs.
	// If we receive longer programs from hub/corpus we discard them.
	MaxCalls = 40
	// "Recommended" number of calls in KFuzzTest mode. These targets test the behavior
	// of internal kernel functions rather than system behavior, and for this reason
	// it is more sensible to generate a smaller number of calls instead of long chains.
	RecommendedCallsKFuzzTest = 5
)
View Source 
const (
	// Special reference to the outer struct used in len targets.
	ParentRef = "parent"
	// Special reference directly to syscall arguments used in len targets.
	SyscallRef = "syscall"
)
View Source 
const (
	ExecArgCsumInet = uint64(iota)
)
View Source 
const ExtraCallName = ".extra"
View Source 
const (

	// Maximum input size accepted by the KFuzzTest kernel module.
	KFuzzTestMaxInputSize uint64 = 64 << 10
)
View Source 
const MaxArgs = 9

MaxArgs is maximum number of syscall arguments. Executor also knows about this value.

View Source 
const (
	// Some aspects of the linux kernel configs also know about this const,
	// e.g. they create that many devices of various types (usually these parameters are in CMDLINE).
	MaxPids = 32
)

Variables

View Source 
var (
	GitRevision     = defaultGitRevision // emitted by Makefile, may contain + at the end
	GitRevisionBase string               // without +

	GitRevisionDate time.Time // parsed from gitRevisionDate
)
View Source 
var DefaultMutateOpts = MutateOpts{
	ExpectedIterations: 5,
	MutateArgCount:     3,

	SquashWeight:     50,
	SpliceWeight:     200,
	InsertWeight:     100,
	MutateArgWeight:  100,
	RemoveCallWeight: 10,
}
View Source 
var ErrViolatedConditions = errors.New("conditional fields rules violation")
View Source 
var HostEndian = binary.LittleEndian
View Source 
var SquashedArgFound = &DataArg{}

Special case reply of ArgFinder.

Functions

func AssignRandomRerun 

func AssignRandomRerun(prog *Prog, rand *rand.Rand)

func CallSet 

func CallSet(data []byte) (map[string]struct{}, int, error)

CallSet returns a set of all calls in the program. It does very conservative parsing and is intended to parse past/future serialization formats.

func CppName 

func CppName(name string) string

CppName transforms PascalStyleNames to cpp_style_names.

func DecodeFallbackSignal 

func DecodeFallbackSignal(s uint64) (callID, errno int)

func EncodeData 

func EncodeData(buf *bytes.Buffer, data []byte, readable bool)

func ExecCallCount 

func ExecCallCount(exec []byte) (int, error)

func ForeachArg 

func ForeachArg(c *Call, f func(Arg, *ArgCtx))

func ForeachArgType 

func ForeachArgType(typ Type, f func(t Type, ctx *TypeCtx))

func ForeachCallType 

func ForeachCallType(meta *Syscall, f func(t Type, ctx *TypeCtx))

func ForeachSubArg 

func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx))

func ForeachType 

func ForeachType(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))

func ForeachTypePost 

func ForeachTypePost(syscalls []*Syscall, f func(t Type, ctx *TypeCtx))

func FormatArg 

func FormatArg(arg Arg, name string) []string

FormatArg returns a string slice representation of an argument with one entry per line in the output. The formatting roughly corresponds to syzlang descriptions and is intended to be human readable.

func GitRevisionKnown 

func GitRevisionKnown() bool

func IsPad 

func IsPad(t Type) bool

func MarshallKFuzztestArg 

func MarshallKFuzztestArg(topLevel Arg) []byte

MarshallKFuzzTestArg serializes a syzkaller Arg into a flat binary format understood by the KFuzzTest kernel interface (see `include/linux/kfuzztest.h`).

The goal is to represent a tree-like structure of arguments (which may contain pointers and cycles) as a single byte slice that the kernel can deserialize into a set of distinct heap allocations.

The binary format consists of three contiguous parts, in this order:

  1. Region Array: A header describing all logical memory regions that will be allocated by the kernel. Each `relocRegion` defines a region's unique `id`, its `size`, its `alignment`, and its `start` offset within the payload. The kernel uses this table to create one distinct heap allocation per region.

  2. Relocation Table: A header containing a list of `relocationEntry` structs. Each entry identifies the location of a pointer field within the payload (via a `regionID` and `regionOffset`) and maps it to the logical region it points to (via a `value` which holds the pointee's `regionID`). A NULL pointer is identified by the special value `kFuzzTestNilPtrVal`.

  3. Payload: The raw, serialized data for all arguments, laid out as a single contiguous block of memory with padded regions as per the KFuzzTest input format's specification defined in `Documentation/dev-tools/kfuzztest.rst`.

Cycles are handled by tracking visited arguments, ensuring that a region is only visited and encoded once.

For a concrete example of the final binary layout, see the test cases for this function in `prog/kfuzztest_test.go`.

func RegisterTarget 

func RegisterTarget(target *Target, fill, init func(target *Target))
func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, types []Type)

func TestDeserializeHelper 

func TestDeserializeHelper(t *testing.T, OS, arch string, transform func(*Target, *Prog), tests []DeserializeTest)

Types

type Arg 

type Arg interface {
	Type() Type
	Dir() Dir
	Size() uint64
	// contains filtered or unexported methods
}

func CloneArg 

func CloneArg(arg Arg) Arg

func InnerArg 

func InnerArg(arg Arg) Arg

Returns inner arg for pointer args.

type ArgCommon 

type ArgCommon struct {
	// contains filtered or unexported fields
}

func (*ArgCommon) Dir 

func (arg *ArgCommon) Dir() Dir

func (*ArgCommon) Type 

func (arg *ArgCommon) Type() Type

type ArgCtx 

type ArgCtx struct {
	Parent *[]Arg      // GroupArg.Inner (for structs) or Call.Args containing this arg.
	Fields []Field     // Fields of the parent struct/syscall.
	Field  *Field      // Syscall field for this arg, nil if there it's not a field.
	Base   *PointerArg // Pointer to the base of the heap object containing this arg.
	Offset uint64      // Offset of this arg from the base.
	Stop   bool        // If set by the callback, subargs of this arg are not visited.
	// contains filtered or unexported fields
}

type ArgFinder 

type ArgFinder func(path []string) Arg

type ArrayKind 

type ArrayKind int
const (
	ArrayRandLen ArrayKind = iota
	ArrayRangeLen
)

type ArrayType 

type ArrayType struct {
	TypeCommon
	Elem       Type
	Kind       ArrayKind
	RangeBegin uint64
	RangeEnd   uint64
}

func (*ArrayType) DefaultArg 

func (t *ArrayType) DefaultArg(dir Dir) Arg

func (*ArrayType) String 

func (t *ArrayType) String() string

type AssetType 

type AssetType int
const (
	MountInRepro AssetType = iota
)

type BinaryExpression 

type BinaryExpression struct {
	Operator BinaryOperator
	Left     Expression
	Right    Expression
}

func (BinaryExpression) Clone 

func (bo BinaryExpression) Clone() Expression

func (BinaryExpression) Evaluate 

func (bo BinaryExpression) Evaluate(finder ArgFinder) (uint64, bool)

func (BinaryExpression) ForEachValue 

func (bo BinaryExpression) ForEachValue(cb func(*Value))

func (BinaryExpression) GoString 

func (bo BinaryExpression) GoString() string

type BinaryFormat 

type BinaryFormat int
const (
	FormatNative BinaryFormat = iota
	FormatBigEndian
	FormatStrDec
	FormatStrHex
	FormatStrOct
)

type BinaryOperator 

type BinaryOperator int
const (
	OperatorCompareEq BinaryOperator = iota
	OperatorCompareNeq
	OperatorBinaryAnd
	OperatorOr
)

type BufferKind 

type BufferKind int
const (
	BufferBlobRand BufferKind = iota
	BufferBlobRange
	BufferString
	BufferFilename
	BufferText
	BufferGlob
	BufferCompressed
)

type BufferType 

type BufferType struct {
	TypeCommon
	Kind       BufferKind
	RangeBegin uint64   // for BufferBlobRange kind
	RangeEnd   uint64   // for BufferBlobRange kind
	Text       TextKind // for BufferText
	SubKind    string
	Values     []string // possible values for BufferString and BufferGlob kind
	NoZ        bool     // non-zero terminated BufferString/BufferFilename
}

func (*BufferType) DefaultArg 

func (t *BufferType) DefaultArg(dir Dir) Arg

func (*BufferType) IsCompressed 

func (t *BufferType) IsCompressed() bool

func (*BufferType) String 

func (t *BufferType) String() string

type Builder 

type Builder struct {
	// contains filtered or unexported fields
}

func MakeProgGen 

func MakeProgGen(target *Target) *Builder

func (*Builder) Allocate 

func (pg *Builder) Allocate(size, alignment uint64) uint64

func (*Builder) AllocateVMA 

func (pg *Builder) AllocateVMA(npages uint64) uint64

func (*Builder) Append 

func (pg *Builder) Append(c *Call) error

func (*Builder) Finalize 

func (pg *Builder) Finalize() (*Prog, error)

type Call 

type Call struct {
	Meta    *Syscall
	Args    []Arg
	Ret     *ResultArg
	Props   CallProps
	Comment string
}

func MakeCall 

func MakeCall(meta *Syscall, args []Arg) *Call

type CallFlags 

type CallFlags int
const (
	CallExecuted CallFlags = 1 << iota // was started at all
	CallFinished                       // finished executing (rather than blocked forever)
	CallBlocked                        // finished but blocked during execution
)

type CallInfo 

type CallInfo struct {
	Flags  CallFlags
	Errno  int
	Signal []uint64
}

type CallProps 

type CallProps struct {
	FailNth int  `key:"fail_nth"`
	Async   bool `key:"async"`
	Rerun   int  `key:"rerun"`
}

These properties are parsed and serialized according to the tag and the type of the corresponding fields. IMPORTANT: keep the exact values of "key" tag for existing props unchanged, otherwise the backwards compatibility would be broken.

func (*CallProps) ForeachProp 

func (props *CallProps) ForeachProp(f func(fieldName, key string, value reflect.Value))

TODO: This method might be more generic - it can be applied to any struct.

type ChoiceTable 

type ChoiceTable struct {
	// contains filtered or unexported fields
}

ChooseTable allows to do a weighted choice of a syscall for a given syscall based on call-to-call priorities and a set of enabled and generatable syscalls.

func (*ChoiceTable) Generatable 

func (ct *ChoiceTable) Generatable(call int) bool

type CompMap 

type CompMap map[uint64]map[uint64]map[uint64]bool

CompMap maps comparison operand that could come from the input to the second operand to the PC.

func (CompMap) Add 

func (m CompMap) Add(pc, arg1, arg2 uint64, isConst bool)

func (CompMap) InplaceIntersect 

func (m CompMap) InplaceIntersect(other CompMap)

InplaceIntersect() only leaves the value pairs that are also present in other.

func (CompMap) Len 

func (m CompMap) Len() int

func (CompMap) String 

func (m CompMap) String() string

type ConstArg 

type ConstArg struct {
	ArgCommon
	Val uint64
}

Used for ConstType, IntType, FlagsType, LenType, ProcType and CsumType.

func MakeConstArg 

func MakeConstArg(t Type, dir Dir, v uint64) *ConstArg

func (*ConstArg) Size 

func (arg *ConstArg) Size() uint64

func (*ConstArg) Value 

func (arg *ConstArg) Value() (uint64, uint64)

Value returns value and pid stride.

type ConstType 

type ConstType struct {
	IntTypeCommon
	Val   uint64
	IsPad bool
}

func (*ConstType) DefaultArg 

func (t *ConstType) DefaultArg(dir Dir) Arg

func (*ConstType) String 

func (t *ConstType) String() string

type ConstValue 

type ConstValue struct {
	Name  string
	Value uint64
}

type CsumChunk 

type CsumChunk struct {
	Kind  CsumChunkKind
	Arg   Arg    // for CsumChunkArg
	Value uint64 // for CsumChunkConst
	Size  uint64 // for CsumChunkConst
}

type CsumChunkKind 

type CsumChunkKind int
const (
	CsumChunkArg CsumChunkKind = iota
	CsumChunkConst
)

type CsumInfo 

type CsumInfo struct {
	Kind   CsumKind
	Chunks []CsumChunk
}

type CsumKind 

type CsumKind int
const (
	CsumInet CsumKind = iota
	CsumPseudo
)

type CsumType 

type CsumType struct {
	IntTypeCommon
	Kind     CsumKind
	Buf      string
	Protocol uint64 // for CsumPseudo
}

func (*CsumType) DefaultArg 

func (t *CsumType) DefaultArg(dir Dir) Arg

func (*CsumType) String 

func (t *CsumType) String() string

type DataArg 

type DataArg struct {
	ArgCommon
	// contains filtered or unexported fields
}

Used for BufferType.

func MakeDataArg 

func MakeDataArg(t Type, dir Dir, data []byte) *DataArg

func MakeOutDataArg 

func MakeOutDataArg(t Type, dir Dir, size uint64) *DataArg

func (*DataArg) Data 

func (arg *DataArg) Data() []byte

func (*DataArg) SetData 

func (arg *DataArg) SetData(data []byte)

func (*DataArg) Size 

func (arg *DataArg) Size() uint64

type DeserializeMode 

type DeserializeMode int
const (
	// In strict mode deserialization fails if the program is malformed in any way.
	// This mode is used for manually written programs to ensure that they are correct.
	Strict DeserializeMode = iota
	// In non-strict mode malformed programs silently fixed in a best-effort way,
	// e.g. missing/wrong arguments are replaced with default values.
	// This mode is used for the corpus programs to "repair" them after descriptions changes.
	NonStrict
	// Unsafe mode is used for VM checking programs. In this mode programs are not fixed
	// for safety, e.g. can access global files, issue prohibited ioctl's, disabled syscalls, etc.
	StrictUnsafe
	NonStrictUnsafe
)

type DeserializeTest 

type DeserializeTest struct {
	In        string
	Out       string // if not set, equals to In
	Err       string
	StrictErr string // if not set, equals to Err
}

type Dir 

type Dir uint8
const (
	DirIn Dir = iota
	DirOut
	DirInOut
)

func (Dir) String 

func (dir Dir) String() string

type ExecArg 

type ExecArg interface{} // one of ExecArg*

type ExecArgConst 

type ExecArgConst struct {
	Size           uint64
	Format         BinaryFormat
	Value          uint64
	BitfieldOffset uint64
	BitfieldLength uint64
	PidStride      uint64
}

type ExecArgCsum 

type ExecArgCsum struct {
	Size   uint64
	Kind   uint64
	Chunks []ExecCsumChunk
}

type ExecArgData 

type ExecArgData struct {
	Data     []byte
	Readable bool
}

type ExecArgResult 

type ExecArgResult struct {
	Size    uint64
	Format  BinaryFormat
	Index   uint64
	DivOp   uint64
	AddOp   uint64
	Default uint64
}

type ExecCall 

type ExecCall struct {
	Meta    *Syscall
	Props   CallProps
	Index   uint64
	Args    []ExecArg
	Copyin  []ExecCopyin
	Copyout []ExecCopyout
}

type ExecCopyin 

type ExecCopyin struct {
	Addr uint64
	Arg  ExecArg
}

type ExecCopyout 

type ExecCopyout struct {
	Index uint64
	Addr  uint64
	Size  uint64
}

type ExecCsumChunk 

type ExecCsumChunk struct {
	Kind  uint64
	Value uint64
	Size  uint64
}

type ExecProg 

type ExecProg struct {
	Calls []ExecCall
	Vars  []uint64
}

type Expression 

type Expression interface {
	fmt.GoStringer
	ForEachValue(func(*Value))
	Clone() Expression
	Evaluate(ArgFinder) (uint64, bool)
}

type Field 

type Field struct {
	Name string
	Type
	HasDirection bool
	Direction    Dir
	Condition    Expression
	// contains filtered or unexported fields
}

func (*Field) Dir 

func (f *Field) Dir(def Dir) Dir

type FlagDesc 

type FlagDesc struct {
	Name   string
	Values []string
}

type FlagsType 

type FlagsType struct {
	IntTypeCommon
	Vals    []uint64 // compiler ensures that it's not empty
	BitMask bool
}

func (*FlagsType) DefaultArg 

func (t *FlagsType) DefaultArg(dir Dir) Arg

type Gen 

type Gen struct {
	// contains filtered or unexported fields
}

func (*Gen) Alloc 

func (g *Gen) Alloc(ptrType Type, dir Dir, data Arg) (Arg, []*Call)

func (*Gen) GenerateArg 

func (g *Gen) GenerateArg(typ Type, dir Dir, pcalls *[]*Call) Arg

func (*Gen) GenerateSpecialArg 

func (g *Gen) GenerateSpecialArg(typ Type, dir Dir, pcalls *[]*Call) Arg

func (*Gen) MutateArg 

func (g *Gen) MutateArg(arg0 Arg) (calls []*Call)

func (*Gen) NOutOf 

func (g *Gen) NOutOf(n, outOf int) bool

func (*Gen) Rand 

func (g *Gen) Rand() *rand.Rand

func (*Gen) Target 

func (g *Gen) Target() *Target

type GenericHeatmap 

type GenericHeatmap struct {
	// contains filtered or unexported fields
}

func (*GenericHeatmap) ChooseLocation 

func (hm *GenericHeatmap) ChooseLocation() int

func (*GenericHeatmap) NumMutations 

func (hm *GenericHeatmap) NumMutations() int

type GroupArg 

type GroupArg struct {
	ArgCommon
	Inner []Arg
}

Used for StructType and ArrayType. Logical group of args (struct or array).

func MakeGroupArg 

func MakeGroupArg(t Type, dir Dir, inner []Arg) *GroupArg

func (*GroupArg) Size 

func (arg *GroupArg) Size() uint64

type Heatmap 

type Heatmap interface {
	NumMutations() int
	ChooseLocation() int
}

Our heatmaps are a flexible mechanism to assign a probability distribution to some collection of bytes. Usage:

  1. Choose a heatmap and initialize it: `hm := MakeXYZHeatmap(data)`. Different heatmaps implement different probability distributions (for now there is only one).
  2. Select random indices according to the probability distribution: `idx := hm.ChooseLocation(r)`.

func MakeGenericHeatmap 

func MakeGenericHeatmap(data []byte, r *rand.Rand) Heatmap

Generic heatmaps model a probability distribution based on sparse data, prioritising selection of regions which are not a single repeated byte. It views data as a series of chunks of length `granularity`, ignoring chunks which are a single repeated byte. Indices are chosen uniformly amongst the remaining "interesting" segments.

type HintsLimiter 

type HintsLimiter struct {
	// contains filtered or unexported fields
}

func (*HintsLimiter) Limit 

func (limiter *HintsLimiter) Limit(comps CompMap)

Limit restricts hints to at most N replacement attempts per single kernel PC (globally, across all hints mutations for all programs). We are getting too many generated candidates, the fuzzer may not keep up with them at all (hints jobs keep growing infinitely). If a hint indeed came from the input w/o transformation, then we should guess it on the first attempt (or at least after few attempts). If it did not come from the input, or came with a non-trivial transformation, then any number of attempts won't help. So limit the total number of attempts (until the next restart).

type IntKind 

type IntKind int
const (
	IntPlain IntKind = iota
	IntRange
)

type IntType 

type IntType struct {
	IntTypeCommon
	Kind       IntKind
	RangeBegin uint64
	RangeEnd   uint64
	Align      uint64
}

func (*IntType) DefaultArg 

func (t *IntType) DefaultArg(dir Dir) Arg

type IntTypeCommon 

type IntTypeCommon struct {
	TypeCommon
	ArgFormat       BinaryFormat
	BitfieldOff     uint64
	BitfieldLen     uint64
	BitfieldUnit    uint64
	BitfieldUnitOff uint64
	// contains filtered or unexported fields
}

func (*IntTypeCommon) BitfieldLength 

func (t *IntTypeCommon) BitfieldLength() uint64

func (*IntTypeCommon) BitfieldOffset 

func (t *IntTypeCommon) BitfieldOffset() uint64

func (*IntTypeCommon) Format 

func (t *IntTypeCommon) Format() BinaryFormat

func (*IntTypeCommon) IsBitfield 

func (t *IntTypeCommon) IsBitfield() bool

func (*IntTypeCommon) String 

func (t *IntTypeCommon) String() string

func (*IntTypeCommon) TypeBitSize 

func (t *IntTypeCommon) TypeBitSize() uint64

Returns the size in bits for integers in binary format or 64 for string-formatted integers. The return value is used in computing limits and truncating other values.

func (*IntTypeCommon) UnitOffset 

func (t *IntTypeCommon) UnitOffset() uint64

func (*IntTypeCommon) UnitSize 

func (t *IntTypeCommon) UnitSize() uint64

type LenType 

type LenType struct {
	IntTypeCommon
	BitSize uint64 // want size in multiple of bits instead of array size
	Offset  bool   // offset from the beginning of the parent struct or base object
	Path    []string
}

func (*LenType) DefaultArg 

func (t *LenType) DefaultArg(dir Dir) Arg

type LogEntry 

type LogEntry struct {
	P     *Prog
	Proc  int // index of parallel proc
	ID    int // ID of the executed program (-1 if not present)
	Start int // start offset in log
	End   int // end offset in log
}

LogEntry describes one program in execution log.

type MinimizeMode 

type MinimizeMode int
const (
	// Minimize for inclusion into corpus.
	// This generally tries to reduce number of arguments for future mutation.
	MinimizeCorpus MinimizeMode = iota
	// Minimize crash reproducer.
	// This mode assumes each test is expensive (need to reboot), so tries fewer things.
	MinimizeCrash
	// Minimize crash reproducer in snapshot mode.
	// This mode does not assume that tests are expensive, and tries to minimize for reproducer readability.
	MinimizeCrashSnapshot
	// Only try to remove calls.
	MinimizeCallsOnly
)

type MutateOpts 

type MutateOpts struct {
	ExpectedIterations int
	MutateArgCount     int
	SquashWeight       int
	SpliceWeight       int
	InsertWeight       int
	MutateArgWeight    int
	RemoveCallWeight   int
}

type PointerArg 

type PointerArg struct {
	ArgCommon
	Address uint64
	VmaSize uint64 // size of the referenced region for vma args
	Res     Arg    // pointee (nil for vma)
}

Used for PtrType and VmaType.

func MakePointerArg 

func MakePointerArg(t Type, dir Dir, addr uint64, data Arg) *PointerArg

func MakeSpecialPointerArg 

func MakeSpecialPointerArg(t Type, dir Dir, index uint64) *PointerArg

func MakeVmaPointerArg 

func MakeVmaPointerArg(t Type, dir Dir, addr, size uint64) *PointerArg

func (*PointerArg) IsSpecial 

func (arg *PointerArg) IsSpecial() bool

func (*PointerArg) Size 

func (arg *PointerArg) Size() uint64

type ProcType 

type ProcType struct {
	IntTypeCommon
	ValuesStart   uint64
	ValuesPerProc uint64
}

func (*ProcType) DefaultArg 

func (t *ProcType) DefaultArg(dir Dir) Arg

type Prog 

type Prog struct {
	Target   *Target
	Calls    []*Call
	Comments []string
	// contains filtered or unexported fields
}

func AssignRandomAsync 

func AssignRandomAsync(origProg *Prog, rand *rand.Rand) *Prog

Ensures that if an async call produces a resource, then it is distanced from a call consuming the resource at least by one non-async call. This does not give 100% guarantee that the async call finishes by that time, but hopefully this is enough for most cases.

func DoubleExecCollide 

func DoubleExecCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)

We append prog to itself, but let the second part only reference resource from the first one. Then we execute all the duplicated calls simultaneously. This somehow resembles the way the previous collide mode was implemented - a program was executed normally and then one more time again, while keeping resource values from the first execution and not waiting until every other call finishes.

func DupCallCollide 

func DupCallCollide(origProg *Prog, rand *rand.Rand) (*Prog, error)

DupCallCollide duplicates some of the calls in the program and marks them async. This should hopefully trigger races in a more granular way than DoubleExecCollide.

func Minimize 

func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int) bool) (*Prog, int)

Minimize minimizes program p into an equivalent program using the equivalence predicate pred. It iteratively generates simpler programs and asks pred whether it is equal to the original program or not. If it is equivalent then the simplification attempt is committed and the process continues.

func (*Prog) CallName 

func (p *Prog) CallName(call int) string

func (*Prog) Clone 

func (p *Prog) Clone() *Prog

func (*Prog) ContainsAny 

func (p *Prog) ContainsAny() bool

func (*Prog) FallbackSignal 

func (p *Prog) FallbackSignal(info []CallInfo)

func (*Prog) FilterInplace 

func (p *Prog) FilterInplace(allowed map[*Syscall]bool)

FilterInplace only leaves the allowed system calls and deletes all remaining ones.

func (*Prog) ForEachAsset 

func (p *Prog) ForEachAsset(cb func(name string, typ AssetType, r io.Reader, c *Call))

func (*Prog) Mutate 

func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool, corpus []*Prog)

Mutate program p.

p: The program to mutate. rs: Random source. ncalls: The allowed maximum calls in mutated program. ct: ChoiceTable for syscalls. noMutate: Set of IDs of syscalls which should not be mutated. corpus: The entire corpus, including original program p.

func (*Prog) MutateWithHints 

func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog) bool)

Mutates the program using the comparison operands stored in compMaps. For each of the mutants executes the exec callback. The callback must return whether we should continue substitution (true) or abort the process (false).

func (*Prog) MutateWithOpts 

func (p *Prog) MutateWithOpts(rs rand.Source, ncalls int, ct *ChoiceTable, noMutate map[int]bool,
	corpus []*Prog, opts MutateOpts)

func (*Prog) OnlyContains 

func (p *Prog) OnlyContains(syscalls map[*Syscall]bool) bool

OnlyContains determines whether the program only consists of the syscalls from the first argument.

func (*Prog) RemoveCall 

func (p *Prog) RemoveCall(idx int)

RemoveCall removes call idx from p.

func (*Prog) RequiredFeatures 

func (p *Prog) RequiredFeatures() RequiredFeatures

func (*Prog) Serialize 

func (p *Prog) Serialize(flags ...SerializeFlag) []byte

func (*Prog) SerializeForExec 

func (p *Prog) SerializeForExec() ([]byte, error)

SerializeForExec serializes program p for execution by process pid into the provided buffer. Returns number of bytes written to the buffer. If the provided buffer is too small for the program an error is returned.

func (*Prog) SerializeVerbose 

func (p *Prog) SerializeVerbose() []byte

func (*Prog) String 

func (p *Prog) String() string

String generates a very compact program description (mostly for debug output).

type PtrType 

type PtrType struct {
	TypeCommon
	Elem           Type
	ElemDir        Dir
	SquashableElem bool
}

func (*PtrType) DefaultArg 

func (t *PtrType) DefaultArg(dir Dir) Arg

func (*PtrType) String 

func (t *PtrType) String() string

type Ref 

type Ref uint32

func (Ref) Alignment 

func (ti Ref) Alignment() uint64

func (Ref) BitfieldLength 

func (ti Ref) BitfieldLength() uint64

func (Ref) BitfieldOffset 

func (ti Ref) BitfieldOffset() uint64

func (Ref) Clone 

func (ti Ref) Clone() Type

func (Ref) DefaultArg 

func (ti Ref) DefaultArg(dir Dir) Arg

func (Ref) Format 

func (ti Ref) Format() BinaryFormat

func (Ref) IsBitfield 

func (ti Ref) IsBitfield() bool

func (Ref) Name 

func (ti Ref) Name() string

func (Ref) Optional 

func (ti Ref) Optional() bool

func (Ref) Size 

func (ti Ref) Size() uint64

func (Ref) String 

func (ti Ref) String() string

func (Ref) TemplateName 

func (ti Ref) TemplateName() string

func (Ref) TypeBitSize 

func (ti Ref) TypeBitSize() uint64

func (Ref) UnitOffset 

func (ti Ref) UnitOffset() uint64

func (Ref) UnitSize 

func (ti Ref) UnitSize() uint64

func (Ref) Varlen 

func (ti Ref) Varlen() bool

type RequiredFeatures 

type RequiredFeatures struct {
	Bitmasks       bool
	Csums          bool
	FaultInjection bool
	Async          bool
}

type ResourceCtor 

type ResourceCtor struct {
	Call    *Syscall
	Precise bool
}

type ResourceDesc 

type ResourceDesc struct {
	Name   string
	Kind   []string
	Values []uint64
	Ctors  []ResourceCtor
}

type ResourceType 

type ResourceType struct {
	TypeCommon
	ArgFormat BinaryFormat
	Desc      *ResourceDesc
}

func (*ResourceType) Default 

func (t *ResourceType) Default() uint64

func (*ResourceType) DefaultArg 

func (t *ResourceType) DefaultArg(dir Dir) Arg

func (*ResourceType) Format 

func (t *ResourceType) Format() BinaryFormat

func (*ResourceType) SpecialValues 

func (t *ResourceType) SpecialValues() []uint64

func (*ResourceType) String 

func (t *ResourceType) String() string

type ResultArg 

type ResultArg struct {
	ArgCommon
	Res   *ResultArg // reference to arg which we use
	OpDiv uint64     // divide result (executed before OpAdd)
	OpAdd uint64     // add to result
	Val   uint64     // value used if Res is nil
	// contains filtered or unexported fields
}

Used for ResourceType. This is the only argument that can be used as syscall return value. Either holds constant value or reference another ResultArg.

func MakeResultArg 

func MakeResultArg(t Type, dir Dir, r *ResultArg, v uint64) *ResultArg

func MakeReturnArg 

func MakeReturnArg(t Type) *ResultArg

func (*ResultArg) Size 

func (arg *ResultArg) Size() uint64

type Rotator 

type Rotator struct {
	// contains filtered or unexported fields
}

Rotator selects a random subset of syscalls for corpus rotation.

func MakeRotator 

func MakeRotator(target *Target, calls map[*Syscall]bool, rnd *rand.Rand) *Rotator

func (*Rotator) Select 

func (r *Rotator) Select() map[*Syscall]bool

type SerializeFlag 

type SerializeFlag int
const (
	// Include all field values, even if they have default values.
	Verbose SerializeFlag = 0
	// Don't serialize compressed fs images.
	// This is used in coverage report generation to prevent the bloating of the resulting HTML file.
	SkipImages SerializeFlag = 1
)

type StructType 

type StructType struct {
	TypeCommon
	Fields       []Field
	AlignAttr    uint64
	OverlayField int // index of the field marked with out_overlay attribute (0 if no attribute)
}

func (*StructType) DefaultArg 

func (t *StructType) DefaultArg(dir Dir) Arg

func (*StructType) String 

func (t *StructType) String() string

type Syscall 

type Syscall struct {
	ID          int
	NR          uint64 // kernel syscall number
	Name        string
	CallName    string
	MissingArgs int // number of trailing args that should be zero-filled
	Args        []Field
	Ret         Type
	Attrs       SyscallAttrs
	// contains filtered or unexported fields
}

type SyscallAttrs 

type SyscallAttrs struct {
	Disabled        bool
	Timeout         uint64
	ProgTimeout     uint64
	IgnoreReturn    bool
	BreaksReturns   bool
	NoGenerate      bool
	NoMinimize      bool
	NoSquash        bool
	RemoteCover     bool
	Automatic       bool
	AutomaticHelper bool
	KFuzzTest       bool
	Fsck            string
	// Filesystem is used in tools/syz-imagegen when fs name cannot be deduced from
	// the part after $.
	Filesystem string
}

SyscallAttrs represents call attributes in syzlang.

This structure is the source of truth for the all other parts of the system. pkg/compiler uses this structure to parse descriptions. syz-sysgen uses this structure to generate code for executor.

Only `bool`s, `string`s and `uint64`s are currently supported.

See docs/syscall_descriptions_syntax.md for description of individual attributes.

type Target 

type Target struct {
	OS         string
	Arch       string
	Revision   string // unique hash representing revision of the descriptions
	PtrSize    uint64
	PageSize   uint64
	NumPages   uint64
	DataOffset uint64
	BigEndian  bool

	Syscalls  []*Syscall
	Resources []*ResourceDesc
	Consts    []ConstValue
	Flags     []FlagDesc
	Types     []Type

	// MakeDataMmap creates calls that mmaps target data memory range.
	MakeDataMmap func() []*Call

	// Neutralize neutralizes harmful calls by transforming them into non-harmful ones
	// (e.g. an ioctl that turns off console output is turned into ioctl that turns on output).
	// fixStructure determines whether it's allowed to make structural changes (e.g. add or
	// remove arguments). It is helpful e.g. when we do neutralization while iterating over the
	// arguments.
	Neutralize func(c *Call, fixStructure bool) error

	// AnnotateCall annotates a syscall invocation in C reproducers.
	// The returned string will be placed inside a comment except for the
	// empty string which will omit the comment.
	AnnotateCall func(c ExecCall) string

	// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
	// Map key is struct/union name for which custom generation/mutation is required.
	// Map value is custom generation/mutation function that will be called
	// for the corresponding type. g is helper object that allows generate random numbers,
	// allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union
	// for mutation, or nil for generation. The function returns a new value of the struct/union,
	// and optionally any calls that need to be inserted before the arg reference.
	SpecialTypes map[string]func(g *Gen, typ Type, dir Dir, old Arg) (Arg, []*Call)

	// Resources that play auxiliary role, but widely used throughout all syscalls (e.g. pid/uid).
	AuxResources map[string]bool

	// Additional special invalid pointer values besides NULL to use.
	SpecialPointers []uint64

	// Special file name length that can provoke bugs (e.g. PATH_MAX).
	SpecialFileLenghts []int

	// Filled by prog package:
	SyscallMap map[string]*Syscall
	ConstMap   map[string]uint64
	FlagsMap   map[string][]string
	// contains filtered or unexported fields
}

Target describes target OS/arch pair.

func AllTargets 

func AllTargets() []*Target

func GetTarget 

func GetTarget(OS, arch string) (*Target, error)

func InitTargetTest 

func InitTargetTest(t *testing.T, os, arch string) *Target

func (*Target) ArgContainsAny 

func (target *Target) ArgContainsAny(arg0 Arg) (res bool)

func (*Target) BuildChoiceTable 

func (target *Target) BuildChoiceTable(corpus []*Prog, enabled map[*Syscall]bool) *ChoiceTable

func (*Target) CalculatePriorities 

func (target *Target) CalculatePriorities(corpus []*Prog, enabled map[*Syscall]bool) ([][]int32, map[*Syscall]bool)

CalculatePriorities returns the priority matrix as well as the map of generatable syscalls. The rows/columns corresponding to the non-generatable syscalls are left to be 0.

func (*Target) CallContainsAny 

func (target *Target) CallContainsAny(c *Call) (res bool)

func (*Target) DataMmapProg 

func (target *Target) DataMmapProg() *Prog

DataMmapProg creates program that maps data segment. Also used for testing as the simplest program.

func (*Target) DefaultChoiceTable 

func (target *Target) DefaultChoiceTable() *ChoiceTable

func (*Target) Deserialize 

func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, error)

func (*Target) DeserializeExec 

func (target *Target) DeserializeExec(exec []byte, stats map[string]int) (ExecProg, error)

func (*Target) Extend 

func (target *Target) Extend(syscalls []*Syscall, types []Type, resources []*ResourceDesc)

Extend extends a target with a new set of syscalls, types, and resources. It is assumed that all new syscalls, types, and resources do not conflict with those already present in the target.

func (*Target) GenSampleProg 

func (target *Target) GenSampleProg(meta *Syscall, rs rand.Source) *Prog

GenSampleProg generates a single sample program for the call.

func (*Target) Generate 

func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog

Generate generates a random program with ncalls calls. ct contains a set of allowed syscalls, if nil all syscalls are used.

func (*Target) GenerateAllSyzProg 

func (target *Target) GenerateAllSyzProg(rs rand.Source) *Prog

GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing.

func (*Target) GetConst 

func (target *Target) GetConst(name string) uint64

func (*Target) KFuzzTestRunID 

func (t *Target) KFuzzTestRunID() (int, error)

KFuzzTestRunID returns the ID for the syz_kfuzztest_run pseudo-syscall, or an error if it is not found in the target.

func (*Target) ParseLog 

func (target *Target) ParseLog(data []byte, mode DeserializeMode) []*LogEntry

func (*Target) PhysicalAddr 

func (target *Target) PhysicalAddr(arg *PointerArg) uint64

func (*Target) PseudoSyscalls 

func (target *Target) PseudoSyscalls() []*Syscall

PseudoSyscalls selects one *Syscall for each pseudosyscall.

func (*Target) RequiredGlobs 

func (target *Target) RequiredGlobs() []string

func (*Target) TransitivelyEnabledCalls 

func (target *Target) TransitivelyEnabledCalls(enabled map[*Syscall]bool) (map[*Syscall]bool, map[*Syscall]string)

func (*Target) UpdateGlobs 

func (target *Target) UpdateGlobs(globFiles map[string][]string)

type TextKind 

type TextKind int
const (
	TextTarget TextKind = iota
	TextX86Real
	TextX86bit16
	TextX86bit32
	TextX86bit64
	TextArm64
	TextPpc64
)

type Type 

type Type interface {
	String() string
	Name() string
	TemplateName() string // for template structs name without arguments
	Optional() bool
	Varlen() bool
	Size() uint64
	TypeBitSize() uint64
	Alignment() uint64
	Format() BinaryFormat
	BitfieldOffset() uint64
	BitfieldLength() uint64
	IsBitfield() bool
	// For most of the types UnitSize is equal to Size.
	// These are different only for all but last bitfield in the group,
	// where Size == 0 and UnitSize equals to the underlying bitfield type size.
	UnitSize() uint64
	UnitOffset() uint64

	DefaultArg(dir Dir) Arg
	// contains filtered or unexported methods
}

type TypeCommon 

type TypeCommon struct {
	TypeName string
	// Static size of the type, or 0 for variable size types and all but last bitfields in the group.
	TypeSize   uint64
	TypeAlign  uint64
	IsOptional bool
	IsVarlen   bool
	// contains filtered or unexported fields
}

func (*TypeCommon) Alignment 

func (t *TypeCommon) Alignment() uint64

func (*TypeCommon) BitfieldLength 

func (t *TypeCommon) BitfieldLength() uint64

func (*TypeCommon) BitfieldOffset 

func (t *TypeCommon) BitfieldOffset() uint64

func (*TypeCommon) Format 

func (t *TypeCommon) Format() BinaryFormat

func (*TypeCommon) IsBitfield 

func (t *TypeCommon) IsBitfield() bool

func (*TypeCommon) Name 

func (t *TypeCommon) Name() string

func (*TypeCommon) Optional 

func (t *TypeCommon) Optional() bool

func (*TypeCommon) Size 

func (t *TypeCommon) Size() uint64

func (*TypeCommon) TemplateName 

func (t *TypeCommon) TemplateName() string

func (*TypeCommon) TypeBitSize 

func (t *TypeCommon) TypeBitSize() uint64

func (*TypeCommon) UnitOffset 

func (t *TypeCommon) UnitOffset() uint64

func (*TypeCommon) UnitSize 

func (t *TypeCommon) UnitSize() uint64

func (*TypeCommon) Varlen 

func (t *TypeCommon) Varlen() bool

type TypeCtx 

type TypeCtx struct {
	Meta     *Syscall
	Dir      Dir
	Ptr      *Type
	Optional bool
	Stop     bool // If set by the callback, subtypes of this type are not visited.
}

type UnionArg 

type UnionArg struct {
	ArgCommon
	Option Arg
	Index  int // Index of the selected option in the union type.
	// contains filtered or unexported fields
}

Used for UnionType.

func MakeUnionArg 

func MakeUnionArg(t Type, dir Dir, opt Arg, index int) *UnionArg

func (*UnionArg) Size 

func (arg *UnionArg) Size() uint64

type UnionType 

type UnionType struct {
	TypeCommon
	Fields []Field
}

func (*UnionType) DefaultArg 

func (t *UnionType) DefaultArg(dir Dir) Arg

func (*UnionType) String 

func (t *UnionType) String() string

type Value 

type Value struct {
	// If Path is empty, Value is to be used.
	Value uint64
	// Path to the field.
	Path []string
}

func (*Value) Clone 

func (v *Value) Clone() Expression

func (*Value) Evaluate 

func (v *Value) Evaluate(finder ArgFinder) (uint64, bool)

func (*Value) ForEachValue 

func (v *Value) ForEachValue(cb func(*Value))

func (*Value) GoString 

func (v *Value) GoString() string

type VmaType 

type VmaType struct {
	TypeCommon
	RangeBegin uint64 // in pages
	RangeEnd   uint64
}

func (*VmaType) DefaultArg 

func (t *VmaType) DefaultArg(dir Dir) Arg

func (*VmaType) String 

func (t *VmaType) String() string

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.