authorAleksandr Nogikh <nogikh@google.com>2025-08-11 16:36:56 +0200
committerAleksandr Nogikh <nogikh@google.com>2025-08-12 13:49:42 +0000
commit51659ac6f1b0b6710ac35c0c4beb31a32d85f728 (patch)
treea21c835421377d31e8732bd82a90badc3c01ee66
parent6c0b41a01e303797e859c01e425dc47aafe4cf45 (diff)
syz-cluster: skip coverage checks for some fuzz targets
There are cases when we do not need the "if the patched code is not reached within 30 minutes, abort fuzzing" check. This is, for example, the case for mm/ code, which is not fully instrumented by KCOV.
-rw-r--r--syz-cluster/pkg/api/api.go2
-rw-r--r--syz-cluster/pkg/workflow/template.yaml2
-rw-r--r--syz-cluster/workflow/fuzz-step/main.go34
-rw-r--r--syz-cluster/workflow/fuzz-step/workflow-template.yaml3
4 files changed, 28 insertions, 13 deletions
diff --git a/syz-cluster/pkg/api/api.go b/syz-cluster/pkg/api/api.go
index 5976db71d..60981983b 100644
--- a/syz-cluster/pkg/api/api.go
+++ b/syz-cluster/pkg/api/api.go
@@ -24,6 +24,8 @@ type FuzzTask struct {
type FuzzConfig struct {
Config string `json:"config"` // Refers to workflow/configs/{}.
CorpusURL string `json:"corpus_url"`
+ // Don't expect kernel coverage for the patched area.
+ SkipCoverCheck bool `json:"skip_cover_check"`
}
// The triage step of the workflow will request these from controller.
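Review bot: The comment on the new `SkipCoverCheck` field says what is not expected but not what is traded away, which matters because a run with the check disabled can no longer tell "the patch was fuzzed" from "the patch was never reached". I would expand it to `// SkipCoverCheck disables the "abort if the patched code is not reached" safeguard. Set it only for configs whose code KCOV does not fully instrument (e.g. mm/); elsewhere it would hide runs that never exercised the patch.` The field is serialized without omitempty, so consumers always see an explicit true/false, which the workflow template's jsonpath lookup depends on.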
diff --git a/syz-cluster/pkg/workflow/template.yaml b/syz-cluster/pkg/workflow/template.yaml
index d9107799c..c5666b5aa 100644
--- a/syz-cluster/pkg/workflow/template.yaml
+++ b/syz-cluster/pkg/workflow/template.yaml
@@ -146,6 +146,8 @@ spec:
value: "{{=jsonpath(steps['base-build'].outputs.parameters.result, '$.build_id')}}"
- name: corpus-url
value: "{{=jsonpath(inputs.parameters.element, '$.corpus_url')}}"
+ - name: skip-cover-check
+ value: "{{=jsonpath(inputs.parameters.element, '$.skip_cover_check')}}"
artifacts:
- name: base-kernel
from: "{{steps.base-build.outputs.artifacts.kernel}}"
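Review bot: The value of `skip-cover-check` is taken verbatim from `$.skip_cover_check` and, per the fuzz-step template, is passed to a Go bool flag as `--skip_cover_check=<value>`; Go's flag package rejects an empty value there (`invalid boolean value ""`), so an element that lacks the key or carries null would fail the step instead of falling back to the `"false"` default declared in the step template, since that default only applies when the parameter is omitted entirely. With the Go struct field serialized without omitempty this should not happen once controller and templates are deployed together, but a version skew between them would surface as a flag-parsing error rather than a clear message. If the expression engine supports a fallback, `value: "{{=jsonpath(inputs.parameters.element, '$.skip_cover_check') ?? false}}"` would make the default explicit here; otherwise a short comment stating that the controller must always emit the key is worth adding.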
diff --git a/syz-cluster/workflow/fuzz-step/main.go b/syz-cluster/workflow/fuzz-step/main.go
index f7ed5ef39..77432ec4f 100644
--- a/syz-cluster/workflow/fuzz-step/main.go
+++ b/syz-cluster/workflow/fuzz-step/main.go
@@ -28,13 +28,14 @@ import (
)
var (
- flagConfig = flag.String("config", "", "syzkaller config")
- flagSession = flag.String("session", "", "session ID")
- flagBaseBuild = flag.String("base_build", "", "base build ID")
- flagPatchedBuild = flag.String("patched_build", "", "patched build ID")
- flagTime = flag.String("time", "1h", "how long to fuzz")
- flagWorkdir = flag.String("workdir", "/workdir", "base workdir path")
- flagCorpusURL = flag.String("corpus_url", "", "an URL to download corpus from")
+ flagConfig = flag.String("config", "", "syzkaller config")
+ flagSession = flag.String("session", "", "session ID")
+ flagBaseBuild = flag.String("base_build", "", "base build ID")
+ flagPatchedBuild = flag.String("patched_build", "", "patched build ID")
+ flagTime = flag.String("time", "1h", "how long to fuzz")
+ flagWorkdir = flag.String("workdir", "/workdir", "base workdir path")
+ flagCorpusURL = flag.String("corpus_url", "", "an URL to download corpus from")
+ flagSkipCoverCheck = flag.Bool("skip_cover_check", false, "don't check whether we reached the patched code")
)
const testName = "Fuzzing"
@@ -134,12 +135,11 @@ func run(baseCtx context.Context, client *api.Client, timeout time.Duration,
eg.Go(func() error {
defer log.Logf(0, "diff fuzzing terminated")
return manager.RunDiffFuzzer(ctx, base, patched, manager.DiffFuzzerConfig{
- Debug: false,
- PatchedOnly: bugs,
- Store: store,
- MaxTriageTime: timeout / 2,
- // Allow up to 30 minutes after the corpus triage to reach the patched code.
- FuzzToReachPatched: time.Minute * 30,
+ Debug: false,
+ PatchedOnly: bugs,
+ Store: store,
+ MaxTriageTime: timeout / 2,
+ FuzzToReachPatched: fuzzToReachPatched(),
})
})
const (
@@ -317,6 +317,14 @@ func readJSONMap(file string) (map[string]string, error) {
return data, nil
}
+func fuzzToReachPatched() time.Duration {
+ if *flagSkipCoverCheck {
+ return 0
+ }
+ // Allow up to 30 minutes after the corpus triage to reach the patched code.
+ return time.Minute * 30
+}
+
func compressArtifacts(dir string) (io.Reader, error) {
var buf bytes.Buffer
lw := &LimitedWriter{
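Review bot: `fuzzToReachPatched` is undocumented, and its contract hinges on a convention the hunk does not state: returning 0 is meant to disable the reach-the-patch check, which only holds if `manager.RunDiffFuzzer` treats a zero `FuzzToReachPatched` as "no deadline" rather than "abort right after triage" (the manager side is outside this diff, so that is worth confirming). I would add `// fuzzToReachPatched returns how long fuzzing may continue after corpus triage without reaching the patched code before the run is aborted. It returns 0, which disables the check, when -skip_cover_check is set.` Naming the 30-minute value, e.g. `const defaultFuzzToReachPatched = 30 * time.Minute`, would also keep the magic number out of the helper.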
diff --git a/syz-cluster/workflow/fuzz-step/workflow-template.yaml b/syz-cluster/workflow/fuzz-step/workflow-template.yaml
index 1735dfec0..f5e084154 100644
--- a/syz-cluster/workflow/fuzz-step/workflow-template.yaml
+++ b/syz-cluster/workflow/fuzz-step/workflow-template.yaml
@@ -18,6 +18,8 @@ spec:
value: ""
- name: corpus-url
value: ""
+ - name: skip-cover-check
+ value: "false"
artifacts:
- name: base-kernel
path: /base
@@ -34,6 +36,7 @@ spec:
"--base_build", "{{inputs.parameters.base-build-id}}",
"--patched_build", "{{inputs.parameters.patched-build-id}}",
"--corpus_url", "{{inputs.parameters.corpus-url}}",
+ "--skip_cover_check={{inputs.parameters.skip-cover-check}}",
"--time", "3h",
"--workdir", "/workdir",
"--vv", "1"
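Review bot: The new argument deliberately uses the `--skip_cover_check={{...}}` form while every neighbouring flag is split into two list entries, and nothing in the file says why; a future edit that "normalises" it to `"--skip_cover_check", "{{inputs.parameters.skip-cover-check}}"` would silently enable the skip, because Go bool flags take no separate value: the flag would be set to true and the value left as a positional argument. A one-line YAML comment above it, `# Bool flags must be passed as --flag=value; a separate value is not consumed by Go's flag package.`, protects against that.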