diff options
| author | Hrutvik Kanabar <hrutvik@google.com> | 2022-09-20 14:43:25 +0000 |
|---|---|---|
| committer | Marco Elver <me@marcoelver.com> | 2022-09-22 16:42:04 +0200 |
| commit | 3fddc7194573e00eabde07dbb8ff17b025eb5c75 (patch) | |
| tree | 666f974b48e810491fc10070d8176acbf881c3ac /pkg | |
| parent | 5088f152247b1ec7659f72a05309254ca1b2b1d7 (diff) | |
pkg/mgrconfig, prog, syz-fuzzer: manager-configurable syscall mutation
Allow manager configuration to specify that certain syscalls should not
be mutated. This is expected to be useful when mutating certain syscalls
is unlikely to produce interesting executions. For example, mutating a
`syz_mount_image` call will likely produce a corrupt image.
Some implementation details:
- Add a `no_mutate_syscalls` manager config entry, with the same format
as `enable_syscalls`. Ensure this is parsed and stored in the config
as a set of syscall IDs.
- Send this set to fuzzers when they connect to their managers via RPC.
Ensure each fuzzer stores a copy of the set.
- When mutating arguments of a syscall, check first whether it has been
specified as non-mutatable.
- For all mutations not managed by a `syz-manager`, retain previous
behaviour by ensuring that no syscalls are considered non-mutable.
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/mgrconfig/config.go | 2 | ||||
| -rw-r--r-- | pkg/mgrconfig/load.go | 28 | ||||
| -rw-r--r-- | pkg/rpctype/rpctype.go | 1 |
3 files changed, 29 insertions, 2 deletions
diff --git a/pkg/mgrconfig/config.go b/pkg/mgrconfig/config.go index 9073c482c..46270ab0c 100644 --- a/pkg/mgrconfig/config.go +++ b/pkg/mgrconfig/config.go @@ -166,6 +166,8 @@ type Config struct { EnabledSyscalls []string `json:"enable_syscalls,omitempty"` // List of system calls that should be treated as disabled (optional). DisabledSyscalls []string `json:"disable_syscalls,omitempty"` + // List of syscalls that should not be mutated by the fuzzer (optional). + NoMutateSyscalls []string `json:"no_mutate_syscalls,omitempty"` // List of regexps for known bugs. // Don't save reports matching these regexps, but reboot VM after them, // matched against whole report output. diff --git a/pkg/mgrconfig/load.go b/pkg/mgrconfig/load.go index 2b49d0cbd..f1063ed17 100644 --- a/pkg/mgrconfig/load.go +++ b/pkg/mgrconfig/load.go @@ -34,8 +34,9 @@ type Derived struct { ExecprogBin string ExecutorBin string - Syscalls []int - Timeouts targets.Timeouts + Syscalls []int + NoMutateCalls map[int]bool // Set of IDs of syscalls which should not be mutated. + Timeouts targets.Timeouts } func LoadData(data []byte) (*Config, error) { @@ -177,6 +178,10 @@ func Complete(cfg *Config) error { if err != nil { return err } + cfg.NoMutateCalls, err = ParseNoMutateSyscalls(cfg.Target, cfg.NoMutateSyscalls) + if err != nil { + return err + } cfg.initTimeouts() return nil } @@ -329,6 +334,25 @@ func ParseEnabledSyscalls(target *prog.Target, enabled, disabled []string) ([]in return arr, nil } +func ParseNoMutateSyscalls(target *prog.Target, syscalls []string) (map[int]bool, error) { + var result = make(map[int]bool) + + for _, c := range syscalls { + n := 0 + for _, call := range target.Syscalls { + if MatchSyscall(call.Name, c) { + result[call.ID] = true + n++ + } + } + if n == 0 { + return nil, fmt.Errorf("unknown no_mutate syscall: %v", c) + } + } + + return result, nil +} + func MatchSyscall(name, pattern string) bool { if pattern == name || strings.HasPrefix(name, pattern+"$") { return true diff --git a/pkg/rpctype/rpctype.go b/pkg/rpctype/rpctype.go index f1d889a20..fc582e576 100644 --- a/pkg/rpctype/rpctype.go +++ b/pkg/rpctype/rpctype.go @@ -41,6 +41,7 @@ type ConnectArgs struct { type ConnectRes struct { EnabledCalls []int + NoMutateCalls map[int]bool GitRevision string TargetRevision string AllSandboxes bool |