| author | Aleksandr Nogikh <nogikh@google.com> | 2025-09-18 17:36:53 +0200 |
|---|---|---|
| committer | Taras Madan <tarasmadan@google.com> | 2025-10-07 15:25:13 +0000 |
| commit | 99ed12e158687b7aba55eac142d6bad3f147d029 (patch) | |
| tree | a9809d7c5d60f45b805e0346a9a543ba0651a9e1 /syz-cluster/pkg/fuzzconfig | |
| parent | 790f0ffe2224829b20e4dc6556c090c503e1d161 (diff) | |
syz-cluster: rewrite fuzz config generation
Instead of a predefined set of manually written syz-manager configs,
construct them dynamically from different bits.
During triage, select not just one, but all matching fuzzer
configurations and then merge them together.
Diffstat (limited to 'syz-cluster/pkg/fuzzconfig')
18 files changed, 1534 insertions, 0 deletions
diff --git a/syz-cluster/pkg/fuzzconfig/base.cfg b/syz-cluster/pkg/fuzzconfig/base.cfg
new file mode 100644
index 000000000..add1ba131
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/base.cfg
@@ -0,0 +1,21 @@
+{
+ "name": "base",
+ "target": "linux/amd64",
+ "kernel_obj": "/base/obj",
+ "kernel_build_src": "/workdir",
+ "image": "/base/image",
+ "syzkaller": "/syzkaller",
+ "workdir": "/workdir",
+ "type": "qemu",
+ "procs": 3,
+ "sandbox": "none",
+ "experimental": {"cover_edges": false},
+ "vm": {
+ "count": 3,
+ "cmdline": "root=/dev/sda1",
+ "kernel": "/base/kernel",
+ "cpu": 2,
+ "mem": 7168,
+ "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+ }
+}
diff --git a/syz-cluster/pkg/fuzzconfig/generate.go b/syz-cluster/pkg/fuzzconfig/generate.go
new file mode 100644
index 000000000..5b503e3ae
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/generate.go
@@ -0,0 +1,188 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package fuzzconfig
+
+import (
+ _ "embed"
+ "encoding/json"
+ "fmt"
+
+ "github.com/google/syzkaller/pkg/config"
+ "github.com/google/syzkaller/pkg/mgrconfig"
+ "github.com/google/syzkaller/syz-cluster/pkg/api"
+)
+
+//go:embed base.cfg
+var baseConfigJSON []byte
+
+//go:embed patched.cfg
+var patchedConfigJSON []byte
+
+// GenerateBase produces a syz-manager config for the base kernel.
+// The caller must still invoke mgrconfig.Complete.
+func GenerateBase(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
+ var baseRaw json.RawMessage
+ err := config.LoadData(baseConfigJSON, &baseRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read the base config: %w", err)
+ }
+ base, err := mgrconfig.LoadPartialData(baseRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load the config: %w", err)
+ }
+ err = applyFuzzConfig(base, cfg)
+ if err != nil {
+ return nil, err
+ }
+ return base, nil
+}
+
+// GeneratePatched produces a syz-manager config for the base kernel.
+// The caller must still invoke mgrconfig.Complete.
+func GeneratePatched(cfg *api.FuzzConfig) (*mgrconfig.Config, error) {
+ var baseRaw, deltaRaw json.RawMessage
+ err := config.LoadData(baseConfigJSON, &baseRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read the base config: %w", err)
+ }
+ err = config.LoadData(patchedConfigJSON, &deltaRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read the patched config: %w", err)
+ }
+ patchedRaw, err := config.MergeJSONs(baseRaw, deltaRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to merge the configs: %w", err)
+ }
+ patched, err := mgrconfig.LoadPartialData(patchedRaw)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load the config: %w", err)
+ }
+ err = applyFuzzConfig(patched, cfg)
+ if err != nil {
+ return nil, err
+ }
+ return patched, nil
+}
+
+func applyFuzzConfig(mgrCfg *mgrconfig.Config, cfg *api.FuzzConfig) error {
+ if len(cfg.Focus) == 0 {
+ noFocus(mgrCfg)
+ return nil
+ }
+ for _, focus := range cfg.Focus {
+ cb := setFocus[focus]
+ if cb == nil {
+ return fmt.Errorf("unknown focus: %s", focus)
+ }
+ err := cb(mgrCfg)
+ if err != nil {
+ return fmt.Errorf("failed to apply focus %s: %w", focus, err)
+ }
+ }
+ return nil
+}
+
+// nolint: lll
+var setFocus = map[string]func(*mgrconfig.Config) error{
+ api.FocusKVM: func(mgrCfg *mgrconfig.Config) error {
+ mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+ "openat$kvm",
+ "openat$sev",
+ "close",
+ "ioctl$KVM*",
+ "syz_kvm*",
+ "mmap$KVM_VCPU",
+ "munmap",
+ "syz_memcpy_off$KVM_EXIT_MMIO",
+ "syz_memcpy_off$KVM_EXIT_HYPERCALL",
+ "eventfd2",
+ "write$eventfd",
+ )
+ var err error
+ mgrCfg.VM, err = config.MergeJSONs(mgrCfg.VM, []byte(
+ `{"qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1"}`))
+ return err
+ },
+ api.FocusNet: func(mgrCfg *mgrconfig.Config) error {
+ mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+ "accept", "accept4", "bind", "close", "connect", "epoll_create",
+ "epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_wait",
+ "getpeername", "getsockname", "getsockopt", "ioctl", "listen",
+ "mmap", "poll", "ppoll", "pread64", "preadv", "pselect6",
+ "pwrite64", "pwritev", "read", "readv", "recvfrom", "recvmmsg",
+ "recvmsg", "select", "sendfile", "sendmmsg", "sendmsg", "sendto",
+ "setsockopt", "shutdown", "socket", "socketpair", "splice",
+ "vmsplice", "write", "writev", "tee", "bpf", "getpid",
+ "getgid", "getuid", "gettid", "unshare", "pipe",
+ "syz_emit_ethernet", "syz_extract_tcp_res",
+ "syz_genetlink_get_family_id", "syz_init_net_socket",
+ "mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
+ "clock_gettime", "bpf", "openat$tun", "openat$ppp",
+ "syz_open_procfs$namespace", "syz_80211_*", "nanosleep",
+ "openat$nci", "ioctl$IOCTL_GET_NCIDEV_IDX", "openat$rfkill",
+ "openat$6lowpan*", "openat$pidfd", "openat$tcp*", "openat$vhost_vsock",
+ "openat$ptp*", "ioctl$PTP*",
+ )
+ return nil
+ },
+ api.FocusFS: func(mgrCfg *mgrconfig.Config) error {
+ mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+ "syz_mount_image", "open", "openat", "creat", "close", "read",
+ "pread64", "readv", "preadv", "preadv2", "write", "pwrite64",
+ "writev", "pwritev", "pwritev2", "lseek", "copy_file_range", "dup",
+ "dup2", "dup3", "tee", "splice", "vmsplice", "sendfile", "stat",
+ "lstat", "fstat", "newfstatat", "statx", "poll", "clock_gettime",
+ "ppoll", "select", "pselect6", "epoll_create", "epoll_create1",
+ "epoll_ctl", "epoll_wait", "epoll_pwait", "epoll_pwait2", "mmap",
+ "munmap", "mremap", "msync", "readahead", "fcntl", "mknod", "mknodat",
+ "chmod", "fchmod", "fchmodat", "chown", "lchown", "fchown",
+ "fchownat", "fallocate", "faccessat", "faccessat2", "utime", "utimes",
+ "futimesat", "utimensat", "link", "linkat", "symlinkat", "symlink",
+ "unlink", "unlinkat", "readlink", "readlinkat", "rename", "renameat",
+ "renameat2", "mkdir", "mkdirat", "rmdir", "truncate", "ftruncate",
+ "flock", "fsync", "fdatasync", "sync", "syncfs", "sync_file_range",
+ "getdents", "getdents64", "name_to_handle_at", "open_by_handle_at",
+ "chroot", "getcwd", "chdir", "fchdir", "quotactl", "pivot_root",
+ "statfs", "fstatfs", "syz_open_procfs", "syz_read_part_table",
+ "mount", "fsopen", "fspick", "fsconfig", "fsmount", "move_mount",
+ "open_tree", "mount_setattr", "ioctl$FS_*", "ioctl$BTRFS*",
+ "ioctl$AUTOFS*", "ioctl$EXT4*", "ioctl$F2FS*", "ioctl$FAT*",
+ "ioctl$VFAT*", "ioctl$FI*",
+ )
+ mgrCfg.NoMutateSyscalls = append(mgrCfg.NoMutateSyscalls,
+ "syz_mount_image$btrfs",
+ "syz_mount_image$ext4",
+ "syz_mount_image$f2fs",
+ "syz_mount_image$ntfs",
+ "syz_mount_image$ocfs2",
+ "syz_mount_image$xfs",
+ )
+ return nil
+ },
+ api.FocusIoUring: func(mgrCfg *mgrconfig.Config) error {
+ mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+ "io_uring_*", "syz_io_uring_*", "syz_memcpy_off", "mmap", "madvise",
+ "mprotect", "eventfd", "socket", "setsockopt", "accept", "open", "close",
+ "clock_gettime", "ioctl$sock_SIOCGIFINDEX", "ioctl$IOCTL_GET_NCIDEV_IDX",
+ "openat", "epoll_create",
+ )
+ return nil
+ },
+ api.FocusBPF: func(mgrCfg *mgrconfig.Config) error {
+ mgrCfg.EnabledSyscalls = append(mgrCfg.EnabledSyscalls,
+ "bpf", "mkdir", "mount$bpf", "unlink", "close",
+ "perf_event_open*", "ioctl$PERF*", "getpid", "gettid",
+ "socketpair", "sendmsg", "recvmsg", "setsockopt$sock_attach_bpf",
+ "socket", "ioctl$sock_kcm*", "syz_clone",
+ "mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
+ "openat$tun", "write$tun", "ioctl$TUN*", "ioctl$SIOCSIFHWADDR",
+ "openat$ppp", "syz_open_procfs$namespace", "openat$pidfd", "fstat",
+ )
+ return nil
+ },
+}
+
+func noFocus(mgrCfg *mgrconfig.Config) {
+ mgrCfg.DisabledSyscalls = []string{"perf_event_open*", "syz_mount_image$hfs", "syz_mount_image$gfs*"}
+}
diff --git a/syz-cluster/pkg/fuzzconfig/generate_test.go b/syz-cluster/pkg/fuzzconfig/generate_test.go
new file mode 100644
index 000000000..1dd143eaf
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/generate_test.go
@@ -0,0 +1,79 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package fuzzconfig
+
+import (
+ "encoding/json"
+ "flag"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/google/syzkaller/pkg/config"
+ "github.com/google/syzkaller/pkg/mgrconfig"
+ "github.com/google/syzkaller/syz-cluster/pkg/api"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+var flagWrite = flag.Bool("write", false, "overwrite out.txt files")
+
+func TestSingularFocus(t *testing.T) {
+ focusMap := map[string]struct{}{}
+ for _, target := range api.FuzzTargets {
+ for _, campaign := range target.Campaigns {
+ if campaign.Focus != "" {
+ focusMap[campaign.Focus] = struct{}{}
+ }
+ }
+ }
+ for focus := range focusMap {
+ t.Run(focus, func(t *testing.T) {
+ cfg := &api.FuzzConfig{Focus: []string{focus}}
+ runTest(t, cfg, filepath.Join("testdata", "singular", focus))
+ })
+ }
+}
+
+func TestNoFocus(t *testing.T) {
+ runTest(t, &api.FuzzConfig{}, filepath.Join("testdata", "singular", "default"))
+}
+
+func TestMultipleFocus(t *testing.T) {
+ runTest(t, &api.FuzzConfig{
+ Focus: []string{api.FocusBPF, api.FocusIoUring},
+ }, filepath.Join("testdata", "mixed", "bpf_io_uring"))
+}
+
+func runTest(t *testing.T, cfg *api.FuzzConfig, baseName string) {
+ base, err := GenerateBase(cfg)
+ require.NoError(t, err)
+ compareOrSave(t, baseName+".base.cfg", base)
+
+ patched, err := GeneratePatched(cfg)
+ require.NoError(t, err)
+ compareOrSave(t, baseName+".patched.cfg", patched)
+}
+
+func compareOrSave(t *testing.T, fileName string, mgrCfg *mgrconfig.Config) {
+ targetJSON, err := json.MarshalIndent(mgrCfg, "", "\t")
+ require.NoError(t, err)
+ if *flagWrite {
+ err = os.WriteFile(fileName, targetJSON, 0644)
+ require.NoError(t, err)
+ return
+ }
+
+ var raw json.RawMessage
+ err = config.LoadFile(fileName, &raw)
+ require.NoError(t, err)
+
+ cfg, err := mgrconfig.LoadPartialData(raw)
+ require.NoError(t, err)
+ require.NotNil(t, cfg)
+
+ resultJSON, err := json.MarshalIndent(cfg, "", "\t")
+ require.NoError(t, err)
+ assert.Equal(t, targetJSON, resultJSON)
+}
diff --git a/syz-cluster/pkg/fuzzconfig/patched.cfg b/syz-cluster/pkg/fuzzconfig/patched.cfg
new file mode 100644
index 000000000..8b4027891
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/patched.cfg
@@ -0,0 +1,10 @@
+{
+ "name": "patched",
+ "target": "linux/amd64",
+ "kernel_obj": "/patched/obj",
+ "image": "/patched/image",
+ "vm": {
+ "count": 9,
+ "kernel": "/patched/kernel"
+ }
+}
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg
new file mode 100644
index 000000000..6c4b3d58e
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.base.cfg
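Review bot: TestSingularFocus derives the set of focuses from the campaigns in api.FuzzTargets rather than from setFocus, so a handler added to setFocus but not yet referenced by any campaign gets no golden-file coverage, whereas a campaign focus with no handler is only caught indirectly through the unknown-focus error. Iterating the map under test, `for focus := range setFocus {`, would keep the testdata goldens in lockstep with the handlers, and the campaign-derived set could remain as a second loop asserting that every campaign focus is a key of setFocus. The help text of the `-write` flag says "overwrite out.txt files" while what compareOrSave writes are the testdata `*.cfg` goldens; `"overwrite testdata .cfg files"` would describe it accurately.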
@@ -0,0 +1,90 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "bpf", + "mkdir", + "mount$bpf", + "unlink", + "close", + "perf_event_open*", + "ioctl$PERF*", + "getpid", + "gettid", + "socketpair", + "sendmsg", + "recvmsg", + "setsockopt$sock_attach_bpf", + "socket", + "ioctl$sock_kcm*", + "syz_clone", + "mkdirat$cgroup*", + "openat$cgroup*", + "write$cgroup*", + "openat$tun", + "write$tun", + "ioctl$TUN*", + "ioctl$SIOCSIFHWADDR", + "openat$ppp", + "syz_open_procfs$namespace", + "openat$pidfd", + "fstat", + "io_uring_*", + "syz_io_uring_*", + "syz_memcpy_off", + "mmap", + "madvise", + "mprotect", + "eventfd", + "socket", + "setsockopt", + "accept", + "open", + "close", + "clock_gettime", + "ioctl$sock_SIOCGIFINDEX", + "ioctl$IOCTL_GET_NCIDEV_IDX", + "openat", + "epoll_create" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "count": 3, + "cmdline": "root=/dev/sda1", + "kernel": "/base/kernel", + "cpu": 2, + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg new file mode 100644 index 000000000..ce1ee850a --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/mixed/bpf_io_uring.patched.cfg 
@@ -0,0 +1,90 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "bpf", + "mkdir", + "mount$bpf", + "unlink", + "close", + "perf_event_open*", + "ioctl$PERF*", + "getpid", + "gettid", + "socketpair", + "sendmsg", + "recvmsg", + "setsockopt$sock_attach_bpf", + "socket", + "ioctl$sock_kcm*", + "syz_clone", + "mkdirat$cgroup*", + "openat$cgroup*", + "write$cgroup*", + "openat$tun", + "write$tun", + "ioctl$TUN*", + "ioctl$SIOCSIFHWADDR", + "openat$ppp", + "syz_open_procfs$namespace", + "openat$pidfd", + "fstat", + "io_uring_*", + "syz_io_uring_*", + "syz_memcpy_off", + "mmap", + "madvise", + "mprotect", + "eventfd", + "socket", + "setsockopt", + "accept", + "open", + "close", + "clock_gettime", + "ioctl$sock_SIOCGIFINDEX", + "ioctl$IOCTL_GET_NCIDEV_IDX", + "openat", + "epoll_create" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg new file mode 100644 index 000000000..79d1339c0 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.base.cfg @@ -0,0 +1,73 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "bpf", + "mkdir", + "mount$bpf", + "unlink", + "close", + "perf_event_open*", + "ioctl$PERF*", + "getpid", + "gettid", + "socketpair", + "sendmsg", + "recvmsg", + "setsockopt$sock_attach_bpf", + "socket", + "ioctl$sock_kcm*", + "syz_clone", + "mkdirat$cgroup*", + "openat$cgroup*", + "write$cgroup*", + "openat$tun", + "write$tun", + "ioctl$TUN*", + "ioctl$SIOCSIFHWADDR", + "openat$ppp", + "syz_open_procfs$namespace", + "openat$pidfd", + "fstat" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "count": 3, + "cmdline": "root=/dev/sda1", + "kernel": "/base/kernel", + "cpu": 2, + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg new file mode 100644 index 000000000..059b47cf0 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/bpf.patched.cfg @@ -0,0 +1,73 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "bpf", + "mkdir", + "mount$bpf", + "unlink", + "close", + "perf_event_open*", + "ioctl$PERF*", + "getpid", + "gettid", + "socketpair", + "sendmsg", + "recvmsg", + "setsockopt$sock_attach_bpf", + "socket", + "ioctl$sock_kcm*", + "syz_clone", + "mkdirat$cgroup*", + "openat$cgroup*", + "write$cgroup*", + "openat$tun", + "write$tun", + "ioctl$TUN*", + "ioctl$SIOCSIFHWADDR", + "openat$ppp", + "syz_open_procfs$namespace", + "openat$pidfd", + "fstat" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg new file mode 100644 index 000000000..28c8c600d --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.base.cfg @@ -0,0 +1,49 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "disable_syscalls": [ + "perf_event_open*", + "syz_mount_image$hfs", + "syz_mount_image$gfs*" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "count": 3, + "cmdline": "root=/dev/sda1", + "kernel": "/base/kernel", + "cpu": 2, + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg new file mode 100644 index 000000000..55d699651 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/default.patched.cfg @@ -0,0 +1,49 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "disable_syscalls": [ + "perf_event_open*", + "syz_mount_image$hfs", + "syz_mount_image$gfs*" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg new file mode 100644 index 000000000..8515dfe19 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.base.cfg 
@@ -0,0 +1,168 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "syz_mount_image", + "open", + "openat", + "creat", + "close", + "read", + "pread64", + "readv", + "preadv", + "preadv2", + "write", + "pwrite64", + "writev", + "pwritev", + "pwritev2", + "lseek", + "copy_file_range", + "dup", + "dup2", + "dup3", + "tee", + "splice", + "vmsplice", + "sendfile", + "stat", + "lstat", + "fstat", + "newfstatat", + "statx", + "poll", + "clock_gettime", + "ppoll", + "select", + "pselect6", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_wait", + "epoll_pwait", + "epoll_pwait2", + "mmap", + "munmap", + "mremap", + "msync", + "readahead", + "fcntl", + "mknod", + "mknodat", + "chmod", + "fchmod", + "fchmodat", + "chown", + "lchown", + "fchown", + "fchownat", + "fallocate", + "faccessat", + "faccessat2", + "utime", + "utimes", + "futimesat", + "utimensat", + "link", + "linkat", + "symlinkat", + "symlink", + "unlink", + "unlinkat", + "readlink", + "readlinkat", + "rename", + "renameat", + "renameat2", + "mkdir", + "mkdirat", + "rmdir", + "truncate", + "ftruncate", + "flock", + "fsync", + "fdatasync", + "sync", + "syncfs", + "sync_file_range", + "getdents", + "getdents64", + "name_to_handle_at", + "open_by_handle_at", + "chroot", + "getcwd", + "chdir", + "fchdir", + "quotactl", + "pivot_root", + "statfs", + "fstatfs", + "syz_open_procfs", + "syz_read_part_table", + "mount", + "fsopen", + "fspick", + "fsconfig", + "fsmount", + "move_mount", + "open_tree", + "mount_setattr", + "ioctl$FS_*", + "ioctl$BTRFS*", + 
"ioctl$AUTOFS*", + "ioctl$EXT4*", + "ioctl$F2FS*", + "ioctl$FAT*", + "ioctl$VFAT*", + "ioctl$FI*" + ], + "no_mutate_syscalls": [ + "syz_mount_image$btrfs", + "syz_mount_image$ext4", + "syz_mount_image$f2fs", + "syz_mount_image$ntfs", + "syz_mount_image$ocfs2", + "syz_mount_image$xfs" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "count": 3, + "cmdline": "root=/dev/sda1", + "kernel": "/base/kernel", + "cpu": 2, + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg new file mode 100644 index 000000000..9fbfaf3f6 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/fs.patched.cfg 
@@ -0,0 +1,168 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "syz_mount_image", + "open", + "openat", + "creat", + "close", + "read", + "pread64", + "readv", + "preadv", + "preadv2", + "write", + "pwrite64", + "writev", + "pwritev", + "pwritev2", + "lseek", + "copy_file_range", + "dup", + "dup2", + "dup3", + "tee", + "splice", + "vmsplice", + "sendfile", + "stat", + "lstat", + "fstat", + "newfstatat", + "statx", + "poll", + "clock_gettime", + "ppoll", + "select", + "pselect6", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_wait", + "epoll_pwait", + "epoll_pwait2", + "mmap", + "munmap", + "mremap", + "msync", + "readahead", + "fcntl", + "mknod", + "mknodat", + "chmod", + "fchmod", + "fchmodat", + "chown", + "lchown", + "fchown", + "fchownat", + "fallocate", + "faccessat", + "faccessat2", + "utime", + "utimes", + "futimesat", + "utimensat", + "link", + "linkat", + "symlinkat", + "symlink", + "unlink", + "unlinkat", + "readlink", + "readlinkat", + "rename", + "renameat", + "renameat2", + "mkdir", + "mkdirat", + "rmdir", + "truncate", + "ftruncate", + "flock", + "fsync", + "fdatasync", + "sync", + "syncfs", + "sync_file_range", + "getdents", + "getdents64", + "name_to_handle_at", + "open_by_handle_at", + "chroot", + "getcwd", + "chdir", + "fchdir", + "quotactl", + "pivot_root", + "statfs", + "fstatfs", + "syz_open_procfs", + "syz_read_part_table", + "mount", + "fsopen", + "fspick", + "fsconfig", + "fsmount", + "move_mount", + "open_tree", + "mount_setattr", + "ioctl$FS_*", + 
"ioctl$BTRFS*", + "ioctl$AUTOFS*", + "ioctl$EXT4*", + "ioctl$F2FS*", + "ioctl$FAT*", + "ioctl$VFAT*", + "ioctl$FI*" + ], + "no_mutate_syscalls": [ + "syz_mount_image$btrfs", + "syz_mount_image$ext4", + "syz_mount_image$f2fs", + "syz_mount_image$ntfs", + "syz_mount_image$ocfs2", + "syz_mount_image$xfs" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg new file mode 100644 index 000000000..94990b812 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.base.cfg @@ -0,0 +1,63 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "io_uring_*", + "syz_io_uring_*", + "syz_memcpy_off", + "mmap", + "madvise", + "mprotect", + "eventfd", + "socket", + "setsockopt", + "accept", + "open", + "close", + "clock_gettime", + "ioctl$sock_SIOCGIFINDEX", + "ioctl$IOCTL_GET_NCIDEV_IDX", + "openat", + "epoll_create" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "count": 3, + "cmdline": "root=/dev/sda1", + "kernel": "/base/kernel", + "cpu": 2, + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg new file mode 100644 index 000000000..4fe786944 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/io_uring.patched.cfg @@ -0,0 +1,63 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "io_uring_*", + "syz_io_uring_*", + "syz_memcpy_off", + "mmap", + "madvise", + "mprotect", + "eventfd", + "socket", + "setsockopt", + "accept", + "open", + "close", + "clock_gettime", + "ioctl$sock_SIOCGIFINDEX", + "ioctl$IOCTL_GET_NCIDEV_IDX", + "openat", + "epoll_create" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg new file mode 100644 index 000000000..bdfe653ef --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.base.cfg @@ -0,0 +1,57 @@ +{ + "name": "base", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/base/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/base/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "openat$kvm", + "openat$sev", + "close", + "ioctl$KVM*", + "syz_kvm*", + "mmap$KVM_VCPU", + "munmap", + "syz_memcpy_off$KVM_EXIT_MMIO", + "syz_memcpy_off$KVM_EXIT_HYPERCALL", + "eventfd2", + "write$eventfd" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 3, + "cpu": 2, + "kernel": "/base/kernel", + "mem": 7168, + "qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg new file mode 100644 index 000000000..86e319ac7 --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/kvm.patched.cfg @@ -0,0 +1,57 @@ +{ + "name": "patched", + "target": "linux/amd64", + "http": "", + "rpc": ":0", + "workdir": "/workdir", + "kernel_obj": "/patched/obj", + "kernel_build_src": "/workdir", + "android_split_build": false, + "image": "/patched/image", + "ssh_user": "root", + "syzkaller": "/syzkaller", + "procs": 3, + "max_crash_logs": 100, + "sandbox": "none", + "sandbox_arg": 0, + "snapshot": false, + "cover": true, + "cover_filter": {}, + "raw_cover": false, + "reproduce": true, + "preserve_corpus": true, + "enable_syscalls": [ + "openat$kvm", + "openat$sev", + "close", + "ioctl$KVM*", + "syz_kvm*", + "mmap$KVM_VCPU", + "munmap", + "syz_memcpy_off$KVM_EXIT_MMIO", + "syz_memcpy_off$KVM_EXIT_HYPERCALL", + "eventfd2", + "write$eventfd" + ], + "strace_bin": "", + "strace_bin_on_target": false, + "execprog_bin_on_target": "", + "executor_bin_on_target": "", + "run_fsck": true, + "type": "qemu", + "vm": { + "cmdline": "root=/dev/sda1", + "count": 9, + "cpu": 2, + "kernel": "/patched/kernel", + "mem": 7168, + "qemu_args": "-machine q35,nvdimm=on,accel=kvm,kernel-irqchip=split -cpu max,migratable=off -enable-kvm -smp 2,sockets=2,cores=1" + }, + "asset_storage": null, + "Experimental": { + "reset_acc_state": false, + "remote_cover": true, + "cover_edges": false, + "descriptions_mode": "manual" + } +}
\ No newline at end of file diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg new file mode 100644 index 000000000..641241acb --- /dev/null +++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.base.cfg 
@@ -0,0 +1,118 @@
+{
+ "name": "base",
+ "target": "linux/amd64",
+ "http": "",
+ "rpc": ":0",
+ "workdir": "/workdir",
+ "kernel_obj": "/base/obj",
+ "kernel_build_src": "/workdir",
+ "android_split_build": false,
+ "image": "/base/image",
+ "ssh_user": "root",
+ "syzkaller": "/syzkaller",
+ "procs": 3,
+ "max_crash_logs": 100,
+ "sandbox": "none",
+ "sandbox_arg": 0,
+ "snapshot": false,
+ "cover": true,
+ "cover_filter": {},
+ "raw_cover": false,
+ "reproduce": true,
+ "preserve_corpus": true,
+ "enable_syscalls": [
+ "accept",
+ "accept4",
+ "bind",
+ "close",
+ "connect",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_pwait",
+ "epoll_wait",
+ "getpeername",
+ "getsockname",
+ "getsockopt",
+ "ioctl",
+ "listen",
+ "mmap",
+ "poll",
+ "ppoll",
+ "pread64",
+ "preadv",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "read",
+ "readv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "select",
+ "sendfile",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "setsockopt",
+ "shutdown",
+ "socket",
+ "socketpair",
+ "splice",
+ "vmsplice",
+ "write",
+ "writev",
+ "tee",
+ "bpf",
+ "getpid",
+ "getgid",
+ "getuid",
+ "gettid",
+ "unshare",
+ "pipe",
+ "syz_emit_ethernet",
+ "syz_extract_tcp_res",
+ "syz_genetlink_get_family_id",
+ "syz_init_net_socket",
+ "mkdirat$cgroup*",
+ "openat$cgroup*",
+ "write$cgroup*",
+ "clock_gettime",
+ "bpf",
+ "openat$tun",
+ "openat$ppp",
+ "syz_open_procfs$namespace",
+ "syz_80211_*",
+ "nanosleep",
+ "openat$nci",
+ "ioctl$IOCTL_GET_NCIDEV_IDX",
+ "openat$rfkill",
+ "openat$6lowpan*",
+ "openat$pidfd",
+ "openat$tcp*",
+ "openat$vhost_vsock",
+ "openat$ptp*",
+ "ioctl$PTP*"
+ ],
+ "strace_bin": "",
+ "strace_bin_on_target": false,
+ "execprog_bin_on_target": "",
+ "executor_bin_on_target": "",
+ "run_fsck": true,
+ "type": "qemu",
+ "vm": {
+ "count": 3,
+ "cmdline": "root=/dev/sda1",
+ "kernel": "/base/kernel",
+ "cpu": 2,
+ "mem": 7168,
+ "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+ },
+ "asset_storage": null,
+ "Experimental": {
+ "reset_acc_state": false,
+ "remote_cover": true,
+ "cover_edges": false,
+ "descriptions_mode": "manual"
+ }
+}
\ No newline at end of file
diff --git a/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg
new file mode 100644
index 000000000..985dbb9be
--- /dev/null
+++ b/syz-cluster/pkg/fuzzconfig/testdata/singular/net.patched.cfg
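Review bot: `"bpf"` is listed twice in `enable_syscalls` of net.base.cfg (once after `"tee"`, again after `"clock_gettime"`), and net.patched.cfg carries the same duplicate. These are golden fixtures, so the repetition presumably reflects the merge step described in the commit message concatenating the syscall lists of the selected fragments without de-duplicating; syz-manager will most likely tolerate it, but the fixture now pins that behaviour, and every further overlap between fragments will grow the list. The fix belongs in the generator rather than in these files, e.g. `slices.Sort(calls); calls = slices.Compact(calls)` (or a set keyed by name if the original order must be kept) before the list is written, followed by regenerating the fixtures. The generator code is not in this chunk, so the cause is inferred from the output alone.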
@@ -0,0 +1,118 @@
+{
+ "name": "patched",
+ "target": "linux/amd64",
+ "http": "",
+ "rpc": ":0",
+ "workdir": "/workdir",
+ "kernel_obj": "/patched/obj",
+ "kernel_build_src": "/workdir",
+ "android_split_build": false,
+ "image": "/patched/image",
+ "ssh_user": "root",
+ "syzkaller": "/syzkaller",
+ "procs": 3,
+ "max_crash_logs": 100,
+ "sandbox": "none",
+ "sandbox_arg": 0,
+ "snapshot": false,
+ "cover": true,
+ "cover_filter": {},
+ "raw_cover": false,
+ "reproduce": true,
+ "preserve_corpus": true,
+ "enable_syscalls": [
+ "accept",
+ "accept4",
+ "bind",
+ "close",
+ "connect",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_pwait",
+ "epoll_wait",
+ "getpeername",
+ "getsockname",
+ "getsockopt",
+ "ioctl",
+ "listen",
+ "mmap",
+ "poll",
+ "ppoll",
+ "pread64",
+ "preadv",
+ "pselect6",
+ "pwrite64",
+ "pwritev",
+ "read",
+ "readv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmsg",
+ "select",
+ "sendfile",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "setsockopt",
+ "shutdown",
+ "socket",
+ "socketpair",
+ "splice",
+ "vmsplice",
+ "write",
+ "writev",
+ "tee",
+ "bpf",
+ "getpid",
+ "getgid",
+ "getuid",
+ "gettid",
+ "unshare",
+ "pipe",
+ "syz_emit_ethernet",
+ "syz_extract_tcp_res",
+ "syz_genetlink_get_family_id",
+ "syz_init_net_socket",
+ "mkdirat$cgroup*",
+ "openat$cgroup*",
+ "write$cgroup*",
+ "clock_gettime",
+ "bpf",
+ "openat$tun",
+ "openat$ppp",
+ "syz_open_procfs$namespace",
+ "syz_80211_*",
+ "nanosleep",
+ "openat$nci",
+ "ioctl$IOCTL_GET_NCIDEV_IDX",
+ "openat$rfkill",
+ "openat$6lowpan*",
+ "openat$pidfd",
+ "openat$tcp*",
+ "openat$vhost_vsock",
+ "openat$ptp*",
+ "ioctl$PTP*"
+ ],
+ "strace_bin": "",
+ "strace_bin_on_target": false,
+ "execprog_bin_on_target": "",
+ "executor_bin_on_target": "",
+ "run_fsck": true,
+ "type": "qemu",
+ "vm": {
+ "cmdline": "root=/dev/sda1",
+ "count": 9,
+ "cpu": 2,
+ "kernel": "/patched/kernel",
+ "mem": 7168,
+ "qemu_args": "-machine q35 -enable-kvm -smp 2,sockets=2,cores=1"
+ },
+ "asset_storage": null,
+ "Experimental": {
+ "reset_acc_state": false,
+ "remote_cover": true,
+ "cover_edges": false,
+ "descriptions_mode": "manual"
+ }
+}
\ No newline at end of file |
