| author | Victor Chibotaru <tchibo@google.com> | 2017-08-24 17:52:57 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2017-08-30 18:40:14 +0200 |
| commit | 49c11eb5140bbe727be05015f78831043e2fe3a8 (patch) | |
| tree | 0ab0e16b367215d0a8935d14f3a614182b2192b1 /tools/syz-execprog | |
| parent | 07c84b670b4a25a7795e9fb8d47abe0922d2976b (diff) | |
ipc, prog, fuzzer, execprog: add hints generation code

A hint is basically a tuple consisting of a pointer to an argument
in one of the syscalls of a program and a value, which should be
assigned to that argument.

A simplified version of hints workflow looks like this:

1. Fuzzer launches a program and collects all the comparisons' data
for every syscall in the program.
2. Next it tries to match the obtained comparison operands' values
vs. the input arguments' values.
3. For every such match the fuzzer mutates the program by
replacing the pointed argument with the saved value.
4. If a valid program is obtained, then fuzzer launches it and
checks if new coverage is obtained.

This commit includes:

1. All the code related to hints generation, parsing and mutations.
2. Fuzzer functions to launch the process.
3. Some new stats gathered by fuzzer and manager, related to hints.
4. An updated version of execprog to test the hints process.
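
Steps 2 and 3 of the workflow above, reduced to a toy model as an added example; this is not code from the commit or from syzkaller. The names `CompMap`, `Call`, `Hint`, `GenerateHints` and `Apply` are hypothetical, arguments are plain integers, and step 4 (validity and coverage check) is left to the caller.

```go
package main

import "fmt"

// CompMap (hypothetical): per syscall, operand seen in a comparison -> values it was compared with.
type CompMap map[uint64][]uint64

// Call is a toy syscall reduced to its integer arguments.
type Call []uint64

// Hint points at one argument of one call and carries the value to assign.
type Hint struct {
	CallIdx, ArgIdx int
	Value           uint64
}

// GenerateHints is step 2: match each argument against the recorded operands.
func GenerateHints(prog []Call, comps []CompMap) []Hint {
	var hints []Hint
	for ci := 0; ci < len(prog) && ci < len(comps); ci++ {
		for ai, arg := range prog[ci] {
			seen := map[uint64]bool{arg: true} // assigning arg to itself is a no-op
			for _, v := range comps[ci][arg] {
				if !seen[v] {
					seen[v] = true
					hints = append(hints, Hint{ci, ai, v})
				}
			}
		}
	}
	return hints
}

// Apply is step 3, done on a deep copy so the original program is kept.
func Apply(prog []Call, h Hint) []Call {
	out := make([]Call, len(prog))
	for i, c := range prog {
		out[i] = append(Call(nil), c...)
	}
	out[h.CallIdx][h.ArgIdx] = h.Value
	return out
}

func main() {
	prog := []Call{{3, 0x1234}} // constructed sample program: one call, two arguments
	comps := []CompMap{{0x1234: {0xdead, 0xbeef, 0x1234, 0xdead}}}
	for _, h := range GenerateHints(prog, comps) {
		fmt.Printf("%+v -> %#x\n", h, Apply(prog, h)) // step 4 would run each result
	}
}
```

The duplicate and self-equal operands in the constructed comparison data yield no hint, so two mutated programs come out of four recorded values.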
Diffstat (limited to 'tools/syz-execprog')
| -rw-r--r-- | tools/syz-execprog/execprog.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/tools/syz-execprog/execprog.go b/tools/syz-execprog/execprog.go index a2e530fbf..de2e1f7f3 100644 --- a/tools/syz-execprog/execprog.go +++ b/tools/syz-execprog/execprog.go @@ -33,6 +33,7 @@ var ( flagOutput = flag.String("output", "none", "write programs to none/stdout") flagFaultCall = flag.Int("fault_call", -1, "inject fault into this call (0-based)") flagFaultNth = flag.Int("fault_nth", 0, "inject fault on n-th operation (0-based)") + flagHints = flag.Bool("hints", false, "do a hints-generation run") ) func main() { @@ -73,6 +74,12 @@ func main() { execOpts.Flags |= ipc.FlagCollectCover execOpts.Flags &^= ipc.FlagDedupCover } + if *flagHints { + if execOpts.Flags&ipc.FlagCollectCover != 0 { + execOpts.Flags ^= ipc.FlagCollectCover + } + execOpts.Flags |= ipc.FlagCollectComps + } if *flagFaultCall >= 0 { config.Flags |= ipc.FlagEnableFault @@ -162,6 +169,13 @@ func main() { } } } + if *flagHints { + compMaps := ipc.GetCompMaps(info) + p.MutateWithHints(compMaps, func(p *prog.Prog) { + fmt.Printf("%v\n", string(p.Serialize())) + }) + } + return true }() { return |
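Review bot: in the first hunk (the flag block at -33,6), the help text "do a hints-generation run" leaves out the two side effects the later hunks give the flag: coverage collection is switched off and every mutated program is printed to stdout. Say so in the help string, so that a user who combines -hints with a coverage option knows which one takes effect.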
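Review bot: in the second hunk (-73,6), the test followed by `execOpts.Flags ^= ipc.FlagCollectCover` is a conditional clear written the long way. `execOpts.Flags &^= ipc.FlagCollectCover` does the same without the branch and matches the `execOpts.Flags &^= ipc.FlagDedupCover` in the context lines just above. The block also silently undoes the FlagCollectCover that the preceding branch has just set, so either reject the combination at flag-parsing time or log that hints mode overrides coverage collection.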
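Review bot: in the third hunk (-162,6), the callback parameter in `func(p *prog.Prog)` shadows the outer `p` on which MutateWithHints is called, which makes the body easy to misread; give it a distinct name such as newP. The mutated programs also go to stdout unconditionally, bypassing the -output flag whose help text reads "write programs to none/stdout", and with no marker separating them from other output; route them through the same output setting or prefix each one. If Serialize returns a byte slice, as the string(...) conversion suggests, `fmt.Printf("%s\n", p.Serialize())` avoids the extra conversion.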
