| Commit message | Author | Age | Files | Lines |

probability coverage

Static prefix sums have been replaced with a Fenwick tree.
In the current syzkaller, program priority was set based on a Signal
received by a single system call. This commit allows priority to be
changed dynamically, making it possible to maintain priority based on
Signals from all system calls.
Signed-off-by: Grigory Bazilevich <g.bazilevich@ispras.ru>

Signed-off-by: Ethan Graham <ethangraham@google.com>

Don't waste time doing focused fuzzing if no modified code has
been reached in 30 minutes after corpus triage.

Set Corpus in HTTPServer dynamically.
Refactor syz-manager and syz-diff accordingly.

Focus area assigns a fuzzing priority to a set of PCs.
When running ChooseProgram(), the corpus will first select a focus area
proportionally to the specified weights, and only then continue with
selecting a program belonging to it.
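The selection mechanism described by the Fenwick tree commit and the focus area commit above, as an added Go example; this is illustration code written for this page, not syzkaller's own pkg/corpus. It assumes that a program is identified by a unique name plus the list of PCs it covers, that a program belongs to a focus area when it covers any PC in the area's set, and that the caller supplies each program's priority (derived from the signal of all its calls). The sample programs, PCs, weights and priorities are constructed.

```go
package main

import "math/rand"

// fenwick is a binary indexed tree over priorities: a point update and a weighted
// pick both cost O(log n), where static prefix sums cost O(n) per priority change.
type fenwick struct {
	tree  []int64 // 1-indexed partial sums
	prios []int64 // current priority of each entry, 0-indexed
	sum   int64   // total of prios
}

// Set replaces entry i's priority, patching the O(log n) nodes covering it.
func (f *fenwick) Set(i int, prio int64) {
	delta := prio - f.prios[i]
	f.prios[i], f.sum = prio, f.sum+delta
	for j := i + 1; j < len(f.tree); j += j & -j {
		f.tree[j] += delta
	}
}

// Find returns the entry whose weight interval holds target (0 <= target < sum);
// priority-0 entries own an empty interval and are never returned.
func (f *fenwick) Find(target int64) int {
	pos, step := 0, 1
	for step*2 <= len(f.prios) {
		step *= 2
	}
	for ; step > 0; step >>= 1 {
		if next := pos + step; next <= len(f.prios) && f.tree[next] <= target {
			pos, target = next, target-f.tree[next]
		}
	}
	return pos // largest 1-indexed prefix with sum <= target == 0-indexed owner
}

// FocusArea is a weighted PC set (assumed shape); a program belongs to it if it covers any of the PCs.
type FocusArea struct {
	Weight  int64
	PCs     map[uint64]bool
	members []string // program names in this area
	chooser *fenwick // member priorities, indexed like members
}

// BuildAreas assigns each program (name -> covered PCs) to the areas it touches.
func BuildAreas(cover map[string][]uint64, areas []*FocusArea) {
	for _, a := range areas {
		for name, pcs := range cover {
			for _, pc := range pcs {
				if a.PCs[pc] {
					a.members = append(a.members, name)
					break
				}
			}
		}
		a.chooser = &fenwick{tree: make([]int64, len(a.members)+1), prios: make([]int64, len(a.members))}
	}
}

// SetPriority pushes a program's new priority (supplied by the caller) into every area holding it.
func SetPriority(areas []*FocusArea, name string, prio int64) {
	for _, a := range areas {
		for mi, m := range a.members {
			if m == name {
				a.chooser.Set(mi, prio)
			}
		}
	}
}

// ChooseProgram picks an area proportionally to Weight, then a member proportionally to
// priority. Areas whose members are all at priority 0 are skipped: rand.Int63n(0) would panic.
func ChooseProgram(areas []*FocusArea, rng *rand.Rand) (string, bool) {
	live, total := []*FocusArea(nil), int64(0)
	for _, a := range areas {
		if a.chooser.sum > 0 {
			live, total = append(live, a), total+a.Weight
		}
	}
	if total == 0 {
		return "", false
	}
	r, i := rng.Int63n(total), 0
	for r >= live[i].Weight {
		r, i = r-live[i].Weight, i+1
	}
	a := live[i]
	return a.members[a.chooser.Find(rng.Int63n(a.chooser.sum))], true
}

// SampleAreas is constructed input: a "modified" area over two PCs (weight 3) and
// a second area over two other PCs (weight 1), with program priorities 5, 1 and 2.
func SampleAreas() []*FocusArea {
	areas := []*FocusArea{{Weight: 3, PCs: map[uint64]bool{0x1000: true, 0x1008: true}}, {Weight: 1, PCs: map[uint64]bool{0x2000: true, 0x3000: true}}}
	BuildAreas(map[string][]uint64{"open-read": {0x1000, 0x1004}, "mmap": {0x2000}, "ioctl": {0x1008, 0x3000}}, areas)
	for name, prio := range map[string]int64{"open-read": 5, "mmap": 1, "ioctl": 2} {
		SetPriority(areas, name, prio)
	}
	return areas
}
```

With the sample data, "ioctl" belongs to both areas, so its share of picks is 3/4 of 2/7 plus 1/4 of 2/3. Lowering a priority to 0 retires a program from selection without rebuilding anything, and once every member of an area is at 0 the area drops out of the first-level draw, which is the case that would otherwise reach rand.Int63n(0).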

Occasionally, deflake() and minimize() fail and we end up with huge
programs in the syzkaller corpus. Huge programs in the corpus, in turn,
lead to slower corpus triage and slower exec/sec overall, since many of
the executed programs are based on the ones from the corpus.
A slightly bigger corpus with on average shorter and more focused
programs sounds like a more desirable outcome.
Give preference to smaller programs during minimization. It should
hopefully improve the situation over time.

Go package names should generally be singular form:
https://go.dev/blog/package-names
https://rakyll.org/style-packages
https://groups.google.com/g/golang-nuts/c/buBwLar1gNw

New is a more idiomatic name and is shorter
(lines where stats.Create is used are usually long,
so making them a bit shorter is good).

We only need the serialized representation for some rare operations
(some web UI pages, and first hub connect). Don't keep them in memory.
In my instance this saves 503MB (15.5%) of heap,
which reduces RSS by 1GB (2x due to GC).

Take some arm64 devices for example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PC, we will get a wrong module address
recovered.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
kaslr is enabled for the core kernel and modules.
- remove unused pcBase

There's still a risk of a race between the pointer overwriting and
accesses to the embedded object.
Let's use an internal replace() method instead.

Add ability for each package to create and export its own stats.
Each stat is self-contained, describes how it should be presented,
and there is no need to copy them from one package to another.
Stats also keep historical data and allow building graphs over time.

The following two operations were in conflict:
1) Overwriting of corpus.ProgramsList in Minimize().
2) ProgramsList.ChooseProgram() that used its own mutex.
Instead of overwriting the object, let's create a new one.

Currently we throw away saturated calls only after triage/minimization.
Triage/minimization is unnecessary for saturated calls,
we already know we will throw them away later.
Don't send saturated calls for triage/minimization.

Once in 15 minutes, drop 1000 elements of the pure max signal (that is,
max signal minus corpus signal).
It seems to have a positive effect on the total fuzzing performance.

Instead of doing fuzzing in parallel in the running VM, make all decisions
in the host syz-manager process.
Instantiate and keep a fuzzer.Fuzzer object in syz-manager and update
the RPC between syz-manager and syz-fuzzer to exchange exact programs to
execute and their resulting signal and coverage.
To optimize the networking traffic, exchange mostly only the difference
between the known max signal and the detected signal.

Stats() seems to be a more sound choice since these structures include
multiple data points.

pkg/fuzzer and syz-manager have common corpus functionality that can
well be unified.
Create a separate pkg/corpus package that would be used by both of them.
It will simplify further work of moving pkg/fuzzer to the host.