From e13a05ed99be3112220ed09062bd52e1c0a2ffb6 Mon Sep 17 00:00:00 2001 From: Aleksandr Nogikh Date: Mon, 31 Jan 2022 16:06:41 +0000 Subject: syz-manager: retriage disabled progs There are some syscalls (e.g. perf_event_open) which do not really affect the behavior of other calls, but affect their coverage. Therefore, they appear quite often in the corpus and when we disable them, we might drop a significant share of it. Give such dropped programs a second chance by removing disabled calls from them and then re-minimizing the leftover in syz-fuzzer.
---
 syz-manager/manager.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/syz-manager/manager.go b/syz-manager/manager.go
index 2a983c929..b5d068a02 100644
--- a/syz-manager/manager.go
+++ b/syz-manager/manager.go
@@ -536,6 +536,18 @@ func (mgr *Manager) loadProg(data []byte, minimized, smashed bool) bool {
 // We won't execute it, but remember its hash so
 // it is not deleted during minimization.
 mgr.disabledHashes[hash.String(data)] = struct{}{}
+ } else {
+ // We cut out the disabled syscalls and let syz-fuzzer retriage and
+ // minimize what remains from the prog. The original prog will be
+ // deleted from the corpus.
+ leftover := programLeftover(mgr.target, mgr.targetEnabledSyscalls, data)
+ if len(leftover) > 0 {
+ mgr.candidates = append(mgr.candidates, rpctype.Candidate{
+ Prog: leftover,
+ Minimized: false,
+ Smashed: smashed,
+ })
+ }
 }
 return true
 }
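Review bot: Nothing in the new else branch stops the same `leftover` from being queued more than once: corpus programs that differ only in a disabled call (the commit message names perf_event_open) would strip down to identical bytes, and each copy is appended to `mgr.candidates` for triage. If no later stage deduplicates candidates, a set keyed by `hash.String(leftover)` checked before the append would avoid the repeated work. The `if` this else belongs to and the rest of loadProg lie outside the hunk, so this is based only on the lines shown.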
@@ -547,6 +559,22 @@ func (mgr *Manager) loadProg(data []byte, minimized, smashed bool) bool {
 return true
 }

+func programLeftover(target *prog.Target, enabled map[*prog.Syscall]bool, data []byte) []byte {
+ p, err := target.Deserialize(data, prog.NonStrict)
+ if err != nil {
+ panic(fmt.Sprintf("subsequent deserialization failed: %s", data))
+ }
+ for i := 0; i < len(p.Calls); {
+ c := p.Calls[i]
+ if !enabled[c.Meta] {
+ p.RemoveCall(i)
+ continue
+ }
+ i++
+ }
+ return p.Serialize()
+}
+
 func checkProgram(target *prog.Target, enabled map[*prog.Syscall]bool, data []byte) (bad, disabled bool) {
 p, err := target.Deserialize(data, prog.NonStrict)
 if err != nil {
-- cgit mrf-deployment
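Review bot: The panic in programLeftover drops `err` and dumps the raw program with `%s`, so if the second parse ever does fail, syz-manager goes down with no reason in the message. Keep the error in it, `panic(fmt.Sprintf("subsequent deserialization failed: %v\n%s", err, data))`, or return nil and let the caller's `len(leftover) > 0` check skip the entry. The function also has no doc comment; something like `// programLeftover deserializes data, removes every call whose syscall is not in enabled, and returns the re-serialized program.` would state the contract.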