From 1336586b42f6118b19c3da932fd615e85a47c0b5 Mon Sep 17 00:00:00 2001 From: Victor Chibotaru Date: Wed, 16 Aug 2017 14:09:58 +0200 Subject: executor, fuzzer: change the way Syzkaller opens the KCOV device We have implemented a new version of KCOV, which is able to dump comparison operands' data, obtained from Clang's instrumentation hooks __sanitizer_cov_trace_cmp[1248], __sanitizer_cov_trace_const_cmp[1248] and __sanitizer_cov_trace_switch. Current KCOV implementation can work in two modes: "Dump only the PCs" or "Dump only comparisons' data". Mode selection is done by the following series of calls: fd = open(KCOV_PATH, ...); // works as previous ioctl(fd, KCOV_INIT_TRACE, ...); // works as previous mmap(fd, ...); // works as previous ioctl(fd, KCOV_ENABLE, mode); // mode = KCOV_MODE_TRACE_CMP or mode = KCOV_MODE_TRACE_PC Note that this new interface is backwards compatible, as old KCOV devices will just return -EINVAL for the last ioctl. This way we can distinguish if the KCOV device is able to dump the comparisons. Main changes in this commit: 1. Fuzzer now checks at startup which type (new/old) of KCOV device is running. 2. Executor now receives an additional flag, which indicates if executor should read the comparisons data from KCOV. The flag works on per-call basis, so executor can collect PCs or Comps for each individual syscall. --- sys/sys_arm.const | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'sys/sys_arm.const') diff --git a/sys/sys_arm.const b/sys/sys_arm.const index 6b6dc9cad..3b51f34ce 100644 --- a/sys/sys_arm.const +++ b/sys/sys_arm.const @@ -194,6 +194,10 @@ KCMP_IO = 5 KCMP_SIGHAND = 4 KCMP_SYSVSEM = 6 KCMP_VM = 1 +KCOV_ENABLE = 25444 +KCOV_INIT_TRACE = 2147771137 +KCOV_TRACE_CMP = 1 +KCOV_TRACE_PC = 0 KEXEC_ARCH_386 = 196608 KEXEC_ARCH_ARM = 2621440 KEXEC_ARCH_IA_64 = 3276800 -- cgit mrf-deployment
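Review bot: the mode names in the commit message do not match the constants this hunk adds to sys/sys_arm.const: the message describes the last ioctl as `ioctl(fd, KCOV_ENABLE, mode); // mode = KCOV_MODE_TRACE_CMP or mode = KCOV_MODE_TRACE_PC`, while the file gains `KCOV_TRACE_CMP = 1` and `KCOV_TRACE_PC = 0`; the message should use the same names as the generated constants so that anyone reading the log can grep for them. As a sanity check on the arch-specific values, `KCOV_INIT_TRACE = 2147771137` is 0x80046301, a read-direction ioctl number with a 4-byte argument size, which is the right encoding for an `unsigned long` on 32-bit ARM (a 64-bit target would carry an 8-byte size instead), and `KCOV_ENABLE = 25444` is 0x6364, a plain ioctl with no argument size, so these do look like values extracted for arm rather than copied from a 64-bit target. The four lines are inserted in alphabetical order between the KCMP_ and KEXEC_ entries, consistent with the rest of the file.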