From 49c11eb5140bbe727be05015f78831043e2fe3a8 Mon Sep 17 00:00:00 2001
From: Victor Chibotaru
Date: Thu, 24 Aug 2017 17:52:57 +0200
Subject: ipc, prog, fuzzer, execprog: add hints generation code
A hint is basically a tuple consisting of a pointer to an argument in one of the syscalls of a program and a value, which should be assigned to that argument. A simplified version of hints workflow looks like this: 1. Fuzzer launches a program and collects all the comparisons' data for every syscall in the program. 2. Next it tries to match the obtained comparison operands' values vs. the input arguments' values. 3. For every such match the fuzzer mutates the program by replacing the pointed argument with the saved value. 4. If a valid program is obtained, then fuzzer launches it and checks if new coverage is obtained. This commit includes: 1. All the code related to hints generation, parsing and mutations. 2. Fuzzer functions to launch the process. 3. Some new stats gathered by fuzzer and manager, related to hints. 4. An updated version of execprog to test the hints process.
---
tools/syz-execprog/execprog.go | 14 ++++++++++++++
1 file changed, 14 insertions(+)
(limited to 'tools')
diff --git a/tools/syz-execprog/execprog.go b/tools/syz-execprog/execprog.go
index a2e530fbf..de2e1f7f3 100644
--- a/tools/syz-execprog/execprog.go
+++ b/tools/syz-execprog/execprog.go
@@ -33,6 +33,7 @@ var (
 flagOutput = flag.String("output", "none", "write programs to none/stdout")
 flagFaultCall = flag.Int("fault_call", -1, "inject fault into this call (0-based)")
 flagFaultNth = flag.Int("fault_nth", 0, "inject fault on n-th operation (0-based)")
+ flagHints = flag.Bool("hints", false, "do a hints-generation run")
 )
 func main() {
@@ -73,6 +74,12 @@ func main() {
 execOpts.Flags |= ipc.FlagCollectCover
 execOpts.Flags &^= ipc.FlagDedupCover
 }
+ if *flagHints {
+ if execOpts.Flags&ipc.FlagCollectCover != 0 {
+ execOpts.Flags ^= ipc.FlagCollectCover
+ }
+ execOpts.Flags |= ipc.FlagCollectComps
+ }
 if *flagFaultCall >= 0 {
 config.Flags |= ipc.FlagEnableFault
@@ -162,6 +169,13 @@ func main() {
 }
 }
 }
+ if *flagHints {
+ compMaps := ipc.GetCompMaps(info)
+ p.MutateWithHints(compMaps, func(p *prog.Prog) {
+ fmt.Printf("%v\n", string(p.Serialize()))
+ })
+ }
+
 return true
 }() {
 return
-- cgit mrf-deployment
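Review bot: The new `if *flagHints` block clears FlagCollectCover with a guarded `^=`, while the line just above it clears FlagDedupCover with the idiomatic `&^=`; the inner `if` plus XOR is equivalent to the single unconditional line `execOpts.Flags &^= ipc.FlagCollectCover`, which reads the same as the existing code and cannot accidentally set the bit if the guard is ever edited. A short comment would also help, since this silently overrides coverage collection enabled by the preceding block (whose condition lies outside the hunk): `// Hints mode collects comparison operands instead of coverage.` main() starts and ends outside this hunk.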
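Review bot: The closure passed to MutateWithHints names its parameter `p`, shadowing the outer `p` (the program just executed) inside the body, so `p.Serialize()` reads ambiguously and is easy to get wrong in later edits; rename it, e.g. `p.MutateWithHints(compMaps, func(hp *prog.Prog) {` and `fmt.Printf("%s\n", hp.Serialize())`. The `%s` verb prints the serialized bytes directly and drops the `string(...)` copy that `%v` required. The mutated programs appear to be printed regardless of the `-output` flag, which seems intended for a generation-only run but is worth stating in the `-hints` flag help. main() starts outside this hunk.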