From 9b1f3e665308ee2ddd5b3f35a078219b5c509cdb Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Sat, 7 Mar 2020 13:12:35 +0100
Subject: prog: control program length

We have _some_ limits on program length, but they are really soft. When we ask to generate a program with 10 calls, sometimes we get 100-150 calls. There are also no checks when we accept external programs from corpus/hub. Issue #1630 contains an example where this crashes VM (executor limit on number of 1000 resources is violated). Larger programs also harm the process overall (slower, consume more memory, lead to monster reproducers, etc). Add a set of measure for hard control over program length. Ensure that generated/mutated programs are not too long; drop too long programs coming from corpus/hub in manager; drop too long programs in hub. As a bonus ensure that mutation don't produce programs with 0 calls (which is currently possible and happens).
Fixes #1630
---
 tools/syz-mutate/mutate.go | 2 +-
 tools/syz-stress/stress.go | 10 ++++------
 2 files changed, 5 insertions(+), 7 deletions(-)
(limited to 'tools')
diff --git a/tools/syz-mutate/mutate.go b/tools/syz-mutate/mutate.go
index 1ed4704e2..3dcc446c6 100644
--- a/tools/syz-mutate/mutate.go
+++ b/tools/syz-mutate/mutate.go
@@ -24,7 +24,7 @@ var (
 flagOS = flag.String("os", runtime.GOOS, "target os")
 flagArch = flag.String("arch", runtime.GOARCH, "target arch")
 flagSeed = flag.Int("seed", -1, "prng seed")
- flagLen = flag.Int("len", 30, "number of calls in programs")
+ flagLen = flag.Int("len", prog.RecommendedCalls, "number of calls in programs")
 flagEnable = flag.String("enable", "", "comma-separated list of enabled syscalls")
 flagCorpus = flag.String("corpus", "", "name of the corpus file")
 )
diff --git a/tools/syz-stress/stress.go b/tools/syz-stress/stress.go
index 3ca669a1b..18d4fa872 100644
--- a/tools/syz-stress/stress.go
+++ b/tools/syz-stress/stress.go
@@ -41,8 +41,6 @@ var (
 gate *ipc.Gate
 )
 
-const programLength = 30
-
 func main() {
 flag.Usage = func() {
 flag.PrintDefaults()
@@ -99,15 +97,15 @@ func main() {
 for i := 0; ; i++ {
 var p *prog.Prog
 if *flagGenerate && len(corpus) == 0 || i%4 != 0 {
- p = target.Generate(rs, programLength, ct)
+ p = target.Generate(rs, prog.RecommendedCalls, ct)
 execute(pid, env, execOpts, p)
- p.Mutate(rs, programLength, ct, corpus)
+ p.Mutate(rs, prog.RecommendedCalls, ct, corpus)
 execute(pid, env, execOpts, p)
 } else {
 p = corpus[rnd.Intn(len(corpus))].Clone()
- p.Mutate(rs, programLength, ct, corpus)
+ p.Mutate(rs, prog.RecommendedCalls, ct, corpus)
 execute(pid, env, execOpts, p)
- p.Mutate(rs, programLength, ct, corpus)
+ p.Mutate(rs, prog.RecommendedCalls, ct, corpus)
 execute(pid, env, execOpts, p)
 }
 }
-- cgit mrf-deployment
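Review bot: In the `else` branch of the second stress.go hunk the program comes from `corpus[rnd.Intn(len(corpus))].Clone()`, i.e. from an externally supplied corpus file, and nothing visible here bounds its length before the first `execute`; passing `prog.RecommendedCalls` to `Mutate` only helps if `Mutate` is guaranteed to trim an over-long input, which cannot be confirmed from this hunk. The commit message names unchecked corpus programs as the cause of the executor crash in #1630 and adds a drop step in manager and hub, but syz-stress loads its corpus on its own path (outside this hunk), so it is worth confirming the same drop is applied there. If it is not, a guard right after the `Clone()` such as `if len(p.Calls) > limit { continue }`, with `limit` standing for the hard cap this commit introduces in `prog`, would keep the tool within the executor's limits. `main` starts before and continues after the hunk.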