How syzlang describes multiple resources dependency
200 views
Skip to first unread message
马麟
Mar 17, 2021, 2:58:04 AM3/17/21
to syzkaller
Hi there
I was trying to write my own pseudo-syscall to start fuzzing. That is why I have to add some descriptions using syzlang.
After figuring out the contents in the documentation as well as some examples, I have the following concerns.
Can syzlang support multiple resource descriptions?
The "multiple" I talked about here is like maybe one (pseudo-)system call will produce two different resources. These two different resources may be used individually by other syscalls. For code, it looks like
resource my_resource_1[int32]
resource my_resource_2[int32]
my_new_syscall(....) <= Both my_resource_1/my_resource_2 created in this syscall
some_syscall1(fd my_resource_1)
some_syscall2(fd my_resource_2)
From my point of view, the design of my_new_syscall maybe is not graceful. However, is there any choice I can encode a resource into one struct and split them for other syscalls?
For example, define a resource as int64, which is the concatenation of two int32.
When calling some_syscall1, the resource has to be xor with a mask.
How can I manage to achieve this? Or is there any else way out?
Best wishes.
Dmitry Vyukov
Mar 17, 2021, 3:24:27 AM3/17/21
to 马麟, syzkaller
On Wed, Mar 17, 2021 at 7:58 AM 马麟 <kylin.f...@gmail.com> wrote:
>
> Hi there
> I was trying to write my own pseudo-syscall to start fuzzing. That is why I have to add some descriptions using syzlang.
>
> After figuring out the contents in the documentation as well as some examples, I have the following concerns.
>
> Can syzlang support multiple resource descriptions?
>
> The "multiple" I talked about here is like maybe one (pseudo-)system call will produce two different resources. These two different resources may be used individually by other syscalls. For code, it looks like
>
> resource my_resource_1[int32]
> resource my_resource_2[int32]
>
> my_new_syscall(....) <= Both my_resource_1/my_resource_2 created in this syscall
> some_syscall1(fd my_resource_1)
> some_syscall2(fd my_resource_2)
>
> From my point of view, the design of my_new_syscall maybe is not graceful. However, is there any choice I can encode a resource into one struct and split them for other syscalls?
Hi,
>
> Hi there
> I was trying to write my own pseudo-syscall to start fuzzing. That is why I have to add some descriptions using syzlang.
>
> After figuring out the contents in the documentation as well as some examples, I have the following concerns.
>
> Can syzlang support multiple resource descriptions?
>
> The "multiple" I talked about here is like maybe one (pseudo-)system call will produce two different resources. These two different resources may be used individually by other syscalls. For code, it looks like
>
> resource my_resource_1[int32]
> resource my_resource_2[int32]
>
> my_new_syscall(....) <= Both my_resource_1/my_resource_2 created in this syscall
> some_syscall1(fd my_resource_1)
> some_syscall2(fd my_resource_2)
>
> From my point of view, the design of my_new_syscall maybe is not graceful. However, is there any choice I can encode a resource into one struct and split them for other syscalls?
Yes, this is perfectly supported. A single syscall can return multiple
resources via different pointers, or via multiple fields of a single
struct.
> For example, define a resource as int64, which is the concatenation of two int32.
it as a single int64 in the first.
> When calling some_syscall1, the resource has to be xor with a mask.
>
> How can I manage to achieve this? Or is there any else way out?
design. If it still can be changed, I would go and ask authors to
change it to accepted/common kernel API patterns.
马麟
Mar 17, 2021, 3:36:26 AM3/17/21
to syzkaller
> Yes, this is perfectly supported. A single syscall can return multiple
> resources via different pointers, or via multiple fields of a single
> struct
> resources via different pointers, or via multiple fields of a single
> struct
Woah, that's exactly what I want! I may have to ask for some details. Really appreciate to above timely reply.
1. Through different pointers?
Does this mean I just need to declare pointers as resources and pass them into my pseudo-syscall? I thought these resources type only take effects when they are used as return values.
2. Though struct
> You just declare it as 2 int32 fields
So I need to define a struct as a resource, whose fields are these two int32. When I need to pass one of them into a system call, what expression shall I use to only extract one int32 from this struct? Does simply C expressions like below works?
resource my_resource[my_struct]
some_syscall1(fd my_resource.f1)
some_syscall2(fd my_resource.f2)
my_struct {
f1 int32
f2 int32
}
Anyway, I will try these two solutions in practice. Thanks a lot :)
Dmitry Vyukov
Mar 17, 2021, 3:50:11 AM3/17/21
to 马麟, syzkaller
On Wed, Mar 17, 2021 at 8:36 AM 马麟 <kylin.f...@gmail.com> wrote:
>
> > Yes, this is perfectly supported. A single syscall can return multiple
> > resources via different pointers, or via multiple fields of a single
> > struct
>
> Woah, that's exactly what I want! I may have to ask for some details. Really appreciate to above timely reply.
>
> 1. Through different pointers?
> Does this mean I just need to declare pointers as resources and pass them into my pseudo-syscall? I thought these resources type only take effects when they are used as return values.
>
> 2. Though struct
> > You just declare it as 2 int32 fields
> So I need to define a struct as a resource, whose fields are these two int32. When I need to pass one of them into a system call, what expression shall I use to only extract one int32 from this struct? Does simply C expressions like below works?
>
> resource my_resource[my_struct]
>
> some_syscall1(fd my_resource.f1)
> some_syscall2(fd my_resource.f2)
>
> my_struct {
> f1 int32
> f2 int32
> }
>
> Anyway, I will try these two solutions in practice. Thanks a lot :)
Please see:
>
> > Yes, this is perfectly supported. A single syscall can return multiple
> > resources via different pointers, or via multiple fields of a single
> > struct
>
> Woah, that's exactly what I want! I may have to ask for some details. Really appreciate to above timely reply.
>
> 1. Through different pointers?
> Does this mean I just need to declare pointers as resources and pass them into my pseudo-syscall? I thought these resources type only take effects when they are used as return values.
>
> 2. Though struct
> > You just declare it as 2 int32 fields
> So I need to define a struct as a resource, whose fields are these two int32. When I need to pass one of them into a system call, what expression shall I use to only extract one int32 from this struct? Does simply C expressions like below works?
>
> resource my_resource[my_struct]
>
> some_syscall1(fd my_resource.f1)
> some_syscall2(fd my_resource.f2)
>
> my_struct {
> f1 int32
> f2 int32
> }
>
> Anyway, I will try these two solutions in practice. Thanks a lot :)
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions_syntax.md#resources
and existing description of e.g. pipe syscall.
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/9aca2057-e5b6-454b-ab0d-a8e12e2572a5n%40googlegroups.com.
Lin Horse
Mar 24, 2021, 7:19:53 AM3/24/21
to syzkaller
Hi there (again)~
This time I have learned about the descriptions and also deepen my understanding by writing some examples.
For now, I get some examples that get me puzzled. (I just don't understand about the in/out/inout direction)
# Puzzle-1
=====
resource A[int32]
resource B[int32]
resource C[int32]
syscall1() C
syscall2(para ptr[out my_stru])
syscall3(c C, para ptr[inout my_str])
my_stru {
a A (inout)
b B (inout)
}
=====
In my imagination, the `syscall1` will create resource C; the `syscall2` will create resource A in the struct; the `syscall3` will create resource B in the struct while it needs the help of resource B and C.
P.S. The reason I put A and B into this weird struct is that A and B have special relation. (one A maps to one B in fact)
The result is that syzkaller tells me that no syscalls can create resource A.
Hence I changed the description of syscall2 to
=====
syscall2(para ptr[out A])
=====
However, the syzkaller now tells me that no syscalls can create resource B.
My question is that:
If we define a resource X, we must need at least one syscall that exactly return this type. Or a syscall that whose argument is an out direction pointer to that type. Is this statement right?
# Puzzle-2
For syscall sequence that may be endued with complex logic, I found that syzkaller may get struggled in generating valid corpus. Is there any way out to help syzkaller to do that? For tools like AFL in userspace, people may choose to prepare good test cases as input corpus. However, I didn't find a similar interface in syzkaller to implement that. How can I load some crafted corpus to syzkaller?
Thanks again! Best wishes :)
Lin Ma
Dmitry Vyukov
Mar 24, 2021, 7:46:17 AM3/24/21
to Lin Horse, syzkaller
> # Puzzle-2
>
> For syscall sequence that may be endued with complex logic, I found that syzkaller may get struggled in generating valid corpus. Is there any way out to help syzkaller to do that? For tools like AFL in userspace, people may choose to prepare good test cases as input corpus. However, I didn't find a similar interface in syzkaller to implement that. How can I load some crafted corpus to syzkaller?
https://github.com/google/syzkaller/tree/master/sys/linux/test
syz-manager discovers it based on the "syzkaller" argument in the
config and uses all programs there as corpus seeds.
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#testing-of-descriptions
Lin Horse
Mar 24, 2021, 7:50:08 AM3/24/21
to syzkaller
Gotcha :)
Reply all
Reply to author
Forward
0 new messages