Branch: refs/heads/gh-readonly-queue/master/pr-6280-770ff59fb77d138f63af2893d3f1c97da2625d05
Home:
https://github.com/google/syzkaller
Commit: c9f0a99247f6d9a6df877720609cbce3dca73b55
https://github.com/google/syzkaller/commit/c9f0a99247f6d9a6df877720609cbce3dca73b55
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
A pkg/kcov/cdefs.go
A pkg/kcov/kcov.go
Log Message:
-----------
pkg/kcov: add pkg/kcov
Add a Go-native KCOV package, with helper functions for tracing a
function. This is in preparation for a standalone KFuzzTest tool,
which should be written in Go in order to take advantage of existing
fuzzing infrastructure.
The hard-coded coverage buffer size is the same as the executor program,
defined as `512 << 10` in `executor/executor.cc`.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 490f32238051336d5a498cbc3ecc47140052b502
https://github.com/google/syzkaller/commit/490f32238051336d5a498cbc3ecc47140052b502
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M docs/syscall_descriptions_syntax.md
M executor/common_linux.h
M pkg/vminfo/linux_syscalls.go
M prog/encodingexec.go
A prog/kfuzztest.go
A prog/kfuzztest_test.go
M prog/types.go
A sys/linux/kfuzztest.txt
Log Message:
-----------
kfuzztest: introduce syz_kfuzztest_run pseudo-syscall
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding
logic.
KFuzzTest targets, which are invoked in the executor with the new
syz_kfuzztest_run pseudo-syscall, require specialized encoding. To
differentiate KFuzzTest calls from standard syzkaller calls, we
introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller
descriptions that can be used to annotate calls.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 4fbe5a7f81ea2167d193a6d1503d3afc6c86329f
https://github.com/google/syzkaller/commit/4fbe5a7f81ea2167d193a6d1503d3afc6c86329f
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M prog/target.go
Log Message:
-----------
prog/target: add Extend method
As KFuzzTest targets are discovered at boot, we need a mechanism for
adding these to the array of enabled system calls. This is implemented
by the new Extend method, which performs this setup.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 91601ce4199e5c85a51aa48270101c7fa5bff51a
https://github.com/google/syzkaller/commit/91601ce4199e5c85a51aa48270101c7fa5bff51a
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M prog/target.go
Log Message:
-----------
prog/target: add fetching function for syz_kfuzztest_run ID
All non-base variants of syz_kfuzztest_run (i.e., those that are
discovered dynamically) are encoded so that they map onto the base
variant which is defined in kfuzztest.txt, and known by the executor.
We add a function for fetching this, that is wrapped in a sync.Once
block to avoid repeated iteration over the target's array of syscalls.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 9a3002038e891237ff5b561f756a0ff6e32d1d2f
https://github.com/google/syzkaller/commit/9a3002038e891237ff5b561f756a0ff6e32d1d2f
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
A pkg/kfuzztest/builder.go
A pkg/kfuzztest/description_generation_test.go
A pkg/kfuzztest/extractor.go
A pkg/kfuzztest/kfuzztest.go
A pkg/kfuzztest/testdata/.gitignore
A pkg/kfuzztest/testdata/1/desc.txt
A pkg/kfuzztest/testdata/1/prog.c
A pkg/kfuzztest/testdata/2/desc.txt
A pkg/kfuzztest/testdata/2/prog.c
A pkg/kfuzztest/testdata/common.h
A pkg/kfuzztest/testdata/linker.ld
A pkg/kfuzztest/types.go
Log Message:
-----------
pkg/kfuzztest: add pkg/kfuzztest
Add a new package, pkg/kfuzztest, that implements dynamic discovery of
KFuzzTest targets by parsing a vmlinux kernel binary.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: f333ae936f1859d357b8efc744915fe7927a6c5d
https://github.com/google/syzkaller/commit/f333ae936f1859d357b8efc744915fe7927a6c5d
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M pkg/mgrconfig/config.go
Log Message:
-----------
pkg/mgrconfig: add experimental enable_kfuzztest boolean flag
Commit: 6c7b65699dcfc2e93d2e7917f6b0e7bab99f2a26
https://github.com/google/syzkaller/commit/6c7b65699dcfc2e93d2e7917f6b0e7bab99f2a26
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M prog/mutation.go
M prog/rand.go
M prog/types.go
Log Message:
-----------
prog: add specialized mutation for KFuzzTest calls
Internal kernel functions (and as a result KFuzzTest) have stricter
contracts than system calls. For this reason, we must avoid mutating
the following cases:
- Length arguments not matching the length of the related buffer.
- Strings not being null-terminated.
Add special cases for KFuzzTest calls that avoid these situations.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: dfd6d26bd3a8046c9be10383cc0d7c83adca05d5
https://github.com/google/syzkaller/commit/dfd6d26bd3a8046c9be10383cc0d7c83adca05d5
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M syz-manager/manager.go
Log Message:
-----------
syz-manager: enable KFuzzTest target discovery
Add logic for dynamic KFuzzTest target discovery in syz-manager. By
default, all KFuzzTest targets are enabled when the enable_kfuzztest
config option is set to true.
Commit: 6e1112d5c5188a4ad2911642c49a7f0b335a0cb7
https://github.com/google/syzkaller/commit/6e1112d5c5188a4ad2911642c49a7f0b335a0cb7
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M pkg/corpus/corpus.go
Log Message:
-----------
pkg/corpus: add Cover() method for returning the corpus' coverage
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 288cfa16e79d64f1dbaafe91d4aee223fe0dd494
https://github.com/google/syzkaller/commit/288cfa16e79d64f1dbaafe91d4aee223fe0dd494
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M Makefile
A pkg/kfuzztest-executor/executor.go
A pkg/kfuzztest-manager/manager.go
A syz-kfuzztest/main.go
Log Message:
-----------
syz-kfuzztest: add syz-kfuzztest executable
syz-kfuzztest is a new standalone tool designed for fuzzing KFuzzTest on a
live kernel VM (e.g., inside QEMU). It has no dependencies on the
executor program, instead directly writing into a KFuzzTest target's
debugfs entry.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 0e3ee7ae77a21c6d598599ac1bf94aefe6d5681d
https://github.com/google/syzkaller/commit/0e3ee7ae77a21c6d598599ac1bf94aefe6d5681d
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
A tools/kfuzztest-gen/main.go
Log Message:
-----------
tools/kfuzztest-gen: add kfuzztest-gen tool
Add a tool for generating a syzkaller description for every KFuzzTest
target discovered in a vmlinux binary and outputting it to stdout.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 6feac83014c7863b431feaca50d89e1abbf2f054
https://github.com/google/syzkaller/commit/6feac83014c7863b431feaca50d89e1abbf2f054
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
A docs/kfuzztest.md
A docs/syz-kfuzztest.md
Log Message:
-----------
docs: add KFuzzTest documentation
Add documentation for syzkaller's KFuzzTest integration, and a separate
documentation file for the syz-kfuzztest program.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: a13ba2b663b7d2761d9ff6cf1165fa4f2f64aa2c
https://github.com/google/syzkaller/commit/a13ba2b663b7d2761d9ff6cf1165fa4f2f64aa2c
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M pkg/fuzzer/fuzzer.go
M pkg/fuzzer/job.go
M prog/rand.go
M syz-manager/manager.go
Log Message:
-----------
pkg/fuzzer: use a smaller number of recommended calls for KFuzzTest
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 00c475bd12fe0219cd0564fc64272452b40d372c
https://github.com/google/syzkaller/commit/00c475bd12fe0219cd0564fc64272452b40d372c
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M tools/syz-prog2c/prog2c.go
Log Message:
-----------
tools/syz-prog2c: add vmlinux parsing stage for KFuzzTest
If vmlinux is specified as a flag, we perform a setup stage where we
parse vmlinux for KFuzzTest targets.
Signed-off-by: Ethan Graham <ethan...@google.com>
Commit: 0ac7291ca51f87df8022da0f66178546e855701a
https://github.com/google/syzkaller/commit/0ac7291ca51f87df8022da0f66178546e855701a
Author: Ethan Graham <ethan...@google.com>
Date: 2025-09-22 (Mon, 22 Sep 2025)
Changed paths:
M executor/common_linux.h
M pkg/kfuzztest/builder.go
M pkg/kfuzztest/testdata/1/desc.txt
M pkg/kfuzztest/testdata/2/desc.txt
M prog/encodingexec.go
M prog/kfuzztest.go
M sys/linux/kfuzztest.txt
Log Message:
-----------
prog: fix syz_kfuzztest_run allocation strategy
Previously, the generated KFuzzTest programs were reusing the address of
the top-level input struct. A problem could arise when the encoded blob
is large and overflows into another allocated region - this certainly
happens in the case where the input struct points to some large char
buffer, for example.
While this wasn't directly a problem, it could lead to racy behavior
when running KFuzzTest targets concurrently.
To fix this, we now introduce an additional buffer parameter into
syz_kfuzztest_run that is as big as the maximum accepted input size in
the KFuzzTest kernel code. When this buffer is allocated, we ensure that
we have some allocated space in the program that can hold the entire
encoded input.
This works in practice, but has not been tested with concurrent
KFuzzTest executions yet.
Compare:
https://github.com/google/syzkaller/compare/c9f0a99247f6%5E...0ac7291ca51f