syscalls dependency


Joey Jiao

Aug 27, 2021, 2:33:16 AM8/27/21
to syzkaller
Hi,
We previously had this discussion about having a dependency between the params of one syscall and another, which can be solved by resources.

But can syzkaller support syscall-level dependency?
We need to execute S1 through S6 in sequence, but each syscall can still be called multiple times.
The calling sequence is like below:
S1 open$dev(...) fd
S2 ioctl$dev(fd...,out) // we need out.handle and out.fd
S3 mmap$dev(...out.fd) ptr
S4 memcpy(ptr, random_buf)
S5 open$dev1(...) fd1
S6 ioctl$dev(fd1, cmd, out.handle)

So the question is, can the feature be supported in the grammar?


Dmitry Vyukov

Aug 30, 2021, 1:22:57 AM8/30/21
to Joey Jiao, syzkaller
Hi Joey,

I think this should work as you want if you make the fd returned by S1,
out.fd and out.handle separate resources.

The S4 memcpy is a bit trickier. You can make mmap$dev return a
resource, and then use a syz_memcpy_off specialization to copy random
(or not random) data to the address:
https://github.com/google/syzkaller/blob/be2c130d4c0c511da96ce278486cf0564aeadcea/sys/linux/io_uring.txt#L71-L76
https://github.com/google/syzkaller/blob/be2c130d4c0c511da96ce278486cf0564aeadcea/executor/common_linux.h#L2106-L2118

SACHIN GROVER

Sep 8, 2021, 5:08:13 AM9/8/21
to syzkaller
Hi Dmitry,

I am trying a similar dependency in my local workspace using resources, but even after 20 hours of fuzzing, I see syzkaller has tried only 2 or 3 of the syscalls in sequence, sometimes in random order as well.

I don't see any go program syzkaller has tried so far which includes all the syscalls below in sequence, even though I have made sufficient dependencies using resources and all ioctls are showing up in the active syscalls on the dashboard.

S1 open$dev(...) fd
S2 ioctl$dev(fd...,out) // we need out.handle and out.fd
S3 mmap$dev(...out.fd) ptr
S4 memcpy(ptr, random_buf)
S5 open$dev1(...) fd1
S6 ioctl$dev(fd1, cmd, out.handle)

Thanks,
Sachin

Aleksandr Nogikh

Sep 8, 2021, 1:39:31 PM9/8/21
to syzkaller
Hi Sachin,

Just a suggestion: you might try writing a seed program yourself, and syzkaller will use it as inspiration.

See e.g. the contents of this folder: https://github.com/google/syzkaller/tree/master/sys/linux/test
Syzkaller attempts to run and mutate everything from it right after fuzzing starts. But make sure that the program you've written is valid and actually gives new coverage / does what you want it to do.

--
Best Regards,
Aleksandr

SACHIN GROVER

Sep 10, 2021, 10:29:56 AM9/10/21
to syzkaller
I thought of making a go program as you said and was able to use syz-mutate to some extent.

But I have some syscalls where one syscall produces a struct and another syscall consumes it. I tried giving the (out) direction to the struct and in the other syscall passed the same struct as (in), but since structs are not resources, the syz-mutate go program is not passing the same value around.

I see the resource definition does not specify struct as an underlying type of a resource. Is there a way we can make a dependency here?
e.g.:

ioctl$A(..,.., struct A)
ioctl$B(..,.., struct B)

A {
	i	another_struct	(out)
	j	int32
}

B {
	m	another_struct	(in)
	n	int32
}

Thanks,
Sachin
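
One way to write the S1..S6 chain from Dmitry's suggestion as a syzlang description, which also covers the struct question above by making the struct member that crosses between the two ioctls a resource rather than the whole struct. This is an added illustration, not code from the thread or from syzkaller; the device paths, ioctl constants, struct layouts and the syz_memcpy_off$dev specialization are placeholders, and the memcpy argument order is assumed to follow the io_uring specialization linked earlier.

```syzlang
# Added example, not from the thread. Every name prefixed PLACEHOLDER_ and every
# DEV_/DEV1_ constant must come from the real driver headers (via include <...>).

resource fd_dev[fd]
resource fd_dev1[fd]
resource dev_handle[int32]    # out.handle: produced by S2, consumed by S6
resource dev_buf_fd[fd]       # out.fd: produced by S2, consumed by S3
resource dev_mapping[int64]   # return value of S3, consumed by S4

# S1: the fd is its own resource so only ioctl$dev_alloc can use it.
open$dev(file ptr[in, string["/dev/PLACEHOLDER_dev"]], flags flags[open_flags], mode const[0, intptr]) fd_dev

# S2: out fields typed as resources force a producer before S3 and S6.
ioctl$dev_alloc(fd fd_dev, cmd const[DEV_IOC_ALLOC, intptr], arg ptr[inout, dev_alloc_args])

# S3: return a resource instead of a plain vma so S4 is tied to this mmap.
mmap$dev(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd dev_buf_fd, offset const[0, intptr]) dev_mapping

# S4: pseudo-syscall copy into the mapping (dst, dst_off, src, src_off, nbytes),
# same argument shape as syz_memcpy_off$IORING_SQE in sys/linux/io_uring.txt.
syz_memcpy_off$dev(dst dev_mapping, off int32[0:4096], src ptr[in, array[int8]], src_off const[0, int32], nbytes bytesize[src])

# S5 and S6: the second device consumes the handle produced by S2.
open$dev1(file ptr[in, string["/dev/PLACEHOLDER_dev1"]], flags flags[open_flags], mode const[0, intptr]) fd_dev1
ioctl$dev1_import(fd fd_dev1, cmd const[DEV1_IOC_IMPORT, intptr], arg ptr[in, dev_import_args])

# Only the fields that cross syscalls are resources; the rest stay plain ints,
# which is what makes the struct "A (out) -> B (in)" pattern work.
dev_alloc_args {
	size	int32
	handle	dev_handle	(out)
	buf_fd	dev_buf_fd	(out)
}

dev_import_args {
	handle	dev_handle
	flags	int32
}
```

With this layout a generated program can only reach ioctl$dev1_import after a successful ioctl$dev_alloc has produced a dev_handle, so the ordering is enforced by the resource graph rather than by the seed corpus.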

SACHIN GROVER

Sep 23, 2021, 7:12:42 AM9/23/21
to syzkaller
Even after writing an initial corpus, syzkaller is not able to resolve dependencies and pass the same resource value. I was able to see good coverage happening if there are only two resource dependencies, but for more than that it never fuzzes correctly.

My sequence involves around 6 dependencies, and I never saw a program in the corpus that syzkaller mutated. Syzkaller changes the sequence as well during mutation, even after making them dependent using resources, which is not what I need.
