Need help in specifying grammar


SACHIN GROVER
Oct 7, 2021, 3:02:53 AM
to syzkaller
Hi Dmitry,

Is there a way I can pass the actual length of the array, instead of the length of a struct member like below?

struct A {
	devices	len[hdls, int32]	// this length should equal the number of handles actually filled by syzkaller in the array; if syzkaller filled 2 handles, the devices member should get the value 2
	handles	array[handle, 24]
}

In the above case, I am always getting the length as 24.

Thanks,
Sachin

Dmitry Vyukov
Oct 7, 2021, 3:30:52 AM
to SACHIN GROVER, syzkaller
This 24 here specifies a fixed-size array with size 24:

> handles array[handle, 24]

So the length of the array is always 24 and the fuzzer fills in 24
elements always.
So you are getting what you are asking for.

If you want a variable-size array, you need to say:

handles array[handle]

SACHIN GROVER
Oct 8, 2021, 5:20:16 AM
to syzkaller

Hi,

A couple of problems I am facing.

I have multiple syscalls which are dependent on each other, and I have used "resource" to specify the dependency among them.

1. Is there a way to bump the priority of particular syscalls? I see some syscalls are running with very low priority and hence the corpus shows hardly 1-2 programs for them, but other ioctls have many more programs in the corpus. An image of the same is attached.

2. I tried to provide an initial corpus so that syzkaller can maintain the sequence of 6 syscalls that I want in sequence (I used resources for the dependencies here in the descriptors) and used r1, r2 and other variables just like in the sys*/test/ folder to make the initial corpus. But I see that syzkaller has never tried this sequence in 30 hours of running.
Is there any way to check if my initial corpus is correct, i.e. how to check if all 6 syscalls go through correctly in the specified sequence?

Thanks,
Sachin
syscalls.PNG

Dmitry Vyukov
Oct 11, 2021, 7:19:28 AM
to SACHIN GROVER, syzkaller
On Fri, 8 Oct 2021 at 11:20, SACHIN GROVER <coolway...@gmail.com> wrote:
>
> Hi,
>
> A couple of problems I am facing.
>
> I have multiple syscalls which are dependent on each other, and I have used "resource" to specify the dependency among them.
>
> 1. Is there a way to bump the priority of particular syscalls? I see some syscalls are running with very low priority and hence the corpus shows hardly 1-2 programs for them, but other ioctls have many more programs in the corpus. An image of the same is attached.

There is no way to manually change priorities.
But it is coverage-guided, and it adds more programs for a particular call
to the corpus if this call gives different kernel coverage with
different arguments.
From your screenshot it looks like the ioctl just bails out very early
and does not actually give any interesting coverage. If that's the
case, that's what needs to be fixed. It's not related to priorities,
nor should it be fixed by changing priorities.


> 2. I tried to provide an initial corpus so that syzkaller can maintain the sequence of 6 syscalls that I want in sequence (I used resources for the dependencies here in the descriptors) and used r1, r2 and other variables just like in the sys*/test/ folder to make the initial corpus. But I see that syzkaller has never tried this sequence in 30 hours of running.
> Is there any way to check if my initial corpus is correct, i.e. how to check if all 6 syscalls go through correctly in the specified sequence?

See:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#testing-of-descriptions


SACHIN GROVER
Oct 11, 2021, 7:27:39 AM
to syzkaller
I already tried syz-runtest and resolved the syntax issues; I am now able to run my test program using syz-runtest. But after I pack it into corpus.db and run syzkaller, syzkaller is still not using it.

Also, since I have 6-7 syscalls in my test program, is there a way to check if we are hitting all the functions that should get hit when calling these 6-7 syscalls in sequence?

Also, is there a way to allocate memory in the fuzzer and pass an fd of that memory to a syscall?

Dmitry Vyukov
Oct 11, 2021, 7:35:20 AM
to SACHIN GROVER, syzkaller
On Mon, 11 Oct 2021 at 13:27, SACHIN GROVER <coolway...@gmail.com> wrote:
>
> I already tried syz-runtest and resolved the syntax issues; I am now able to run my test program using syz-runtest. But after I pack it into corpus.db and run syzkaller, syzkaller is still not using it.

My first guess would be that it's using the program, but the program
does not give any coverage, so it throws it away as uninteresting.

> Also, since I have 6-7 syscalls in my test program, is there a way to check if we are hitting all the functions that should get hit when calling these 6-7 syscalls in sequence?

syz-runtest verifies syscall return values.
If your syscalls can return success but still not do what you expect
them to do, you can use coverage reports. You can collect per-syscall
coverage with syz-execprog; there is a -cover-something flag. And then
use tools/syz-cover to generate code coverage reports and assess them.
Or the coverage trace files produced by syz-execprog can be piped to
addr2line, and then you can assess these traces directly.

SACHIN GROVER
Oct 14, 2021, 3:48:00 AM
to syzkaller
Is there any way to allocate memory in userspace now? I see malloc is not allowed. My use case is that I need to allocate memory in userspace and pass an fd of that memory to an ioctl.

Dmitry Vyukov
Oct 14, 2021, 6:21:40 AM
to SACHIN GROVER, syzkaller
On Thu, 14 Oct 2021 at 09:48, SACHIN GROVER <coolway...@gmail.com> wrote:
>
> Is there any way to allocate memory in userspace now? I see malloc is not allowed. My use case is that I need to allocate memory in userspace and pass an fd of that memory to an ioctl.

What is "fd of memory"?
If you send a PR with what you are trying to describe, it will make
things easier to answer.

SACHIN GROVER
Oct 18, 2021, 6:09:55 AM
to syzkaller
I was able to use a DMA-buf fd by calling the ION_ALLOC ioctl. Thanks for the help.

syz-cover does not seem to work on out-of-tree modules; is there any way to parse the raw coverage and symbolize it to get the coverage info for modules?

Dmitry Vyukov
Oct 18, 2021, 5:04:39 PM
to SACHIN GROVER, syzkaller
On Mon, 18 Oct 2021 at 12:09, SACHIN GROVER <coolway...@gmail.com> wrote:
>
> I was able to use a DMA-buf fd by calling the ION_ALLOC ioctl. Thanks for the help.
>
> syz-cover does not seem to work on out-of-tree modules; is there any way to parse the raw coverage and symbolize it to get the coverage info for modules?

Yes, I think tools/syz-cover was never extended to support modules.
We probably need syz-manager to also export module info/addresses, and
then make tools/syz-cover accept and use that file.

SACHIN GROVER
Nov 29, 2021, 1:57:12 AM
to syzkaller
I tried to run some initial corpus using syz-execprog. Below are the logs that I am getting from the executor; may I know what these errno values are and how we can interpret them?

spawned worker pid 2
#0 [453ms] -> openat$A(0xffffffffffffff9c, 0x20000040, 0x2, 0x0)
#0 [465ms] <- openat$A=0x3 errno=14 cover=158126
#0 [487ms] -> ioctl$A_CMD(0x3, 0xc01856c0, 0x20000080)
#0 [499ms] <- ioctl$A_CMD=0x0 errno=14 cover=262143
#0 [509ms] -> ioctl$C(0xffffffffffffffff, 0xc01856c0, 0x20000100)
#0 [509ms] <- ioctl$C=0xffffffffffffffff errno=9 cover=2
#0 [509ms] -> close(0x3)
#0 [894ms] <- close=0x0 errno=14 cover=262143
#0 [901ms] -> close(0xffffffffffffffff)
#0 [901ms] <- close=0xffffffffffffffff errno=9 cover=4

Dmitry Vyukov
Nov 29, 2021, 2:18:40 AM
to SACHIN GROVER, syzkaller

Hi Sachin,

The errno is the standard Unix/Linux errno; you can find
information about errno in multiple sources on the internet, e.g.:
https://www.thegeekstuff.com/2010/10/linux-error-codes/

Note errno is relevant only if the syscall returns 0xffffffffffffffff.
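To make the rule above mechanical, here is an added Python parser (not from the thread or from syzkaller) that reads the executor lines syz-execprog prints, decodes errno to its name only for calls that returned 0xffffffffffffffff, and ignores the stale errno on successful calls; the sample log is constructed to mirror the one quoted above.

```python
import errno
import re

# Constructed sample of syz-execprog executor output, modelled on the lines
# quoted in the thread (not a capture of a real run).
SAMPLE_LOG = """\
spawned worker pid 2
#0 [453ms] -> openat$A(0xffffffffffffff9c, 0x20000040, 0x2, 0x0)
#0 [465ms] <- openat$A=0x3 errno=14 cover=158126
#0 [487ms] -> ioctl$A_CMD(0x3, 0xc01856c0, 0x20000080)
#0 [499ms] <- ioctl$A_CMD=0x0 errno=14 cover=262143
#0 [509ms] -> ioctl$C(0xffffffffffffffff, 0xc01856c0, 0x20000100)
#0 [509ms] <- ioctl$C=0xffffffffffffffff errno=9 cover=2
#0 [509ms] -> close(0x3)
#0 [894ms] <- close=0x0 errno=14 cover=262143
"""

# Only the "<-" lines carry a result: call name, return value, errno and cover count.
RESULT_RE = re.compile(
    r"^#\d+ \[\d+ms\] <- (?P<call>\S+?)=(?P<ret>0x[0-9a-fA-F]+)"
    r" errno=(?P<errno>\d+) cover=(?P<cover>\d+)\s*$")

FAILED = 0xFFFFFFFFFFFFFFFF   # the executor prints a -1 return as an unsigned 64-bit value

def parse_results(log):
    """One dict per completed call; errno is decoded only when the call failed."""
    results = []
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue                     # "->" lines and worker chatter carry no result
        ret = int(m["ret"], 16)
        code = int(m["errno"])
        failed = ret == FAILED
        results.append({
            "call": m["call"],
            "ret": ret,
            "failed": failed,
            # a successful call leaves a stale errno behind (EFAULT here), so ignore it
            "errno": (code, errno.errorcode.get(code, "?")) if failed else None,
            "cover": int(m["cover"]),
        })
    return results

def failures(log):
    """(call, errno name) for every call that actually returned -1."""
    return [(r["call"], r["errno"][1]) for r in parse_results(log) if r["failed"]]
```

Running `failures(SAMPLE_LOG)` on the sample reports only `ioctl$C` with EBADF, the one call that really failed; the errno=14 on the successful calls is noise.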

SACHIN GROVER
Nov 30, 2021, 1:15:27 AM
to syzkaller
Thanks, this helped, but I am seeing another issue: after putting some prints in the driver, I found copy_to_user is failing.

corpus:

ioctl1   -> fill r4
ioctl2   -> fill r5
ioctl$some_CMD(r0, 0xc01856c0, &AUTO=@u1={0x118, 0x20c, 0x1, 0x0, &AUTO={r4, 0x1, [r5], <r6=>0x0}})    // r4 and r5 are inputs coming from the other ioctls, r6 is the output

if (copy_to_user(u64_to_user_ptr(k_ioctl->handle),  /* the last arg in @u1 above, assigned with &AUTO */
                 &v.info, sizeof(struct info_struct))) {
	rc = -EFAULT;                                    /* failing here */
}

Is there any way to know why copy_to_user is failing here?

SACHIN GROVER
Dec 2, 2021, 2:01:09 AM
to syzkaller
Hi,

I was able to resolve the above issues and can see that syz-execprog is running all syscalls correctly and not returning 0xfffffffffff.

I packed it with syz-db, but syzkaller tried the same sequence only once in a few hours of fuzzing, and it also mutated it and removed a couple of resources.

Initial Corpus provided as part of corpus.db:
r0 = openat$video0(0xffffffffffffff9c, &AUTO='/dev/video0\x00', 0x2, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &AUTO='/dev/v4l-subdev1\x00', 0x2, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &AUTO=@u1={0x10c, 0x8, 0x1, 0x0, &AUTO={<r2=>0x0, nil}})
ioctl$CMD2(r1, 0xc01856c0, &AUTO=@u1={0x102, 0x18, 0x1, 0x00, &AUTO={r2, <r3=>0x0, 0x2, 0xfefefefe, &AUTO=@v1={0x0, AUTO, 0x1, 0x0, &AUTO=[0x8, 0x63c, 0x100, 0x9, 0x7]}}})
ioctl$CMD3(r0, 0xc01856c0, &AUTO=@u1={0x118, 0x20c, 0x1, 0x0, &AUTO={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &AUTO=@u4={0x10f, 0x8, 0x1, 0x0, &AUTO={r2, r4}})
ioctl$CMD5(r0, 0xc01856c0, &AUTO=@u1={0x10d, 0x8, 0x1, 0x0, &AUTO={r2, 0x0}})
close$video0(r0)
close$video1(r1)

On the syzkaller dashboard, syzkaller tried this for CMD4:

r0 = openat$video0(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &(0x7f00000002c0)=@u1={0x10c, 0x8, 0x1, 0x0, &(0x7f0000000300)={<r2=>0x0}})
ioctl$CMD2(r1, 0xc01856c0, &(0x7f0000000340)=@u1={0x102, 0x18, 0x1, 0x0, &(0x7f0000000380)={0x0, <r3=>0x0, 0x0, 0xfefefefe, 0x0}})    // syzkaller has removed the r2 resource from here, due to which this and the subsequent syscalls failed
ioctl$CMD3(r0, 0xc01856c0, &(0x7f0000000440)=@u1={0x118, 0x20c, 0x1, 0x0, &(0x7f0000000480)={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &(0x7f00000006c0)=@u4={0x10f, 0x8, 0x1, 0x0, &(0x7f0000000700)={r2, r4}})

Can you please guide me on how to debug the issue? Does syzkaller not always follow resource dependencies? How can I make sure that syzkaller tries with the resource dependency? If not, there will be very little coverage in the subsequent dependent calls, as the syscall functions will bail out at the start.

Thanks,
Sachin
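To pin down exactly which resource arguments a mutation dropped, here is an added Python check (not part of the thread and not a syzkaller tool) that compares a seed program with the program the dashboard shows; the two programs embedded below are constructed from the ones quoted above, shortened to the parts that carry resources.

```python
import re

# Constructed seed and mutated programs, modelled on the ones quoted in the
# thread (shortened: only the resource tokens matter for this check).
SEED = r"""
r0 = openat$video0(0xffffffffffffff9c, &AUTO='/dev/video0\x00', 0x2, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &AUTO='/dev/v4l-subdev1\x00', 0x2, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &AUTO=@u1={0x10c, 0x8, 0x1, 0x0, &AUTO={<r2=>0x0, nil}})
ioctl$CMD2(r1, 0xc01856c0, &AUTO=@u1={0x102, 0x18, 0x1, 0x0, &AUTO={r2, <r3=>0x0, 0x2}})
ioctl$CMD3(r0, 0xc01856c0, &AUTO=@u1={0x118, 0x20c, 0x1, 0x0, &AUTO={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &AUTO=@u4={0x10f, 0x8, 0x1, 0x0, &AUTO={r2, r4}})
close$video0(r0)
"""
MUTATED = r"""
r0 = openat$video0(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &(0x7f00000002c0)=@u1={0x10c, 0x8, 0x1, 0x0, &(0x7f0000000300)={<r2=>0x0}})
ioctl$CMD2(r1, 0xc01856c0, &(0x7f0000000340)=@u1={0x102, 0x18, 0x1, 0x0, &(0x7f0000000380)={0x0, <r3=>0x0, 0x0}})
ioctl$CMD3(r0, 0xc01856c0, &(0x7f0000000440)=@u1={0x118, 0x20c, 0x1, 0x0, &(0x7f0000000480)={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &(0x7f00000006c0)=@u4={0x10f, 0x8, 0x1, 0x0, &(0x7f0000000700)={r2, r4}})
"""

CALL_RE = re.compile(r"^(?:(r\d+) = )?([\w$]+)\((.*)\)$")
USE_RE = re.compile(r"(?<![<\w])(r\d+)(?![\w=])")   # rN consumed as an argument, not <rN=> defined

def parse_program(text):
    """Return (call name, set of resources the call consumes) in program order."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue                     # blank lines and comments
        _, name, args = m.groups()
        calls.append((name, set(USE_RE.findall(args))))
    return calls

def dropped_resources(seed, mutated):
    """Seed calls whose resource args the mutated program lost; None means the call is gone."""
    remaining = parse_program(mutated)
    report = {}
    for name, uses in parse_program(seed):
        idx = next((i for i, (n, _) in enumerate(remaining) if n == name), None)
        if idx is None:
            report[name] = None          # call removed entirely by mutation
            continue
        _, mut_uses = remaining.pop(idx)  # consume in order so repeated calls pair up
        lost = sorted(uses - mut_uses)
        if lost:
            report[name] = lost
    return report
```

On the two programs above the report is `{'ioctl$CMD2': ['r2'], 'close$video0': None}`, which matches the r2 removal called out in the comment and the calls cut from the tail.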