prog

package
v0.0.0-...-f0d17a2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2023 License: Apache-2.0, Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ExecArgCsumChunkData = uint64(iota)
	ExecArgCsumChunkConst
)
View Source
const (
	ExecBufferSize = 2 << 20
	ExecNoCopyout  = ^uint64(0)
)
View Source
const (
	ExecArgCsumInet = uint64(iota)
)
View Source
const (
	MaxPids = 32
)

Variables

This section is empty.

Functions

func CallSet

func CallSet(data []byte) (map[string]struct{}, error)

CallSet returns a set of all calls in the program. It does very conservative parsing and is intended to parse paste/future serialization formats.

func Debug

func Debug()

func DecodeFallbackSignal

func DecodeFallbackSignal(s uint32) (callID, errno int)

func EncodeData

func EncodeData(buf *bytes.Buffer, data []byte, readable bool)

func ForeachArg

func ForeachArg(c *Call, f func(Arg, *ArgCtx))

func ForeachSubArg

func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx))

func ForeachType

func ForeachType(meta *Syscall, f func(Type))

func IsPad

func IsPad(t Type) bool

func RegisterTarget

func RegisterTarget(target *Target, initArch func(target *Target))

func RequiredFeatures

func RequiredFeatures(p *Prog) (bitmasks, csums bool)

Types

type Arg

type Arg interface {
	Type() Type
	Size() uint64
	// contains filtered or unexported methods
}

func InnerArg

func InnerArg(arg Arg) Arg

Returns inner arg for pointer args.

type ArgCommon

type ArgCommon struct {
	// contains filtered or unexported fields
}

func (*ArgCommon) Type

func (arg *ArgCommon) Type() Type

type ArgCtx

type ArgCtx struct {
	Parent *[]Arg      // GroupArg.Inner (for structs) or Call.Args containing this arg
	Base   *PointerArg // pointer to the base of the heap object containing this arg
	Offset uint64      // offset of this arg from the base
	Stop   bool        // if set by the callback, subargs of this arg are not visited
}

type ArrayKind

type ArrayKind int
const (
	ArrayRandLen ArrayKind = iota
	ArrayRangeLen
)

type ArrayType

type ArrayType struct {
	TypeCommon
	Type       Type
	Kind       ArrayKind
	RangeBegin uint64
	RangeEnd   uint64
}

func (*ArrayType) DefaultArg

func (t *ArrayType) DefaultArg() Arg

func (*ArrayType) String

func (t *ArrayType) String() string

type BinaryFormat

type BinaryFormat int
const (
	FormatNative BinaryFormat = iota
	FormatBigEndian
	FormatStrDec
	FormatStrHex
	FormatStrOct
)

type BufferKind

type BufferKind int
const (
	BufferBlobRand BufferKind = iota
	BufferBlobRange
	BufferString
	BufferFilename
	BufferText
)

type BufferType

type BufferType struct {
	TypeCommon
	Kind       BufferKind
	RangeBegin uint64   // for BufferBlobRange kind
	RangeEnd   uint64   // for BufferBlobRange kind
	Text       TextKind // for BufferText
	SubKind    string
	Values     []string // possible values for BufferString kind
	NoZ        bool     // non-zero terminated BufferString/BufferFilename
}

func (*BufferType) DefaultArg

func (t *BufferType) DefaultArg() Arg

func (*BufferType) String

func (t *BufferType) String() string

type Builder

type Builder struct {
	// contains filtered or unexported fields
}

func MakeProgGen

func MakeProgGen(target *Target) *Builder

func (*Builder) Allocate

func (pg *Builder) Allocate(size uint64) uint64

func (*Builder) AllocateVMA

func (pg *Builder) AllocateVMA(npages uint64) uint64

func (*Builder) Append

func (pg *Builder) Append(c *Call) error

func (*Builder) Finalize

func (pg *Builder) Finalize() (*Prog, error)

type Call

type Call struct {
	Meta    *Syscall
	Args    []Arg
	Ret     *ResultArg
	Comment string
}

type CallFlags

type CallFlags int
const (
	CallExecuted CallFlags = 1 << iota // was started at all
	CallFinished                       // finished executing (rather than blocked forever)
	CallBlocked                        // finished but blocked during execution
)

type CallInfo

type CallInfo struct {
	Flags  CallFlags
	Errno  int
	Signal []uint32
}

type ChoiceTable

type ChoiceTable struct {
	// contains filtered or unexported fields
}

ChooseTable allows to do a weighted choice of a syscall for a given syscall based on call-to-call priorities and a set of enabled syscalls.

func (*ChoiceTable) Choose

func (ct *ChoiceTable) Choose(r *rand.Rand, call int) int

type CompMap

type CompMap map[uint64]map[uint64]bool

Example: for comparisons {(op1, op2), (op1, op3), (op1, op4), (op2, op1)} this map will store the following:

m = {
		op1: {map[op2]: true, map[op3]: true, map[op4]: true},
		op2: {map[op1]: true}
}.

func (CompMap) AddComp

func (m CompMap) AddComp(arg1, arg2 uint64)

func (CompMap) String

func (m CompMap) String() string

type ConstArg

type ConstArg struct {
	ArgCommon
	Val uint64
}

Used for ConstType, IntType, FlagsType, LenType, ProcType and CsumType.

func MakeConstArg

func MakeConstArg(t Type, v uint64) *ConstArg

func (*ConstArg) Size

func (arg *ConstArg) Size() uint64

func (*ConstArg) Value

func (arg *ConstArg) Value() (uint64, uint64)

Value returns value, pid stride and endianness.

type ConstType

type ConstType struct {
	IntTypeCommon
	Val   uint64
	IsPad bool
}

func (*ConstType) DefaultArg

func (t *ConstType) DefaultArg() Arg

func (*ConstType) String

func (t *ConstType) String() string

type ConstValue

type ConstValue struct {
	Name  string
	Value uint64
}

type CsumChunk

type CsumChunk struct {
	Kind  CsumChunkKind
	Arg   Arg    // for CsumChunkArg
	Value uint64 // for CsumChunkConst
	Size  uint64 // for CsumChunkConst
}

type CsumChunkKind

type CsumChunkKind int
const (
	CsumChunkArg CsumChunkKind = iota
	CsumChunkConst
)

type CsumInfo

type CsumInfo struct {
	Kind   CsumKind
	Chunks []CsumChunk
}

type CsumKind

type CsumKind int
const (
	CsumInet CsumKind = iota
	CsumPseudo
)

type CsumType

type CsumType struct {
	IntTypeCommon
	Kind     CsumKind
	Buf      string
	Protocol uint64 // for CsumPseudo
}

func (*CsumType) DefaultArg

func (t *CsumType) DefaultArg() Arg

func (*CsumType) String

func (t *CsumType) String() string

type DataArg

type DataArg struct {
	ArgCommon
	// contains filtered or unexported fields
}

Used for BufferType.

func MakeDataArg

func MakeDataArg(t Type, data []byte) *DataArg

func MakeOutDataArg

func MakeOutDataArg(t Type, size uint64) *DataArg

func (*DataArg) Data

func (arg *DataArg) Data() []byte

func (*DataArg) SetData

func (arg *DataArg) SetData(data []byte)

func (*DataArg) Size

func (arg *DataArg) Size() uint64

type DeserializeMode

type DeserializeMode int
const (
	Strict    DeserializeMode = iota
	NonStrict DeserializeMode = iota
)

type Dir

type Dir int
const (
	DirIn Dir = iota
	DirOut
	DirInOut
)

func (Dir) String

func (dir Dir) String() string

type ExecArg

type ExecArg interface{} // one of ExecArg*

type ExecArgConst

type ExecArgConst struct {
	Size           uint64
	Format         BinaryFormat
	Value          uint64
	BitfieldOffset uint64
	BitfieldLength uint64
	PidStride      uint64
}

type ExecArgCsum

type ExecArgCsum struct {
	Size   uint64
	Kind   uint64
	Chunks []ExecCsumChunk
}

type ExecArgData

type ExecArgData struct {
	Data     []byte
	Readable bool
}

type ExecArgResult

type ExecArgResult struct {
	Size    uint64
	Format  BinaryFormat
	Index   uint64
	DivOp   uint64
	AddOp   uint64
	Default uint64
}

type ExecCall

type ExecCall struct {
	Meta    *Syscall
	Index   uint64
	Args    []ExecArg
	Copyin  []ExecCopyin
	Copyout []ExecCopyout
}

type ExecCopyin

type ExecCopyin struct {
	Addr uint64
	Arg  ExecArg
}

type ExecCopyout

type ExecCopyout struct {
	Index uint64
	Addr  uint64
	Size  uint64
}

type ExecCsumChunk

type ExecCsumChunk struct {
	Kind  uint64
	Value uint64
	Size  uint64
}

type ExecProg

type ExecProg struct {
	Calls []ExecCall
	Vars  []uint64
}

type FlagsType

type FlagsType struct {
	IntTypeCommon
	Vals    []uint64
	BitMask bool
}

func (*FlagsType) DefaultArg

func (t *FlagsType) DefaultArg() Arg

type Gen

type Gen struct {
	// contains filtered or unexported fields
}

func (*Gen) Alloc

func (g *Gen) Alloc(ptrType Type, data Arg) (Arg, []*Call)

func (*Gen) GenerateArg

func (g *Gen) GenerateArg(typ Type, pcalls *[]*Call) Arg

func (*Gen) GenerateSpecialArg

func (g *Gen) GenerateSpecialArg(typ Type, pcalls *[]*Call) Arg

func (*Gen) MutateArg

func (g *Gen) MutateArg(arg0 Arg) (calls []*Call)

func (*Gen) NOutOf

func (g *Gen) NOutOf(n, outOf int) bool

func (*Gen) Rand

func (g *Gen) Rand() *rand.Rand

func (*Gen) Target

func (g *Gen) Target() *Target

type GroupArg

type GroupArg struct {
	ArgCommon
	Inner []Arg
}

Used for StructType and ArrayType. Logical group of args (struct or array).

func MakeGroupArg

func MakeGroupArg(t Type, inner []Arg) *GroupArg

func (*GroupArg) Size

func (arg *GroupArg) Size() uint64

type IntKind

type IntKind int
const (
	IntPlain   IntKind = iota
	IntFileoff         // offset within a file
	IntRange
)

type IntType

type IntType struct {
	IntTypeCommon
	Kind       IntKind
	RangeBegin uint64
	RangeEnd   uint64
}

func (*IntType) DefaultArg

func (t *IntType) DefaultArg() Arg

type IntTypeCommon

type IntTypeCommon struct {
	TypeCommon
	ArgFormat   BinaryFormat
	BitfieldOff uint64
	BitfieldLen uint64
	BitfieldMdl bool
}

func (*IntTypeCommon) BitfieldLength

func (t *IntTypeCommon) BitfieldLength() uint64

func (*IntTypeCommon) BitfieldMiddle

func (t *IntTypeCommon) BitfieldMiddle() bool

func (*IntTypeCommon) BitfieldOffset

func (t *IntTypeCommon) BitfieldOffset() uint64

func (*IntTypeCommon) Format

func (t *IntTypeCommon) Format() BinaryFormat

func (*IntTypeCommon) String

func (t *IntTypeCommon) String() string

type KeyedStruct

type KeyedStruct struct {
	Key  StructKey
	Desc *StructDesc
}

type LenType

type LenType struct {
	IntTypeCommon
	BitSize uint64 // want size in multiple of bits instead of array size
	Buf     string
}

func (*LenType) DefaultArg

func (t *LenType) DefaultArg() Arg

type LogEntry

type LogEntry struct {
	P         *Prog
	Proc      int  // index of parallel proc
	Start     int  // start offset in log
	End       int  // end offset in log
	Fault     bool // program was executed with fault injection in FaultCall/FaultNth
	FaultCall int
	FaultNth  int
}

LogEntry describes one program in execution log.

type PointerArg

type PointerArg struct {
	ArgCommon
	Address uint64
	VmaSize uint64 // size of the referenced region for vma args
	Res     Arg    // pointee (nil for vma)
}

Used for PtrType and VmaType.

func MakePointerArg

func MakePointerArg(t Type, addr uint64, data Arg) *PointerArg

func MakeSpecialPointerArg

func MakeSpecialPointerArg(t Type, index uint64) *PointerArg

func MakeVmaPointerArg

func MakeVmaPointerArg(t Type, addr, size uint64) *PointerArg

func (*PointerArg) IsSpecial

func (arg *PointerArg) IsSpecial() bool

func (*PointerArg) Size

func (arg *PointerArg) Size() uint64

type ProcType

type ProcType struct {
	IntTypeCommon
	ValuesStart   uint64
	ValuesPerProc uint64
}

func (*ProcType) DefaultArg

func (t *ProcType) DefaultArg() Arg

type Prog

type Prog struct {
	Target   *Target
	Calls    []*Call
	Comments []string
}

func Minimize

func Minimize(p0 *Prog, callIndex0 int, crash bool, pred0 func(*Prog, int) bool) (*Prog, int)

Minimize minimizes program p into an equivalent program using the equivalence predicate pred. It iteratively generates simpler programs and asks pred whether it is equal to the original program or not. If it is equivalent then the simplification attempt is committed and the process continues.

func (*Prog) Clone

func (p *Prog) Clone() *Prog

func (*Prog) FallbackSignal

func (p *Prog) FallbackSignal(info []CallInfo)

func (*Prog) GetCall

func (p *Prog) GetCall(rs rand.Source, meta *Syscall, idx uint32, ct *ChoiceTable) []*Call

func (*Prog) InsertCall

func (p *Prog) InsertCall(c0c []*Call, idx uint32, ncalls int)

func (*Prog) Mutate

func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Prog)

func (*Prog) MutateD

func (p *Prog) MutateD(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Prog)

func (*Prog) MutateIoctl1Arg

func (p *Prog) MutateIoctl1Arg(rs rand.Source, idx int, ct *ChoiceTable) bool

func (*Prog) MutateIoctl3Arg

func (p *Prog) MutateIoctl3Arg(rs rand.Source, idx int, ct *ChoiceTable) bool

func (*Prog) MutateWithHints

func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog))

Mutates the program using the comparison operands stored in compMaps. For each of the mutants executes the exec callback.

func (*Prog) RemoveCall

func (p *Prog) RemoveCall(idx int)

removeCall removes call idx from p.

func (*Prog) RepeatCall

func (p *Prog) RepeatCall(idx int)

func (*Prog) Serialize

func (p *Prog) Serialize() []byte

func (*Prog) SerializeForExec

func (p *Prog) SerializeForExec(buffer []byte) (int, error)

SerializeForExec serializes program p for execution by process pid into the provided buffer. Returns number of bytes written to the buffer. If the provided buffer is too small for the program an error is returned.

func (*Prog) Splice

func (p *Prog) Splice(rp *Prog, idx uint32, ncalls int) bool

func (*Prog) String

func (p *Prog) String() string

String generates a very compact program description (mostly for debug output).

type PtrType

type PtrType struct {
	TypeCommon
	Type Type
}

func (*PtrType) DefaultArg

func (t *PtrType) DefaultArg() Arg

func (*PtrType) String

func (t *PtrType) String() string

type ResourceDesc

type ResourceDesc struct {
	Name   string
	Type   Type
	Kind   []string
	Values []uint64
}

type ResourceType

type ResourceType struct {
	TypeCommon
	ArgFormat BinaryFormat
	Desc      *ResourceDesc
}

func (*ResourceType) Default

func (t *ResourceType) Default() uint64

func (*ResourceType) DefaultArg

func (t *ResourceType) DefaultArg() Arg

func (*ResourceType) Format

func (t *ResourceType) Format() BinaryFormat

func (*ResourceType) SpecialValues

func (t *ResourceType) SpecialValues() []uint64

func (*ResourceType) String

func (t *ResourceType) String() string

type ResultArg

type ResultArg struct {
	ArgCommon
	Res   *ResultArg // reference to arg which we use
	OpDiv uint64     // divide result (executed before OpAdd)
	OpAdd uint64     // add to result
	Val   uint64     // value used if Res is nil
	// contains filtered or unexported fields
}

Used for ResourceType. This is the only argument that can be used as syscall return value. Either holds constant value or reference another ResultArg.

func MakeResultArg

func MakeResultArg(t Type, r *ResultArg, v uint64) *ResultArg

func MakeReturnArg

func MakeReturnArg(t Type) *ResultArg

func (*ResultArg) Size

func (arg *ResultArg) Size() uint64

type StructDesc

type StructDesc struct {
	TypeCommon
	Fields    []Type
	AlignAttr uint64
}

func (*StructDesc) FieldName

func (t *StructDesc) FieldName() string

type StructKey

type StructKey struct {
	Name string
	Dir  Dir
}

type StructType

type StructType struct {
	Key     StructKey
	FldName string
	*StructDesc
}

func (*StructType) DefaultArg

func (t *StructType) DefaultArg() Arg

func (*StructType) FieldName

func (t *StructType) FieldName() string

func (*StructType) String

func (t *StructType) String() string

type Syscall

type Syscall struct {
	ID          int
	NR          uint64 // kernel syscall number
	Name        string
	CallName    string
	MissingArgs int // number of trailing args that should be zero-filled
	Args        []Type
	Ret         Type
}

type Target

type Target struct {
	OS         string
	Arch       string
	Revision   string // unique hash representing revision of the descriptions
	PtrSize    uint64
	PageSize   uint64
	NumPages   uint64
	DataOffset uint64

	Syscalls  []*Syscall
	Resources []*ResourceDesc
	Structs   []*KeyedStruct
	Consts    []ConstValue

	// MakeMmap creates call that maps [addr, addr+size) memory range.
	MakeMmap func(addr, size uint64) *Call

	// SanitizeCall neutralizes harmful calls.
	SanitizeCall func(c *Call)

	// SpecialTypes allows target to do custom generation/mutation for some struct's and union's.
	// Map key is struct/union name for which custom generation/mutation is required.
	// Map value is custom generation/mutation function that will be called
	// for the corresponding type. g is helper object that allows generate random numbers,
	// allocate memory, etc. typ is the struct/union type. old is the old value of the struct/union
	// for mutation, or nil for generation. The function returns a new value of the struct/union,
	// and optionally any calls that need to be inserted before the arg reference.
	SpecialTypes map[string]func(g *Gen, typ Type, old Arg) (Arg, []*Call)

	// Special strings that can matter for the target.
	// Used as fallback when string type does not have own dictionary.
	StringDictionary []string

	// Additional special invalid pointer values besides NULL to use.
	SpecialPointers []uint64

	SyscallMap map[string]*Syscall
	ConstMap   map[string]uint64
	// contains filtered or unexported fields
}

Target describes target OS/arch pair.

func AllTargets

func AllTargets() []*Target

func GetTarget

func GetTarget(OS, arch string) (*Target, error)

func (*Target) ArgContainsAny

func (target *Target) ArgContainsAny(arg0 Arg) (res bool)

func (*Target) BuildChoiceTable

func (target *Target) BuildChoiceTable(prios [][]float32, enabled map[*Syscall]bool) *ChoiceTable

func (*Target) CalculatePriorities

func (target *Target) CalculatePriorities(corpus []*Prog) [][]float32

func (*Target) CallContainsAny

func (target *Target) CallContainsAny(c *Call) (res bool)

func (*Target) Deserialize

func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, error)

func (*Target) DeserializeExec

func (target *Target) DeserializeExec(exec []byte) (ExecProg, error)

func (*Target) Generate

func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog

Generate generates a random program of length ~ncalls. calls is a set of allowed syscalls, if nil all syscalls are used.

func (*Target) GenerateAllSyzProg

func (target *Target) GenerateAllSyzProg(rs rand.Source) *Prog

GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing.

func (*Target) GenerateSimpleProg

func (target *Target) GenerateSimpleProg() *Prog

GenerateSimpleProg generates the simplest non-empty program for testing (e.g. containing a single mmap).

func (*Target) GenerateUberMmapProg

func (target *Target) GenerateUberMmapProg() *Prog

func (*Target) GetConst

func (target *Target) GetConst(name string) uint64

func (*Target) ParseLog

func (target *Target) ParseLog(data []byte) []*LogEntry

func (*Target) PhysicalAddr

func (target *Target) PhysicalAddr(arg *PointerArg) uint64

func (*Target) TransitivelyEnabledCalls

func (target *Target) TransitivelyEnabledCalls(enabled map[*Syscall]bool) (map[*Syscall]bool, map[*Syscall]string)

type TextKind

type TextKind int
const (
	TextTarget TextKind = iota
	TextX86Real
	TextX86bit16
	TextX86bit32
	TextX86bit64
	TextArm64
)

type Type

type Type interface {
	String() string
	Name() string
	FieldName() string
	Dir() Dir
	Optional() bool
	Varlen() bool
	Size() uint64
	Format() BinaryFormat
	BitfieldOffset() uint64
	BitfieldLength() uint64
	BitfieldMiddle() bool // returns true for all but last bitfield in a group

	DefaultArg() Arg
	// contains filtered or unexported methods
}

type TypeCommon

type TypeCommon struct {
	TypeName   string
	FldName    string // for struct fields and named args
	TypeSize   uint64 // static size of the type, or 0 for variable size types
	ArgDir     Dir
	IsOptional bool
	IsVarlen   bool
}

func (*TypeCommon) BitfieldLength

func (t *TypeCommon) BitfieldLength() uint64

func (*TypeCommon) BitfieldMiddle

func (t *TypeCommon) BitfieldMiddle() bool

func (*TypeCommon) BitfieldOffset

func (t *TypeCommon) BitfieldOffset() uint64

func (TypeCommon) Dir

func (t TypeCommon) Dir() Dir

func (*TypeCommon) FieldName

func (t *TypeCommon) FieldName() string

func (*TypeCommon) Format

func (t *TypeCommon) Format() BinaryFormat

func (*TypeCommon) Name

func (t *TypeCommon) Name() string

func (*TypeCommon) Optional

func (t *TypeCommon) Optional() bool

func (*TypeCommon) Size

func (t *TypeCommon) Size() uint64

func (*TypeCommon) Varlen

func (t *TypeCommon) Varlen() bool

type UnionArg

type UnionArg struct {
	ArgCommon
	Option Arg
}

Used for UnionType.

func MakeUnionArg

func MakeUnionArg(t Type, opt Arg) *UnionArg

func (*UnionArg) Size

func (arg *UnionArg) Size() uint64

type UnionType

type UnionType struct {
	Key     StructKey
	FldName string
	*StructDesc
}

func (*UnionType) DefaultArg

func (t *UnionType) DefaultArg() Arg

func (*UnionType) FieldName

func (t *UnionType) FieldName() string

func (*UnionType) String

func (t *UnionType) String() string

type VmaType

type VmaType struct {
	TypeCommon
	RangeBegin uint64 // in pages
	RangeEnd   uint64
}

func (*VmaType) DefaultArg

func (t *VmaType) DefaultArg() Arg

func (*VmaType) String

func (t *VmaType) String() string

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL