
Configurable disabling of syscall generation/mutation/minimisation

Open hrutvik opened this issue 2 years ago • 3 comments

Allow users to disable generation, mutation, and/or minimisation of syscalls. Using these options correctly should prevent syzkaller wasting time generating/mutating/minimising syscalls for which it is unlikely to make much progress.

The new do_not_generate and do_not_minimize attributes allow syzlang descriptions to specify non-generatable/non-minimisable syscalls.

The new do_not_mutate_syscalls manager config option allows per-manager specification of syscalls that should not be mutated, in the same format as the existing {enable,disable}_syscalls options.

Also add myself as a contributor.

hrutvik avatar Sep 20 '22 15:09 hrutvik

Codecov Report

Merging #3388 (43d8c52) into master (60af505) will decrease coverage by 0.0%. The diff coverage is 50.7%.

Impacted Files            Coverage   Δ
prog/types.go             74.5% <ø>      (ø)
syz-fuzzer/fuzzer.go       6.5% <0.0%>   (-<0.1%) ↓
syz-fuzzer/proc.go         0.0% <0.0%>   (ø)
syz-manager/rpc.go         0.0% <0.0%>   (ø)
pkg/mgrconfig/load.go     44.9% <27.8%>  (-1.2%) ↓
prog/prio.go              90.7% <52.6%>  (-0.9%) ↓
prog/mutation.go          89.3% <53.8%>  (-1.2%) ↓
prog/rand.go              92.5% <83.3%>  (-0.2%) ↓
prog/minimization.go      91.2% <100.0%> (+0.1%) ↑
prog/test/fuzz.go         48.8% <100.0%> (ø)
... and 8 more

codecov[bot] avatar Sep 20 '22 15:09 codecov[bot]

I've converted this back to a draft because the behaviour is not quite right when there are do_not_generate syscalls in the corpus. The previous implementation checked that disabled syscalls (due to an attribute or omission from the enabled_syscalls config option) do not appear in the corpus, allowing it to assume that a randomly chosen call can't be disabled. With non-generatable syscalls this is a little more subtle: these can appear in the corpus, but still should not be randomly chosen during generation.

hrutvik avatar Sep 21 '22 08:09 hrutvik
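To make the distinction in the comment above concrete, here is an added, self-contained Go simulation of the three policies the PR describes (it is not syzkaller's code). It assumes a manager config option named do_not_mutate_syscalls, as in the PR description, taking the same pattern list as enable_syscalls; the pattern-matching rule (exact name, bare name covering its $variants, trailing-'*' prefix) is an approximation of syzkaller's, and the syscall table, config and corpus are constructed. The point it shows: a disabled call is rejected from the corpus outright, whereas a do_not_generate call may sit in the corpus and must still be filtered out of the generation candidate list, and a do_not_mutate call stays in programs but yields no mutation candidates.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Syscall carries the three independent restrictions discussed in the PR:
// NoGenerate and NoMinimize come from syzlang attributes, NoMutate from manager config.
type Syscall struct {
	Name       string
	NoGenerate bool // do_not_generate attribute
	NoMinimize bool // do_not_minimize attribute
	NoMutate   bool // filled in from the manager config
}

// Config is the slice of a syz-manager config used here. enable_syscalls is an
// existing option; do_not_mutate_syscalls is the name from the PR description
// (assumption: it takes the same pattern list as enable_syscalls).
type Config struct {
	EnableSyscalls      []string `json:"enable_syscalls"`
	DoNotMutateSyscalls []string `json:"do_not_mutate_syscalls"`
}

// Program is a sequence of syscall names; the corpus is a list of programs.
type Program []string

// Constructed sample data: a tiny syscall table, a config and a corpus.
var SampleTable = []Syscall{
	{Name: "openat$dir"},
	{Name: "read"},
	{Name: "syz_mount_image$ext4", NoGenerate: true, NoMinimize: true},
	{Name: "syz_mount_image$btrfs", NoGenerate: true, NoMinimize: true},
	{Name: "mknod"}, // not in enable_syscalls below, hence disabled
}

const SampleConfig = `{
	"enable_syscalls": ["openat*", "read", "syz_mount_image"],
	"do_not_mutate_syscalls": ["syz_mount_image"]
}`

var SampleCorpus = []Program{{"syz_mount_image$ext4", "openat$dir", "read"}}

// matchSyscall approximates the pattern rules of {enable,disable}_syscalls:
// exact name, a bare name covering all of its $variants, or a trailing-'*' prefix.
func matchSyscall(name, pattern string) bool {
	if pattern == name || strings.HasPrefix(name, pattern+"$") {
		return true
	}
	return strings.HasSuffix(pattern, "*") &&
		strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
}

func matchesAny(name string, patterns []string) bool {
	for _, p := range patterns {
		if matchSyscall(name, p) {
			return true
		}
	}
	return false
}

// ApplyConfig keeps only enabled syscalls and marks the non-mutatable ones.
func ApplyConfig(cfgJSON string, table []Syscall) (map[string]Syscall, error) {
	var cfg Config
	if err := json.Unmarshal([]byte(cfgJSON), &cfg); err != nil {
		return nil, err
	}
	enabled := map[string]Syscall{}
	for _, c := range table {
		if !matchesAny(c.Name, cfg.EnableSyscalls) {
			continue
		}
		c.NoMutate = matchesAny(c.Name, cfg.DoNotMutateSyscalls)
		enabled[c.Name] = c
	}
	return enabled, nil
}

// CheckCorpus enforces the old invariant: a disabled call never appears in the
// corpus. Non-generatable calls are allowed in, which is why generation has to
// filter them separately instead of assuming any corpus call is choosable.
func CheckCorpus(corpus []Program, enabled map[string]Syscall) error {
	for i, p := range corpus {
		for _, name := range p {
			if _, ok := enabled[name]; !ok {
				return fmt.Errorf("corpus program %d contains disabled syscall %s", i, name)
			}
		}
	}
	return nil
}

// GenerationCandidates lists the calls that may be picked at random during generation.
func GenerationCandidates(enabled map[string]Syscall) []string {
	var out []string
	for name, c := range enabled {
		if !c.NoGenerate {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// MutationCandidates returns indices of calls in p that the mutator may touch.
func MutationCandidates(p Program, enabled map[string]Syscall) []int {
	var out []int
	for i, name := range p {
		if c, ok := enabled[name]; ok && !c.NoMutate {
			out = append(out, i)
		}
	}
	return out
}

// MinimizationCandidates returns indices of calls in p that the minimizer may simplify.
func MinimizationCandidates(p Program, enabled map[string]Syscall) []int {
	var out []int
	for i, name := range p {
		if c, ok := enabled[name]; ok && !c.NoMinimize {
			out = append(out, i)
		}
	}
	return out
}

func main() {
	enabled, err := ApplyConfig(SampleConfig, SampleTable)
	if err != nil {
		panic(err)
	}
	fmt.Println("generatable:", GenerationCandidates(enabled))
	fmt.Println("corpus check:", CheckCorpus(SampleCorpus, enabled))
	fmt.Println("mutable positions:", MutationCandidates(SampleCorpus[0], enabled))
	fmt.Println("minimizable positions:", MinimizationCandidates(SampleCorpus[0], enabled))
}
```

Running it shows syz_mount_image$ext4 accepted into the corpus yet absent from the generation list, and position 0 of the sample program excluded from both mutation and minimization while openat$dir and read remain eligible.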

Could you please elaborate on the motivation for the do_not_mutate_syscalls option? At least for the syz_mount_image, we don't really want to minimize or generate it, but I think we do want to mutate it.

If we're trying to test only "normal" filesystem workloads (i.e. no corrupted images) then we do not want mutation - we start with valid images and these (should) remain valid after various filesystem-related syscalls. This is the aim of the new syzbot instance, where we will enable this config option for syz_mount_image.

On most other instances, as you say we want to continue mutating syz_mount_image as before - which is why no_mutate_syscalls is a config option rather than a syzlang attribute.

Separately, we can then improve testing of mutated/corrupted images by ensuring we get past filesystem-specific checksum validation.

hrutvik avatar Sep 21 '22 14:09 hrutvik

Feel free to "Rebase and merge" when Github is happy (out-of-date branch).

melver avatar Sep 22 '22 13:09 melver

Feel free to "Rebase and merge" when Github is happy (out-of-date branch).

Ah, I don't seem to have write access to the repository.

hrutvik avatar Sep 22 '22 14:09 hrutvik