syzkaller icon indicating copy to clipboard operation
syzkaller copied to clipboard
verified publisher icon google

dashboard/app: show full reproducer impact (don't stop at warn_on etc.)

Open tarasmadan opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe. Bug reproducer allows to reach some bug in the code satisfying its triggering condition. Syzbot typically stops at the moment first oracle (sanitizer, WARN_ON etc.) reportes the problem. The first oracle doesn't mean the only(or the most interesting) oracle.

The oracles have different reputation. For the community, KASAN: write ... is a much stronger prioritization signal than the WARNING: ....

According to our experience, memory safety bugs may be detected early by oracles like WARN_ON. It makes sense to discover the whole reproducer impact collecting signals from all oracles.

Describe the solution you'd like The alternatives are:

  1. Run reproduces on the kernel w/o panics and collect the full log.
  2. Setup more specialized instances (KASAN: write, KASAN: read) and correlate findings with general syzbot instances.

Additional context GREBE did similar thing. They collected information about the crash point and tried to reach it differently following the similar motivation, to prove higher impact of the existing finding.

tarasmadan avatar Jan 31 '25 14:01 tarasmadan

We have 1664 upstream open bugs now. Grouping them by category:

  1. 324 WARNING
  2. 284 INFO
  3. 208 possible deadlock
  4. 196 KCSAN
  5. 180 KASAN
  6. 114 kernel panic
  7. 112 BUG
  8. 94 general protection fault
  9. 89 KMSAN
  10. 23 UBSAN
  11. 15 memory leak
  12. ~20 other

600 INFO+WARNING are the main candidates for the deeper analysis.

The idea is to focus on the KASAN only instances and start using "kasan multi-shot" mode by syz-manager. It will fuzz the same way it is fuzzing now. Finding the reproducer we'll ignore INFO and WARNING messages (first run only?) and go deeper enabling KASAN to detect the consequences of the bug.

We'll continue to report the same INFO or WARNING but with additional details. The amount of bugs found will not be changed.

tarasmadan avatar Feb 11 '25 07:02 tarasmadan

The second alternative target are the KASAN reads. What looks more promising?:

  1. 180 KASAN reads -> XX KASAN writes conversion,
  2. 600 INFO+WARNING -> XX KASAN reads conversion.

tarasmadan avatar Feb 11 '25 09:02 tarasmadan

Learning the code touched it to to improve readability. See #6250. The plan is to:

  1. Remember report chain, not only the first report.
  2. TODO: decide how to show it in syz-manager.
  3. TODO: decide how to store it in DB and show on the syzbot dashboard.

tarasmadan avatar Aug 05 '25 08:08 tarasmadan