pkg/fuzzer, pkg/managerconfig, prog, syz-manager: flag to enforce syscall dependencies

Syzkaller often breaks dependencies across syscalls (e.g., due minimization, stochastic resource
generation, and mutation) when generating programs, thus failing to build fuzzing inputs that
exercise deep states in the target program.

This patch addresses this issue by adding a Boolean (called PromoteDeps), which if
set, certain measures are taken to enforce that syscall dependencies are respected in any generated
program: Mutation does not break dependencies, Resource generation is no longer stochastic, and
if a minimized program has broken dependencies, it gets discarded.

To this end, I introduced two optional fields in the config file: promote_syscalls_dependency,
and dynamic_promote_syscalls_dependency.  The former flag is a boolean and when set to true will
enable the PromoteDeps flag. The latter field, contains a time expressed in minutes (e.g, 30).
Once the manager starts, it sets a timer with the value contained in this flag. Once the timer
reaches the 0, the Boolean PromoteDep is switched (i.e., if it contained false it now contains true,
and vice versa), and the timer starts again. This switch allows us to introduce more
randomness in the generated programs achieving the best of both worlds.

Author: badnack

AUTHORS

@@ -54,3 +54,4 @@ Tudor Ambarus
 Elektrobit Automotive GmbH
 Rivos Inc.
 Jeongjun Park
+Qualcomm, Inc

CONTRIBUTORS

@@ -141,3 +141,5 @@ Rivos Inc.
 Jeongjun Park
 Nikita Zhandarovich
 Jiacheng Xu
+Qualcomm, Inc
+ Nilo Redini

pkg/fuzzer/fuzzer.go

@@ -49,6 +49,7 @@ func NewFuzzer(ctx context.Context, cfg *Config, rnd *rand.Rand,
 			return true
 		}
 	}
+	prog.SetPromoteDeps(cfg.PromoteSyscallsDependency)
 	f := &Fuzzer{
 		Stats:  newStats(target),
 		Config: cfg,
@@ -201,19 +202,20 @@ func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags
 }
 
 type Config struct {
-	Debug          bool
-	Corpus         *corpus.Corpus
-	Logf           func(level int, msg string, args ...interface{})
-	Snapshot       bool
-	Coverage       bool
-	FaultInjection bool
-	Comparisons    bool
-	Collide        bool
-	EnabledCalls   map[*prog.Syscall]bool
-	NoMutateCalls  map[int]bool
-	FetchRawCover  bool
-	NewInputFilter func(call string) bool
-	PatchTest      bool
+	Debug                     bool
+	Corpus                    *corpus.Corpus
+	Logf                      func(level int, msg string, args ...interface{})
+	Snapshot                  bool
+	Coverage                  bool
+	FaultInjection            bool
+	Comparisons               bool
+	Collide                   bool
+	EnabledCalls              map[*prog.Syscall]bool
+	NoMutateCalls             map[int]bool
+	FetchRawCover             bool
+	NewInputFilter            func(call string) bool
+	PatchTest                 bool
+	PromoteSyscallsDependency bool
 }
 
 func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
@@ -276,6 +278,12 @@ func (fuzzer *Fuzzer) genFuzz() *queue.Request {
 		// more frequently because fallback signal is weak.
 		mutateRate = 0.5
 	}
+	if prog.IsPromoteDeps() {
+		// if we want to promote dependencies, we penalize mutation since
+		// we want to avoid picking and mutating programs with broken
+		// dependencies
+		mutateRate = 0.3
+	}
 	var req *queue.Request
 	rnd := fuzzer.rand()
 	if rnd.Float64() < mutateRate {
@@ -284,7 +292,7 @@ func (fuzzer *Fuzzer) genFuzz() *queue.Request {
 	if req == nil {
 		req = genProgRequest(fuzzer, rnd)
 	}
-	if fuzzer.Config.Collide && rnd.Intn(3) == 0 {
+	if !prog.IsPromoteDeps() && fuzzer.Config.Collide && rnd.Intn(3) == 0 {
 		req = &queue.Request{
 			Prog: randomCollide(req.Prog, rnd),
 			Stat: fuzzer.statExecCollide,

pkg/fuzzer/job.go

@@ -57,13 +57,17 @@ func mutateProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 	if p == nil {
 		return nil
 	}
+	depsValidated := p.ValidateDeps()
 	newP := p.Clone()
 	newP.Mutate(rnd,
 		prog.RecommendedCalls,
 		fuzzer.ChoiceTable(),
 		fuzzer.Config.NoMutateCalls,
 		fuzzer.Config.Corpus.Programs(),
 	)
+	if depsValidated && !newP.ValidateDeps() {
+		return nil
+	}
 	return &queue.Request{
 		Prog:     newP,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
@@ -456,6 +460,9 @@ func (job *smashJob) run(fuzzer *Fuzzer) {
 			fuzzer.ChoiceTable(),
 			fuzzer.Config.NoMutateCalls,
 			fuzzer.Config.Corpus.Programs())
+		if !p.ValidateDeps() {
+			continue
+		}
 		result := fuzzer.execute(job.exec, &queue.Request{
 			Prog:     p,
 			ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),

pkg/mgrconfig/config.go

@@ -167,7 +167,10 @@ type Config struct {
 	// By default it is true, as this is the desired behavior when executing syzkaller
 	// locally.
 	PreserveCorpus bool `json:"preserve_corpus"`
-
+	// the following fields force the IOCTLs dependencies (expressed through resources)
+	// to be respected in every generated program
+	PromoteSyscallsDependency bool  `json:"promote_syscalls_dependency,omitempty"`
+	DependecySwitcheroo       int64 `json:"dynamic_promote_syscalls_dependency,omitempty"`
 	// List of syscalls to test (optional). For example:
 	//	"enable_syscalls": [ "mmap", "openat$ashmem", "ioctl$ASHMEM*" ]
 	EnabledSyscalls []string `json:"enable_syscalls,omitempty"`

prog/analysis.go

@@ -12,19 +12,79 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/google/syzkaller/pkg/image"
 )
 
 type state struct {
-	target    *Target
-	ct        *ChoiceTable
-	corpus    []*Prog
-	files     map[string]bool
-	resources map[string][]*ResultArg
-	strings   map[string]bool
-	ma        *memAlloc
-	va        *vmaAlloc
+	target     *Target
+	ct         *ChoiceTable
+	corpus     []*Prog
+	files      map[string]bool
+	resources  map[string][]*ResultArg
+	strings    map[string]bool
+	ma         *memAlloc
+	va         *vmaAlloc
+	ioctlStack []string
+}
+
+func pushFieldToStack(s *state, fName string) {
+	if len(s.ioctlStack) > 0 {
+		index := len(s.ioctlStack) - 1
+		s.ioctlStack[index] = s.ioctlStack[index] + "-" + fName
+	}
+}
+
+func popFieldFromStack(s *state) {
+	if len(s.ioctlStack) > 0 {
+		index := len(s.ioctlStack) - 1
+		lastIndex := strings.LastIndex(s.ioctlStack[index], "-")
+		s.ioctlStack[index] = s.ioctlStack[index][:lastIndex]
+	}
+}
+
+func pushIoctlToStack(s *state, ioctlName string) {
+	s.ioctlStack = append(s.ioctlStack, ioctlName)
+}
+
+func popIoctlFromStack(s *state) {
+	if len(s.ioctlStack) > 0 {
+		s.ioctlStack = s.ioctlStack[:len(s.ioctlStack)-1]
+	}
+}
+
+func getIoctlFieldLoopIterations(s *state) int {
+	recCounter := 0
+	indexLastEl := len(s.ioctlStack) - 1
+	if indexLastEl >= 0 {
+		for _, v := range s.ioctlStack[:indexLastEl] {
+			if v == s.ioctlStack[indexLastEl] {
+				recCounter++
+			}
+		}
+	}
+	return recCounter
+}
+
+func isIoctlInStack(s *state, ioctl string) bool {
+	currentIoctls := []string{}
+	for _, v := range s.ioctlStack {
+		parts := strings.Split(v, "-")
+		currentIoctls = append(currentIoctls, parts[0])
+	}
+
+	for _, v := range currentIoctls {
+		if v == ioctl {
+			return true
+		}
+	}
+
+	return false
+}
+
+func clearIoctlStack(s *state) {
+	s.ioctlStack = []string{}
 }
 
 // analyze analyzes the program p up to but not including call c.

prog/expr.go

@@ -160,12 +160,27 @@ func checkUnionArg(idx int, typ *UnionType, finder ArgFinder) (ok, calculated bo
 
 func matchingUnionArgs(typ *UnionType, finder ArgFinder) []int {
 	var ret []int
-	for i := range typ.Fields {
+	posDef := -1
+	for i, v := range typ.Fields {
+		if v.Name == "default" {
+			posDef = i
+		}
 		ok, _ := checkUnionArg(i, typ, finder)
 		if ok {
 			ret = append(ret, i)
 		}
 	}
+
+	if len(ret) > 1 && posDef != -1 && IsPromoteDeps() {
+		// if we are to promote deps, we remove the default value, if other values
+		// are present
+		for i, v := range ret {
+			if v == posDef {
+				ret = append(ret[:i], ret[i+1:]...)
+				break
+			}
+		}
+	}
 	return ret
 }
 

prog/generation.go

@@ -7,6 +7,39 @@ import (
 	"math/rand"
 )
 
+func resizeGeneratedCalls(p *Prog, ncalls int, skipCall *Call) {
+	idxToRemove := len(p.Calls) - 1
+	forceRemoval := false
+	if idxToRemove < 0 {
+		return
+	}
+
+	for len(p.Calls) > ncalls {
+		if idxToRemove < 0 {
+			// We tried to keep dependencies, but we have to remove something.
+			forceRemoval = true
+			idxToRemove = len(p.Calls) - 1
+		}
+		if skipCall != nil && p.Calls[idxToRemove] == skipCall {
+			idxToRemove--
+			continue
+		}
+		removeCall := true
+		if IsPromoteDeps() && !forceRemoval {
+			p1 := p.Clone()
+			p1.RemoveCall(idxToRemove)
+			if !p1.ValidateDeps() {
+				removeCall = false
+			}
+		}
+		if removeCall {
+			p.RemoveCall(idxToRemove) // it used to be (ncalls-1), but it would remove random dependencies
+		}
+
+		idxToRemove--
+	}
+}
+
 // Generate generates a random program with ncalls calls.
 // ct contains a set of allowed syscalls, if nil all syscalls are used.
 func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog {
@@ -16,6 +49,7 @@ func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Pro
 	r := newRand(target, rs)
 	s := newState(target, ct, nil)
 	for len(p.Calls) < ncalls {
+		clearIoctlStack(s)
 		calls := r.generateCall(s, p, len(p.Calls))
 		for _, c := range calls {
 			s.analyze(c)
@@ -26,9 +60,13 @@ func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Pro
 	// resources and overflow ncalls. Remove some of these calls.
 	// The resources in the last call will be replaced with the default values,
 	// which is exactly what we want.
-	for len(p.Calls) > ncalls {
-		p.RemoveCall(ncalls - 1)
+	allowCalls := ncalls
+	if IsPromoteDeps() {
+		// if we promote depenendencies, and the program is within limits,
+		// we'll allow it as is
+		allowCalls = max(MaxCalls, ncalls)
 	}
+	resizeGeneratedCalls(p, allowCalls, nil)
 	p.sanitizeFix()
 	p.debugValidate()
 	return p

prog/minimization.go

@@ -62,7 +62,7 @@ func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int
 		p.debugValidate()
 		id := hash.String(p.Serialize())
 		if _, ok := dedup[id]; !ok {
-			dedup[id] = pred0(p, callIndex)
+			dedup[id] = p.ValidateDeps() && pred0(p, callIndex)
 		}
 		return dedup[id]
 	}