pkg/fuzzer, pkg/managerconfig, prog, syz-manager: logic to enforce syscall dependencies

Syzkaller often breaks dependencies across syscalls (e.g., due minimization, stochastic resource
generation, and mutation) when generating programs, thus failing to build fuzzing inputs that
exercise deep states in the target program.

This patch adds the logic to check whether syscall dependencies are broken in a given program.
Everytime a new program is to be generated, we set a flag called EnforceDeps to true with
a certain probability. If this flag is set, we enforce that the dependencies of each syscall
used in the program is respected.

Author: badnack

AUTHORS

@@ -54,3 +54,4 @@ Tudor Ambarus
 Elektrobit Automotive GmbH
 Rivos Inc.
 Jeongjun Park
+Qualcomm, Inc

CONTRIBUTORS

@@ -141,3 +141,5 @@ Rivos Inc.
 Jeongjun Park
 Nikita Zhandarovich
 Jiacheng Xu
+Qualcomm, Inc
+ Nilo Redini

pkg/fuzzer/fuzzer.go

@@ -284,7 +284,7 @@ func (fuzzer *Fuzzer) genFuzz() *queue.Request {
 	if req == nil {
 		req = genProgRequest(fuzzer, rnd)
 	}
-	if fuzzer.Config.Collide && rnd.Intn(3) == 0 {
+	if !req.Prog.EnforceDeps && fuzzer.Config.Collide && rnd.Intn(3) == 0 {
 		req = &queue.Request{
 			Prog: randomCollide(req.Prog, rnd),
 			Stat: fuzzer.statExecCollide,

pkg/fuzzer/job.go

@@ -44,7 +44,8 @@ func (ji *JobInfo) ID() string {
 func genProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 	p := fuzzer.target.Generate(rnd,
 		prog.RecommendedCalls,
-		fuzzer.ChoiceTable())
+		fuzzer.ChoiceTable(),
+	)
 	return &queue.Request{
 		Prog:     p,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
@@ -64,6 +65,9 @@ func mutateProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request {
 		fuzzer.Config.NoMutateCalls,
 		fuzzer.Config.Corpus.Programs(),
 	)
+	if !newP.ValidateDeps() {
+		return nil
+	}
 	return &queue.Request{
 		Prog:     newP,
 		ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
@@ -456,6 +460,9 @@ func (job *smashJob) run(fuzzer *Fuzzer) {
 			fuzzer.ChoiceTable(),
 			fuzzer.Config.NoMutateCalls,
 			fuzzer.Config.Corpus.Programs())
+		if !p.ValidateDeps() {
+			continue
+		}
 		result := fuzzer.execute(job.exec, &queue.Request{
 			Prog:     p,
 			ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),

prog/analysis.go

@@ -12,19 +12,95 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/google/syzkaller/pkg/image"
 )
 
 type state struct {
-	target    *Target
-	ct        *ChoiceTable
-	corpus    []*Prog
-	files     map[string]bool
-	resources map[string][]*ResultArg
-	strings   map[string]bool
-	ma        *memAlloc
-	va        *vmaAlloc
+	target       *Target
+	ct           *ChoiceTable
+	corpus       []*Prog
+	files        map[string]bool
+	resources    map[string][]*ResultArg
+	strings      map[string]bool
+	ma           *memAlloc
+	va           *vmaAlloc
+	syscallStack []string
+}
+
+// pushFieldToStack pushes a new argument field onto the syscall stack,
+// next to the syscall it belongs to, so we can keep track of the
+// generated fields and prevent infinite recursion while generating a
+// new call with enforced dependencies.
+func pushFieldToStack(s *state, fName string) {
+	if len(s.syscallStack) > 0 {
+		index := len(s.syscallStack) - 1
+		s.syscallStack[index] = s.syscallStack[index] + "-" + fName
+	}
+}
+
+// popFieldFromStack pops the latest argument field from the syscall stack.
+func popFieldFromStack(s *state) {
+	if len(s.syscallStack) > 0 {
+		index := len(s.syscallStack) - 1
+		lastIndex := strings.LastIndex(s.syscallStack[index], "-")
+		s.syscallStack[index] = s.syscallStack[index][:lastIndex]
+	}
+}
+
+// pushSyscallToStack pushes a syscall name onto the syscall stack.
+// This is used to prevent infinite recursion when
+// creating new syscall calls for programs with
+// unbroken dependencies.
+func pushSyscallToStack(s *state, Syscall string) {
+	s.syscallStack = append(s.syscallStack, Syscall)
+}
+
+// popSyscallFromStack pops a syscall name from the syscall stack.
+func popSyscallFromStack(s *state) {
+	if len(s.syscallStack) > 0 {
+		s.syscallStack = s.syscallStack[:len(s.syscallStack)-1]
+	}
+}
+
+// getSyscallFieldLoopIterations returns the number
+// of times we looped through the current syscall and
+// set of arguments. This is used to detect infinite recursion
+// when generating a new call with enforced dependencies.
+func getSyscallFieldLoopIterations(s *state) int {
+	recCounter := 0
+	indexLastEl := len(s.syscallStack) - 1
+	if indexLastEl >= 0 {
+		for _, v := range s.syscallStack[:indexLastEl] {
+			if v == s.syscallStack[indexLastEl] {
+				recCounter++
+			}
+		}
+	}
+	return recCounter
+}
+
+// isSyscallInStack checks whether a given syscall is already on the stack.
+func isSyscallInStack(s *state, syscall string) bool {
+	currentSyscalls := []string{}
+	for _, v := range s.syscallStack {
+		parts := strings.Split(v, "-")
+		currentSyscalls = append(currentSyscalls, parts[0])
+	}
+
+	for _, v := range currentSyscalls {
+		if v == syscall {
+			return true
+		}
+	}
+
+	return false
+}
+
+// clearSyscallStack clears the current syscall stack.
+func clearSyscallStack(s *state) {
+	s.syscallStack = []string{}
 }
 
 // analyze analyzes the program p up to but not including call c.

prog/clone.go

@@ -21,8 +21,9 @@ func (p *Prog) cloneWithMap(newargs map[*ResultArg]*ResultArg) *Prog {
 		panic("cloning of unsafe programs is not supposed to be done")
 	}
 	p1 := &Prog{
-		Target: p.Target,
-		Calls:  cloneCalls(p.Calls, newargs),
+		Target:      p.Target,
+		Calls:       cloneCalls(p.Calls, newargs),
+		EnforceDeps: p.EnforceDeps,
 	}
 	p1.debugValidate()
 	return p1

prog/expr.go

@@ -72,7 +72,7 @@ func makeArgFinder(t *Target, c *Call, unionArg *UnionArg, parents parentStack)
 }
 
 func (r *randGen) patchConditionalFields(c *Call, s *state) (extra []*Call, changed bool) {
-	if r.patchConditionalDepth > 1 {
+	if r.patchConditionalDepth > 1 && !r.EnforceDeps {
 		// Some nested patchConditionalFields() calls are fine as we could trigger a resource
 		// constructor via generateArg(). But since nested createResource() calls are prohibited,
 		// patchConditionalFields() should never be nested more than 2 times.

prog/generation.go

@@ -7,15 +7,72 @@ import (
 	"math/rand"
 )
 
+func callHasDependents(p *Prog, idx int) bool {
+	if !p.EnforceDeps {
+		return false
+	}
+	hasDeps := false
+	c := p.Calls[idx]
+	ForeachArg(c, func(arg Arg, _ *ArgCtx) {
+		if a, ok := arg.(*ResultArg); ok {
+			if len(a.uses) > 0 && (a.Dir() == DirOut || a.Dir() == DirInOut) {
+				for key, val := range a.uses {
+					if val && key.ArgCommon.dir == DirIn {
+						hasDeps = true
+						return
+					}
+				}
+			}
+		}
+	})
+	return hasDeps
+}
+
+func resizeGeneratedCalls(p *Prog, ncalls int, skipCall *Call) int {
+	idxToRemove := len(p.Calls) - 1
+	forceRemoval := false
+	if idxToRemove < 0 {
+		return 0
+	}
+	removed := 0
+	for len(p.Calls) > ncalls {
+		if idxToRemove < 0 {
+			// We tried to keep dependencies, but we have to remove something.
+			forceRemoval = true
+			idxToRemove = len(p.Calls) - 1
+		}
+		if skipCall != nil && p.Calls[idxToRemove] == skipCall {
+			idxToRemove--
+			continue
+		}
+		removeCall := true
+		if !forceRemoval && p.EnforceDeps && callHasDependents(p, idxToRemove) {
+			removeCall = false
+		}
+		if removeCall {
+			p.RemoveCall(idxToRemove)
+			removed++
+		}
+
+		idxToRemove--
+	}
+	return removed
+}
+
 // Generate generates a random program with ncalls calls.
 // ct contains a set of allowed syscalls, if nil all syscalls are used.
 func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Prog {
+	r := newRand(target, rs)
 	p := &Prog{
-		Target: target,
+		Target:      target,
+		EnforceDeps: r.nOutOf(7, 10),
 	}
-	r := newRand(target, rs)
+
 	s := newState(target, ct, nil)
+	r.EnforceDeps = p.EnforceDeps
+
 	for len(p.Calls) < ncalls {
+		clearSyscallStack(s)
 		calls := r.generateCall(s, p, len(p.Calls))
 		for _, c := range calls {
 			s.analyze(c)
@@ -26,9 +83,7 @@ func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Pro
 	// resources and overflow ncalls. Remove some of these calls.
 	// The resources in the last call will be replaced with the default values,
 	// which is exactly what we want.
-	for len(p.Calls) > ncalls {
-		p.RemoveCall(ncalls - 1)
-	}
+	resizeGeneratedCalls(p, ncalls, nil)
 	p.sanitizeFix()
 	p.debugValidate()
 	return p

prog/minimization.go

@@ -62,7 +62,7 @@ func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int
 		p.debugValidate()
 		id := hash.String(p.Serialize())
 		if _, ok := dedup[id]; !ok {
-			dedup[id] = pred0(p, callIndex)
+			dedup[id] = p.ValidateDeps() && pred0(p, callIndex)
 		}
 		return dedup[id]
 	}