fix some small issues

seclab-ucr · Sep 5, 2023 · aec42e2 · aec42e2
1 parent 818958e
commit aec42e2
Show file tree

Hide file tree

Showing 12 changed files with 193 additions and 67 deletions.
diff --git a/helper_functions/get_prioritylist.py b/helper_functions/get_prioritylist.py
@@ -110,7 +110,6 @@ def get_cover_lineinfo(PATH):
     print("\nget_cover_lineinfo()\n")
     prioritylist.get_cover_lineinfo(PATH)
     prioritylist.get_complete_coverage_coverline(PATH)
-    #if not os.path.exists(PATH + "/targetline"):
     if not os.path.exists(PATH+"/lineguidance/"):
         os.mkdir(PATH+"/lineguidance/")
     helper.get_callstack(PATH)
@@ -190,10 +189,13 @@ def generate_kleeconfig(PATH):
         generate_kleeconfig(PATH)
     if option == "all":
         if not os.path.exists(PATH+"/vm.log_correct"):
-            run_SyzMorph_add(syzbothash)
+            #run_SyzMorph_add(syzbothash)
             compile_refkernel(PATH, syzbothash)
         else:
             print("skip run_SyzMorph_add/compile_refkernel since vm.log_correct exists")
+        if not os.path.exists(PATH+"/vm.log_correct"):
+            print("Please generate the vm.log_correct manually")
+            exit()
         get_cover_from_vmlog(PATH, syzbothash)
         get_cover_lineinfo(PATH)
         compile_bcfiles(PATH)

diff --git a/helper_functions/get_prioritylists.py b/helper_functions/get_prioritylists.py
@@ -1,7 +1,8 @@
 import helper
 import os, subprocess
+import sys
 import json
-
+import get_syzkaller
 def get_prioritylist(PATH):
     print("get_prioritylist()")
     string1 = "cd /home/zzhan173/Linux_kernel_UC_KLEE;python3 helper_functions/get_prioritylist.py all "+PATH+">"+PATH+"/get_prioritylist_log 2>&1"
@@ -21,33 +22,41 @@ def clean_files(PATH):
     print(string1)
     helper.command(string1)
 
-OOBW_skipcases = ["6087eafb76a94c4ac9eb", "b055b1a6b2b958707a21", "a42d84593d6a89a76f26", "838eb0878ffd51f27c41", "cfc0247ac173f597aaaa"]
+OOBW_skipcases = ["6087eafb76a94c4ac9eb", "b055b1a6b2b958707a21", "a42d84593d6a89a76f26", "838eb0878ffd51f27c41",  "59af7bf76d795311da8c","cfc0247ac173f597aaaa", "dc3b1cf9111ab5fe98e7", "59b7daa4315e07a994f1"]
 OOBR_skipcases = ["35101610ff3e83119b1b", "37ba33391ad5f3935bbd","983cb8fb2d17a7af549d","a22c6092d003d6fe1122", "d29e9263e13ce0b9f4fd", "7d027845265d531ba506", "f68108fed972453a0ad4"]
 UAFR_skipcases = ["6720d64f31c081c2f708","cbb289816e728f56a4e2c1b854a3163402fe2f88", "9f43bb6a66ff96a21931", "5be8aebb1b7dfa90ef31"]
 UAFW_skipcases = ["c7d9ec7a1a7272dd71b3"]
+#Reproducers don't trigger the vulnerability
+UAF_skipcases = ["373ce58a5e9ddec1b8ee55d9f7353db5b565cdc3", "ad1f53726c3bd11180cb", "b75c138e9286ac742647" , "7be8b464a3a27e6dc5c73d3ffe3b56dc0cf51e52" , "13bef047dbfffa5cd1af"]
+total_skipcases = OOBW_skipcases + OOBR_skipcases + UAFR_skipcases + UAFW_skipcases + UAF_skipcases
 if __name__ == "__main__":
     #with open("/home/zzhan173/Linux_kernel_UC_KLEE/cases/OOBRcases", "r") as f:
     #    s_buf = f.readlines()
     #Type = "UAFR"
-    Type = "OOBR"
+    #Type = "OOBW"
+    Type = "UAF"
     PATH = "/data4/zzhan173/Fixtag_locator/"+Type+"_cases_filter.json"
+    specific_case = None
+    if len(sys.argv) > 1:
+        specific_case = sys.argv[1]
     with open(PATH, "r") as f:
         syzbothash_info = json.load(f)
     for syzbothash in syzbothash_info:
-        if syzbothash in OOBW_skipcases:
-            continue
-        if syzbothash in OOBR_skipcases:
+        if specific_case and syzbothash!=specific_case:
             continue
-        if syzbothash in UAFR_skipcases:
-            continue
-        if syzbothash in UAFW_skipcases:
+        if syzbothash in total_skipcases:
             continue
         PATH = "/data3/zzhan173/"+Type+"/"+syzbothash+"/refkernel"
         if not os.path.exists(PATH):
             os.makedirs(PATH)
-        if os.path.exists(PATH+"/configs/config_cover_doms.json"):
+        i386 = None
+        if "386" in syzbothash_info[syzbothash]["manager"]:
+            i386 = True
+
+        if not specific_case and os.path.exists(PATH+"/configs/config_cover_doms.json"):
             print("\nAlready generated config_cover_doms.json, skip", PATH,"\n")
             continue
-        else:
-            print("\nHave not generated  config_cover_doms.json", PATH)
-            get_prioritylist(PATH)
+        syzkaller_commit = syzbothash_info[syzbothash]["syzkaller"]
+        print("\nHave not generated  config_cover_doms.json", PATH)
+        get_syzkaller.compile_syzkaller(PATH, syzkaller_commit, i386)
+        get_prioritylist(PATH)
diff --git a/helper_functions/get_refkernel_results.py b/helper_functions/get_refkernel_results.py
@@ -2,6 +2,7 @@
 import helper
 from multiprocessing import Pool
 import json
+import get_prioritylists
 
 def run_klee(arguments):
     config, output = arguments
@@ -30,7 +31,7 @@ def generate_configlist(PATH):
     calltrace = config_cover_doms["97_calltrace"]
 
     new_config_cover_doms = config_cover_doms
-    length = 3
+    length = 1
     while length < len(calltrace):
         new_calltrace = calltrace[-1*length:]
         new_config_cover_doms["97_calltrace"] = new_calltrace
@@ -50,11 +51,24 @@ def get_configlist(PATH):
 
 if __name__ == "__main__":
     config_output = []
-    with open("/home/zzhan173/Linux_kernel_UC_KLEE/cases/OOBRcases", "r") as f:
-        s_buf = f.readlines()
-    for syzbothash in s_buf:
-        syzbothash = syzbothash[:-1]
-        PATH = "/data3/zzhan173/OOBR/"+syzbothash+"/refkernel"
+    #with open("/home/zzhan173/Linux_kernel_UC_KLEE/cases/OOBRcases", "r") as f:
+    #    s_buf = f.readlines()
+    #for syzbothash in s_buf:
+    Type = "UAF"
+    PATH = "/data4/zzhan173/Fixtag_locator/"+Type+"_cases_filter.json"
+
+    specific_hash = None
+    if len(sys.argv) > 1:
+        specific_hash = sys.argv[1]
+    total_skipcases = get_prioritylists.total_skipcases
+    with open(PATH, "r") as f:
+        syzbothash_info = json.load(f)
+    for syzbothash in syzbothash_info:
+        if syzbothash in total_skipcases:
+            continue
+        if specific_hash and syzbothash != specific_hash:
+            continue
+        PATH = "/data3/zzhan173/" + Type + "/"+syzbothash+"/refkernel"
         generate_configlist(PATH)
         configlist = get_configlist(PATH)
         for config in configlist:

diff --git a/helper_functions/get_syzkaller.py b/helper_functions/get_syzkaller.py
@@ -6,43 +6,58 @@ def command(string1):
     result=p.stdout.readlines()
     return result
 
-def get_go12_syzkaller(commit):
+def get_go12_syzkaller(commit, i386=None):
     os.environ['GOPATH'] = "/home/zzhan173/syzkaller/GO12/gopath"
     os.environ['GOROOT'] = "/home/zzhan173/syzkaller/GO12/goroot"
     os.environ['PATH'] = os.environ['GOROOT'] + "/bin:" + os.environ['GOPATH'] + "/bin:" + os.environ['PATH']
     string1 = "cd /home/zzhan173/syzkaller/GO12/gopath/src/github.com/google/syzkaller; git checkout -f "+commit+";"
     #print(string1)
     command(string1)
-    string1 = "cd /home/zzhan173/syzkaller/GO12/gopath/src/github.com/google/syzkaller; make;"
+    string1 = "cd /home/zzhan173/syzkaller/GO12/gopath/src/github.com/google/syzkaller; make"
+    if i386:
+        string1 += " TARGETVMARCH=amd64 TARGETARCH=386"
     command(string1)
 
-def copy_go12_syzkaller(targetdir):
+def copy_go12_syzkaller(targetdir, i386=None):
     string1 = "cp /home/zzhan173/syzkaller/GO12/gopath/src/github.com/google/syzkaller/bin/linux_amd64/* "+targetdir
     command(string1)
+    if i386:
+        string1 = "cp /home/zzhan173/syzkaller/GO12/gopath/src/github.com/google/syzkaller/bin/linux_386/* "+targetdir
+        command(string1)
 
-def get_go14_syzkaller(commit):
+def get_go14_syzkaller(commit, i386=None):
     os.environ['GOPATH'] = "/home/zzhan173/syzkaller/GO14/gopath"
     os.environ['GOROOT'] = "/home/zzhan173/syzkaller/GO14/goroot"
     os.environ['PATH'] = os.environ['GOROOT'] + "/bin:" + os.environ['GOPATH'] + "/bin:" + os.environ['PATH']
     string1 = "cd /home/zzhan173/syzkaller/GO14/gopath/src/github.com/google/syzkaller; git checkout -f "+commit+";make"
+    if i386:
+        string1 += " TARGETVMARCH=amd64 TARGETARCH=386"
     command(string1)
 
-def copy_go14_syzkaller(targetdir):
+def copy_go14_syzkaller(targetdir, i386=None):
     string1 = "cp /home/zzhan173/syzkaller/GO14/gopath/src/github.com/google/syzkaller/bin/linux_amd64/* "+targetdir
     command(string1)
+    if i386:
+        string1 = "cp /home/zzhan173/syzkaller/GO14/gopath/src/github.com/google/syzkaller/bin/linux_386/* "+targetdir
+        command(string1)
 
-def get_go16_syzkaller(commit):
+def get_go16_syzkaller(commit, i386=None):
     os.environ['GOPATH'] = "/home/zzhan173/syzkaller/GO16/gopath"
     os.environ['GOROOT'] = "/home/zzhan173/syzkaller/GO16/go"
     os.environ['PATH'] = os.environ['GOROOT'] + "/bin:" + os.environ['GOPATH'] + "/bin:" + os.environ['PATH']
     #print("os.environ['PATH']:", os.environ['PATH'])
     string1 = "cd /home/zzhan173/syzkaller/GO16; cd syzkaller; git checkout -f "+commit+";make"
+    if i386:
+        string1 += " TARGETVMARCH=amd64 TARGETARCH=386"
     print(string1)
     command(string1)
 
-def copy_go16_syzkaller(targetdir):
+def copy_go16_syzkaller(targetdir, i386=None):
     string1 = "cp /home/zzhan173/syzkaller/GO16/syzkaller/bin/linux_amd64/* "+targetdir
     command(string1)
+    if i386:
+        string1 = "cp /home/zzhan173/syzkaller/GO16/syzkaller/bin/linux_386/* "+targetdir
+        command(string1)
 
 def get_goversion(commit):
     string1 = "cd /home/zzhan173/repos/syzkaller;git checkout -f "+commit
@@ -62,22 +77,23 @@ def get_goversion(commit):
         print("dont find suitable go version from setup.md for", commit)
         return None
 
-def compile_syzkaller(targetdir, commit):
+def compile_syzkaller(targetdir, commit, i386=None):
+    print("compile_syzkaller()", targetdir, commit, i386)
     targetdir += "/syzkaller/"
     print("compile_syzkaller() ",commit, "for", targetdir)
     if not os.path.exists(targetdir):
         os.mkdir(targetdir)
     goversion = get_goversion(commit)
     print("goversion:", goversion)
     if goversion == "go12":
-        get_go12_syzkaller(commit)
-        copy_go12_syzkaller(targetdir)
+        get_go12_syzkaller(commit, i386)
+        copy_go12_syzkaller(targetdir, i386)
     elif goversion == "go14":
-        get_go14_syzkaller(commit)
-        copy_go14_syzkaller(targetdir)
+        get_go14_syzkaller(commit, i386)
+        copy_go14_syzkaller(targetdir, i386)
     elif goversion == "go16":
-        get_go16_syzkaller(commit)
-        copy_go16_syzkaller(targetdir)
+        get_go16_syzkaller(commit, i386)
+        copy_go16_syzkaller(targetdir, i386)
     else:
         "compile_syzkaller Fail"
         return False
@@ -90,4 +106,8 @@ def compile_syzkaller(targetdir, commit):
     #commit = "da505f84d3e8fc3bb7c54fea76eb5574987ee01a"
     targetdir = sys.argv[1]
     commit = sys.argv[2]
-    compile_syzkaller(targetdir, commit)
+    i386 = None
+    if len(sys.argv) > 3:
+        i386 = True
+        print("i386")
+    compile_syzkaller(targetdir, commit, i386)
diff --git a/helper_functions/get_targetkernel_configs.py b/helper_functions/get_targetkernel_configs.py
@@ -5,6 +5,7 @@
 import shutil
 import get_refkernel_results
 from multiprocessing import Pool
+import get_prioritylists
 
 repo_PATH = {
   "linux":"/home/zzhan173/repos/linux/"
@@ -101,6 +102,8 @@ def get_targetkernel_configs(Type, specific_hashvalue = None):
         if specific_hashvalue:
             if hashvalue != specific_hashvalue:
                 continue
+        if hashvalue in get_prioritylists.total_skipcases:
+            print("skip", hashvalue)
         for targetkernel in hash_targetkernels[hashvalue]:
             intputlist += [(Type, hashvalue, targetkernel)]
     print("length of inputlist:", len(intputlist))
@@ -120,6 +123,21 @@ def run_klees(Type, specific_hashvalue = None):
             config = PATH2+"/configs/config_cover_doms.json"
             output = PATH2+"/configs/output"
 
+            with open(config, "r") as f:
+                klee_config = json.load(f)
+            target_line_list = klee_config["4_target_line_list"]
+            target_line_list = [line for line in target_line_list if line != "manualget"]
+            if len(target_line_list) == 0:
+                with open(output, "w") as f:
+                    f.write("target line not exist")
+                print(hashvalue, targetkernel, "target line not exist")
+                continue
+
+
+            #if os.path.exists(output):
+            #    print("already generate the output, continue")
+            #    continue
+
             PATH1 = "/data3/zzhan173/"+Type+"/"+hashvalue+"/refkernel"
             helper.generate_kleeconfig_newentry(PATH1, PATH2)
             if os.path.exists(config):
@@ -134,10 +152,14 @@ def run_klees(Type, specific_hashvalue = None):
     #repo = "/home/zzhan173/repos/linux"
     #tag = "v5.4"
     #get_targetkernel(PATH, repo, tag)
-    Type = "OOBR"
+    specifichash = None
+    if len(sys.argv) > 1:
+        specifichash = sys.argv[1]
+    #Type = "OOBR"
+    #Type = "OOBW"
+    Type = "UAF"
 
-    get_targetkernel_configs(Type, sys.argv[1])
-    #run_klees(Type)
-    run_klees(Type, sys.argv[1])
+    get_targetkernel_configs(Type, specifichash)
+    run_klees(Type, specifichash)