def reproduce(self, target_path, input_path, arguments, max_time): # pylint: disable=unused-argument
"""Reproduce a crash given an input.
Example: ./syz-crush -config my.cfg -infinite=false -restart_time=20s
crash-qemu-1-1455745459265726910
Args:
target_path: Path to the target.
input_path: Path to the reproducer input.
arguments: Additional arguments needed for reproduction.
max_time: Maximum allowed time for the reproduction.
Returns:
A ReproduceResult.
"""
binary_dir = self.prepare_binary_path()
syzkaller_runner = runner.get_runner(
os.path.join(binary_dir, constants.SYZ_REPRO))
repro_args = runner.get_config()
repro_args.extend([
'-infinite=false', '-restart_time={}s'.format(REPRO_TIME),
input_path
])
result = syzkaller_runner.repro(max_time, repro_args=repro_args)
return engine.ReproduceResult(result.command, result.return_code,
result.time_executed, result.output)
def minimize_testcase(
self,
target_path, # pylint: disable=unused-argument
arguments, # pylint: disable=unused-argument
input_path: str,
output_path, # pylint: disable=unused-argument
max_time, # pylint: disable=unused-argument
) -> engine.ReproduceResult:
"""Optional (but recommended): Minimize a testcase.
Example: ./bin/syz-repro -config ./{config file}
{syzkaller workdir}/crashes/{crash hash}/{execution.log}
Args:
target_path: Path to the target.
arguments: Additional arguments needed for testcase minimization.
input_path: Path to the reproducer input.
output_path: Path to the minimized output.
max_time: Maximum allowed time for the minimization.
Returns:
A ReproduceResult.
"""
binary_dir = self.prepare_binary_path()
syzrepro_runner = runner.get_runner(
os.path.join(binary_dir, constants.SYZ_REPRO))
syzrepro_args = runner.get_config() + [input_path]
return syzrepro_runner.minimize(syzrepro_args)
def fuzz(self,
target_path,
options,
unused_reproducers_dir=None,
max_time=0) -> engine.FuzzResult:
"""Run a fuzz session.
Args:
target_path: Path to the target.
options: The FuzzOptions object returned by prepare().
reproducers_dir: The directory to put reproducers in when crashes
are found.
max_time: Maximum allowed time for the fuzzing to run.
Returns:
A FuzzResult object.
"""
profiler.start_if_needed('syzkaller_kasan')
syzkaller_runner = runner.get_runner(target_path)
# Directory to place new units.
self._create_temp_corpus_dir('new')
args = options.arguments
self.init_corpus(options.corpus_dir, runner.get_work_dir())
fuzz_result = syzkaller_runner.fuzz(max_time, additional_args=args)
self.save_corpus(runner.get_work_dir(), options.corpus_dir)
return fuzz_result
def reproduce(
self,
target_path: str, # pylint: disable=unused-argument
input_path: str,
arguments: List[str], # pylint: disable=unused-argument
max_time: int,
) -> engine.ReproduceResult:
"""Reproduce a crash given an input.
Example: ./syz-crush -config my.cfg -infinite=false -restart_time=20s
crash-qemu-1-1455745459265726910
Args:
target_path: Path to the target.
input_path: Path to the reproducer input.
arguments: Additional arguments needed for reproduction.
max_time: Maximum allowed time for the reproduction.
Returns:
A ReproduceResult.
"""
binary_dir = self.prepare_binary_path()
syzcrush_runner = runner.get_runner(
os.path.join(binary_dir, constants.SYZ_CRUSH))
syzcrush_args = (
runner.get_config() +
['-infinite=false', f'-restart_time={REPRO_TIME}s', input_path])
result = syzcrush_runner.repro(max_time, repro_args=syzcrush_args)
if result.return_code:
# TODO: upload minimized output to clusterfuzz bucket. Fix #2525
self.minimize_testcase(
target_path=None,
arguments=None,
input_path=input_path,
output_path=None,
max_time=None,
)
return result