lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Jul 2019 13:08:16 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzkaller <syzkaller@...glegroups.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        Eric Biggers <ebiggers@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Catalin Marinas <catalin.marinas@....com>
Subject: Re: syzbot bisection analysis

On Wed, Mar 27, 2019 at 6:20 PM Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
> Hello,
>
> As most of you probably already noticed, syzbot started bisecting
> cause commits for crashes about 2 weeks ago and sending emails like
> this:
> https://groups.google.com/d/msg/syzkaller-bugs/2XhfN2Kfbqs/0U3YnKsGBQAJ
> The bisection results are also available on the dashboard, e.g.:
> https://syzkaller.appspot.com/bug?id=02bde0600a225e8efa31bdce2e7f1b822542fef1
>
> Bisection was probably the most popular feature request for syzbot.
> Cause commits allow to add the right people to CC and also should help
> to pin-point the harder bugs. If you are interested in details of the
> bisection process, some are described here:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#bisection
> The next step step will be fix commit bisection to help identify and
> close bugs that are already fixed but syzbot is not aware yet.
>
> As expected automatic bisection of kernel bugs is not completely
> trivial and we've got lots of incorrect results. To better understand
> what happens, why and how we are doing, I've analyzed the 118
> bisections that we have so far for the following metrics:
>  - if the bisection was correct or not
>  - the crash has multiple manifestations (on the same commit or on
> different commits)
>  - if the fact that bug hard to reproduce contributed to incorrect bisection
>  - if unrelated bugs contributed to incorrect bisection
>  - if skipped commits contributed to incorrect bisection
>  - if disabled configs contributed to incorrect bisection
> There are also some auto-extracted metrics like the start release of
> bisection, start/end crash, etc. I won't claim that the analysis is
> 100% correct, which would require spending a day on each case. But it
> should be 95% correct or so. The results are here (there is a second
> tab with raw data):
> https://docs.google.com/spreadsheets/d/1WdBAN54-csaZpD3LgmTcIMR7NDFuQoOZZqPZ-CUqQgA
>
> Total success rate is slightly above 50%. But there is strong
> correlation with how far back in history we have to go: for recently
> introduced bugs the rate is 70+%. And for bugs introduced since v5.0
> it's 95%. So hopefully this is a good forecast for future.
>
> The 2 major contributors to incorrect results look quite fundamental:
>  - unrelated bugs contributed to 66% of incorrect results
>  - hard to reproduce bugs contributed to 46% of incorrect results
>
> I've started collecting feedback/ideas re improving bisection quality here:
> https://github.com/google/syzkaller/issues/1051
> But so far no magic bullet come up. So please continue treating the
> results with understanding. The incorrect results were usually easy to
> identify: commit to a completely unrelated subsystem, or even
> non-current arch. There is always a detailed bisection log attached as
> well.
>
> If you are still here, there were some curious cases too, e.g.:
> A bug bisected to a comment-only commit:
> https://groups.google.com/d/msg/syzkaller-bugs/1BSkmb_fawo/vz7GhBd0CQAJ
> A bug bisected to a release tag:
> https://groups.google.com/d/msg/syzkaller-bugs/38HP_pUXJ3s/ehD37HSxDAAJ
> And a fault-injection-provoked bug bisected to addition of the fault
> injection facility by me (which is, well, kinda expected):
> https://groups.google.com/d/msg/syzkaller-bugs/GYiA5CKTPXw/MA4mO01wDAAJ
>
> Thanks

A mini analysis of memory leaks bisection:
https://docs.google.com/spreadsheets/d/1WdBAN54-csaZpD3LgmTcIMR7NDFuQoOZZqPZ-CUqQgA/edit#gid=1421280815

Out of 12 leak bisections that happened so far only 2 are semi-correct:
1. The bug is too old, so syzbot just proved that it happens back to
the horizon (v4.1):
https://syzkaller.appspot.com/bug?id=ecc7f04cd94b5c062c000865d43bfb682d718b8e
2. The bug requires both leak detection and fault injection, was
bisected to the commit that allows them to work together:
https://syzkaller.appspot.com/bug?id=58c436c13ed984480edba66a224daff9c184de12
Both results are not too useful.

The remaining 10 were all diverged due to other unrelated memory leaks
and other non-leak bugs. It seems the main 2 reasons for this:
1. Lots of leaks are old (kernel is under-tested with KMEMLEAK).
2. Lots of unrelated bugs.
It's unclear how much KMEMLEAK potential for false positives is in
play. For example, lots of bisections are diverged by "memory leak in
batadv_tvlv_handler_register", but this is a true bug reported at:
https://syzkaller.appspot.com/bug?id=0654529ad3cc1d67a6d9812d8b75489c03dfb983
However, some are diverged by e.g. "memory leak in __neigh_create" and
"memory leak in copy_process" and these were not reported as separate
leaks, so either false positives or true leaks fixed in previous
releases.

I am going to turn off leak bisection for now (easiest way to raise
average bisection precision).
Maybe when we get overall bug levels down, and in particular number of
memory leaks, then newly-introduced leaks will be at least as
bisectable as other bug types. But this will probably require at least
several years of active work.

Powered by blists - more mailing lists