hardenedlinux / harbian-qa

Bug hunting through fuzzer/*-sanitizer/etc...
GNU General Public License v3.0

Question about "Types of branch" #14

Closed daydayup40 closed 5 years ago

daydayup40 commented 5 years ago

This question is related to https://github.com/hardenedlinux/harbian-qa/tree/master/syzkaller/kstat_demo#types-of-branch. Did you mean that the first and second types of branch are determined by syscall parameters? The third type of branch is determined by a local variable. Are they determined indirectly by syscall parameters or kernel global state? Thanks for your help!

Bins94 commented 5 years ago

Sorry, maybe it's because of my poor English.

1. The first type can be easily covered by mutating a single syscall.
2. The second type of branch can be covered by a multi-syscall sequence.
3. The third type can hardly be covered by 1 or 2. It may never be covered.

Bins94 commented 5 years ago

Kernel function parameter != syscall parameters. In 3, both "hardly" and "never" are meaningful. For example, check if the exception handling is valid.
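
An added illustration of the three cases discussed in this thread, not code from harbian-qa or syzkaller: a toy user-space model that records which branches each fuzzing strategy reaches. Every name here (`toy_open`, `toy_ioctl`, `fail_alloc`, the coverage bits) is hypothetical, and using a forced allocation failure to stand in for the third type is an assumption.

```c
#include <stdio.h>
#include <stdbool.h>

/* Toy model; all names are hypothetical, not kernel or syzkaller code. */
enum { BR_ARG = 1, BR_STATE = 2, BR_ERRPATH = 4 };   /* coverage bits */

static unsigned cov;      /* branches hit so far */
static bool dev_open;     /* "kernel" state left behind by an earlier call */
static bool fail_alloc;   /* assumed stand-in for a rare internal failure */

static void reset(void) { cov = 0; dev_open = false; fail_alloc = false; }
static int toy_open(void) { dev_open = true; return 0; }

static int toy_ioctl(int cmd)
{
    if (cmd == 0x42)                /* type 1: decided by the argument alone */
        cov |= BR_ARG;
    if (dev_open)                   /* type 2: needs toy_open() earlier in the sequence */
        cov |= BR_STATE;
    bool alloc_ok = !fail_alloc;    /* local value, not a syscall parameter */
    if (!alloc_ok) {                /* type 3: error-handling path */
        cov |= BR_ERRPATH;
        return -1;
    }
    return 0;
}

/* Mutate the argument of a single call. */
static unsigned fuzz_single(void)
{
    reset();
    for (int cmd = 0; cmd < 256; cmd++) toy_ioctl(cmd);
    return cov;
}

/* Same mutation, but after a preceding call that sets up state. */
static unsigned fuzz_sequence(void)
{
    reset(); toy_open();
    for (int cmd = 0; cmd < 256; cmd++) toy_ioctl(cmd);
    return cov;
}

/* Only forcing the internal failure reaches the error path. */
static unsigned fuzz_with_fault(void)
{
    reset(); toy_open(); fail_alloc = true;
    toy_ioctl(0x42);
    return cov;
}

int main(void)
{
    printf("single=%u sequence=%u fault=%u\n",
           fuzz_single(), fuzz_sequence(), fuzz_with_fault());
    return 0;
}
```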