syz-verifier, executor, pkg/flatrpc: implement memory comparison #13
natitati4 wants to merge 1 commit into
2652f9b to 8feb144
| if (sscanf(line, "%llx-%llx %7s %*s %*s %*s %127[^\n]", &start, &end, perms, name_buf) < 3) | ||
| continue; | ||
| if (perms[0] != 'r') |
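Review bot: with the check at `< 3`, a line for an anonymous mapping (no pathname field, so sscanf assigns only start, end and perms and returns 3) passes but leaves name_buf untouched, so any later use of name_buf for such a VMA reads stale contents unless the buffer was cleared first; set name_buf[0] = '\0' before the sscanf call, or only consult name_buf when the return value is 4. The declarations of perms and name_buf are not in this excerpt: they must hold at least 8 and 128 bytes respectively to match %7s and %127[^\n].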
What VMAs can't we read? Those are the VMAs we decided we don't want to read or compare anyway?
No - those are handled separately a few lines above. This is just a defensive check, because if a VMA is unreadable process_vm_readv will not read anything and hashing will be useless.
For now, because we compare only the scratchpad, we don't have a problem reading straight from /proc/pid/mem according to the virtual addresses in /proc/pid/maps. Later, when we may want to read unreadable areas, it is worth moving to reading straight from /dev/mem or /proc/kcore (like https://github.com/jtsylve/LiME) so we won't be limited by the maps perms for comparing memory areas.
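The parse-and-skip logic discussed in this thread, written out as a stand-alone example (added here; this is not code from the PR or from syzkaller). It reuses the sscanf format string from the quoted hunk, zeroes the entry before parsing so anonymous mappings get an empty name instead of a stale one, applies the `perms[0] != 'r'` check, and then hashes each readable VMA through process_vm_readv, treating a short read as "unreadable" rather than hashing garbage. The `struct vma`, `parse_maps_line`, `vma_is_readable` and `hash_vma` names are this example's own, not the executor's.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Explicit prototype so the file still builds if _GNU_SOURCE was not in
   effect when <sys/uio.h> was first included; identical to glibc's. */
ssize_t process_vm_readv(pid_t pid, const struct iovec *local_iov,
                         unsigned long liovcnt, const struct iovec *remote_iov,
                         unsigned long riovcnt, unsigned long flags);

/* One parsed /proc/<pid>/maps entry. Buffer sizes match the scanf widths
   ("%7s" and "%127[^\n]") plus the terminating NUL. */
struct vma {
    unsigned long long start, end;
    char perms[8];
    char name[128];
};

/* Parse one maps line with the same format string as the PR's hunk.
 * Returns 1 on success, 0 on a malformed line. The name field is optional
 * (anonymous mappings have none, so sscanf returns 3), hence the struct is
 * zeroed first: otherwise name would be left uninitialised. */
int parse_maps_line(const char *line, struct vma *v)
{
    memset(v, 0, sizeof(*v));
    int n = sscanf(line, "%llx-%llx %7s %*s %*s %*s %127[^\n]",
                   &v->start, &v->end, v->perms, v->name);
    return n >= 3;
}

/* The defensive check from the review thread: a VMA without the 'r' bit
   cannot be read through process_vm_readv, so hashing it is pointless. */
int vma_is_readable(const struct vma *v)
{
    return v->perms[0] == 'r';
}

/* FNV-1a over the VMA contents of process pid, read in 64 KiB chunks.
 * Returns 0 and sets *hash on success, -1 on a short or failed read, which
 * happens for unreadable VMAs and for some readable-looking ones ([vvar]). */
int hash_vma(pid_t pid, const struct vma *v, uint64_t *hash)
{
    static unsigned char buf[1 << 16];
    uint64_t h = 1469598103934665603ULL;
    for (unsigned long long off = v->start; off < v->end; off += sizeof(buf)) {
        size_t chunk = (size_t)((v->end - off) < sizeof(buf) ? (v->end - off) : sizeof(buf));
        struct iovec local = { buf, chunk };
        struct iovec remote = { (void *)(uintptr_t)off, chunk };
        ssize_t got = process_vm_readv(pid, &local, 1, &remote, 1, 0);
        if (got != (ssize_t)chunk)
            return -1; /* nothing (or not everything) was read: do not hash */
        for (size_t i = 0; i < chunk; i++) {
            h ^= buf[i];
            h *= 1099511628211ULL;
        }
    }
    *hash = h;
    return 0;
}

/* Stand-alone demo: hash every readable VMA of this process. */
int main(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) {
        perror("/proc/self/maps");
        return 1;
    }
    char line[512];
    struct vma v;
    while (fgets(line, sizeof line, f)) {
        if (!parse_maps_line(line, &v))
            continue;
        if (!vma_is_readable(&v)) {
            printf("skip   %llx-%llx %s %s\n", v.start, v.end, v.perms, v.name);
            continue;
        }
        uint64_t h;
        if (hash_vma(getpid(), &v, &h) == 0)
            printf("%016llx %llx-%llx %s %s\n", (unsigned long long)h,
                   v.start, v.end, v.perms, v.name);
        else
            printf("noread %llx-%llx %s %s\n", v.start, v.end, v.perms, v.name);
    }
    fclose(f);
    return 0;
}
```

Checking the byte count returned by process_vm_readv matters as much as the perms check: mappings such as [vvar] show up as readable in maps yet fail the read, and without the check their hash would silently become the hash of whatever was left in the buffer.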
8feb144 to 806b2c7
This commit introduces a differential memory comparison engine to detect memory divergences across different kernel versions in syz-verifier.
syz-verifier: Isolate the memory policy engine into a dedicated memcmp.go module to track and evaluate mismatches. The verifier now sets the new MemCmp execution flag when requesting program execution to instruct the executor to provide memory data.
executor: Introduce ptrace interception into the execution loop to capture baseline and final memory hashes. Add 2 hook points into the child that raise SIGSTOP, which the parent catches via ptrace - one when the child starts and one when it is about to exit. This allows the parent to collect memory information about the child to send back to the verifier safely. Gate memory comparison related operations behind flag_memcmp to avoid incurring overhead for other tools that rely on the executor.
pkg/flatrpc: Integrate said MemCmp flag into ExecFlags via FlatBuffers.
806b2c7 to 74e0017
This PR introduces the memory comparison engine to detect memory divergences across different kernel versions in syz-verifier.
syz-verifier:
Isolate the memory policy engine into a dedicated memcmp.go module to track and evaluate mismatches. The verifier now sets the new MemCmp execution flag when requesting program execution to instruct the executor to provide memory data.
executor:
Introduce ptrace interception into the execution loop to capture baseline and final memory hashes. Add 2 hook points into the child that raise SIGSTOP, which the parent catches via ptrace - one when the child starts and one when it is about to exit. This allows the parent to collect memory information about the child to send back to the verifier safely. Gate memory comparison related operations behind flag_memcmp to avoid incurring overhead for other tools that rely on the executor.
pkg/flatrpc:
Integrate said MemCmp flag into ExecFlags via FlatBuffers.
Unsolved problems:
Bucketing memory mismatches in crash report
There is currently no unique "name" for a program. So the mismatch reports appear in the web page under one title that contains all of them. It is capped at 100, so we're probably missing things. There are a couple of possible solutions to this:
IPC Data Bloat and OutputData Limits
The fork server parent (executor 'exec') has to add the VMA arrays into the shared OutputData struct in order to talk to the orchestrator (executor 'runner') and give it the memory comparison info. OutputData is of a limited size (256KB), and probably for a good reason. Modifying its size is very likely to get flagged by the syzkaller maintainers. Possible solutions:
Speed
syz-verifier is currently entirely sequential; this prevents us from using multiple VMs, and probably more CPUs/procs. We probably need to find a way to make syz-verifier parallelize its work.
And many other features/optimizations/rewrites/cleanups.
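The executor-side rendezvous described in the PR text (two SIGSTOP hook points in the child, caught by the parent via ptrace, with a memory snapshot taken at each), reduced to a minimal stand-alone program. This is an added example, not the executor's code: the parent snapshots a single global scratch region through /proc/<pid>/mem (the path mentioned in the review thread, not necessarily what the executor uses), and the `scratch`, `snapshot_child`, `collect_at_stops` and `demo_result` names are assumptions of this example. The baseline hash is taken at the first stop, the final hash at the second, and the child is resumed with signal 0 so the SIGSTOP itself is never delivered.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Scratch region the "program" mutates (constructed stand-in for the real
   scratchpad). After fork() it lives at the same virtual address in the
   child, so the parent can address it directly. */
static unsigned char scratch[4096];

static uint64_t fnv1a(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Snapshot the stopped child's scratch region through /proc/<pid>/mem.
   Returns 0 on success, -1 if the region could not be read in full. */
static int snapshot_child(pid_t pid, uint64_t *hash)
{
    char path[64];
    unsigned char buf[sizeof scratch];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = pread(fd, buf, sizeof buf, (off_t)(uintptr_t)scratch);
    close(fd);
    if (got != (ssize_t)sizeof buf)
        return -1;
    *hash = fnv1a(buf, sizeof buf);
    return 0;
}

/* Parent loop: each SIGSTOP the child raises is a rendezvous point. The
 * first is the baseline, the second the final state. Returns the number of
 * snapshots taken, or -1 on error; *exit_code receives the child's status. */
static int collect_at_stops(pid_t pid, uint64_t hashes[2], int *exit_code)
{
    int status, stops = 0;
    *exit_code = -1;
    for (;;) {
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status)) {
            *exit_code = WEXITSTATUS(status);
            return stops;
        }
        if (WIFSIGNALED(status))
            return stops;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP && stops < 2) {
            if (snapshot_child(pid, &hashes[stops]) != 0) {
                kill(pid, SIGKILL); /* do not leave a stopped child behind */
                waitpid(pid, &status, 0);
                return -1;
            }
            stops++;
        }
        /* resume with signal 0: the SIGSTOP is swallowed, not delivered */
        if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0)
            return -1;
    }
}

/* Returns 2 when both hook points were seen and the hashes differ, 1 when
 * seen but equal, -1 when ptrace is not permitted here (child exits 99),
 * 0 on any other failure. */
int demo_result(uint64_t hashes[2])
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(99);
        raise(SIGSTOP);                        /* hook 1: child has started */
        memset(scratch, 0x41, sizeof scratch); /* the program runs, mutating memory */
        raise(SIGSTOP);                        /* hook 2: about to exit */
        _exit(0);
    }
    int exit_code;
    int stops = collect_at_stops(pid, hashes, &exit_code);
    if (exit_code == 99)
        return -1;
    if (stops != 2)
        return 0;
    return hashes[0] != hashes[1] ? 2 : 1;
}

int main(void)
{
    uint64_t h[2] = { 0, 0 };
    int r = demo_result(h);
    printf("result=%d baseline=%016llx final=%016llx\n", r,
           (unsigned long long)h[0], (unsigned long long)h[1]);
    return r == 2 ? 0 : 1;
}
```

Under a Yama ptrace_scope of 2 or 3, or in a sandbox whose seccomp profile denies ptrace, PTRACE_TRACEME fails and `demo_result` reports -1 instead of a hash pair; the same failure mode applies to the executor's hook points, so a deployment that enables flag_memcmp needs ptrace available in the VM.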