The performance of Syzkaller, the Syzkaller variant, GREBE, and GREBE without mutation optimization, sampled from Table II. The "SYZ ID" column is the case ID. The "Initial Error Behavior" column gives the error behavior manifested in the corresponding bug report. The "Discovered New Error Behaviors" column lists the newly discovered error behaviors. In the "Time" columns, T1 is the number of hours Syzkaller took, T2 is for Syzkaller's variant, T3 is for GREBE without mutation optimization, and T4 is for GREBE. A dash "-" means the corresponding behavior was not discovered by the corresponding tool.

| SYZ ID | Critical Structures Identified | Initial Error Behavior | Discovered New Error Behaviors | T1 (hours) | T2 (hours) | T3 (hours) | T4 (hours) |
|---|---|---|---|---|---|---|---|
| d2c64e2 | l2tp_session, l2tp_tunnel | kernel BUG at net/l2tp/l2tp core.c:LINE! | WARNING: locking bug in do ipv6 setsockopt | - | - | - | 0.28 |
| | | | WARNING: locking bug in inet autobind | - | - | - | 8.05 |
| | | | WARNING: locking bug in inet6 bind | - | - | - | 3.7 |
| | | | WARNING: locking bug in ip6 datagram connect | - | - | - | 12.51 |
| | | | WARNING: locking bug in sock setsockopt | - | - | - | 84.26 |
| | | | WARNING: locking bug in do ipv6 getsockopt | - | - | - | 116.89 |
| | | | WARNING: locking bug in sock bindtoindex | - | - | - | 144.36 |
| 09fc5ec | blkpg_partition, block_device, gendisk, hd_struct | KASAN: use-after-free Read in delete partition | - | - | - | - | - |
| d1baeb1 | skb_shared_info | BUG: unable to handle kernel paging request in skb release data | general protection fault in skb release data | - | - | 23.76 | 0.99 |
| | | | KASAN: wild-memory-access Read in skb copy ubufs | - | - | - | 33.18 |
| | | | KASAN: slab-out-of-bounds Write in pskb expand head | - | - | - | 46.21 |
| 8eceaff | tc_action, tcf_exts | WARNING: refcount bug in tcf action put | general protection fault in tcf action destroy | - | - | 1.04 | 148.74 |
| | | | KASAN: use-after-free Write in tcindex set parms | - | - | 6.89 | 43.63 |
| | | | KASAN: slab-out-of-bounds Write in tcindex destroy | - | - | 150.36 | 149.16 |
| | | | WARNING in tcf exts destroy | - | - | 148.95 | 0.02 |
| | | | KASAN: global-out-of-bounds Read in tcf action destroy | - | - | 8.28 | - |
| | | | KASAN: invalid-free in tcf exts destroy | - | - | 10.36 | - |
| b4b5c74 | xt_led_info, xt_led_info_internal, xt_tgdtor_param | INFO: trying to register non-static key in led tg destroy | - | - | - | - | - |
| bb7fa48 | futex_pi_state | WARNING in get pi state | KASAN: use-after-free Read in exit pi state list | - | 2.43 | 0.04 | 0.08 |
| 229e0b7 | delayed_uprobe | general protection fault in delayed uprobe remove | KASAN: use-after-free Read in delayed uprobe remove | - | - | 3.83 | 6.66 |
| | | | KASAN: use-after-free Read in uprobe mmap | - | - | 12.69 | 4.1 |
| | | | general protection fault in uprobe mmap | - | - | - | 89.49 |
| | | | KASAN: use-after-free Read in update ref ctr | - | - | - | 157.46 |
| 6a44063 | bpf_array, pcpu_chunk | BUG: unable to handle kernel paging request in pcpu alloc | - | - | - | - | - |
| d767177 | skcipher_walk | general protection fault in crypto chacha20 crypt | KASAN: stack-out-of-bounds Read in crypto chacha20 crypt | - | 0.55 | - | 72.34 |
| | | | KASAN: slab-out-of-bounds Read in crypto chacha20 crypt | - | - | - | 83.16 |
| 460cc94 | fixed_file_data, fixed_file_table, io_ring_ctx | WARNING: ODEBUG bug in io sqe files unregister | KASAN: use-after-free Read in percpu ref switch to atomic rcu | - | - | - | 42.86 |
| | | | WARNING in percpu ref exit | - | - | 8.88 | 7.65 |
| 3a6c997 | bitmap_ip, bitmap_ip_adt_elem, ip_set | KASAN: slab-out-of-bounds Read in bitmap ip add | KASAN: slab-out-of-bounds Write in bitmap ip del | - | - | - | 8.32 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ipmac gc | - | - | - | 43.86 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ip ext cleanup | - | - | - | 118.65 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ip test | - | - | - | 0.26 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ip gc | - | - | - | 61.97 |
| | | | KASAN: use-after-free Read in bitmap ip ext cleanup | - | - | - | 17.31 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ip list | - | - | - | 0.6 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ipmac list | - | - | - | 33.83 |
| | | | KASAN: use-after-free Read in bitmap ipmac ext cleanup | - | - | - | 58.62 |
| | | | KASAN: slab-out-of-bounds Read in bitmap ipmac test | - | - | - | 49.3 |
| 2389bfc | tc_action, tcf_exts, tcindex_data, tcindex_filter_result | KASAN: slab-out-of-bounds Read in tcf exts destroy | - | - | - | - | - |
| 27ae1ae | dst_entry, metadata_dst, rcu_cblist, rt6_info, xfrm_dst | KASAN: use-after-free Read in find match | KASAN: use-after-free Read in neigh notify | - | - | - | 2.07 |
| e4be308 | crypto_shash, kdf_sdesc, shash_desc | KASAN: slab-out-of-bounds Write in sha512 final | KASAN: slab-out-of-bounds Write in tgr192 final | - | - | 2.31 | 14.22 |
| | | | KASAN: slab-out-of-bounds Write in tgr160 final | - | - | 1.43 | 3.9 |
| | | | KASAN: slab-out-of-bounds Write in crypto sha3 final | - | - | 2.76 | 4.65 |
| | | | KASAN: slab-out-of-bounds Write in rmd320 final | - | - | 1.82 | 0.81 |
| | | | KASAN: slab-out-of-bounds Write in wp384 final | - | - | 3.03 | 0.19 |
| | | | KASAN: slab-out-of-bounds Write in sha512 finup | - | - | 0.11 | 2.84 |
| | | | KASAN: slab-out-of-bounds Write in sha1 finup | - | - | 3.34 | 1.8 |
| | | | KASAN: slab-out-of-bounds Write in sha1 final | - | - | 3.76 | 12.46 |
| | | | KASAN: slab-out-of-bounds Write in sha256 final | - | - | 1.07 | 12.75 |
| | | | KASAN: slab-out-of-bounds Write in rmd160 final | - | - | 0.38 | 0.48 |
| | | | KASAN: slab-out-of-bounds Write in sha256 finup | - | - | 2.06 | 13 |
| f56bbe6 | iov_iter, qrtr_hdr_v1, qrtr_hdr_v2 | general protection fault in qrtr endpoint post | KASAN: slab-out-of-bounds Read in qrtr endpoint post | - | - | 26.09 | 12.25 |
| 521a764 | ax25_address, nr_sock | WARNING: refcount bug in nr insert socket | KASAN: use-after-free Read in release sock | 0.69 | 2.36 | 11.74 | 4.39 |
| | | | KASAN: use-after-free Read in nr release | - | - | - | 20 |
| | | | KASAN: use-after-free Read in nr insert socket | - | - | 0.03 | 0.06 |
| | | | KASAN: use-after-free Write in nr insert socket | - | - | - | 126.82 |
| | | | KASAN: use-after-free Read in lock sock nested | - | - | - | 18.2 |
| 7d0275f | sk_buff_head, tipc_msg, tipc_sock | WARNING in tipc msg append | - | - | - | - | - |
| 7022420 | snd_pcm_channel_area, snd_pcm_oss_file, snd_pcm_oss_runtime, snd_pcm_plugin, snd_pcm_plugin_channel, snd_pcm_plugin_format, snd_pcm_runtime, snd_pcm_substream | KASAN: slab-out-of-bounds Read in default write copy kernel | KASAN: slab-out-of-bounds Read in default write copy kernel | - | - | 3.04 | 3.84 |
| 4cf5ee7 | vb2_buffer, vb2_queue, video_device | general protection fault in vb2 mmap | KASAN: use-after-free Read in vb2 mmap | - | - | 8.2 | 39.19 |
| | | | KASAN: use-after-free in vb2 mmap | - | - | - | 138.81 |
| 502c872 | netlink_ext_ack | general protection fault in netlink ack | KASAN: stack-out-of-bounds Read in nla put | 0.01 | 0.01 | 0.01 | 0.01 |
| cbb2898 | crypto_shash, sctp_endpoint, sctp_sock | KASAN: use-after-free Read in sctp auth free | KASAN: use-after-free Read in sctp auth destroy hmacs | - | - | 0.02 | 0.02 |
| 5c9918d | io_kiocb, wait_queue_entry | general protection fault in io poll double wake | - | - | - | - | - |
| ed6f145 | vhost_net, vhost_net_virtqueue, vhost_virtqueue, vhost_vring_file | kernel BUG at drivers/vhost/vhost.c:LINE! | - | - | - | - | - |
| 1fd1d44 | scatter_walk, skcipher_walk | general protection fault in scatterwalk copychunks | general protection fault in skcipher walk done | - | - | - | 0.4 |
| badc913 | Qdisc | WARNING: refcount bug in qdisc put | - | - | - | - | - |
| 0df4c1a | vhost_dev, vhost_net | WARNING in vhost dev cleanup | KASAN: use-after-free Read in remove wait queue | - | - | - | 5.67 |
| | | | KASAN: use-after-free Read in corrupted | - | - | - | 54.3 |
| | | | KASAN: use-after-free Read in eventfd release | - | - | - | 0.13 |
| 4bf11aa | extended_inquiry_info, hci_dev | KASAN: slab-out-of-bounds Read in hci extended inquiry result evt | KASAN: slab-out-of-bounds Read in hci event packet | 0.02 | - | - | 0.01 |
| b7f4861 | devlink, devlink_health_reporter, nsim_dev, nsim_dev_health | KASAN: use-after-free Read in devlink health reporter destroy | - | - | - | - | - |
| 3b7409f | rdma_cm_id, rdma_id_private, rdma_ucm_resolve_ip, sockaddr, sockaddr_ib, sockaddr_in, sockaddr_in6, ucma_context, ucma_file | KASAN: use-after-free Read in cma bind port | KASAN: use-after-free Read in cma acquire dev | - | - | - | 29.79 |
| | | | KASAN: use-after-free Read in rdma listen | - | - | 144.92 | - |
| 27ea7ae | pde_opener, seq_file, snd_info_buffer, snd_info_private_data | WARNING in snd info get line | - | - | - | - | - |
| 160442a | hci_dev, inquiry_info_with_rssi | KASAN: slab-out-of-bounds Read in hci inquiry result with rssi evt | - | - | - | - | - |
| 163388d | dma_buf, v4l2_fh, v4l2_m2m_ctx, v4l2_m2m_queue_ctx, vb2_buffer, vb2_plane, vb2_queue, vim2m_ctx, vb2_vmalloc_buf | WARNING in dma buf vunmap | general protection fault in vb2 queue free | - | - | 119.98 | 11.03 |
| | | | KASAN: null-ptr-deref Read in vb2 vmalloc put | - | - | 5.68 | 9.87 |
| | | | WARNING in vb2 warn zero bytesused | - | - | 68.67 | 14 |
| | | | WARNING in vb2 queue cancel | - | - | 14.33 | 56.83 |
| bdeea91 | aead_instance, crypto_aead, crypto_aead_spawn, crypto_spawn, crypto_type, pcrypt_instance_ctx | WARNING: refcount bug in crypto mod get | WARNING: refcount bug in crypto destroy tfm | 6.69 | 2.62 | 0.06 | 1.25 |
| | | | KASAN: use-after-free Read in crypto alg extsize | - | - | - | 83.69 |
| b9b37a7 | mousedev_client | BUG: corrupted list in mousedev release | WARNING: ODEBUG bug in exit to user mode prepare | - | - | - | 2.56 |
| | | | BUG: corrupted list in mousedev detach client | - | - | 0.04 | 0.02 |
| | | | KASAN: use-after-free Read in m oss release | - | - | - | 1.63 |
| | | | KASAN: use-after-free Read in m oss release file | - | - | - | 1.63 |
| | | | KASAN: vmalloc-out-of-bounds Write in m format set silence | - | - | - | 11.89 |
| | | | KASAN: use-after-free Read in task work run | - | - | - | 18.85 |
| b0e30ab | smc_sock | general protection fault in kernel accept | KASAN: use-after-free Read in kernel accept | - | 0.55 | 7.72 | 0.49 |
| | | | general protection fault in kernel accept | - | 0.03 | 0.01 | 0.01 |
| d5222b3 | addr_req, rdma_cm_id, ucma_file, rdma_id_private, ucma_context | WARNING: bad unlock balance in ucma event handler | WARNING: bad unlock balance in ucma destroy id | - | - | 74.3 | 43.36 |
| | | | general protection fault in rdma listen | - | - | - | 22.2 |
| | | | KASAN: use-after-free Read in rdma listen | 31.67 | - | 38.88 | 21.69 |
| | | | BUG: corrupted list in rdma listen | - | - | 114.51 | - |
| de28cb0 | dst_entry, neigh_table, neighbour, rt6_info | BUG: corrupted list in neigh create | BUG: corrupted list in neigh mark dead | 15.33 | 5.9 | 0.15 | 10.89 |