github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/pkg/report/impact_score.go (about) 1 // Copyright 2025 syzkaller project authors. All rights reserved. 2 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 3 4 package report 5 6 import ( 7 "sort" 8 9 "github.com/google/syzkaller/pkg/report/crash" 10 ) 11 12 // impactOrder represent an ordering of bug impact severity. The earlier 13 // entries are considered more severe. 14 var impactOrder = []crash.Type{ 15 // Highest Priority (Direct Memory Corruption - Write) 16 crash.KASANUseAfterFreeWrite, 17 crash.KASANWrite, 18 // High Priority (Memory Corruption) 19 crash.KASANInvalidFree, 20 crash.KFENCEInvalidFree, 21 crash.KFENCEMemoryCorruption, 22 crash.KASANUseAfterFreeRead, 23 crash.KMSANUseAfterFreeRead, 24 crash.KASANRead, 25 crash.KFENCERead, 26 crash.MemorySafetyUBSAN, // array-index-out-of-bounds, at least Read. 27 crash.KCSANAssert, 28 crash.RefcountWARNING, // we had a few UAFs in the past 29 crash.KASANNullPtrDerefWrite, 30 crash.KASANNullPtrDerefRead, 31 crash.NullPtrDerefBUG, 32 // Medium Priority (Infoleaks, Uninitialized Memory, Corruptions) 33 crash.KMSANInfoLeak, 34 crash.MemorySafetyBUG, 35 crash.KMSANUninitValue, 36 // Medium Priority (Concurrency and Severe Instability) 37 crash.KCSANDataRace, 38 crash.AtomicSleep, // high potential for system-wide deadlocks 39 crash.LockdepBug, // indicates potential deadlocks and hangs 40 // Lower-Medium Priority (Denial of Service and General Bugs) 41 crash.MemoryLeak, // a form of DoS 42 crash.DoS, 43 crash.Hang, 44 // Unknown types shouldn't be mentioned here. If bug goes to Unknown it means we need better parsing/processing. 45 // You can find them at the end of the scored list on the bug enumeration pages. 46 // crash.KMSANUnknown 47 // crash.KASANUnknown 48 // crash.KCSANUnknown 49 } 50 51 // TitlesToImpact converts a bug title(s) to an impact score. 52 // If several titles provided, it returns the highest score. 53 // A higher score indicates a more severe impact. 54 // -1 means unknown. 55 func TitlesToImpact(title string, otherTitles ...string) int { 56 maxImpact := -1 57 for _, t := range append([]string{title}, otherTitles...) { 58 typ := TitleToCrashType(t) 59 for i, t := range impactOrder { 60 if typ == t { 61 maxImpact = max(maxImpact, len(impactOrder)-i) 62 } 63 } 64 } 65 return maxImpact 66 } 67 68 type TitleFreqRank struct { 69 Title string 70 Count int 71 Total int 72 Rank int 73 } 74 75 func ExplainTitleStat(ts *titleStat) []*TitleFreqRank { 76 titleCount := map[string]int{} 77 var totalCount int 78 ts.visit(func(count int, titles ...string) { 79 uniq := map[string]bool{} 80 for _, title := range titles { 81 uniq[title] = true 82 } 83 for title := range uniq { 84 titleCount[title] += count 85 } 86 totalCount += count 87 }) 88 var res []*TitleFreqRank 89 for title, count := range titleCount { 90 res = append(res, &TitleFreqRank{ 91 Title: title, 92 Count: count, 93 Total: totalCount, 94 Rank: TitlesToImpact(title), 95 }) 96 } 97 sort.Slice(res, func(l, r int) bool { 98 if res[l].Rank != res[r].Rank { 99 return res[l].Rank > res[r].Rank 100 } 101 lTitle, rTitle := res[l].Title, res[r].Title 102 if titleCount[lTitle] != titleCount[rTitle] { 103 return titleCount[lTitle] > titleCount[rTitle] 104 } 105 return lTitle < rTitle 106 }) 107 return res 108 }