The document discusses the internals of syzkaller, an in-kernel fuzzer for finding bugs. It explains that syzkaller sprays large allocations across memory pages to leave small holes, then sprays the targeted object to fill one of the holes and have the target in front of the spray. This allows the target object to be found and used for exploitation. It also provides statistics on the types of bugs found by syzkaller, with most being exploitable bugs or crashes/stability issues found through fuzzing kernel interfaces.

13. https://github.com/google/syzkaller/blob/master/docs/internals.md

23. Beffore we go find the
upper object, the original
object pointed by @rdx:
Special pool being
enabled, there can only be
1 object per page

24. Function call !!!

27. Page aligned
Spray big allocations
leaving 0x90 sized holes
Spray the targeted object
to refill the holes
=> Allocations work by allocating last chunk of a page first then filling from
the beginning, the remainder going into the freelist
=> After a huge amount of spray, the pages should be aligned, and by
spraying lots of unix sockets we can fill one of these holes with the target
object and have it be in front of our spray
spray hole
target

35. Memory
Socket
EpollPipe
Shm
Sem
fnctl
ioctl
sockopt
Cients
Server
FILE

42. Exploitable
37%
DoS
38%
Stability (chaos)
25%
#BUGS