syzkaller installation detailed record

  First, a sketch of how syzkaller works, which makes it easier to see why building it is so involved:
  The kernel under test normally runs inside a virtual machine rather than directly on a physical machine, so qemu is needed to provide a hardware-virtualized VM. Secondly, a Linux kernel cannot run on its own; it needs the userspace environment of a distribution around it, so debootstrap is used to generate a small Linux distribution for testing.
  Using syzkaller therefore requires two things: the Linux kernel to be tested, and a small distribution to run that kernel in. Setting up the syzkaller environment comes down to providing both:

  • Some necessary dependencies, to ensure the software installs and runs normally
  • Newer versions of gmp, mpfr, mpc and gcc, needed to compile the test kernel, and the kernel compiled with these newer tools
  • The image of a small Linux distribution (generated by debootstrap)
  • The qemu virtual machine environment, the Go environment, and the my.cfg file that syzkaller reads (it specifies the kernel and the distribution image), all required for syzkaller testing

platform

  VMware, Ubuntu 16.04

Installation dependencies

sudo apt-get install gcc g++ m4 make libncurses5-dev libssl-dev texinfo build-essential openssl zlibc minizip libidn11-dev libidn11 flex bison git debootstrap qemu-system-x86 libelf-dev

Create the required directory

  Create the working directory under /home/lyg (lyg is the user name; adjust it to your own system) so that the latest software can be compiled there:

mkdir workspace
cd workspace
mkdir bin fuzz source

Environment variable declaration

sudo vim ~/.bashrc

  Append:

export GOPATH=/home/lyg/workspace/fuzz/syzkaller
export GOROOT=/home/lyg/workspace/bin/go
export PATH=$GOPATH/bin:$PATH
export PATH=$GOROOT/bin:$PATH
export GCC=/home/lyg/workspace/bin/gcc8.1.0

  Then reload the file in the current shell (do not put this line inside ~/.bashrc itself):

source ~/.bashrc

Configure an environment that is more suitable for higher version Linux kernel compilation

  The specific software: gmp-6.1.0, mpfr-3.1.4, mpc-1.0.3 and gcc-8.1.0. Download them into the workspace directory and unpack them there.
  Create a tmp folder in the workspace directory, enter it and run the following; after each build, delete all files in tmp again. (Adjust the paths in the commands to your own situation.)

../gmp-6.1.0/configure --prefix=/home/lyg/workspace/bin/gmp6.1.0
make -j4
sudo make install
rm -r *
../mpfr-3.1.4/configure --prefix=/home/lyg/workspace/bin/mpfr3.1.4 --with-gmp=/home/lyg/workspace/bin/gmp6.1.0
make -j4
sudo make install
rm -r *
../mpc-1.0.3/configure --prefix=/home/lyg/workspace/bin/mpc1.0.3 --with-gmp=/home/lyg/workspace/bin/gmp6.1.0 --with-mpfr=/home/lyg/workspace/bin/mpfr3.1.4
make -j4
sudo make install
rm -r *

# libmpfr.so.4 may not be found in /usr/lib/x86_64-linux-gnu/, so create a symbolic link; skip if it already exists
sudo ln -s /home/lyg/workspace/bin/mpfr3.1.4/lib/libmpfr.so.4 /usr/lib/x86_64-linux-gnu/libmpfr.so.4

  Compiling gcc may take a very long time (about 1 h for the author):

../gcc-8.1.0/configure --prefix=/home/lyg/workspace/bin/gcc8.1.0 --enable-threads=posix --disable-checking --disable-multilib --enable-languages=c,c++ --with-gmp=/home/lyg/workspace/bin/gmp6.1.0 --with-mpfr=/home/lyg/workspace/bin/mpfr3.1.4 --with-mpc=/home/lyg/workspace/bin/mpc1.0.3
make -j4
sudo make install
rm -r *

sudo ln -s /home/lyg/workspace/bin/gcc8.1.0/bin/gcc /usr/local/bin/gcc8
sudo ln -s /home/lyg/workspace/bin/gcc8.1.0/bin/g++ /usr/local/bin/g++8

Compile the target kernel

  Download the kernel source into the workspace/source directory and unpack it, then enter the kernel root directory and run:

make CC="$GCC/bin/gcc" defconfig
make CC="$GCC/bin/gcc" kvmconfig # this command may report an ERROR, which can be ignored

  Next, edit the .config file and set the following lines. (Note: these options usually appear as commented-out lines of the form "# CONFIG_KCOV is not set", so those comments have to be converted into the settings below. Options that do not exist in the file at all must be added manually; be careful not to add them at the end of the file but somewhere in the middle.)

CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y # may be missing from the default config, add it
CONFIG_KASAN_INLINE=y  # may be missing from the default config, add it
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
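Editing these lines by hand is error-prone and must be redone after every defconfig. The following script is an added example (not from the original post) that applies the six options above to a .config idempotently: "# CONFIG_X is not set" lines are converted, wrong values corrected, and options that are absent are inserted in the body of the file rather than appended. It assumes GNU sed, as found on Ubuntu; the sample .config it writes is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: set the syzkaller
# kernel options in a .config idempotently (GNU sed assumed).
# "# CONFIG_X is not set" becomes CONFIG_X=y, wrong values are
# corrected, absent options are inserted in the body of the file.

SYZ_OPTIONS="KCOV DEBUG_INFO KASAN KASAN_INLINE CONFIGFS_FS SECURITYFS"

# set_config FILE NAME: ensure FILE contains the line CONFIG_NAME=y
set_config() {
    file=$1
    opt="CONFIG_$2"
    if grep -q "^# $opt is not set\$" "$file"; then
        sed -i "s|^# $opt is not set\$|$opt=y|" "$file"   # un-comment
    elif grep -q "^$opt=" "$file"; then
        sed -i "s|^$opt=.*\$|$opt=y|" "$file"             # force =y
    else
        # absent: insert before the first CONFIG_ line (GNU sed 0,/re/)
        sed -i "0,/^CONFIG_/s//$opt=y\n&/" "$file"
    fi
}

# enable_syzkaller_options FILE: apply every option in SYZ_OPTIONS
enable_syzkaller_options() {
    for name in $SYZ_OPTIONS; do set_config "$1" "$name"; done
}

# count_enabled FILE: how many SYZ_OPTIONS are set to y in FILE
count_enabled() {
    n=0
    for name in $SYZ_OPTIONS; do
        if grep -q "^CONFIG_$name=y\$" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# write_sample_config FILE: constructed miniature .config for a dry run
write_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated file (constructed sample, not a real .config)
CONFIG_64BIT=y
# CONFIG_KCOV is not set
CONFIG_DEBUG_INFO=n
CONFIG_CONFIGFS_FS=y
# CONFIG_SECURITYFS is not set
EOF
}

# Usage on the real kernel tree: enable_syzkaller_options linux-5.10.9/.config
```

Run `make CC="$GCC/bin/gcc" olddefconfig` afterwards as the post describes, and confirm with `count_enabled .config` that all six options survived the dependency resolution.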

  Then run the following (compilation takes a while, about 30 min):

make CC="$GCC/bin/gcc" olddefconfig
make CC="$GCC/bin/gcc" -j8

  After compilation, the kernel images are at:

linux-5.10.9/vmlinux
linux-5.10.9/arch/x86/boot/bzImage

Create the test virtual machine image

  Create a folder named image in the source directory, enter it and download create-image.sh (requires external network access); alternatively, fetch the file directly from the syzkaller GitHub repository, where it lives in the tools folder.

wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh

  Give it the right to execute:

chmod 777 create-image.sh

  The debootstrap invoked by this script fetches from Debian's official mirror; because of network conditions (no VPN is available), the download is too slow and prone to errors, so the file has to be edited and the mirror path replaced with the Tsinghua mirror. The author added one line (the yellow box in the original screenshot) to specify the mirror path. (Depending on the environment, the script may instead take the other branch (the green box in the screenshot); in that case the contents of that branch must be replaced as well, and the line added in the yellow box removed. The author's environment did not go through that branch, so it was left unmodified.)
  After the modification, run the script:

./create-image.sh

  When the script finishes, stretch.img will have been generated in this directory.

Test whether qemu can be used to enter the target virtual machine

  First check whether the system supports virtualization, use the following command:

egrep -c '(vmx|svm)' /proc/cpuinfo

  If the value is greater than 0, virtualization support is enabled. Otherwise, on a physical host you need to reboot into the BIOS and enable VT virtualization; in VMware, enable the virtualization option in the VM's settings (the original post shows this in a screenshot).
  Once virtualization is supported, test with the following command:

sudo qemu-system-x86_64 \
 -kernel /home/lyg/workspace/source/linux-5.10.9/arch/x86/boot/bzImage \
 -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" \
 -hda /home/lyg/workspace/source/image/stretch.img \
 -net user,hostfwd=tcp::10021-:22 -net nic \
 -enable-kvm \
 -nographic \
 -m 2G \
 -smp 2 \
 -pidfile vm.pid \
 2>&1 | tee vm.log

  Reaching the login prompt means success (the root user can log in without a password).

Configure Go environment

  syzkaller is written in Go, so installing and running it requires a Go environment. Download Go from its official website and unpack the archive into the GOROOT directory declared in ~/.bashrc, i.e. /home/lyg/workspace/bin. GOPATH specifies Go's default working directory.

Install syzkaller and test

  Download the syzkaller archive from GitHub, put it in the /home/lyg/workspace/fuzz/syzkaller/src/github.com/google directory and unpack it. Enter the unpacked folder and run the following git commands to avoid build errors (skip them if it is already a git repository):

git init
git config user.name "lyg" # any name
git config user.email "[email protected]" # any e-mail address
git add *
git commit -m "some init msg"

  At this point git may complain that bin will be ignored because of the .gitignore file; this does not need to be handled.
  Then run make in this directory to compile syzkaller. Go is invoked here, and the download may be slow because of network conditions; how to speed up the download is covered separately.
  After compiling, create a file my.cfg in this folder (adjust the directories), as follows:

{
	"target": "linux/amd64",
	"http": "127.0.0.1:56741",
	"workdir": "/home/lyg/workspace/fuzz/syzkaller/src/github.com/google/syzkaller-master/workdir",
	"kernel_obj": "/home/lyg/workspace/source/linux-5.10.9",
	"image": "/home/lyg/workspace/source/image/stretch.img",
	"sshkey": "/home/lyg/workspace/source/image/stretch.id_rsa",
	"syzkaller": "/home/lyg/workspace/fuzz/syzkaller/src/github.com/google/syzkaller-master",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 4,
		"kernel": "/home/lyg/workspace/source/linux-5.10.9/arch/x86/boot/bzImage",
		"cpu": 1,
		"mem": 1024
	}
}

  Now you can test and run syzkaller:

sudo ./bin/syz-manager -config=my.cfg

  After it has run for a while, check the results at the IP address and port specified in my.cfg.
  With that, the syzkaller setup is complete.

Origin blog.csdn.net/m0_46161993/article/details/112981753