The initial environment configuration
sudo apt-get install subversion
sudo apt-get install g++
sudo apt-get install git
sudo apt install libssl-dev libelf-dev
sudo apt-get install kvm qemu-kvm
Installation of GCC
sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev
sudo apt-get install debootstrap
Download a prebuilt gcc directly
Compile the kernel
Select the kernel version to be tested and compile it with the installed gcc.
After trying several combinations, gcc 8.0.1 compiled linux-5.1.2 relatively smoothly.
make CC="/home/joeat1/gcc/bin/gcc" defconfig
make CC="/home/joeat1/gcc/bin/gcc" kvmconfig
The following options need to be written into .config in the middle of the file (not appended at the end), otherwise the build fails:
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_KCOV must be enabled in the kernel; alternatively, add "cover": false to the syzkaller configuration file, i.e. run without coverage information.
make CC="/home/joeat1/gcc/bin/gcc" oldconfig
Run this command and press Enter whenever it prompts for a configuration value, to keep the default.
make CC="/home/joeat1/gcc/bin/gcc" -j64
// Note: there is no need to run make install here to install the kernel and other components
// Note: if an error occurs, try again without the -j64 option
make clean CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm
make CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm
Test the KVM virtual machine
qemu-system-x86_64 -kernel /home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" -hda wheezy.img -net user,hostfwd=tcp::10021-:22 -net nic -enable-kvm -nographic -m 2G -smp 2 -pidfile vm.pid 2>&1 | tee vm.log
(or, for the stretch image: -hda /home/joeat1/image/stretch.img)
ssh -i /home/joeat1/image/stretch.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost
chmod 600 wheezy.img.key
ssh -i /home/joeat1/image/wheezy.img.key -p 10021 -o "StrictHostKeyChecking no" root@localhost
Test syz-manager
my.cfg:
{
    "target": "linux/amd64",
    "http": "127.0.0.1:56741",
    "workdir": "/home/joeat1/gopath/src/github.com/google/syzkaller/workdir",
    "kernel_obj": "/home/joeat1/kernel/linux-5.1.2",
    "image": "/home/joeat1/image/wheezy.img",
    "sshkey": "/home/joeat1/image/wheezy.img.key",
    "syzkaller": "/home/joeat1/gopath/src/github.com/google/syzkaller",
    "procs": 8,
    "type": "qemu",
    "vm": {
        "count": 4,
        "kernel": "/home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage",
        "cpu": 2,
        "mem": 2048
    },
    "reproduce": false
}
mkdir workdir
./bin/syz-manager -config=my.cfg
ps -A | grep qemu
kill <pid>
kill $(cat vm.pid)
https://mirrors.kernel.org/debian/dists/wheezy/Release
In a description of the form SyscallName$Type, the SyscallName before the $ is the name of the system call, i.e. the interface provided by the kernel; $(SYZKALLER_SOURCE)/sys/sys.txt contains generic declarations that can be consulted. The Type after the $ denotes a particular variant of that system call; its concrete behavior is determined by the parameters that follow.
Parameters have the format ArgumentName ArgumentType [Limit], where ArgumentName is the parameter name and ArgumentType is the parameter type.
"enable_syscalls": [
    "socket$packet", "socketpair$packet", "accept$packet", "accept4$packet", "bind$packet", "connect$packet", "sendto$packet", "recvfrom$packet", "getsockname$packet", "getpeername$packet", "listen", "setsockopt", "getsockopt", "syz_emit_ethernet"
],
Note that when the list is written this way, the enabled calls must be able to create the parameters (resources) that the target function needs, i.e. the list must form a coherent chain.
The overall syzkaller workflow is: find the kernel attack surface to exercise, construct the templates for the API calls, and hand the rest over to syzkaller's code-coverage-driven fuzzing.
"disable_syscalls": [
    "socket$packet"
],
"enable_syscalls": [
    "openat$kvm", "ioctl"
]
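The coherence requirement above (every resource a call consumes must be produced by another enabled call) can be checked mechanically. This is an added example, not code from the page or from syzkaller; the declarations in DESCRIPTIONS are constructed, simplified syzlang-style lines modelled on the packet-socket and KVM chains this page enables, and the parser only understands that simplified shape.

```python
import re

# Constructed, simplified syzlang-style declarations, modelled on the shape of
# the real sys/linux descriptions (not copied from the syzkaller tree):
#   name$variant(argname type, ...) [resource_returned]
DESCRIPTIONS = """
socket$packet(domain const[AF_PACKET], type flags[packet_socket_type], proto flags[packet_protocols]) sock_packet
bind$packet(fd sock_packet, addr ptr[in, sockaddr_ll], addrlen len[addr])
sendto$packet(fd sock_packet, buf ptr[in, array[int8]], len len[buf], f const[0], addr ptr[in, sockaddr_ll], addrlen len[addr])
openat$kvm(fd const[AT_FDCWD], file ptr[in, string["/dev/kvm"]], flags flags[open_flags], mode const[0]) fd_kvm
ioctl$KVM_CREATE_VM(fd fd_kvm, cmd const[KVM_CREATE_VM], arg const[0]) fd_kvmvm
ioctl$KVM_CREATE_VCPU(fd fd_kvmvm, cmd const[KVM_CREATE_VCPU], id intptr[0:2]) fd_kvmcpu
ioctl$KVM_RUN(fd fd_kvmcpu, cmd const[KVM_RUN], arg const[0])
"""

# Type constructors that are not resources; any other bare type name is a resource.
BUILTIN = {"const", "flags", "ptr", "len", "intptr", "array", "string"}

def split_top(s):
    """Split an argument list on commas that are outside [...] brackets."""
    parts, cur, depth = [], "", 0
    for ch in s:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + [cur.strip()] if cur.strip() else parts

def parse(text):
    """Map call name -> (set of resources consumed, resource produced or None)."""
    calls = {}
    for line in text.strip().splitlines():
        m = re.match(r"^(\S+)\((.*)\)\s*(\S+)?$", line)
        needs = set()
        for arg in split_top(m.group(2)):
            # 'ptr[in, x]' -> 'ptr', 'sock_packet' -> 'sock_packet'
            base = re.split(r"[\[\s]", arg.split(None, 1)[1], 1)[0]
            if base not in BUILTIN:
                needs.add(base)
        calls[m.group(1)] = (needs, m.group(3))
    return calls

def check_enable_list(enabled, calls):
    """Resources some enabled call needs that no enabled call produces,
    mapped to the calls that would be left without usable input."""
    produced = {calls[n][1] for n in enabled}
    missing = {}
    for n in enabled:
        for res in sorted(calls[n][0] - produced):
            missing.setdefault(res, []).append(n)
    return missing
```

Real descriptions also have resource inheritance (for example sock_packet is a sub-resource of the generic sock used by listen/setsockopt), which this simplified checker does not model.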
Possible problems encountered
sudo service sshd start
sudo service sshd status
Using the latest gcc and Linux kernel will handle this problem.
My configuration: gcc 8.4, linux-4.20.13
Use -debug to display all running information
[FAILED] Failed to mount /sys/kernel/config.
[FAILED] Failed to start Remount Root and Kernel File Systems.
The real cause of the boot error is that two options are missing from the kernel .config file:
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
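As an added example (not code from the page or from syzkaller), a small helper that forces the options this page needs into .config, the KCOV/DEBUG_INFO/KASAN/KASAN_INLINE set from the build section and the CONFIGFS_FS/SECURITYFS pair behind the boot failure above, and reports which ones are still missing so a wrong .config is caught before the long make -j run rather than by the "does not have debug info" error afterwards. The SAMPLE fragment is constructed.

```python
import re

# Options this page's setup needs in the kernel .config: KCOV, DEBUG_INFO,
# KASAN and KASAN_INLINE for syzkaller coverage and sanitizer reports;
# CONFIGFS_FS and SECURITYFS so the Debian image boots without the
# "Failed to mount /sys/kernel/config" error.
REQUIRED = ["CONFIG_KCOV", "CONFIG_DEBUG_INFO", "CONFIG_KASAN",
            "CONFIG_KASAN_INLINE", "CONFIG_CONFIGFS_FS", "CONFIG_SECURITYFS"]

# Matches the forms a symbol takes in .config: 'CONFIG_X=y', 'CONFIG_X=m',
# 'CONFIG_X=n' and the disabled form '# CONFIG_X is not set'.
SYMBOL_RE = re.compile(r"^(?:# )?(CONFIG_[A-Z0-9_]+)(?:=\S*| is not set)$")

def enable_options(config_text, options=REQUIRED):
    """Return config_text with every option in `options` forced to =y.
    Existing lines are rewritten in place so the option keeps its position;
    symbols absent from the file are appended (make oldconfig then prompts
    for anything that newly became selectable)."""
    out, seen = [], set()
    for line in config_text.splitlines():
        m = SYMBOL_RE.match(line)
        if m and m.group(1) in options:
            seen.add(m.group(1))
            out.append(m.group(1) + "=y")
        else:
            out.append(line)
    out.extend(opt + "=y" for opt in options if opt not in seen)
    return "\n".join(out) + "\n"

def missing_options(config_text, options=REQUIRED):
    """Options not set to =y, in REQUIRED order; run this before make -j."""
    enabled = set(re.findall(r"^(CONFIG_[A-Z0-9_]+)=y$", config_text, re.M))
    return [opt for opt in options if opt not in enabled]

# Constructed sample .config fragment (not a real kernel file).
SAMPLE = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_KVM=y
# CONFIG_KCOV is not set
CONFIG_DEBUG_INFO=n
CONFIG_KASAN=y
# CONFIG_KASAN_INLINE is not set
CONFIG_CONFIGFS_FS=m
"""

if __name__ == "__main__":
    print("missing before:", missing_options(SAMPLE))
    print("missing after: ", missing_options(enable_options(SAMPLE)))
```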
The syz-extract utility extracts the values of symbolic constants from the kernel source. syz-extract generates a small C program that includes the referenced kernel headers, defines the specified macros, and prints the value of each symbolic constant. The results are stored in a .const file.
The syz-sysgen utility then converts the descriptions into Go code: using the syscall descriptions from the first step and the generated .const file, it generates code containing instances of the Syscall and Type types defined in prog/types.go. At run time syzkaller represents values in memory with the Call and Arg types defined in prog/prog.go, which together form an AST.
failed to generate coverage profile: '/home/joeat1/kernel/linux-5.1.2/vmlinux' does not have debug info (set CONFIG_DEBUG_INFO=y)
merged = bio_attempt_front_merge(q, rq, bio);   (line 717)
bio_attempt_front_merge calls ll_front_merge_fn (line 622):
if (!ll_front_merge_fn(q, req, bio))
ll_front_merge_fn faults at block/blk-merge.c:678, at if (!bio_flagged(req->bio, BIO_SEG_VALID)): kasan: GPF could be caused by NULL-ptr deref or user memory access
leak checking : CONFIG_DEBUG_KMEMLEAK is not enabled
Using syzkaller to fuzz the linux-5.1.2 KVM kernel module with the configuration enable_syscalls = ["openat$kvm", "ioctl$KVM_CREATE_VM", "ioctl$KVM_CREATE_VCPU", "syz_kvm_setup_cpu$x86", "ioctl$KVM_SET_GUEST_DEBUG", "ioctl$KVM_RUN"],
the crash information obtained could not be reproduced for the time being, and is very similar to https://syzkaller.appspot.com/bug?id=2bf7b7983c2398ec6f0c4c6c87cb50223e8873f8
Function call chain:
kvm_cpu_vmxoff(void) -> cr4_clear_bits(X86_CR4_VMXE); -> __cr4_set(cr4 & ~mask); -> __write_cr4(cr4); -> PVOP_VCALL1(cpu.write_cr4, x);
Could any expert help explain this?
Description                                     Count  Last Time         Report
general protection fault in ll_front_merge_fn   2      2019/05/24 19:19
general protection fault in native_write_cr4    8      2019/05/24 19:28
KASAN: use-after-free Read in ll_back_merge_fn  3      2019/05/24 19:18
lost connection to test machine                 16     2019/05/24 19:27
possible deadlock in __queue_work               1      2019/05/24 09:51
There are 3 special types of crashes:
- no output from test machine: the test machine produces no output whatsoever
- lost connection to test machine: the ssh connection to the machine was unexpectedly closed
- test machine is not executing programs: the machine looks alive, but no test programs were executed for a long period of time
Most likely you won't see reportN files for these crashes (e.g. if there is no output from the test machine, there is nothing to put into report). Sometimes these crashes indicate a bug in syzkaller itself (especially if you see a Go panic message in the logs). However, frequently they mean a kernel lockup or something similarly bad (here are just a few examples of bugs found this way: 1, 2, 3).