syzkaller安装

初始环境配置

sudo apt-get install subversion
sudo apt-get install g++
sudo apt-get install git
sudo apt install libssl-dev libelf-dev
sudo apt-get install kvm qemu-kvm

安装 GCC

sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev

sudo apt-get install debootstrap

直接下载gcc环境

编译内核 启动

选择需要测试的内核版本，使用安装好的gcc进行编译
几种匹配，gcc8.0.1编译linux5.1.2编译比较流畅

make CC="/home/joeat1/gcc/bin/gcc" defconfig
make CC="/home/joeat1/gcc/bin/gcc" kvmconfig

以下内容需要写在中间位置，否则失效
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

需要开启内核上的CONFIG_KCOV选项，也可以在配置文件中加入”cover”: false即不需要使用覆盖率的信息进行测试

make CC="/home/joeat1/gcc/bin/gcc" oldconfig 运行此命令并在每次提示输入某个配置值时按Enter键将其保留为默认值

make CC="/home/joeat1/gcc/bin/gcc" -j64
//注意，此处不需要make install安装内核等组件
//注意，如果出现报错，可以不要 -j64 的选项

make clean CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm

make CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm

测试KVM虚拟机

qemu-system-x86_64
-kernel /home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage
-append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ"
-hda wheezy.img
-net user,hostfwd=tcp::10021-:22 -net nic
-enable-kvm
-nographic
-m 2G
-smp 2
-pidfile vm.pid
2>&1 | tee vm.log

-hda /home/joeat1/image/stretch.img

ssh -i /home/joeat1/image/stretch.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost

chmod 600 wheezy.img.key
ssh -i /home/joeat1/image/wheezy.img.key -p 10021 -o "StrictHostKeyChecking no" root@localhost

测试syz-manager

my.cfg
{
"target": "linux/amd64",
"http": "127.0.0.1:56741",
"workdir": "/home/joeat1/gopath/src/github.com/google/syzkaller/workdir",
"kernel_obj": "/home/joeat1/kernel/linux-5.1.2",
"image": "/home/joeat1/image/wheezy.img",
"sshkey": "/home/joeat1/image/wheezy.img.key",
"syzkaller": "/home/joeat1/gopath/src/github.com/google/syzkaller",
"procs": 8,
"type": "qemu",
"vm": {
"count": 4,
"kernel": "/home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage",
"cpu": 2,
"mem": 2048
},
"reproduce": false
}

mkdir workdir
./bin/syz-manager -config=my.cfg

ps -A | grep qemu
kill pid
kill $(cat vm.pid)

https://mirrors.kernel.org/debian/dists/wheezy/Release

SyscallName$Type \(号前的syscallname是系统调用名，是内核提供的接口，在源码的\)(SYZKALLER_SOURCE)/sys/sys.txt中有通用的调用的形式申明可以参考。$号后的type是指特定类型的系统调用。具体行为靠的是后面的参数去确定。
参数的格式如下： ArgumentName ArgumentType[Limit] ArgumentName是指参数名，ArgumentType指的是参数类型

"enable_syscalls": [
"socket\(packet", "socketpair\)packet", "accept\(packet", "accept4\)packet", "bind\(packet", "connect\)packet", "sendto\(packet", "recvfrom\)packet", "getsockname\(packet", "getpeername\)packet", "listen", "setsockopt", "getsockopt", "syz_emit_ethernet"
],
需要注意的是，此处写的方式，需要满足函数的参数对象能被创建，即关联关系保证连贯。

整个syzkaller的使用过程就是先去寻找内核的攻击面，然后构造api调用模板，剩下交由syzkaller基于代码覆盖驱动的方式去Fuzzing

"disable_syscalls": [
"socket$packet"
],

"enable_syscalls": [
"openat$kvm", "ioctl"]

可能遇到的问题

sudo service sshd start
sudo service sshd status

use latest gcc and linux kernel will handle this problem
my configuration: gcc 8.4, linux-4.20.13

使用 -debug 显示所有的运行信息

[FAILED] Failed to mount /sys/kernel/config.
[FAILED] Failed to start Remount Root and Kernel File Systems.

The real cause of boot error is the missing of two config in kernel .config file:
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config

使用syz-extract实用程序从内核源提取符号常量的值 。syz-extract生成一个小的C程序，包括include指令引用的内核头，定义define指令指定的宏，并打印符号常量的值。结果存储在.const文件中

使用syz-sysgen实用程序将描述转换为Go代码，此步骤使用系统调用描述和第一步中生成的const文件，并生成prog / types.go中定义的实例Syscall和Type类型。syzkaller使用由在prog / prog.go中定义的值Call和Arg值组成的内存中的AST表示

failed to generate coverage profile: '/home/joeat1/kernel/linux-5.1.2/vmlinux' does not have debug info (set CONFIG_DEBUG_INFO=y)

merged = bio_attempt_front_merge(q, rq, bio); 717
bio_attempt_front_merge 调用 ll_front_merge_fn 622
if (!ll_front_merge_fn(q, req, bio))
ll_front_merge_fn 在block/blk-merge.c:678 if (!bio_flagged(req->bio, BIO_SEG_VALID))处报错 kasan: GPF could be caused by NULL-ptr deref or user memory access

leak checking : CONFIG_DEBUG_KMEMLEAK is not enabled

使用syzkaller工具fuzz内核linux5.1.2模块，配置中设置enable_syscalls = ["openat\(kvm","ioctl\)KVM_CREATE_VM","ioctl\(KVM_CREATE_VCPU","syz_kvm_setup_cpu\)x86", "ioctl\(KVM_SET_GUEST_DEBUG", "ioctl\)KVM_RUN"]，
得到可以crash信息，暂时未进行reproduce，和 https://syzkaller.appspot.com/bug?id=2bf7b7983c2398ec6f0c4c6c87cb50223e8873f8 中很相像
函数流程
kvm_cpu_vmxoff(void) --> cr4_clear_bits(X86_CR4_VMXE); --> __cr4_set(cr4 & ~mask); --> __write_cr4(cr4); --> PVOP_VCALL1(cpu.write_cr4, x);
不知道哪位大佬能帮忙解释解释？

Description Count Last Time Report
general protection fault in ll_front_merge_fn 2 2019/05/24 19:19
general protection fault in native_write_cr4 8 2019/05/24 19:28
KASAN: use-after-free Read in ll_back_merge_fn 3 2019/05/24 19:18
lost connection to test machine 16 2019/05/24 19:27
possible deadlock in __queue_work 1 2019/05/24 09:51

There are 3 special types of crashes:

• no output from test machine: the test machine produces no output whatsoever
• lost connection to test machine: the ssh connection to the machine was unexpectedly closed
• test machine is not executing programs: the machine looks alive, but no test programs were executed for long period of time
  Most likely you won't see reportN files for these crashes (e.g. if there is no output from the test machine, there is nothing to put into report). Sometimes these crashes indicate a bug in syzkaller itself (especially if you see a Go panic message in the logs). However, frequently they mean a kernel lockup or something similarly bad (here are just a few examples of bugs found this way: 1, 2, 3).