syzkaller installation


Initial environment setup

sudo apt-get install subversion
sudo apt-get install g++
sudo apt-get install git
sudo apt install libssl-dev libelf-dev
sudo apt-get install kvm qemu-kvm

Installing GCC

sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev

sudo apt-get install debootstrap
// debootstrap is not needed for gcc itself; syzkaller's tools/create-image.sh uses it to build the Debian guest image.

Alternatively, download a prebuilt gcc toolchain directly (the commands below assume it lives in /home/joeat1/gcc).

Building and booting the kernel

Pick the kernel version to test and compile it with the gcc installed above. Of the combinations tried, gcc 8.0.1 building linux-5.1.2 went most smoothly.

make CC="/home/joeat1/gcc/bin/gcc" defconfig
make CC="/home/joeat1/gcc/bin/gcc" kvmconfig
// kvmconfig (kernel/configs/kvm_guest.config) configures the kernel as a KVM guest; it does not enable KVM itself. Newer kernels dropped the shorthand, where make kvm_guest.config is the equivalent.

The following options then have to be set in .config. In these notes they only took effect when written into the body of .config rather than appended at the end; whichever way they are added, verify after the oldconfig step below that the lines are still present, since Kconfig keeps the last occurrence of a symbol and a later "# CONFIG_KCOV is not set" line wins:
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

CONFIG_KCOV must be enabled in the kernel; the alternative is to put "cover": false into the manager config, which fuzzes without coverage feedback.

make CC="/home/joeat1/gcc/bin/gcc" oldconfig
// Press Enter at every prompt to keep the default; make olddefconfig does the same without prompting.

make CC="/home/joeat1/gcc/bin/gcc" -j64
// Note: no make install is needed here; syz-manager boots arch/x86/boot/bzImage directly and reads vmlinux from the build tree.
// Note: if the build fails, retry without -j64.

To build the KVM modules out of tree (needed for the KVM ioctl fuzzing further down, which runs inside the guest). The Intel module's Kconfig symbol is CONFIG_KVM_INTEL, not CONFIG_INTEL_KVM. The resulting kvm.ko and kvm-intel.ko are not part of bzImage and have to be copied into the guest image, and kvm-intel only loads there if the host exposes VMX to the VM (nested virtualisation enabled and a qemu -cpu host):

make clean CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_KVM_INTEL=m -C . M=./arch/x86/kvm

make CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_KVM_INTEL=m -C . M=./arch/x86/kvm
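The .config step above, as an added example (this is not from the original notes or from syzkaller): a POSIX shell helper that sets each option in place, so that no later "# CONFIG_X is not set" line can override it, and then verifies the result. It applies the four options above together with CONFIG_CONFIGFS_FS and CONFIG_SECURITYFS from the boot failure listed under problems below, plus CONFIG_DEBUG_FS, without which /sys/kernel/debug/kcov does not exist. Run it on the tree's .config, run make olddefconfig, then call check_kconfig again, because olddefconfig drops options whose dependencies are unmet.

```sh
#!/bin/sh
# Set a Kconfig symbol in a .config file in place. Kconfig keeps the last
# occurrence of a symbol, so rewriting the existing line (rather than
# appending a second one) guarantees the value cannot be overridden later.
set_kconfig() {  # set_kconfig <.config> <CONFIG_NAME> <value>
    cfg=$1 opt=$2 val=$3
    if grep -Eq "^($opt=|# $opt is not set)" "$cfg"; then
        sed -e "s|^$opt=.*|$opt=$val|" \
            -e "s|^# $opt is not set\$|$opt=$val|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$opt" "$val" >> "$cfg"
    fi
}

# Print every wanted "CONFIG_X=v" line that is absent from the .config; return 1 if any is.
check_kconfig() {  # check_kconfig <.config> CONFIG_X=y ...
    cfg=$1; shift; rc=0
    for want in "$@"; do
        grep -Fqx "$want" "$cfg" || { echo "missing: $want"; rc=1; }
    done
    return $rc
}

# The four options from these notes, the two from the boot failure below, and
# DEBUG_FS (debugfs must exist for /sys/kernel/debug/kcov to appear).
SYZ_KCONFIG='CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
CONFIG_DEBUG_FS=y'

# Apply every option, then verify each one survived as an exact line.
apply_syzkaller_kconfig() {  # apply_syzkaller_kconfig <.config>
    printf '%s\n' "$SYZ_KCONFIG" | while IFS== read -r opt val; do
        set_kconfig "$1" "$opt" "$val"
    done
    check_kconfig "$1" $SYZ_KCONFIG
}

# Usage on a real tree: sh kconfig.sh /home/joeat1/kernel/linux-5.1.2/.config
# (CC is an assumed environment variable; default gcc is used if unset).
if [ -n "${1:-}" ]; then
    apply_syzkaller_kconfig "$1" &&
        make -C "$(dirname "$1")" CC="${CC:-gcc}" olddefconfig &&
        check_kconfig "$1" $SYZ_KCONFIG
fi
```

check_kconfig is deliberately strict about the exact line: CONFIG_KASAN=n or a duplicated "is not set" entry both count as missing, which is the situation the "only works in the middle of the file" observation above describes.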

Testing the KVM virtual machine

qemu-system-x86_64 \
  -kernel /home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage \
  -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" \
  -hda wheezy.img \
  -net user,hostfwd=tcp::10021-:22 -net nic \
  -enable-kvm \
  -nographic \
  -m 2G \
  -smp 2 \
  -pidfile vm.pid \
  2>&1 | tee vm.log

To boot the stretch image instead, swap the disk argument:
-hda /home/joeat1/image/stretch.img

ssh -i /home/joeat1/image/stretch.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost

The key file must not be readable by others, or ssh ignores it and falls back to a password prompt:
chmod 600 wheezy.img.key
ssh -i /home/joeat1/image/wheezy.img.key -p 10021 -o "StrictHostKeyChecking no" root@localhost
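The boot-and-ssh check above, as an added example that is not from the original notes: a shell wrapper around the same qemu command line that refuses to start without the kernel and image, polls sshd with a deadline instead of retrying by hand, checks inside the guest that KCOV's debugfs node exists, and stops the VM through the pidfile. The default paths are the ones used in these notes. The /proc/config.gz listing is an assumption about the guest kernel (it needs CONFIG_IKCONFIG_PROC=y, which defconfig does not set) and is skipped when the file is absent.

```sh
#!/bin/sh
# Boot the test kernel with the qemu command line from these notes, wait for sshd,
# sanity-check the guest, and stop the VM. Defaults are the paths used above.
VM_KERNEL=${VM_KERNEL:-/home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage}
VM_IMAGE=${VM_IMAGE:-/home/joeat1/image/wheezy.img}
VM_SSHKEY=${VM_SSHKEY:-/home/joeat1/image/wheezy.img.key}
VM_PORT=${VM_PORT:-10021}
VM_PIDFILE=${VM_PIDFILE:-vm.pid}
VM_LOG=${VM_LOG:-vm.log}

vm_start() {
    # Fail fast: qemu's own complaint about a missing -kernel or -hda is easy to miss in vm.log.
    [ -r "$VM_KERNEL" ] || { echo "vm_start: kernel not readable: $VM_KERNEL" >&2; return 1; }
    [ -r "$VM_IMAGE" ]  || { echo "vm_start: image not readable: $VM_IMAGE" >&2; return 1; }
    qemu-system-x86_64 \
        -kernel "$VM_KERNEL" \
        -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ" \
        -hda "$VM_IMAGE" \
        -net user,hostfwd=tcp::"$VM_PORT"-:22 -net nic \
        -enable-kvm -nographic -m 2G -smp 2 \
        -pidfile "$VM_PIDFILE" >"$VM_LOG" 2>&1 &
}

vm_ssh() {  # run a command in the guest; BatchMode keeps ssh from hanging on a password prompt
    ssh -i "$VM_SSHKEY" -p "$VM_PORT" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 -o BatchMode=yes root@localhost "$@"
}

vm_wait_ssh() {  # vm_wait_ssh [timeout-seconds]; returns 1 if sshd never answers
    deadline=$(( $(date +%s) + ${1:-120} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        vm_ssh true 2>/dev/null && return 0
        sleep 3
    done
    echo "vm_wait_ssh: no sshd on port $VM_PORT, check $VM_LOG" >&2
    return 1
}

vm_check_guest() {
    # /sys/kernel/debug/kcov exists only with CONFIG_KCOV=y and debugfs mounted, which is what
    # syz-fuzzer needs. /proc/config.gz is only listed if present (assumes CONFIG_IKCONFIG_PROC=y).
    vm_ssh 'mount -t debugfs none /sys/kernel/debug 2>/dev/null
            [ -r /proc/config.gz ] && zcat /proc/config.gz | grep -E "^CONFIG_(KCOV|KASAN|DEBUG_INFO)="
            if [ -e /sys/kernel/debug/kcov ]; then echo kcov=present; else echo kcov=MISSING; exit 1; fi'
}

vm_stop() {
    [ -r "$VM_PIDFILE" ] || return 0
    pid=$(cat "$VM_PIDFILE")
    kill "$pid" 2>/dev/null || true
    for _ in 1 2 3 4 5; do kill -0 "$pid" 2>/dev/null || break; sleep 1; done
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid" 2>/dev/null   # a wedged guest must still free the port
    rm -f "$VM_PIDFILE"
}

if [ "${1:-}" = boot ]; then   # sh boot-check.sh boot
    vm_start && vm_wait_ssh 120 && vm_check_guest
    vm_stop
fi
```

vm_check_guest exits non-zero when the kcov node is absent, so the one-liner above reports at a glance whether this bzImage is usable for coverage-guided fuzzing before syz-manager is started.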

Testing syz-manager

my.cfg
{
"target": "linux/amd64",
"http": "127.0.0.1:56741",
"workdir": "/home/joeat1/gopath/src/github.com/google/syzkaller/workdir",
"kernel_obj": "/home/joeat1/kernel/linux-5.1.2",
"image": "/home/joeat1/image/wheezy.img",
"sshkey": "/home/joeat1/image/wheezy.img.key",
"syzkaller": "/home/joeat1/gopath/src/github.com/google/syzkaller",
"procs": 8,
"type": "qemu",
"vm": {
"count": 4,
"kernel": "/home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage",
"cpu": 2,
"mem": 2048
},
"reproduce": false
}

mkdir workdir
./bin/syz-manager -config=my.cfg

To clean up leftover VMs:
ps -A | grep qemu
kill <pid>
or, for the VM booted by hand above:
kill $(cat vm.pid)
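Before starting syz-manager, as an added example (not from these notes or from syzkaller): a shell check of everything my.cfg points at, because the manager's errors for a missing vmlinux, an unreadable image or a key with loose permissions are not always obvious. The paths default to the ones in the config above; the readelf-based check catches the "does not have debug info" failure listed under problems below before syz-manager hits it, and write_syz_cfg emits the same config from those paths.

```sh
#!/bin/sh
# Validate the files my.cfg points at before starting syz-manager.
# Paths default to the ones in the config above.
SYZ_KERNEL_OBJ=${SYZ_KERNEL_OBJ:-/home/joeat1/kernel/linux-5.1.2}
SYZ_BZIMAGE=${SYZ_BZIMAGE:-$SYZ_KERNEL_OBJ/arch/x86/boot/bzImage}
SYZ_IMAGE=${SYZ_IMAGE:-/home/joeat1/image/wheezy.img}
SYZ_SSHKEY=${SYZ_SSHKEY:-/home/joeat1/image/wheezy.img.key}
SYZ_WORKDIR=${SYZ_WORKDIR:-/home/joeat1/gopath/src/github.com/google/syzkaller/workdir}

# Return 0 only if every path exists with usable permissions; print each problem found.
check_syz_cfg() {  # check_syz_cfg <kernel_obj> <bzImage> <image> <sshkey> <workdir>
    rc=0
    [ -r "$1/vmlinux" ] || { echo "kernel_obj: $1/vmlinux not found (coverage and symbolization need it)"; rc=1; }
    [ -r "$2" ] || { echo "vm.kernel: $2 not found"; rc=1; }
    [ -r "$3" ] || { echo "image: $3 not found"; rc=1; }
    if [ -r "$4" ]; then
        # ssh refuses a key readable by others, which surfaces as a generic connection failure
        mode=$(stat -c %a "$4" 2>/dev/null || stat -f %Lp "$4")
        case $mode in
            600|400) ;;
            *) echo "sshkey: $4 has mode $mode, run chmod 600 on it"; rc=1 ;;
        esac
    else
        echo "sshkey: $4 not found"; rc=1
    fi
    [ -d "$5" ] || { echo "workdir: $5 not found (mkdir it)"; rc=1; }
    return $rc
}

# Catch "vmlinux does not have debug info" early by looking for a .debug_info section.
check_vmlinux_debuginfo() {  # check_vmlinux_debuginfo <kernel_obj>
    readelf -S "$1/vmlinux" 2>/dev/null | grep -q 'debug_info' ||
        { echo "$1/vmlinux has no .debug_info section: rebuild with CONFIG_DEBUG_INFO=y"; return 1; }
}

# Emit the manager config from the variables above (same layout as my.cfg).
write_syz_cfg() {  # write_syz_cfg <syzkaller checkout> <output file>
    cat > "$2" <<EOF
{
    "target": "linux/amd64",
    "http": "127.0.0.1:56741",
    "workdir": "$SYZ_WORKDIR",
    "kernel_obj": "$SYZ_KERNEL_OBJ",
    "image": "$SYZ_IMAGE",
    "sshkey": "$SYZ_SSHKEY",
    "syzkaller": "$1",
    "procs": 8,
    "type": "qemu",
    "vm": {
        "count": 4,
        "kernel": "$SYZ_BZIMAGE",
        "cpu": 2,
        "mem": 2048
    },
    "reproduce": false
}
EOF
}

if [ "${1:-}" = check ]; then   # sh syz-precheck.sh check
    check_syz_cfg "$SYZ_KERNEL_OBJ" "$SYZ_BZIMAGE" "$SYZ_IMAGE" "$SYZ_SSHKEY" "$SYZ_WORKDIR" &&
        check_vmlinux_debuginfo "$SYZ_KERNEL_OBJ" &&
        write_syz_cfg "${SYZ_SRC:-/home/joeat1/gopath/src/github.com/google/syzkaller}" my.cfg &&
        echo "ok: my.cfg written"
fi
```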

https://mirrors.kernel.org/debian/dists/wheezy/Release

SyscallName$Type: the SyscallName before the $ is the system call name, i.e. the interface the kernel provides; the generic declarations can be consulted in $(SYZKALLER_SOURCE)/sys/sys.txt (current trees keep the Linux descriptions under sys/linux/, for example sys/linux/sys.txt). The Type after the $ denotes a specialised variant of that syscall; its concrete behaviour is determined by the arguments that follow.
Arguments have the form ArgumentName ArgumentType[Limit], where ArgumentName is the parameter name and ArgumentType its type.

"enable_syscalls": [
"socket$packet", "socketpair$packet", "accept$packet", "accept4$packet", "bind$packet", "connect$packet", "sendto$packet", "recvfrom$packet", "getsockname$packet", "getpeername$packet", "listen", "setsockopt", "getsockopt", "syz_emit_ethernet"
],
Note that when listing syscalls this way, the objects consumed as arguments must be creatable by something else in the list, i.e. the resource dependency chain must stay unbroken (a bind$packet without a socket$packet to produce the sock_packet it takes can never run).

The whole syzkaller workflow is therefore: first find the kernel attack surface, then write the API call templates (descriptions), and leave the rest to syzkaller's coverage-driven fuzzing.

"disable_syscalls": [
"socket$packet"
],

"enable_syscalls": [
"openat$kvm", "ioctl"
]
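The resource-dependency rule above, as an added example (not from these notes or from syzkaller): a shell script that reads a description file in syzkaller's syntax, lists which variants produce and consume a resource, and checks an enable_syscalls list for consumers whose producer is not enabled. The description excerpt it parses is constructed here to mirror the packet and KVM lists used in these notes, not the real sys/linux files; it only follows resources passed directly as arguments, not those returned through ptr[out, ...].

```sh
#!/bin/sh
# Check an enable_syscalls list against syzkaller-style descriptions: every
# syscall that takes a resource needs an enabled syscall that returns it.

# Constructed excerpt in description syntax, modelled on the lists used above.
SYZ_SAMPLE=$(mktemp)
cat > "$SYZ_SAMPLE" <<'EOF'
resource sock_packet[sock]
resource fd_kvm[fd]
resource fd_kvmvm[fd]
resource fd_kvmcpu[fd]
socket$packet(domain const[AF_PACKET], type flags[packet_socket_type], proto flags[packet_socket_proto]) sock_packet
bind$packet(fd sock_packet, addr ptr[in, sockaddr_ll], addrlen len[addr])
sendto$packet(fd sock_packet, buf buffer[in], len len[buf], f const[0], addr ptr[in, sockaddr_ll, opt], addrlen len[addr])
syz_emit_ethernet(len len[packet], packet ptr[in, eth_packet], frags ptr[in, vnet_fragmentation, opt])
openat$kvm(fd const[AT_FDCWD], file ptr[in, string["/dev/kvm"]], flags flags[open_flags], mode const[0]) fd_kvm
ioctl$KVM_CREATE_VM(fd fd_kvm, cmd const[KVM_CREATE_VM], arg const[0]) fd_kvmvm
ioctl$KVM_CREATE_VCPU(fd fd_kvmvm, cmd const[KVM_CREATE_VCPU], id intptr[0:7]) fd_kvmcpu
ioctl$KVM_RUN(fd fd_kvmcpu, cmd const[KVM_RUN], arg const[0])
EOF

# Names of the variants in file $1 whose return type is resource $2.
syz_producers() {
    awk -v res="$2" '
        match($0, /^[A-Za-z0-9_$]+\(/) {
            name = substr($0, 1, RLENGTH - 1)
            ret = $0; sub(/.*\)/, "", ret); gsub(/[ \t]/, "", ret)   # text after the last ")"
            if (ret == res) print name
        }' "$1"
}

# Resources that variant $2 in file $1 takes directly as arguments.
# Pass 1 collects "resource X[...]" names, pass 2 tokenises the argument list.
syz_needs() {
    awk -v name="$2" '
        FNR == NR { if ($1 == "resource") { r = $2; sub(/\[.*/, "", r); isres[r] = 1 } next }
        match($0, /^[A-Za-z0-9_$]+\(/) && substr($0, 1, RLENGTH - 1) == name {
            args = substr($0, RLENGTH + 1); sub(/\)[^)]*$/, "", args)
            n = split(args, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (tok[i] in isres) print tok[i]
        }' "$1" "$1"
}

# Return 0 iff every resource used by a syscall in list file $2 (one name per
# line) has at least one producer in the same list; print each gap otherwise.
syz_check_list() {  # syz_check_list <desc.txt> <list file>
    rc=0
    while read -r call; do
        for res in $(syz_needs "$1" "$call"); do
            if ! syz_producers "$1" "$res" | grep -Fqxf "$2"; then
                echo "$call needs $res, but no producer is enabled; add one of: $(syz_producers "$1" "$res" | tr '\n' ' ')"
                rc=1
            fi
        done
    done < "$2"
    return $rc
}

# Demo: the packet list without its socket$packet producer fails, with it passes.
DEMO_LIST=$(mktemp)
printf '%s\n' 'bind$packet' 'sendto$packet' 'syz_emit_ethernet' > "$DEMO_LIST"
syz_check_list "$SYZ_SAMPLE" "$DEMO_LIST" || echo "(as expected: bind/sendto have nothing to bind to)"
printf '%s\n' 'socket$packet' >> "$DEMO_LIST"
syz_check_list "$SYZ_SAMPLE" "$DEMO_LIST" && echo "packet list is self-contained"
rm -f "$DEMO_LIST"
```

The same check on the KVM list explains why openat$kvm together with a bare ioctl$KVM_RUN never executes anything useful: KVM_RUN needs an fd_kvmcpu, which only ioctl$KVM_CREATE_VCPU returns, which in turn needs the fd_kvmvm from ioctl$KVM_CREATE_VM, so the whole chain has to be enabled.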

Problems you may run into

sudo service sshd start
sudo service sshd status

Using the latest gcc and Linux kernel will handle this problem.
My configuration: gcc 8.4, linux-4.20.13

Run syz-manager with -debug to print all output, including the VM consoles.

[FAILED] Failed to mount /sys/kernel/config.
[FAILED] Failed to start Remount Root and Kernel File Systems.

The real cause of the boot error is two options missing from the kernel .config file:
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config

The syz-extract utility extracts the values of symbolic constants from the kernel source. It generates a small C program that includes the kernel headers referenced by include directives, defines the macros given by define directives, and prints the values of the symbolic constants. The results are stored in .const files (run as make extract TARGETOS=linux SOURCEDIR=<kernel source>).

The syz-sysgen utility converts the descriptions into Go code. This step takes the syscall descriptions together with the .const files from the first step and produces instances of the Syscall and Type types defined in prog/types.go (run as make generate). At runtime syzkaller works on an in-memory AST made of the Call and Arg values defined in prog/prog.go.

failed to generate coverage profile: '/home/joeat1/kernel/linux-5.1.2/vmlinux' does not have debug info (set CONFIG_DEBUG_INFO=y)

Call path for the ll_front_merge_fn fault (line numbers refer to the linux-5.1.2 block layer sources):
merged = bio_attempt_front_merge(q, rq, bio); (line 717)
bio_attempt_front_merge calls ll_front_merge_fn (line 622): if (!ll_front_merge_fn(q, req, bio))
ll_front_merge_fn faults at block/blk-merge.c:678, if (!bio_flagged(req->bio, BIO_SEG_VALID)), with kasan: GPF could be caused by NULL-ptr deref or user memory access

leak checking : CONFIG_DEBUG_KMEMLEAK is not enabled

Fuzzing the KVM module of linux-5.1.2 with syzkaller, with the config set to enable_syscalls = ["openat$kvm", "ioctl$KVM_CREATE_VM", "ioctl$KVM_CREATE_VCPU", "syz_kvm_setup_cpu$x86", "ioctl$KVM_SET_GUEST_DEBUG", "ioctl$KVM_RUN"],
produced crash reports, not yet reproduced, that look very much like https://syzkaller.appspot.com/bug?id=2bf7b7983c2398ec6f0c4c6c87cb50223e8873f8
Call chain:
kvm_cpu_vmxoff(void) --> cr4_clear_bits(X86_CR4_VMXE); --> __cr4_set(cr4 & ~mask); --> __write_cr4(cr4); --> PVOP_VCALL1(cpu.write_cr4, x);
Could someone more experienced help explain this?

Description                                     Count   Last Time
general protection fault in ll_front_merge_fn       2   2019/05/24 19:19
general protection fault in native_write_cr4        8   2019/05/24 19:28
KASAN: use-after-free Read in ll_back_merge_fn      3   2019/05/24 19:18
lost connection to test machine                    16   2019/05/24 19:27
possible deadlock in __queue_work                   1   2019/05/24 09:51

There are 3 special types of crashes:

  • no output from test machine: the test machine produces no output whatsoever
  • lost connection to test machine: the ssh connection to the machine was unexpectedly closed
  • test machine is not executing programs: the machine looks alive, but no test programs were executed for long period of time

Most likely you won't see reportN files for these crashes (e.g. if there is no output from the test machine, there is nothing to put into report). Sometimes these crashes indicate a bug in syzkaller itself (especially if you see a Go panic message in the logs). However, frequently they mean a kernel lockup or something similarly bad.

