How to target specific linux drivers


kabuto hokage

Oct 31, 2023, 9:25:23 AM
to syzkaller
Hey,
I'm new to syzkaller and I want to start fuzzing drivers. For example, if I wanted to target the following driver, https://github.com/google/syzkaller/blob/master/sys/linux/dev_i2c.txt, how do I go about finding the syscalls needed to get coverage of the driver code? When I insert the syscalls from the above-mentioned txt file, syzkaller complains about not having any syscalls to execute.

best regards

Aleksandr Nogikh

Oct 31, 2023, 1:00:27 PM
to kabuto hokage, syzkaller
Hi,

syz_open_dev$I2C(dev ptr[in, string["/dev/i2c-#"]], id intptr, flags flags[open_flags]) fd_i2c

syzkaller expects one of the /dev/i2c-* devices to be present on your VMs; otherwise it disables all related syscalls.
It should have printed a log message about this.

-- 
Aleksandr


--
You received this message because you are subscribed to the Google Groups "syzkaller" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/a4e76581-2904-4c01-9585-21f689aca07dn%40googlegroups.com.
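The check behind the answer above, as an added example (not code from the thread or from the syzkaller project): a POSIX shell script that counts the /dev/i2c-N nodes syz_open_dev$I2C would open, prints the module loads that normally create them when none exist, and emits a syz-manager config fragment restricted to the I2C descriptions. Assumptions: the VM kernel has CONFIG_I2C_CHARDEV (i2c-dev) and CONFIG_I2C_STUB built, 0x50 is just an example chip address, and syz-manager accepts a trailing "*" wildcard in enable_syscalls (the ioctl$I2C_* names otherwise have to be listed individually from dev_i2c.txt).

```shell
#!/bin/sh
# Added example, not part of the thread or of syzkaller itself.
# Usage: sh check_i2c.sh /dev        (run inside the VM, or against a
#        mounted image's dev directory)

# count_i2c_devs DEVDIR: print the number of /dev/i2c-N nodes (numeric
# suffix only). syzkaller disables every syscall that takes an fd_i2c when
# this count is 0, which is the "no syscalls to execute" situation.
count_i2c_devs() {
    devdir=${1:-/dev}
    n=0
    for d in "$devdir"/i2c-*; do
        [ -e "$d" ] || continue            # glob did not match anything
        case "${d##*/i2c-}" in
            ''|*[!0-9]*) continue ;;       # skip i2c-foo and the like
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# i2c_setup_hint: commands that create the nodes on a VM without real I2C
# hardware. i2c-dev exposes each registered adapter as /dev/i2c-N; i2c-stub
# registers a fake adapter with an emulated chip at chip_addr (assumed:
# CONFIG_I2C_CHARDEV and CONFIG_I2C_STUB enabled in the guest kernel).
i2c_setup_hint() {
    cat <<'EOF'
modprobe i2c-dev
modprobe i2c-stub chip_addr=0x50
EOF
}

# i2c_enable_syscalls_json: syz-manager config fragment that limits the
# fuzzer to the dev_i2c.txt descriptions. Assumption: syz-manager matches a
# trailing "*" in enable_syscalls as a prefix wildcard.
i2c_enable_syscalls_json() {
    cat <<'EOF'
"enable_syscalls": [
    "syz_open_dev$I2C",
    "ioctl$I2C_*"
],
EOF
}

# main DEVDIR: report and return 1 when the I2C syscalls would be disabled.
main() {
    n=$(count_i2c_devs "${1:-/dev}")
    if [ "$n" -eq 0 ]; then
        echo "no /dev/i2c-* nodes: syzkaller will disable the I2C syscalls" >&2
        echo "try inside the VM image:" >&2
        i2c_setup_hint >&2
        return 1
    fi
    echo "found $n I2C node(s); syz-manager config fragment:"
    i2c_enable_syscalls_json
}

[ $# -eq 0 ] || main "$@"
```

Run it once against the VM's /dev before starting syz-manager: if it reports zero nodes, load the modules (or add them to the image's boot scripts) and then re-check, so the fuzzer does not silently drop the whole description file.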

kabuto hokage

Nov 2, 2023, 5:25:56 AM
to syzkaller
Thanks I got it to work. I also wanted to ask, how do I go about increasing the coverage? I don't know much about device drivers, but I can imagine that some of the driver code might rely on other syscalls to be added. 
How do I find those syscalls?

best regards 

Aleksandr Nogikh

Nov 2, 2023, 6:26:49 AM
to kabuto hokage, syzkaller

I think there's no 100% working recipe. Reading kernel documentation /
tutorials / exploring kernel source code might help.

You can also refer to the coverage reports of syzkaller -- you'll see
code lines where coverage stopped and deduce what needs to be done to
help syzkaller go further.

--
Aleksandr


Aleksandr Nogikh

Nov 2, 2023, 7:58:34 AM
to kabuto hokage, syzkaller
That's strange.
Do you look at the overall coverage report (the one you get by
clicking at coverage XXXX from the syzkaller dashboard)? Or at the one
generated for the specific syscall?

On Thu, Nov 2, 2023 at 12:46 PM kabuto hokage <snakek...@gmail.com> wrote:
>
> I was meaning to ask about that as well. None of the code listed in my coverage report in the browser is coloured. Is this feature removed?

Aleksandr Nogikh

Nov 2, 2023, 8:16:18 AM
to kabuto hokage, syzkaller
Not just in the driver you're interested in, but also in none of the
other kernel source files, right?

On Thu, Nov 2, 2023 at 1:03 PM kabuto hokage <snakek...@gmail.com> wrote:
>
> I have tried both and no colouring shows up.

kabuto hokage

Nov 2, 2023, 8:54:28 AM
to syzkaller
Yes exactly. I have some src files with more than 50% coverage and not a single line is coloured.

Aleksandr Nogikh

Nov 2, 2023, 9:28:49 AM
to kabuto hokage, syzkaller
Could you please share the coverage report page that you get from your
syzkaller instance?

kabuto hokage

Nov 2, 2023, 10:57:47 AM
to syzkaller
Yes, here it is. The file was a little big. Sorry for the trouble!
coverage2.zip
coverage1.zip
coverage0.zip
coverage3.zip

kabuto hokage

Nov 2, 2023, 11:05:03 AM
to syzkaller
coverage_page.PNG

Aleksandr Nogikh

Nov 3, 2023, 7:04:11 AM
to kabuto hokage, syzkaller
Could you please compress that big html page in a single archive? It's not really clear what to do with those 4 zip files. 

If email doesn't let you share it as an attachment, you might upload it to e.g. a Google disk and share the download link. 

kabuto hokage

Nov 3, 2023, 7:27:53 AM
to syzkaller
Sorry, I wasn't sure what you were asking for, here you go.

kabuto hokage

Nov 6, 2023, 3:54:21 AM
to syzkaller
Hi, were you able to access the file?

Aleksandr Nogikh

Nov 9, 2023, 10:05:50 PM
to kabuto hokage, syzkaller
Hi,

Yes, I downloaded it and yes, there's indeed something wrong with it.
I haven't yet had a chance to take a closer look at why, unfortunately.

Do you see the same problem if you build Linux with syzbot's config [1] (or with the one from [2]) and run fuzzing with "vm": "qemu"?

[1]
$ wget -O '.config' 'https://raw.githubusercontent.com/google/syzkaller/master/dashboard/config/linux/upstream-apparmor-kasan.config'
$ make olddefconfig && make -j$(nproc)

[2] https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md

-- 
Aleksandr


Aleksandr Nogikh

Nov 21, 2023, 6:31:41 AM
to kabuto hokage, syzkaller
No, these are separate things - having the most up-to-date constants helps the fuzzer go deeper into the code, but coverage report generation is done independently from that.

On Thu, Nov 16, 2023 at 2:46 PM kabuto hokage <snakek...@gmail.com> wrote:
Hi, 

Could the lack of code-coverage support be because I didn't run make extract specifying sourcedir as the kernel source code I'm fuzzing?
It runs with the const files generated directly from the repo, so I haven't done much after cloning the repo.

best regards

kabuto hokage

Nov 23, 2023, 5:49:34 AM
to syzkaller
Hi,
I have tried fuzzing using the qemu setup as well, still no highlighted coverage :(
best regards 


Aleksandr Nogikh

Nov 23, 2023, 10:44:35 AM
to kabuto hokage, syzkaller
Is your syzkaller instance able to symbolize reports (i.e. convert raw addresses like ext4_bmap+0x58/0x35c to actual filename.c:line)? Do you have a fresh enough version of binutils and of the compiler toolchain you use?

You may try to build the kernel and run syzkaller from under our Docker container: gcr.io/syzkaller/syzbot
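The symbolization check asked for in the last reply, and the prerequisite for the coverage-report advice earlier in the thread, as an added example (not code from the thread or from the syzkaller project): a POSIX shell script that verifies the kernel build directory given as kernel_obj has the options syzkaller needs for coverage (CONFIG_KCOV for collection, CONFIG_DEBUG_INFO so addresses can be mapped to file:line), that a vmlinux is present, that addr2line is installed, and that it can resolve a real kernel symbol to a file:line. The use of start_kernel as the probe address, the ADDR2LINE override variable and the ext4_bmap line number used for illustration are my own choices; an uncoloured report with "??:0" output here points at missing debug info, a vmlinux that does not match the booted kernel, or a binutils too old for the kernel's DWARF.

```shell
#!/bin/sh
# Added example, not part of the thread or of syzkaller itself.
# Usage: sh check_cover.sh /path/to/kernel_obj

# Options syzkaller's coverage pipeline depends on. Both must be "=y";
# newer kernels select CONFIG_DEBUG_INFO through a DWARF-version option,
# but the selected symbol still appears as CONFIG_DEBUG_INFO=y in .config.
REQUIRED_OPTS="CONFIG_KCOV CONFIG_DEBUG_INFO"

# check_kconfig FILE: print every required option not set to y, return 1
# if any is missing.
check_kconfig() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^$opt=y\$" "$cfg"; then
            printf 'missing: %s=y\n' "$opt"
            missing=1
        fi
    done
    return $missing
}

# check_toolchain: syz-manager runs addr2line over vmlinux for every PC in
# the coverage data; an absent or outdated binary yields an empty report.
# ADDR2LINE lets you point at a specific binutils (assumed variable name).
check_toolchain() {
    tool=${ADDR2LINE:-addr2line}
    command -v "$tool" >/dev/null 2>&1 || { echo "addr2line not found"; return 1; }
    "$tool" --version | head -n 1
}

# symbolize PC VMLINUX: function name, then file:line (with inlined frames),
# i.e. the conversion from ext4_bmap+0x58/0x35c-style addresses the thread
# mentions. "??:0" means no usable debug info for that address.
symbolize() {
    pc=$1; vmlinux=$2
    "${ADDR2LINE:-addr2line}" -f -i -e "$vmlinux" "$pc"
}

# is_symbolized OUTPUT: true when addr2line produced a file:line pair.
is_symbolized() {
    case "$1" in
        *'??'*) return 1 ;;        # unresolved address
        *:[0-9]*) return 0 ;;      # something like fs/ext4/inode.c:3200
        *) return 1 ;;
    esac
}

# main KERNEL_OBJ: run all checks; start_kernel exists in every vmlinux, so
# its address is a safe probe for symbolization.
main() {
    kobj=${1:?usage: $0 KERNEL_OBJ_DIR}
    check_kconfig "$kobj/.config" || echo "kernel config lacks coverage support"
    [ -f "$kobj/vmlinux" ] || { echo "no vmlinux in $kobj (kernel_obj must be the build dir)"; return 1; }
    check_toolchain || return 1
    pc=$(nm "$kobj/vmlinux" | awk '$3 == "start_kernel" { print $1; exit }')
    [ -n "$pc" ] || { echo "start_kernel not in vmlinux symbol table"; return 1; }
    out=$(symbolize "0x$pc" "$kobj/vmlinux")
    if is_symbolized "$out"; then
        echo "symbolization OK:"; echo "$out"
    else
        echo "symbolization FAILED (check CONFIG_DEBUG_INFO and your binutils version):"
        echo "$out"
        return 1
    fi
}

[ $# -eq 0 ] || main "$@"
```

If the config and vmlinux pass but start_kernel still comes back as "??:0", try the same addr2line invocation from the syzbot Docker image mentioned above; a toolchain that resolves the probe but whose report stays blank usually means kernel_obj points at a different build than the one the VMs booted.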
