Custom Pseudo Calls not being fuzzed


Marcel Pokorski

May 24, 2024, 1:45:33 AM
to syzkaller

Hello Syzkaller community,

I'm a student currently directing Syzkaller's fuzzing towards the BTRFS filesystem. After enabling the necessary kernel configurations and limiting the syscalls, I noticed low coverage in some BTRFS code files. To improve this, I'm considering adding pseudo syscalls in common_linux.h (similar to syz_mount_image) that hit some unfuzzed functions.

However, I'm encountering an issue where the pseudo syscalls I add are not executed at all. I've followed the Syzkaller guide for adding new pseudo syscalls, but it seems ineffective:

  1. I added a copy of syz_mount_image named syz_mount_image_alias to common_linux.h.
  2. I included a descriptor for syz_mount_image_alias in filesystem.txt.
  3. I listed syz_mount_image_alias in syscalls_linux.go with an "always supported" tag.
  4. Additionally, I added syz_mount_image_alias$btrfs in the filesystem.txt descriptions and syscalls.h mappings.
  5. I ran `make generate` and `make`.
  6. I modified my config.json to use syz_mount_image_alias and syz_mount_image_alias$btrfs instead of the original syz_mount_image and syz_mount_image$btrfs.

Despite these steps, there is still no coverage. Currently, I have only three other syscalls enabled to maintain a minimal environment and ensure that the new pseudo syscalls are not transitively disabled.

Could I be missing something in this setup? Any advice or suggestions would be greatly appreciated.

Aleksandr Nogikh

May 24, 2024, 5:30:40 AM
to Marcel Pokorski, syzkaller
Hi Marcel,

If you visit the syscall list page of your syz-manager (that is, /syscalls), do you see syz_mount_image_alias? If yes, you have very likely done all your steps correctly.

Note that we pre-generate seed programs for syz_mount_image$ calls with https://github.com/google/syzkaller/tree/master/tools/syz-imagegen -- it's unreasonable to expect a fuzzer to be able to come up with an (at least somewhat) valid fs image at random. These seed programs end up here: https://github.com/google/syzkaller/tree/master/sys/linux/test
And here's e.g. one of the btrfs seeds:
https://github.com/google/syzkaller/blob/master/sys/linux/test/syz_mount_image_btrfs_2

You may try to manually check whether your pseudo syscall generates any kernel coverage by crafting a program similar to the one above and executing it with
https://github.com/google/syzkaller/blob/master/tools/syz-execprog/execprog.go

--
Aleksandr
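The manual check Aleksandr suggests, as an added example that is not code from the thread or from the syzkaller project: it rewrites the btrfs seed so it calls `syz_mount_image_alias$btrfs`, replays both the original and the alias version with syz-execprog, and counts the coverage entries each produced. It assumes it runs inside the test VM with the syzkaller binaries and the seed copied in; the checkout and bin paths and the cover-file naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the syzkaller project: rewrite a
# btrfs seed program to target the alias pseudo call, replay it with
# syz-execprog and count the coverage it produced. Paths are assumptions.
SYZ=${SYZ:-$HOME/go/src/github.com/google/syzkaller}
BIN=${BIN:-$SYZ/bin/linux_amd64}
SEED=${SEED:-$SYZ/sys/linux/test/syz_mount_image_btrfs_2}

# Rewrite every syz_mount_image$btrfs call in a seed program as
# syz_mount_image_alias$btrfs. Takes the seed path, prints the program.
rewrite_seed() {
    sed 's/syz_mount_image\$btrfs(/syz_mount_image_alias$btrfs(/g' "$1"
}

# Replay a program with syz-execprog and print the number of distinct
# coverage entries it recorded. -coverfile is the execprog flag for writing
# coverage; that it emits per-call files named "<coverfile>.<call index>"
# is an assumption about the output format.
replay_with_cover() {
    prog=$1
    cover=$(mktemp)
    "$BIN/syz-execprog" -executor "$BIN/syz-executor" \
        -coverfile "$cover" -repeat 1 -procs 1 "$prog" >/dev/null
    cat "$cover" "$cover".* 2>/dev/null | sort -u | wc -l | tr -d ' '
    rm -f "$cover" "$cover".*
}

# Replay the original seed and the alias version and show both counts.
# If the alias count stays at zero while the original does not, the alias
# is not reaching the kernel and the descriptor/mapping steps need review.
compare_seed_and_alias() {
    alias_prog=$(mktemp)
    rewrite_seed "$SEED" >"$alias_prog"
    printf 'original: %s cover entries\n' "$(replay_with_cover "$SEED")"
    printf 'alias:    %s cover entries\n' "$(replay_with_cover "$alias_prog")"
    rm -f "$alias_prog"
}
```

Run `compare_seed_and_alias` from a shell inside the VM after sourcing the script.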

Marcel Pokorski

May 24, 2024, 11:22:53 AM
to syzkaller
Hello Aleksandr,

Thanks a lot for your input!
The syscall is indeed listed under /syscalls.

What solved my problem was your advice about the test.
As soon as I added a custom test program for my custom call, the coverage started going up.

Thank you for the help.

Marcel