Hi Dmitry and syzkaller experts,
Greetings!
I’m interested in syzkaller; it’s powerful and great for Linux kernel fuzzing!
I wrote the CET user-space SHSTK test “syzkaller/sys/linux/test/cet_user_shstk” and am trying to send it out.
And I tried to use the commands below to make the new test work:
“
make generate
make
”
But in my pilot run, I’m not sure whether the new syscall hits came from the new syscall descriptions or from my test “cet_user_shstk”.
And I saw that Dmitry already merged the CET user-space SHSTK syscall descriptions, which seem to be based on the Linux tip repo.
“
commit b2d646a98ca1a17d263efbd7d19ddb736d376d62
Author: Dmitry Vyukov dvy...@google.com
Date: Mon Apr 3 07:45:08 2023 +0200
sys/linux: add description of PTRACE_ARCH_PRCTL
commit 11d0e932eb82ef70289fd831f1196b9594ff50fb
Author: Dmitry Vyukov dvy...@google.com
Date: Mon Apr 3 07:45:07 2023 +0200
sys/linux: add map_shadow_stack syscall descriptions
”
And I saw syzkaller hit the new syscalls below with a user-SHSTK host kernel and guest kernel and a user-SHSTK-capable qemu:
“
ptrace$ARCH_SHSTK_DISABLE [2891] 4 263 prio
ptrace$ARCH_SHSTK_ENABLE [2892] 4 241 prio
ptrace$ARCH_SHSTK_LOCK [2893] 3 2842 prio
ptrace$ARCH_SHSTK_UNLOCK [2895] 1 95 prio
”
For example, “ptrace$ARCH_SHSTK_DISABLE” -> “159 syz_clone-ptrace$ARCH_SHSTK_DISABLE”:
“
r0 = syz_clone(0x22084080, &(0x7f0000000040), 0x0, 0x0, 0x0, 0x0)
ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002) // Why is it filling 0x0 in the third parameter? Both the shstk description and the tests use only 0x1 (ARCH_SHSTK_SHSTK) or 0x2 (ARCH_SHSTK_WRSS). How did it come about?
”
Actually, in my “cet_user_shstk” test it should fill in 0x1, not 0x0, for the 3rd argument.
“
…
arch_prctl$ARCH_SHSTK_ENABLE(0x5001, 0x1)
…
r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
…
ptrace$ARCH_SHSTK_DISABLE(0x1e, r0, 0x1, 0x5002) // 0x1e: PTRACE_ARCH_PRCTL; it should fill in 0x1: ARCH_SHSTK_SHSTK; 0x5002: ARCH_SHSTK_DISABLE
”
Even “ptrace$ARCH_SHSTK_DISABLE” was triggered by the description in “syzkaller/sys/linux/sys.txt”:
“
ptrace$ARCH_SHSTK_DISABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_DISABLE]) (breaks_returns)
”
shadow_stack_features is defined in “syzkaller/sys/linux/prctl.txt”:
“
_ = ARCH_SET_FS
shadow_stack_features = ARCH_SHSTK_SHSTK, ARCH_SHSTK_WRSS // ARCH_SHSTK_SHSTK:1, ARCH_SHSTK_WRSS:2
”
Thanks!
BR
Pengfei

And I’m surprised that the basic arch_prctl$ARCH_SHSTK_DISABLE/ENABLE syscalls for the parent process could *not* be triggered after 8 hours of syzkaller fuzzing.
“
arch_prctl$ARCH_SHSTK_DISABLE [50] 0 0 prio
arch_prctl$ARCH_SHSTK_ENABLE [51] 0 0 prio
”
I used the filter below in my.cfg to make them work quickly:
"enable_syscalls": [
"syz_clone",
"arch_prctl$ARCH_SHSTK*",
"ptrace$ARCH_SHSTK*",
"ptrace$getregset",
"ptrace$setregset",
"mmap",
"map_shadow_stack"
],
Here is my test file cet_user_shstk; at first it does “arch_prctl$ARCH_SHSTK_DISABLE and ENABLE” for the parent process.
This syscall does not depend on any other syscall to work.
“
# requires: arch=amd64
arch_prctl$ARCH_SHSTK_DISABLE(0x5002, 0x1)
arch_prctl$ARCH_SHSTK_ENABLE(0x5001, 0x1)
”
Here is the description in “syzkaller/sys/linux/prctl.txt”, which is already merged in syzkaller:
“
arch_prctl$ARCH_SHSTK_ENABLE(cmd const[ARCH_SHSTK_ENABLE], features flags[shadow_stack_features])
arch_prctl$ARCH_SHSTK_DISABLE(cmd const[ARCH_SHSTK_DISABLE], features flags[shadow_stack_features])
…
shadow_stack_features = ARCH_SHSTK_SHSTK, ARCH_SHSTK_WRSS
”
Thanks!
BR
Pengfei
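The sequence that the cet_user_shstk test and the ptrace$ARCH_SHSTK_DISABLE program above describe, written out as a plain C program. This is an added example, not code from the messages above or from the syzkaller repository. The ARCH_SHSTK_* and PTRACE_ARCH_PRCTL values are the kernel's uapi constants (the ones quoted in the thread: 0x5001, 0x5002, 0x1, 0x2, 0x1e) and are redefined locally so the program builds against older headers; the function names (shstk_arch_prctl, shstk_tracee, shstk_single_feature, disable_shstk_in_traced_child) are mine. The single-feature check mirrors how the merged kernel's shstk_prctl() treats the feature mask; on a kernel or CPU without user shadow stacks every call simply reports EINVAL or EOPNOTSUPP, which the program prints rather than treating as a failure.

```c
/* Added example (not from the post or from syzkaller): the cet_user_shstk
 * sequence in C, making the argument order of arch_prctl(2) and
 * ptrace(PTRACE_ARCH_PRCTL) explicit. Constants are the kernel's uapi values
 * (asm/prctl.h, asm/ptrace-abi.h), redefined here for older headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef ARCH_SHSTK_ENABLE
#define ARCH_SHSTK_ENABLE  0x5001
#define ARCH_SHSTK_DISABLE 0x5002
#define ARCH_SHSTK_STATUS  0x5005
#define ARCH_SHSTK_SHSTK   (1UL << 0)   /* shadow stack itself */
#define ARCH_SHSTK_WRSS    (1UL << 1)   /* WRSS instruction */
#endif
#ifndef PTRACE_ARCH_PRCTL
#define PTRACE_ARCH_PRCTL  30           /* 0x1e, x86-64 only */
#endif

/* arch_prctl(2) has no libc wrapper. Returns 0 or a negative errno. */
static long shstk_arch_prctl(int option, unsigned long arg2)
{
#ifdef __x86_64__
	long r = syscall(SYS_arch_prctl, option, arg2);
	return r == -1 ? -errno : r;
#else
	(void)option; (void)arg2;
	return -ENOSYS;                   /* the interface is x86-64 only */
#endif
}

/* Mirrors the mask rule of the merged kernel's shstk_prctl(): a request must
 * name exactly one known feature, so 0x0 (the value the fuzzer generated in
 * the post) and 0x3 are both rejected with EINVAL. Assumption: kernel as of
 * the mainline merge; not verified against the tip tree the post used. */
static int shstk_single_feature(unsigned long features)
{
	unsigned long known = ARCH_SHSTK_SHSTK | ARCH_SHSTK_WRSS;
	return features != 0 && (features & ~known) == 0 &&
	       (features & (features - 1)) == 0;
}

/* Read back the current feature mask. 0 on success, -errno otherwise. */
static long shstk_status(unsigned long *features)
{
	*features = 0;
	return shstk_arch_prctl(ARCH_SHSTK_STATUS, (unsigned long)features);
}

/* Same command applied to a stopped tracee. ptrace passes its addr argument
 * as the feature mask and its data argument as the ARCH_SHSTK_* command,
 * matching the syzkaller description order (req, pid, features, cmd). */
static long shstk_tracee(pid_t pid, int cmd, unsigned long feature)
{
	long r = ptrace(PTRACE_ARCH_PRCTL, pid, (void *)feature, (void *)(long)cmd);
	return r == -1 ? -errno : r;
}

/* Fork a child that stops under ptrace, disable its shadow stack from the
 * parent, then reap it. Returns the PTRACE_ARCH_PRCTL result (0 or -errno). */
static long disable_shstk_in_traced_child(void)
{
	int status;
	long rc;
	pid_t pid = fork();

	if (pid < 0)
		return -errno;
	if (pid == 0) {
		ptrace(PTRACE_TRACEME, 0, NULL, NULL);
		raise(SIGSTOP);               /* parent observes the stop */
		_exit(0);
	}
	/* WUNTRACED also reports the stop if PTRACE_TRACEME was refused,
	 * so this cannot hang where ptrace is forbidden. */
	if (waitpid(pid, &status, WUNTRACED) != pid)
		return -errno;
	if (!WIFSTOPPED(status))
		return -ECHILD;               /* child exited; already reaped */
	rc = shstk_tracee(pid, ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
	kill(pid, SIGKILL);
	waitpid(pid, &status, 0);
	return rc;
}

static void report(const char *what, long r)
{
	printf("%-56s %s\n", what, r == 0 ? "ok" : strerror((int)-r));
}

int main(void)
{
	unsigned long f;

	/* Parent process, as in the first two lines of the cet_user_shstk test. */
	report("arch_prctl(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)",
	       shstk_arch_prctl(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK));
	report("arch_prctl(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)",
	       shstk_arch_prctl(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK));
	if (shstk_status(&f) == 0)
		printf("ARCH_SHSTK_STATUS: features=%#lx (SHSTK %s)\n", f,
		       (f & ARCH_SHSTK_SHSTK) ? "on" : "off");
	/* The mask the fuzzer produced in the post (0x0): rejected, nothing toggled. */
	report("arch_prctl(ARCH_SHSTK_DISABLE, 0x0)",
	       shstk_arch_prctl(ARCH_SHSTK_DISABLE, 0));
	/* Tracee path: ptrace(PTRACE_ARCH_PRCTL, pid, features, cmd). */
	report("ptrace(PTRACE_ARCH_PRCTL, pid, ARCH_SHSTK_SHSTK, ARCH_SHSTK_DISABLE)",
	       disable_shstk_in_traced_child());
	return 0;
}
```

Build with `gcc -Wall -o shstk_demo shstk_demo.c` and run on the same guest used for fuzzing; on a kernel without CONFIG_X86_USER_SHADOW_STACK every line prints "Invalid argument", on a supporting kernel without the CPU feature the ENABLE line prints "Operation not supported", and only with both does ARCH_SHSTK_STATUS report SHSTK on.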