How could I know syzkaller hit the new syscall by description or test?


Xu, Pengfei
Apr 29, 2023, 9:38:30 PM
to Dmitry Vyukov, syzkaller

Hi Dmitry and syzkaller experts,

Greetings!

I'm interested in syzkaller; it's powerful and great for Linux kernel fuzzing!

I wrote the CET user space SHSTK test "syzkaller/sys/linux/test/cet_user_shstk" and am trying to send it out.
And I tried to use the commands below to make the new test work:

make generate
make

But in my pilot run, I'm not sure whether the new syscall hit was from the new syscall description or from my test "cet_user_shstk".

And I saw Dmitry already merged the CET user space SHSTK syscall descriptions, which seem to be based on the Linux tip repo:

commit b2d646a98ca1a17d263efbd7d19ddb736d376d62
Author: Dmitry Vyukov dvy...@google.com
Date:   Mon Apr 3 07:45:08 2023 +0200

    sys/linux: add description of PTRACE_ARCH_PRCTL

commit 11d0e932eb82ef70289fd831f1196b9594ff50fb
Author: Dmitry Vyukov dvy...@google.com
Date:   Mon Apr 3 07:45:07 2023 +0200

    sys/linux: add map_shadow_stack syscall descriptions

And I saw syzkaller hit the new syscalls below with a user SHSTK host kernel and guest kernel and a user SHSTK supported qemu:

ptrace$ARCH_SHSTK_DISABLE [2891]    4    263     prio
ptrace$ARCH_SHSTK_ENABLE  [2892]    4    241     prio
ptrace$ARCH_SHSTK_LOCK    [2893]    3    2842    prio
ptrace$ARCH_SHSTK_UNLOCK  [2895]    1    95      prio

For example "ptrace$ARCH_SHSTK_DISABLE" -> "159     syz_clone-ptrace$ARCH_SHSTK_DISABLE":

r0 = syz_clone(0x22084080, &(0x7f0000000040), 0x0, 0x0, 0x0, 0x0)
ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002)    // Why is it filling 0x0 in the third parameter? Both the shstk description and the tests will use only 0x1 (ARCH_SHSTK_SHSTK) or 0x2 (ARCH_SHSTK_WRSS). How did it come about?

Actually, in my "cet_user_shstk" test, it should fill in 0x1, not 0x0, for the 3rd argument:

arch_prctl$ARCH_SHSTK_ENABLE(0x5001, 0x1)
r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
ptrace$ARCH_SHSTK_DISABLE(0x1e, r0, 0x1, 0x5002)    // 0x1e: PTRACE_ARCH_PRCTL; it should fill in 0x1: ARCH_SHSTK_SHSTK; 0x5002: ARCH_SHSTK_DISABLE

Even though "ptrace$ARCH_SHSTK_DISABLE" was triggered by the description in "syzkaller/sys/linux/sys.txt":

ptrace$ARCH_SHSTK_DISABLE(req const[PTRACE_ARCH_PRCTL], pid pid, features flags[shadow_stack_features], cmd const[ARCH_SHSTK_DISABLE]) (breaks_returns)

and shadow_stack_features is defined in "syzkaller/sys/linux/prctl.txt":

_ = ARCH_SET_FS
shadow_stack_features = ARCH_SHSTK_SHSTK, ARCH_SHSTK_WRSS    // ARCH_SHSTK_SHSTK: 1, ARCH_SHSTK_WRSS: 2

Thanks!
BR
Pengfei

Xu, Pengfei
Apr 29, 2023, 10:04:47 PM
to Dmitry Vyukov, syzkaller

And I'm surprised that the basic arch_prctl$ARCH_SHSTK_DISABLE/ENABLE syscalls for the parent process could *not* be triggered after 8 hours of syzkaller fuzzing:

arch_prctl$ARCH_SHSTK_DISABLE [50]    0    0    prio
arch_prctl$ARCH_SHSTK_ENABLE  [51]    0    0    prio

I used the filter below in my.cfg to make them work quickly:

        "enable_syscalls": [
                "syz_clone",
                "arch_prctl$ARCH_SHSTK*",
                "ptrace$ARCH_SHSTK*",
                "ptrace$getregset",
                "ptrace$setregset",
                "mmap",
                "map_shadow_stack"
        ],

Here is my test cet_user_shstk file; at first it will do "arch_prctl$ARCH_SHSTK_DISABLE and ENABLE" for the parent process.
This syscall does not depend on any other syscall to work.

# requires: arch=amd64

arch_prctl$ARCH_SHSTK_DISABLE(0x5002, 0x1)
arch_prctl$ARCH_SHSTK_ENABLE(0x5001, 0x1)

Here is the description in "syzkaller/sys/linux/prctl.txt" which is already merged in syzkaller:

arch_prctl$ARCH_SHSTK_ENABLE(cmd const[ARCH_SHSTK_ENABLE], features flags[shadow_stack_features])
arch_prctl$ARCH_SHSTK_DISABLE(cmd const[ARCH_SHSTK_DISABLE], features flags[shadow_stack_features])
shadow_stack_features = ARCH_SHSTK_SHSTK, ARCH_SHSTK_WRSS

Thanks!
BR
Pengfei

Dmitry Vyukov
May 2, 2023, 2:47:54 AM
to Xu, Pengfei, syzkaller
See https://bugzilla.kernel.org/show_bug.cgi?id=198443
I think this code is just not instrumented.

Pengfei Xu
May 2, 2023, 3:34:10 AM
to Dmitry Vyukov, syzkaller
Hi Dmitry,

On 2023-05-02 at 08:47:39 +0200, Dmitry Vyukov wrote:
> See https://bugzilla.kernel.org/show_bug.cgi?id=198443
> I think this code is just not instrumented.
>

Thanks for your issue link and description! Yes, it makes sense.
:)

And for the previous email, there is another interesting behavior:
"ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002)" for
ptrace$ARCH_SHSTK_DISABLE (disable SHSTK for the child process by clone).
Both this syscall description and my new test will fill 1 or 2 (1 for
ARCH_SHSTK_SHSTK and 2 for ARCH_SHSTK_WRSS); there is no 0x0 option, but that syscall
is generated in the corpus, and no 0x1 or 0x2 syscall is generated in the corpus.
It's strange.
Maybe some of the reason is from the BUG also: https://bugzilla.kernel.org/show_bug.cgi?id=198443

Thanks!
BR.

Dmitry Vyukov
May 2, 2023, 4:41:16 AM
to Pengfei Xu, syzkaller
On Tue, 2 May 2023 at 09:34, Pengfei Xu <pengf...@intel.com> wrote:
>
> Hi Dmitry,
>
> On 2023-05-02 at 08:47:39 +0200, Dmitry Vyukov wrote:
> > See https://bugzilla.kernel.org/show_bug.cgi?id=198443
> > I think this code is just not instrumented.
> >
>
> Thanks for your issue link and description! Yes, it makes sense.
> :)
>
> And for the previous email, there is another interesting behavior:
> "ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002)" for
> ptrace$ARCH_SHSTK_DISABLE (disable SHSTK for the child process by clone).
> Both this syscall description and my new test will fill 1 or 2 (1 for
> ARCH_SHSTK_SHSTK and 2 for ARCH_SHSTK_WRSS); there is no 0x0 option, but that syscall
> is generated in the corpus, and no 0x1 or 0x2 syscall is generated in the corpus.
> It's strange.
> Maybe some of the reason is from the BUG also: https://bugzilla.kernel.org/show_bug.cgi?id=198443


Yes, it may likely be the same issue. Without coverage the fuzzer does
not see that 0/1/2 make any difference and chooses 0 as the simplest
value.
I see you contributed to the kernel; please send a patch that enables
coverage for those files and maybe a few other similar ones.
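A small checker for the symptom discussed in this thread, as an added example that is not part of the original thread and not syzkaller's own code: it parses corpus programs in syzlang's textual form (the `r0 = call$variant(...)` lines shown above), tallies the values the fuzzer actually put in a given argument, and flags the case where a flags[...] argument is only ever 0 even though the description allows only non-zero values (ARCH_SHSTK_SHSTK = 1 and ARCH_SHSTK_WRSS = 2 here). That is the pattern Dmitry attributes to missing coverage: with no KCOV feedback the fuzzer has no reason to prefer 0x1 over 0x0, so a corpus containing only zeros for such an argument is a hint to check instrumentation of the kernel file behind the call before suspecting the description. The sample corpus, the table of argument positions and the helper names are this example's own assumptions.

```python
"""Count the values a syzkaller corpus actually used for one argument of a
call family, and flag arguments that are stuck at 0 although the description
only allows non-zero flag values. Added example; the corpus below is
constructed from the excerpts in the thread, not real syz-manager output."""
import re
from collections import Counter

# Constructed sample corpus in syzlang textual form (assumption: one call per
# line, `rN = ` result prefix optional, `#` and `//` start comments).
SAMPLE_CORPUS = """\
r0 = syz_clone(0x22084080, &(0x7f0000000040), 0x0, 0x0, 0x0, 0x0)
ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002)

r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
ptrace$ARCH_SHSTK_ENABLE(0x1e, r0, 0x0, 0x5001)
ptrace$ARCH_SHSTK_DISABLE(0x1e, r0, 0x0, 0x5002)

arch_prctl$ARCH_SHSTK_ENABLE(0x5001, 0x1)
map_shadow_stack(0x0, 0x1000, 0x1)
"""

# Values the description allows for flags[shadow_stack_features], taken from
# the prctl.txt lines quoted in the thread: ARCH_SHSTK_SHSTK=1, ARCH_SHSTK_WRSS=2.
SHADOW_STACK_FEATURES = {0x1, 0x2}

# (call-name prefix, zero-based index of the `features` argument), read off
# the descriptions quoted above: third arg for ptrace$ARCH_SHSTK_*, second for
# arch_prctl$ARCH_SHSTK_*.
FEATURE_ARG_POSITIONS = (("ptrace$ARCH_SHSTK_", 2), ("arch_prctl$ARCH_SHSTK_", 1))

CALL_RE = re.compile(r"^\s*(?:(r\d+)\s*=\s*)?([A-Za-z_][\w$]*)\((.*)\)\s*$")


def split_args(text):
    """Split a syzlang argument list on top-level commas only, so nested
    forms such as &(0x7f0000000040) or {...} stay intact."""
    args, depth, cur = [], 0, []
    for ch in text:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def parse_call(line):
    """Return (result_var_or_None, call_name, [arg, ...]) or None for lines
    that are not calls (blank lines, comments, `# requires:` headers)."""
    line = line.split("//", 1)[0].split("#", 1)[0].rstrip()
    m = CALL_RE.match(line)
    if not m:
        return None
    res, name, args = m.groups()
    return res, name, split_args(args)


def parse_int(tok):
    """Integer value of a literal like 0x5002 or 10; None for result
    references (r0), pointers and other non-integer arguments."""
    try:
        return int(tok, 0)
    except ValueError:
        return None


def arg_histogram(corpus, call_prefix, arg_index):
    """Histogram of the values seen at arg_index across every call whose name
    starts with call_prefix. Non-integer arguments are counted as 'non-int'."""
    hist = Counter()
    for line in corpus.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        _, name, args = parsed
        if not name.startswith(call_prefix) or arg_index >= len(args):
            continue
        val = parse_int(args[arg_index])
        hist[val if val is not None else "non-int"] += 1
    return hist


def stuck_on_zero(hist, allowed):
    """True when the only integer value ever generated is 0 although the
    description permits only the non-zero values in `allowed`: the corpus
    shape this thread traces to the call's kernel code not being instrumented."""
    ints = {v for v in hist if isinstance(v, int)}
    return ints == {0} and 0 not in allowed


def report(corpus):
    """One summary line per call family; the marker is the thing to act on."""
    lines = []
    for prefix, idx in FEATURE_ARG_POSITIONS:
        hist = arg_histogram(corpus, prefix, idx)
        mark = "  <-- only 0 seen: check KCOV instrumentation" if stuck_on_zero(hist, SHADOW_STACK_FEATURES) else ""
        lines.append(f"{prefix}* arg{idx}: {dict(hist)}{mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CORPUS)))
```

Run as-is it reports the sample: the ptrace$ARCH_SHSTK_* features argument is 0 in every program and gets the marker, while arch_prctl$ARCH_SHSTK_ENABLE shows the expected 0x1. For a real run, feed `arg_histogram` the text of the programs from the manager's corpus (for example after unpacking corpus.db with syz-db); a family whose flag argument never leaves 0 after hours of fuzzing is the one whose kernel source file to check for KCOV instrumentation.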

Pengfei Xu
May 2, 2023, 9:03:57 AM
to Dmitry Vyukov, syzkaller
Hi Dmitry,

On 2023-05-02 at 10:40:58 +0200, Dmitry Vyukov wrote:
> On Tue, 2 May 2023 at 09:34, Pengfei Xu <pengf...@intel.com> wrote:
> >
> > Hi Dmitry,
> >
> > On 2023-05-02 at 08:47:39 +0200, Dmitry Vyukov wrote:
> > > See https://bugzilla.kernel.org/show_bug.cgi?id=198443
> > > I think this code is just not instrumented.
> > >
> >
> > Thanks for your issue link and description! Yes, it makes sense.
> > :)
> >
> > And for the previous email, there is another interesting behavior:
> > "ptrace$ARCH_SHSTK_DISABLE(0x10, r0, 0x0, 0x5002)" for
> > ptrace$ARCH_SHSTK_DISABLE (disable SHSTK for the child process by clone).
> > Both this syscall description and my new test will fill 1 or 2 (1 for
> > ARCH_SHSTK_SHSTK and 2 for ARCH_SHSTK_WRSS); there is no 0x0 option, but that syscall
> > is generated in the corpus, and no 0x1 or 0x2 syscall is generated in the corpus.
> > It's strange.
> > Maybe some of the reason is from the BUG also: https://bugzilla.kernel.org/show_bug.cgi?id=198443
>
>
> Yes, it may likely be the same issue. Without coverage the fuzzer does
> not see that 0/1/2 make any difference and chooses 0 as the simplest
> value.
> I see you contributed to the kernel; please send a patch that enables
> coverage for those files and maybe a few other similar ones.
>
Thanks a lot for your explanation! It's clear and makes sense.
Yes, sure, I will send the patch soon. :)

Thanks!
BR.