Fuzzing specific device nodes and ioctl commands?


miles....@gmail.com

Aug 17, 2017, 4:04:40 AM
to syzkaller
Hi,

Since many ioctl commands are hardware-dependent, I would like to customize Syzkaller to fuzz ioctls and simple copy_to_user/copy_from_user vulnerabilities introduced by hardware manufacturers.

Is this the correct way?

1. Use syz-extract to get the "struct define" and "const value" (for fuzzing ioctl only).

2. Add to sys/sys.txt or a new sys/*.txt:
-------------------------------------------------------------
syz_open_dev$SPECIFIC_DEVICE(dev ptr[in, string["/dev/SPECIFIC_DEVICE"]], id intptr, flags flags[open_flags]) fd

ioctl$IOCT_LNAME(xxx)    (for fuzzing ioctl only)
-------------------------------------------------------------

Do I need to manually add the device node path and ioctl command of every device I want to fuzz?

3. Do a clean build of Syzkaller.

4. Add "syz_open_dev$SPECIFIC_DEVICE" and "ioctl$IOCT_LNAME" to enable_syscalls.

Thanks,

Miles

Dmitry Vyukov

Aug 17, 2017, 4:13:32 AM
to Miles Fuzzer, syzkaller
On Thu, Aug 17, 2017 at 10:04 AM, <miles....@gmail.com> wrote:
> Hi,
>
> Since many ioctl commands are hardware-dependent.
> I would like to customize Syzkaller and fuzz ioctl and simple
> copy_to_user/copy_from_user vulnerabilities by hardware manufacturers.
>
> Is this the correct way?
>
> 1.Use sys-extract to get "struct define" and "const value" (for fuzzing
> ioctl only).
>
> 2.Add to sys/sys.txt or a new sys/*.txt:
> -------------------------------------------------------------
> syz_open_dev$SPECIFIC_DEVICE(dev ptr[in, string["/dev/SPECIFIC_DEVICE"]], id
> intptr, flags flags[open_flags]) fd
>
> ioctl$IOCT_LNAME(xxx) (for fuzzing ioctl only)
> -------------------------------------------------------------
>
> Do I need to manually add the device node path and ioctl command of every
> device I want to fuzz?

Yes. See existing sys/*.txt files for examples.

For the rest see:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#describing-new-system-calls

miles....@gmail.com

Aug 18, 2017, 5:27:49 AM
to syzkaller
Hi Dmitry,

Thanks for the explanation!

Another question:
Is it correct that bin/syz-extract only generates the "const" and will not generate the Syzkaller-type struct definition?

That is, I'll need to manually transform:
----------------------------------------------------------
struct xxx {
	unsigned int a;
	unsigned int b;
	unsigned long c;
};
----------------------------------------------------------

into:
----------------------------------------------------------
xxx {
	a int32
	b int32
	c int64
}
----------------------------------------------------------

in my sys/*.txt?
Is that correct, or will some Syzkaller tool do it for me?


Thanks,

Miles

Dmitry Vyukov

Aug 18, 2017, 5:33:29 AM
to Miles Fuzzer, syzkaller, Zubin Mithra
On Fri, Aug 18, 2017 at 11:27 AM, <miles....@gmail.com> wrote:
> Hi Dmitry,
>
> Thanks for the explanation!
>
> Another question:
> Is it correct that bin/syz-extract only generates the "const". It will not
> generate the Syzkaller-type struct define?
>
> That is I'll need to manually transform:
> ----------------------------------------------------------
> struct xxx {
> unsigned int a;
> unsigned int b;
> unsigned long c;
> };
> ----------------------------------------------------------
>
> Into:
> ----------------------------------------------------------
> xxx {
> a int32
> b int32
> c int64
> }
> ----------------------------------------------------------
>
> In my sys/*.txt?
> Is that correct? Or any tool by Syzkaller will do it for me?


Correct.
But note that most likely you need to do not just a mechanical
transformation, but add the necessary semantic info (which is lacking in C
type definitions, making such a transformation impossible). E.g. you can
end up with something like this instead:

xxx {
	a fd
	b flags[xxx_flags, int32]
	c resource_foo
}

miles....@gmail.com

Aug 18, 2017, 9:02:03 AM
to syzkaller
Hi Dmitry,

I'm not sure how syz-extract works to get the const definitions.
Could you briefly explain how it works (e.g. which file it parses to find xxx)?

I'm now playing with Android.
My kernel source directory is kernel-4.4
My kernel image out directory is /android-build/out/target/product/[project]/
I tried the command below, but it does not produce any useful information (the sys/test_arm64.const file is empty):
./bin/syz-extract -arch arm64 -linux "kernel-4.4/" -linuxbld "/android-build/out/target/product/[project]/obj/KERNEL_OBJ/" sys/test.txt

I'm not sure whether I set the "linux" and "linuxbld" parameters correctly.

Thanks,

Miles

Dmitry Vyukov

Aug 18, 2017, 10:06:08 AM
to Miles Fuzzer, syzkaller
On Fri, Aug 18, 2017 at 3:02 PM, <miles....@gmail.com> wrote:
> Hi Dmitry,
>
> I'm not sure how syz-extract works to get const define?
> Could you briefly explain how it works (like parsing which file to find
> xxx)?
>
> I'm now playing with Android.
> My kernel source directory is kernel-4.4
> My kernel image out directory is
> /android-build/out/target/product/[project]/
> I tried the below command but it is not getting some useful information
> (sys/test_arm64.const file is empty):
> ./bin/syz-extract -arch arm64 -linux "kernel-4.4/" -linuxbld
> "/android-build/out/target/product/[project]/obj/KERNEL_OBJ/" sys/test.txt

Try some other file, for example, sys/sys.txt. sys/test.txt does not
contain any constants to extract.

z...@google.com

Aug 25, 2017, 12:46:42 PM
to syzkaller


On Friday, August 18, 2017 at 10:27:49 AM UTC+1, miles....@gmail.com wrote:
> Hi Dmitry,
>
> Thanks for the explanation!
>
> Another question:
> Is it correct that bin/syz-extract only generates the "const". It will not
> generate the Syzkaller-type struct define?
>
> That is I'll need to manually transform:
> ----------------------------------------------------------
> struct xxx {
> unsigned int a;
> unsigned int b;
> unsigned long c;
> };
> ----------------------------------------------------------
>
> Into:
> ----------------------------------------------------------
> xxx {
> a int32
> b int32
> c int64
> }
> ----------------------------------------------------------
>
> In my sys/*.txt?
> Is that correct? Or any tool by Syzkaller will do it for me?


Hi, tools/syz-headerparser [1][2] can be used for partial auto-generation of system call descriptions from struct types.

Hope this helps!

$rik@nth

Aug 25, 2017, 10:38:49 PM
to z...@google.com, syzkaller
Hi zsm,

I have tried the above-mentioned tool on one of the header files and it
showed the stack trace below. Also, the doc [1] says to specify the device
type, but there is no such argument supported by syz-headerparser.

Traceback (most recent call last):
  File "headerparser.py", line 61, in <module>
    main()
  File "headerparser.py", line 51, in main
    loglvl=loglvl, include_lines=include_lines)
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/container.py", line 172, in __init__
    self.load_header_files()
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/container.py", line 205, in load_header_files
    local_hierarchy = struct_walker.generate_local_hierarchy()
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/struct_walker.py", line 249, in generate_local_hierarchy
    self.visit(self.ast)
  File "/usr/local/lib/python2.7/dist-packages/pycparser/c_ast.py", line 120, in visit
    return visitor(node)
  File "/usr/local/lib/python2.7/dist-packages/pycparser/c_ast.py", line 127, in generic_visit
    self.visit(c)
  File "/usr/local/lib/python2.7/dist-packages/pycparser/c_ast.py", line 120, in visit
    return visitor(node)
  File "/usr/local/lib/python2.7/dist-packages/pycparser/c_ast.py", line 127, in generic_visit
    self.visit(c)
  File "/usr/local/lib/python2.7/dist-packages/pycparser/c_ast.py", line 120, in visit
    return visitor(node)
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/struct_walker.py", line 234, in visit_Struct
    desc = self._traverse_ast(node)
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/struct_walker.py", line 222, in _traverse_ast
    item = self._recursive_process_item(child[1], {}, None)
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/struct_walker.py", line 162, in _recursive_process_item
    return self._recursive_process_item(item_ast.type, processed_item, item_ast)
  File "/local/mnt/workspace2/syzkaller-02202017/src/github.com/google/syzkaller/tools/syz-headerparser/headerlib/struct_walker.py", line 197, in _recursive_process_item
    processed_item['array_size'].append(int(item_ast.dim.value))
AttributeError: 'BinaryOp' object has no attribute 'value'

[1] https://github.com/google/syzkaller/blob/master/docs/headerparser_usage.md

--
Thanks & Regards,
M.Srikanth Kumar.

Zubin Mithra

Aug 26, 2017, 3:47:52 AM
to srikan...@gmail.com, syzkaller
Could you share the layout of the structure that you are trying to parse?

The "--device" argument has been deprecated, I'll update the
documentation, thanks for letting me know.
--
- Zubin

$rik@nth

Aug 26, 2017, 3:55:00 AM
to Zubin Mithra, syzkaller
Hi zsm,

Here is the file which I am trying to parse using syz-headerparser:
https://source.codeaurora.org/quic/la/kernel/msm-4.4/tree/include/uapi/linux/qseecom.h?h=rel/msm-4.4.r9

Zubin Mithra

Aug 27, 2017, 8:09:47 AM
to srikanth kumar, syzkaller
On Sat, Aug 26, 2017 at 8:54 AM, $rik@nth <srikan...@gmail.com> wrote:
> Hi zsm,
>
> Here is the file which i am trying to parse using syz-headerparser
> https://source.codeaurora.org/quic/la/kernel/msm-4.4/tree/include/uapi/linux/qseecom.h?h=rel/msm-4.4.r9

Substituting "char digest[SHA256_DIGEST_LENGTH];" with "char digest[32];" and running headerparser as follows should work.

$ python headerparser.py --filenames=test_headers/qseecom.h
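As an added example (not syzkaller's syz-headerparser and not code from anyone in this thread), the script below does the mechanical C-struct-to-syzlang transformation Dmitry describes earlier, takes hand-written overrides for the semantic information (fd, flags, resources) that a C declaration cannot carry, and resolves a macro array size such as SHA256_DIGEST_LENGTH from a constant table instead of editing the header by hand as suggested for qseecom.h. It assumes a 64-bit target (8-byte long); PAGE_STRUCT and DEMO_HASH are constructed inputs, and demo_hash is not a struct from qseecom.h.

```python
import re
C_TO_SYZ = {  # scalar C types -> syzlang types, for a 64-bit kernel (8-byte long)
    "char": "int8", "unsigned char": "int8", "__u8": "int8", "__s8": "int8",
    "short": "int16", "unsigned short": "int16", "__u16": "int16", "__s16": "int16",
    "int": "int32", "unsigned int": "int32", "__u32": "int32", "__s32": "int32",
    "long": "int64", "unsigned long": "int64", "long long": "int64",
    "unsigned long long": "int64", "__u64": "int64", "__s64": "int64",
}
STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
# "<type> <name>;" or "<type> <name>[<dim>];", <dim> being a number or a macro name.
FIELD_RE = re.compile(r"^((?:unsigned\s+)?[A-Za-z_]\w*(?:\s+long)?)\s+(\w+)\s*(?:\[\s*(\w+)\s*\])?\s*;$")
# Constructed inputs: the struct from the thread, and a struct modelled on the
# "char digest[SHA256_DIGEST_LENGTH];" field that tripped syz-headerparser.
PAGE_STRUCT = "struct xxx {\n\tunsigned int a;\n\tunsigned int b;\n\tunsigned long c;\n};"
DEMO_HASH = "struct demo_hash {\n\t__u32 len;\n\tchar digest[SHA256_DIGEST_LENGTH];\n};"

def parse_struct(src):
    # Returns (name, [(ctype, field, dim_or_None), ...]) for the first struct in src;
    # scalars and 1-D arrays only, nested structs/pointers raise ValueError.
    m = STRUCT_RE.search(src)
    if not m:
        raise ValueError("no struct definition found")
    fields = []
    for line in filter(None, (ln.strip() for ln in m.group(2).splitlines())):
        fm = FIELD_RE.match(line)
        if not fm:
            raise ValueError("unsupported field: " + line)
        fields.append((" ".join(fm.group(1).split()), fm.group(2), fm.group(3)))
    return m.group(1), fields

def to_syzlang(src, overrides=None, consts=None):
    # overrides: field -> hand-written syzlang type (fd, flags[...], a resource), the
    # semantics C cannot express; consts: macro -> value for symbolic array sizes.
    overrides, consts = overrides or {}, consts or {}
    name, fields = parse_struct(src)
    out = [name + " {"]
    for ctype, field, dim in fields:
        if field in overrides:
            typ = overrides[field]
        elif dim is None:
            typ = C_TO_SYZ[ctype]  # KeyError here means an unmapped C type
        else:
            if not dim.isdigit():
                if dim not in consts:
                    raise KeyError("array size %s is a macro; pass its value in consts" % dim)
                dim = str(consts[dim])
            typ = "array[%s, %s]" % (C_TO_SYZ[ctype], dim)
        out.append("\t%s\t%s" % (field, typ))
    out.append("}")
    return "\n".join(out)
```

Calling to_syzlang(PAGE_STRUCT, overrides={"a": "fd", "b": "flags[xxx_flags, int32]", "c": "resource_foo"}) yields the annotated description Dmitry shows, and to_syzlang(DEMO_HASH, consts={"SHA256_DIGEST_LENGTH": 32}) turns the digest field into array[int8, 32] without touching the header.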