[Question] Trouble fuzzing the Trusty IPC interface with Syzkaller


Swapnil Dey

Dec 15, 2025, 2:58:00 AM
to syzkaller
Hi,
I was trying to play around with fuzzing the Trusty IPC interface with Syzkaller as part of my research. However, I am facing errors upon running Syzkaller.

From the documentation (https://github.com/google/syzkaller/tree/master/docs/trusty),

Building Trusty
mkdir trusty; cd trusty
repo init -u https://android.googlesource.com/trusty/manifest -b master
repo sync -j32
source trusty/vendor/google/aosp/scripts/envsetup.sh
make -j32 generic-arm64
# Build Trusty and qemu images:
trusty/vendor/google/aosp/scripts/build.py qemu-generic-arm64-test-debug
# Create qemu-comb.dtb:
KERNEL_DIR=$KERNEL build-root/build-qemu-generic-arm64-test-debug/run-qemu


I think "run-qemu" has been replaced by just "run". I was able to build the Trusty and qemu images successfully.

I did the following:
KERNEL_DIR=$KERNEL build-root/build-qemu-generic-arm64-test-debug/run

But, it generated tos_fw_config.dtb instead of qemu-comb.dtb.

This is my Trusty config file:
{
  "name": "trusty",
  "target": "linux/arm64",
  "http": ":10000",
  "workdir": "/workdir",
  "kernel_obj": "$KERNEL",
  "syzkaller": "$SYZKALLER",
  "image": "$BUILDROOT/output/images/rootfs.ext4",
  "sshkey": "$BUILDROOT/key",
  "cover": false,
  "procs": 4,
  "type": "qemu",
  "vm": {
    "count": 4,
    "cpu": 1,
    "mem": 1024,
    "qemu": "$TRUSTY/build-root/build-qemu-generic-arm64-test-debug/qemu-build/bin/qemu-system-aarch64",
    "qemu_args": "-machine virt,secure=on,virtualization=on -cpu cortex-a57 -bios $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/bl1.bin -d unimp -semihosting-config enable,target=native -no-acpi -dtb $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/tos_fw_config.dtb",
    "cmdline": "androidboot.hardware=qemu_trusty console=ttyAMA0,38400 root=/dev/vda",
    "kernel": "$KERNEL/arch/arm64/boot/Image"
  },
  "enable_syscalls": [
    "openat$trusty*",
    "write$trusty*",
    "read",
    "ioctl$TIPC_IOC_CONNECT*",
    "ppoll",
    "dup3",
    "tkill",
    "gettid",
    "close"
  ]
}

Finally, upon running the syzmanager with this config, it produces the following error:

2025/12/10 01:54:49 serving rpc on tcp://34351
2025/12/10 01:54:49 serving http on http://:10000
2025/12/10 01:54:50 skipped 23 seeds
2025/12/10 01:54:54 VM 0: crash: failed to read from qemu: EOF
2025/12/10 01:54:54 VM 0: crash: failed to read from qemu: EOF
2025/12/10 01:54:54 VM 0: crash: failed to read from qemu: EOF

Can you tell me what I am doing wrong? I followed the doc step by step. Please feel free to help me out. Thank you!

Best,
Swapnil 

Aleksandr Nogikh

Dec 15, 2025, 8:55:41 PM
to Swapnil Dey, syzkaller
Hi Swapnil,
It looks like qemu is refusing to start, possibly due to invalid
arguments. You could try running syzkaller with `-debug` to see the
exact arguments it passed to the qemu process and then try running
qemu yourself; this might help spot the error(s).

--
Aleksandr
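Following the suggestion in the reply above, the script below is an added example (not from either message in this thread and not syzkaller's own code) of launching qemu by hand with the paths and `qemu_args` from the posted config, so that qemu's own error message is captured instead of syz-manager's "failed to read from qemu: EOF". It assumes `TRUSTY`, `KERNEL` and `BUILDROOT` are exported as in the post (the `$HOME/...` defaults are placeholders). The arguments beyond the posted `qemu_args` (`-kernel`, `-append`, `-drive`, `-m`, `-smp`, `-nographic`) are my assumption about what syz-manager adds for a `qemu` VM and should be compared with the command line that `syz-manager -debug` logs. The `preflight` step exists because qemu exits immediately on a bad `-bios`, `-dtb`, `-kernel` or `-drive` path; the `-dtb` path is taken verbatim from the config, so it will be reported if the build produced the file under another name.

```shell
#!/bin/sh
# Added example, not code from the thread or from syzkaller: launch qemu by
# hand with the arguments from the posted config so that qemu's own error
# message is visible instead of syz-manager's "failed to read from qemu: EOF".
# TRUSTY, KERNEL and BUILDROOT are assumed to be exported as in the post;
# the defaults below are placeholders.

TRUSTY="${TRUSTY:-$HOME/trusty}"
KERNEL="${KERNEL:-$HOME/linux}"
BUILDROOT="${BUILDROOT:-$HOME/buildroot}"
BUILD="$TRUSTY/build-root/build-qemu-generic-arm64-test-debug"

QEMU_BIN="$BUILD/qemu-build/bin/qemu-system-aarch64"
BL1="$BUILD/atf/qemu/debug/bl1.bin"
DTB="$BUILD/atf/qemu/debug/tos_fw_config.dtb"
IMAGE="$KERNEL/arch/arm64/boot/Image"
ROOTFS="$BUILDROOT/output/images/rootfs.ext4"

# preflight FILE...: print every path that does not exist and fail if any
# is missing. A wrong -bios/-dtb/-kernel/-drive path makes qemu exit at
# once, which syz-manager sees only as EOF on the console pipe.
preflight() {
    missing=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# qemu_args: print the qemu argument list one argument per line. The first
# part is the posted vm.qemu_args verbatim; -kernel/-append/-drive/-m/-smp/
# -nographic are assumed to match what syz-manager adds for a "qemu" VM and
# should be checked against the command line that `syz-manager -debug` logs.
qemu_args() {
    cat <<EOF
-machine
virt,secure=on,virtualization=on
-cpu
cortex-a57
-bios
$BL1
-d
unimp
-semihosting-config
enable,target=native
-no-acpi
-dtb
$DTB
-kernel
$IMAGE
-append
androidboot.hardware=qemu_trusty console=ttyAMA0,38400 root=/dev/vda
-drive
file=$ROOTFS,format=raw,if=virtio
-m
1024
-smp
1
-nographic
EOF
}

# run_qemu [LOGFILE]: run preflight, then start qemu once under a timeout
# with stderr saved. Exit status 124 means qemu stayed up for the whole
# minute (it started); any other non-zero status within seconds, together
# with the message in LOGFILE, is the refusal that syz-manager reports as EOF.
run_qemu() {
    preflight "$QEMU_BIN" "$BL1" "$DTB" "$IMAGE" "$ROOTFS" || return 1
    log="${1:-qemu-manual.log}"
    # Rebuild argv from qemu_args so the list launched is exactly the one
    # printed for comparison; the -append value keeps its spaces this way.
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(qemu_args)
EOF
    timeout 60 "$QEMU_BIN" "$@" 2>"$log"
    rc=$?
    echo "qemu exit status: $rc (stderr saved in $log)" >&2
    return $rc
}

case "${1:-}" in
    args) qemu_args ;;
    run)  run_qemu "${2:-qemu-manual.log}" ;;
esac
```

Usage: `sh qemu-manual.sh args` prints the argument list to diff against the `-debug` output, and `sh qemu-manual.sh run` runs the preflight and then qemu itself, leaving the serial console on the terminal and qemu's stderr in `qemu-manual.log`.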