trying to fuzz /dev/binder

[r.ky...@gmail.com]

Hi!

I have trying to fuzz /dev/binder in qemu, linux kernel is 4.6.7 x86_64.

I use qemu with gdb server enabled.

In gdb I have 2 breakpoints: binder_open and binder_ioctl

In .cfg file I enable same 2 syscalls:

"enable_syscalls": ["openat$binder", "ioctl$BINDER_WRITE_READ"]

After I run syz-manager, binder_open is breaks into gdb and this is OK.

binder_ioctl breakpoint is not raising ever!

and i see many binder_mmap calls.

Can I disable binder_mmap calls, and why binder_ioctl is not calls?

Thanks.

Here is my binder.txt file in syzkaller/sys:

include <uapi/linux/android/binder.h>

resource fd_binder[fd]

openat$binder(fd const[AT_FDCWD], file ptr[in, string["/dev/binder"]], flags flags[open_flags], mode const[0]) fd_binder

ioctl$BINDER_WRITE_READ(fd fd_binder, cmd const[BINDER_WRITE_READ], arg ptr[in, binder_write_read])

binder_write_read {

write_size int64

write_consumed int64

write_buffer int64

read_size int64

read_consumed int64

read_buffer int64

} 

[Dmitry Vyukov]

On Fri, Jul 14, 2017 at 11:11 AM, <r.ky...@gmail.com> wrote:
>
> Hi!
>
> I have trying to fuzz /dev/binder in qemu, linux kernel is 4.6.7 x86_64.
>
> I use qemu with gdb server enabled.
> In gdb I have 2 breakpoints: binder_open and binder_ioctl
>
> In .cfg file I enable same 2 syscalls:
>
> "enable_syscalls": ["openat$binder", "ioctl$BINDER_WRITE_READ"]
>
> After I run syz-manager, binder_open is breaks into gdb and this is OK.
> binder_ioctl breakpoint is not raising ever!
> and i see many binder_mmap calls.
>
> Can I disable binder_mmap calls, and why binder_ioctl is not calls?

Hi,

binder_mmap come from mmap. Mmap is always enabled because syzkaller
uses it to allocate memory. It's not harmful, even useful -- more
coverage for binder code. So let's put it aside.

Re ioctl. I suspect it's becaue fuzzer does not have permissions to do
the ioctl. Try to set "sandbox": "none" manager config parameter.

Do you mind contributing this description to syzkaller later?

> Thanks.
>
> Here is my binder.txt file in syzkaller/sys:
>
> include <uapi/linux/android/binder.h>
>
> resource fd_binder[fd]
>
> openat$binder(fd const[AT_FDCWD], file ptr[in, string["/dev/binder"]], flags flags[open_flags], mode const[0]) fd_binder
>
> ioctl$BINDER_WRITE_READ(fd fd_binder, cmd const[BINDER_WRITE_READ], arg ptr[in, binder_write_read])
>
> binder_write_read {
> write_size int64
> write_consumed int64
> write_buffer int64
>
> read_size int64
> read_consumed int64
> read_buffer int64
> }
>

> --

[r.ky...@gmail.com]

Re ioctl. I suspect it's becaue fuzzer does not have permissions to do
the ioctl. Try to set "sandbox": "none" manager config parameter.

tried "sandbox":"none" with no luck. selinux disabled.

I check permissions with the sample, binder_ioctl reached.

Definitions is same as syzkaller/binder_amd64.const:

#include <fcntl.h>

#define BINDER_WRITE_READ  3224396289

#define __NR_ioctl 16

#define __NR_openat 257

int main(void) {

char buf[1024];

int fd;

fd = syscall(__NR_openat, AT_FDCWD, "/dev/binder", O_RDWR);

if(fd < 0) {

printf("error\n");

}

syscall(__NR_ioctl, fd, BINDER_WRITE_READ, buf);

return 0;

}

[Dmitry Vyukov]

On Fri, Jul 14, 2017 at 1:05 PM, <r.ky...@gmail.com> wrote:
>> Re ioctl. I suspect it's becaue fuzzer does not have permissions to do
>> the ioctl. Try to set "sandbox": "none" manager config parameter.
>
>
> tried "sandbox":"none" with no luck. selinux disabled.
>
> I check permissions with the sample, binder_ioctl reached.
> Definitions is same as syzkaller/binder_amd64.const:

Then dunno. Try to set breakpoints/add printf earlier in the code
(starting from ioctl syscall). On maybe look at the code coverage on
the manager web page and check what it reaches and where it stops.

> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Billy Lau]

You did not check whether or not the return value from ioctl call is successful or not. Or are you using strace to trace your execution to verify?

Other points:

Dmitry is right in that binder_mmap actually helps your case.

I have tried fuzzing binder myself some time earlier to test out my binder descriptions. But I am facing maybe similar issues in that I don't get coverage from the manager web page, and that it always end up in some time out. I haven't had the time to dig deeper into that yet so far.

- billy

[Andrey Konovalov]

On Fri, Jul 14, 2017 at 1:14 PM, 'Dmitry Vyukov' via syzkaller
<syzk...@googlegroups.com> wrote:
> On Fri, Jul 14, 2017 at 1:05 PM, <r.ky...@gmail.com> wrote:
>>> Re ioctl. I suspect it's becaue fuzzer does not have permissions to do
>>> the ioctl. Try to set "sandbox": "none" manager config parameter.
>>
>>
>> tried "sandbox":"none" with no luck. selinux disabled.
>>
>> I check permissions with the sample, binder_ioctl reached.
>> Definitions is same as syzkaller/binder_amd64.const:
>
> Then dunno. Try to set breakpoints/add printf earlier in the code
> (starting from ioctl syscall). On maybe look at the code coverage on
> the manager web page and check what it reaches and where it stops.

I can also recommend to try manually running (via syz-execprog) the
syzkaller program that is supposed to trigger that ioctl and see when
and why it bails out from the kernel on the path to that ioctl. Either
by adding debug printfs to the kernel code or by using perftools.

[r.ky...@gmail.com]

I solved this.

It was "disabling transitively unsupported syscall"

I found this by started syz-manager with -debug=1

There was old sys/sys_amd64.so with wrong syscall description.

'make generate' helped