Hi Kyle,
You know about a specific bug in the kernel and you want syzkaller to
discover it, right?
I'm not sure there's any straightforward solution. Some ideas off the
top of my head are:
1. Just let it run for some more time. Fuzzing is a randomized
process, so you may be just not giving syzkaller enough time to reach
the right code path. Also, if it is e.g. the result of some race
condition, the chances of hitting it are even lower.
2. It may be true that the descriptions are just not good enough. The
best you can do here is to explore the "coverage" page and see how
close syzkaller manages to get to the code you're interested in. This
might give you an idea about what's wrong with the descriptions.
3. Make sure that the target code path can be triggered by syzkaller
at all - e.g. if it's some device driver, it may never reach it
without the actual device connected.
4. You can write a program that reaches the needed code path and give
it to syzkaller as a seed (put it in the sys/linux/tests folder). You
can use tools/syz-execprog with the -coverfile flag to check whether
the program you wrote actually does what it was expected to.
5. You can use the coverage filter to let syzkaller focus more on the
files/functions you're interested in. See
https://github.com/google/syzkaller/blob/master/pkg/mgrconfig/config.go#L125
> but syz-sysgen starts complaining about "unused types" etc.
You can try to comment out this line
(https://github.com/google/syzkaller/blob/master/sys/syz-sysgen/sysgen.go#L145),
it should help.
--
Best Regards,
Aleksandr
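An added illustration of items 3 and 5 above (this is not part of Aleksandr's message or of the syzkaller repository): a manager config that narrows fuzzing to one subsystem by restricting the enabled syscalls and by setting a coverage filter. All paths, the syscall list and the file/function patterns are placeholders for whatever your target is; the key names ("enable_syscalls", "cover_filter" with "files" and "functions") are assumed from pkg/mgrconfig/config.go and should be checked against the linked file for the syzkaller revision you run.

```json
{
  "target": "linux/amd64",
  "http": "127.0.0.1:56741",
  "workdir": "/home/user/syzkaller/workdir",
  "kernel_obj": "/home/user/linux",
  "image": "/home/user/image/bullseye.img",
  "sshkey": "/home/user/image/bullseye.id_rsa",
  "syzkaller": "/home/user/syzkaller",
  "procs": 4,
  "type": "qemu",
  "vm": {
    "count": 2,
    "kernel": "/home/user/linux/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 2048
  },
  "enable_syscalls": [
    "socket$inet_tcp",
    "setsockopt$inet_tcp*",
    "sendto$inet",
    "recvfrom$inet",
    "close"
  ],
  "cover_filter": {
    "files": ["^net/ipv4/tcp_"],
    "functions": ["^tcp_sendmsg$", "^tcp_recvmsg$"]
  }
}
```

Two caveats a practitioner will want: "kernel_obj" must point at a build with vmlinux present, because the filter maps file and function names to PCs through the kernel symbols, and the filter only changes what syzkaller rewards, not what it can reach; if no enabled syscall description leads into the listed files (item 3), the filter alone will not get you there, and the "coverage" page from item 2 is the quickest way to see whether it does.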