Re: Questions on Linux Kernel - Qualcomm IPC Router
22 views
Skip to first unread message
Dmitry Vyukov
Jun 12, 2020, 3:11:20 AM6/12/20
to Necip Yildiran, syzkaller, handeh...@noogler.google.com
On Fri, Jun 12, 2020 at 8:34 AM Necip Yildiran <ne...@noogler.google.com> wrote:
>
> Good Morning!
>
> I have a few questions regarding linux kernel code, specifically about qualcomm IPC router. If the answers are not trivial, we can delay the discussion to our meeting today.
>
> Q1: In the list, Qualcomm IPC Router link is to a specific line at /net/qrtr/tun.c, where qrtr_tun_ops is defined. I believe it is because file_operations struct is used as an interface and this definition is a good hint to understand what functions to fuzz (i.e., focus on open, poll, read_iter, write_iter, release). Also, for the fuzzing point of view, I should be focusing on how the networking goes with this common interface instead of how it is implemented for Qualcomm IPC Router. Do these interpretations look accurate to you?
+syzkaller mailing list as it may be useful for other people adding
descriptions and for future reference
+Hande FYI
Hi Necip,
Yes, file_operations, if present, is always something to look for.
Open and poll callbacks may be not so interesting, but ioctl, write,
mmap are always interesting.
There are other types of such "anchor entry points". E.g. for netlink
it would be netlink argument policy definition and command list.
What exactly do you mean by "networking"?
Internal implementation details that do not affect the interface are
not very interesting for us.
Interfaces (with userspace and any remote parties, if present and
accessible) is what we are usually interested in.
> Q2: What would be a good resource to understand how this interface is used (i.e., typical scenarios)?
Well, there is no general answer for all subsystems. Sometimes there
is nothing besides the source code :) What may help:
- searching internet for the subsystem name and/or some unique constants
- grepping Documentation/ dir in the kernel
- searching tools/testing/ dir in the kernel
- looking for large comment blocks in the source code
- finding commit that added it via git blame/log and reading the
commit description
> Thanks in advance!
> Best regards,
> Necip
>
> Good Morning!
>
> I have a few questions regarding linux kernel code, specifically about qualcomm IPC router. If the answers are not trivial, we can delay the discussion to our meeting today.
>
> Q1: In the list, Qualcomm IPC Router link is to a specific line at /net/qrtr/tun.c, where qrtr_tun_ops is defined. I believe it is because file_operations struct is used as an interface and this definition is a good hint to understand what functions to fuzz (i.e., focus on open, poll, read_iter, write_iter, release). Also, for the fuzzing point of view, I should be focusing on how the networking goes with this common interface instead of how it is implemented for Qualcomm IPC Router. Do these interpretations look accurate to you?
+syzkaller mailing list as it may be useful for other people adding
descriptions and for future reference
+Hande FYI
Hi Necip,
Yes, file_operations, if present, is always something to look for.
Open and poll callbacks may be not so interesting, but ioctl, write,
mmap are always interesting.
There are other types of such "anchor entry points". E.g. for netlink
it would be netlink argument policy definition and command list.
What exactly do you mean by "networking"?
Internal implementation details that do not affect the interface are
not very interesting for us.
Interfaces (with userspace and any remote parties, if present and
accessible) is what we are usually interested in.
> Q2: What would be a good resource to understand how this interface is used (i.e., typical scenarios)?
Well, there is no general answer for all subsystems. Sometimes there
is nothing besides the source code :) What may help:
- searching internet for the subsystem name and/or some unique constants
- grepping Documentation/ dir in the kernel
- searching tools/testing/ dir in the kernel
- looking for large comment blocks in the source code
- finding commit that added it via git blame/log and reading the
commit description
> Thanks in advance!
> Best regards,
> Necip
Andrey Konovalov
Jun 12, 2020, 8:49:59 AM6/12/20
to Dmitry Vyukov, Necip Yildiran, syzkaller, Nazime Harputluoglu
- Reading source code of or tracing libraries or applications that are
known to use this interface.
I've added all this to:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#describing-new-system-calls
>
> > Thanks in advance!
> > Best regards,
> > Necip
>
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/CACT4Y%2Ba%2BvXxM5NHpFWj_rA9Yh7gxnfwRwkfW3KFik3bd3GeU_w%40mail.gmail.com.
Necip Yildiran
Jun 15, 2020, 4:04:29 AM6/15/20
to Andrey Konovalov, Dmitry Vyukov, syzkaller, Nazime Harputluoglu
Thanks for the answers!
I was trying to build the linux kernel, such that, CONFIG_QRTR and CONFIG_QRTR_TUN are set so that I can use it to fuzz qrtr and also compile/run some sample qrtr code.
I used syzbot config as it seemed to enable these options together with many others. However, when I run make olddefconfig as suggested, qrtr options disappear in the .config file. My understanding was that this was not supposed to happen.
What is the reason behind this, and how could I obtain a valid config file with qrtr options set?
Thanks for your kind help in advance.
Dmitry Vyukov
Jun 15, 2020, 4:10:55 AM6/15/20
to Necip Yildiran, Andrey Konovalov, syzkaller, Nazime Harputluoglu
On Mon, Jun 15, 2020 at 10:04 AM Necip Yildiran
<ne...@noogler.google.com> wrote:
>
> Thanks for the answers!
>
> I was trying to build the linux kernel, such that, CONFIG_QRTR and CONFIG_QRTR_TUN are set so that I can use it to fuzz qrtr and also compile/run some sample qrtr code.
>
> I used syzbot config as it seemed to enable these options together with many others. However, when I run make olddefconfig as suggested, qrtr options disappear in the .config file. My understanding was that this was not supposed to happen.
>
> What is the reason behind this, and how could I obtain a valid config file with qrtr options set?
>
> Thanks for your kind help in advance.
Humm... you may have a kernel source code version that does not have QRTR.
<ne...@noogler.google.com> wrote:
>
> Thanks for the answers!
>
> I was trying to build the linux kernel, such that, CONFIG_QRTR and CONFIG_QRTR_TUN are set so that I can use it to fuzz qrtr and also compile/run some sample qrtr code.
>
> I used syzbot config as it seemed to enable these options together with many others. However, when I run make olddefconfig as suggested, qrtr options disappear in the .config file. My understanding was that this was not supposed to happen.
>
> What is the reason behind this, and how could I obtain a valid config file with qrtr options set?
>
> Thanks for your kind help in advance.
Is it already in the Linus tree? If not, then you may use:
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
(master branch), though linux-next is sometimes broken.
If you have it, try to run 'make menuconfig'. Then press "/" and enter "QRTR".
It shows all dependencies of these configs, if one of the dependencies
is not enabled, then QRTR can't be enabled.
Then you can press 1/2/3, go to the option and enable it. If
menuconfig does not allow you to enable it, then olddefconfig will
disable it as well.
│ Symbol: QRTR [=n]
│
│ Type : tristate
│
│ Defined at net/qrtr/Kconfig:5
│
│ Prompt: Qualcomm IPC Router support
│
│ Depends on: NET [=y] && (ARCH_QCOM || COMPILE_TEST [=n])
│
│ Location:
│
│ -> Networking support (NET [=y])
│
│ (1) -> Networking options
│
│
│
│
│
│ Symbol: QRTR_SMD [=n]
│
│ Type : tristate
│
│ Defined at net/qrtr/Kconfig:18
│
│ Prompt: SMD IPC Router channels
│
│ Depends on: NET [=y] && QRTR [=n] && (RPMSG [=n] || COMPILE_TEST
[=n] && RPMSG [=n]=n)
│
│ Location:
│
│ -> Networking support (NET [=y])
│
│ (2) -> Networking options
│
│ -> Qualcomm IPC Router support (QRTR [=n])
│
│
│
│
│
│ Symbol: QRTR_TUN [=n]
│
│ Type : tristate
│
│ Defined at net/qrtr/Kconfig:25
│
│ Prompt: TUN device for Qualcomm IPC Router
│
│ Depends on: NET [=y] && QRTR [=n]
│
│ Location:
│
│ -> Networking support (NET [=y])
│
│ (3) -> Networking options
│
│ -> Qualcomm IPC Router support (QRTR [=n])
Necip Yildiran
Jun 16, 2020, 4:34:28 AM6/16/20
to Dmitry Vyukov, Andrey Konovalov, syzkaller, Nazime Harputluoglu
Thanks for the answer!
Using Linus tree, the QRTR options were preserved within the .config file after make olddefconfig. Menuconfig also reflected that the dependencies were enabled.
However, I am experiencing another issue, as I believe, it might be due to the missing header files.
Building the kernel, I try to compile a C code using gcc with "linux/qrtr.h" included, which gives me the following compilation error (trying to include "uapi/linux/qrtr.h" fails the same way):
test.c:9:29: fatal error: linux/qrtr.h: No such file or directory
#include <linux/qrtr.h>I tried running make headers_install before creating the Debian Stretch Linux image, which didn't help.
Here is what I got when I search for files with name qrtr included in it:
root@syzkaller:/# find . -name "*qrtr*"
./dev/qrtr-tun
./sys/kernel/debug/tracing/events/qrtr
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_service_announce_new
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_service_announce_del
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_server_add
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_message
./sys/class/misc/qrtr-tun
./sys/devices/virtual/misc/qrtr-tun
./dev/qrtr-tun
./sys/kernel/debug/tracing/events/qrtr
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_service_announce_new
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_service_announce_del
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_server_add
./sys/kernel/debug/tracing/events/qrtr/qrtr_ns_message
./sys/class/misc/qrtr-tun
./sys/devices/virtual/misc/qrtr-tun
Also, the qrtr related lines printed while building the kernel is as follows:
cat build_log.txt | grep "qrtr" -i
CC net/qrtr/qrtr.o
CC net/qrtr/ns.o
CC net/qrtr/tun.o
AR net/qrtr/built-in.a
CC net/qrtr/qrtr.o
CC net/qrtr/ns.o
CC net/qrtr/tun.o
AR net/qrtr/built-in.a
Do you have any idea on what might be the reason behind this issue?
Thanks in advance for your kind help!
Dmitry Vyukov
Jun 16, 2020, 6:37:39 AM6/16/20
to Necip Yildiran, Andrey Konovalov, syzkaller, Nazime Harputluoglu
This was answered offline. FTR, in short, things to try:
- add -I flag to gcc
- copy kernel headers to the VM and install there
- copy-paste header contents into the test program
On Tue, Jun 16, 2020 at 10:34 AM Necip Yildiran
- add -I flag to gcc
- copy kernel headers to the VM and install there
- copy-paste header contents into the test program
On Tue, Jun 16, 2020 at 10:34 AM Necip Yildiran
Reply all
Reply to author
Forward
0 new messages