How to set one PoC file as the fuzzing corpus?

[慕冬亮]

Hi Dmitry,

I would like to conduct a simple experiment to fuzz the patched kernel
with the original PoC, and see if syzkaller can find any further bug
around the patch. From my code review, I only find the corpus is
created from preloadCorpus and the seeds are from sys/linux/test. Can
I modify this folder to load my own PoC file to achieve this goal? Or
there is more suitable and easier way to perform this experiment?

--
My best regards to you.

No System Is Safe!
Dongliang Mu

[Dmitry Vyukov]

On Tue, May 4, 2021 at 4:13 PM 慕冬亮 <mudongl...@gmail.com> wrote:
>
> Hi Dmitry,
>
> I would like to conduct a simple experiment to fuzz the patched kernel
> with the original PoC, and see if syzkaller can find any further bug
> around the patch. From my code review, I only find the corpus is
> created from preloadCorpus and the seeds are from sys/linux/test. Can
> I modify this folder to load my own PoC file to achieve this goal? Or
> there is more suitable and easier way to perform this experiment?

Hi Dongliang,

Yes, you can commit the test into sys/linux/text, or you can use syz-db:
https://github.com/google/syzkaller/blob/master/tools/syz-db/syz-db.go
it can pack and unpack corpus.db into individual programs.

[慕冬亮]

For syz-db, if I understand correctly, I can use syz-pack my PoC file
into a corpus file.
Then I can feed it with workdir configuration option so that syzkaller
will only use this db file to fuzz the specified Linux kernel, right?

Thanks,
Dongliang Mu

[Dmitry Vyukov]

Yes, you can create corpus.db with 1 given program using "syz-db pack
/dir/with/the/program workdir/corpus.db".

[慕冬亮]

That's great. Thanks very much.