Can't reproduce crash using syz-execprog


xfran...@gmail.com

Sep 27, 2017, 3:23:42 AM
to syzkaller
Hi All,
I am using syzkaller to fuzz drivers.
I have created some driver-specific syscalls and enabled them in the config file.
The "reproduce" option in the config file is set to "false", because I think the repro work takes way too much time.
The "procs" option is set to 1, to eliminate the possibility of contention.

After some fuzzing, we successfully found lots of crashes, including more than 20 phone panics.

But when trying to reproduce the panics using the following command, none of the panic logs rebooted the phone:
./syz-execprog -executor=./syz-executor -threaded=0 -collide=0 -repeat=1000 -procs=1 -cover=1 panic-log

Removing " -threaded=0 -collide=0 " didn't work either.

I changed "-cover" to "0" and ran the command on a phone without kcov enabled; all failed again.

So,
how do I reproduce the crashes and get a 'PoC' from these logs?

Thanks.

Dmitry Vyukov

Sep 27, 2017, 5:28:05 AM
to xfran...@gmail.com, syzkaller
Hi,

Make sure the value of the -sandbox flag matches the value specified in the manager
config file ("setuid" by default).
Don't pass -threaded=0 -collide=0; the fuzzer always uses threaded mode.
Set -repeat to 0 (infinite).
Make sure you use the same kernel and run syz-execprog as root.

This should reproduce most crashes.
Some may still be non-reproducible. There are multiple reasons for
that. The kernel constantly accumulates state, and that state can be different
when you run syz-execprog. Some bugs are subtle races and can be hard
to reproduce. There is no magic here.
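As an added example (not code from the thread or from the syzkaller project), the following POSIX shell helper reads the "sandbox" setting out of a syz-manager config and assembles the syz-execprog command line with the flags the reply lists, so that the reproduction run uses the same sandbox as the fuzzer, leaves -threaded/-collide at their defaults, and loops forever with -repeat=0. The sample config contents, file paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a syz-execprog reproduction command that matches the
# syz-manager config. Not part of syzkaller; paths and names are assumptions.

# Constructed sample syz-manager config (illustration only, not from the thread).
write_sample_config() {
    cat > "$1" <<'EOF'
{
    "target": "linux/arm64",
    "workdir": "/root/syzkaller/workdir",
    "sandbox": "none",
    "procs": 1,
    "reproduce": false
}
EOF
}

# Extract the "sandbox" value from a manager config file.
# Falls back to "setuid", which is the syz-manager default mentioned in the reply.
config_sandbox() {
    sb=$(sed -n 's/.*"sandbox"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1)
    printf '%s' "${sb:-setuid}"
}

# Assemble the syz-execprog command line for a crash log.
# -repeat=0 runs the program indefinitely; -threaded and -collide are not
# overridden because the fuzzer itself always runs in threaded mode.
# $3 is the -cover value: use 0 on a kernel built without kcov.
build_execprog_cmd() {
    cfg=$1; log=$2; cover=${3:-1}
    printf './syz-execprog -executor=./syz-executor -sandbox=%s -repeat=0 -procs=1 -cover=%s %s' \
        "$(config_sandbox "$cfg")" "$cover" "$log"
}

# syz-execprog must run as root for the sandbox setup to work; check before running.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Usage on a device: write or copy the manager config, then run the built command
#   cfg=/root/syzkaller/my.cfg
#   require_root && eval "$(build_execprog_cmd "$cfg" panic-log 1)"
```

The check for root and the sandbox lookup are the two mistakes the reply calls out most directly; the kernel version still has to be verified by hand against the one the fuzzer ran on.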

xfran...@gmail.com

Sep 30, 2017, 3:42:12 AM
to syzkaller
Hi Dmitry,
Thanks for your reply.
I tried your suggestions, with -repeat=10000, but still failed to reproduce a single panic!
:(


On Wednesday, September 27, 2017 at 5:28:05 PM UTC+8, Dmitry Vyukov wrote:

Dmitry Vyukov

Sep 30, 2017, 5:22:59 AM
to xfran...@gmail.com, syzkaller
On Sat, Sep 30, 2017 at 9:42 AM, <xfran...@gmail.com> wrote:
> Hi Dmitry,
> Thanks for your reply.
> I tried your suggestions, with -repeat=10000, but still failed to reproduce
> a single panic!
> :(


Well, I can only say that syz-execprog executes programs exactly the
way fuzzer does (provided that all flags are set correctly).