Re: how to exclude syscalls in syzkaller


Dmitry Vyukov

Dec 23, 2015, 10:24:47 AM12/23/15
to Xin Long, syzkaller
On Wed, Dec 23, 2015 at 2:43 PM, Xin Long <lucie...@gmail.com> wrote:
> Hi Dmitry:
>
> I built syzkaller, but every time I run it, all the syscalls
> are tested, even though I configure disable_syscalls or enable_syscalls
> in my.cfg.
> "disable_syscalls": [
> "alarm",
> "bpf",
> "capget",
> "capset",
> "chmod",
> "chown",
> "clock_adjtime",
> "clock_getres",
> "clock_gettime",
> "clock_nanosleep",
> "clock_settime",
> "creat"
> ]
>
> It still does not work. Do you know why? If I just want to test only
> one syscall like 'connect', what should I do?

+syzkaller mailing list

Hi Xin,

disable_syscalls should work. Why do you think that all syscalls are used?

If you want to test only connect, then specify:

"enable_syscalls": [
"connect"
]

However, note that for connect you most likely also want at least the
socket syscall. Otherwise syzkaller will always pass -1 as the fd to
connect, which is probably not very useful.

Xin Long

Dec 23, 2015, 10:49:10 AM12/23/15
to Dmitry Vyukov, syzkaller
On Wed, Dec 23, 2015 at 11:24 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Wed, Dec 23, 2015 at 2:43 PM, Xin Long <lucie...@gmail.com> wrote:
>> Hi Dmitry:
>>
>> I built syzkaller, but every time I run it, all the syscalls
>> are tested, even though I configure disable_syscalls or enable_syscalls
>> in my.cfg.
>> "disable_syscalls": [
>> "alarm",
>> "bpf",
>> "capget",
>> "capset",
>> "chmod",
>> "chown",
>> "clock_adjtime",
>> "clock_getres",
>> "clock_gettime",
>> "clock_nanosleep",
>> "clock_settime",
>> "creat"
>> ]
>>
>> It still does not work. Do you know why? If I just want to test only
>> one syscall like 'connect', what should I do?
>
> +syzkaller mailing list
>
> Hi Xin,
>
> disable_syscalls should work. Why do you think that all syscalls are used?
>
Because in the website report:

manager new inputs: 64/min
vm restarts: 7/hour

accept inputs:930 cover:8393 prio
accept4 inputs:911 cover:8309 prio
acct inputs:1 cover:13 prio
add_key inputs:30 cover:1011 prio
alarm inputs:3 cover:88 prio
bind inputs:1010 cover:8403 prio
bpf inputs:39 cover:1747 prio
capget inputs:4 cover:69 prio
capset inputs:6 cover:119 prio
chmod inputs:14 cover:816 prio
chown inputs:11 cover:1564 prio
clock_adjtime inputs:4 cover:154 prio
clock_getres inputs:10 cover:637 prio
clock_gettime inputs:31 cover:1137 prio
clock_nanosleep inputs:5 cover:219 prio
clock_settime inputs:1 cover:29 prio
....

Does it prove these syscalls are used?
If not, how should I check the used syscalls?


> If you want to test only connect, then specify:
>
> "enable_syscalls": [
> "connect"
> ]
>
What if I configure that and also add "disable_syscalls"?

Does that mean the "disable_syscalls" option will be useless?

> However, note that for connect you most likely also want at least the
> socket syscall. Otherwise syzkaller will always pass -1 as the fd to
> connect, which is probably not very useful.

Got you.

Dmitry Vyukov

Dec 23, 2015, 10:55:25 AM12/23/15
to Xin Long, syzkaller
Yes, it proves that these syscalls are still used.
Please share your config file. The JSON parser silently ignores unknown
parameters, so maybe you put disable_syscalls in the wrong place in the
config file.



>> If you want to test only connect, then specify:
>>
>> "enable_syscalls": [
>> "connect"
>> ]
>>
> what if the configure that, and also, I add "disable_syscalls":
>
> does that mean "disable_syscalls" options will be useless ?

disable_syscalls will take precedence.
However, yes, if you want to test just a handful of syscalls, then you
need to list them in enable_syscalls. disable_syscalls is not useful
in this situation.
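Two points in this thread are easy to get wrong in a syz-manager config: an unknown or misplaced key is silently dropped, and disable_syscalls wins over enable_syscalls. The Go program below is an added illustration, not syzkaller code; it models only the two keys discussed here (a real config has more, which a strict parser would also have to list), uses a constructed list of known syscalls, and assumes exact name matching, so "socket" does not cover variants such as "socket$alg".

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Config models only the two keys discussed here (assumption; real configs have more).
type Config struct {
	EnableSyscalls  []string `json:"enable_syscalls"`
	DisableSyscalls []string `json:"disable_syscalls"`
}

// ParseStrict rejects unknown keys, so a misspelled or misplaced
// disable_syscalls fails loudly instead of being silently ignored.
func ParseStrict(cfg []byte) (Config, error) {
	var c Config
	dec := json.NewDecoder(bytes.NewReader(cfg))
	dec.DisallowUnknownFields()
	err := dec.Decode(&c)
	return c, err
}

// ActiveSyscalls starts from enable_syscalls (or all known syscalls when it is
// empty), then removes disable_syscalls, which takes precedence. Exact-name
// match is an assumption: "socket" here does not cover "socket$alg".
func ActiveSyscalls(c Config, known []string) []string {
	base := known
	if len(c.EnableSyscalls) > 0 {
		base = c.EnableSyscalls
	}
	disabled := map[string]bool{}
	for _, s := range c.DisableSyscalls {
		disabled[s] = true
	}
	out := []string{}
	for _, s := range base {
		if !disabled[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	known := []string{"socket", "socket$alg", "bind", "connect", "alarm"} // constructed
	c, err := ParseStrict([]byte(`{"enable_syscalls":["socket","bind","connect","alarm"],"disable_syscalls":["alarm"]}`))
	fmt.Println(ActiveSyscalls(c, known), err) // [socket bind connect] <nil>
	_, err = ParseStrict([]byte(`{"disabled_syscalls":["alarm"]}`))
	fmt.Println(err) // json: unknown field "disabled_syscalls"
}
```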

Xin Long

Dec 23, 2015, 11:02:32 AM12/23/15
to Dmitry Vyukov, syzkaller
The attachment is the config file. In my env it is at:
/usr/lib/golang/src/github.com/google/syzkaller/my.cfg

and I run it like:

cd /usr/lib/golang/src/github.com/google/syzkaller

./bin/syz-manager -config my.cfg

>
>
>>> If you want to test only connect, then specify:
>>>
>>> "enable_syscalls": [
>>> "connect"
>>> ]
>>>
>> what if the configure that, and also, I add "disable_syscalls":
>>
>> does that mean "disable_syscalls" options will be useless ?
>
> disable_syscalls will take precedence.
> However, yes, if you want to test just a handful of syscalls, then you
> need to list them in enable_syscalls. disable_syscalls is not useful
> in this situation.

OK, thanks.
[attachment: my.cfg]

Xin Long

Dec 23, 2015, 11:06:05 AM12/23/15
to Dmitry Vyukov, syzkaller
> attachment is the config file
> in my env:
> /usr/lib/golang/src/github.com/google/syzkaller/my.cfg
>
> and i run it, like:
>
> cd /usr/lib/golang/src/github.com/google/syzkaller
>
> ./bin/syz-manager -config my.cfg
>

I wanted to run tests for some network-related syscalls via this config
file, just FYI.

Dmitry Vyukov

Dec 23, 2015, 12:15:41 PM12/23/15
to Xin Long, syzkaller
Hi Xin,

I suspect that the issue is that you already have programs with these
disabled syscalls in workdir/corpus. disable_syscalls does not affect
these programs. I've filed
https://github.com/google/syzkaller/issues/9 for this.

Try removing the workdir directory. And I would suggest switching to
enable_syscalls instead, because then you can enumerate only the
interesting syscalls. Something along the lines of:

"enable_syscalls": [
"socket",
"socketpair",
"bind",
"connect",
"accept",
"accept4",
"shutdown",
"listen",
"close",
"getpeername",
"getsockname",
"getsockopt",
"setsockopt",
"ioctl",
"sendto",
"recvfrom",
"sendmsg",
"sendmmsg",
"recvmsg",
"recvmmsg",
"pipe",
"sendfile",
"splice",
"vmsplice"
],

Xin Long

Dec 23, 2015, 2:33:39 PM12/23/15
to Dmitry Vyukov, syzkaller
On Thu, Dec 24, 2015 at 1:15 AM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Wed, Dec 23, 2015 at 5:06 PM, Xin Long <lucie...@gmail.com> wrote:
>>> attachment is the config file
>>> in my env:
>>> /usr/lib/golang/src/github.com/google/syzkaller/my.cfg
>>>
>>> and i run it, like:
>>>
>>> cd /usr/lib/golang/src/github.com/google/syzkaller
>>>
>>> ./bin/syz-manager -config my.cfg
>>>
>>
>> i wanted to do tests for some syscalls about network via this config
>> file, just FYI
>
> Hi Xin,
>
> I suspect that the issue is that you already have programs with these
> disabled syscalls in workdir/corpus. Disable_syscalls does not affect
> these programs. I've filed
> https://github.com/google/syzkaller/issues/9 for this.
Yes, you're right. After I removed the directory, it works now.
This is very nice, thank you. :)

Xin Long
Thanks

Dmitry Vyukov

Dec 24, 2015, 7:09:47 AM12/24/15
to Xin Long, syzkaller
+syzkaller mailing list

On Thu, Dec 24, 2015 at 1:09 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Thu, Dec 24, 2015 at 1:01 PM, Xin Long <lucie...@gmail.com> wrote:
>> Hi, Dmitry:
>>
>> I've run the test for network in syzkaller for all the day, but i still cannot
>> reproduce this issue:
>> https://groups.google.com/d/msg/syzkaller/OUaLglyQNYM/UWs4GxGUDQAJ
>>
>> did I do something wrong?
>> can you give the cfg file for that?
>
>
> Here is my config:
>
> {
> "http": "localhost:50000",
> "workdir": "/src/gopath/src/github.com/google/syzkaller/workdir",
> "kernel": "/src/linux-dvyukov/arch/x86/boot/bzImage",
> "vmlinux": "/src/linux-dvyukov/vmlinux",
> "image": "/src/linux_image/wheezy.img",
> "sshkey": "/src/linux_image/ssh/id_rsa",
> "syzkaller": "/src/gopath/src/github.com/google/syzkaller",
> "type": "qemu",
> "count": 22,
> "procs": 8,
> "cpu": 2,
> "mem": 2048,
> "disable_syscalls": [
> "syz_fuseblk_mount",
> "perf_event_open",
> "socket$alg",
> "bind$alg"
> ],
> "suppressions": [
> "gsm_cleanup_mux",
> "irtty_open",
> "at net/ipv4/tcp.c:1729 tcp_recvmsg",
> "n_hdlc_buf_put",
> "n_hdlc_tty_read",
> "pps_device_destruct"
> ]
> }
>
>
> You also need to enable SCTP in kernel config, here is an excerpt from
> my kernel config:
>
> CONFIG_IP_SCTP=y
> CONFIG_NET_SCTPPROBE=y
> CONFIG_SCTP_DBG_OBJCNT=y
> # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set
> # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
> CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE=y
> # CONFIG_SCTP_COOKIE_HMAC_MD5 is not set
> # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
>
> And of course you need CONFIG_KASAN (preferably with
> CONFIG_KASAN_INLINE=y). Did you enable it?

Xin Long

Dec 24, 2015, 7:35:39 AM12/24/15
to Dmitry Vyukov, syzkaller
No sendto? What is $alg?

>> "suppressions": [
>> "gsm_cleanup_mux",
>> "irtty_open",
>> "at net/ipv4/tcp.c:1729 tcp_recvmsg",
>> "n_hdlc_buf_put",
>> "n_hdlc_tty_read",
>> "pps_device_destruct"
>> ]
>> }
>>
>>
>> You also need to enable SCTP in kernel config, here is an excerpt from
>> my kernel config:
>>
>> CONFIG_IP_SCTP=y
>> CONFIG_NET_SCTPPROBE=y
>> CONFIG_SCTP_DBG_OBJCNT=y
>> # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set
>> # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
>> CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE=y
>> # CONFIG_SCTP_COOKIE_HMAC_MD5 is not set
>> # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
Do I have to do it with 'y'? Because I did it with 'm':
CONFIG_IP_SCTP=m
CONFIG_NET_SCTPPROBE=m
# CONFIG_SCTP_DBG_OBJCNT is not set
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set
CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
CONFIG_SCTP_COOKIE_HMAC_MD5=y
CONFIG_SCTP_COOKIE_HMAC_SHA1=y



>>
>> And of course you need CONFIG_KASAN (preferably with
>> CONFIG_KASAN_INLINE=y). Did you enable it?
This is my .config for KASAN:
CONFIG_KASAN=y
CONFIG_KASAN_OUTLINE=y
# CONFIG_KASAN_INLINE is not set
CONFIG_TEST_KASAN=m
CONFIG_KCOV=y

I have enabled CONFIG_KASAN_OUTLINE; do I have to change to CONFIG_KASAN_INLINE?

Dmitry Vyukov

Dec 24, 2015, 7:43:55 AM12/24/15
to Xin Long, syzkaller
I don't disable sendto.
Syscall names with $ are special variations of the normal syscall.
For example, socket$alg creates PF_ALG sockets. You can see the full list
in the sys/sys.txt file.
I don't know. Are these modules loaded by default?

>>> And of course you need CONFIG_KASAN (preferably with
>>> CONFIG_KASAN_INLINE=y). Did you enable it?
> this is my .config about KASAN
> CONFIG_KASAN=y
> CONFIG_KASAN_OUTLINE=y
> # CONFIG_KASAN_INLINE is not set
> CONFIG_TEST_KASAN=m
> CONFIG_KCOV=y
>
> I have enabled CONFIG_KASAN_OUTLINE, do i have to change to CONFIG_KASAN_INLINE?

CONFIG_KASAN_OUTLINE should be OK.


That particular use-after-free happens in pr_dbg macro. Maybe your
config/compiler removes pr_dbg entirely. Check generated code for that
function.

Xin Long

Dec 24, 2015, 8:13:45 AM12/24/15
to Dmitry Vyukov, syzkaller
OK, thanks.
Every time I run this test, there are always a lot of crash-* files in
crashes/, but most of them are the same. How do you handle them?
No, I don't think so. Maybe I should have them loaded when the system starts.

Dmitry Vyukov

Dec 24, 2015, 8:37:48 AM12/24/15
to Xin Long, syzkaller
I report them upstream. Reproducer creation is described here:
https://github.com/google/syzkaller/wiki/Crash-reproducer-programs
If you mean duplicates, then I use suppressions in the config file and
also pull in fixes for some already fixed bugs.
Or just change 'm' to 'y'.

Xin Long

Dec 28, 2015, 8:19:14 AM12/28/15
to Dmitry Vyukov, syzkaller
Hi Dmitry,
Sorry to trouble you again.

In my env, it still seems not to work well.

Can you send me your kernel .config file? Thanks. :D

Dmitry Vyukov

Dec 28, 2015, 8:31:41 AM12/28/15
to Xin Long, syzkaller
Hi Xin,

I've attached my current config.

You can also try to reproduce the bug with the test program that I
provided with the bug report. This will bisect the problem to either a
kernel build problem or syzkaller not triggering the bug.
[attachment: .config]