Basic syzkaller running

ghs...@g.rit.edu

Aug 28, 2017, 11:04:38 AM
to syzkaller
I am very new to syzkaller and just trying to get it up and running on my Samsung Galaxy S7 (my host computer is running a standard distribution of Ubuntu 16.04). Before doing anything specific with my fuzzing, I am just trying to produce an output similar to what was shown in the install guide here (https://github.com/google/syzkaller/blob/master/docs/setup.md). Following the Android guide here (https://github.com/google/syzkaller/blob/master/docs/setup_linux-host_android-device_arm64-kernel.md), I am able to get the fuzzer to run, but I am not convinced I have it working properly. Here is the output I get when I run syzkaller.

2017/08/28 14:14:54 loading corpus...
2017/08/28 14:14:54 loaded 0 programs (0 total, 0 deleted)
2017/08/28 14:14:54 serving http on http://127.0.0.1:50000
2017/08/28 14:14:54 serving rpc on tcp://[::]:36531
2017/08/28 14:14:54 booting test machines...
2017/08/28 14:14:54 wait for the connection from test machine...
2017/08/28 14:15:53 failed to associate adb device 9886334b3644444955 with console: no console is associated with this device
2017/08/28 14:15:53 falling back to 'adb shell dmesg -w'
2017/08/28 14:15:53 note: some bugs may be detected as 'lost connection to test machine' with no kernel output
2017/08/28 14:15:58 vm-0: crash: WARNING in device_create_file

The phone will then reboot and continue to produce that same crash. I noticed the rpc line has no address and I cannot seem to make it take one (I am also not sure how I would do that and the things I have tried have not worked). I am also not sure how big of an issue that is. I ran the program a second time with the debug flag set. That output is shown below.

2017/08/28 14:18:23 loading corpus...
2017/08/28 14:18:23 loaded 0 programs (0 total, 0 deleted)
2017/08/28 14:18:23 serving http on http://127.0.0.1:50000
2017/08/28 14:18:23 serving rpc on tcp://[::]:34811
2017/08/28 14:18:23 booting test machines...
2017/08/28 14:18:23 wait for the connection from test machine...
2017/08/28 14:18:24 executing adb [shell pwd]
2017/08/28 14:18:24 adb returned
2017/08/28 14:18:24 executing adb [shell reboot]
2017/08/28 14:18:25 adb returned
2017/08/28 14:18:36 executing adb [shell pwd]
2017/08/28 14:18:36 adb failed: exit status 1
error: device '9886334b3644444955' not found
...
2017/08/28 14:19:03 executing adb [shell pwd]
2017/08/28 14:19:03 adb failed: exit status 1
error: device '9886334b3644444955' not found
2017/08/28 14:19:04 executing adb [shell pwd]
2017/08/28 14:19:04 adb returned
2017/08/28 14:19:04 executing adb [root]
2017/08/28 14:19:04 adb returned
2017/08/28 14:19:05 executing adb [shell pwd]
2017/08/28 14:19:05 adb returned
2017/08/28 14:19:26 failed to associate adb device 9886334b3644444955 with console: no console is associated with this device
2017/08/28 14:19:26 falling back to 'adb shell dmesg -w'
2017/08/28 14:19:26 note: some bugs may be detected as 'lost connection to test machine' with no kernel output
2017/08/28 14:19:26 executing adb [shell rm -Rf /data/local/tmp/syzkaller*]
2017/08/28 14:19:26 adb returned
2017/08/28 14:19:26 executing adb [reverse tcp:35099 tcp:34811]
2017/08/28 14:19:26 adb returned
2017/08/28 14:19:26 executing adb [push /home/bf/shared/go/src/github.com/google/syzkaller/bin/syz-fuzzer /data/local/tmp/syz-fuzzer]
2017/08/28 14:19:29 adb returned
2017/08/28 14:19:29 executing adb [push /home/bf/shared/go/src/github.com/google/syzkaller/bin/syz-executor /data/local/tmp/syz-executor]
2017/08/28 14:19:29 adb returned
2017/08/28 14:19:29 starting: adb shell /data/local/tmp/syz-fuzzer -executor=/data/local/tmp/syz-executor -name=vm-0 -manager=127.0.0.1:35099 -procs=1 -leak=false -cover=true -sandbox=none -debug=true -v=100

After the last line it prints out what looks like a kernel log. It then crashes and reboots.

2017/08/28 14:19:29 vm-0: crash: WARNING in device_create_file
2017/08/28 14:19:31 executing adb [shell pwd]
2017/08/28 14:19:31 adb returned
2017/08/28 14:19:31 executing adb [shell reboot]
2017/08/28 14:19:31 adb returned
2017/08/28 14:19:42 executing adb [shell pwd]
2017/08/28 14:19:42 adb failed: exit status 1
error: device '9886334b3644444955' not found
...

It will do this forever, as far as I can tell. It seems like the person on this thread (https://groups.google.com/forum/#!topic/syzkaller/Y_lQNl8yKVw) was having a similar issue, but I am not sure how it was resolved. I will attach the log and report file from the debug run as well as the config file I am using. Sorry for the long-winded question, but any thoughts and/or suggestions would be welcome. Thanks!


log42
report42
adb.cfg

Dmitry Vyukov

Aug 28, 2017, 1:38:40 PM
to ghs...@g.rit.edu, syzkaller
Hi,

This is a combination of the kernel bug (WARNING in
device_create_file) and the fact that you use usb cable without proper
console support. The kernel bug happens during boot, normally we
ignore boot output, but 'adb shell dmesg -w' pipes all boot output, so
syz-manager instantly thinks that it triggered a kernel bug (which is
in fact true) and reboots the device.
Either: 1. fix the kernel bug
or 2. figure out how to remove boot output from 'adb shell dmesg -w'
or 3. try to add "ignores": ["WARNING: .* device_create_file"] to manager config

ghs...@g.rit.edu

Aug 29, 2017, 9:46:53 AM
to syzkaller
Dmitry,

I added the ignore line and it worked well! However it is not crashing with this bug:
vm-0: crash: BUG: start networkManagement

After some Googling, I could not find much that was helpful. Just to see what would happen I added two new ignore statements to the .cfg file:
"ignores": ["WARNING: .* device_create_file",
                "BUG: start networkManagement",
                "BUG: end networkManagement"]

It did in fact ignore them, but then produced this:
vm-0: crash: lost connection to test machine

This error, from what I can tell, is a bit more generic and is probably caused by the BUG I am ignoring. That's my guess, I could be wrong. I will attach the log file and debug output. Any suggestions?

One more thing; I saw you mention a cable with console support. Is there a special cable I should be using?

Thanks again for the help!
log14
debug_output

Dmitry Vyukov

Aug 30, 2017, 8:21:19 AM
to ghs...@g.rit.edu, syzkaller
On Tue, Aug 29, 2017 at 3:46 PM, <ghs...@g.rit.edu> wrote:
> Dmitry,
>
> I added the ignore line and it worked well! However it is not crashing with
> this bug:
> vm-0: crash: BUG: start networkManagement

This is actually "DEBUG:", not "BUG:". Should be fixed by:
https://github.com/google/syzkaller/commit/1d0002255d805442ff43c5c4265950179aac77c9

> After some Googling, I could not find much that was helpful. Just to see
> what would happen I added two new ignore statements to the .cfg file:
> "ignores": ["WARNING: .* device_create_file",
> "BUG: start networkManagement",
> "BUG: end networkManagement"]
>
> It did in fact ignore them, but then produced this:
> vm-0: crash: lost connection to test machine
>
> This error, from what I can tell, is a bit more generic and is probably
> caused by the BUG I am ignoring. That's my guess, I could be wrong. I will
> attach the log file and debug output. Any suggestions?

What's in the log files for "lost connection to test machine" crashes?


> One more thing; I saw you mention a cable with console support. Is there a
> special cable I should be using?


Syzkaller is more reliable with a special cable that exposes device
console output to host. Search this group for Syzy-Q. I don't know the
details about these cables, nor where one can get one.

ghs...@g.rit.edu

Aug 30, 2017, 9:39:15 AM
to syzkaller
 
> This is actually "DEBUG:", not "BUG:". Should be fixed by:
> https://github.com/google/syzkaller/commit/1d0002255d805442ff43c5c4265950179aac77c9

This worked very well!
 
Here are the attached files.

I was looking at this thread (https://groups.google.com/forum/#!topic/syzkaller/ZZPqSdueEm4). I know I am jumping around a bunch and I do not know if the problems are related, but I think I am having a similar problem. I actually removed the -w from the dmesg command. Initially when I was running the syzkaller it was complaining it did not know what the -w option was. I am not sure if this information is helpful.

Thanks!
log2
debug_output

Dmitry Vyukov

Aug 30, 2017, 9:52:04 AM
to ghs...@g.rit.edu, syzkaller
On Wed, Aug 30, 2017 at 3:39 PM, <ghs...@g.rit.edu> wrote:
>
>>
>> This is actually "DEBUG:", not "BUG:". Should be fixed by:
>>
>> https://github.com/google/syzkaller/commit/1d0002255d805442ff43c5c4265950179aac77c9
>
>
> This worked very well!
>
> Here are the attached files.

Are you sure these are matching files? There is no output from
syz-fuzzer in the log file. Please post full syz-manager output with
-debug flag.

ghs...@g.rit.edu

Aug 30, 2017, 10:16:26 AM
to syzkaller

> Are you sure these are matching files? There is no output from
> syz-fuzzer in the log file. Please post full syz-manager output with
> -debug flag.

Sorry about that. Let's try this again.
full_log

Dmitry Vyukov

Aug 30, 2017, 10:34:22 AM
to ghs...@g.rit.edu, syzkaller
It seems that syz-fuzzer did not even start. Are you sure it is built
for arm64? Try to run syz-fuzzer binary manually on the device. What
does it say? Does it start at all?

ghs...@g.rit.edu

Aug 30, 2017, 10:40:50 AM
to syzkaller

> It seems that syz-fuzzer did not even start. Are you sure it is built
> for arm64? Try to run syz-fuzzer binary manually on the device. What
> does it say? Does it start at all?

root@herolte:/data/local/tmp # ./syz-fuzzer                                   
2017/08/30 14:38:23 fuzzer started
2017/08/30 14:38:23 dialing manager at
panic: dial tcp: missing address

goroutine 1 [running]:
main.main()
    /home/gio/go/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:132 +0x1f10
 

ghs...@g.rit.edu

Aug 30, 2017, 11:28:56 AM
to syzkaller
I think I have it started now. I am not sure what it was doing before. Look at this log.
 
full_log

Dmitry Vyukov

Aug 30, 2017, 12:04:01 PM
to ghs...@g.rit.edu, syzkaller
It looks like the same log. What has changed? What have you started?

ghs...@g.rit.edu

Aug 30, 2017, 12:15:06 PM
to syzkaller

> It looks like the same log. What has changed? What have you started?

My mistake. You are correct, it is basically the same log. I did not go over the first log as well as I should have. For whatever reason, one of the runs I did manually produced a segfault. I think the phone was in a bad state because I am unable to reproduce it. I thought that might have been the issue, but not anymore. When I run syz-fuzzer manually on the device I get this consistently:

2017/08/30 16:09:23 fuzzer started
2017/08/30 16:09:23 dialing manager at
panic: dial tcp: missing address

goroutine 1 [running]:
main.main()
    /home/gio/go/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:132 +0x1f10

What should I expect?

Dmitry Vyukov

Aug 30, 2017, 12:29:58 PM
to ghs...@g.rit.edu, syzkaller
That is the expected output. It means the binary is built for the right arch.

Looking at adb code... you said that you removed a flag from dmesg.
Are you sure it still continuously pipes output à la tail -f? If it
writes current output and exits, it would lead to such error. Because
from syz-manager point of view it looks like console connection was
suddenly lost, which means that the machine is probably lost as well.

ghs...@g.rit.edu

Aug 31, 2017, 10:42:55 AM
to syzkaller

> Looking at adb code... you said that you removed a flag from dmesg.
> Are you sure it still continuously pipes output à la tail -f? If it
> writes current output and exits, it would lead to such error. Because
> from syz-manager point of view it looks like console connection was
> suddenly lost, which means that the machine is probably lost as well.

So instead of just doing dmesg -w, which my phone does not support, I changed that line to be: cat /proc/kmsg. Then I got a permission denied. This made me think I did not have root, so I manually ran "adb root" which returned to me "adbd cannot run as root in production builds". This seems to be the root of the issue, so to speak.

I achieved root on my phone with a stock ROM and chainfire autoroot (my device is the Exynos version of the S7). It is important to my project that I continue to use a production build, so I do not want to switch to a debug or engineering ROM of any kind. I should have realized that root was not working a while ago, because I was unable to push to /data and am instead pushing to /data/local/tmp which shell can do. Anyway I changed "cat /proc/kmsg" to "su -c cat /proc/kmsg" and it seems to move me forward.

After doing some reading on what "adb root" does, I was wondering how necessary it was to give the full daemon root permissions. Maybe I could get away with running only things necessary as root using su? I have currently made it so any "adb shell" command runs as "adb shell su -c". This is definitely getting the syzkaller further down the fuzzing line. What are your thoughts?

I will attach the debug logs of my most recent runs:
debug_log: Log of 1 run with the debug flag
non_debug_output: What the terminal shows during a run without the debug flag
crash1_log and crash2_log: from the same non_debug run
crash1_log
crash2_log
debug_log
non_debug_output

Dmitry Vyukov

Aug 31, 2017, 12:48:13 PM
to ghs...@g.rit.edu, syzkaller
panic: invalid syscall in -calls flag: '1473

The error suggests that your manager/fuzzer/execprog/executor are built
on different commits/from different sources.

ghs...@g.rit.edu

Aug 31, 2017, 2:34:44 PM
to syzkaller

> panic: invalid syscall in -calls flag: '1473
>
> The error suggests that your manager/fuzzer/execprog/executor are built
> on different commits/from different sources.

I recloned the repo and added my small changes back in. After a few tests it is producing panics with various flags. I have seen 1444, 1506, and 1448. I wonder if my changes are causing this? I can attach the source files if you want to see it.

ghs...@g.rit.edu

Aug 31, 2017, 2:51:26 PM
to syzkaller
I also have acquired a Qualcomm S7 with an engineering ROM on it. I cloned the repo again and changed only the "dmesg -w" to "cat /sys/proc". I got a similar panic, the number was 1496 this time.

ghs...@g.rit.edu

Aug 31, 2017, 2:53:20 PM
to syzkaller


On Thursday, August 31, 2017 at 2:51:26 PM UTC-4, ghs...@g.rit.edu wrote:
> I also have acquired a Qualcomm S7 with an engineering ROM on it. I cloned the repo again and changed only the "dmesg -w" to "cat /sys/proc". I got a similar panic, the number was 1496 this time.

Sorry. Not "cat /sys/proc" ... long day ... "cat /proc/kmsg". I also verified that I could do "adb root" and I could. So none of my "su -c" changes were necessary.

zhangbo...@gmail.com

Aug 31, 2017, 10:07:46 PM
to syzkaller
Hi

Don't use cat /proc/kmsg, if your dmesg didn't support the '-w' option, you can recompile it to support this feature or try this tricky command instead: 'while true;do dmesg -c;sleep 1;done'

On Friday, September 1, 2017 at 2:53:20 AM UTC+8, ghs...@g.rit.edu wrote:

ghs...@g.rit.edu

Sep 1, 2017, 9:41:00 AM
to syzkaller
> Don't use cat /proc/kmsg, if your dmesg didn't support the '-w' option, you can recompile it to support this feature or try this tricky command instead: 'while true;do dmesg -c;sleep 1;done'

When you say "recompile it" do you mean busybox? Alternatively, I am not sure what I would replace with that while loop. Would I replace the whole OpenRemoteConsole function call, just the dmesg line, or a portion of that function? I guess I am also a little confused what the issue would be with using /proc/kmsg. I thought that was what dmesg looked at.

ghs...@g.rit.edu

Sep 1, 2017, 1:32:07 PM
to syzkaller

I downloaded util-linux 2.30, cross-compiled dmesg, and moved it to the phone. I am now using dmesg -w. I am still getting: lost connection to test machine. I will attach the log.

debug_run

Dmitry Vyukov

Sep 2, 2017, 7:25:05 AM
to ghs...@g.rit.edu, syzkaller
I think I see the problem. It is caused by some recent changes and
manifests only in cross-arch scenarios (amd64->arm64), which we don't
use a lot. Should be fixed by:
https://github.com/google/syzkaller/commit/2c0b7b7ff31bbb899cc0c95766b5d04ebbd2d269

ghs...@g.rit.edu

Sep 5, 2017, 11:16:15 AM
to syzkaller
 
> I think I see the problem. It is caused by some recent changes and
> manifests only in cross-arch scenarios (amd64->arm64), which we don't
> use a lot. Should be fixed by:
> https://github.com/google/syzkaller/commit/2c0b7b7ff31bbb899cc0c95766b5d04ebbd2d269
 
I pulled the patch. I am now getting two different errors with the two different phones I am working on. The log files now have weird characters in them. I will attach both the debug output and associated log file.

rooted_s7_debug_terminal
rooted_s7_log
unrooted_s7_debug_terminal
unrooted_s7_log

Dmitry Vyukov

Sep 5, 2017, 2:51:08 PM
to ghs...@g.rit.edu, syzkaller
unrooted seems to be the same problem with dmesg -w exiting and not
streaming console output
rooted seems to be the same problem with "panic: invalid syscall in
-calls flag: '1473". Are you sure you've rebuilt everything after
pulling the commit?

ghs...@g.rit.edu

Sep 5, 2017, 3:30:53 PM
to syzkaller

> unrooted seems to be the same problem with dmesg -w exiting and not
> streaming console output
> rooted seems to be the same problem with "panic: invalid syscall in
> -calls flag: '1473". Are you sure you've rebuilt everything after
> pulling the commit?

I am sure I remade them, so just in case I pulled again. It pulled more stuff down. I am not sure what went wrong the first time I tried doing this, but now both fuzzers are starting. The rooted returns: vm-0: crash: INFO::LINEx0010], and I am not seeing the same panic. The unrooted returns: vm-0: crash: lost connection to test machine; I am not sure if this is still the same dmesg -w issue. 

I am attaching the two new logs.
rooted_s7_debug_terminal
unrooted_s7_debug_terminal

ghs...@g.rit.edu

Sep 11, 2017, 10:17:02 AM
to syzkaller
Dmitry,

Any ideas on how to move forward with this?

Thanks!

Dmitry Vyukov

Sep 12, 2017, 1:46:37 PM
to ghs...@g.rit.edu, syzkaller
The unrooted case seems to be due to dmesg not streaming console output.

The rooted crashes because syzkaller thinks that these lines in
console output indicate kernel oops (it greps for "INFO:" lines):

[ 15.833876] [syscamera][msm_companion_pll_init::526][BIN_INFO::0x0010]
[ 15.837004] [syscamera][msm_companion_pll_init::544][WAFER_INFO::0x1e7f]
[ 15.837059] [syscamera][msm_companion_pll_init::583] cam_vdig_comp voltage setting: 800000 for pwr binning
[ 15.837596] [syscamera][msm_companion_pll_init::594][BIN_INFO::0x0010][WAFER_INFO::0x1e7f][voltage 0.800]

This does not seem to be kernel output at all, so another problem due
to working around absence of proper console output.
I guess we need another patch along the lines of:
https://github.com/google/syzkaller/commit/1d0002255d805442ff43c5c4265950179aac77c9
to filter them out.
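
The false positives discussed in this thread ("DEBUG:" read as "BUG:", "BIN_INFO::" read as "INFO:") and the effect of the "ignores" list, as an added Go example that is not syzkaller's code and not the fix in the linked commit. The marker list, the function names, the anchored mode and the first two sample console lines are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Markers named in the thread; an assumed, shortened list, not syzkaller's own.
var markers = []string{"WARNING:", "BUG:", "INFO:"}

// Kernel log timestamp such as "[   15.833876] ".
var tsPrefix = regexp.MustCompile(`^\[\s*\d+\.\d+\]\s*`)

// Constructed sample console: lines 1-2 are built around strings quoted in
// the thread, line 3 is the syscamera line quoted in the post above.
const sampleConsole = `[    3.512345] WARNING: CPU: 2 PID: 1 at drivers/base/core.c:600 device_create_file+0x90/0xb0
[   12.100000] DEBUG: start networkManagement
[   15.833876] [syscamera][msm_companion_pll_init::526][BIN_INFO::0x0010]`

// compileIgnores compiles patterns as they would appear in the manager
// config's "ignores" list.
func compileIgnores(patterns []string) []*regexp.Regexp {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		res = append(res, regexp.MustCompile(p))
	}
	return res
}

// matchLine returns the crash title for one console line, or "".
// anchored=false: a marker anywhere in the line counts (substring grep).
// anchored=true: the marker must start the message after the timestamp.
func matchLine(line string, anchored bool) string {
	body := tsPrefix.ReplaceAllString(line, "")
	for _, m := range markers {
		if anchored {
			if strings.HasPrefix(body, m) {
				return body
			}
		} else if i := strings.Index(line, m); i >= 0 {
			return line[i:]
		}
	}
	return ""
}

// firstCrash returns the title of the first line that matches a marker and
// is not covered by an ignore pattern, or "" when the console looks clean.
func firstCrash(console string, ignores []*regexp.Regexp, anchored bool) string {
nextLine:
	for _, line := range strings.Split(console, "\n") {
		title := matchLine(strings.TrimSpace(line), anchored)
		if title == "" {
			continue
		}
		for _, re := range ignores {
			if re.MatchString(line) {
				continue nextLine
			}
		}
		return title
	}
	return ""
}

func main() {
	warn := []string{"WARNING: .* device_create_file"}
	all := append(warn, "BUG: start networkManagement", "BUG: end networkManagement")
	fmt.Printf("no ignores:         %q\n", firstCrash(sampleConsole, nil, false))
	fmt.Printf("ignore WARNING:     %q\n", firstCrash(sampleConsole, compileIgnores(warn), false))
	fmt.Printf("ignore all three:   %q\n", firstCrash(sampleConsole, compileIgnores(all), false))
	fmt.Printf("anchored + WARNING: %q\n", firstCrash(sampleConsole, compileIgnores(warn), true))
}
```

Each ignore pattern only moves the substring matcher on to the next noisy line, which is the sequence seen in this thread; requiring the marker at the start of the message is one way to drop the userspace and driver lines while still reporting a real WARNING.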

ghs...@g.rit.edu

Sep 13, 2017, 9:36:29 AM
to syzkaller


> The unrooted case seems to be due to dmesg not streaming console output.


What in the log file are you using to identify this issue? I am going to try and solve why this is happening.

Dmitry Vyukov

Sep 13, 2017, 9:39:41 AM
to ghs...@g.rit.edu, syzkaller
The fact that manager loses connection to the machine before
syz-fuzzer is started and absence of other errors in the console
output.

ghs...@g.rit.edu

Sep 13, 2017, 9:45:41 AM
to syzkaller

> The fact that manager loses connection to the machine before
> syz-fuzzer is started and absence of other errors in the console
> output.

Ok. I guess I am still a little confused. On line 149 it says: fuzzer started. As far as I can tell, nothing in the log before that suggests that the connection was lost. What am I missing?

Dmitry Vyukov

Sep 13, 2017, 10:16:00 AM
to ghs...@g.rit.edu, syzkaller
I don't know, it's just my guess. You can try to replace dmesg with
"sleep 100000" and see if it fixes the lost connection crash on start.

ghs...@g.rit.edu

Sep 13, 2017, 4:09:53 PM
to syzkaller

I have decided to move away from what I am doing with my unrooted device and come back to that at a different point. For now I am going to do all of my testing on the rooted S7.
I ran some tests and the first thing I noticed is that the phone no longer reboots in the middle of running the syzkaller and therefore am not getting spammed with the connection lost messages, which is great. The program is still now crashing with: vm-0: crash: INFO::LINEx0008]. I will attach the log. I remember before I was getting something like: vm-0: crash: INFO::LINEx0010].
debug_log

ghs...@g.rit.edu

Sep 19, 2017, 11:34:52 AM
to syzkaller
> I guess we need another patch along the lines of:
> https://github.com/google/syzkaller/commit/1d0002255d805442ff43c5c4265950179aac77c9
> to filter them out.

I have looked at this patch you were talking about a few days ago. I do not entirely understand how it works. Do you have any suggestions as to how I can go about patching these INFO errors as I see them?

Dmitry Vyukov

Sep 23, 2017, 2:24:21 AM
to ghs...@g.rit.edu, syzkaller

ghs...@g.rit.edu

Sep 25, 2017, 10:13:06 AM
to syzkaller
Dmitry,

The patch worked. I had to disable CONFIG_KCOV to make it work, but everything is running now. Thank you very much for the help.

Nickleman

Oct 4, 2017, 12:45:40 AM
to syzkaller
Sorry to hijack this thread, but it seemed like the main issue is resolved while I have some very basic questions related to the title...
I have yet to start syzkalling an Android device, but I would like to know:

1) Does the device need to be rooted? Can stock device be used?
2) Does the kernel on the device need to be rebuilt (with instrumentation)?
3) Any recommendations on devices that have been known to work with syzkaller?

ghs...@g.rit.edu

Oct 9, 2017, 9:41:36 AM
to syzkaller

> 1) Does the device need to be rooted? Can stock device be used?

I have successfully got syzkaller running on my rooted device that currently has an engineering ROM on it. I have a device with a superuser (su) binary on it, but I have not gotten syzkaller running on it yet. From what I can tell, the difference is you cannot start the adb daemon as root with SU. I have not yet tried calling su from the actual syzkaller api, but I have tried putting it in front of all adb commands and I was still having some problems. I have not tried it with the last patch set that came out, maybe it is fixed, I am not sure.

> 2) Does the kernel on the device need to be rebuilt (with instrumentation)?

As far as I can tell, no. You may need to put a cross-compiled version of dmesg on the phone. Mine did not have the -w option which does seem to be necessary.

> 3) Any recommendations on devices that have been known to work with syzkaller?

I am currently using the Samsung Galaxy S7. I have not tried anything else. I am successfully running on the Qualcomm version with an eng ROM. I have the Exynos rooted (sort of) and am still working on making that work.

pengfei xu

Sep 24, 2025, 9:47:48 PM
to syzkaller
Hello syzkaller experts!

I have a special request regarding syzkaller:

Is there an easy way to run syzkaller on a bare metal platform?

For example, a sample my.cfg file for bare metal.

Thanks!

Aleksandr Nogikh

Sep 25, 2025, 3:29:36 AM
to pengfei xu, syzkaller
Hi Pengfei,

On Thu, Sep 25, 2025 at 3:47 AM pengfei xu <xpf...@gmail.com> wrote:
>
> Hello syzkaller experts!
>
> I have a special request regarding syzkaller:
>
> Is there an easy way to run syzkaller on a bare metal platform?
>
> For example, a sample my.cfg file for bare metal.

There's a special "isolated" mode for running it on individual machines:
https://github.com/google/syzkaller/blob/master/docs/linux/setup_linux-host_isolated.md
(I hope the docs are up to date enough)

I see that the forwarded email mentions an Android phone, FWIW there's
support for adb devices as well:
https://github.com/google/syzkaller/blob/master/docs/linux/setup_linux-host_android-device_arm-kernel.md

--
Aleksandr