Need some information about syzkaller
Anurag Verma
Hi
This is Anurag Verma from Broadcom Inc.
I am using syzkaller for fuzzing linux kernel and in order to begin with I am just trying to fuzz some limited system calls in linux kernel version 5.4.0-66 on Ubuntu 18 VM, by using the option enable_syscall.
My query is that I can see that execve system call is getting fuzzed, but am not able to get its c code generated or stored somewhere. Please let me know where I can keep the corresponding c code of the system call being fuzzed. I have gone through the document but did not find any configurable item where the c files can be stored.
My config file is attached herewith for reference.
FYI, I am pasting the console output where execve system call is being fuzzed with some random inputs. >>>
98499ms] -> execve(0x20000040, 0x0, 0x0)
#0 [98500ms] <- execve=0xffffffffffffffff errno=13 cover=9994
<<<
Here is the excerpt of console logs:
17:07:33 executing program 0:
r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x1c, 0x1c, 0x8, [@int={0xd, 0x0, 0x0, 0x1, 0x0, 0x11, 0x0, 0x5e, 0x4}, @ptr={0x5, 0x0, 0x0, 0x2, 0x3}]}, {0x0, [0x30, 0x5f, 0x61, 0x2e, 0x30, 0x5f]}}, &(0x7f0000000080)=""/180, 0x3c, 0xb4}, 0x20)
bpf$MAP_CREATE(0x0, &(0x7f0000000180)={0xa, 0x5, 0x3d, 0xfff, 0x1260, 0x1, 0x0, '\x00', 0x0, r0, 0x1, 0x2, 0x3}, 0x40)
execve(&(0x7f0000000040)='.\x00', 0x0, 0x0)
[98496ms] exec opts: procid=0 threaded=1 collide=0 cover=1 comps=0 dedup=1 fault=0/0/0 timeouts=50/5000/1 prog=0 filter=0
spawned worker pid 469
#0 [98499ms] -> bpf$BPF_BTF_LOAD(0x12, 0x20000140, 0x20)
#0 [98499ms] <- bpf$BPF_BTF_LOAD=0xffffffffffffffff errno=1 cover=60
#0 [98499ms] -> bpf$MAP_CREATE(0x0, 0x20000180, 0x40)
#0 [98499ms] <- bpf$MAP_CREATE=0xffffffffffffffff errno=22 cover=50
#0 [98499ms] -> execve(0x20000040, 0x0, 0x0)
#0 [98500ms] <- execve=0xffffffffffffffff errno=13 cover=9994
2021/08/24 17:07:33 result hanged=false:
2021/08/24 17:07:37 VMs 1, executed 215, cover 3936, signal 4554/4554, crashes 0, repro 0
2021/08/24 17:07:43 poll: candidates=0 inputs=0 signal=0
Thanks and Regards
/A\nurag \V/erma
RnD Engineer
Broadcom Inc
This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
Aleksandr Nogikh
If you want to generate C code for some previously executed program, you need to take it from the log, save as a file and execute syz-prog2c.
In your case:
r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x1c, 0x1c, 0x8, [@int={0xd, 0x0, 0x0, 0x1, 0x0, 0x11, 0x0, 0x5e, 0x4}, @ptr={0x5, 0x0, 0x0, 0x2, 0x3}]}, {0x0, [0x30, 0x5f, 0x61, 0x2e, 0x30, 0x5f]}}, &(0x7f0000000080)=""/180, 0x3c, 0xb4}, 0x20)
bpf$MAP_CREATE(0x0, &(0x7f0000000180)={0xa, 0x5, 0x3d, 0xfff, 0x1260, 0x1, 0x0, '\x00', 0x0, r0, 0x1, 0x2, 0x3}, 0x40)
execve(&(0x7f0000000040)='.\x00', 0x0, 0x0)
./bin/syz-prog2c -arch amd64 -os linux -prog program.txt
Note that there are many options affecting this process (OS, platform, sandboxing, extra features to enable, etc.). You can find their (short) description if you run that command without parameters.
./bin/syz-prog2c
Also you can find some useful information in these links. They're related to crash reproduction, but the considerations are the same.
https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md
--
Best Regards,
Aleksandr
--
You received this message because you are subscribed to the Google Groups "syzkaller" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/4f2a4285ee836dfbe3c357c484a11c33%40mail.gmail.com.