diff options
author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2022-10-21 13:25:36 +0300 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2022-10-21 09:57:59 -0700 |
commit | cfac82c560e514333ebb1de772778554d1aca49c (patch) | |
tree | abba1c3d3572ff3391ffc8c97a6bfb646131363c /meta-oe/recipes-test | |
parent | bd8defdcd8b6c8e50c7b90587c551d6505f6487c (diff) | |
download | meta-openembedded-cfac82c560e514333ebb1de772778554d1aca49c.tar.gz |
syzkaller: add recipe and selftest for syzkaller fuzzing
Syzkaller is a coverage-guided fuzzer that is widely used to find bugs in
the Linux kernel:
https://github.com/google/syzkaller
Add the recipe and a selftest for running the fuzzer in a qemux86-64
kvm environment. The following steps can be used to start the test:
"""
cat >> conf/local.conf <<EOF
SYZ_WORKDIR="<path>"
SYZ_FUZZTIME="30"
SYZ_QEMU_VM_COUNT="2"
SYZ_QEMU_MEM="2048"
SYZ_QEMU_CPUS="2"
EOF
oe-selftest -r syzkaller
...
loading corpus...
serving http on http://127.0.0.1:49605
serving rpc on tcp://[::]:46475
booting test machines...
wait for the connection from test machine...
vm-0: crash: KCSAN: data-race in poll_schedule_timeout.constprop.NUM / pollwake
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
machine check:
syscalls : 2227/4223
code coverage : enabled
comparison tracing : enabled
extra coverage : enabled
delay kcov mmap : mmap returned an invalid pointer
setuid sandbox : enabled
namespace sandbox : enabled
Android sandbox : /sys/fs/selinux/policy does not exist
fault injection : enabled
leak checking : enabled
net packet injection : enabled
net device setup : enabled
concurrency sanitizer : enabled
devlink PCI setup : PCI device 0000:00:10.0 is not available
USB emulation : enabled
hci packet injection : enabled
wifi device emulation : enabled
802.15.4 emulation : enabled
corpus : 0 (deleted 0 broken)
seeds : 0/0
VMs 2, executed 1, cover 0, signal 0/0, crashes 2, repro 0
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
"""
This will fuzz the yocto kernel for 30 minutes using 2 qemu VMs, each VM
getting 2048MB of memory and 2 CPUs.
The path in SYZ_WORKDIR must be an absolute path that is persistent across
oe-selftest runs, so that fuzzing does not start all over again on each
invocation. Syzkaller will save the corpus database in that directory and will
use the database to keep track of the interfaces already fuzzed.
After the test is done, <workdir>/crashes directory will contain the report
files for all the bugs found.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-test')
-rw-r--r-- | meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch | 67 | ||||
-rw-r--r-- | meta-oe/recipes-test/syzkaller/syzkaller_git.bb | 73 |
2 files changed, 140 insertions, 0 deletions
diff --git a/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch b/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch new file mode 100644 index 000000000..d647b8d4a --- /dev/null +++ b/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From aca1030d29f627314d13884ebc7b2c313d718df7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
3 | Date: Wed, 13 Apr 2022 17:17:54 +0300 | ||
4 | Subject: [PATCH] sys/targets/targets.go: allow users to override hardcoded | ||
5 | cross-compilers | ||
6 | |||
7 | Currently, cross compiler names are hardcoded for each os/arch combo. However, | ||
8 | toolchain tuples differ, especially when using vendor provided toolchains. | ||
9 | Allow users to specify the cross compiler for an os/arch combo using | ||
10 | SYZ_CC_<os>_<arch> environment variables. | ||
11 | |||
12 | Also, remove hardcoded "-march=armv6" flag to fix compilation on arm. | ||
13 | |||
14 | Upstream-Status: Inappropriate [embedded specific] | ||
15 | |||
16 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
17 | --- | ||
18 | sys/targets/targets.go | 19 +++++++++++-------- | ||
19 | 1 file changed, 11 insertions(+), 8 deletions(-) | ||
20 | |||
21 | diff --git a/sys/targets/targets.go b/sys/targets/targets.go | ||
22 | index f3be708f3..19a8bb681 100644 | ||
23 | --- a/sys/targets/targets.go | ||
24 | +++ b/sys/targets/targets.go | ||
25 | @@ -258,7 +258,6 @@ var List = map[string]map[string]*Target{ | ||
26 | PtrSize: 4, | ||
27 | PageSize: 4 << 10, | ||
28 | LittleEndian: true, | ||
29 | - CFlags: []string{"-D__LINUX_ARM_ARCH__=6", "-march=armv6"}, | ||
30 | Triple: "arm-linux-gnueabi", | ||
31 | KernelArch: "arm", | ||
32 | KernelHeaderArch: "arm", | ||
33 | @@ -670,12 +669,16 @@ func initTarget(target *Target, OS, arch string) { | ||
34 | for i := range target.CFlags { | ||
35 | target.replaceSourceDir(&target.CFlags[i], sourceDir) | ||
36 | } | ||
37 | - if OS == Linux && arch == runtime.GOARCH { | ||
38 | - // Don't use cross-compiler for native compilation, there are cases when this does not work: | ||
39 | - // https://github.com/google/syzkaller/pull/619 | ||
40 | - // https://github.com/google/syzkaller/issues/387 | ||
41 | - // https://github.com/google/syzkaller/commit/06db3cec94c54e1cf720cdd5db72761514569d56 | ||
42 | - target.Triple = "" | ||
43 | + if OS == Linux { | ||
44 | + if cc := os.Getenv("SYZ_CC_" + OS + "_" + arch); cc != "" { | ||
45 | + target.CCompiler = cc | ||
46 | + } else if arch == runtime.GOARCH { | ||
47 | + // Don't use cross-compiler for native compilation, there are cases when this does not work: | ||
48 | + // https://github.com/google/syzkaller/pull/619 | ||
49 | + // https://github.com/google/syzkaller/issues/387 | ||
50 | + // https://github.com/google/syzkaller/commit/06db3cec94c54e1cf720cdd5db72761514569d56 | ||
51 | + target.Triple = "" | ||
52 | + } | ||
53 | } | ||
54 | if target.CCompiler == "" { | ||
55 | target.setCompiler(useClang) | ||
56 | @@ -803,7 +806,7 @@ func (target *Target) lazyInit() { | ||
57 | // On CI we want to fail loudly if cross-compilation breaks. | ||
58 | // Also fail if SOURCEDIR_GOOS is set b/c in that case user probably assumes it will work. | ||
59 | if (target.OS != runtime.GOOS || !runningOnCI) && os.Getenv("SOURCEDIR_"+strings.ToUpper(target.OS)) == "" { | ||
60 | - if _, err := exec.LookPath(target.CCompiler); err != nil { | ||
61 | + if _, err := exec.LookPath(strings.Fields(target.CCompiler)[0]); err != nil { | ||
62 | target.BrokenCompiler = fmt.Sprintf("%v is missing (%v)", target.CCompiler, err) | ||
63 | return | ||
64 | } | ||
65 | -- | ||
66 | 2.25.1 | ||
67 | |||
diff --git a/meta-oe/recipes-test/syzkaller/syzkaller_git.bb b/meta-oe/recipes-test/syzkaller/syzkaller_git.bb new file mode 100644 index 000000000..f7c751f80 --- /dev/null +++ b/meta-oe/recipes-test/syzkaller/syzkaller_git.bb | |||
@@ -0,0 +1,73 @@ | |||
1 | DESCRIPTION = "syzkaller is an unsupervised coverage-guided kernel fuzzer" | ||
2 | LICENSE = "Apache-2.0" | ||
3 | LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=5335066555b14d832335aa4660d6c376" | ||
4 | |||
5 | inherit go-mod | ||
6 | |||
7 | GO_IMPORT = "github.com/google/syzkaller" | ||
8 | |||
9 | SRC_URI = "git://${GO_IMPORT};protocol=https;destsuffix=${BPN}-${PV}/src/${GO_IMPORT};branch=master \ | ||
10 | file://0001-sys-targets-targets.go-allow-users-to-override-hardc.patch;patchdir=src/${GO_IMPORT} \ | ||
11 | " | ||
12 | SRCREV = "67cb024cd1a3c95e311263a5c95e957f9abfd8ca" | ||
13 | |||
14 | COMPATIBLE_HOST = "(x86_64|i.86|arm|aarch64).*-linux" | ||
15 | |||
16 | B = "${S}/src/${GO_IMPORT}/bin" | ||
17 | |||
18 | GO_EXTRA_LDFLAGS += ' -X ${GO_IMPORT}/prog.GitRevision=${SRCREV}' | ||
19 | |||
20 | export GOHOSTFLAGS="${GO_LINKSHARED} ${GOBUILDFLAGS}" | ||
21 | export GOTARGETFLAGS="${GO_LINKSHARED} ${GOBUILDFLAGS}" | ||
22 | export TARGETOS = '${GOOS}' | ||
23 | export TARGETARCH = '${GOARCH}' | ||
24 | export TARGETVMARCH = '${GOARCH}' | ||
25 | |||
26 | CGO_ENABLED = "0" | ||
27 | |||
28 | DEPENDS:class-native += "qemu-system-native" | ||
29 | |||
30 | do_compile:class-native() { | ||
31 | export HOSTOS="${GOHOSTOS}" | ||
32 | export HOSTARCH="${GOHOSTARCH}" | ||
33 | |||
34 | oe_runmake HOSTGO="${GO}" host | ||
35 | } | ||
36 | |||
37 | do_compile:class-target() { | ||
38 | export HOSTOS="${GOOS}" | ||
39 | export HOSTARCH="${GOARCH}" | ||
40 | export SYZ_CC_${TARGETOS}_${TARGETARCH}="${CC}" | ||
41 | |||
42 | # Unset GOOS and GOARCH so that the correct syz-sysgen binary can be | ||
43 | # generated. Fixes: | ||
44 | # go install: cannot install cross-compiled binaries when GOBIN is set | ||
45 | unset GOOS | ||
46 | unset GOARCH | ||
47 | |||
48 | oe_runmake GO="${GO}" CC="${CXX}" CFLAGS="${CXXFLAGS} ${LDFLAGS}" REV=${SRCREV} target | ||
49 | } | ||
50 | |||
51 | do_install:class-native() { | ||
52 | SYZ_BINS_NATIVE="syz-manager syz-runtest syz-repro syz-mutate syz-prog2c \ | ||
53 | syz-db syz-upgrade" | ||
54 | |||
55 | install -d ${D}${bindir} | ||
56 | |||
57 | for i in ${SYZ_BINS_NATIVE}; do | ||
58 | install -m 0755 ${B}/${i} ${D}${bindir} | ||
59 | done | ||
60 | } | ||
61 | |||
62 | do_install:class-target() { | ||
63 | SYZ_TARGET_DIR="${TARGETOS}_${TARGETARCH}" | ||
64 | SYZ_BINS_TARGET="syz-fuzzer syz-execprog syz-stress syz-executor" | ||
65 | |||
66 | install -d ${D}${bindir}/${SYZ_TARGET_DIR} | ||
67 | |||
68 | for i in ${SYZ_BINS_TARGET}; do | ||
69 | install -m 0755 ${B}/${SYZ_TARGET_DIR}/${i} ${D}${bindir}/${SYZ_TARGET_DIR} | ||
70 | done | ||
71 | } | ||
72 | |||
73 | BBCLASSEXTEND += "native" | ||