• syzkaller安装


    初始环境配置

    sudo apt-get install subversion
    sudo apt-get install g++
    sudo apt-get install git
    sudo apt install libssl-dev libelf-dev
    sudo apt-get install kvm qemu-kvm

    安装 GCC

    sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev

    sudo apt-get install debootstrap

    直接下载gcc环境

    编译内核 启动

    选择需要测试的内核版本,使用安装好的gcc进行编译
    几种匹配,gcc8.0.1编译linux5.1.2编译比较流畅

    make CC="/home/joeat1/gcc/bin/gcc" defconfig
    make CC="/home/joeat1/gcc/bin/gcc" kvmconfig

    以下内容需要写在中间位置,否则失效
    CONFIG_KCOV=y
    CONFIG_DEBUG_INFO=y
    CONFIG_KASAN=y
    CONFIG_KASAN_INLINE=y

    需要开启内核上的CONFIG_KCOV选项,也可以在配置文件中加入”cover”: false即不需要使用覆盖率的信息进行测试

    make CC="/home/joeat1/gcc/bin/gcc" oldconfig 运行此命令并在每次提示输入某个配置值时按Enter键将其保留为默认值

    make CC="/home/joeat1/gcc/bin/gcc" -j64
    //注意,此处不需要make install安装内核等组件
    //注意,如果出现报错,可以不要 -j64 的选项

    make clean CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm

    make CC="/home/joeat1/gcc/bin/gcc" CONFIG_KVM=m CONFIG_INTEL_KVM=m -C . M=./arch/x86/kvm

    测试KVM虚拟机

    qemu-system-x86_64
    -kernel /home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage
    -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ"
    -hda wheezy.img
    -net user,hostfwd=tcp::10021-:22 -net nic
    -enable-kvm
    -nographic
    -m 2G
    -smp 2
    -pidfile vm.pid
    2>&1 | tee vm.log

    -hda /home/joeat1/image/stretch.img

    ssh -i /home/joeat1/image/stretch.id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost

    chmod 600 wheezy.img.key
    ssh -i /home/joeat1/image/wheezy.img.key -p 10021 -o "StrictHostKeyChecking no" root@localhost

    测试syz-manager

    my.cfg
    {
    "target": "linux/amd64",
    "http": "127.0.0.1:56741",
    "workdir": "/home/joeat1/gopath/src/github.com/google/syzkaller/workdir",
    "kernel_obj": "/home/joeat1/kernel/linux-5.1.2",
    "image": "/home/joeat1/image/wheezy.img",
    "sshkey": "/home/joeat1/image/wheezy.img.key",
    "syzkaller": "/home/joeat1/gopath/src/github.com/google/syzkaller",
    "procs": 8,
    "type": "qemu",
    "vm": {
    "count": 4,
    "kernel": "/home/joeat1/kernel/linux-5.1.2/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 2048
    },
    "reproduce": false
    }

    mkdir workdir
    ./bin/syz-manager -config=my.cfg

    ps -A | grep qemu
    kill pid
    kill $(cat vm.pid)

    https://mirrors.kernel.org/debian/dists/wheezy/Release

    SyscallName$Type (号前的syscallname是系统调用名,是内核提供的接口,在源码的)(SYZKALLER_SOURCE)/sys/sys.txt中有通用的调用的形式申明可以参考。$号后的type是指特定类型的系统调用。具体行为靠的是后面的参数去确定。
    参数的格式如下: ArgumentName ArgumentType[Limit] ArgumentName是指参数名,ArgumentType指的是参数类型

    "enable_syscalls": [
    "socket(packet", "socketpair)packet", "accept(packet", "accept4)packet", "bind(packet", "connect)packet", "sendto(packet", "recvfrom)packet", "getsockname(packet", "getpeername)packet", "listen", "setsockopt", "getsockopt", "syz_emit_ethernet"
    ],
    需要注意的是,此处写的方式,需要满足函数的参数对象能被创建,即关联关系保证连贯。

    整个syzkaller的使用过程就是先去寻找内核的攻击面,然后构造api调用模板,剩下交由syzkaller基于代码覆盖驱动的方式去Fuzzing

    "disable_syscalls": [
    "socket$packet"
    ],

    "enable_syscalls": [
    "openat$kvm", "ioctl"
    ]

    可能遇到的问题

    sudo service sshd start
    sudo service sshd status

    use latest gcc and linux kernel will handle this problem
    my configuration: gcc 8.4, linux-4.20.13

    使用 -debug 显示所有的运行信息

    [FAILED] Failed to mount /sys/kernel/config.
    [FAILED] Failed to start Remount Root and Kernel File Systems.

    The real cause of boot error is the missing of two config in kernel .config file:
    CONFIG_CONFIGFS_FS=y
    CONFIG_SECURITYFS=y
    https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config

    使用syz-extract实用程序从内核源提取符号常量的值 。syz-extract生成一个小的C程序,包括include指令引用的内核头,定义define指令指定的宏,并打印符号常量的值。结果存储在.const文件中

    使用syz-sysgen实用程序将描述转换为Go代码,此步骤使用系统调用描述和第一步中生成的const文件,并生成prog / types.go中定义的实例Syscall和Type类型。syzkaller使用由在prog / prog.go中定义的值Call和Arg值组成的内存中的AST表示

    failed to generate coverage profile: '/home/joeat1/kernel/linux-5.1.2/vmlinux' does not have debug info (set CONFIG_DEBUG_INFO=y)

    merged = bio_attempt_front_merge(q, rq, bio); 717
    bio_attempt_front_merge 调用 ll_front_merge_fn 622
    if (!ll_front_merge_fn(q, req, bio))
    ll_front_merge_fn 在block/blk-merge.c:678 if (!bio_flagged(req->bio, BIO_SEG_VALID))处报错 kasan: GPF could be caused by NULL-ptr deref or user memory access

    leak checking : CONFIG_DEBUG_KMEMLEAK is not enabled

    使用syzkaller工具fuzz内核linux5.1.2模块,配置中设置enable_syscalls = ["openat(kvm","ioctl)KVM_CREATE_VM","ioctl(KVM_CREATE_VCPU","syz_kvm_setup_cpu)x86", "ioctl(KVM_SET_GUEST_DEBUG", "ioctl)KVM_RUN"],
    得到可以crash信息,暂时未进行reproduce,和 https://syzkaller.appspot.com/bug?id=2bf7b7983c2398ec6f0c4c6c87cb50223e8873f8 中很相像
    函数流程
    kvm_cpu_vmxoff(void) --> cr4_clear_bits(X86_CR4_VMXE); --> __cr4_set(cr4 & ~mask); --> __write_cr4(cr4); --> PVOP_VCALL1(cpu.write_cr4, x);
    不知道哪位大佬能帮忙解释解释?

    Description Count Last Time Report
    general protection fault in ll_front_merge_fn 2 2019/05/24 19:19
    general protection fault in native_write_cr4 8 2019/05/24 19:28
    KASAN: use-after-free Read in ll_back_merge_fn 3 2019/05/24 19:18
    lost connection to test machine 16 2019/05/24 19:27
    possible deadlock in __queue_work 1 2019/05/24 09:51

    There are 3 special types of crashes:

    • no output from test machine: the test machine produces no output whatsoever
    • lost connection to test machine: the ssh connection to the machine was unexpectedly closed
    • test machine is not executing programs: the machine looks alive, but no test programs were executed for long period of time
      Most likely you won't see reportN files for these crashes (e.g. if there is no output from the test machine, there is nothing to put into report). Sometimes these crashes indicate a bug in syzkaller itself (especially if you see a Go panic message in the logs). However, frequently they mean a kernel lockup or something similarly bad (here are just a few examples of bugs found this way: 1, 2, 3).
  • 相关阅读:
    步入大公司一年及三十而立的一些思考
    let和const
    简明学习webpack
    npm&&yarn和package.json
    基于jQuery.i18n.properties插件实现前端页面国际化
    Sequence Model
    系统性整理项目:第一篇(续篇)-osm存入PostgreSQL+PostGIS并构建路网表结构
    系统性整理项目:第一篇(环境+数据)
    window下源码编译mmcv-full==1.2.1
    多边形平滑算法-ChaikinSmoothing
  • 原文地址:https://www.cnblogs.com/joeat1/p/11081601.html
Copyright © 2020-2023  润新知