compsec-snu / razzer
A kernel fuzzer focusing on race bugs
I find a nop instead of a vmcall instruction in each kernel/hypercall.c.
I'm not that familiar with virtualization, but it seems that the hypercall implementation will never call into the VMM?
Please help me with it. Do I misunderstand something about the implementation, or how should I modify it to make razzer work?
Thanks.
During static analysis, running ./run-partition-analysis.py gives:
File "/usr/lib/python3.5/os.py", line 725, in __getitem__
raise KeyError(key) from None
KeyError: 'KERNEL_VERSION'
What is the cause of this?
Hi,
I'm interested in razzer and I want to inspect the race cases reported by razzer. It seems that the links to the C repro and kernel config in lkml are unavailable now.
Are they still available somewhere? Since I don't have enough memory (less than 16GB, which is not enough even with N_PROC = 1), it's hard for me to perform the complete static analysis of razzer. So it's problematic for me to get razzer working at full speed, and it would help a lot if those C repros and configs were still available.
Thanks in advance.
Hello,
After going through the process to get everything built and running, when I start syzkaller none of the fuzzers appear to be working.
~/razzer/tools/race-syzkaller/exp$ sudo -E ./run.sh --config configs/kernel/config
~/razzer/tools/qemu-2.5.0 ~/fast/razzer/tools/race-syzkaller/exp
[*] Rebuilding QEMU
VMLINUX: ~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
HYPEADDR: 0xffffffff8031be1e
CC disas/i386.o
CC x86_64-softmmu/cpus.o
CC x86_64-softmmu/hypercall.o
CC x86_64-softmmu/kvm-all.o
LINK x86_64-softmmu/qemu-system-x86_64
~/fast/razzer/tools/race-syzkaller/exp
[*] KERNEL_VERSION: v4.17
[*] git: e289c23db10a60854a602a2c6ae7df8c449dce75 (master)
kernels_repo | 2 +-
scripts/install.sh | 2 +-
scripts/kernel_version.lst | 1 +
scripts/qemu/install.sh | 2 ++
tools/llvmlinux/targets/x86_64/build-kernel.sh | 4 ++--
tools/llvmlinux/targets/x86_64/configs/static_analysis_v4.8.mk | 2 +-
tools/race-syzkaller/exp/configs/kernel/config | 5 ++---
tools/race-syzkaller/exp/partition-scripts/partitioned_analysis.sh | 5 ++++-
tools/race-syzkaller/exp/partition-scripts/run-partition-analysis.py | 1 +
9 files changed, 15 insertions(+), 9 deletions(-)
[*] Running: syz-manager -config configs/kernel/config -v 0
2019/07/09 09:36:08 Suppress option: 1
2019/07/09 09:36:08 RootCause option: false
2019/07/09 09:36:08 Loading race candidate pairs...
2019/07/09 09:36:13 Loading suppressed mempair: 1148234
2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
2019/07/09 09:36:14 Initializing cover per mapping...
2019/07/09 09:36:14 Building Sparse race candidates...
2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
2019/07/09 09:36:14 [*] loading corpus
2019/07/09 09:36:15 [+] loaded 1192 corpus programs (1192 total, 0 deleted)
2019/07/09 09:36:15 [*] loading racecorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from racecorpus
2019/07/09 09:36:15 [*] loading likelycorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from likelycorpus
2019/07/09 09:36:15 serving http on http://0.0.0.0:56741
2019/07/09 09:36:15 serving rpc on tcp://[::]:33495
2019/07/09 09:36:15 booting test machines...
2019/07/09 09:36:15 wait for the connection from test machine...
2019/07/09 09:36:36 received first connection from test machine fuzzer-9
2019/07/09 09:36:43 machine check: 1517 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45 fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-14 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-11 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-0 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-9 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:55 fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:05 fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:15 #4 Fuzzer: exe 3504 (876), sig 17635 (4408), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:15 fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:25 fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:28 [*] Sent all cands from corpusDB
#####
cat configs/kernel/config
{
"target": "linux/amd64",
"http": "0.0.0.0:56741",
"workdir": "$PWD/workdir",
"vmlinux": "$KERNEL_BUILD/vmlinux",
"image": "$PWD/wheezy.img",
"sshkey": "$PWD/ssh/id_rsa",
"syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
"procs": 1,
"type": "qemu",
"mempair": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
"mapping": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
"callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
"distance": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
"sandbox": "none",
"vm": {
"schedcount": 16,
"count": 16,
"kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
"cpu": 2,
"mem": 8192,
"qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
}
}
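The syz-manager output above mixes per-VM "not responding" warnings with periodic stats lines, and reading it by hand is error-prone. The script below is an added example, not code from the razzer project or from the issue author: it parses a constructed sample of such log lines, separates VMs that have never polled from VMs that are merely late, and checks whether the fuzzer and scheduler counters are actually advancing. The interpretation of "last poll was 9223372036.9 secs before" as a VM that has not polled yet is an assumption (it equals a saturated 64-bit nanosecond duration measured from a zero timestamp); the threshold constant and the diagnostic wording are mine.

```python
import re

# Constructed sample modelled on the syz-manager log in the issue above (not the full log).
SAMPLE_LOG = """\
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45 [WARN] (fuzzer) fuzzer-3 is not responding (last poll was 120.0 secs before)
2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
"""

STATS_RE = re.compile(
    r"#(?P<n>\d+) Fuzzer: exe (?P<fexe>\d+) \((?P<fexe_d>\d+)\), sig (?P<fsig>\d+) \((?P<fsig_d>\d+)\), "
    r"syncSig (?P<fsync>\d+) \((?P<fsync_d>\d+)\)\| Sched: exe (?P<sexe>\d+) \((?P<sexe_d>\d+)\), "
    r"sig (?P<ssig>\d+) \((?P<ssig_d>\d+)\)\| Race: (?P<race>\d+)\| Crash: (?P<crash>\d+)"
)
WARN_RE = re.compile(
    r"\[WARN\] \((?P<kind>fuzzer|sched)\) (?P<vm>[\w-]+) is not responding "
    r"\(last poll was (?P<secs>[\d.]+) secs before\)"
)
MEMPAIR_RE = re.compile(r"Remaining mempair: (?P<n>\d+)")

# Assumption: a "last poll" this large is a saturated int64 nanosecond duration taken
# from a zero timestamp, i.e. the VM has not polled the manager at all yet.
NEVER_POLLED_SECS = 9.0e9


def summarize(log_text):
    """Collect VM health and counter progress from syz-manager log lines."""
    never = {"fuzzer": set(), "sched": set()}
    stale = {"fuzzer": set(), "sched": set()}
    stats = []
    remaining_mempair = None
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            bucket = never if float(m.group("secs")) > NEVER_POLLED_SECS else stale
            bucket[m.group("kind")].add(m.group("vm"))
            continue
        m = STATS_RE.search(line)
        if m:
            stats.append({k: int(v) for k, v in m.groupdict().items()})
            continue
        m = MEMPAIR_RE.search(line)
        if m:
            remaining_mempair = int(m.group("n"))
    first, last = (stats[0], stats[-1]) if stats else (None, None)
    return {
        "never_polled": {k: sorted(v) for k, v in never.items()},
        "stale": {k: sorted(v) for k, v in stale.items()},
        "fuzzer_progressing": bool(stats) and last["fexe"] > first["fexe"],
        "sched_progressing": bool(stats) and last["sexe"] > first["sexe"],
        "races": last["race"] if last else 0,
        "crashes": last["crash"] if last else 0,
        "remaining_mempair": remaining_mempair,
    }


def diagnose(summary):
    """Turn the summary into human-readable findings (wording is mine, not syzkaller's)."""
    findings = []
    if summary["remaining_mempair"] == 0:
        findings.append("no race candidate pairs remain after suppression; the scheduler has nothing to test")
    if not summary["fuzzer_progressing"]:
        findings.append("fuzzer exe count is not increasing")
    elif not summary["sched_progressing"]:
        findings.append("fuzzers execute programs but the scheduler stage has executed nothing")
    for kind in ("fuzzer", "sched"):
        if summary["never_polled"][kind]:
            findings.append(f"{kind} VMs never polled: {', '.join(summary['never_polled'][kind])}")
        if summary["stale"][kind]:
            findings.append(f"{kind} VMs late to poll: {', '.join(summary['stale'][kind])}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a real log with `summarize(open("manager.log").read())`; on the sample it reports that fuzzing is progressing while the scheduler stage is idle, that zero candidate pairs survived suppression, and which VMs never connected versus which are only late.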
The reproducer and config file links seem invalid in BUG: soft lockup in snd_virmidi_output_trigger.
While fuzzing with razzer, I found that:
'razzer/tools/race-syzkaller/exp/wheezy.img' does not exist
Where can I find the image?
Thanks!
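Several of the issues on this page are setup problems of the same kind: a `$VAR` in configs/kernel/config that never gets a value (the KeyError for 'KERNEL_VERSION' above) or a path such as wheezy.img that the config references but that does not exist. The script below is an added example, not part of razzer: it expands the `$VAR` references in the config the way a shell would and reports every unset variable and every missing file before syz-manager is started. It assumes that run.sh substitutes these variables from the process environment (consistent with the `sudo -E` in the command above) and that the file-valued keys are the ones listed in FILE_KEYS and VM_FILE_KEYS; the `exists` parameter is injectable so the check can be exercised offline on a constructed config.

```python
import json
import os
import re
import sys

# Constructed copy of the file-valued parts of the config shown in the issue above.
SAMPLE_CONFIG = """{
  "target": "linux/amd64",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "mempair": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "mapping": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
  "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
  "distance": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
  "vm": {
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}"""

# Assumption: these keys must resolve to existing files (taken from the config above).
FILE_KEYS = ("vmlinux", "image", "sshkey", "mempair", "mapping", "callgraph", "distance")
VM_FILE_KEYS = ("kernel", "qemu")

VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def expand(value, env):
    """Expand $VAR and ${VAR} from env; return (expanded_value, names_of_unset_variables)."""
    missing = []

    def repl(m):
        name = m.group(1) or m.group(2)
        if name in env:
            return env[name]
        missing.append(name)
        return m.group(0)

    return VAR_RE.sub(repl, value), missing


def check_config(config_text, env, exists=os.path.exists):
    """Return (key, message) problems for every unset variable or missing file in the config."""
    cfg = json.loads(config_text)
    entries = [(k, cfg.get(k)) for k in FILE_KEYS]
    entries += [("vm." + k, cfg.get("vm", {}).get(k)) for k in VM_FILE_KEYS]
    problems = []
    for key, raw in entries:
        if raw is None:
            problems.append((key, "not set in config"))
            continue
        path, missing = expand(raw, env)
        for name in missing:
            problems.append((key, f"environment variable {name} is not set"))
        # Only test the path when it fully resolved; a half-expanded path is never meaningful.
        if not missing and not exists(path):
            problems.append((key, f"{path} does not exist"))
    return problems


if __name__ == "__main__":
    # Usage: python check_config.py configs/kernel/config  (run after script/envsetup.sh)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    found = check_config(text, dict(os.environ))
    for key, msg in found:
        print(f"{key}: {msg}")
    sys.exit(1 if found else 0)
```

On the sample config with KERNEL_VERSION unset and no wheezy.img, it reports one unset-variable problem for each partition file and one missing-file problem for the image, which is exactly the pair of failures the two issues above ran into.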
When I use ./build.sh to compile linux-4.10.1, I can't get the built-in.bc files.
Do I need some patch?
While using build-kernel.sh, I found that the kernel build fails with:
undefined reference to `kmalloc'
How do I deal with it?
Thanks!
When I run "scripts/install.sh" to install the environment, there is a problem.
[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddBddAbs.c.o
[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddCompose.c.o
[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddHarwell.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddPriority.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddSubsetHB.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddGroup.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddUtil.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/dddmpNodeAdd.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/epd.c.o
[ 68%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/restart.c.o
[ 68%] Linking C shared module Cudd.so
[ 68%] Built target Cudd
Makefile:129: recipe for target 'all' failed
make: *** [all] Error 2
I cannot understand it.
For example, does razzer support the ARM architecture? If I use a kernel built for ARM, can it work well?
Thanks!
I am confused about what the config file (in tools/llvmlinux/targets/x86_64) should look like, or how to generate the right config file, if I want to try razzer on another kernel version.
Now I have tried the following steps:
script/envsetup.sh (after adding the version to script/kernel_version.lst)
tools/llvmlinux/targets/x86_64/configs/
to build linux (static analysis, so is llvmlinux). But all failed. So, I want to know how to generate the right config file? Thanks.
Your paper Razzer: Finding Kernel Race Bugs through Fuzzing is definitely well written and we all appreciate this amazing work. But may I ask when this code will be released? Your paper mentions that
We will open source of RAZZER such that kernel developers and researchers can benefit from using RAZZER.
We would truly appreciate that.
While doing the static analysis according to docs/static-analysis.md, I found that ./run-partition-analysis.py is killed. The log is shown below:
begin do_analyze( sound/built-in.bc init/built-in.bc fs/built-in.bc ipc/built-in.bc )
[*] NAME: [sound]
[*] Kernel version: v4.17
[*] Making static analysis directory
[*] DIR: /root/lava_workspace/razzer_test/razzer/tools/race-syzkaller/exp/configs/kernel/partition/v4.17
[*] Generating combined-sound.bc
[*] Generating mssa.sound
Killed
[*] Generating mempair_all.net-vmw_vsock
[*] Prune and check_testing_bugs
[WARN] Testing bug ('drivers/tty/n_hdlc.c:440', 'drivers/tty/n_hdlc.c:216') not found
[WARN] Testing bug ('net/packet/af_packet.c:3660', 'net/packet/af_packet.c:4229') not found
[WARN] Testing bug ('net/packet/af_packet.c:1653', 'net/packet/af_packet.c:1710') not found
[WARN] Testing bug ('net/ipv4/raw.c:640', 'net/ipv4/ip_sockglue.c:748') not found
[WARN] Testing bug ('net/sctp/associola.c:1088', 'net/sctp/socket.c:7423') not found
[WARN] Testing bug ('net/packet/af_packet.c:1645', 'net/packet/af_packet.c:367') not found
I found that scripts/misc/analysis.py does the following:
cmd = "wpa -indCallLimit=100000 -dump-callgraph -ander -vgep -svfg -dump-mssa -dump-race " + args.bitcode
What is it doing?
How do I deal with it?
Thanks!
"As a consequence, LLVM Linux will fail to build the entire kernel binary. It is okay if .bc files for files under interest and built-in.bc for each subdirectory (e.g., drivers/built-in.bc, net/built-in.bc) are built."
LLVM Linux will fail to build the entire kernel binary, but merge-mempairs.py runs get_address.py, and get_address.py requires the vmlinux file. After I fail to build the entire kernel binary I can run run-partition-analysis.py successfully, but merge-mempairs.py reminds me that no vmlinux is found.
Hello, thank you for your hard work.
I have read the paper and want to reproduce CVE-2017-2636. What I have done is as follows:
After following the instructions in docs/static-analysis.md, the mempair file has been generated. What I expected according to the paper is that I could find some strings in the mempair file like
drivers/tty/n_hdlc.c:440:x drivers/tty/n_hdlc.c:216:x W R
But there is nothing related to this.
I have found that the issue "KASAN: null-ptr-deref Write in binder_update_page_range" reported by razzer also exists in kernel v4.17, and I tried the static analysis on kernel 4.17, but still found nothing related to binder in the mempair file.
Since I am not familiar with SVF, I'm not sure which part I have done wrong. It would be so nice of you to give me some hints.
BTW, I'm sure that the line numbers in the code are the same as in the paper.
Thanks
Hi,
I met the error "KVM: entry failed, hardware error 0x80000021" during the fuzzing process. I followed all the instructions on the static analysis and fuzzing pages and have successfully generated the mempairs.
However, during fuzzing, I always get "no output from test machine". I inspected the log file under the crashes directory and noticed the error "KVM: entry failed, hardware error 0x80000021". May I ask if you have met the same problem?
Thanks.
Hi, I am following the instructions to build bitcode files. However, after running ./build-kernel.sh --config configs/static_analysis_v4.16.mk, for built-in.* only built-in.o files were built but no built-in.bc. For other files, e.g., kernel/pid.c, the corresponding .o files and .bc files were built.
The ./build-kernel.sh script also failed because of a bunch of undefined reference to xxx errors when executing the command tools/llvmlinux/arch/all/bin/llvm-link-bc.sh -m elf_x86_64 -z max-page-size=0x200000 --build-id -o .tmp_vmlinux1 -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-in.o --no-whole-archive --start-group lib/lib.a arch/x86/lib/lib.a --end-group, according to tmp/log. As pointed out here, I can ignore the link error because it was expected, but I cannot find any built-in.bc files built for subsequent analysis.
Any ideas? Thanks!
While using ./scripts/qemu/install.sh, I found that the QEMU build fails with an error:
config-temp/qemu-conf.c:1:10: fatal error: sys/endian.h: No such file or directory
#include <sys/endian.h>
compilation terminated.
How do I deal with it?
Thanks!
And there are other errors before this error, such as:
config-temp/qemu-conf.c: In function ‘main’:
config-temp/qemu-conf.c:6:3: error: too many arguments to function ‘xc_domain_create’
xc_domain_create(xc, 0, handle, 0, NULL, NULL);
In file included from config-temp/qemu-conf.c:1:0:
/usr/include/xenctrl.h:511:5: note: declared here
int xc_domain_create(xc_interface *xch,
and
/tmp/ccBwhhaj.o: In function `main': root/razzer/tools/qemu-2.5.0/build/config-temp/qemu-conf.c:5: undefined reference to `uuid_generate'
collect2: error: ld returned 1 exit status
but these errors did not cause the compilation to terminate.