
razzer's People

Contributors

0xbugspray, lifeasageek, threeearcat


razzer's Issues

Question about hypercall implementation in kernel_repo

I find a nop instead of a vmcall instruction in each kernel/hypercall.c

I'm not that familiar with virtualization, but it seems that the hypercall implementation will never call into the VMM?

Please help me with it. Do I misunderstand something about the implementation, or how should I modify it to make razzer work?

Thanks.

Problem with static analysis

When running ./run-partition-analysis.py for the static analysis, I get:
File "/usr/lib/python3.5/os.py", line 725, in __getitem__
raise KeyError(key) from None
KeyError: 'KERNEL_VERSION'
What is the cause?

Links to C repro in Trophies are unavailable

Hi,

I'm interested in razzer and I want to inspect race cases reported by razzer. It seems that links to C repro & kernel config in lkml are unavailable now.

Are they still available somewhere? Since I don't have enough memory (less than 16GB, not enough even under N_PROC = 1), it's hard for me to perform the complete static analysis of razzer. So it's problematic for me to get razzer to work at full speed, and it would help a lot if those C repros & configs were still available.

Thanks in advance.

Fuzzer not responding

Hello,

After going through the process to get everything built and running, when I start syzkaller none of the fuzzers appear to be working.

~/razzer/tools/race-syzkaller/exp$ sudo -E ./run.sh --config configs/kernel/config
~/razzer/tools/qemu-2.5.0 ~/fast/razzer/tools/race-syzkaller/exp
[*] Rebuilding QEMU
VMLINUX:  ~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
HYPEADDR: 0xffffffff8031be1e
  CC    disas/i386.o
  CC    x86_64-softmmu/cpus.o
  CC    x86_64-softmmu/hypercall.o
  CC    x86_64-softmmu/kvm-all.o
  LINK  x86_64-softmmu/qemu-system-x86_64

~/fast/razzer/tools/race-syzkaller/exp
[*] KERNEL_VERSION: v4.17
[*] git: e289c23db10a60854a602a2c6ae7df8c449dce75 (master)
 kernels_repo                                                         | 2 +-
 scripts/install.sh                                                   | 2 +-
 scripts/kernel_version.lst                                           | 1 +
 scripts/qemu/install.sh                                              | 2 ++
 tools/llvmlinux/targets/x86_64/build-kernel.sh                       | 4 ++--
 tools/llvmlinux/targets/x86_64/configs/static_analysis_v4.8.mk       | 2 +-
 tools/race-syzkaller/exp/configs/kernel/config                       | 5 ++---
 tools/race-syzkaller/exp/partition-scripts/partitioned_analysis.sh   | 5 ++++-
 tools/race-syzkaller/exp/partition-scripts/run-partition-analysis.py | 1 +
 9 files changed, 15 insertions(+), 9 deletions(-)
[*] Running: syz-manager -config configs/kernel/config -v 0
2019/07/09 09:36:08 Suppress  option: 1
2019/07/09 09:36:08 RootCause  option: false
2019/07/09 09:36:08 Loading race candidate pairs...
2019/07/09 09:36:13 Loading suppressed mempair: 1148234
2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
2019/07/09 09:36:14 Initializing cover per mapping...
2019/07/09 09:36:14 Building Sparse race candidates...
2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
2019/07/09 09:36:14 [*] loading corpus
2019/07/09 09:36:15 [+] loaded 1192 corpus programs (1192 total, 0 deleted)
2019/07/09 09:36:15 [*] loading racecorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from racecorpus
2019/07/09 09:36:15 [*] loading likelycorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from likelycorpus
2019/07/09 09:36:15 serving http on http://0.0.0.0:56741
2019/07/09 09:36:15 serving rpc on tcp://[::]:33495
2019/07/09 09:36:15 booting test machines...
2019/07/09 09:36:15 wait for the connection from test machine...
2019/07/09 09:36:36 received first connection from test machine fuzzer-9
2019/07/09 09:36:43 machine check: 1517 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-14 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-11 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-0 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-9 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:55      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:05      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:15 #4 Fuzzer: exe 3504 (876), sig 17635 (4408), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:15      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:25      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:28 [*] Sent all cands from corpusDB



#####


cat configs/kernel/config
{
  "target": "linux/amd64",
  "http": "0.0.0.0:56741",
  "workdir": "$PWD/workdir",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
  "procs": 1,
  "type": "qemu",
  "mempair":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "mapping":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
  "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
  "distance":  "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
  "sandbox": "none",
  "vm": {
    "schedcount": 16,
    "count": 16,
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 8192,
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}
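A triage script for the status output in the post above, added here as an example; it is not part of razzer or syzkaller. It parses the manager's timestamped lines and separates workers whose reported "last poll" gap exceeds the manager's own uptime (which no real poll can produce, so that worker never checked in) from workers that polled and then went quiet, and it pulls out the counters that show whether the sched side executed anything. The sample log is constructed in the same line shapes as the post, and the regular expressions are assumptions about that format.

```python
import re
from datetime import datetime

# Constructed sample in the same line shapes as the syz-manager run in the post
# (not a copy of it).
SAMPLE_LOG = """\
2019/07/09 09:36:08 Suppress  option: 1
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-3 is not responding (last poll was 25.0 secs before)
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
"""

# Assumed line formats, derived from the output shown in the issue.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
WARN_RE = re.compile(
    r"\[WARN\] \((\w+)\) (\S+) is not responding \(last poll was ([\d.]+) secs before\)")
STATUS_RE = re.compile(r"#\d+ Fuzzer: exe (\d+) .*\| Sched: exe (\d+) ")
MEMPAIR_RE = re.compile(r"Remaining mempair: (\d+)")


def triage(log_text):
    """Summarise one syz-manager log into a dict (keys listed at the bottom)."""
    start = None
    never_polled, stale = [], []
    fuzzer_exe = sched_exe = 0
    remaining_mempair = None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        rest = m.group(2)
        start = start or ts                      # first timestamp = manager start
        uptime = (ts - start).total_seconds()
        w = WARN_RE.search(rest)
        if w:
            kind, name, gap = w.group(1), w.group(2), float(w.group(3))
            # A "last poll" gap longer than the manager has existed cannot come
            # from a real poll: that worker never checked in at all. A shorter
            # gap is a worker that did poll once and then went quiet.
            (never_polled if gap > uptime else stale).append(f"{kind}:{name}")
            continue
        s = STATUS_RE.search(rest)
        if s:
            fuzzer_exe, sched_exe = int(s.group(1)), int(s.group(2))
            continue
        mp = MEMPAIR_RE.search(rest)
        if mp:
            remaining_mempair = int(mp.group(1))
    return {
        "never_polled": never_polled,
        "stale": stale,
        "fuzzer_exe": fuzzer_exe,
        "sched_exe": sched_exe,
        "remaining_mempair": remaining_mempair,
    }


def findings(report):
    """Turn the report into the lines a reader would act on."""
    out = []
    if report["never_polled"]:
        out.append("never polled: " + ", ".join(report["never_polled"]))
    if report["stale"]:
        out.append("polled, then went quiet: " + ", ".join(report["stale"]))
    if report["remaining_mempair"] == 0:
        out.append("no race candidate pairs left after suppression (Remaining mempair: 0)")
    if report["fuzzer_exe"] > 0 and report["sched_exe"] == 0:
        out.append("fuzzer side is executing programs, but Sched exe stays 0")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Feed it a real log with `triage(open("manager.log").read())`; the split between "never polled" and "went quiet" is what tells you whether a VM failed to connect at all or connected and later hung.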

Fuzzing: cannot find wheezy.img

While fuzzing with razzer, I found that:

razzer/tools/race-syzkaller/exp/wheezy.img' does not exist

Where can I find the image?

Thanks!
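Added example (not razzer's own code) covering the earlier KeyError: 'KERNEL_VERSION' report, the configs/kernel/config shown in the previous post, and the missing wheezy.img in this one: before syz-manager is started, list every $VAR the config references, report which are unset in the environment (indexing os.environ directly is what raises a bare KeyError), then expand the file paths and report which do not exist on disk. The config text and the environment used below are constructed, and the set of keys treated as file paths is an assumption.

```python
import json
import os
import re

VAR_RE = re.compile(r"\$(\w+)")

# Constructed, abridged from the shape of configs/kernel/config in the issue above.
SAMPLE_CONFIG = """{
  "target": "linux/amd64",
  "workdir": "$PWD/workdir",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "mempair": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "vm": {
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}"""

# Assumption: these keys name files that must exist before the manager starts.
FILE_KEYS = [("vmlinux",), ("image",), ("sshkey",), ("mempair",),
             ("vm", "kernel"), ("vm", "qemu")]


def referenced_vars(config_text):
    """Every $NAME the raw config text refers to, deduplicated and sorted."""
    return sorted(set(VAR_RE.findall(config_text)))


def expand(value, env):
    """Expand $NAME from the mapping; a missing name raises KeyError like the scripts do."""
    return VAR_RE.sub(lambda m: env[m.group(1)], value)


def check_config(config_text, env, exists=os.path.exists):
    """Return {'missing_vars': [...], 'missing_files': [...], 'expanded': {...}}.

    env is a mapping such as os.environ. exists is injectable so the check can be
    run against a fake filesystem (the test does this)."""
    missing_vars = [v for v in referenced_vars(config_text) if v not in env]
    if missing_vars:
        # Stop before expanding: expansion would raise the same bare KeyError.
        return {"missing_vars": missing_vars, "missing_files": [], "expanded": {}}
    cfg = json.loads(config_text)
    expanded, missing_files = {}, []
    for keypath in FILE_KEYS:
        node = cfg
        for k in keypath:                          # walk e.g. cfg["vm"]["kernel"]
            node = node.get(k) if isinstance(node, dict) else None
        if node is None:
            continue                               # key not present in this config
        path = expand(node, env)
        expanded[".".join(keypath)] = path
        if not exists(path):
            missing_files.append(path)
    return {"missing_vars": missing_vars, "missing_files": missing_files,
            "expanded": expanded}


if __name__ == "__main__":
    # Real run: check the sample against the current shell environment.
    report = check_config(SAMPLE_CONFIG, os.environ)
    for v in report["missing_vars"]:
        print("unset variable:", v)
    for p in report["missing_files"]:
        print("missing file:", p)
```

Run it with the same environment that run.sh exports (sudo -E in the post keeps that environment); an unset variable is reported by name instead of surfacing as a traceback from os.py, and a missing wheezy.img shows up as its full expanded path.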

How to get built-in.bc?

When I use ./build.sh to compile linux-4.10.1, I can't get the built-in.bc files.
Do I need some patch?

kernel-build error

While using build-kernel.sh, I found that the kernel build fails with:
undefined reference to `kmalloc'
How do I deal with it?
Thanks!

Makefile:129: recipe for target 'all' failed

When I run "scripts/install.sh" to install the environment, there is a problem.

[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddBddAbs.c.o
[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddCompose.c.o
[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddHarwell.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddPriority.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddSubsetHB.c.o
[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddGroup.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddUtil.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/dddmpNodeAdd.c.o
[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/epd.c.o
[ 68%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/restart.c.o
[ 68%] Linking C shared module Cudd.so
[ 68%] Built target Cudd

Makefile:129: recipe for target 'all' failed
make: *** [all] Error 2

I cannot understand it.

What should I do if I want to run razzer on another kernel version?

I am confused about what the config file (in tools/llvmlinux/targets/x86_64) should look like, or how to generate the right config file, if I want to try razzer on another kernel version.
Now I have tried the following steps:

  1. Modify the kernel based on static-analysis.md, and diff between the original and your kernels_repo.
  2. Modify script/envsetup.sh (add to script/kernel_version.lst).
  3. Try some existing config files in tools/llvmlinux/targets/x86_64/configs/ to build Linux (static analysis, so llvmlinux). But all failed.

So, I want to know how to generate the right config file? Thanks.

Time of release?

Your paper Razzer: Finding Kernel Race Bugs through Fuzzing is definitely well written and we all appreciate this amazing work. But may I ask when this code will be released? Since your paper mentioned that

We will open source of RAZZER such that kernel developers and researchers can benefit from using RAZZER.

We will truly appreciate that.

static-analysis is killed while do_analyze

While doing static analysis according to docs/static-analysis.md, I found that ./run-partition-analysis.py is killed. The log is shown below:

begin do_analyze( sound/built-in.bc init/built-in.bc fs/built-in.bc ipc/built-in.bc )
[*] NAME: [sound]
[*] Kernel version: v4.17
[*] Making static analysis directory
[*] DIR: /root/lava_workspace/razzer_test/razzer/tools/race-syzkaller/exp/configs/kernel/partition/v4.17
[*] Generating combined-sound.bc
[*] Generating mssa.sound
Killed
[*] Generating mempair_all.net-vmw_vsock
[*] Prune and check_testing_bugs
[WARN] Testing bug ('drivers/tty/n_hdlc.c:440', 'drivers/tty/n_hdlc.c:216') not found
[WARN] Testing bug ('net/packet/af_packet.c:3660', 'net/packet/af_packet.c:4229') not found
[WARN] Testing bug ('net/packet/af_packet.c:1653', 'net/packet/af_packet.c:1710') not found
[WARN] Testing bug ('net/ipv4/raw.c:640', 'net/ipv4/ip_sockglue.c:748') not found
[WARN] Testing bug ('net/sctp/associola.c:1088', 'net/sctp/socket.c:7423') not found
[WARN] Testing bug ('net/packet/af_packet.c:1645', 'net/packet/af_packet.c:367') not found

I found that scripts/misc/analysis.py does the following:
cmd = "wpa -indCallLimit=100000 -dump-callgraph -ander -vgep -svfg -dump-mssa -dump-race " + args.bitcode
What is it doing?

How do I deal with it?
Thanks!

a little confusion

"As a consequence, LLVM Linux will fail to build the entire kernel binary. It is okay if .bc files for files under interests and built-in.bc for each subdirectory (e.g., drivers/built-in.bc, net/built-in.bc) is built."

LLVM Linux will fail to build the entire kernel binary but merge-mempairs.py runs get_address.py and in get_address.py it requires vmlinux file. After I fail to build the entire kernel binary I can run run-partition-analysis.py successfully but merge-mempairs.py will remind me no vmlinux found.

Questions about static analysis

Hello, thank you for your hard work.

I have read the paper and want to reproduce CVE-2017-2636. What I have done is as below:

  1. Roll back the patch "tty: n_hdlc: get rid of racy n_hdlc.tbuf" from kernel-4.18-rc3; I have modified the code in razzer/kernel-repo/static_analysis/kernel_v4.18-rc3/
  2. Enable CONFIG_N_HDLC=y in razzer/tools/llvmlinux/targets/x86_64/configs/config-v4.18-rc3-syzkaller

After following the instructions in docs/static-analysis.md, the mempair file has been generated. What I expected according to the paper is that I could find some strings in the mempair file like

drivers/tty/n_hdlc.c:440:x drivers/tty/n_hdlc.c:216:x W R

But there is nothing related to this.

I have found that the issue "KASAN: null-ptr-deref Write in binder_update_page_range" reported by razzer also exists in kernel-v4.17, and I tried the static analysis on kernel-4.17, but still found nothing related to binder in mempair.

Since I am not familiar with SVF, I'm not sure which part I have done was wrong. It will be so nice of you to give me some hints.

BTW, I'm sure that the line numbers in the code are the same as in the paper.

Thanks

KVM: entry failed, hardware error 0x80000021

Hi,

I met the error "KVM: entry failed, hardware error 0x80000021" during the fuzzing process. I followed all the instructions in the static analysis and fuzzing pages and have successfully gotten the mempairs.

image

However, during fuzzing, I always got "no output from test machine". I inspected the log file under crashes directory and noticed the error "KVM: entry failed, hardware error 0x80000021". May I ask if you have met the same problems?

image

Thanks.

Failed to build built-in.bc files

Hi, I am following the instructions to build bitcode files. However, after running ./build-kernel.sh --config configs/static_analysis_v4.16.mk, for built-in.*, only built-in.o files were built but no built-in.bc. For other files, e.g., kernel/pid.c, the corresponding .o files and .bc files were built.

The ./build-kernel.sh script also failed because of a bunch of undefined reference to xxx errors when executing the command tools/llvmlinux/arch/all/bin/llvm-link-bc.sh -m elf_x86_64 -z max-page-size=0x200000 --build-id -o .tmp_vmlinux1 -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-in.o --no-whole-archive --start-group lib/lib.a arch/x86/lib/lib.a --end-group, according to tmp/log. As pointed out here, I can ignore the link error because it was expected, but I cannot find any built-in.bc files built for the subsequent analysis.

Any ideas? Thanks!
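An audit script for the symptom in this post and in the earlier "How to get built-in.bc?" issue, added as an example and not part of razzer or llvmlinux: it walks a build tree and lists the directories that have a built-in.o without a built-in.bc beside it, and for every directory counts how many ordinary object files have a matching .bc, so you can tell "per-file bitcode is there but the per-directory link step never produced it" apart from "no bitcode at all". Point it at the kernel source root after build-kernel.sh; the demo tree it creates under tempfile is constructed.

```python
import os
import tempfile


def audit_bitcode(root):
    """Walk a kernel build tree and report bitcode coverage.

    Returns (missing_builtin, object_coverage):
      missing_builtin  - dirs (relative to root) with built-in.o but no built-in.bc
      object_coverage  - {dir: (objects_with_bc, objects_total)} for ordinary .o files
    """
    missing_builtin = []
    object_coverage = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        names = set(files)
        if "built-in.o" in names and "built-in.bc" not in names:
            missing_builtin.append(rel)
        objs = [f for f in files if f.endswith(".o") and f != "built-in.o"]
        if objs:
            # pid.o is covered when pid.bc sits next to it
            with_bc = sum(1 for f in objs if f[:-2] + ".bc" in names)
            object_coverage[rel] = (with_bc, len(objs))
    return sorted(missing_builtin), object_coverage


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def make_demo_tree():
    """Constructed layout mirroring the reported symptom: per-file .bc files exist,
    but some subdirectories have a built-in.o with no built-in.bc."""
    base = tempfile.mkdtemp(prefix="razzer-bc-audit-")
    for p in ["kernel/pid.o", "kernel/pid.bc", "kernel/built-in.o",
              "net/core/sock.o", "net/core/sock.bc",
              "net/core/built-in.o", "net/core/built-in.bc",
              "drivers/tty/n_hdlc.o", "drivers/tty/built-in.o"]:
        _touch(os.path.join(base, p))
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    missing, coverage = audit_bitcode(root)
    for d in missing:
        print(f"built-in.o without built-in.bc: {d}")
    for d, (have, total) in sorted(coverage.items()):
        print(f"{d}: {have}/{total} objects have .bc")
```

A directory that shows full per-object coverage but still appears in the missing list points at the per-directory link step (the llvm-link-bc.sh stage quoted above) rather than at compilation of the individual files.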

QEMU build error

While using ./scripts/qemu/install.sh, I found that the QEMU build fails:

config-temp/qemu-conf.c:1:10: fatal error: sys/endian.h: No such file or directory
#include <sys/endian.h>
compilation terminated.

How do I deal with it?
Thanks!

And there are other errors before this error, such as:

config-temp/qemu-conf.c: In function ‘main’:
config-temp/qemu-conf.c:6:3: error: too many arguments to function ‘xc_domain_create’
xc_domain_create(xc, 0, handle, 0, NULL, NULL);
In file included from config-temp/qemu-conf.c:1:0:
/usr/include/xenctrl.h:511:5: note: declared here
int xc_domain_create(xc_interface *xch,

and

/tmp/ccBwhhaj.o: In function `main': root/razzer/tools/qemu-2.5.0/build/config-temp/qemu-conf.c:5: undefined reference to `uuid_generate'
collect2: error: ld returned 1 exit status

but these errors did not cause the compilation to terminate.
