| author | Dmitry Vyukov <dvyukov@google.com> | 2016-08-26 07:09:25 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2016-08-26 07:09:25 +0200 |
| commit | 0d0fbbe73f5b02bfeac0aedd0b6b9e8417ab0b0f (patch) | |
| tree | a412c7d3e6d9af44a29c35c6d3f1ecfe8067419f /README.md | |
| parent | 34120ddc6e1ab0de360d3467b0d678fa6693e4c9 (diff) | |
overhaul syscall description generation process
This splits generation process into two phases:
1. Extract values of constants from linux kernel sources.
2. Generate Go code.
Constant values are checked in.
The advantage is that the second phase is now completely independent
from linux source files, kernel version, presence of headers for
particular drivers, etc. This allows changing what Go code we generate
any time without access to all kernel headers (which in future won't be
limited to only upstream headers).
Constant extraction process does require proper kernel sources,
but this can be done only once by the person who added the driver
and has access to the required sources. Then the constant values
are checked in for others to use.
Constant extraction process is per-file/per-arch. That is,
if I am adding a driver that is not present upstream and that
works only on a single arch, I will check in constants only for
that driver and for that arch.
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 54 |
1 files changed, 3 insertions, 51 deletions
@@ -146,18 +146,9 @@ written in C++, compiled as static binary and uses shared memory for communicati ## Syscall description -syzkaller uses declarative description of syscalls to generate, mutate, minimize, -serialize and deserialize programs (sequences of syscalls). Below you can see -(hopefully self-explanatory) excerpt from the description: - -``` -open(file filename, flags flags[open_flags], mode flags[open_mode]) fd -read(fd fd, buf buffer[out], count len[buf]) len[buf] -close(fd fd) -open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH -``` - -The description is contained in [sys/sys.txt](sys/sys.txt) file. +`syzkaller` uses declarative description of syscalls to generate, mutate, minimize, +serialize and deserialize programs (sequences of syscalls). See details about the +format and extending the descriptions in [sys/README.md](sys/README.md). ## Troubleshooting 
@@ -202,45 +193,6 @@ Here are some things to check if there are problems running syzkaller. In this case, running the `syz-execprog` test with the `-nobody=0` option fixes the problem, so the main configuration needs to be updated to set `dropprivs` to `false`. - -## Fuzzing new system calls - -This section describes how to extend syzkaller to allow fuzz testing of a new system call; -this is particularly useful for kernel developers who are proposing new system calls. - -First, add a declarative description of the new system call to the appropriate file: - - Various `sys/<subsystem>.txt` files hold system calls for particular kernel - subsystems, for example `bpf` or `socket`. - - [sys/sys.txt](sys/sys.txt) holds descriptions for more general system calls. - - An entirely new subsystem can be added as a new `sys/<new>.txt` file, but needs - the `generate` target in the [Makefile](Makefile) to be updated to include it. - -The description format is described [above](#syscall-description) and in the -master [sys/sys.txt](sys/sys.txt) file. - -Next, run `make LINUX=$KSRC generate` with `KSRC` set to the location of a kernel -source tree (for up to date kernel headers); if the kernel was built into a separate -directory (with `make O=...`) then also set `LINUXBLD=$KBLD` to the location of the -build directory. - -This will re-create the following source code files: - - `sys/sys.go`: Code to initialize a Go [data structure](sys/decl.go) with information - about all of the available system calls. - - `prog/consts.go`: Constant definitions for all the named constants that are - mentioned in the system call descriptions. - - `sys/sys_<ARCH>.go`: Data structure to map syzkaller internal syscall IDs to - (per-architecture) kernel syscall numbers. - - `executor/syscalls.h`: Constant definitions (in C) for all system call numbers. - -If there are problems with this step, run `bin/syz-sysgen` directly and add -the use `-v=5` flag to show more details of the generation process. 
- -Rebuild syzkaller (`make clean all`) to force use of the new system call definitions. - -Finally, adjust the `enable_syscalls` configuration value for syzkaller to specifically target the -new system calls. - - ## Disclaimer This is not an official Google product. |
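Review bot: In the first hunk (`## Syscall description`), the replacement paragraph points readers to [sys/README.md](sys/README.md), but this diff is limited to README.md, so nothing here shows that file being added; please confirm it exists or is part of the same commit, otherwise the top-level README ships with a dangling link to the only remaining description of the format. Two wording nits in the added lines: `uses declarative description` should read `uses a declarative description`, and the new backticks around `syzkaller` are inconsistent with the unquoted `syzkaller` in the unchanged context of the next hunk ("problems running syzkaller").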
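Review bot: The second hunk removes the whole `## Fuzzing new system calls` section with no pointer to where that material now lives, and two of the deleted steps are user-facing rather than tied to the old generation flow: the `make clean all` rebuild after regenerating descriptions and setting `enable_syscalls` to target the new calls. Suggest either keeping a short subsection that links to [sys/README.md](sys/README.md) for the extend-and-regenerate procedure, or confirming those steps (and the `-v=5` debugging hint for `bin/syz-sysgen`, if the flag survives the two-phase split described in the commit message) are covered there. Deleting the section does correctly drop the only in-page `[above](#syscall-description)` reference, so no dangling anchor remains.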
