| author | Aleksandr Nogikh <nogikh@google.com> | 2024-11-28 11:02:58 +0100 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2024-11-29 14:35:53 +0000 |
| commit | 8f3b15c4213fbdd6918d7ddd9ffa9fd4a623dc49 (patch) | |
| tree | 5504bc5ee059ac50c9fc585efe196f59a26de424 /docs/reproducing_crashes.md | |
| parent | b5d2be89685d997057176b6647393ba33b431d78 (diff) | |
docs: update reproduction instructions
1. Get rid of executing_syzkaller_programs.md as it now mostly overlaps
with reproducing_crashes.md.
2. Update the instructions on building the kernel with syzbot compilers.
3. Update the links throughout the documentation.
Diffstat (limited to 'docs/reproducing_crashes.md')
| -rw-r--r-- | docs/reproducing_crashes.md | 55 |
1 files changed, 52 insertions, 3 deletions
diff --git a/docs/reproducing_crashes.md b/docs/reproducing_crashes.md index 9a76a899e..41156069e 100644 --- a/docs/reproducing_crashes.md +++ b/docs/reproducing_crashes.md 
@@ -71,16 +71,65 @@ $ cd syzkaller $ ./tools/syz-env make ``` -Build the kernel and boot the VM as described above. +Build the kernel and boot the VM as described in the section above. -Download and run the reproducer: +Download the reproducer: ``` -$ export SYZKALLER_PATH="~/syzkaller" $ wget -O 'repro.syz' 'https://syzkaller.appspot.com/x/repro.syz?x=137beac0580000' +``` + +Copy the reproducer and the syzkaller binaries to the test machine: +``` +$ export SYZKALLER_PATH="~/syzkaller" $ scp -P 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes $SYZKALLER_PATH/bin/linux_amd64/* ./repro.syz root@127.0.0.1:/root/ +``` + +Now you can use the `syz-execprog` tool to actually execute the program. + +``` $ ssh -p 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 './syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz' ``` +Several useful `syz-execprog` flags: +``` + -procs int + number of parallel processes to execute programs (default 1) + -repeat int + repeat execution that many times (0 for infinite loop) (default 1) + -sandbox string + sandbox for fuzzing (none/setuid/namespace) (default "setuid") + -threaded + use threaded mode in executor (default true) +``` + +If you pass `-threaded=0`, all syscalls will be executed in the same thread. +`-threaded=1` forces execution of each syscall in a separate thread, so that +execution can proceed over blocking syscalls. + +Before 2021, `syz-execprog` also supported the following flag: +``` + -collide + collide syscalls to provoke data races (default true) +``` +`-collide=1` forced second round of execution of syscalls when pairs of syscalls +are executed concurrently. + +Starting from the revision +[fd8caa54](https://github.com/google/syzkaller/commit/fd8caa5462e64f37cb9eebd75ffca1737dde447d), +the behavior is controlled [directly in syzlang](/docs/program_syntax.md#async). 
+If you are running older reproducers, you might still need to set the `-collide=1` flag. + + +If you are replaying a reproducer program that contains a header along the +following lines: +``` +# {Threaded:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} +``` +then you need to adjust `syz-execprog` flags based on the values in the +header. Namely, `Threaded`/`Procs`/`Sandbox` directly relate to +`-threaded`/`-procs`/`-sandbox` flags. If `Repeat` is set to `true`, add +`-repeat=0` flag to `syz-execprog`. + ## Using ktest [ktest](https://evilpiepirate.org/git/ktest.git/tree/README.md) is a collection |
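Review bot: the `export SYZKALLER_PATH="~/syzkaller"` line in the new "Copy the reproducer and the syzkaller binaries to the test machine" block stores a literal `~` because tilde expansion does not happen inside double quotes, and it is not applied again when `$SYZKALLER_PATH/bin/linux_amd64/*` is expanded on the following `scp` line, so the glob will not match and the copy fails with a "No such file or directory" style error unless the reader happens to have a directory literally named `~` in the current directory. Suggest `export SYZKALLER_PATH="$HOME/syzkaller"` (or unquoted `~/syzkaller`) so the glob resolves; the same quoting was present in the removed line, so this is a good moment to fix it rather than carry it over. Minor wording in the same hunk: "`-collide=1` forced second round of execution" reads better as "forced a second round of execution", and "add `-repeat=0` flag" as "add the `-repeat=0` flag".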
