| field | value | date |
|---|---|---|
| author | Dmitry Vyukov <dvyukov@google.com> | 2018-04-05 11:56:07 +0200 |
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-04-05 11:56:07 +0200 |
| commit | 5883462aab8849850a648457016f02bcc5690efe | |
| tree | 8af2b3e2c9a1f94c01bede4a260abf923a33ef31 /docs/syzbot.md | |
| parent | 5e1ccffca26286c058fc72cc2b0ef51136f54b26 | |
docs: add KMSAN description to syzbot page
Diffstat (limited to 'docs/syzbot.md')
| -rw-r--r-- | docs/syzbot.md | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/docs/syzbot.md b/docs/syzbot.md index 759e358a8..8fe2cc402 100644 --- a/docs/syzbot.md +++ b/docs/syzbot.md @@ -97,7 +97,10 @@ machine, so the reproducer worked for it somehow. If the reproducer exits quickly, try to run it several times, or in a loop. There can be some races involved. -Exact compiler used by `syzbot` can be found [here](https://storage.googleapis.com/syzkaller/gcc-7.tar.gz) (245MB). +Exact compilers used by `syzbot` can be found here: +- [gcc 7.1.1 20170620](https://storage.googleapis.com/syzkaller/gcc-7.tar.gz) (245MB) +- [gcc 8.0.1 20180301](https://storage.googleapis.com/syzkaller/gcc-8.0.1-20180301.tar.gz) (286MB) +- [clang 7.0.0 (trunk 329060)](https://storage.googleapis.com/syzkaller/clang-kmsan-329060.tar.gz) (44MB) A qemu-suitable Debian/wheezy image can be found [here](https://storage.googleapis.com/syzkaller/wheezy.img) (1GB, compression somehow breaks it), root ssh key for it is [here](https://storage.googleapis.com/syzkaller/wheezy.img.key). 
@@ -112,6 +115,24 @@ state in kernel (e.g. lockdep reports); some crashes are caused by non-reproducible coincidences (e.g. an integer `0x12345` happened to reference an existing IPC object) and there is long tail of other reasons. +## KMSAN bugs + +`KMSAN` is a dynamic, compiler-based tool (similar to `KASAN`) that detects +uses of uninitialized values. As compared to (now deleted) `KMEMCHECK` which +simply detected loads of non-stored-to memory, `KMSAN` tracks precise +propagation of uninitialized values through memory and registers and only flags +actual eventual uses of uninitialized values. For example, `KMSAN` will detect +a branch on or a `copy_to_user()` of values that transitively come from +uninitialized memory created by heap/stack allocations. This ensures +/theoretical/ absense of both false positives and false negatives (with some +implementation limitations of course). + +`KMSAN` is not upstream yet, though, we want to upstream it later. For now, +it lives in [github.com/google/kmsan](https://github.com/google/kmsan) and is +based on a reasonably fresh upstream tree. As the result, any patch testing +requests for `KMSAN` bugs need to go to `KMSAN` tree. Also note that `KMSAN` +requires `clang` compiler. + ## Is syzbot code available? Yes, it is [here](https://github.com/google/syzkaller/tree/master/dashboard/app). |
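Review bot: In the first hunk (the compiler list under "Exact compilers used by `syzbot` can be found here:"), the clang entry is the only one that is not interchangeable with the others, since the tarball name `clang-kmsan-329060.tar.gz` and the new KMSAN section both indicate it is the compiler required for KMSAN builds, but the list item does not say so. Suggest labelling it, e.g. "- [clang 7.0.0 (trunk 329060)](...) (44MB), required for `KMSAN` builds", so a reader reproducing a KMSAN crash picks the right toolchain without having to read to the end of the page.

Review bot: In the second hunk (the new "## KMSAN bugs" section), a few wording and markup slips should be fixed before merging: "absense" should be "absence", "As the result, any patch testing" should be "As a result, any patch testing", "requires `clang` compiler" should be "requires the `clang` compiler", and "/theoretical/ absense" uses slash emphasis that Markdown will render literally, so it should be "*theoretical* absence". The sentence "`KMSAN` is not upstream yet, though, we want to upstream it later." reads better as "`KMSAN` is not upstream yet, though we plan to upstream it later." It would also help to link the clang tarball from the compiler list directly here, next to "Also note that `KMSAN` requires `clang` compiler", so the section is self-contained.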
