Diffstat (limited to 'docs/linux')
-rw-r--r--docs/linux/external_fuzzing_usb.md82
-rw-r--r--docs/linux/setup_linux-host_android-device_arm-kernel.md2
-rw-r--r--docs/linux/setup_linux-host_qemu-vm_arm-kernel.md4
-rw-r--r--docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md2
-rw-r--r--docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md2
-rw-r--r--docs/linux/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md14
-rw-r--r--docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md2
7 files changed, 54 insertions, 54 deletions
diff --git a/docs/linux/external_fuzzing_usb.md b/docs/linux/external_fuzzing_usb.md
index 226576ec1..1309bf5ba 100644
--- a/docs/linux/external_fuzzing_usb.md
+++ b/docs/linux/external_fuzzing_usb.md
@@ -151,48 +151,48 @@ These instructions describe how to set this up on a Raspberry Pi Zero W, but any
9. Download syzkaller, apply the patch below and build `syz-executor`:
- ``` c
- diff --git a/executor/common_usb.h b/executor/common_usb.h
- index e342d808..278c2f4e 100644
- --- a/executor/common_usb.h
- +++ b/executor/common_usb.h
- @@ -269,9 +269,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
-
- // TODO: consider creating two dummy_udc's per proc to increace the chance of
- // triggering interaction between multiple USB devices within the same program.
- - char device[32];
- - sprintf(&device[0], "dummy_udc.%llu", procid);
- - rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
- + rv = usb_raw_init(fd, speed, "20980000.usb", "20980000.usb");
- if (rv < 0) {
- debug("syz_usb_connect: usb_raw_init failed with %d\n", rv);
- return rv;
- diff --git a/executor/executor.cc b/executor/executor.cc
- index 34949a01..1afcb288 100644
- --- a/executor/executor.cc
- +++ b/executor/executor.cc
- @@ -604,8 +604,8 @@ retry:
- call_extra_cover = true;
- }
- if (strncmp(syscalls[call_num].name, "syz_usb_connect", strlen("syz_usb_connect")) == 0) {
- - prog_extra_timeout = 2000;
- - call_extra_timeout = 2000;
- + prog_extra_timeout = 5000;
- + call_extra_timeout = 5000;
- }
- if (strncmp(syscalls[call_num].name, "syz_usb_control_io", strlen("syz_usb_control_io")) == 0)
- call_extra_timeout = 300;
- ```
+``` c
+diff --git a/executor/common_usb.h b/executor/common_usb.h
+index e342d808..278c2f4e 100644
+--- a/executor/common_usb.h
++++ b/executor/common_usb.h
+@@ -269,9 +269,7 @@ static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatil
+
+ // TODO: consider creating two dummy_udc's per proc to increace the chance of
+ // triggering interaction between multiple USB devices within the same program.
+- char device[32];
+- sprintf(&device[0], "dummy_udc.%llu", procid);
+- rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
++ rv = usb_raw_init(fd, speed, "20980000.usb", "20980000.usb");
+ if (rv < 0) {
+ debug("syz_usb_connect: usb_raw_init failed with %d\n", rv);
+ return rv;
+diff --git a/executor/executor.cc b/executor/executor.cc
+index 34949a01..1afcb288 100644
+--- a/executor/executor.cc
++++ b/executor/executor.cc
+@@ -604,8 +604,8 @@ retry:
+ call_extra_cover = true;
+ }
+ if (strncmp(syscalls[call_num].name, "syz_usb_connect", strlen("syz_usb_connect")) == 0) {
+- prog_extra_timeout = 2000;
+- call_extra_timeout = 2000;
++ prog_extra_timeout = 5000;
++ call_extra_timeout = 5000;
+ }
+ if (strncmp(syscalls[call_num].name, "syz_usb_control_io", strlen("syz_usb_control_io")) == 0)
+ call_extra_timeout = 300;
+```
- ``` bash
- go get -u -d github.com/google/syzkaller/prog
- cd ~/gopath/src/github.com/google/syzkaller
- # Put the patch above into ./syzkaller.patch
- git apply ./syzkaller.patch
- make executor
- mkdir ~/syz-bin
- cp bin/linux_arm/syz-executor ~/syz-bin/
- ```
+``` bash
+go get -u -d github.com/google/syzkaller/prog
+cd ~/gopath/src/github.com/google/syzkaller
+# Put the patch above into ./syzkaller.patch
+git apply ./syzkaller.patch
+make executor
+mkdir ~/syz-bin
+cp bin/linux_arm/syz-executor ~/syz-bin/
+```
10. Build `syz-execprog` on your host machine for arm32 with `make TARGETARCH=arm execprog` and copy to `~/syz-bin` onto the SD card. You may try building syz-execprog on the Raspberry Pi itself, but that worked poorly for me due to large memory consumption during the compilation process.
diff --git a/docs/linux/setup_linux-host_android-device_arm-kernel.md b/docs/linux/setup_linux-host_android-device_arm-kernel.md
index a4859fdf5..90996637a 100644
--- a/docs/linux/setup_linux-host_android-device_arm-kernel.md
+++ b/docs/linux/setup_linux-host_android-device_arm-kernel.md
@@ -5,7 +5,7 @@
This document details the steps involved in setting up a syzkaller instance fuzzing an `arm32/64` linux kernel on an Android device.
Some features of syzkaller may not yet work properly on `arm32`. For example, not all debugging and test coverage features are available in the Linux kernel for `arm32`, limiting the efficacy of syskaller in finding bugs fast.
-
+
These were tested on an NXP Pico-Pi-IMX7D following the instructions [here](https://developer.android.com/things/hardware/developer-kits.html).
You may find additional details in syzkaller's `adb` vm implementation [here](/vm/adb/adb.go).
diff --git a/docs/linux/setup_linux-host_qemu-vm_arm-kernel.md b/docs/linux/setup_linux-host_qemu-vm_arm-kernel.md
index c88d9a8f6..3745cbcc1 100644
--- a/docs/linux/setup_linux-host_qemu-vm_arm-kernel.md
+++ b/docs/linux/setup_linux-host_qemu-vm_arm-kernel.md
@@ -5,7 +5,7 @@
Obtain a fresh `arm-linux-gnueabihf-gcc`. Latest Debian distributions provide
version 7.2.0, which should be enough. Otherwise you can download Linaro
compiler [here](https://www.linaro.org/downloads).
-
+
# Kernel
The instructions are tested with `v4.16.1`. Check that you have/backport
@@ -77,7 +77,7 @@ debugfs /sys/kernel/debug debugfs defaults 0 0
```
Then replace `output/target/etc/ssh/sshd_config` with the following contents:
-
+
```
PermitRootLogin yes
PasswordAuthentication yes
diff --git a/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md b/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md
index d4eab5b43..a5148916d 100644
--- a/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md
+++ b/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md
@@ -109,7 +109,7 @@ At the top of /etc/init.d/S50sshd add the following lines:
mount -t debugfs none /sys/kernel/debug
chmod 777 /sys/kernel/debug/kcov
-Comment out the line
+Comment out the line
/usr/bin/ssh-keygen -A
diff --git a/docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md b/docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md
index 162016c62..adcb63c75 100644
--- a/docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md
+++ b/docs/linux/setup_linux-host_qemu-vm_s390x-kernel.md
@@ -75,7 +75,7 @@ Now you should have `vmlinux` (kernel binary) and `bzImage` (packed kernel image
``` bash
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
-$ ls $KERNEL/arch/s390/boot/bzImage
+$ ls $KERNEL/arch/s390/boot/bzImage
$KERNEL/arch/s390/boot/bzImage
```
diff --git a/docs/linux/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md b/docs/linux/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md
index dfcd2eaa4..6ecf5a894 100644
--- a/docs/linux/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md
+++ b/docs/linux/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md
@@ -80,7 +80,7 @@ Some message
``` bash
$ ssh root@172.16.0.31
- root@172.16.0.31's password:
+ root@172.16.0.31's password:
...
Last login: Thu Feb 11 11:30:51 2016
root@odroid64:~#
@@ -93,7 +93,7 @@ This hub has support for a feature called [Per Port Power Switching](http://www.
[To be able to open the hub device entry](http://www.janosgyerik.com/adding-udev-rules-for-usb-debugging-android-devices/) under `/dev/` without being root, add the following file to `/etc/udev/rules.d/` on the host machine:
``` bash
-$ cat /etc/udev/rules.d/10-local.rules
+$ cat /etc/udev/rules.d/10-local.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="2001", ATTR{idProduct}=="f103", MODE="0664", GROUP="plugdev"
```
@@ -101,7 +101,7 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="2001", ATTR{idProduct}=="f103", MODE="0664",
Don't forget to replug the hub after you add this file.
``` bash
-$ lsusb
+$ lsusb
...
Bus 003 Device 026: ID 2001:f103 D-Link Corp. DUB-H7 7-port USB 2.0 hub
...
@@ -159,14 +159,14 @@ index 165cf9783a5d..ff8b40dca9e2 100644
@@ -653,6 +653,11 @@ KBUILD_CFLAGS += $(call cc-ifversion, -lt, 0409, \
# Tell gcc to never replace conditional load with a non-conditional one
KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
-
+
+# Stop gcc from converting switches into a form that defeats dead code
+# elimination and can subsequently lead to calls to intentionally
+# undefined functions appearing in the final link.
+KBUILD_CFLAGS += $(call cc-option,--param=max-fsm-thread-path-insns=1)
+
include scripts/Makefile.gcc-plugins
-
+
ifdef CONFIG_READABLE_ASM
```
@@ -177,12 +177,12 @@ index 9576775a86f6..8bc4eb36fc1b 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -11,7 +11,6 @@ CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
-
+
CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \
-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \
- --param asan-stack=1 --param asan-globals=1 \
--param asan-instrumentation-with-call-threshold=$(call_threshold))
-
+
ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),)
```
diff --git a/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md b/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
index 0efc42196..faa087c60 100644
--- a/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
+++ b/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
@@ -70,7 +70,7 @@ Now you should have `vmlinux` (kernel binary) and `bzImage` (packed kernel image
``` bash
$ ls $KERNEL/vmlinux
$KERNEL/vmlinux
-$ ls $KERNEL/arch/x86/boot/bzImage
+$ ls $KERNEL/arch/x86/boot/bzImage
$KERNEL/arch/x86/boot/bzImage
```