From b554370c533a736225a2d18de39c3d83984ba14b Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Sat, 8 Dec 2018 15:26:30 +0100 Subject: docs/darwin: add some info about darwin Also move windows into separate dir, mention windows/darwin in found bugs. --- README.md | 13 +++++++-- docs/darwin/README.md | 10 +++++++ docs/found_bugs.md | 4 +++ docs/setup.md | 2 +- docs/windows.md | 65 -------------------------------------------- docs/windows/README.md | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 99 insertions(+), 68 deletions(-) create mode 100644 docs/darwin/README.md delete mode 100644 docs/windows.md create mode 100644 docs/windows/README.md diff --git a/README.md b/README.md index 216e117b2..8da5d4fb1 100644 --- a/README.md +++ b/README.md @@ -11,9 +11,18 @@ You can subscribe to it with a google account or by sending an email to syzkalle ## Documentation -Initially, syzkaller was developed with Linux kernel fuzzing in mind, but now it's being extended to support other OS kernels as well. +Initially, syzkaller was developed with Linux kernel fuzzing in mind, but now +it's being extended to support other OS kernels as well. Most of the documentation at this moment is related to the Linux kernel. -For other OS kernels check: [Akaros](docs/akaros/README.md), [FreeBSD](docs/freebsd.md), [Fuchsia](docs/fuchsia.md), [NetBSD](docs/netbsd.md), [OpenBSD](docs/openbsd/setup.md), [Windows](docs/windows.md), [gVisor](docs/gvisor.md). +For other OS kernels check: +[Akaros](docs/akaros/README.md), +[Darwin/XNU](docs/darwin/README.md), +[FreeBSD](docs/freebsd.md), +[Fuchsia](docs/fuchsia.md), +[NetBSD](docs/netbsd.md), +[OpenBSD](docs/openbsd/setup.md), +[Windows](docs/windows/README.md), +[gVisor](docs/gvisor.md). - [How to install syzkaller](docs/setup.md) - [How to use syzkaller](docs/usage.md) diff --git a/docs/darwin/README.md b/docs/darwin/README.md new file mode 100644 index 000000000..f4c75e6b0 --- /dev/null +++ b/docs/darwin/README.md 
@@ -0,0 +1,10 @@ +# Darwin/XNU + +`Darwin/XNU` is not supported at the moment. + +[panicall](https://twitter.com/panicaII) has +[ported](https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-Juwei_Lin-Drill-The-Apple-Core.pdf) +syzkaller to `Darwin/XNU` and that has found more than +[50 bugs](https://twitter.com/panicaII/status/1070696972326133760) including +`CVE-2018-4447` and `CVE-2018-4435` mentioned in +[Apple security updates](https://support.apple.com/en-us/HT209341). diff --git a/docs/found_bugs.md b/docs/found_bugs.md index d77d33744..469ea33cd 100644 --- a/docs/found_bugs.md +++ b/docs/found_bugs.md @@ -5,3 +5,7 @@ [Akaros kernel bugs](akaros/found_bugs.md) [OpenBSD kernel bugs](openbsd/found_bugs.md) + +[Darwin/XNU](darwin/README.md) + +[Windows](windows/README.md) diff --git a/docs/setup.md b/docs/setup.md index 7c8438d02..d40d85cfc 100644 --- a/docs/setup.md +++ b/docs/setup.md @@ -1,7 +1,7 @@ # How to set up syzkaller Generic setup instructions for fuzzing Linux kernel are outlined [here](linux/setup.md). -For other OS kernels check: [Akaros](/docs/akaros/README.md), [FreeBSD](/docs/freebsd.md), [Fuchsia](/docs/fuchsia.md), [NetBSD](/docs/netbsd.md), [Windows](/docs/windows.md). +For other OS kernels check: [Akaros](/docs/akaros/README.md), [FreeBSD](/docs/freebsd.md), [Fuchsia](/docs/fuchsia.md), [NetBSD](/docs/netbsd.md), [Windows](/docs/windows/README.md). After following these instructions you should be able to run `syz-manager`, see it executing programs and be able to access statistics exposed at `http://127.0.0.1:56741`: diff --git a/docs/windows.md b/docs/windows.md deleted file mode 100644 index 37990b3b8..000000000 --- a/docs/windows.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Windows support - -To update descriptions run (assumes `cl` cross-compiler is in PATH): -``` -syz-extract -os=windows -syz-sysgen -``` - -`sys/windows/windows.txt` was auto-extracted from windows headers with `tools/syz-declextract`. - -To build binaries: -``` -make fuzzer execprog stress TARGETOS=windows -REV=git rev-parse HEAD -cl executor\executor_windows.cc /EHsc -o bin\windows_amd64\syz-executor.exe \ - -DGIT_REVISION=\"$REV\" \ - kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib \ - shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib \ - winmm.lib rpcrt4.lib Crypt32.lib imm32.lib Urlmon.lib Oleaut32.lib \ - Winscard.lib Opengl32.lib Mpr.lib Ws2_32.lib Bcrypt.lib Ncrypt.lib \ - Synchronization.lib Shell32.lib Rpcns4.lib Mswsock.lib Mincore.lib \ - Msimg32.lib RpcRT4.lib Rpcrt4.lib lz32.lib -``` - -To run `syz-stress`: -``` -bin\windows_amd64\syz-stress.exe -executor c:\full\path\to\bin\windows_amd64\syz-executor.exe -``` - -Windows is supported by only `gce` VMs at the moment. -To use `gce`, create a Windows GCE VM, inside of the machine: - - - Enable serial console debugging (see [this](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-parameters-to-enable-debugging) for details): -``` -bcdedit /debug on -bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex -``` - - - Disable automatic restart in `sysdm.cpl -> Advanced -> Startup and Recovery` - - - Setup sshd with key auth, [these](https://winscp.net/eng/docs/guide_windows_openssh_server) instructions worked for me. - Preferably use non-admin user. Save private ssh key. - -Then shutdown the machine, stop the instance and create an image from the disk. 
-Then start `syz-manager` with config similar to the following one: - -``` -{ - "name": "windows", - "target": "windows/amd64", - "http": ":20000", - "workdir": "/workdir", - "syzkaller": "/syzkaller", - "sshkey": "/id_rsa", - "ssh_user": "you", - "cover": false, - "procs": 8, - "type": "gce", - "vm": { - "count": 10, - "machine_type": "n1-highcpu-2", - "gce_image": "your-gce-image" - } -} -``` diff --git a/docs/windows/README.md b/docs/windows/README.md new file mode 100644 index 000000000..1511db135 --- /dev/null +++ b/docs/windows/README.md 
@@ -0,0 +1,73 @@ +# Windows + +`Windows` support is very raw and preliminary (read, non-working). + +There is a more complete +[closed-source Windows port](https://www.slideshare.net/AnthonyLAOUHINETSUEI/wsl-reloaded) +done by [Fritz](https://twitter.com/anarcheuz) and [zer0mem](https://twitter.com/zer0mem). +The port has found 6 bugs including +[CVE-2018-8441](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8441). + +To update descriptions run (assumes `cl` cross-compiler is in PATH): +``` +syz-extract -os=windows +syz-sysgen +``` + +`sys/windows/windows.txt` was auto-extracted from windows headers with `tools/syz-declextract`. + +To build binaries: +``` +make fuzzer execprog stress TARGETOS=windows +REV=git rev-parse HEAD +cl executor\executor_windows.cc /EHsc -o bin\windows_amd64\syz-executor.exe \ + -DGIT_REVISION=\"$REV\" \ + kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib \ + shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib \ + winmm.lib rpcrt4.lib Crypt32.lib imm32.lib Urlmon.lib Oleaut32.lib \ + Winscard.lib Opengl32.lib Mpr.lib Ws2_32.lib Bcrypt.lib Ncrypt.lib \ + Synchronization.lib Shell32.lib Rpcns4.lib Mswsock.lib Mincore.lib \ + Msimg32.lib RpcRT4.lib Rpcrt4.lib lz32.lib +``` + +To run `syz-stress`: +``` +bin\windows_amd64\syz-stress.exe -executor c:\full\path\to\bin\windows_amd64\syz-executor.exe +``` + +Windows is supported by only `gce` VMs at the moment. +To use `gce`, create a Windows GCE VM, inside of the machine: + + - Enable serial console debugging (see [this](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-parameters-to-enable-debugging) for details): +``` +bcdedit /debug on +bcdedit /dbgsettings serial debugport:1 baudrate:115200 /noumex +``` + + - Disable automatic restart in `sysdm.cpl -> Advanced -> Startup and Recovery` + + - Setup sshd with key auth, [these](https://winscp.net/eng/docs/guide_windows_openssh_server) instructions worked for me. 
+ Preferably use non-admin user. Save private ssh key. + +Then shutdown the machine, stop the instance and create an image from the disk. +Then start `syz-manager` with config similar to the following one: + +``` +{ + "name": "windows", + "target": "windows/amd64", + "http": ":20000", + "workdir": "/workdir", + "syzkaller": "/syzkaller", + "sshkey": "/id_rsa", + "ssh_user": "you", + "cover": false, + "procs": 8, + "type": "gce", + "vm": { + "count": 10, + "machine_type": "n1-highcpu-2", + "gce_image": "your-gce-image" + } +} +``` -- cgit mrf-deployment
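Review bot: docs/darwin/README.md says `Darwin/XNU` is not supported but never says whether the port it describes is available to readers, while docs/windows/README.md in this same patch states up front that the other port is closed-source. One sentence on the port's availability would tell a reader whether there is anything to build or run. The link text `panicall` also differs from the handle in both Twitter URLs (`panicaII`), so it is worth confirming which spelling is intended.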
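Review bot: The two entries added to docs/found_bugs.md are labelled only `Darwin/XNU` and `Windows` and point at README pages, whereas the existing entries in that list are named "Akaros kernel bugs" and "OpenBSD kernel bugs" and point at `found_bugs.md` files. Since the bugs referenced on those README pages come from external ports, a label that says so would keep the list from implying these are bug lists maintained in this tree.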
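Review bot: The "For other OS kernels check:" line in docs/setup.md receives only the Windows path fix, so it still omits OpenBSD and gVisor, which the README.md list in this patch links to (`docs/openbsd/setup.md`, `docs/gvisor.md`). Since the line is being touched anyway, bring it in sync with README.md and reflow it to one link per line as done there, so the two lists are easier to compare in future diffs.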
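Review bot: In the "To build binaries" block of docs/windows/README.md, `REV=git rev-parse HEAD` does not capture the revision: a POSIX shell treats it as running `rev-parse HEAD` with `REV=git` in its environment, so `-DGIT_REVISION=\"$REV\"` never receives the commit hash. The text is carried over unchanged from docs/windows.md, so the move is a good point to write it as `REV=$(git rev-parse HEAD)`. The same `cl` command lists `rpcrt4.lib`, `shell32.lib` and `oleaut32.lib` more than once in different casings, which can be trimmed. In the sample config, `"http": ":20000"` has no host part, so the manager's web interface listens on every interface, while docs/setup.md refers to `http://127.0.0.1:56741`; using `127.0.0.1:20000` in the example would keep the statistics page local by default.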