From 6ed5e0a6f4db9bc4b8a49bcec926f46983369f17 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 14 Jun 2017 13:33:38 +0200 Subject: docs: move executing syzkaller page from wiki --- docs/executing_syzkaller_programs.md | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 docs/executing_syzkaller_programs.md (limited to 'docs/executing_syzkaller_programs.md') diff --git a/docs/executing_syzkaller_programs.md b/docs/executing_syzkaller_programs.md new file mode 100644 index 000000000..bd1570c0e --- /dev/null +++ b/docs/executing_syzkaller_programs.md 
@@ -0,0 +1,47 @@ +# Executing syzkaller programs + +This page describes how to execute existing syzkaller programs for the purpose of bug reproduction. This way you can replay a single program or a whole execution log with several programs. + +1. Setup Go toolchain (if you don't yet have it, you need version 1.8 or higher): +Download latest Go distribution from (https://golang.org/dl/). Unpack it to `$HOME/go1.8`. +``` bash +$ export GOROOT=$HOME/go1.8 +$ export GOPATH=$HOME/gopath +``` + +2. Download syzkaller sources: +``` bash +$ go get -u -d github.com/google/syzkaller/... +``` + +3. Build necessary syzkaller binaries: +``` bash +$ cd $GOPATH/src/github.com/google/syzkaller +$ make +``` + +4. Copy binaries and the program to test machine: +``` bash +$ scp bin/syz-execprog bin/syz-executor program test@machine +``` + +5. Run the program on the test machine: +``` bash +$ ./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16 program +``` + +Several useful `syz-execprog` flags: +``` + -collide + collide syscalls to provoke data races (default true) + -procs int + number of parallel processes to execute programs (default 1) + -repeat int + repeat execution that many times (0 for infinite loop) (default 1) + -sandbox string + sandbox for fuzzing (none/setuid/namespace) (default "setuid") + -threaded + use threaded mode in executor (default true) +``` + +If you pass `-threaded=0 -collide=0`, programs will be executed as a simple single-threaded sequence of syscalls. `-threaded=1` forces execution of each syscall in a separate thread, so that execution can proceed over blocking syscalls. `-collide=0` forces second round of execution of syscalls when pairs of syscalls are executed concurrently. -- cgit mrf-deployment
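Review bot: the closing paragraph contradicts the flag list right above it. It says `-collide=0` "forces second round of execution of syscalls when pairs of syscalls are executed concurrently", but the help text lists `-collide` as "collide syscalls to provoke data races (default true)", so `-collide=0` disables that round rather than forcing it; the sentence should read `-collide=1`, which also lines up with the preceding `-threaded=1` sentence and with the `-threaded=0 -collide=0` single-threaded case described first. Minor: step 5 runs `syz-execprog` with `-cover=0`, but `-cover` is missing from the "useful flags" list; adding its one-line help entry there would keep the example command self-explanatory.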