sys/android: dev_ prefix for ion descriptions

Andrey Konovalov 2020-05-06 17:31:09 +02:00 committed by Dmitry Vyukov
parent 1b2b36d6ab
commit 44cf2476f3
4 changed files with 88 additions and 98 deletions

@ -6,8 +6,7 @@ Instructions for a particular VM type or kernel arch can be found on these pages
- [Setup: Ubuntu host, QEMU vm, x86-64 kernel](setup_ubuntu-host_qemu-vm_x86-64-kernel.md)
- [Setup: Linux host, QEMU vm, arm64 kernel](setup_linux-host_qemu-vm_arm64-kernel.md)
- [Setup: Linux host, QEMU vm, arm kernel](setup_linux-host_qemu-vm_arm-kernel.md)
- [Setup: Linux host, Android device, arm64 kernel](setup_linux-host_android-device_arm64-kernel.md)
- [Setup: Ubuntu host, Android device, arm32 kernel](setup_ubuntu-host_android-device_arm32-kernel.md)
- [Setup: Linux host, Android device, arm32/64 kernel](setup_linux-host_android-device_arm-kernel.md)
- [Setup: Linux isolated host](setup_linux-host_isolated.md)
- [Setup: Ubuntu host, Odroid C2 board, arm64 kernel](setup_ubuntu-host_odroid-c2-board_arm64-kernel.md)
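
Review bot: The two entries this list loses, `setup_linux-host_android-device_arm64-kernel.md` and `setup_ubuntu-host_android-device_arm32-kernel.md`, are deleted outright later in the commit, so any existing link to either page stops resolving. Consider leaving a one-line stub in each old file that points to `setup_linux-host_android-device_arm-kernel.md`. Separately, the subject line "sys/android: dev_ prefix for ion descriptions" does not describe this documentation merge; a subject that names the docs change would make the history easier to search.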

@ -0,0 +1,87 @@
# Setup: Linux host, Android device, arm32/64 kernel
**Note: fuzzing the kernel on a real Android device may brick it.**
This document details the steps involved in setting up a syzkaller instance fuzzing an `arm32/64` linux kernel on an Android device.
Some features of syzkaller may not yet work properly on `arm32`. For example, not all debugging and test coverage features are available in the Linux kernel for `arm32`, limiting the efficacy of syskaller in finding bugs fast.
These were tested on an NXP Pico-Pi-IMX7D following the instructions [here](https://developer.android.com/things/hardware/developer-kits.html).
You may find additional details in syzkaller's `adb` vm implementation [here](/vm/adb/adb.go).
## Device setup
Follow the instructions for your board to install Android and make sure the device boots properly.
Set up the adb bridge so that adb and fastboot work.
Set up a serial port, following the instructions for your device so that you can monitor kernel log messages. On Android-based boards the serial port is typically exposed as a USB (or some custom) port, or over GPIO pins. On phones you can use Android Serial Cable or [Suzy-Q](https://chromium.googlesource.com/chromiumos/platform/ec/+/master/docs/case_closed_debugging.md). syzkaller can work without a dedicated serial port as well (by falling back to `adb shell dmesg -w`), but that is unreliable and turns lots of crashes into "lost connection to test machine" crashes with no additional info.
Get the proper compiler toolchain for your device.
Recompile and reinstall the Linux kernel with [debugging kernel options](https://github.com/xairy/syzkaller/blob/up-docs/docs/linux/kernel_configs.md) available on your board. You might benefit from backporting KCOV or KASAN patches.
## Building syzkaller
Get syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller).
The build it for either `arm` or `arm64` target architecture depending on the device you're using.
``` bash
make TARGETOS=linux TARGETARCH=arm
```
``` bash
make TARGETOS=linux TARGETARCH=arm64
```
In case you have old Android `/dev/ion` driver (kernel <= 3.18) before building syzkaller copy old `/dev/ion` descriptions:
``` bash
cp sys/android/* sys/linux
```
## Manager config
Create a manager config `android.cfg`:
```
{
"target": "linux/arm",
"http": "127.0.0.1:56741",
"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
"kernel_obj": "$KERNEL",
"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
"sandbox": none,
"procs": 1,
"type": "adb",
"cover": true,
"vm": {
"devices": [$DEVICES],
"battery_check": true
}
}
```
Replace the variables `$GOPATH`, `$KERNEL` (path to kernel build directory), and `$DEVICES` (the device ID for your board as reported by adb devices, e.g. `ABCD000010`) with their actual values.
For `arm64` use `"target": "linux/arm64"`.
If your kernel doesn't support coverage collection (e.g. `arm32` without KCOV patches) set `"cover": false`.
Turn off `battery_check` if your device doesn't have battery service, see the comment [here](/vm/adb/adb.go) for details.
## Running syzkaller
Run syzkaller manager:
``` bash
./bin/syz-manager -config=android.cfg
```
Now syzkaller should be running, you can check manager status with your web browser at `127.0.0.1:56741`.
If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](/docs/troubleshooting.md) for troubleshooting tips and [Building a Pixel kernel with KASAN+KCOV](https://source.android.com/devices/tech/debug/kasan-kcov) or [Building a PH-1 kernel with KASAN+KCOV](https://github.com/EssentialOpenSource/kernel-manifest/blob/master/README.md) for kernel build/boot instructions.
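
Review bot: In the `android.cfg` example, `"sandbox": none,` is not valid JSON as written (the removed arm64 page had `"sandbox": "none"`), and `"devices": [$DEVICES]` with the suggested value `ABCD000010` substituted leaves an unquoted string as well, so a reader who copies the block and follows the substitution text ends up with a config that does not parse. Suggest quoting both, for example `"sandbox": "none",` and `"devices": ["$DEVICES"]`. Smaller points in the same file: "The build it for" should read "Then build it for", "syskaller" is a typo, and the debugging kernel options link points at a personal fork branch (`xairy/syzkaller/blob/up-docs/...`) while the neighbouring links are repo-relative.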

@ -1,40 +0,0 @@
# Setup: Linux or Mac OS host, Android device, arm64 kernel
Prerequisites:
- Android Serial Cable or [Suzy-Q](https://chromium.googlesource.com/chromiumos/platform/ec/+/master/docs/case_closed_debugging.md) device to capture console output is preferable but optional. syzkaller can work with normal USB cable as well, but that can be somewhat unreliable and turn lots of crashes into "lost connection to test machine" crashes with no additional info.
- Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller).
In case you have old Android `/dev/ion` driver:
```sh
cp sys/android/* sys/linux
make generate
```
Then:
```sh
make TARGETOS=linux TARGETARCH=arm64
```
- Create config with `"type": "adb"` and specify adb devices to use. For example:
```
{
"target": "linux/arm64",
"http": "localhost:50000",
"workdir": "/gopath/src/github.com/google/syzkaller/workdir",
"syzkaller": "/gopath/src/github.com/google/syzkaller",
"sandbox": "none",
"procs": 8,
"type": "adb",
"vm": {
"devices": ["ABCD000010"]
}
}
```
- Start `syz-manager -config adb.cfg` as usual.
If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](/docs/troubleshooting.md) for troubleshooting tips and [Building a Pixel kernel with KASAN+KCOV](https://source.android.com/devices/tech/debug/kasan-kcov) or [Building a PH-1 kernel with KASAN+KCOV](https://github.com/EssentialOpenSource/kernel-manifest/blob/master/README.md) for kernel build/boot instructions.
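
Review bot: The ion step on this removed page ran `make generate` after `cp sys/android/* sys/linux`, and the replacement page keeps only the `cp`. If regenerating is still required after copying the old descriptions, carry `make generate` over to the new page; if it is no longer needed, say so in the commit message. The title here also covered "Linux or Mac OS host" while the new page says Linux host only, which is worth confirming as intentional.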

@ -1,56 +0,0 @@
# Setup: Ubuntu host, arm32 kernel on an Android device
This document will detail the steps involved in setting up a syzkaller instance fuzzing an ARM32 linux kernel on an Android (or Android Things) device. This is a work-in-progress at this time and being provided to spur further development. Some features of syzkaller may not yet work on ARM32. For example, not all debugging and test coverage features are available in the Linux kernel for ARM32, limiting the efficacy of syskaller in finding bugs fast. These instructions help set up syzkaller to be a basic fuzzer that does not rely on test coverage data from the kernel.
## Install Android and Linux kernel on an ARM32 device
Follow the instructions for the ARM32 board to install Android or
Android Things and make sure the device boots properly.
Set up the adb bridge so that adb and fastboot work.
Setup a serial port, following the instructions for your board so that you can monitor any messages from the kernel.
These were tested on an NXP Pico-Pi-IMX7D following the instructions [here](https://developer.android.com/things/hardware/developer-kits.html).
If feasible, recompile and reinstall the Linux kernel with any debugging options available on your board.
## Build syzkaller executables
Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller), with `arm` target:
```
make TARGETOS=linux TARGETARCH=arm
```
## Create a manager configuration file
Create a manager config myboard.cfg, replacing the environment
variables `$GOPATH`, `$KERNEL` (path to kernel build dir for the ARM32 board), and `$DEVICES` (the device ID for your board as reported by adb devices) with their actual values. Change any other flags as needed for your ARM board.
```
{
"target": "linux/arm",
"http": "127.0.0.1:56741",
"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir",
"kernel_obj": "$KERNEL",
"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
"sandbox": none,
"procs": 1,
"type": "adb",
"cover": false,
"vm": {
"devices": [$DEVICES],
"battery_check": false
}
}
```
Run syzkaller manager:
``` bash
./bin/syz-manager -config=myboard.cfg
```
Now syzkaller should be running, you can check manager status with your web browser at `127.0.0.1:56741`.
If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
Also see [this page](troubleshooting.md) for troubleshooting tips.
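
Review bot: This removed arm32 page shipped `"cover": false` and `"battery_check": false` for `"target": "linux/arm"` and stated that the setup does not rely on coverage data from the kernel, while the replacement example keeps `"target": "linux/arm"` but sets both to `true`. For an arm32 board without KCOV patches, the copy-paste default now differs from the configuration this page documented. Suggest either making the new example `"target": "linux/arm64"`, or keeping the arm32 values in the example and describing the `true` settings in the text that follows it.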