diff --git a/README.md b/README.md index 96f8e4e8..8214ba53 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,11 @@ or [KUBSAN](https://kernel.org/doc/html/latest/dev-tools/ubsan.html) (available Project mailing list: [syzkaller@googlegroups.com](https://groups.google.com/forum/#!forum/syzkaller). You can subscribe to it with a google account or by sending an email to syzkaller+subscribe@googlegroups.com. -List of [found bugs](https://github.com/google/syzkaller/wiki/Found-Bugs). +List of [found bugs](docs/found_bugs.md). -How to [report Linux kernel bugs](https://github.com/google/syzkaller/wiki/How-to-report-kernel-bugs). +How to [report Linux kernel bugs](docs/linux_kernel_reporting_bugs.md). + +How to [contribute](docs/contributing.md). ## Usage @@ -24,7 +26,7 @@ The following components are needed to use syzkaller: - syzkaller itself Generic steps to set up syzkaller are described below. -More specific information (like the exact steps for a particular host system, VM type and a kernel architecture) can be found on [the wiki](https://github.com/google/syzkaller/wiki). +More specific information (like the exact steps for a particular host system, VM type and a kernel architecture) can be found in [the documentation](docs/). ### C Compiler @@ -38,7 +40,7 @@ KCOV was committed upstream in Linux kernel version 4.6 and can be enabled by co For older kernels you need to backport commit [kernel: add kcov code coverage](https://github.com/torvalds/linux/commit/5c9a8750a6409c63a0f01d51a9024861022f6593). To enable more syzkaller features and improve bug detection abilities, it's recommended to use additional config options. -See [Kernel configs](https://github.com/google/syzkaller/wiki/Kernel-configs) for details. +See [this page](docs/linux_kernel_configs.md) for details. ### VM Setup 
@@ -62,9 +64,9 @@ These are the generic requirements for a syzkaller VM: To use QEMU syzkaller VMs you have to install QEMU on your host system, see [QEMU docs](http://wiki.qemu.org/Manual) for details. The [create-image.sh](tools/create-image.sh) script can be used to create a suitable Linux image. -Detailed steps for setting up syzkaller with QEMU on a Linux host can be found on wiki for [x86-64](https://github.com/google/syzkaller/wiki/Setup:-Ubuntu-host,-QEMU-vm,-x86_64-kernel) and [arm64](https://github.com/google/syzkaller/wiki/Setup:-Linux-host,-QEMU-vm,-arm64-kernel) kernels. +Detailed steps for setting up syzkaller with QEMU on a Linux host are avaialble for [x86-64](docs/setup_ubuntu-host_qemu-vm_x86-64-kernel.md) and [arm64](docs/setup_linux-host_qemu-vm_arm64-kernel.md) kernels. -For some details on fuzzing the kernel on an Android device check out [this wiki page](https://github.com/google/syzkaller/wiki/Setup:-Linux-host,-Android-device,-arm64-kernel) and the explicit instructions for an Odroid C2 board are available [here](https://github.com/google/syzkaller/wiki/Setup:-Ubuntu-host,-Odroid-C2-board,-arm64-kernel). +For some details on fuzzing the kernel on an Android device check out [this page](docs/setup_linux-host_android-device_arm64-kernel.md) and the explicit instructions for an Odroid C2 board are available [here](docs/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md). ### Syzkaller 
@@ -179,7 +181,7 @@ When `syzkaller` finds a crasher, it saves information about it into `workdir/cr Descriptions are extracted using a set of [regular expressions](report/report.go#L33). This set may need to be extended if you are using a different kernel architecture, or are just seeing a previously unseen kernel error messages. -`logN` files contain raw `syzkaller` logs and include kernel console output as well as programs executed before the crash. These logs can be fed to `syz-repro` tool for [crash location and minimization](https://github.com/google/syzkaller/wiki/Tools:-execprog,-prog2c,-repro), or to `syz-execprog` tool for [manual localization](https://github.com/google/syzkaller/wiki/How-to-execute-syzkaller-programs). `reportN` files contain post-processed and symbolized kernel crash reports (e.g. a KASAN report). Normally you need just 1 pair of these files (i.e. `log0` and `report0`), because they all presumably describe the same kernel bug. However, `syzkaller` saves up to 100 of them for the case when the crash is poorly reproducible, or if you just want to look at a set of crash reports to infer some similarities or differences. +`logN` files contain raw `syzkaller` logs and include kernel console output as well as programs executed before the crash. These logs can be fed to `syz-repro` tool for [crash location and minimization](docs/tools_syz-execprog_syz-prog2c_syz-repro.md), or to `syz-execprog` tool for [manual localization](docs/executing_syzkaller_programs.md). `reportN` files contain post-processed and symbolized kernel crash reports (e.g. a KASAN report). Normally you need just 1 pair of these files (i.e. `log0` and `report0`), because they all presumably describe the same kernel bug. However, `syzkaller` saves up to 100 of them for the case when the crash is poorly reproducible, or if you just want to look at a set of crash reports to infer some similarities or differences. 
There are 3 special types of crashes: - `no output from test machine`: the test machine produces no output whatsoever @@ -191,7 +193,7 @@ Most likely you won't see `reportN` files for these crashes (e.g. if there is no `syzkaller` uses declarative description of syscalls to generate, mutate, minimize, serialize and deserialize programs (sequences of syscalls). See details about the -format and extending the descriptions in [sys/README.md](sys/README.md). +format and extending the descriptions [here](docs/syscall_descriptions.md). ## Troubleshooting @@ -246,10 +248,6 @@ Here are some things to check if there are problems running syzkaller. - [Linux Plumbers 2016 talk slides](https://docs.google.com/presentation/d/1iAuTvzt_xvDzS2misXwlYko_VDvpvCmDevMOq2rXIcA/edit?usp=sharing) - [syzkaller: the next gen kernel fuzzer](https://www.slideshare.net/DmitryVyukov/syzkaller-the-next-gen-kernel-fuzzer) (basics of operations, tutorial on how to run syzkaller and how to extend it to fuzz new drivers) -## Contributing - -If you want to contribute to the project, you need to [sign Google CLA](https://cla.developers.google.com/) and add yourself to [AUTHORS](AUTHORS)/[CONTRIBUTORS](CONTRIBUTORS) files in the first pull request. Extending/improving [system call descriptions](sys/sys.txt) is always a good idea. If you want to work on something non-trivial, please briefly describe it on [syzkaller@googlegroups.com](https://groups.google.com/forum/#!forum/syzkaller) mailing list first so that there is agreement on high level approach and no duplication of work between contributors. - ## Disclaimer This is not an official Google product. diff --git a/docs/contributing.md b/docs/contributing.md new file mode 100644 index 00000000..88c80b5d --- /dev/null +++ b/docs/contributing.md 
@@ -0,0 +1,3 @@ +## Contributing + +If you want to contribute to the project, you need to [sign Google CLA](https://cla.developers.google.com/) and add yourself to [AUTHORS](AUTHORS)/[CONTRIBUTORS](CONTRIBUTORS) files in the first pull request. Extending/improving [system call descriptions](sys/sys.txt) is always a good idea. If you want to work on something non-trivial, please briefly describe it on [syzkaller@googlegroups.com](https://groups.google.com/forum/#!forum/syzkaller) mailing list first so that there is agreement on high level approach and no duplication of work between contributors. diff --git a/docs/executing_syzkaller_programs.md b/docs/executing_syzkaller_programs.md new file mode 100644 index 00000000..bd1570c0 --- /dev/null +++ b/docs/executing_syzkaller_programs.md 
@@ -0,0 +1,47 @@ +# Executing syzkaller programs + +This page describes how to execute existing syzkaller programs for the purpose of bug reproduction. This way you can replay a single program or a whole execution log with several programs. + +1. Setup Go toolchain (if you don't yet have it, you need version 1.8 or higher): +Download latest Go distribution from (https://golang.org/dl/). Unpack it to `$HOME/go1.8`. +``` bash +$ export GOROOT=$HOME/go1.8 +$ export GOPATH=$HOME/gopath +``` + +2. Download syzkaller sources: +``` bash +$ go get -u -d github.com/google/syzkaller/... +``` + +3. Build necessary syzkaller binaries: +``` bash +$ cd $GOPATH/src/github.com/google/syzkaller +$ make +``` + +4. Copy binaries and the program to test machine: +``` bash +$ scp bin/syz-execprog bin/syz-executor program test@machine +``` + +5. Run the program on the test machine: +``` bash +$ ./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16 program +``` + +Several useful `syz-execprog` flags: +``` + -collide + collide syscalls to provoke data races (default true) + -procs int + number of parallel processes to execute programs (default 1) + -repeat int + repeat execution that many times (0 for infinite loop) (default 1) + -sandbox string + sandbox for fuzzing (none/setuid/namespace) (default "setuid") + -threaded + use threaded mode in executor (default true) +``` + +If you pass `-threaded=0 -collide=0`, programs will be executed as a simple single-threaded sequence of syscalls. `-threaded=1` forces execution of each syscall in a separate thread, so that execution can proceed over blocking syscalls. `-collide=0` forces second round of execution of syscalls when pairs of syscalls are executed concurrently. diff --git a/docs/found_bugs.md b/docs/found_bugs.md new file mode 100644 index 00000000..ac42d1ca --- /dev/null +++ b/docs/found_bugs.md 
@@ -0,0 +1,462 @@ +# Found bugs + +_newer first_ + +* [usb/gadget: potential deadlock in gadgetfs_suspend](https://groups.google.com/forum/#!topic/syzkaller/J_It9ipKXhk) +* [net/can: trying to register non-static key in can_rx_register](https://groups.google.com/forum/#!topic/syzkaller/to2Or4lUrTU) +* [usb/gadget: another GPF in usb_gadget_unregister_driver](https://groups.google.com/forum/#!topic/syzkaller/I6t-ToS5cxE) +* [net: general protection fault in deactivate_slab](https://groups.google.com/forum/#!topic/syzkaller/k_Q4h-RPzkQ) +* [net/ipv4: use-after-free in add_grec](https://groups.google.com/forum/#!topic/syzkaller/dlHu8uuZWfg) +* [net/ipv6: use-after-free in ip6_dst_ifdown](https://groups.google.com/forum/#!topic/syzkaller/ZJaqAiFLe3k) +* [tty: possible deadlock in tty_buffer_flush](https://groups.google.com/forum/#!topic/syzkaller/PXe_ekNtIZ8) +* [net/ipv6: general protection fault in skb_release_data](https://groups.google.com/forum/#!topic/syzkaller/e3I2c8X2oWo) CVE-2017-9242 +* [drivers/net/hamradio: divide error in hdlcdrv_ioctl](https://groups.google.com/forum/#!topic/syzkaller/Uwy36npUcBQ) +* [tty: fix port buffer locking](https://lkml.org/lkml/2017/5/11/118) +* [kvm: warning in kvm_load_guest_fpu](https://groups.google.com/forum/#!topic/syzkaller/OSNJfH8rNPE) +* [drivers/scsi: GPF in sg_read](https://groups.google.com/forum/#!topic/syzkaller/FqYh6Jks6h0) +* [net/ipv4: use-after-free in ip_mc_drop_socket](https://groups.google.com/forum/#!topic/syzkaller/y3_fsYmwdio) CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 +* [net/ipv6: GPF in rt6_device_match](https://groups.google.com/forum/#!topic/syzkaller/PbCfeuGSoNI) +* [x86: warning: kernel stack regs has bad 'bp' value](https://groups.google.com/forum/#!topic/syzkaller/HQl-x5dWJ9Q) +* [net/key: slab-out-of-bounds in pfkey_compile_policy](https://groups.google.com/forum/#!topic/syzkaller/MHjh-tJo_wE) +* [net/ipv6: warning in 
inet6_ifa_finish_destroy](https://groups.google.com/forum/#!topic/syzkaller/Rt0pgY4wfiw) +* [net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu](https://groups.google.com/forum/#!topic/syzkaller/OhkhEez1z1A) +* [net/ipv6: slab-out-of-bounds in ip6_tnl_xmit](https://groups.google.com/forum/#!topic/syzkaller/Wr3dZWAO8vw) +* [net/rose: null-ptr-deref in rose_route_frame](https://groups.google.com/forum/#!topic/syzkaller/RWKRCxpbS90) +* [time: hang due to timer_create/timer_settime](https://groups.google.com/forum/#!topic/syzkaller/355tWdc8oHY) +* [net/core: BUG in unregister_netdevice_many](https://groups.google.com/forum/#!topic/syzkaller/3zsXPUh-KzU) +* [net/xfrm: stack-out-of-bounds in xfrm_state_find](https://groups.google.com/forum/#!topic/syzkaller/WA6MdAfCYS0) +* [net/bonding: stack-out-of-bounds in bond_enslave](https://groups.google.com/forum/#!topic/syzkaller/IDoQHFmrnRI) +* [net: ipv6: RTF_PCPU should not be settable from userspace](https://www.spinics.net/lists/netdev/msg430947.html) +* [fs/notify/inotify: slab-out-of-bounds write in strcpy](https://groups.google.com/d/msg/syzkaller/ecGeXh44M50/r7OSshSOCAAJ) +* [net/ipv6: slab-out-of-bounds read in seg6_validate_srh](https://groups.google.com/forum/#!topic/syzkaller/U3NMWDD16PM) +* [kernel BUG at mm/hugetlb.c:742!](https://lkml.org/lkml/2017/4/10/1154) +* [net/key: slab-out-of-bounds in parse_ipsecrequests](https://groups.google.com/forum/#!topic/syzkaller/vG7Cyfx-mvU) +* [net/ipv4: use-after-free in ipv4_datagram_support_cmsg](https://groups.google.com/forum/#!topic/syzkaller/F79HOk-4RhA) +* [net/ipv4: use-after-free in ip_queue_xmit](https://groups.google.com/forum/#!topic/syzkaller/X6L7h46rDsw) +* [net: use-after-free in __ns_get_path](https://groups.google.com/forum/#!topic/syzkaller/Vnf3aEG-wqY) +* [net/ipv4: use-after-free in ip_check_mc_rcu](https://groups.google.com/forum/#!topic/syzkaller/6q5nFux7N2E) +* [net/ipv6: use-after-free in 
ipv6_sock_ac_close](https://groups.google.com/forum/#!topic/syzkaller/z4Y96bFyq7I) +* [net/ipv4: use-after-free in ipv4_mtu](https://groups.google.com/forum/#!topic/syzkaller/UAjEGZoiAF4) +* [net/dccp: BUG in tfrc_rx_hist_sample_rtt](https://groups.google.com/forum/#!topic/syzkaller/inWmASLpo8Q) +* [net/sctp: list double add warning in sctp_endpoint_add_asoc](https://groups.google.com/forum/#!topic/syzkaller/6_LZGvwjzcA) +* [kvm: use-after-free in srcu_reschedule](https://groups.google.com/d/msg/syzkaller/Sl0POwca6-s/QR_z6AsFCQAJ) +* [ata: WARNING in ata_bmdma_qc_issue](https://groups.google.com/d/msg/syzkaller/Hy5yHjgOri8/0fhs94QXCAAJ) +* [net/sched: GPF in qdisc_hash_add](https://groups.google.com/d/msg/syzkaller/--acxHx5yyo/WsS4Yw7PBwAJ) +* [sg: random memory corruptions](https://groups.google.com/d/msg/syzkaller/wWn_oXRfN7Y/kgtLfy_OBwAJ) +* [fs: GPF in deactivate_locked_super](https://groups.google.com/d/msg/syzkaller/xLJUOccIV48/4yXIAfnIBwAJ) +* [loop: WARNING in sysfs_remove_group](https://groups.google.com/d/msg/syzkaller/nq6tjrQLVo4/IL-lxLHIBwAJ) +* [lib, fs, cgroup: WARNING in percpu_ref_kill_and_confirm](https://groups.google.com/d/msg/syzkaller/sT2NZaIfP_E/B15roGnIBwAJ) +* [ata: WARNING in ata_qc_issue](https://groups.google.com/d/msg/syzkaller/r1iGG9w4a9U/l6FkC0HGBwAJ) +* [security, hugetlbfs: write to user memory in hugetlbfs_destroy_inode](https://groups.google.com/d/msg/syzkaller/GLiqkLgHpc8/RzD3JUTFBwAJ) +* [netlink: NULL timer crash](https://groups.google.com/d/msg/syzkaller/drVyP4zu3SM/yPx2taTEBwAJ) +* [kvm: use-after-free function call in kvm_io_bus_destroy](https://groups.google.com/d/msg/syzkaller/1zn_juvw7Fk/BAqe32_DBwAJ) +* [sound: use-after-free in snd_seq_cell_alloc](https://groups.google.com/d/msg/syzkaller/ZXLFJniQJJE/menSWN_CBwAJ) +* [usb: use-after-free write in usb_hcd_link_urb_to_ep](https://groups.google.com/d/msg/syzkaller/v5ra3_AduC4/8-43yozCBwAJ) +* [net/kcm: double free of kcm 
inode](https://groups.google.com/d/msg/syzkaller/CFYuMediESc/L31CuijCBwAJ) +* [crypto: out-of-bounds write in pre_crypt](https://groups.google.com/d/msg/syzkaller/ivRlyW1WX10/3M9rSuC9BwAJ) +* [security: double-free in superblock_doinit](https://groups.google.com/d/msg/syzkaller/AXrX3E0YOsg/dvcctKm8BwAJ) +* [kvm: WARNING in kvm_apic_accept_events](https://groups.google.com/d/msg/syzkaller/gBu_q0nPy9o/r3QmSIO6BwAJ) +* [tcp: fix potential double free issue for fastopen_req](https://www.spinics.net/lists/netdev/msg422971.html) +* [net/udp: slab-out-of-bounds Read in udp_recvmsg](https://groups.google.com/d/msg/syzkaller/K6CC1usBuWs/6aYxL79BBQAJ) +* [net: deadlock between ip_expire/sch_direct_xmit](https://groups.google.com/d/msg/syzkaller/e-2ANaCu2fk/zvSg0l4DBQAJ) +* [srcu: BUG in __synchronize_srcu](https://groups.google.com/forum/#!topic/syzkaller/2WSsltbI5Z8) +* [net/sctp: recursive locking in sctp_do_peeloff](https://groups.google.com/d/msg/syzkaller/5NY7KjBKgA0/nMm6k7bwEQAJ) +* [kvm: WARNING in vmx_handle_exit](https://groups.google.com/d/msg/syzkaller/D01HuY1tDhc/UIeC8eXfDQAJ) +* [futex: use-after-free in futex_wait_requeue_pi](https://groups.google.com/d/msg/syzkaller/MrJ5ckRkQBI/pXjdOFztEQAJ) +* [kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update](https://groups.google.com/forum/#!topic/syzkaller/QUhNm5patag) +* [kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds](https://groups.google.com/forum/#!topic/syzkaller/Hk9R17J-2tA) +* [local privilege escalation flaw in n_hdlc](http://seclists.org/oss-sec/2017/q1/569) CVE-2017-2636 +* [netlink: GPF in netlink_unicast](https://groups.google.com/d/msg/syzkaller/AN-WbVHU0hw/iMmJEUSbEAAJ) +* [perf: use-after-free in perf_release](https://groups.google.com/d/msg/syzkaller/_P-SyZtwVXk/RhO-VB2YEAAJ) +* [net/ipv6: null-ptr-deref in ip6mr_sk_done](https://groups.google.com/forum/#!topic/syzkaller/H8hyTRfCClI) +* [bpf: kernel NULL pointer dereference in 
map_get_next_key](https://groups.google.com/d/msg/syzkaller/nyr1SaxHfyo/gp21-xhaEAAJ) +* [crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex](https://groups.google.com/d/msg/syzkaller/jtz84qFQ_3s/vzFV8YhaEAAJ) +* [kvm: use-after-free in vmx_check_nested_events/vmcs12_guest_cr0](https://groups.google.com/d/msg/syzkaller/_e1uwkRRVfk/CqEIKj9SEAAJ) +* [sound: another deadlock in snd_seq_pool_done](https://groups.google.com/d/msg/syzkaller/GAUhiTjyDfI/XcIntncQEAAJ) +* [rcu: WARNING in rcu_seq_end](https://groups.google.com/d/msg/syzkaller/M4UEuqSTMR8/JoEPLtQOEAAJ) +* [fs: use-after-free in path_lookupat](https://groups.google.com/d/msg/syzkaller/_8MZkKL2-QU/PA0q5XULEAAJ) +* [ucount: use-after-free read in inc_ucount & dec_ucount](https://groups.google.com/d/msg/syzkaller/xB_UphO1T7w/me1WddQAEAAJ) +* [net/ipv4: division by 0 in tcp_select_window](https://groups.google.com/d/msg/syzkaller/TFH8rl8yTrU/9PzPjkfHDwAJ) +* [net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone](https://groups.google.com/d/msg/syzkaller/3SS80JbVPKA/2tfIAcW7DwAJ) +* [mm: use-after-free in zap_page_range](https://groups.google.com/d/msg/syzkaller/-e9ZYxL9zts/6ip-8FK5DwAJ) +* [net/kcm: use-after-free in kcm_wq](https://groups.google.com/d/msg/syzkaller/c_jOLx9FEgk/nz2PJROtDwAJ) +* [idr: use-after-free write in ida_get_new_above](https://groups.google.com/d/msg/syzkaller/23J2nN6syEE/gFFk_xSsDwAJ) +* [sg: stack out-of-bounds write in sg_write](https://groups.google.com/d/msg/syzkaller/fvvhyYQHiT8/UOnInaajDwAJ) CVE-2017-7187 +* [cgroup: WARNING in cgroup_kill_sb](https://groups.google.com/d/msg/syzkaller/pWKI4ZQeOoI/SmTmQEF8DwAJ) +* [net/rds: use-after-free in rds_find_bound/memcmp](https://groups.google.com/d/msg/syzkaller/ZBEXtkNoG9o/kgQVbjjXDgAJ) +* [net: sleeping function called from invalid context in net_enable_timestamp](https://groups.google.com/d/msg/syzkaller/k5qJRYKqIgQ/EfJBkqwvDwAJ) +* [net: use-after-free in 
neigh_timer_handler/sock_wfree](https://groups.google.com/d/msg/syzkaller/2REBGTmpSTE/pT95olUuDwAJ) +* [net/sctp: use-after-free in sctp_association_put](https://groups.google.com/d/msg/syzkaller/AA_hWiHcgrs/4lIAQ94tDwAJ) +* [fs: use-after-free in userfaultfd_exit](https://groups.google.com/d/msg/syzkaller/Uu0ZwFPrmu8/WRWYCC8sDwAJ) +* [net/ipv4: inconsistent lock state in tcp_conn_request/inet_ehash_insert](https://groups.google.com/forum/#!topic/syzkaller/OnwnEEhZap8) +* [net/ipv4: suspicious RCU usage in ip_ra_control](https://groups.google.com/d/msg/syzkaller/mS6hi72YPkc/FwCYiR7JDwAJ) +* [net/ipv4: deadlock in ip_ra_control](https://groups.google.com/d/msg/syzkaller/mS6hi72YPkc/jZyjMMgRDwAJ) +* [net/dccp: dccp_create_openreq_child freed held lock](https://groups.google.com/d/msg/syzkaller/0jXubCbCmeQ/OXoQEjgODwAJ) +* [nested_vmx_merge_msr_bitmap](https://groups.google.com/d/msg/syzkaller/2631gzzWnA4/jm91h6HeDgAJ) +* [ipc: use-after-free in shm_get_unmapped_area](https://groups.google.com/d/msg/syzkaller/Kv2bIHYA8N8/kZqVCqXaDgAJ) +* [sounds: deadlocked processed in snd_seq_pool_done](https://groups.google.com/d/msg/syzkaller/ZARHLaXAmYQ/eSfeP-HVDgAJ) +* [net/atm: vcc_sendmsg calls kmem_cache_alloc in non-blocking context](https://groups.google.com/d/msg/syzkaller/5gb5kxihtps/oy4pVZ3SDgAJ) +* [ata: WARNING in ata_sff_qc_issue](https://groups.google.com/d/msg/syzkaller/0v1qHkmM-VU/6InmOLvPDgAJ) +* [net/rds: use-after-free in inet_create](https://groups.google.com/d/msg/syzkaller/ZBEXtkNoG9o/s46xtB7PDgAJ) +* [mm: fault in __do_fault](https://groups.google.com/d/msg/syzkaller/CRQxZS4nck0/6DD2SyfODgAJ) +* [kvm: WARNING in nested_vmx_vmexit](https://groups.google.com/d/msg/syzkaller/w3EBRlb2h6s/GdIi_y3IDgAJ) +* [net: GPF in rt6_nexthop_info](https://groups.google.com/d/msg/syzkaller/AMyOvIrf--c/RB-mpPjFDgAJ) +* [sound: spinlock lockup in snd_timer_user_tinterrupt](https://groups.google.com/d/msg/syzkaller/3efGwZt0nLI/pPt4WoGVDgAJ) +* [mm: GPF in 
bdi_put](https://groups.google.com/d/msg/syzkaller/ixaSKtOoO7k/UjxnRr2JDgAJ) +* [net/sctp: use-after-free in sctp_hash_transport](https://groups.google.com/forum/#!topic/syzkaller/Ew5hrZI7Obs) +* [net/bridge: warning in br_fdb_find](https://groups.google.com/forum/#!topic/syzkaller/d9XyhdJXwa0) +* [net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire](https://groups.google.com/forum/#!topic/syzkaller/gEoL2QX519c) +* [net: possible deadlock in skb_queue_tail](https://groups.google.com/forum/#!topic/syzkaller/XEp_9K8FmIM) +* [DCCP double-free vulnerability (local root)](http://seclists.org/oss-sec/2017/q1/471) CVE-2017-6074 +* [net: warning in inet_sock_destruct](https://groups.google.com/forum/#!topic/syzkaller/QwkU6JMkjBg) +* [net/pptp: use-after-free in dst_release](https://groups.google.com/forum/#!topic/syzkaller/ZR9QP3JNE18) +* [net/udp: slab-out-of-bounds in udp_recvmsg/do_csum](https://groups.google.com/forum/#!topic/syzkaller/vCUAq86bJaA) CVE-2017-6347 +* [WARNING in skb_warn_bad_offload](https://patchwork.ozlabs.org/patch/722135/) +* [tty: panic in tty_ldisc_restore](https://groups.google.com/d/msg/syzkaller/ty5IhaYWVp8/aTN_hZ8qBQAJ) +* [net: BUG in __skb_gso_segment](https://groups.google.com/forum/#!topic/syzkaller/wLAp3HzIXSo) +* [net/dccp: use-after-free in dccp_feat_activate_values](https://groups.google.com/forum/#!topic/syzkaller/hyM_oK9QOXU) +* [net/kcm: GPF in kcm_sendmsg](https://groups.google.com/d/msg/syzkaller/8YB3cFmKRqs/DYu7vJiCCAAJ) +* [net/xfrm: stack out-of-bounds in xfrm_flowi_sport](https://groups.google.com/d/msg/syzkaller/J2qVz4ZJpPg/Fw0QURWBCAAJ) +* [net/llc: BUG in llc_sap_state_process/skb_set_owner_r](https://groups.google.com/forum/#!topic/syzkaller/c1SOlcflXz8) CVE-2017-6345 +* [net/llc: bug in llc_pdu_init_as_xid_cmd/skb_over_panic](https://groups.google.com/forum/#!topic/syzkaller/mVs8KWoW4d8) +* [net/packet: use-after-free in packet_rcv_fanout](https://groups.google.com/d/msg/syzkaller/nOwR6_b4rmw/ocp21bZBBwAJ) +* [net: 
SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected in skb_array_produce](https://groups.google.com/d/msg/syzkaller/eHfRFbBg4LE/stDU3KYyBwAJ) +* [net/ipv4: null-ptr-deref in udp_rmem_release/sk_memory_allocated_sub](https://groups.google.com/forum/#!topic/syzkaller/8BMdxIXdH4g) +* [net/sctp: null-ptr-deref in sctp_put_port/sctp_endpoint_destroy](https://groups.google.com/forum/#!topic/syzkaller/S79Ss7ZUje8) +* [net/ipv4: warning in nf_nat_ipv4_fn](https://groups.google.com/forum/#!topic/syzkaller/5VxeBb85Ddg) +* [net/ipv6: double free in ipip6_dev_free](https://groups.google.com/d/msg/syzkaller/ZN9Ihlsum_s/4UuXXmn1BgAJ) +* [sound: use-after-free in snd_seq_queue_alloc](https://groups.google.com/d/msg/syzkaller/dhaTlAjxHVs/TXyPrX_nBgAJ) +* [loop: divide error in transfer_xor](https://groups.google.com/d/msg/syzkaller/1f1ziDbOTiQ/cFC0_wfnBgAJ) +* [net/xfrm: use of uninit spinlock in xfrm_policy_flush](https://groups.google.com/d/msg/syzkaller/vp1neyeoA8A/Is8aPdrpBgAJ) +* [mm: double-free in cgwb_bdi_init](https://groups.google.com/d/msg/syzkaller/tIx42qCVklk/fh0qjUboBgAJ) +* [packet: round up linear to header len](http://patchwork.ozlabs.org/patch/725335/) +* [net/icmp: null-ptr-deref in ping_v4_push_pending_frames](https://groups.google.com/forum/#!topic/syzkaller/DYyq0NyEY4g) +* [net/kcm: WARNING in kcm_write_msgs](https://groups.google.com/d/msg/syzkaller/vsh_MSFHizg/Uf-GzB1UBgAJ) +* [tcp: avoid infinite loop in tcp_splice_read()](https://www.mail-archive.com/netdev@vger.kernel.org/msg151936.html) CVE-2017-6214 +* [tun: read vnet_hdr_sz once](http://patchwork.ozlabs.org/patch/723964/) +* [macvtap: read vnet_hdr_size once](http://patchwork.ozlabs.org/patch/723965/) +* [udp: properly cope with csum errors](https://patchwork.ozlabs.org/patch/724263/) +* [ipv6: tcp: add a missing tcp_v6_restore_cb()](https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a8fbaf33756) +* [ip6_gre: fix ip6gre_err() invalid 
reads](https://patchwork.ozlabs.org/patch/724187/) CVE-2017-5897 +* [ipv4: keep skb->dst around in presence of IP options](https://patchwork.ozlabs.org/patch/724136/) CVE-2017-5970 +* [net: use a work queue to defer net_disable_timestamp() work](https://patchwork.ozlabs.org/patch/723251/) +* [netlabel: out of bound access in cipso_v4_validate()](https://patchwork.ozlabs.org/patch/723457/) +* [ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()](https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git/+/63117f09c768be05a0bf465911297dc76394f686) +* [net: heap out-of-bounds in ip6_fragment](https://groups.google.com/d/msg/syzkaller/zakUQXz8ums/lNcDLtARBQAJ) CVE-2017-9074 +* [tcp: fix 0 divide in __tcp_select_window()](https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=06425c308b92eaf60767bc71d359f4cbc7a561f8) +* [keys: GPF in request_key](https://groups.google.com/d/msg/syzkaller/As2A-xeNp0g/eu50sRnKBAAJ) +* [net/tcp: warning in tcp_try_coalesce/skb_try_coalesce](https://groups.google.com/forum/#!topic/syzkaller/oeZW04VAQBM) +* [crypto: NULL deref in sha512_mb_mgr_get_comp_job_avx2](https://groups.google.com/d/msg/syzkaller/4nGqh82OL7g/0lU1zpp-BAAJ) +* [sound: unable to handle kernel paging request snd_seq_prioq_cell_out](https://groups.google.com/d/msg/syzkaller/wn-_0zA8ka4/kLB6BSR0BAAJ) +* [scsi: BUG in scsi_init_io](https://groups.google.com/d/msg/syzkaller/p2MBG9oRNdo/4MxGbWFwBAAJ) +* [mm: sleeping function called from invalid context shmem_undo_range](https://groups.google.com/d/msg/syzkaller/j8Zj72bs2xE/HjPk2dduBAAJ) +* [timerfd: use-after-free in timerfd_remove_cancel](https://groups.google.com/d/msg/syzkaller/bryiI66Pxxg/78NqwMhBBAAJ) +* [scsi: use-after-free in sg_start_req](https://groups.google.com/d/msg/syzkaller/Nft7hrE_CyM/QvEjMuUcBAAJ) +* [mm: deadlock between get_online_cpus/pcpu_alloc](https://groups.google.com/d/msg/syzkaller/G40CCUkkyDE/9Y3u-rXfAwAJ) +* [BUG at 
net/sctp/socket.c:7425](https://groups.google.com/d/msg/syzkaller/V2WPJ1BiXs0/-NO5Yea3AwAJ) +* [kvm: use-after-free in irq_bypass_register_consumer](https://groups.google.com/d/msg/syzkaller/UHiABsxXVaI/lQQ36P5eAwAJ) +* [net: suspicious RCU usage in nf_hook](https://groups.google.com/d/msg/syzkaller/9876JHd_awE/xqvU9HFeAwAJ) +* [kvm: fix page struct leak in handle_vmon](https://www.spinics.net/lists/kernel/msg2428945.html) CVE-2017-2596 +* [ipv6: fix ip6_tnl_parse_tlv_enc_lim()](https://patchwork.ozlabs.org/patch/718842/) +* [kvm: WARNING in mmu_spte_clear_track_bits](https://groups.google.com/d/msg/syzkaller/Ii09l8gpFO4/ZXcevV8NAgAJ) +* [perf: use-after-free in perf_event_for_each](https://groups.google.com/d/msg/syzkaller/UjDJeCgt3_M/xsv0cLUKAgAJ) +* [net: use-after-free in tw_timer_handler](https://groups.google.com/d/msg/syzkaller/p1tn-_Kc6l4/smuL_FMAAgAJ) +* [namespace: deadlock in dec_pid_namespaces](https://groups.google.com/d/msg/syzkaller/uhFVBGnXzHQ/-kZya8AdAQAJ) +* [sctp: kernel memory overwrite attempt detected in sctp_getsockopt_assoc_stats](https://groups.google.com/d/msg/syzkaller/Ok2fotcCSsg/10Tak7X0EQAJ) +* [kvm: deadlock in kvm_vgic_map_resources](https://groups.google.com/d/msg/syzkaller/7E0b8H0nJm8/-aoPnGW_EAAJ) +* [net/atm: warning in alloc_tx/__might_sleep](https://groups.google.com/forum/#!topic/syzkaller/3WJGPLm6FmQ) +* [net/ipv6: use-after-free in sock_wfree](https://groups.google.com/forum/#!topic/syzkaller/BhyN5OFd7sQ) +* [kvm: kvm: BUG in loaded_vmcs_init](https://groups.google.com/d/msg/syzkaller/VrcANKRU3iQ/KdZDHdIiDwAJ) +* [kvm: NULL deref in vcpu_enter_guest](https://groups.google.com/d/msg/syzkaller/6V-KXaMDYi8/rOvBl-69DAAJ) +* [kvm: use-after-free in complete_emulated_mmio](https://groups.google.com/d/msg/syzkaller/-Pl63SQ63FA/pYO4cRkUDAAJ) CVE-2017-2584 +* [kvm: BUG in kvm_unload_vcpu_mmu](https://groups.google.com/d/msg/syzkaller/VbGoa1nALVw/x7hPnUMXDAAJ) +* [x86: warning in 
unwind_get_return_address](https://groups.google.com/forum/#!topic/syzkaller/BQBlYH-dNNM) +* [ipc: BUG: sem_unlock unlocks non-locked lock](https://groups.google.com/d/msg/syzkaller/u_ldPlYJSxk/Iu6CmEmlCAAJ) +* [kvm: WARNING in mmu_spte_clear_track_bits](https://groups.google.com/d/msg/syzkaller/Ii09l8gpFO4/HOkydz_bBwAJ) +* [sctp: suspicious rcu_dereference_check() usage in sctp_epaddr_lookup_transport](https://groups.google.com/d/msg/syzkaller/4V6zHuGzYuM/sLQkIJTVBwAJ) +* [usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns](https://groups.google.com/forum/#!topic/syzkaller/wvB_W78nTh0) +* [usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask](https://groups.google.com/forum/#!topic/syzkaller/d2FD55alPqY) +* [kvm: use-after-free in process_srcu](https://groups.google.com/d/msg/syzkaller/i48YZ8mwePY/0PQ8GkQTBwAJ) +* [kvm: assorted bugs after OOMs](https://groups.google.com/d/msg/syzkaller/ytVPh93HLnI/KhZdengZBwAJ) +* [kvm: deadlock between kvm_io_bus_register_dev/kvm_hv_set_msr_common](https://groups.google.com/d/msg/syzkaller/KYU8Ru7P2wo/fHM0gbuUBgAJ) +* [netlink: GPF in netlink_dump](https://groups.google.com/d/msg/syzkaller/wXVYTkQqmeM/KJFTDTE2BgAJ) +* [fs, net: deadlock between bind/splice on af_unix](https://groups.google.com/d/msg/syzkaller/E3_YC5Ac-dY/Wr42pcVBBgAJ) +* [usb/gadget: slab-out-of-bounds write in dev_config](https://groups.google.com/forum/#!topic/syzkaller/Y4hEomcJgjY) +* [usb/gadget: warning in dummy_free_request](https://groups.google.com/forum/#!topic/syzkaller/nNVKOT0fdaY) +* [usb/gadget: use-after-free in gadgetfs_setup](https://groups.google.com/forum/#!topic/syzkaller/PBWoEbmzrto) +* [usb/gadget: GPF in usb_gadget_unregister_driver](https://groups.google.com/forum/#!topic/syzkaller/HDawLBeeORI) +* [net: use-after-free in worker_thread](https://groups.google.com/forum/#!topic/syzkaller/RCnXAyhFBZs) +* [net: signed overflows in SO_{SND|RCV}BUFFORCE sockopts](https://groups.google.com/forum/#!topic/syzkaller/rXpw5jXjGBM) 
CVE-2016-9793 CVE-2012-6704 +* [usb/gadget: warning in dev_config/memdup_user](https://groups.google.com/forum/#!topic/syzkaller/bt6m57DyKLk) +* [net/can: warning in raw_setsockopt/__alloc_pages_slowpath](https://groups.google.com/forum/#!topic/syzkaller/6ceFXDer0ik) +* [net/ipv6: null-ptr-deref in ip6_rt_cache_alloc](https://groups.google.com/forum/#!topic/syzkaller/ryLwIsiKnmA) +* [net/dccp: use-after-free in dccp_invalid_packet](https://groups.google.com/forum/#!topic/syzkaller/5uW1cV_WjIQ) +* [net/sctp: vmalloc allocation failure in sctp_setsockopt/xt_alloc_table_info](https://groups.google.com/forum/#!topic/syzkaller/TMlGTPkIlFU) +* [net: BUG in unix_notinflight](https://groups.google.com/d/msg/syzkaller/4PFR0zm8JdU/XIGam5-dAgAJ) +* [net: GPF in eth_header](https://groups.google.com/d/msg/syzkaller/GFbGpX7nTEo/96LNG7KbAgAJ) CVE-2016-9755 +* [net: deadlock on genl_mutex](https://groups.google.com/d/msg/syzkaller/-YGhBYeg8Ew/jf9uD0maAgAJ) +* [net: GPF in rt6_get_cookie](https://groups.google.com/d/msg/syzkaller/3uDn6P5bwzA/gdzgPxeYAgAJ) +* [netlink: GPF in sock_sndtimeo](https://groups.google.com/d/msg/syzkaller/R_KZuzEDLeg/SkANc-yVAgAJ) +* [scsi: use-after-free in bio_copy_from_iter](https://groups.google.com/d/msg/syzkaller/Ut8nZJIJoEs/lhPdzXlSAgAJ) CVE-2016-9576 +* [net/udp: bug in skb_pull_rcsum](https://groups.google.com/forum/#!topic/syzkaller/fVj7UJ6nOow) +* [net/icmp: null-ptr-deref in icmp6_send](https://groups.google.com/forum/#!topic/syzkaller/exfKDuH5sLI) CVE-2016-9919 +* [net/can: use-after-free in bcm_rx_thr_flush](https://groups.google.com/forum/#!topic/syzkaller/1kM2GFIzSBU) +* [kvm: slab-out-of-bounds write in __apic_accept_irq](https://groups.google.com/d/msg/syzkaller/YWVsTBlRljk/xMwrqdOgCAAJ) CVE-2016-9777 +* [mm: BUG in pgtable_pmd_page_dtor](https://groups.google.com/d/msg/syzkaller/JGNtVzSymvw/6VbQla2gCAAJ) +* [logfs: GPF in logfs_alloc_inode](https://groups.google.com/d/msg/syzkaller/jj5WiCBNDh4/tYlsqCegCAAJ) +* [mm, floppy: unkillable 
task faulting on fd0](https://groups.google.com/d/msg/syzkaller/v6X8nr-XMqY/AKvXMjqdCAAJ) +* [kvm: deadlock between kvm_vm_ioctl_get_dirty_log/kvm_hv_set_msr_common/kvm_create_pit](https://groups.google.com/d/msg/syzkaller/AMBA62hsVnQ/vtH4SEeoBwAJ) +* [kvm: WARNING in em_jmp_far](https://groups.google.com/d/msg/syzkaller/vlC9IzBqaEs/S5sZl9ejBwAJ) CVE-2016-9756 +* [kvm: WARNING in rtc_status_pending_eoi_check_valid](https://groups.google.com/d/msg/syzkaller/WuAv_qE8dI8/jJd6E3ClBwAJ) +* [kvm: GPF in kvm_ioapic_set_irq](https://groups.google.com/d/msg/syzkaller/yOvg84HBx6E/6db4LE6jBwAJ) +* [mm: BUG in munlock_vma_pages_range](https://groups.google.com/d/msg/syzkaller/YrHKOMostEc/3Arq3dCiBwAJ) +* [kvm: WARNING in kvm_arch_vcpu_ioctl_run](https://groups.google.com/d/msg/syzkaller/24wCim9x3mI/RoV24W5yBwAJ) +* [kvm: use-after-free/GPF in kvm_irq_delivery_to_apic_fast](https://groups.google.com/d/msg/syzkaller/sue3X3IQanU/ypLWfHTpBgAJ) +* [kvm: out-of-bounds write in __rtc_irq_eoi_tracking_restore_one](https://groups.google.com/d/msg/syzkaller/8IXfmLUSkbA/8bbm6hbqBgAJ) +* [kvm: BUG in pte_list_remove](https://groups.google.com/d/msg/syzkaller/IqkesiRS-t0/aLcJuMXqBgAJ) +* [kvm: recursive lock in kvm_clear_async_pf_completion_queue](https://groups.google.com/d/msg/syzkaller/dGfcd0P7J-E/XD0h8n_rBgAJ) +* [kvm: WARNING in em_ret_far](https://groups.google.com/d/msg/syzkaller/o5ZftARBhrs/r1ivQ-HtBgAJ) +* [kvm: GPF in irqfd_shutdown/eventfd_ctx_remove_wait_queue](https://groups.google.com/d/msg/syzkaller/Zubs2yePdiY/svec5qrtBgAJ) +* [kvm: GPF in gfn_to_rmap](https://groups.google.com/d/msg/syzkaller/sHBCmfktDGg/dAhz7M7vBgAJ) +* [kvm: paging fault in kvm_gfn_to_hva_cache_init](https://groups.google.com/d/msg/syzkaller/ETU_E6Sc-rk/-iWFPpTwBgAJ) +* [kvm: suspicious RCU usage/missed lock in kvm_lapic_set_vapic_addr](https://groups.google.com/d/msg/syzkaller/Zw7Usg-FnDQ/QvHU6P69BgAJ) +* [kvm: use-after-free in 
irq_bypass_register_consumer](https://groups.google.com/d/msg/syzkaller/NKlClJzOOww/zX1sXW24BgAJ) +* [kvm: WARNING in kvm_load_guest_fpu](https://groups.google.com/d/msg/syzkaller/PeDBKPqz19o/VckGWlW0BgAJ) +* [kvm: GPF in kvm_pic_set_irq](https://groups.google.com/d/msg/syzkaller/T4ZFHqpmwKM/V_X9W8awBgAJ) +* [kvm: GPF in irq_bypass_unregister_consumer](https://groups.google.com/d/msg/syzkaller/Dz__GySpVr8/UQ5kpdWrBgAJ) +* [kvm: GPF in __get_kvmclock_ns](https://groups.google.com/d/msg/syzkaller/A5cpi35KlkQ/a35IrBmoBgAJ) +* [kvm: WARNING In kvm_apic_accept_events](https://groups.google.com/d/msg/syzkaller/1qxx4nU4hpE/qJlIQcWtBgAJ) +* [kvm: WARNING in __x86_set_memory_region](https://groups.google.com/d/msg/syzkaller/F3xBpkDRAiE/jdmpOIKtBgAJ) +* [tcp: take care of truncations done by sk_filter()](https://patchwork.ozlabs.org/patch/693484/) +* [net/l2tp: use-after-free write in l2tp_ip6_close](https://groups.google.com/forum/#!topic/syzkaller/rXbAbqydmsw) +* [net/sctp: null-ptr-deref in sctp_inet_listen](https://groups.google.com/forum/#!topic/syzkaller/rngiXb8aNVk) +* [net/tcp: warning in tcp_recvmsg](https://groups.google.com/forum/#!topic/syzkaller/xpNRe_86Dog) +* [net/netlink: another global-out-of-bounds in genl_family_rcv_msg/validate_nla](https://groups.google.com/forum/#!topic/syzkaller/BTjwhbtc9QE) +* [bpf: kernel BUG in htab_elem_free](https://groups.google.com/d/msg/syzkaller/NcK5XXQA-_o/DYskkVn1AwAJ) +* [net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla](https://groups.google.com/forum/#!topic/syzkaller/6k-N84V-Z88) +* [net/ipv6: null-ptr-deref in inet6_bind](https://groups.google.com/forum/#!topic/syzkaller/AdbicmLlFHk) +* [net/dccp: null-ptr-deref in dccp_parse_options](https://groups.google.com/forum/#!topic/syzkaller/_vGUxJLcdKY) +* [net/dccp: null-ptr-deref in dccp_v4_rcv/selinux_socket_sock_rcv_skb](https://groups.google.com/forum/#!topic/syzkaller/nyrJEo2pUJs) +* [net/tcp: null-ptr-deref in 
__inet_lookup_listener/inet_exact_dif_match](https://groups.google.com/forum/#!topic/syzkaller/zfXVCzJTXzQ) +* [net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep](https://groups.google.com/forum/#!topic/syzkaller/GDvJr49XK7g) +* [net/can: warning in bcm_connect/proc_register](https://groups.google.com/forum/#!topic/syzkaller/ltCQQCE44pQ) +* [net/ipv4: warning in inet_sock_destruct](https://groups.google.com/forum/#!topic/syzkaller/8tMiUcdWx78) +* [net/sctp: slab-out-of-bounds in sctp_sf_ootb](https://groups.google.com/forum/#!topic/syzkaller/pAUcHsUJbjk) CVE-2016-9555 +* [net/dccp: warning in dccp_set_state](https://groups.google.com/forum/#!topic/syzkaller/JdYwfv_22lA) +* [net/netlink: bad unlock balance in netlink_diag_dump](https://groups.google.com/forum/#!topic/syzkaller/Pk4VwBtZD2Y) +* [net/netlink: null-ptr-deref in netlink_dump/lock_acquire](https://groups.google.com/forum/#!topic/syzkaller/Pk4VwBtZD2Y) +* [net/ipx: null-ptr-deref in ipxrtr_route_packet](https://groups.google.com/forum/#!topic/syzkaller/xqRSxMxPVq0) +* [net/sctp: use-after-free in __sctp_connect](https://groups.google.com/forum/#!topic/syzkaller/W0swoIe25Eg) +* [fs: WARNING in locks_unlink_lock_ctx (not holding proper lock)](https://groups.google.com/d/msg/syzkaller/9DFicr6njUw/aaX3dVtNBQAJ) +* [kernel BUG in dio_get_page](https://groups.google.com/d/msg/syzkaller/rCCyOHJHflI/Ik7IhXWzBAAJ) +* [bpf related use-after-free](http://seclists.org/oss-sec/2016/q2/332) CVE-2016-4794 +* [drm: GPF in drm_getcap](https://groups.google.com/d/msg/syzkaller/dxVHCovRzhg/7QPBBqi4BwAJ) +* [fs: GPF in bd_mount](https://groups.google.com/d/msg/syzkaller/Z7OCclqCuq0/--YUa8QrBgAJ) +* [tty, fbcon: use-after-free in fbcon_invert_region](https://groups.google.com/d/msg/syzkaller/1DU69JpJwJg/n-6V4Wr5BQAJ) +* [drm: NULL pointer dereference in drm_mode_object_find()](https://groups.google.com/d/msg/syzkaller/7kyIupsNz-c/dWIIMpJXAQAJ) +* [6pack: stack-out-of-bounds in 
sixpack_receive_buf](https://groups.google.com/d/msg/syzkaller/A1x5I2hxcew/DjzZX7_mBQAJ) +* [logfs: GPF in logfs_init_inode](https://groups.google.com/d/msg/syzkaller/sU52_tpOsxQ/QTmqrIjlBQAJ) +* [tty: use-after-free in n_tty_receive_buf_fast](https://groups.google.com/d/msg/syzkaller/wz0PXUAcE7g/QN-MnqnjBQAJ) +* [sound: divide by 0 in snd_hrtimer_callback (or hang)](https://groups.google.com/d/msg/syzkaller/YZDD4SOU2Lk/LwRAiknjBQAJ) +* [mm: GPF in __insert_vmap_area](https://groups.google.com/d/msg/syzkaller/dTC7VpMKBu0/Aasz9zHiBQAJ) +* [fs, tty: WARNING in devpts_get_priv](https://groups.google.com/d/msg/syzkaller/qz7_4jCFPvw/nm19yTfbBQAJ) +* [fanotify: unkillable hanged processes](https://groups.google.com/d/msg/syzkaller/kY_ml6TCm9A/wDd5fYFXBQAJ) +* [drm: GPF in drm_context_switch_complete](https://groups.google.com/d/msg/syzkaller/ZB879NphOvw/ZDzsirsgBAAJ) +* [drm: GPF in drm_legacy_lock_free](https://groups.google.com/d/msg/syzkaller/VsfDwjS-Vk8/HOxWf1cgBAAJ) +* [sound: division by 0 in snd_hrtimer_callback](https://groups.google.com/d/msg/syzkaller/HOTZlap4aZ8/E9EnyqwfBAAJ) +* [perf: WARNING in perf_event_read](https://groups.google.com/d/msg/syzkaller/nQl0TADtoXc/qwp8erUdBAAJ) +* [drm: WARNING in drm_irq_by_busid](https://groups.google.com/d/msg/syzkaller/1ckoC7WPx3c/-JO150EIBAAJ) +* [dri: WARNING in idr_remove](https://groups.google.com/d/msg/syzkaller/wOfaszMuYSQ/2a5fyjkSBAAJ) +* [mm: use-after-free in collapse_huge_page](https://groups.google.com/d/msg/syzkaller/eFgUtJ_WbmM/yBQp-6QFBAAJ) +* [kcm: use-after-free in fput of kcm socket](https://groups.google.com/d/msg/syzkaller/1S98uAzWBLg/c9ANduUDBAAJ) +* [bdev: fix NULL pointer dereference in sync()/close() race](https://groups.google.com/d/msg/syzkaller/Gu28cO5tVSw/uAwLAuKrAwAJ) +* [bdev: fix NULL pointer dereference](https://groups.google.com/forum/#!topic/syzkaller/VF7tNBDWFMI) +* [BUG: sleeping function called from invalid context at mm/mempolicy.c:553](http://pastebin.com/uNQW3afN) +* [use-after-free 
in ppp_unregister_channel](http://review.cyanogenmod.org/#/c/145489/) +* [net/tipc: NULL-ptr dereference in tipc_nl_publ_dump](http://lists.openwall.net/netdev/2016/05/14/35) +* [HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()](https://patchwork.kernel.org/patch/8583981/) +* [mm: memory corruption on mmput](http://lists.openwall.net/linux-kernel/2016/04/17/72) +* [perf: WARNING in perf_event_read](https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1214159.html) +* [9p2000.L stat/unlink race (WARNING: fs/inode.c:280 drop_nlink)](https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1214157.html) +* [mm: page fault in __do_huge_pmd_anonymous_page](https://groups.google.com/d/msg/syzkaller/Ihm6d1NmRk8/WG-qZ6aMCQAJ) +* [usb: memory allocation WARNING in hcd_buffer_alloc](https://groups.google.com/d/msg/syzkaller/svY2Ac1RYCM/wD9pZHeJCQAJ) +* [dccp: potential deadlock in dccp_v4_ctl_send_reset](https://groups.google.com/d/msg/syzkaller/yrxEaY_QQEM/Xtx0LrSICQAJ) +* [mm: GPF in find_get_pages_tag](https://groups.google.com/d/msg/syzkaller/9XYmMfpNxCg/jl1EgpmHCQAJ) +* [mm: BUG in page_move_anon_rmap](https://groups.google.com/d/msg/syzkaller/E21YB1m9Fb4/yrj55fZZCAAJ) +* [block: GPF in get_task_ioprio](https://groups.google.com/d/msg/syzkaller/pCqmZTOvf7g/foAZqH71BwAJ) +* [tty: stall in n_tty_ioctl/inq_canon](https://groups.google.com/d/msg/syzkaller/JEOgcphr_FQ/zt5eiRfUBQAJ) +* [random: negative entropy/overflow: pool input count -40000](https://groups.google.com/d/msg/syzkaller/LvdDTS5Om_g/zJmN7RfOBQAJ) +* [bpf: use after free in array_map_alloc](http://seclists.org/oss-sec/2016/q2/332) CVE-2016-4794 +* [kvm: use-after-free in kvm_irqfd_release](https://groups.google.com/d/msg/syzkaller/mLrF0hWNsA0/qN0CYvVABQAJ) +* [kvm: GPF in kvm_lapic_set_tpr](https://groups.google.com/d/msg/syzkaller/kQW1tyy6vjc/0xbWT-JABQAJ) +* [sound: use-after-free in hrtimer_cancel](https://groups.google.com/d/msg/syzkaller/HMNrvp-Dt2g/kaQMrGQEAwAJ) +* [sound: hang in 
snd_timer_interrupt](https://groups.google.com/d/msg/syzkaller/s_OkwAWjJ1Q/8k7zhhEbAgAJ) +* [sound: deadlock involving snd_hrtimer_callback](https://groups.google.com/d/msg/syzkaller/s_OkwAWjJ1Q/O852Mz3HAQAJ) +* [fs: GPF in locked_inode_to_wb_and_lock_list](https://groups.google.com/d/msg/syzkaller/XvxH3cBQ134/F0-0r3MxAAAJ) +* [x86: bad pte in pageattr_test](https://groups.google.com/d/msg/syzkaller/Fu6BruqUHOU/nuJxpW7EAwAJ) +* [tty: memory leak in tty_open](https://groups.google.com/d/msg/syzkaller/wZUev9AXzDY/Nt4ih4B7EgAJ) +* [net: memory leak due to CLONE_NEWNET](https://groups.google.com/d/msg/syzkaller/dLbu8taoWVY/w3myILDuEQAJ) +* [lockdep WARNING in get_online_cpus](https://groups.google.com/d/msg/syzkaller/MHXa-o8foyc/o-mB1L_rEQAJ) +* [mm: BUG in khugepaged_scan_mm_slot](https://groups.google.com/d/msg/syzkaller/GNB2k9vLYc4/9Cu_fy7hEQAJ) +* [sound: use-after-free in snd_timer_interrupt](https://groups.google.com/d/msg/syzkaller/eIjELqsnpcE/xX-R8APfEQAJ) +* [scsi: machine hang due to write to /dev/sg0](https://groups.google.com/d/msg/syzkaller/oQ3Hg-JUVKA/8zwovr9lDAAJ) +* [AMD newest ucode 0x06000832 for Piledriver-based CPUs seems to behave in a problematic way](http://seclists.org/oss-sec/2016/q1/450) +* [sound: uninterruptible hang in snd_seq_oss_writeq_sync](https://groups.google.com/d/msg/syzkaller/bUvgnh0owos/Ps7Rep4XCAAJ) +* [fs: uninterruptible hang in handle_userfault](https://groups.google.com/d/msg/syzkaller/dSd90m_8O9w/-SAlwCUUCAAJ) +* [net: memory leak in N_6PACK driver](https://groups.google.com/d/msg/syzkaller/555eacbu6QQ/_3PGUrCbBQAJ) +* [net: memory leak in lapb_register](https://groups.google.com/d/msg/syzkaller/PqiopMXpNwU/8ChRtB6bBQAJ) +* [net: memory leak in mkiss_open](https://groups.google.com/d/msg/syzkaller/ylPCtzQr_jc/z_x_9uKaBQAJ) +* [sound: list corruption in delete_and_unsubscribe_port](https://groups.google.com/d/msg/syzkaller/XcYfdFeeyK8/R49jRCLCAwAJ) +* [kvm: GPF in 
kvm_pic_clear_all](https://groups.google.com/d/msg/syzkaller/FzqGSkRKwm0/h4Yz2CSBAwAJ) +* [kvm: GPF in kvm_irq_map_gsi](https://groups.google.com/d/msg/syzkaller/Rg4Y2Z6HbHI/w9zXygeAAwAJ) +* [tty: memory leak in tty_register_driver](https://groups.google.com/d/msg/syzkaller/iPxmOCKQLbU/0yLjf9x2AwAJ) +* [sound: memory leak in snd_seq_pool_init](https://groups.google.com/d/msg/syzkaller/hpzw94zvlLI/HBqrHjJzAwAJ) +* [tty: deadlock between tty_buffer_flush/n_tracesink_open](https://groups.google.com/d/msg/syzkaller/HX5NRBC8ubw/w4XgLENBAwAJ) +* [sound: heap out-of-bounds write in dummy_systimer_prepare](https://groups.google.com/d/msg/syzkaller/PBGF26zn2DY/8PdCofDMAAAJ) +* [fs: NULL deref in atime_needs_update](https://groups.google.com/d/msg/syzkaller/0SW33jMcrXQ/7qZfeV-HAAAJ) +* [sound: spinlock lockup in snd_seq_oss_write](https://groups.google.com/d/msg/syzkaller/aSwFzmSY7Rc/zIKYuKczAAAJ) +* [net: memory leak in ip_cmsg_send](https://groups.google.com/d/msg/syzkaller/keQktFmhfBM/UDsS4tEACAAJ) +* [net/irda: BUG: looking up invalid subclass: 4294967295](https://groups.google.com/d/msg/syzkaller/RSwLEwkWag8/S2kSuPn-BwAJ) CVE-2017-6348 +* [sound: use-after-free in snd_timer_start1](https://groups.google.com/d/msg/syzkaller/zF-7vhuSc9o/O89UIO3HBwAJ) +* [tty: tty_struct memory leak](https://groups.google.com/d/msg/syzkaller/ZPlLcAxOFSw/NyFyCAjIBwAJ) +* [gigaset: memory leak in gigaset_initcshw](https://groups.google.com/d/msg/syzkaller/wu3NyQ5ZJFE/sat9DwTFBwAJ) +* [sound: out-of-bounds write in snd_rawmidi_kernel_write1](https://groups.google.com/d/msg/syzkaller/Au60AgpecfQ/a3eWMIevBwAJ) +* [mm: uninterruptable tasks hanged on mmap_sem](https://groups.google.com/d/msg/syzkaller/6M2Z5r28UDA/nYPsJ1KIBwAJ) +* [sound: another WARNING in rawmidi_transmit_ack](https://groups.google.com/d/msg/syzkaller/FEjR2q-Ri-s/IXSua74aBwAJ) +* [sound: use-after-free in snd_seq_deliver_single_event](https://groups.google.com/d/msg/syzkaller/c8bhbCQP-XA/Abeq8ToXBwAJ) +* [sound: WARNING in 
snd_rawmidi_kernel_write1](https://groups.google.com/d/msg/syzkaller/BI280LemTW8/KgcuDJYWBwAJ) +* [sound: deadlock between snd_pcm_oss_write/snd_pcm_oss_mmap](https://groups.google.com/forum/#!topic/syzkaller/MlIO0DbOtsA) +* [ata: BUG in ata_sff_hsm_move](https://groups.google.com/d/msg/syzkaller/GyV2KfwtfTg/PiTmmqngBQAJ) +* [WARNING in set_restore_sigmask](https://groups.google.com/d/msg/syzkaller/unp9iTQ4IKc/bvJO8A4oBgAJ) +* [BUG: bad unlock balance detected in vma_unlock_anon_vma](https://groups.google.com/d/msg/syzkaller/SaJgfpbKTlg/kSdMBKWPBQAJ) +* [bluetooth: use-after-free in vhci_send_frame](https://groups.google.com/d/msg/syzkaller/oWvyWrgd3M4/nAu5XTMmBgAJ) +* [mm: another VM_BUG_ON_PAGE(PageTail(page))](https://groups.google.com/d/msg/syzkaller/boW7sZ0HoYA/j8hH8-vcBQAJ) +* [scsi: NULL deref in sg_start_req](https://groups.google.com/d/msg/syzkaller/8Fg8X9iguFM/u6sUrAvcBQAJ) +* [mm: BUG in expand_downwards](https://groups.google.com/d/msg/syzkaller/SaJgfpbKTlg/kSdMBKWPBQAJ) +* [sound: heap out-of-bounds write in dummy_systimer_prepare](https://groups.google.com/d/msg/syzkaller/PBGF26zn2DY/YMstW6CMBQAJ) +* [WARNING in do_jobctl_trap](https://groups.google.com/d/msg/syzkaller/67Ipm9Q3dN4/Mn1ZM1pPBQAJ) +* [mm: VM_BUG_ON_PAGE(PageTail(page)) in mbind](https://groups.google.com/d/msg/syzkaller/rUdHl1uq8GU/fd2lDLFHBQAJ) +* [net/bluetooth: workqueue destruction WARNING in hci_unregister_dev](https://groups.google.com/d/msg/syzkaller/uVXU3InAfRY/U7AuPXdEBQAJ) +* [gpu: kmalloc size WARNING in vga_arb_write](https://groups.google.com/d/msg/syzkaller/To4N4VWHTNU/k-5QDrk_BQAJ) +* [net/rfkill: WARNING in rfkill_fop_read](https://groups.google.com/d/msg/syzkaller/hijZUVUav8E/7tjnCAM-BQAJ) +* [sound: use-after-free in _snd_timer_stop](https://groups.google.com/d/msg/syzkaller/DjSwFNnJZn8/flxXWywRBQAJ) +* [net/irda: use-after-free in ircomm_param_request](https://groups.google.com/d/msg/syzkaller/p_WWX0G_UXQ/zGKfw04DBQAJ) +* [net/sctp: out-of-bounds access in 
sctp_add_bind_addr](https://groups.google.com/d/msg/syzkaller/BhOYz2ZBraw/-k3iDvD8BAAJ) +* [ext4: BUG: scheduling while atomic in ext4_commit_super](https://groups.google.com/d/msg/syzkaller/vIc3Dz_TTRI/dBNrj2G3BAAJ) +* [sound: WARNING in snd_rawmidi_transmit_ack](https://groups.google.com/d/msg/syzkaller/NJZR4sUggm8/ld5OCVu2BAAJ) +* [floppy: GPF in floppy_rb0_cb](https://groups.google.com/d/msg/syzkaller/AWXjFnnBN_s/RyzWTaKrBAAJ) +* [tty: kmalloc size WARNING in vc_do_resize](https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/6PSRe7mlBAAJ) +* [mm: WARNING in __delete_from_page_cache](https://groups.google.com/d/msg/syzkaller/w41UMMBPWRo/dyQTUcGjBAAJ) +* [sound: WARNING in snd_seq_oss_synth_cleanup](https://groups.google.com/d/msg/syzkaller/vfGuMIyOw1E/9-UwD5SiBAAJ) +* [sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect](https://groups.google.com/d/msg/syzkaller/T33gMP-856o/EyGhSkagBAAJ) +* [net: GPF in netlink_getsockbyportid](https://groups.google.com/d/msg/syzkaller/VlgAydM9Zu4/ts6sdhVuBAAJ) +* [fs: use-after-free in link_path_walk](https://groups.google.com/d/msg/syzkaller/t2QMO6N5F8s/MuY0RQ4tBAAJ) +* [fs: sandboxed process brings host down](https://groups.google.com/d/msg/syzkaller/gCyxNiVGGds/WP27JlAoBAAJ) +* [net: use-after-free in recvmmsg](https://groups.google.com/d/msg/syzkaller/amvYsa-I8yE/YRHrDOAmBAAJ) +* [struct pid memory leak](https://groups.google.com/d/msg/syzkaller/j7ld8eOG1OQ/7IJSStAUBAAJ) +* [net: WARNING in dccp_set_state](https://groups.google.com/d/msg/syzkaller/kWaUYryuwSY/9jbwNyRlAwAJ) +* [mm: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected in split_huge_page_to_list](https://groups.google.com/d/msg/syzkaller/zezMs3b7Vsc/Vo-6bujTAgAJ) +* [sound: BUG in snd_ctl_find_numid](https://groups.google.com/d/msg/syzkaller/rc3dZwnu5ZI/uRWvc2XUAgAJ) +* [net: GPF in __netlink_ns_capable](https://groups.google.com/forum/#!topic/syzkaller/daN8eU9ttSg) +* [crypto: slab-out-of-bounds in 
skcipher_recvmsg](https://groups.google.com/d/msg/syzkaller/VBcr-fy-t0w/KJo9r0r5AQAJ) +* [net: hang in ip_finish_output](https://groups.google.com/d/msg/syzkaller/OM7CXieBCoY/etzvFPX3AQAJ) +* [kvm: access to invalid memory in mmu_zap_unsync_children](https://groups.google.com/d/msg/syzkaller/4wAzRPswgQ8/IWGjISZQFQAJ) +* [kvm: using uninitialized var in tdp_page_fault](https://groups.google.com/d/msg/syzkaller/4u4EokUaq8U/jEkM-ZZQFQAJ) +* [sound: spinlock lockup in sound/core/timer.c](https://groups.google.com/d/msg/syzkaller/bbtG9_h1ONU/CPLblMC6FAAJ) +* [sound: GPF in snd_timer_user_params](https://groups.google.com/d/msg/syzkaller/pGyQMx7Fq84/Kzzp1yytFAAJ) +* [sound: use-after-free in snd_timer_interrupt](https://groups.google.com/d/msg/syzkaller/_jsbNkayw7w/vbivwMWsFAAJ) +* [sound: use-after-free in snd_timer_user_ioctl](https://groups.google.com/d/msg/syzkaller/9mIp43V-OS8/uCHNBiSsFAAJ) +* [crypto: use-after-free in skcipher_sock_destruct](https://groups.google.com/d/msg/syzkaller/GdqfroKSD8Q/goTM-tyiFAAJ) +* [net/sctp: use-after-free in __sctp_connect](https://groups.google.com/d/msg/syzkaller/wB2VUZcQRkE/NlNJBvybFAAJ) +* [net: WARNING in tcp_recvmsg](https://groups.google.com/d/msg/syzkaller/tDe2SCAzirE/ar2v6cZQFAAJ) +* [sound: use-after-free in snd_timer_stop](https://groups.google.com/d/msg/syzkaller/IAjJAaJOHZg/s1Ud2wVPFAAJ) +* [sound: GPF in snd_seq_fifo_clear](https://groups.google.com/d/msg/syzkaller/KbVqGu3WcPs/dYdSgjVOFAAJ) +* [crypto: ablk_decrypt causes BUG in scatterwalk](https://groups.google.com/d/msg/syzkaller/J5BIP1NxPVc/V5RQhCRMFAAJ) +* [kvm: GPF in native_set_debugreg](https://groups.google.com/d/msg/syzkaller/E_simxTrAxM/K70SOr4wEwAJ) +* [kvm: GPF in kvm_lapic_latched_init](https://groups.google.com/d/msg/syzkaller/Sw8voIm9wN4/AV_6rPsvEwAJ) +* [kvm: WARNING in kvm_apic_accept_events](https://groups.google.com/d/msg/syzkaller/qING1Xy24JY/v9sxuVErEwAJ) +* [kvm: vmalloc allocation failure in 
kvm_vm_ioctl](https://groups.google.com/d/msg/syzkaller/K47NvuAAPz4/PO9mb4c4EwAJ) +* [kvm: vmalloc allocation failure in kvm_vcpu_ioctl_set_cpuid](https://groups.google.com/d/msg/syzkaller/58wqKq6iCXk/qQsxAH8pEwAJ) +* [kvm: WARNING in __x86_set_memory_region](https://groups.google.com/d/msg/syzkaller/tYgkwrDQjkg/jTllLeYmEwAJ) +* [kvm: WARNING in exception_type](https://groups.google.com/d/msg/syzkaller/NVYxVRSPan4/WCVzMTImEwAJ) +* [mm: possible deadlock in mm_take_all_locks](https://groups.google.com/d/msg/syzkaller/AxduklbKrfc/VQ2r5VQqEwAJ) +* [net/nfc: GPF in llcp_sock_getname](https://groups.google.com/d/msg/syzkaller/uj-hx-eBQ28/KCztJ2z6EAAJ) +* [net/netlink: memory leak in netlink_sendmsg](https://groups.google.com/d/msg/syzkaller/UUAHYw5MtjA/JEEHUuykEAAJ) +* [net/tipc: memory leak in tipc_release](https://groups.google.com/d/msg/syzkaller/5-GmaFy2BUI/Z1RBMsigEAAJ) +* [memory leak in lapb_create_cb](https://groups.google.com/d/msg/syzkaller/A-AnLCJnfIM/TCX4G1N0EAAJ) +* [net/sctp: sctp_datamsg memory leak](https://groups.google.com/d/msg/syzkaller/hLdAYS7j_tM/rwo6p5x1EAAJ) +* [net/sctp: sock memory leak](https://groups.google.com/d/msg/syzkaller/rB_bD-M8ijs/m44UxFNzEAAJ) +* [net/nfc: user-controllable kmalloc size in nfc_llcp_send_ui_frame](https://groups.google.com/d/msg/syzkaller/D9S8Ji0HJtM/9nJc3SdTEAAJ) +* [tty: deadlock between n_tracerouter_receivebuf and flush_to_ldisc](https://groups.google.com/d/msg/syzkaller/YrV0bzdfa-g/n5Eyi6tSEAAJ) +* [crypto: use-after-free in alg_bind](https://groups.google.com/d/msg/syzkaller/exVfK_05eqU/hszZrHwjEAAJ) +* [crypto: deadlock in alg_setsockopt](https://groups.google.com/d/msg/syzkaller/t3fOIUvQRR0/Xf8Jw9sdEAAJ) +* [crypto: use-after-free in rng_recvmsg](https://groups.google.com/d/msg/syzkaller/4Ivvjq4KGhM/EbQX8Ze_DwAJ) +* [use-after-free in skcipher_bind](https://groups.google.com/d/msg/syzkaller/frb2XrB5aWk/iFcu_0R8DgAJ) +* [9p: sleeping function called from invalid context in 
v9fs_vfs_atomic_open_dotl](https://groups.google.com/d/msg/syzkaller/1YncbDVfdow/JudLnO49DgAJ) +* [fs: WARNING in locks_free_lock_context](https://groups.google.com/d/msg/syzkaller/AxzCz8bJPko/A6iFq0IsDgAJ) +* [net: user-controllable kmalloc size in __sctp_setsockopt_connectx](https://groups.google.com/d/msg/syzkaller/mv8Iaz0oHAs/b3dwSCD9DQAJ) +* [GPF in gf128mul_64k_bbe](https://groups.google.com/d/msg/syzkaller/BIjLNIO1g7k/6FTkQpFcDAAJ) +* [use-after-free in hash_sock_destruct](https://groups.google.com/d/msg/syzkaller/XSCcDfuj3Cw/cplfjIlcDAAJ) +* [GPF in lrw_crypt](https://groups.google.com/d/msg/syzkaller/frb2XrB5aWk/xCXzkIBcDAAJ) +* [bad page state due to PF_ALG socket](https://groups.google.com/d/msg/syzkaller/OEaEMF5cRpc/AyYAGndcDAAJ) +* [use-after-free in skcipher_sock_destruct](https://groups.google.com/d/msg/syzkaller/Oi2d1GRRnPY/rbZZ5lZcDAAJ) +* [use-after-free in sixpack_close](https://groups.google.com/d/msg/syzkaller/QRZjzAzG0wg/pvnCAZNWDAAJ) +* [net: heap-out-of-bounds in sock_setsockopt](https://groups.google.com/d/msg/syzkaller/5J4lQcwp0x4/ATAqYNZ0CwAJ) +* [BUG_ON(!PageLocked(page)) in munlock_vma_page](https://groups.google.com/d/msg/syzkaller/8KEw1_E05zs/-HzQwaQlCwAJ) +* [perf: stalls in perf_install_in_context/perf_remove_from_context](https://groups.google.com/d/msg/syzkaller/NyMvU8ClQEM/7PjQ1csQCwAJ) +* [Information leak in sco_sock_bind](https://groups.google.com/d/msg/syzkaller/L2DGhEYtnQo/e0pj2sQpCwAJ) CVE-2015-8575 +* [Information leak in llcp_sock_bind/llcp_raw_sock_bind](https://groups.google.com/d/msg/syzkaller/DHI06NjAnBw/02kKZKYnCwAJ) +* [Information leak in pptp_bind](https://groups.google.com/d/msg/syzkaller/fSqTaDjzcIo/HGa4cGi6CgAJ) +* [use-after-free in pptp_connect](https://groups.google.com/d/msg/syzkaller/w238o__gw7M/RrGhpOJ0CgAJ) +* [GPF in keyctl](https://bugzilla.redhat.com/show_bug.cgi?id=1290370) CVE-2015-7550 +* [another use-after-free in sctp_do_sm](https://groups.google.com/d/msg/syzkaller/OUaLglyQNYM/RQu4vcQ-CQAJ) +* 
[use-after-free in inet6_destroy_sock](https://groups.google.com/d/msg/syzkaller/u1NA-bgkR18/cMqpYl09CQAJ) +* [WARNING in crypto_wait_for_test](https://groups.google.com/d/msg/syzkaller/WZWajo0A2J4/K93w98fkCAAJ) +* [int overflow in io_getevents](https://groups.google.com/d/msg/syzkaller/UldJpka5MbA/riM5IbqTCAAJ) +* [use-after-free in ip6_xmit](https://groups.google.com/d/msg/syzkaller/YpU1_PMV_gU/FmLVGHqTCAAJ) +* [use-after-free in __perf_install_in_context](https://groups.google.com/d/msg/syzkaller/3Tk4BmoHxIk/x-EOZH_HBwAJ) +* [undefined shift in __bpf_prog_run](https://groups.google.com/d/msg/syzkaller/H7o2oz9CcKg/uzaiF7eqBwAJ) +* [signed integer overflow in ktime_add_safe](https://groups.google.com/d/msg/syzkaller/1R5FD_PtR1A/dVv99hGqBwAJ) +* [jump label: negative count!](https://groups.google.com/d/msg/syzkaller/OUaLglyQNYM/hCg9HfHjDgAJ) +* [memory leak in alloc_huge_page](https://groups.google.com/d/msg/syzkaller/zg4TVSy6Ri8/qs99M-bJDwAJ) +* [memory leak in do_ipv6_setsockopt](https://groups.google.com/d/msg/syzkaller/xWavbbgt0qg/SpY86JLEDwAJ) +* [heap out-of-bounds access in array_map_update_elem](https://groups.google.com/d/msg/syzkaller/5NHTQ3U60-s/Xlnq60JwDwAJ) +* [deadlock in perf_ioctl](https://groups.google.com/d/msg/syzkaller/pOiDJIU5zI4/UXIsO9BrDwAJ) +* [user-controllable kmalloc size in bpf syscall](https://groups.google.com/d/msg/syzkaller/vhm-Av765TY/VzjC4zMqDwAJ) +* [net: use after free in ip6_make_skb](https://groups.google.com/d/msg/syzkaller/Pa8ovVaYL9c/Mw32fULmDgAJ) +* [user-controllable kmalloc size in sctp_getsockopt_local_addrs](https://groups.google.com/d/msg/syzkaller/WWpkIGBC0ts/kpMmnYfZDgAJ) +* [use-after-free in ip6_setup_cork](https://groups.google.com/d/msg/syzkaller/fHZ42YrQM-Y/Z4Xf-BbUDgAJ) +* [gigaset: freeing an active object](https://groups.google.com/d/msg/syzkaller/bOJJJcbKtjM/IGkN5ZyTDgAJ) +* [Freeing active kobject in pps_device_destruct](https://groups.google.com/forum/#!topic/syzkaller/rueDAZYv5v0) +* [GPF in 
process_one_work (flush_to_ldisc)](https://groups.google.com/d/msg/syzkaller/z3WIRnS2q9g/_TXY3LBBDgAJ) +* [use-after-free in tty_check_change](https://groups.google.com/d/msg/syzkaller/PGnPGgljA8A/5yfiRls1DgAJ) +* [WARNING in tcp_recvmsg](https://groups.google.com/d/msg/syzkaller/vlk-2b1hAVQ/JpkM7K36DQAJ) +* [use-after-free in irtty_open](https://groups.google.com/d/msg/syzkaller/foW6EoJnc9Y/q0gKZ3f3DQAJ) +* [use-after-free in sock_wake_async](https://groups.google.com/forum/#!topic/syzkaller/IjAetA6uvIc) +* [WARNING in handle_mm_fault](https://groups.google.com/forum/#!topic/syzkaller/o8VqvYNEu_I) +* [WARNING in gsm_cleanup_mux](https://groups.google.com/d/msg/syzkaller/zAvZnQBWGac/IPU35GyYDQAJ) +* [use-after-free in sctp_do_sm](https://groups.google.com/d/msg/syzkaller/OUaLglyQNYM/UWs4GxGUDQAJ) +* [yet another uninterruptable hang in sendfile](https://groups.google.com/forum/#!topic/syzkaller/Jy08esFVw9k) +* [GPF in add_key](https://bugzilla.redhat.com/show_bug.cgi?id=1284059) +* [another uninterruptable hang in sendfile](https://groups.google.com/forum/#!topic/syzkaller/sjA9DrBQviw) +* [deadlock during fuseblk shutdown](https://groups.google.com/forum/#!topic/syzkaller/w-B4OeANKu8) +* [tty,net: use-after-free in x25_asy_open_tty](https://groups.google.com/d/msg/syzkaller/kYOghurchCg/aVg9hBBpDAAJ) +* [deadlock between tty_write and tty_send_xchar](https://groups.google.com/forum/#!topic/syzkaller/X12P_8jITAM) +* [WARNING in shmem_evict_inode](https://groups.google.com/forum/#!topic/syzkaller/HeT_3b2HIrs) +* [Deadlock between setsockopt/getsockopt](https://groups.google.com/forum/#!topic/syzkaller/46AwIkaOclk) +* [Deadlock between bind and splice](https://groups.google.com/forum/#!topic/syzkaller/HSofF04GVCA) +* [Use-after-free in ipv4_conntrack_defrag](https://groups.google.com/forum/#!topic/syzkaller/k62o6Fiu124) +* [Use-after-free in selinux_ip_postroute_compat](https://groups.google.com/forum/#!topic/syzkaller/eu-3LPXgdok) +* [Use-after-free in 
unshare](https://patchwork.ozlabs.org/patch/539061/) +* [GPF in tcp_sk_init/icmp_sk_init](https://patchwork.ozlabs.org/patch/539018/) +* [lockdep warning in ip_mc_msfget](https://groups.google.com/forum/#!topic/syzkaller/ScMRWhgAsbM) +* [WARNING in task_participate_group_stop](https://groups.google.com/forum/#!topic/syzkaller/p5ailXs8eEc) +* [Resource leak in unshare](https://groups.google.com/forum/#!topic/syzkaller/cdJvHvazRJk) +* [Paging fault with hard IRQs disabled in getsockopt](https://groups.google.com/forum/#!topic/syzkaller/AegFEboavHM) +* [Unkillable processes due to PTRACE_TRACEME](https://groups.google.com/forum/#!msg/syzkaller/uGzwvhlCXAw/E-cfY2ejAgAJ) +* [Use-after-free in ep_remove_wait_queue](https://groups.google.com/forum/#!topic/syzkaller/3twDUI4Cpm8) CVE-2013-7446 +* [GPF in shm_lock](https://groups.google.com/forum/#!topic/syzkaller/4jVzR278N9k) +* [GPF in rt6_uncached_list_flush_dev](https://groups.google.com/forum/#!topic/syzkaller/XmcaDo9DnSg) +* [Infinite loop in ip6_fragment](https://groups.google.com/forum/#!topic/syzkaller/PoD9yGkY1y8) +* [Uninterruptable hang in sendfile](https://groups.google.com/forum/#!topic/syzkaller/zfuHHRXL7Zg) +* [GPF in keyring_destroy](https://groups.google.com/forum/#!topic/syzkaller/E2DRBbUDEg8) [CVE-2015-7872](https://bugzilla.redhat.com/show_bug.cgi?id=1272371) diff --git a/docs/linux_kernel_configs.md b/docs/linux_kernel_configs.md new file mode 100644 index 00000000..5627a446 --- /dev/null +++ b/docs/linux_kernel_configs.md 
@@ -0,0 +1,55 @@ +# Linux kernel configs + +List of recommended kernel configs for `syzkaller`: + +## Syzkaller features + +To enable coverage collection, which is extremely important for effective fuzzing: +``` +CONFIG_KCOV=y +CONFIG_KCOV_INSTRUMENT_ALL=y +CONFIG_DEBUG_FS=y +``` + +To show code coverage in web interface: +``` +CONFIG_DEBUG_INFO=y +``` + +For `namespace` sandbox: +``` +CONFIG_NAMESPACES=y +CONFIG_USER_NS=y +CONFIG_UTS_NS=y +CONFIG_IPC_NS=y +CONFIG_PID_NS=y +CONFIG_NET_NS=y +``` + +If your kernel doesn't have commits [arm64: setup: introduce kaslr_offset()](https://github.com/torvalds/linux/commit/7ede8665f27cde7da69e8b2fbeaa1ed0664879c5) + and [kcov: make kcov work properly with KASLR enabled](https://github.com/torvalds/linux/commit/4983f0ab7ffaad1e534b21975367429736475205), disable the following config: +``` +# CONFIG_RANDOMIZE_BASE is not set +``` + +## Bug detection configs + +`KASAN` for use-after-free and out-of-bounds detection: +``` +CONFIG_KASAN=y +CONFIG_KASAN_INLINE=y +``` + +Any other debugging configs, the more the better, here are some that proved to be especially useful: +``` +CONFIG_LOCKDEP=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_ATOMIC_SLEEP=y +CONFIG_PROVE_RCU=y +CONFIG_DEBUG_VM=y +``` + +Increase RCU stall timeout to reduce false positive rate: +``` +CONFIG_RCU_CPU_STALL_TIMEOUT=60 +``` diff --git a/docs/linux_kernel_reporting_bugs.md b/docs/linux_kernel_reporting_bugs.md new file mode 100644 index 00000000..fde46057 --- /dev/null +++ b/docs/linux_kernel_reporting_bugs.md 
@@ -0,0 +1,15 @@ +## Reporting Linux kernel bugs + +Before reporting a bug make sure nobody else already reported it. The easiest way to do this is to search through the [syzkaller mailing list](https://groups.google.com/forum/#!forum/syzkaller) for key frames present in the kernel stack traces. + +Please report found bugs to the Linux kernel maintainers. +To find out the list of maintainers responsible for a particular kernel subsystem, use the [get_maintainer.pl](https://github.com/torvalds/linux/blob/master/scripts/get_maintainer.pl) script: `./scripts/get_maintainer.pl -f guilty_file.c`. +Please also add `syzkaller@googlegroups.com` to the CC list. + +If the bug is reproducible, include the reproducer (C source if possible, otherwise a syzkaller program) and `.config` you used for your kernel. +Bugs without reproducers are way less likely to be triaged and fixed. +Make sure to also mention the exact kernel branch and revision. + +Many kernel mailing lists reject HTML formatted messages, so use the plain text mode when sending the report. + +If you believe that a found bug poses potential security threat, consider reporting it directly to `security@kernel.org`. diff --git a/docs/setup_linux-host_android-device_arm64-kernel.md b/docs/setup_linux-host_android-device_arm64-kernel.md new file mode 100644 index 00000000..e7ba1788 --- /dev/null +++ b/docs/setup_linux-host_android-device_arm64-kernel.md 
@@ -0,0 +1,44 @@ +# Setup: Linux host, Android device, arm64 kernel + +Prerequisites: + - go1.8+ toolchain (can be downloaded from [here](https://golang.org/dl/)) + - Android NDK (tested with r12b) (can be downloaded from [here](https://developer.android.com/ndk/downloads/index.html)) + - [Suzy-Q](https://chromium.googlesource.com/chromiumos/platform/ec/+/master/docs/case_closed_debugging.md) device to capture console output (support for other development boards is possible, but it not implemented yet) + +From `syzkaller` checkout: + - Build `syz-manager` for host: +``` +go build -o bin/syz-manager ./syz-manager +``` + + - Build `syz-fuzzer` and `syz-execprog` for arm64: +``` +GOARCH=arm64 go build -o bin/syz-fuzzer ./syz-fuzzer +GOARCH=arm64 go build -o bin/syz-execprog ./tools/syz-execprog +``` + + - Build `syz-executor` for arm64: +``` +/android-ndk-r12b/toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-g++ \ + -I/android-ndk-r12b/sources/cxx-stl/llvm-libc++/libcxx/include \ + --sysroot=/android-ndk-r12b/platforms/android-22/arch-arm64 \ + executor/executor.cc -O1 -g -Wall -static -o bin/syz-executor +``` + + - Create config with `"type": "adb"` and specify adb devices to use. For example: +``` +{ + "http": "localhost:50000", + "workdir": "/gopath/src/github.com/google/syzkaller/workdir", + "syzkaller": "/gopath/src/github.com/google/syzkaller", + "vmlinux": "-", + "sandbox": "none", + "procs": 8, + "type": "adb", + "vm": { + "devices": ["ABCD000010"] + } +} +``` + + - Start `syz-manager -config adb.cfg` as usual. diff --git a/docs/setup_linux-host_qemu-vm_arm64-kernel.md b/docs/setup_linux-host_qemu-vm_arm64-kernel.md new file mode 100644 index 00000000..11ffdebc --- /dev/null +++ b/docs/setup_linux-host_qemu-vm_arm64-kernel.md 
@@ -0,0 +1,151 @@ +# Setup: Linux host, QEMU vm, arm64 kernel + +This document will detail the steps involved in setting up a Syzkaller instance fuzzing any ARM64 linux kernel of your choice. + +## Create a disk image + +We will use buildroot to create the disk image. +You can obtain buildroot from [here](https://buildroot.uclibc.org/download.html). +Extract the tarball and perform a `make menuconfig` inside it. +Choose the following options. + + Target options + Target Architecture - Aarch64 (little endian) + Toolchain type + External toolchain - Linaro AArch64 + System Configuration + [*] Enable root login with password + ( ) Root password ⇐= set your password using this option + [*] Run a getty (login prompt) after boot ---> + TTY port - ttyAMA0 + Target packages + [*] Show packages that are also provided by busybox + Networking applications + [*] dhcpcd + [*] openssh + Filesystem images + [*] ext2/3/4 root filesystem + ext2/3/4 variant - ext3 + exact size in blocks - 6000000 + [*] tar the root filesystem + +Run `make`. After the build, confirm that `output/images/rootfs.ext3` exists. + +## Get the ARM64 toolchain from Linaro + +You will require an ARM64 kernel with gcc plugin support. +If not, obtain the ARM64 toolchain from Linaro. +Get `gcc-linaro-6.1.1-2016.08-x86_64_aarch64-linux-gnu.tar.xz` from [here](https://releases.linaro.org/components/toolchain/binaries/latest/aarch64-linux-gnu/). +Extract and add its `bin/` to your `PATH`. +If you have another ARM64 toolchain on your machine, ensure that this newly downloaded toolchain takes precedence. + +## Compile the kernel + +Once you have obtained the source code for the linux kernel you wish to fuzz, do the following. 
+ + $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make defconfig + $ vim .config + +Change the following options : +``` + CONFIG_KCOV=y + CONFIG_KASAN=y + CONFIG_DEBUG_INFO=y + CONFIG_CMDLINE=”console=ttyAMA0” + CONFIG_KCOV_INSTRUMENT_ALL=y + CONFIG_DEBUG_FS=y + CONFIG_NET_9P=y + CONFIG_NET_9P_VIRTIO=y + CONFIG_CROSS_COMPILE="aarch64-linux-gnu-" +``` +``` + $ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j40 +``` + +If the build was successful, you should have a `arch/arm64/boot/Image` file. + +## Obtain qemu for ARM64 + +Obtain the QEMU source from git or from the latest source release. + + $ ./configure + $ make -j40 + +If the build was successful, you should have a `aarch64-softmmu/qemu-system-aarch64` binary. + +## Boot up manually + +You should be able to start up the kernel as follows. + + $ /path/to/aarch64-softmmu/qemu-system-aarch64 \ + -machine virt \ + -cpu cortex-a57 \ + -nographic -smp 1 \ + -hda /path/to/rootfs.ext3 \ + -kernel /path/to/arch/arm64/boot/Image \ + -append "console=ttyAMA0 root=/dev/vda oops=panic panic_on_warn=1 panic=-1 ftrace_dump_on_oops=orig_cpu debug earlyprintk=serial slub_debug=UZ" \ + -m 2048 \ + -net user,hostfwd=tcp::10023-:22 -net nic + +At this point, you should be able to see a login prompt. + +## Set up the QEMU disk + +Now that we have a shell, let us add a few lines to existing init scripts so that they are executed each time Syzkaller brings up the VM. + +At the top of /etc/init.d/S50sshd add the following lines: + + ifconfig eth0 up + dhcpcd + mount -t debugfs none /sys/kernel/debug + chmod 777 /sys/kernel/debug/kcov + +Comment out the line + + /usr/bin/ssh-keygen -A + +Next we set up ssh. Create an ssh keypair locally and copy the public key to `/authorized_keys` in `/`. Ensure that you do not set a passphrase when creating this key. + +Open `/etc/ssh/sshd_config` and modify the following lines as shown below. 
+ + PermitRootLogin yes + PubkeyAuthentication yes + AuthorizedKeysFile /authorized_keys + PasswordAuthentication yes + +Reboot the machine, and ensure that you can ssh from host to guest as. + + $ ssh -i /path/to/id_rsa root@localhost -P10023 + +## Build syzkaller + +Instructions can be found [here](https://github.com/google/syzkaller/blob/master/README.md). + +## Modify your config file and start off syzkaller + +A sample config file that exercises the required options are shown below. Modify according to your needs. + +``` +{ + "name": "QEMU-aarch64", + "http": ":56700", + "workdir": "/path/to/a/dir/to/store/syzkaller/corpus”, + "vmlinux": “/path/to/vmlinux", + "syzkaller": "/path/to/syzkaller/arm64/", + "image": "/path/to/rootfs.ext3", + "procs": 8, + "type": "qemu", + "vm": { + "count": 1, + "qemu": "/path/to/qemu-system-aarch64", + "qemu_args": "-machine virt -cpu cortex-a57", + "cmdline": "console=ttyAMA0 root=/dev/vda", + "kernel": “/path/to/Image", + "sshkey": "/path/to/ida_rsa", + "cpu": 2, + "mem": 2048 + } +} +``` + +At this point, you should be able to visit `localhost:56700` and view the results of the fuzzing. diff --git a/docs/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md b/docs/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md new file mode 100644 index 00000000..7dd510f2 --- /dev/null +++ b/docs/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md 
@@ -0,0 +1,332 @@ +# Setup: Ubuntu host, Odroid C2 board, arm64 kernel + +These are the instructions on how to fuzz the kernel on an [Odroid C2](http://www.hardkernel.com/main/products/prdt_info.php) board using Ubuntu 14.04 on the host machine and Ubuntu on the Odroid. + +## Hardware setup + +### Required hardware + +Your hardware setup must satisfy the following requirements: + +1. Host machine should be able to read the Odroid kernel log. +2. Host machine should be able to ssh to the Odroid board. +3. Host machine should be able to forcefully reboot the Odroid. + +The particular setup described below requires the following hardware: + +1. [Odroid C2 board](http://www.hardkernel.com/main/products/prdt_info.php) +2. SD card (8 GB should be enough) +3. SD card reader (like [this one](https://www.amazon.de/gp/product/B009D79VH4/ref=oh_aui_detailpage_o06_s00?ie=UTF8&psc=1)) +4. [USB-UART cable](http://www.hardkernel.com/main/products/prdt_info.php?g_code=G134111883934) +5. USB Ethernet adapter (like [this one](https://www.amazon.de/Apple-MC704LL-A-USB-Ethernet-Adapter/dp/B00W7W9FK0/ref=dp_ob_title_ce)) +6. Ethernet cable +7. USB hub with [Per Port Power Switching support](http://www.gniibe.org/development/ac-power-control-by-USB-hub/index.html) (like D-Link DUB H7, **silver** edition). +8. [USB-DC Plug Cable](http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141637559827) + +If you decide to use a different setup, you will need to update [Odroid-related code](https://github.com/google/syzkaller/blob/master/vm/odroid/odroid.go) in syzkaller manager. + +### Setup Odroid + +1. Download and flash [Ubuntu image](http://odroid.com/dokuwiki/doku.php?id=en:c2_release_linux_ubuntu) onto SD card as described [here](http://odroid.com/dokuwiki/doku.php?id=en:odroid_flashing_tools). +2. Connect USB-UART cable and install minicom as described [here](http://odroid.com/dokuwiki/doku.php?id=en:usb_uart_kit). +3. 
Connect power plug, Odroid will start booting, make sure you see bootloader and kernel logs in minicom. +4. Make sure you can login through minicom as user `odroid` with password `odroid`. This user is a sudoer. + +When `systemd` starts Odroid stops sending kernel logs to UART. +To fix this login to the Odroid board and add `kernel.printk = 7 4 1 3` line to `/etc/sysctl.conf` and then do `sysctl -p`: +``` bash +$ cat /etc/sysctl.conf | tail -n 1 +kernel.printk = 7 4 1 3 +$ sudo sysctl -p +kernel.printk = 7 4 1 3 +``` + +Now make sure you can see kernel messages in minicom: +``` +$ echo "Some message" | sudo tee /dev/kmsg +Some message +[ 233.128597] Some message +``` + +### Setup network + +1. Connect USB Ethernet adapter to the host machine. +2. Use Ethernet cable to connect Odroid and the host adapter. +3. Use minicom to modify `/etc/network/interfaces` on Odroid: + + ``` + auto eth0 + iface eth0 inet static + address 172.16.0.31 + gateway 172.16.0.1 + netmask 255.255.255.0 + ``` + +4. Reboot Odroid. + +5. Setup the interface on the host machine (though Network Manager or via `/etc/network/interfaces`): + + ``` + auto eth1 + iface eth1 inet static + address 172.16.0.30 + gateway 172.16.0.1 + netmask 255.255.255.0 + ``` + +6. You should now be able to ssh to Odroid (user `root`, password `odroid`): + + ``` bash + $ ssh root@172.16.0.31 + root@172.16.0.31's password: + ... + Last login: Thu Feb 11 11:30:51 2016 + root@odroid64:~# + ``` + +### Setup USB hub + +To perform a hard reset of the Odroid board (by turning off power) I used a D-Link DUB H7 USB hub (**silver** edition, not the black one). +This hub has support for a feature called [Per Port Power Switching](http://www.gniibe.org/development/ac-power-control-by-USB-hub/index.html), which allows to turn off power on a selected port on the hub remotely (via USB connection to the host machine) . 
+ +[To be able to open the hub device entry](http://www.janosgyerik.com/adding-udev-rules-for-usb-debugging-android-devices/) under `/dev/` without being root, add the following file to `/etc/udev/rules.d/` on the host machine: +``` bash +$ cat /etc/udev/rules.d/10-local.rules +SUBSYSTEM=="usb", ATTR{idVendor}=="2001", ATTR{idProduct}=="f103", MODE="0664", GROUP="plugdev" +``` + +`idVendor` and `idProduct` should correspond to the hub vendor and product id (can be seen via `lsusb`). +Don't forget to replug the hub after you add this file. + +``` bash +$ lsusb +... +Bus 003 Device 026: ID 2001:f103 D-Link Corp. DUB-H7 7-port USB 2.0 hub +... +``` + +Communication with the hub is done by sending USB control messages, which requires `libusb`: +``` bash +sudo apt-get install libusb-dev libusb-1.0-0-dev +``` + +Now plug in the hub and try to switch power on some of it's ports. +For that you can use the [hub-ctrl.c](https://github.com/codazoda/hub-ctrl.c) tool by Niibe Yutaka or it's [ simplified Go analog](https://gist.github.com/xairy/37264952ff35da6e7dcf51ef486368e5): +``` bash +$ go run hub.go -bus=3 -device=26 -port=6 -power=0 +Power turned off on port 6 +$ go run hub.go -bus=3 -device=26 -port=6 -power=1 +Power turned on on port 6 +``` + +Note, that the DUB-H7 hub has a weird port numbering: `5, 6, 1, 2, 7, 3, 4` from left to right. + +Connect the Odroid board with a power plug to one of the USB hub ports and make sure you can forcefully reboot the Odroid by turning the power off and back on on this port. + +## Cross-compiler + +You need to compile full GCC cross-compiler tool-chain for aarch64 as described [here](http://preshing.com/20141119/how-to-build-a-gcc-cross-compiler/) (including the standard libraries). +Use GCC revision 242378 (newer revisions should work as well, but weren't tested). +The result should be a `$PREFIX` directory with cross-compiler, standard library headers, etc. 
+``` +$ ls $PREFIX +aarch64-linux bin include lib libexec share +``` + +## Kernel + +Set environment variables, they will be detected and used during kernel compilation: +``` bash +export PATH="$PREFIX/bin:$PATH" +export ARCH=arm64 +export CROSS_COMPILE=aarch64-linux- +``` + +Clone the linux-next kernel into `$KERNEL`: +``` bash +git clone https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git $KERNEL +cd $KERNEL +``` + +Apply the following patch, otherwise building the kernel with newer GCC fails (the patch is taken from [here](https://patchwork.kernel.org/patch/9380181/)): +``` makefile +diff --git a/Makefile b/Makefile +index 165cf9783a5d..ff8b40dca9e2 100644 +--- a/Makefile ++++ b/Makefile +@@ -653,6 +653,11 @@ KBUILD_CFLAGS += $(call cc-ifversion, -lt, 0409, \ + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) + ++# Stop gcc from converting switches into a form that defeats dead code ++# elimination and can subsequently lead to calls to intentionally ++# undefined functions appearing in the final link. 
++KBUILD_CFLAGS += $(call cc-option,--param=max-fsm-thread-path-insns=1) ++ + include scripts/Makefile.gcc-plugins + + ifdef CONFIG_READABLE_ASM +``` + +Apply the following patch to disable KASAN bug detection on stack and globals (kernel doesn't boot, KASAN needs to be fixed): +``` makefile +diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan +index 9576775a86f6..8bc4eb36fc1b 100644 +--- a/scripts/Makefile.kasan ++++ b/scripts/Makefile.kasan +@@ -11,7 +11,6 @@ CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address + + CFLAGS_KASAN := $(call cc-option, -fsanitize=kernel-address \ + -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET) \ +- --param asan-stack=1 --param asan-globals=1 \ + --param asan-instrumentation-with-call-threshold=$(call_threshold)) + + ifeq ($(call cc-option, $(CFLAGS_KASAN_MINIMAL) -Werror),) +``` + +Configure the kernel (you might wan't to enable more configs as listed [here](docs/linux_kernel_configs.md)): +``` bash +make defconfig +# Edit .config to enable the following configs: +# CONFIG_KCOV=y +# CONFIG_KASAN=y +# CONFIG_KASAN_INLINE=y +# CONFIG_TEST_KASAN=m +# CONFIG_PANIC_ON_OOPS=y +make oldconfig +``` + +Build the kernel: +``` bash +make -j48 dtbs Image modules LOCALVERSION=-xc2 +``` + +## Installation + +Install the `mkimage` util with arm64 support (part of the `u-boot-tools` package). +You might have it by default, but it's not available on Ubuntu 14.04 in the default package repos. +In this case download the package from [here](https://launchpad.net/ubuntu/xenial/amd64/u-boot-tools/2016.01+dfsg1-2ubuntu1) and use `sudo dpkg -i` to install. + +Insert the SD card reader with the SD card inside into the host machine. +You should see two partitions automounted (or mount them manually), for example `sdb1` mounted at `$MOUNT_PATH/boot` and `sdb2` mounted at `$MOUNT_PATH/rootfs`. 
+ +Build the kernel image: +``` bash +mkimage -A arm64 -O linux -T kernel -C none -a 0x1080000 -e 0x1080000 -n linux-next -d arch/arm64/boot/Image ./uImage +``` + +Copy the kernel image, modules and device tree: +``` bash +KERNEL_VERSION=`cat ./include/config/kernel.release` +cp ./uImage $MOUNT_PATH/boot/uImage-$KERNEL_VERSION +make modules_install LOCALVERSION=-xc2 INSTALL_MOD_PATH=$MOUNT_PATH/rootfs/ +cp ./arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dtb $MOUNT_PATH/boot/meson-gxbb-odroidc2-$KERNEL_VERSION.dtb +cp .config $MOUNT_PATH/boot/config-$KERNEL_VERSION +``` + +Backup the old bootloader config; if something doesn't work with the new kernel, you can always roll back to the old one by restoring `boot.ini`: +``` bash +cd $MOUNT_PATH/boot/ +cp boot.ini boot.ini.orig +``` + +Replace the bootloader config `boot.ini` (based on the one taken from [here](http://forum.odroid.com/viewtopic.php?p=162045#p162045)) with the following; don't forget to update `version`: +``` +ODROIDC2-UBOOT-CONFIG + +# Set version to $KERNEL_VERSION +setenv version 4.11.0-rc1-next-20170308-xc2-dirty +setenv uImage uImage-${version} +setenv fdtbin meson-gxbb-odroidc2-${version}.dtb + +setenv initrd_high 0xffffffff +setenv fdt_high 0xffffffff +setenv uimage_addr_r 0x01080000 +setenv fdtbin_addr_r 0x01000000 + +# You might need to use root=/dev/mmcblk0p2 below, try booting and see if the current one works. +setenv bootargs "console=ttyAML0,115200 root=/dev/mmcblk1p2 rootwait ro fsck.mode=force fsck.repair=yes net.ifnames=0 oops=panic panic_on_warn=1 panic=86400 systemd.show_status=no" + +fatload mmc 0:1 ${fdtbin_addr_r} ${fdtbin} +fatload mmc 0:1 ${uimage_addr_r} ${uImage} +bootm ${uimage_addr_r} - ${fdtbin_addr_r} +``` + +Sync and unmount: +``` bash +sync +umount $MOUNT_PATH/boot +umount $MOUNT_PATH/rootfs +``` + +Now plug the SD card into the Odroid board and boot. +The new kernel should now be used. +It makes sense to ensure that you still can ssh to Odroid. 
+ +## Syzkaller + +Generate ssh key and copy it to Odroid: +``` bash +mkdir ssh +ssh-keygen -f ssh/id_rsa -t rsa -N '' +ssh root@172.16.0.31 "mkdir /root/.ssh/" +scp ./ssh/id_rsa.pub root@172.16.0.31:/root/.ssh/authorized_keys +``` + +Now make sure you can ssh with the key: +``` bash +ssh -i ./ssh/id_rsa root@172.16.0.31 +``` + +Build syzkaller on you host machine as you do usually. + +Build `syz-manager` and `syz-repro` with `odroid` build tag: +``` bash +go build -tags odroid -o ./bin/syz-manager ./syz-manager +go build -tags odroid -o ./bin/syz-repro ./tools/syz-repro +``` + +Cross compile `syz-fuzzer`, `syz-execprog` and `syz-executor` binaries for arm64: +``` bash +GOARCH=arm64 go build -o bin/syz-fuzzer ./syz-fuzzer +GOARCH=arm64 go build -o bin/syz-execprog ./tools/syz-execprog +$PREFIX/bin/aarch64-linux-gcc executor/executor.cc -O1 -g -Wall -static -o bin/syz-executor -lpthread +``` + +Use the following config: +``` +{ + "http": "127.0.0.1:56741", + "workdir": "/syzkaller/workdir", + "vmlinux": "/linux-next/vmlinux", + "syzkaller": "/go/src/github.com/google/syzkaller", + "rpc": "172.16.0.30:0", + "sandbox": "namespace", + "reproduce": false, + "procs": 8, + "type": "odroid", + "vm": { + "sshkey": "/odroid/ssh/id_rsa", + "host_addr": "172.16.0.30", + "slave_addr": "172.16.0.31", + "console": "/dev/ttyUSB0", + "hub_bus": 3, + "hub_device": 26, + "hub_port": 5 + } +} +``` + +Don't forget to update: + - `workdir` (path to the workdir) + - `vmlinux` (path to the `vmlinux` binary) + - `vm.sshkey` (path to the generated ssh private key) + - `vm.console` (serial device you used in `minicom`) + - `vm.hub_bus` (number of the bus to which USB hub is connected, view with `lsusb`) + - `vm.hub_device` (device number for the USB hub, view with `lsusb`) + - `vm.hub_port` (number of the USB hub port to which Odroid power plug is connected) + +Now start syzkaller: +``` bash +./bin/syz-manager -config=odroid.cfg +``` 
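Review bot: in docs/setup_ubuntu-host_odroid-c2-board_arm64-kernel.md the link `[here](docs/linux_kernel_configs.md)` in the "Configure the kernel" paragraph is relative to the file's own directory, so from inside `docs/` it resolves to `docs/docs/linux_kernel_configs.md`; it should be `linux_kernel_configs.md`. In the "Installation" section the commands `cp ./uImage $MOUNT_PATH/boot/uImage-$KERNEL_VERSION` and `make modules_install LOCALVERSION=-xc2 INSTALL_MOD_PATH=$MOUNT_PATH/rootfs/` write into partitions the text says were automounted, which on a stock Ubuntu host are root-owned, so they most likely need `sudo` like the `dpkg -i` step above them; say so, or the reader hits a permission error halfway through. The `boot.ini` uses `panic=86400` where the QEMU pages use `panic=-1`; if that is deliberate because the hub power cycle does the reset, one sentence explaining it would stop readers "fixing" it. Spelling: "you might wan't" should be "want", "on you host machine" should be "your", and "some of it's ports" / "it's simplified Go analog" should be "its".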
diff --git a/docs/setup_ubuntu-host_qemu-vm_x86-64-kernel.md b/docs/setup_ubuntu-host_qemu-vm_x86-64-kernel.md new file mode 100644 index 00000000..023b7cb2 --- /dev/null +++ b/docs/setup_ubuntu-host_qemu-vm_x86-64-kernel.md 
@@ -0,0 +1,234 @@ +# Setup: Ubuntu host, QEMU vm, x86-64 kernel + +These are the instructions on how to fuzz the x86-64 kernel in a QEMU with Ubuntu 14.04 on the host machine and Debian Wheezy in the QEMU instances. + +## GCC + +Since syzkaller requires coverage support in GCC, we need to use a recent GCC version. To checkout GCC 7.1.0 sources to `$GCC` dir: +``` bash +svn checkout svn://gcc.gnu.org/svn/gcc/trunk $GCC +cd $GCC +svn ls -v ^/tags | grep gcc_7_1_0_release +svn up -r 247494 +``` + +Unfortunately there's a typo in `gcc_7_1_0_release`. Apply [this fix](https://patchwork.ozlabs.org/patch/757421/): +``` c +diff --git a/gcc/tree.h b/gcc/tree.h +index 3bca90a..fdaa7af 100644 +--- a/gcc/tree.h ++++ b/gcc/tree.h +@@ -897,8 +897,8 @@ extern void omp_clause_range_check_failed (const_tree, const char *, int, + /* If this is true, we should insert a __cilk_detach call just before + this function call. */ + #define EXPR_CILK_SPAWN(NODE) \ +- (tree_check2 (NODE, __FILE__, __LINE__, __FUNCTION__, \ +- CALL_EXPR, AGGR_INIT_EXPR)->base.u.bits.unsigned_flag) ++ (TREE_CHECK2 (NODE, CALL_EXPR, \ ++ AGGR_INIT_EXPR)->base.u.bits.unsigned_flag) + + /* In a RESULT_DECL, PARM_DECL and VAR_DECL, means that it is + passed by invisible reference (and the TREE_TYPE is a pointer to the true +``` + +Install GCC prerequisites: +``` +sudo apt-get install flex bison libc6-dev libc6-dev-i386 linux-libc-dev linux-libc-dev:i386 libgmp3-dev libmpfr-dev libmpc-dev +``` + +Build GCC: +``` bash +mkdir build +mkdir install +cd build/ +../configure --enable-languages=c,c++ --disable-bootstrap --enable-checking=no --with-gnu-as --with-gnu-ld --with-ld=/usr/bin/ld.bfd --disable-multilib --prefix=$GCC/install/ +make -j64 +make install +``` + +Now you should have GCC binaries in `$GCC/install/bin/`: +``` bash +$ ls $GCC/install/bin/ +c++ gcc-ar gcov-tool x86_64-pc-linux-gnu-gcc-7.0.0 +cpp gcc-nm x86_64-pc-linux-gnu-c++ x86_64-pc-linux-gnu-gcc-ar +g++ gcc-ranlib x86_64-pc-linux-gnu-g++ 
x86_64-pc-linux-gnu-gcc-nm +gcc gcov x86_64-pc-linux-gnu-gcc x86_64-pc-linux-gnu-gcc-ranlib +``` + +## Kernel + +Checkout Linux kernel source: +``` bash +git clone https://github.com/torvalds/linux.git $KERNEL +``` + +Generate default configs: +``` bash +cd $KERNEL +make defconfig +make kvmconfig +``` + +Now we need to enable some config options required for syzkaller. +Edit `.config` file manually and enable: +``` +CONFIG_KCOV=y +CONFIG_DEBUG_INFO=y +CONFIG_KASAN=y +CONFIG_KASAN_INLINE=y +``` + +You might also want to enable some other kernel configs as described [here](docs/linux-kernel-configs.md). + +Since enabling these options results in more sub options being available, we need to regenerate config. Run this and press enter each time when prompted for some config value to leave it as default: +``` bash +make oldconfig +``` + +Build the kernel with previously built GCC: +``` +make CC='$GCC/install/bin/gcc' -j64 +``` + +Now you should have `vmlinux` (kernel binary) and `bzImage` (packed kernel image): +``` bash +$ ls $KERNEL/vmlinux +$KERNEL/vmlinux +$ ls $KERNEL/arch/x86/boot/bzImage +$KERNEL/arch/x86/boot/bzImage +``` + +## Image + +Install debootstrap: +``` bash +sudo apt-get install debootstrap +``` + +Use [this script](https://github.com/google/syzkaller/blob/master/tools/create-image.sh) to create a minimal Debian-wheezy Linux image. +The result should be `$IMAGE/wheezy.img` disk image. + +Sometimes it's useful to have some additional packages and tools available in the VM even though they are not required to run syzkaller. +The instructions to install some useful tools are below. +They should obviously be executed before packing the `.img` file. 
+ +To install other packages (not required to run syzkaller): +``` bash +sudo chroot wheezy /bin/bash -c "apt-get update; apt-get install -y curl tar time strace gcc make sysbench git vim screen usbutils" +``` + +To install Trinity (not required to run syzkaller): +``` bash +sudo chroot wheezy /bin/bash -c "mkdir -p ~; cd ~/; wget https://github.com/kernelslacker/trinity/archive/v1.5.tar.gz -O trinity-1.5.tar.gz; tar -xf trinity-1.5.tar.gz" +sudo chroot wheezy /bin/bash -c "cd ~/trinity-1.5 ; ./configure.sh ; make -j16 ; make install" +``` + +To install perf (not required to run syzkaller): +``` bash +cp -r $KERNEL wheezy/tmp/ +sudo chroot wheezy /bin/bash -c "apt-get update; apt-get install -y flex bison python-dev libelf-dev libunwind7-dev libaudit-dev libslang2-dev libperl-dev binutils-dev liblzma-dev libnuma-dev" +sudo chroot wheezy /bin/bash -c "cd /tmp/linux/tools/perf/; make" +sudo chroot wheezy /bin/bash -c "cp /tmp/linux/tools/perf/perf /usr/bin/" +rm -r wheezy/tmp/linux +``` + +## QEMU + +Install `QEMU`: +``` bash +sudo apt-get install kvm qemu-kvm +``` + +Make sure the kernel boots and `sshd` starts: +``` bash +qemu-system-x86_64 \ + -kernel $KERNEL/arch/x86/boot/bzImage \ + -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ"\ + -hda $IMAGE/wheezy.img \ + -net user,hostfwd=tcp::10021-:22 -net nic \ + -enable-kvm \ + -nographic \ + -m 2G \ + -smp 2 \ + -pidfile vm.pid \ + 2>&1 | tee vm.log +``` + +``` +early console in setup code +early console in extract_kernel +input_data: 0x0000000005d9e276 +input_len: 0x0000000001da5af3 +output: 0x0000000001000000 +output_len: 0x00000000058799f8 +kernel_total_size: 0x0000000006b63000 + +Decompressing Linux... Parsing ELF... done. +Booting the kernel. +[ 0.000000] Linux version 4.12.0-rc3+ ... +[ 0.000000] Command line: console=ttyS0 root=/dev/sda debug earlyprintk=serial +... +[ ok ] Starting enhanced syslogd: rsyslogd. +[ ok ] Starting periodic command scheduler: cron. 
+[ ok ] Starting OpenBSD Secure Shell server: sshd. +``` + +After that you should be able to ssh to QEMU instance in another terminal: +``` bash +ssh -i $IMAGE/ssh/id_rsa -p 10021 -o "StrictHostKeyChecking no" root@localhost +``` + +To kill the running QEMU instance: +``` bash +kill $(cat vm.pid) +``` + +## Go + +Install Go 1.8.1: +``` bash +wget https://storage.googleapis.com/golang/go1.8.1.linux-amd64.tar.gz +tar -xf go1.8.1.linux-amd64.tar.gz +mv go goroot +export GOROOT=`pwd`/goroot +export PATH=$PATH:$GOROOT/bin +mkdir gopath +export GOPATH=`pwd`/gopath +``` + +## syzkaller + +Get and build syzkaller: +``` bash +go get -u -d github.com/google/syzkaller/... +cd gopath/src/github.com/google/syzkaller/ +mkdir workdir +make +``` + +Create manager config like this: +``` +{ + "http": "127.0.0.1:56741", + "workdir": "/gopath/src/github.com/google/syzkaller/workdir", + "vmlinux": "/linux/upstream/vmlinux", + "image": "/image/wheezy.img", + "syzkaller": "/gopath/src/github.com/google/syzkaller", + "procs": 8, + "type": "qemu", + "vm": { + "count": 4, + "kernel": "/linux/arch/x86/boot/bzImage", + "sshkey": "/image/ssh/id_rsa", + "cpu": 2, + "mem": 2048 + } +} +``` + +Run syzkaller manager: +``` bash +./bin/syz-manager -config=my.cfg +``` + +Now syzkaller should be running, you can check manager status with your web browser at `127.0.0.1:56741`. diff --git a/sys/README.md b/docs/syscall_descriptions.md similarity index 99% rename from sys/README.md rename to docs/syscall_descriptions.md index b5b497bc..27239ca4 100644 --- a/sys/README.md +++ b/docs/syscall_descriptions.md @@ -1,4 +1,4 @@ -# Syscall Description +# Syscall descriptions `syzkaller` uses declarative description of syscalls to generate, mutate, minimize, serialize and deserialize programs (sequences of syscalls). Below you can see diff --git a/docs/tools_syz-execprog_syz-prog2c_syz-repro.md b/docs/tools_syz-execprog_syz-prog2c_syz-repro.md new file mode 100644 index 00000000..5765dcdd --- /dev/null 
+++ b/docs/tools_syz-execprog_syz-prog2c_syz-repro.md 
@@ -0,0 +1,24 @@ +# Tools: syz-execprog, syz-prog2c, syz-repro + +The process of creating reproducer programs for syzkaller bugs is automated, however it's not perfect, so syzkaller provides a few tools for executing and reproducing programs manually. + +Crash logs created in manager `workdir/crashes` dir contain programs executed just before a crash. In parallel execution mode (when `procs` parameter in manager config is set to value larger than 1), program that caused the crash does not necessary immediately precedes it; the guilty program can be somewhere before. +The are two tools that can help you identify and minimize the program that causes a crash: `tools/syz-execprog` and `tools/syz-prog2c`. + +`tools/syz-execprog` executes a single syzkaller program or a set of programs in various modes (once or loop indefinitely; in threaded/collide mode (see below), with or without coverage collection). You can start by running all programs in the crash log in a loop to check that at least one of them indeed crashes kernel: `./syz-execprog -executor=./syz-executor -repeat=0 -procs=16 -cover=0 crash-log`. Then try to identify the single program that causes the crash, you can test programs with `./syz-execprog -executor=./syz-executor -repeat=0 -procs=16 -cover=0 file-with-a-single-program`. + +Note: `syz-execprog` executes programs locally. So you need to copy `syz-execprog` and `syz-executor` into a VM with the test kernel and run it there. + +Once you have a single program that causes the crash, try to minimize it by removing individual syscalls from the program (you can comment out single lines with `#` at the beginning of line), and by removing unnecessary data (e.g. replacing `&(0x7f0000001000)="73656c6600"` syscall argument with `&(0x7f0000001000)=nil`). You can also try to coalesce all mmap calls into a single mmap call that maps whole required area. Again, test minimization with `syz-execprog` tool. 
+ +Now that you have a minimized program, check if the crash still reproduces with `./syz-execprog -threaded=0 -collide=0` flags. If not, then you will need to do some additional work later. + +Now, run `syz-prog2c` tool on the program. It will give you executable C source. If the crash reproduces with -threaded/collide=0 flags, then this C program should cause the crash as well. + +If the crash id not reproducible with -threaded/collide=0 flags, then you need this last step. You can think of threaded/collide mode as if each syscall is executed in its own thread. To mode such execution mode, move individual syscalls into separate threads. You can see an example here: https://groups.google.com/d/msg/syzkaller/fHZ42YrQM-Y/Z4Xf-BbUDgAJ. + +This process is automated to some degree in the `syz-repro` utility. You need to give it your manager config and a crash report file: +``` +./syz-repro -config my.cfg crash-qemu-1-1455745459265726910 +``` +It will try to find the offending program and minimize it. But since there are lots of factors that can affect reproducibility, it does not always work. diff --git a/docs/tools_syz-hub.md b/docs/tools_syz-hub.md new file mode 100644 index 00000000..62646640 --- /dev/null +++ b/docs/tools_syz-hub.md 
@@ -0,0 +1,28 @@ +# Tools: syz-hub + +`syz-hub` program can be used to connect several `syz-manager`'s together and allow them to exchange programs. + +Build `syz-hub` with `go install github.com/google/syzkaller/syz-hub`. Then create a config file along the lines of: + +``` +{ + "http": ":80", + "rpc": ":55555", + "workdir": "/syzkaller/workdir", + "managers": [ + {"name": "manager1", "key": "6sCFsJVfyFQVhWVKJpKhHcHxpCH0gAxL"}, + {"name": "manager2", "key": "FZFSjthHHf8nKm2cqqAcAYKM5a3XM4Ao"}, + {"name": "manager3", "key": "fTrIBQCmkEq8NsvQXZiOUyop6uWLBuzf"} + ] +} +``` + +And start it with `$GOPATH/syz-hub -config hub.cfg`. Then add the following additional parameters to `syz-manager` config files of each manager: + +``` + "name": "manager1", + "hub_addr": "1.2.3.4:55555", + "hub_key": "6sCFsJVfyFQVhWVKJpKhHcHxpCH0gAxL", +``` + +And start managers. Once they triage local corpus, they will connect to the hub and start exchanging inputs. Both hub and manager web pages will show how many inputs they send/receive from the hub.
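Review bot: in docs/linux_kernel_configs.md the KASLR paragraph tells the reader to set `# CONFIG_RANDOMIZE_BASE is not set` if two commits are missing, but gives no way to tell whether a given tree has them. Suggest adding a concrete check, for example `git merge-base --is-ancestor 4983f0ab7ffaad1e534b21975367429736475205 HEAD` for each of the two commits, and stating the consequence of getting it wrong (per the linked commit title, KCOV does not work properly with KASLR on such kernels, so coverage-guided fuzzing silently degrades); as written the option reads as merely optional rather than as a correctness requirement.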
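Review bot: in docs/linux_kernel_reporting_bugs.md the last paragraph routes potential security bugs to `security@kernel.org`, but the earlier line `Please also add syzkaller@googlegroups.com to the CC list.` is unconditional, and that list is public. Say explicitly that a report sent to security@kernel.org must not CC the public syzkaller list (nor the subsystem lists that `get_maintainer.pl` prints) until the fix is released; otherwise the advice to report privately is undone by the CC instruction two paragraphs above it.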
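Review bot: in docs/setup_linux-host_android-device_arm64-kernel.md the `syz-executor` build command hardcodes `/android-ndk-r12b/...` three times (compiler, libc++ include path and the `android-22` sysroot) with no variable, and the example config sets `"sandbox": "none"` and `"vmlinux": "-"` without comment. Suggest an `$NDK` variable for the three paths, one sentence on why the sandbox is `none` for adb targets (and that the `namespace` sandbox configs from the configs page apply if it is to be enabled), and one on why `vmlinux` is `-` here when every other setup page requires a real `vmlinux` path.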
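Review bot: in docs/setup_linux-host_qemu-vm_arm64-kernel.md the sample manager config is not valid JSON: `"workdir": "/path/to/a/dir/to/store/syzkaller/corpus”,`, `"vmlinux": “/path/to/vmlinux",` and `"kernel": “/path/to/Image",` use typographic quotes, and `"sshkey": "/path/to/ida_rsa"` is a typo for `id_rsa`; the same curly quotes appear in `CONFIG_CMDLINE=”console=ttyAMA0”`. The login check `ssh -i /path/to/id_rsa root@localhost -P10023` uses scp's flag; ssh takes `-p 10023`. Also, "You will require an ARM64 kernel with gcc plugin support" should read "toolchain". On the security side, `-net user,hostfwd=tcp::10023-:22` binds the forward on every host interface while the guest is configured with `PermitRootLogin yes`, `PasswordAuthentication yes` and the root password set in buildroot, and the init script runs `chmod 777 /sys/kernel/debug/kcov`; suggest `hostfwd=tcp:127.0.0.1:10023-:22`, setting `PasswordAuthentication no` once key login works, and a note that the image is a throwaway fuzzing guest, not something to expose.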
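Review bot: in docs/setup_ubuntu-host_qemu-vm_x86-64-kernel.md the build step `make CC='$GCC/install/bin/gcc' -j64` does not do what it says: the single quotes stop the shell from expanding `$GCC`, and make then treats `$G` as an (empty) make variable, so CC becomes `CC/install/bin/gcc`; it should be `make CC="$GCC/install/bin/gcc" -j64`. The link `[here](docs/linux-kernel-configs.md)` is wrong twice over: the file is `linux_kernel_configs.md` (underscores) and from inside `docs/` the relative path should not start with `docs/`. The captured `ls $GCC/install/bin/` output lists `x86_64-pc-linux-gnu-gcc-7.0.0` although the text says the 7.1.0 release is checked out, so either the output is stale or `svn up -r 247494` is not the tag; please reconcile. As in the arm64 page, `hostfwd=tcp::10021-:22` binds on all host interfaces; `hostfwd=tcp:127.0.0.1:10021-:22` is the safer default for a root-login fuzzing guest.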
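Review bot: in docs/tools_syz-execprog_syz-prog2c_syz-repro.md the `syz-execprog` examples rely on `-repeat=0` without saying that 0 means loop indefinitely, even though the surrounding text describes the "once or loop indefinitely" modes; one clause would make the commands self-explanatory. Grammar in the same hunk: "The are two tools" should be "There are two tools", "does not necessary immediately precedes it" should be "does not necessarily immediately precede it", "If the crash id not reproducible" should be "is not", and "To mode such execution mode" should be "To model such an execution mode".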
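Review bot: in docs/tools_syz-hub.md the start command `$GOPATH/syz-hub -config hub.cfg` points at the wrong path: `go install` places the binary in `$GOPATH/bin/syz-hub`. Second, the three `"key"` values in the example config are the only thing authenticating a manager to the hub's `rpc` endpoint, which the example binds as `":55555"` on all interfaces, with the web UI on `":80"`; since the hub exchanges executable programs between managers, say that the keys are per-deployment secrets to be generated fresh rather than copied from this page, and suggest binding `http` and `rpc` to a specific address or firewalling them.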