# Executing syzkaller programs

This page describes how to execute existing syzkaller programs for the purpose of bug reproduction. This way you can replay a single program or a whole execution log with several programs.

- Set up the Go toolchain (if you don't yet have it, you need version 1.8 or higher):
  Download the latest Go distribution from https://golang.org/dl/. Unpack it to `$HOME/go1.8`.
  ```
  $ export GOROOT=$HOME/go1.8
  $ export GOPATH=$HOME/gopath
  ```
- Download syzkaller sources:
  ```
  $ go get -u -d github.com/google/syzkaller/...
  ```
- Build the necessary syzkaller binaries:
  ```
  $ cd $GOPATH/src/github.com/google/syzkaller
  $ make
  ```
- Copy the binaries and the program to the test machine:
  ```
  $ scp bin/syz-execprog bin/syz-executor program test@machine
  ```
- Run the program on the test machine:
  ```
  $ ./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16 program
  ```
Several useful `syz-execprog` flags:

```
-collide
    collide syscalls to provoke data races (default true)
-procs int
    number of parallel processes to execute programs (default 1)
-repeat int
    repeat execution that many times (0 for infinite loop) (default 1)
-sandbox string
    sandbox for fuzzing (none/setuid/namespace) (default "setuid")
-threaded
    use threaded mode in executor (default true)
```

If you pass `-threaded=0 -collide=0`, programs will be executed as a simple single-threaded sequence of syscalls. `-threaded=1` forces execution of each syscall in a separate thread, so that execution can proceed over blocking syscalls. `-collide=0` forces a second round of execution of syscalls in which pairs of syscalls are executed concurrently.
If you are replaying a reproducer program that contains a header along the following lines:

```
#{Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:false}
```

then you need to adjust the `syz-execprog` flags based on the values in the header. Namely, `Threaded`/`Collide`/`Procs`/`Sandbox` directly relate to the `-threaded`/`-collide`/`-procs`/`-sandbox` flags. If `Repeat` is set to `true`, add the `-repeat=0` flag to `syz-execprog`.
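The header-to-flags mapping above is easy to get wrong by hand when you are replaying many reproducers, so here is a small POSIX shell helper that does it mechanically. It is an added example, not part of the syzkaller documentation or tooling; the function names (`header_to_flags`, `repro_command`) are this example's own, and it goes one step beyond the text by also assembling the full `syz-execprog` command line for a program file, refusing to guess when the file has no `#{...}` header.

```shell
#!/bin/sh
# Added example (not syzkaller's own code): derive syz-execprog flags from the
# "#{...}" header of a reproducer program, using the mapping described above
# (Threaded/Collide/Procs/Sandbox -> -threaded/-collide/-procs/-sandbox,
# Repeat:true -> -repeat=0). Function names here are this example's own.

# Map a "true"/"false" header value to the 1/0 form used for bool flags.
bool_to_int() {
    if [ "$1" = "true" ]; then echo 1; else echo 0; fi
}

# header_to_flags 'HEADER_LINE' -> prints the syz-execprog flags on stdout.
header_to_flags() {
    hdr=$1
    # Strip the leading "#{" and trailing "}" to get "Key:value Key:value ...".
    body=$(printf '%s\n' "$hdr" | sed 's/^#{//; s/}$//')
    threaded=false; collide=false; procs=""; sandbox=""; repeat=false
    for kv in $body; do
        key=${kv%%:*}
        val=${kv#*:}
        case $key in
            Threaded) threaded=$val ;;
            Collide)  collide=$val ;;
            Procs)    procs=$val ;;
            Sandbox)  sandbox=$val ;;
            Repeat)   repeat=$val ;;
            # Other fields (Fault, EnableTun, ...) have no flag in the list above.
        esac
    done
    flags="-threaded=$(bool_to_int "$threaded") -collide=$(bool_to_int "$collide")"
    if [ -n "$procs" ]; then flags="$flags -procs=$procs"; fi
    if [ -n "$sandbox" ]; then flags="$flags -sandbox=$sandbox"; fi
    # Repeat:true means "loop forever", which syz-execprog spells -repeat=0.
    if [ "$repeat" = "true" ]; then flags="$flags -repeat=0"; fi
    printf '%s\n' "$flags"
}

# repro_command PROGRAM_FILE -> prints the command line to run on the test
# machine. Fails (exit 1) if the file carries no "#{...}" header line, so the
# caller knows the flags must be chosen by hand instead of silently defaulted.
repro_command() {
    prog=$1
    hdr=$(sed -n '/^#{/{p;q;}' "$prog")
    if [ -z "$hdr" ]; then
        echo "no #{...} header in $prog; pass flags by hand" >&2
        return 1
    fi
    printf './syz-execprog -executor ./syz-executor -cover=0 %s %s\n' \
        "$(header_to_flags "$hdr")" "$prog"
}

# Demo on the header quoted above (constructed input; needs no files).
header_to_flags '#{Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:false}'
```

Run it as `sh repro_flags.sh` to see the flags for the sample header, or source it and call `repro_command path/to/reproducer` to get the full command line for a file you copied to the test machine. Only the five header fields the text names are translated; the rest are left alone rather than guessed at.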