Generic instructions on how to set up Linux kernel fuzzing with syzkaller are below.
Instructions for a particular VM type or kernel architecture can be found on these pages:
The following components are needed to use syzkaller:
If you encounter any troubles, check the troubleshooting page.
syzkaller is written in Go, and a Go 1.16+ toolchain is required to build it. Generally we aim at supporting the 2 latest releases of Go. The toolchain can be installed with:
wget https://dl.google.com/go/go1.17.6.linux-amd64.tar.gz
tar -xf go1.17.6.linux-amd64.tar.gz
export GOROOT=`pwd`/go
export PATH=$GOROOT/bin:$PATH
See Go: Download and install for other options.
To download and build syzkaller:
git clone https://github.com/google/syzkaller
cd syzkaller
make
As a result, the compiled binaries should appear in the bin/ dir.
Note: if you want to do cross-OS/arch testing, you need to specify the TARGETOS, TARGETVMARCH and TARGETARCH arguments to make. See the Makefile for details.
You might need to properly set up binutils if you're fuzzing in a cross-arch environment, as described here.
Syzkaller is a coverage-guided fuzzer and therefore needs the kernel to be built with coverage support, which requires a recent GCC version. Coverage support was submitted to GCC and is available in GCC 6.1.0 or later. Make sure that your GCC meets this requirement, or get the GCC that syzbot uses here.
Besides coverage support in GCC, you also need support for it on the kernel side. KCOV was added to the mainline Linux kernel in version 4.6 and is enabled by the CONFIG_KCOV=y kernel configuration option. For older kernels you need to at least backport the commit "kernel: add kcov code coverage". Besides that, it's recommended to backport all kernel patches that touch kernel/kcov.c.
To enable more syzkaller features and improve bug detection abilities, it's recommended to use additional config options. See this page for details.
Syzkaller performs kernel fuzzing on worker virtual machines or physical devices. These worker environments are referred to as VMs. Out of the box, syzkaller supports QEMU, kvmtool and GCE virtual machines, Android devices and Odroid C2 boards.
These are the generic requirements for a syzkaller VM:
syz-manager's configuration. In other words, you should be able to do ssh -i $SSHID -p $PORT root@localhost without being prompted for a password (where SSHID is the SSH identification file and PORT is the port, both as specified in the syz-manager configuration file).
/sys/kernel/debug.
To use QEMU syzkaller VMs you have to install QEMU on your host system; see the QEMU docs for details. The create-image.sh script can be used to create a suitable Linux image.
See the links at the top of the document for instructions on setting up syzkaller for QEMU, Android and some other types of VMs.
QEMU requires root for -enable-kvm.
Solution: add your user to the kvm group (sudo usermod -a -G kvm $USER and relogin).
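As an added pre-flight check (example code, not part of syzkaller or its documentation), the following POSIX shell script tests the requirements covered above: a GCC of at least 6.1.0, CONFIG_KCOV=y in the kernel .config, debugfs mounted at /sys/kernel/debug, passwordless root SSH into the VM using the SSHID and PORT from the syz-manager config, and membership of the kvm group. The .config path, SSH identity file and port are command-line arguments; the file-based checks also accept constructed input files so they can be exercised without a live host.

```shell
#!/bin/sh
# Pre-flight check for the syzkaller requirements described on this page.
# Added here as an example; it is not part of syzkaller.  Each check is a
# function returning 0 (met) or 1 (not met) so the results can be scripted,
# and file/mount-point arguments let the checks run on constructed input too.

# Does a `gcc -dumpversion` string meet the 6.1.0 minimum for coverage support?
gcc_version_ok() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)   # empty when gcc prints only "11"
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 1 ]; }
}

# Is option $2 set to =y in the kernel .config file $1?
kconfig_enabled() {
    grep -qx "$2=y" "$1"
}

# Is debugfs mounted at mount point $2 according to a /proc/mounts-style file $1?
debugfs_mounted() {
    awk -v mp="$2" '$2 == mp && $3 == "debugfs" { ok = 1 } END { exit !ok }' "$1"
}

# Is user $1 a member of group $2 in a group(5)-style file $3 (e.g. /etc/group)?
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# Does passwordless root SSH into the VM work?  BatchMode=yes fails instead of prompting.
ssh_root_ok() {
    ssh -i "$1" -p "$2" -o BatchMode=yes -o ConnectTimeout=5 root@localhost true 2>/dev/null
}

report() { if "$@"; then echo "ok      $1"; else echo "MISSING $1"; fi; }

# Live run against this host and the VM: preflight <kernel .config> <SSHID> <PORT>
preflight() {
    report gcc_version_ok "$(gcc -dumpversion 2>/dev/null || echo 0)"
    report kconfig_enabled "$1" CONFIG_KCOV
    report debugfs_mounted /proc/mounts /sys/kernel/debug
    report in_group "$(id -un)" kvm /etc/group
    report ssh_root_ok "$2" "$3"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as sh preflight.sh /path/to/linux/.config $SSHID $PORT; a MISSING line names the requirement to fix before starting syz-manager.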
QEMU crashes with:
qemu-system-x86_64: error: failed to set MSR 0x48b to 0x159ff00000000
qemu-system-x86_64: /build/qemu-EmNSP4/qemu-4.2/target/i386/kvm.c:2947: kvm_put_msrs: Assertion `ret == cpu->kvm_msr_buf->nmsrs' failed.
Solution: remove -cpu host,migratable=off from the QEMU command line. The easiest way to do that is to set qemu_args to -enable-kvm in the syz-manager config file.