syzkaller

WARNING: this is just an unsorted collection of notes currently.

Are there any public syzkaller instances?

  1. syzbot (crash report mailing list)

  2. <more private ones run by some>

How to manually run a ``Syz repro``?

  1. install a few packages: go, gcc, gmake, and whatever comes along with it

  2. run go get -u github.com/google/syzkaller

  3. cd ~/go/src/github.com/google/syzkaller

  4. gmake

  5. Once the build finished successfully:

  6. bin/freebsd_amd64

  7. put the Syz repro output into a file (I call it x).

  8. ./syz-execprog x

    • you may want to play with -procs <n> -repeat <n|0> -stdout -debug

    • also note the head of the Syz repro output has options encoded already

How do I add a new system call?

  1. pkg install llvm, to get clang-format
  2. add a description of the system call to sys/freebsd/*.txt (start a new file if appropriate, e.g., capsicum.txt for Capsicum-related system calls)

  3. from the root of the syzkaller source tree, run gmake extract SOURCEDIR=/usr/src

  4. recreate automatically generated syscall definition files: gmake generate

  5. rebuild syzkaller: gmake

Step 1 may be non-trivial depending on the complexity of the system call interface in question. The syzkaller repo contains some pages describing the syscall description language: 1, 2.

netdump

echo 'dumpdev="NO"' >> /etc/rc.conf

# cat /etc/dhclient-exit-hooks

if [ "$reason" = BOUND ] || \
   [ "$reason" = REBOOT ] || \
   [ -z "$old_ip_address" ] || \
   [ "$old_ip_address" != "$new_ip_address" ]; then
        dumpon -s 169.254.0.1 -c $new_ip_address $interface
fi

Syzkaller (last edited 2019-05-21T20:45:07+0000 by AndrewTurner)