blob: 991946669586014708583107b881d128bbd80db3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
# Executing syzkaller programs
This page describes how to execute existing syzkaller programs for the purpose
of bug reproduction. This way you can replay a single program or a whole
execution log with several programs.
1. Setup Go toolchain (if you don't yet have it, you need version 1.9 or higher):
Download latest Go distribution from (https://golang.org/dl/). Unpack it to `$HOME/go1.9`.
``` bash
$ export GOROOT=$HOME/go1.9
$ export GOPATH=$HOME/gopath
```
2. Download syzkaller sources:
``` bash
$ go get -u -d github.com/google/syzkaller/...
```
3. Build necessary syzkaller binaries:
``` bash
$ cd $GOPATH/src/github.com/google/syzkaller
$ make
```
4. Copy binaries and the program to test machine (substitue target `linux_amd64`
as necessary):
``` bash
$ scp bin/linux_amd64/syz-execprog bin/linux_amd64/syz-executor program test@machine
```
5. Run the program on the test machine:
``` bash
$ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
```
Several useful `syz-execprog` flags:
```
-collide
collide syscalls to provoke data races (default true)
-procs int
number of parallel processes to execute programs (default 1)
-repeat int
repeat execution that many times (0 for infinite loop) (default 1)
-sandbox string
sandbox for fuzzing (none/setuid/namespace) (default "setuid")
-threaded
use threaded mode in executor (default true)
```
If you pass `-threaded=0 -collide=0`, programs will be executed as a simple single-threaded sequence of syscalls. `-threaded=1` forces execution of each syscall in a separate thread, so that execution can proceed over blocking syscalls. `-collide=0` forces second round of execution of syscalls when pairs of syscalls are executed concurrently.
If you are replaying a reproducer program that contains a header along the following lines:
```
#{Threaded:true Collide:true Repeat:true Procs:8 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:true WaitRepeat:true Debug:false Repro:false}
```
then you need to adjust `syz-execprog` flags based on the values in the header. Namely, `Threaded`/`Collide`/`Procs`/`Sandbox` directly relate to `-threaded`/`-collide`/`-procs`/`-sandbox` flags. If `Repeat` is set to `true`, add `-repeat=0` flag to `syz-execprog`.
|
