diff options
3 files changed, 264 insertions, 0 deletions
diff --git a/meta-oe/lib/oeqa/selftest/cases/syzkaller.py b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py new file mode 100644 index 0000000000..64fc864bf8 --- /dev/null +++ b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py @@ -0,0 +1,124 @@ +# +# SPDX-License-Identifier: MIT +# + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars +from oeqa.utils.network import get_free_port + +class TestSyzkaller(OESelftestTestCase): + def setUpSyzkallerConfig(self, os_arch, qemu_postfix): + syz_target_sysroot = get_bb_var('PKGD', 'syzkaller') + syz_target = os.path.join(syz_target_sysroot, 'usr') + + qemu_native_bin = os.path.join(self.syz_native_sysroot, 'usr/bin/qemu-system-' + qemu_postfix) + kernel_cmdline = "ip=dhcp rootfs=/dev/sda dummy_hcd.num=%s" % (self.dummy_hcd_num) + kernel_objdir = self.deploy_dir_image + port = get_free_port() + + if not os.path.exists(self.syz_workdir): + os.mkdir(self.syz_workdir) + + with open(self.syz_cfg, 'w') as f: + f.write( +""" +{ + "target": "%s", + "http": "127.0.0.1:%s", + "workdir": "%s", + "kernel_obj": "%s", + "kernel_src": "%s", + "image": "%s", + "syzkaller": "%s", + "type": "qemu", + "reproduce" : false, + "sandbox": "none", + "vm": { + "count": %s, + "kernel": "%s", + "cmdline": "%s", + "cpu": %s, + "mem": %s, + "qemu": "%s", + "qemu_args": "-device virtio-scsi-pci,id=scsi -device scsi-hd,drive=rootfs -enable-kvm -cpu host,migratable=off", + "image_device": "drive index=0,id=rootfs,if=none,media=disk,file=" + } +} +""" +% (os_arch, port, self.syz_workdir, kernel_objdir, self.kernel_src, + self.rootfs, syz_target, self.syz_qemu_vms, self.kernel, kernel_cmdline, + self.syz_qemu_cpus, self.syz_qemu_mem, qemu_native_bin)) + + def test_syzkallerFuzzingQemux86_64(self): + self.image = 'core-image-minimal' + self.machine = 'qemux86-64' + self.fstype = "ext4" + + self.write_config( +""" +MACHINE = "%s" +IMAGE_FSTYPES = "%s" +KERNEL_IMAGETYPES += "vmlinux" +EXTRA_IMAGE_FEATURES += " ssh-server-openssh" +IMAGE_ROOTFS_EXTRA_SPACE = "512000" +KERNEL_EXTRA_FEATURES += " \ + cfg/debug/syzkaller/debug-syzkaller.scc \ +" +IMAGE_INSTALL:append = " syzkaller" +""" +% (self.machine, self.fstype)) + + build_vars = ['TOPDIR', 'DEPLOY_DIR_IMAGE', 'STAGING_KERNEL_DIR'] + syz_fuzz_vars = ['SYZ_WORKDIR', 'SYZ_FUZZTIME', 'SYZ_QEMU_MEM', 'SYZ_QEMU_CPUS', 'SYZ_QEMU_VM_COUNT'] + syz_aux_vars = ['SYZ_DUMMY_HCD_NUM'] + + needed_vars = build_vars + syz_fuzz_vars + syz_aux_vars + bb_vars = get_bb_vars(needed_vars) + + for var in syz_fuzz_vars: + if not bb_vars[var]: + self.skipTest( +""" +%s variable not set. +Please configure %s fuzzing parameters to run this test. + +Example local.conf config: +SYZ_WORKDIR="<path>" # syzkaller workdir location (must be persistent across os-selftest runs) +SYZ_FUZZTIME="30" # fuzzing time in minutes +SYZ_QEMU_VM_COUNT="1" # number of qemu VMs to be used for fuzzing +SYZ_QEMU_MEM="2048"' # memory used by each qemu VM +SYZ_QEMU_CPUS="2"' # number of cpus used by each qemu VM +""" +% (var, ', '.join(syz_fuzz_vars))) + + self.topdir = bb_vars['TOPDIR'] + self.deploy_dir_image = bb_vars['DEPLOY_DIR_IMAGE'] + self.kernel_src = bb_vars['STAGING_KERNEL_DIR'] + + """ + SYZ_WORKDIR must be set to an absolute path where syzkaller will store + the corpus database, config, runtime and crash data generated during + fuzzing. It must be persistent between oe-selftest runs, so the fuzzer + does not start over again on each run. + """ + self.syz_workdir = bb_vars['SYZ_WORKDIR'] + self.syz_fuzztime = int(bb_vars['SYZ_FUZZTIME']) * 60 + self.syz_qemu_mem = int(bb_vars['SYZ_QEMU_MEM']) + self.syz_qemu_cpus = int(bb_vars['SYZ_QEMU_CPUS']) + self.syz_qemu_vms = int(bb_vars['SYZ_QEMU_VM_COUNT']) + self.dummy_hcd_num = int(bb_vars['SYZ_DUMMY_HCD_NUM'] or 8) + + self.syz_cfg = os.path.join(self.syz_workdir, 'syzkaller.cfg') + self.kernel = os.path.join(self.deploy_dir_image, 'bzImage') + self.rootfs = os.path.join(self.deploy_dir_image, '%s-%s.%s' % (self.image, self.machine, self.fstype)) + + self.syz_native_sysroot = get_bb_var('RECIPE_SYSROOT_NATIVE', 'syzkaller-native') + + self.setUpSyzkallerConfig("linux/amd64", "x86_64") + + bitbake(self.image) + bitbake('syzkaller') + bitbake('syzkaller-native -c addto_recipe_sysroot') + + cmd = "syz-manager -config %s" % self.syz_cfg + runCmd(cmd, native_sysroot = self.syz_native_sysroot, timeout=self.syz_fuzztime, output_log=self.logger, ignore_status=True, shell=True) diff --git a/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch b/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch new file mode 100644 index 0000000000..d647b8d4a0 --- /dev/null +++ b/meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch @@ -0,0 +1,67 @@ +From aca1030d29f627314d13884ebc7b2c313d718df7 Mon Sep 17 00:00:00 2001 +From: Ovidiu Panait <ovidiu.panait@windriver.com> +Date: Wed, 13 Apr 2022 17:17:54 +0300 +Subject: [PATCH] sys/targets/targets.go: allow users to override hardcoded + cross-compilers + +Currently, cross compiler names are hardcoded for each os/arch combo. However, +toolchain tuples differ, especially when using vendor provided toolchains. +Allow users to specify the cross compiler for an os/arch combo using +SYZ_CC_<os>_<arch> environment variables. + +Also, remove hardcoded "-march=armv6" flag to fix compilation on arm. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + sys/targets/targets.go | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/sys/targets/targets.go b/sys/targets/targets.go +index f3be708f3..19a8bb681 100644 +--- a/sys/targets/targets.go ++++ b/sys/targets/targets.go +@@ -258,7 +258,6 @@ var List = map[string]map[string]*Target{ + PtrSize: 4, + PageSize: 4 << 10, + LittleEndian: true, +- CFlags: []string{"-D__LINUX_ARM_ARCH__=6", "-march=armv6"}, + Triple: "arm-linux-gnueabi", + KernelArch: "arm", + KernelHeaderArch: "arm", +@@ -670,12 +669,16 @@ func initTarget(target *Target, OS, arch string) { + for i := range target.CFlags { + target.replaceSourceDir(&target.CFlags[i], sourceDir) + } +- if OS == Linux && arch == runtime.GOARCH { +- // Don't use cross-compiler for native compilation, there are cases when this does not work: +- // https://github.com/google/syzkaller/pull/619 +- // https://github.com/google/syzkaller/issues/387 +- // https://github.com/google/syzkaller/commit/06db3cec94c54e1cf720cdd5db72761514569d56 +- target.Triple = "" ++ if OS == Linux { ++ if cc := os.Getenv("SYZ_CC_" + OS + "_" + arch); cc != "" { ++ target.CCompiler = cc ++ } else if arch == runtime.GOARCH { ++ // Don't use cross-compiler for native compilation, there are cases when this does not work: ++ // https://github.com/google/syzkaller/pull/619 ++ // https://github.com/google/syzkaller/issues/387 ++ // https://github.com/google/syzkaller/commit/06db3cec94c54e1cf720cdd5db72761514569d56 ++ target.Triple = "" ++ } + } + if target.CCompiler == "" { + target.setCompiler(useClang) +@@ -803,7 +806,7 @@ func (target *Target) lazyInit() { + // On CI we want to fail loudly if cross-compilation breaks. + // Also fail if SOURCEDIR_GOOS is set b/c in that case user probably assumes it will work. + if (target.OS != runtime.GOOS || !runningOnCI) && os.Getenv("SOURCEDIR_"+strings.ToUpper(target.OS)) == "" { +- if _, err := exec.LookPath(target.CCompiler); err != nil { ++ if _, err := exec.LookPath(strings.Fields(target.CCompiler)[0]); err != nil { + target.BrokenCompiler = fmt.Sprintf("%v is missing (%v)", target.CCompiler, err) + return + } +-- +2.25.1 + diff --git a/meta-oe/recipes-test/syzkaller/syzkaller_git.bb b/meta-oe/recipes-test/syzkaller/syzkaller_git.bb new file mode 100644 index 0000000000..f7c751f806 --- /dev/null +++ b/meta-oe/recipes-test/syzkaller/syzkaller_git.bb @@ -0,0 +1,73 @@ +DESCRIPTION = "syzkaller is an unsupervised coverage-guided kernel fuzzer" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=5335066555b14d832335aa4660d6c376" + +inherit go-mod + +GO_IMPORT = "github.com/google/syzkaller" + +SRC_URI = "git://${GO_IMPORT};protocol=https;destsuffix=${BPN}-${PV}/src/${GO_IMPORT};branch=master \ + file://0001-sys-targets-targets.go-allow-users-to-override-hardc.patch;patchdir=src/${GO_IMPORT} \ + " +SRCREV = "67cb024cd1a3c95e311263a5c95e957f9abfd8ca" + +COMPATIBLE_HOST = "(x86_64|i.86|arm|aarch64).*-linux" + +B = "${S}/src/${GO_IMPORT}/bin" + +GO_EXTRA_LDFLAGS += ' -X ${GO_IMPORT}/prog.GitRevision=${SRCREV}' + +export GOHOSTFLAGS="${GO_LINKSHARED} ${GOBUILDFLAGS}" +export GOTARGETFLAGS="${GO_LINKSHARED} ${GOBUILDFLAGS}" +export TARGETOS = '${GOOS}' +export TARGETARCH = '${GOARCH}' +export TARGETVMARCH = '${GOARCH}' + +CGO_ENABLED = "0" + +DEPENDS:class-native += "qemu-system-native" + +do_compile:class-native() { + export HOSTOS="${GOHOSTOS}" + export HOSTARCH="${GOHOSTARCH}" + + oe_runmake HOSTGO="${GO}" host +} + +do_compile:class-target() { + export HOSTOS="${GOOS}" + export HOSTARCH="${GOARCH}" + export SYZ_CC_${TARGETOS}_${TARGETARCH}="${CC}" + + # Unset GOOS and GOARCH so that the correct syz-sysgen binary can be + # generated. Fixes: + # go install: cannot install cross-compiled binaries when GOBIN is set + unset GOOS + unset GOARCH + + oe_runmake GO="${GO}" CC="${CXX}" CFLAGS="${CXXFLAGS} ${LDFLAGS}" REV=${SRCREV} target +} + +do_install:class-native() { + SYZ_BINS_NATIVE="syz-manager syz-runtest syz-repro syz-mutate syz-prog2c \ + syz-db syz-upgrade" + + install -d ${D}${bindir} + + for i in ${SYZ_BINS_NATIVE}; do + install -m 0755 ${B}/${i} ${D}${bindir} + done +} + +do_install:class-target() { + SYZ_TARGET_DIR="${TARGETOS}_${TARGETARCH}" + SYZ_BINS_TARGET="syz-fuzzer syz-execprog syz-stress syz-executor" + + install -d ${D}${bindir}/${SYZ_TARGET_DIR} + + for i in ${SYZ_BINS_TARGET}; do + install -m 0755 ${B}/${SYZ_TARGET_DIR}/${i} ${D}${bindir}/${SYZ_TARGET_DIR} + done +} + +BBCLASSEXTEND += "native" |