Testing openEuler 23.03 with syzkaller
Environment:
- a riscv64 QEMU machine
- a host (with a riscv cross-compilation toolchain)
- syzkaller
- a kernel built with the debug options enabled (linux-6.1.19-4.oe2303.riscv64)
Preparation
Install the required packages:
paru -S riscv64-linux-gnu-gcc go
Build and install syzkaller
Just follow the official tutorial:
git clone https://github.com/google/syzkaller
# git checkout (using branch master)
# id: 4bce1a3
cd syzkaller
make TARGETOS=linux TARGETARCH=riscv64 # cross-compile
This produces the binaries under ./bin.
Related tutorials:
- Syzkaller configuration: Link
- the vm field: Link
- Doc for QEMU vm, riscv64 kernel: Link
Building the kernel
When testing by following the tutorial, I found that the prebuilt 23.03 kernel (6.1.19-2) did not have the required debug options enabled, so I decided to build the kernel myself (I had built it before, so the process was familiar).
Compile a Linux image for RISC-V:
wget -c https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.1.19.tar.xz
tar -xf linux-6.1.19.tar.xz
cd linux-6.1.19
make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- defconfig
nvim .config # edit the build options
make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- olddefconfig
make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- -j $(nproc)
Then I changed the QEMU boot parameters following this tutorial, and it booted successfully!
But this is not the openEuler kernel (I only realized that later).
Building the kernel with OBS
Linux 6.1.19
OBS platform: https://build.tarsier-infra.com/
Build output: http://obs-backend.tarsier-infra.com:82/
Result: kernel-6.1.19-4.oe2303.rpm
Debug options added:
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_INFO=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG=y
CONFIG_USER_NS=y
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_USERCOPY=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_FUTEX=y
CONFIG_LOCKDEP=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_PROVE_RCU=y
CONFIG_DEBUG_VM=y
CONFIG_REFCOUNT_FULL=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_WQ_WATCHDOG=y
See https://gitee.com/geasscore/risc-v-kernel/tree/kernel-6.1.19/
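Since the whole detour above came from a prebuilt kernel that silently lacked these options, it is worth checking the kernel you are about to boot before handing it to syz-manager. The following script is an added example, not part of the original post: it takes a .config (or a gzip-compressed copy such as /proc/config.gz, when the kernel exposes it) and lists every option from the list above that is not set to y. Options that the 6.1 tree or the riscv architecture does not offer are reported as missing too, which is exactly what olddefconfig would otherwise drop without a word.

```shell
#!/bin/sh
# check_kconfig.sh (added example, not from the original post): verify that a kernel
# configuration enables every option in the list above before spending fuzzing time on it.
# Accepts a plain .config or a gzip-compressed copy (e.g. /proc/config.gz on the target).

# The option list from the post, without the "=y" suffix.
REQUIRED_OPTIONS="
CONFIG_KCOV CONFIG_KCOV_INSTRUMENT_ALL CONFIG_KCOV_ENABLE_COMPARISONS CONFIG_DEBUG_FS
CONFIG_DEBUG_KMEMLEAK CONFIG_DEBUG_INFO CONFIG_KALLSYMS CONFIG_KALLSYMS_ALL CONFIG_NAMESPACES
CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_CGROUP_PIDS CONFIG_MEMCG
CONFIG_USER_NS CONFIG_CONFIGFS_FS CONFIG_SECURITYFS CONFIG_KASAN CONFIG_KASAN_INLINE
CONFIG_FAULT_INJECTION CONFIG_FAULT_INJECTION_DEBUG_FS CONFIG_FAULT_INJECTION_USERCOPY
CONFIG_FAILSLAB CONFIG_FAIL_PAGE_ALLOC CONFIG_FAIL_MAKE_REQUEST CONFIG_FAIL_IO_TIMEOUT
CONFIG_FAIL_FUTEX CONFIG_LOCKDEP CONFIG_PROVE_LOCKING CONFIG_DEBUG_ATOMIC_SLEEP CONFIG_PROVE_RCU
CONFIG_DEBUG_VM CONFIG_REFCOUNT_FULL CONFIG_FORTIFY_SOURCE CONFIG_HARDENED_USERCOPY
CONFIG_LOCKUP_DETECTOR CONFIG_SOFTLOCKUP_DETECTOR CONFIG_HARDLOCKUP_DETECTOR
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC CONFIG_DETECT_HUNG_TASK CONFIG_WQ_WATCHDOG
"

# missing_kconfig <config-file>
# Prints each required option that is not "=y" in the file, one per line.
# Returns 0 when nothing is missing, 1 when something is, 2 if the file cannot be read.
missing_kconfig() {
    cfg="$1"
    case "$cfg" in
        *.gz) contents="$(gzip -dc "$cfg")" || return 2 ;;
        *)    contents="$(cat "$cfg")" || return 2 ;;
    esac
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        # -x: whole-line match, so CONFIG_KCOV=y does not satisfy CONFIG_KCOV_INSTRUMENT_ALL
        # and "# CONFIG_FOO is not set" or CONFIG_FOO=m both count as missing
        if ! printf '%s\n' "$contents" | grep -qx "${opt}=y"; then
            printf '%s\n' "$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone usage: ./check_kconfig.sh linux-6.1.19/.config
if [ -n "${1:-}" ]; then
    missing_kconfig "$1" && echo "all required options are enabled"
fi
```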
Installing the new kernel
# on the qemu guest
rpm -ivh kernel-6.1.19-4.oe2303.rpm
# on the host: fetch the installed image, then decompress it to the name start_vm.sh expects
scp -P 12055 [email protected]:/boot/vmlinuz-6.1.19-4.oe2303.riscv64 .
gunzip -c vmlinuz-6.1.19-4.oe2303.riscv64 > vmlinuz-6.1.19-4.oe2303
start_vm.sh:
#!/bin/bash
vcpu=8
memory=8 # GiB
drive="$(ls *.qcow2)"
kn="vmlinuz-6.1.19-4.oe2303" # the decompressed image fetched above
ssh_port=12055 # forwarded to the guest's port 22; must match "targets" in riscv64.cfg
# Run qemu directly rather than building the command line into a string: the single quotes
# around the -append value would otherwise be passed to qemu literally.
qemu-system-riscv64 \
  -nographic -machine virt \
  -smp "$vcpu" -m "${memory}G" \
  -kernel "$kn" \
  -drive file="$drive",format=qcow2,id=hd0 \
  -object rng-random,filename=/dev/urandom,id=rng0 \
  -device virtio-vga \
  -device virtio-rng-device,rng=rng0 \
  -device virtio-blk-device,drive=hd0 \
  -device virtio-net-device,netdev=usernet \
  -netdev user,id=usernet,hostfwd=tcp::"$ssh_port"-:22 \
  -device qemu-xhci -usb -device usb-kbd -device usb-tablet \
  -append 'root=/dev/vda2 rw'
Configuring syzkaller
Reference tutorial: link
riscv64.cfg:
{
    "name": "riscv64",
    "target": "linux/riscv64",
    "http": "127.0.0.1:56700",
    "rpc": "127.0.0.1:0",
    "sshkey": "pathto/id_ed25519",
    "workdir": "pathto/syzkaller/workdir",
    "syzkaller": "pathto/syzkaller",
    "type": "isolated",
    "vm": {
        "targets": [ "127.0.0.1:12055" ],
        "pstore": false,
        "target_dir": "/root/fuzzdir",
        "target_reboot": false
    }
}
Start the target machine
Copy the ssh public key to the target machine
Create /root/fuzzdir on the target
Start the test:
./bin/syz-manager -config riscv64.cfg
Test results
BUG: soft lockup in corrupted
After running for an hour, only this one crash was reported. It seems that because kernel_obj (the arch path of the Linux build) was not specified, some fields could not be displayed (probably).
Looking at the report: it is a soft lockup, but I could not really understand the printed information.
(in the reports folder)