Last updated on:April 11, 2023 pm
留个备忘录方便查看做kernel fuzzing中遇到的问题和解决技巧(持续更新中ing)
常用脚本
- 一键安装syzkaller
#!/bin/bash
set -e
sudo apt update
sudo apt install -y debootstrap qemu qemu-kvm
sudo apt install -y git make build-essential openssh-server
sudo apt install -y libssl-dev libelf-dev
sudo apt install -y flex bison libc6-dev libc6-dev-i386 linux-libc-dev libgmp3-dev libmpfr-dev libmpc-dev
pushd ~
wget https://dl.google.com/go/go1.17.6.linux-amd64.tar.gz
tar -zxvf go1.17.6.linux-amd64.tar.gz
echo "export GOPATH=~/go" >> ~/.bashrc
echo "export PATH=$GOPATH/bin:$PATH" >> ~/.bashrc
source ~/.bashrc
git clone https://github.com/google/syzkaller.git
cd syzkaller
make -j
echo -e "\nDone!"- 查看crashs目录结果
#!/bin/bash
set -e
print_help() {
echo -e "Usage: ./get_result.sh /path/to/crashs_dir"
}
if [[ ! -n "$1" ]]
then
print_help
else
ls $1 | while read crash
do
echo -e "\n======== $crash ========"
desc=`cat $1/$crash/description`
echo -e "$desc"
syz_repro=`ls $1/$crash | grep "repro.prog" | wc -l`
c_repro=`ls $1/$crash | grep "repro.cprog" | wc -l`
repro=`echo "$syz_repro + $c_repro" | bc`
echo -e "Repro: $repro"
done
echo -e "\nDone!"
fi- TBD
qemu+gdb调试内核
通过qemu启动待调试的内核:./debug.sh
# debug.sh
# 基于syzkaller的create-image.sh,开启nokaslr
KERNEL=../linux-6.1.12
IMAGE=./stretch.img
qemu-system-x86_64 \
-kernel $KERNEL/arch/x86/boot/bzImage \
-append "console=ttyS0 root=/dev/sda nokaslr slub_debug=P kmemleak=on"\
-hda $IMAGE \
-net user,hostfwd=tcp::16112-:22 -net nic \
-enable-kvm \
-cpu host \
-nographic \
-serial mon:stdio \
-m 1G \
-s \
-smp 1 \
-pidfile kernel.debug.pid \
2>&1 | tee kernel.debug.log相关参数解释:
-s:监听gdb 1234端口-S:启动后挂起,等待连接(optional)-nographic:不启动图形界面,与console=ttyS0组合使用,将调试信息输出到ttyS0
gdb连接进行调试(我安装的是gdb 10.2,不存在部分博客中提到需要修改gdb源码再编译的问题):
gdb vmlinux --eval-command="target remote tcp::1234"Trouble shooting
Cannot insert breakpoint 1. Cannot access memory at address 0xffffffff8610ae1b- 用硬件断点
hbreak而不是软件断点break
- 用硬件断点
本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!
