github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/bisect.md

github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/bisect.md (about)

     1  # Syz-bisect
     2  
     3  `syz-bisect` program can be used to bisect culprit and fix commits for
     4  crashes found by syzkaller. It can also identify configuration options
     5  that are triggers for the crash.
     6  
     7  ## Usage
     8  
     9  Build `syz-bisect` with `make bisect`.
    10  
    11  During bisection different compilers depending on kernel revision are
    12  used. These compilers are available
    13  [here](https://storage.googleapis.com/syzkaller/bisect_bin.tar.gz).
    14  
    15  Install ccache to speed up kernel compilations during bisecton.
    16  
    17  Create user-space (chroot) using [create-image.sh](../tools/create-image.sh)
    18  
    19  Create a config file with following lines adjusted for your environment:
    20  
    21  ```
    22  {
    23  	"bin_dir": "/home/syzkaller/bisect_bin",
    24  	"ccache": "/usr/bin/ccache",
    25  	"kernel_repo": "git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git",
    26  	"kernel_branch": "master",
    27  	"syzkaller_repo": "https://github.com/google/syzkaller",
    28  	"userspace": "/home/syzkaller/image/chroot",
    29  	"kernel_config": "/home/syzkaller/go/src/github.com/google/syzkaller/dashboard/config/linux/upstream-apparmor-kasan.config",
    30  	"kernel_baseline_config": "/home/syzkaller/go/src/github.com/google/syzkaller/dashboard/config/linux/upstream-apparmor-kasan-base.config",
    31  	"syzctl": /home/syzkaller/go/src/github.com/google/syzkaller/dashboard/config/linux/upstream.sysctl,
    32  	"cmdline": /home/syzkaller/go/src/github.com/google/syzkaller/dashboard/config/linux/upstream.cmdline,
    33  	"manager":
    34  	{
    35  		"name" : "bisect",
    36  		"target": "linux/amd64",
    37  		"http": "127.0.0.1:56741",
    38  		"workdir": "/home/syzkaller/workdir",
    39  		"kernel_obj": "/home/syzkaller/linux",
    40  		"image": "/home/syzkaller/workdir/image/image",
    41  		"sshkey": "/home/syzkaller/workdir/image/key",
    42  		"syzkaller": "/home/syzkaller/go/src/github.com/google/syzkaller_bisect",
    43  		"procs": 8,
    44  		"type": "qemu",
    45  		"kernel_src": "/syzkaller/linux",
    46  		"vm": {
    47  		      "count": 4,
    48  		      "kernel": "/home/syzkaller/linux/arch/x86/boot/bzImage",
    49  		      "cpu": 2,
    50  		      "mem": 2048,
    51  		      "cmdline": "root=/dev/sda1 rw console=ttyS0 kaslr crashkernel=512M minnowboard_1:eth0::: security=none"
    52  		}
    53  	}
    54  }
    55  ```
    56  
    57  And run bisection with `bin/syz-bisect -config vm_bisect.cfg -crash
    58  /syzkaller/workdir/crashes/03ee30ae11dfd0ddd062af26566c34a8c853698d`.
    59  
    60  `Syz-bisect` is expecting finding repro.cprog or repro.prog in given
    61  crash directory. It will also utilize repro.opts, but it's not
    62  mandatory.
    63  
    64  ## Additional Arguments
    65  
    66  `-syzkaller_commit` use this if you want to use specific version of syzkaller
    67  
    68  `-kernel_commit` kernel commit where crash is known to reproduce. You
    69  want to use this when bisecting fixing commit
    70  
    71  `-fix` use this if you want to bisect a fixing commit.
    72  
    73  ## Output
    74  
    75  It takes some time, but after `syz-bisect` completes it dumps out it's
    76  results into console It also stores results into files in given crash
    77  directory:
    78  
    79  `cause.commit` commit identified causing the crash or text "the crash
    80  already happened on the oldest tested release"
    81  
    82  `fix.commit` commit identified fixing the crash or text "the crash
    83  still happens on HEAD"
    84  
    85  `cause.config` config options identified working as one trigger for the crash
    86  
    87  `original.config, baseline.config, minimized.config` config files used
    88  in config bisection