github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/executing_syzkaller_programs.md

github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/executing_syzkaller_programs.md (about)

     1  # Executing syzkaller programs
     2  
     3  This page describes how to execute existing syzkaller programs for the purpose
     4  of bug reproduction. This way you can replay a single program or a whole
     5  execution log with several programs.
     6  
     7  1. Setup Go toolchain (if you don't yet have it, you need version 1.16 or higher):
     8  Download latest Go distribution from (https://golang.org/dl/). Unpack it to `$HOME/goroot`.
     9  ``` bash
    10  export GOROOT=$HOME/goroot
    11  export GOPATH=$HOME/gopath
    12  ```
    13  
    14  2. Download syzkaller sources:
    15  ``` bash
    16  git clone https://github.com/google/syzkaller
    17  ```
    18  
    19  Note that your syzkaller revision must be the same as the one that generated the
    20  program you're trying to execute.
    21  
    22  3. Build necessary syzkaller binaries:
    23  ``` bash
    24  cd syzkaller
    25  make
    26  ```
    27  
    28  4. Copy binaries and the program to test machine (substitute target `linux_amd64`
    29  as necessary):
    30  ``` bash
    31  scp -P 10022 -i bullseye.img.key bin/linux_amd64/syz-execprog bin/linux_amd64/syz-executor program root@localhost:
    32  ```
    33  
    34  5. Run the program on the test machine:
    35  ``` bash
    36  ./syz-execprog -repeat=0 -procs=8 program
    37  ```
    38  
    39  Several useful `syz-execprog` flags:
    40  ```
    41    -procs int
    42      	number of parallel processes to execute programs (default 1)
    43    -repeat int
    44      	repeat execution that many times (0 for infinite loop) (default 1)
    45    -sandbox string
    46      	sandbox for fuzzing (none/setuid/namespace) (default "setuid")
    47    -threaded
    48      	use threaded mode in executor (default true)
    49  ```
    50  
    51  If you pass `-threaded=0`, programs will be executed as a simple single-threaded
    52  sequence of syscalls. `-threaded=1` forces execution of each syscall in a
    53  separate thread, so that execution can proceed over blocking syscalls.
    54  
    55  Older syzkaller versions also had the following flag:
    56  ```
    57    -collide
    58      	collide syscalls to provoke data races (default true)
    59  ```
    60  `-collide=1` forced second round of execution of syscalls when pairs of syscalls
    61  are executed concurrently. You might need to use this flag if you're running an
    62  old reproducer.
    63  
    64  
    65  If you are replaying a reproducer program that contains a header along the
    66  following lines:
    67  ```
    68  # {Threaded:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
    69  ```
    70  then you need to adjust `syz-execprog` flags based on the values in the
    71  header. Namely, `Threaded`/`Procs`/`Sandbox` directly relate to
    72  `-threaded`/`-procs`/`-sandbox` flags. If `Repeat` is set to `true`, add
    73  `-repeat=0` flag to `syz-execprog`.