github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/netbsd/README.md

# NetBSD

Instructions to set up syzkaller with a Linux host and a NetBSD guest.

## Preparing the NetBSD sources

1. Get the NetBSD kernel source (preferably HEAD).
   ```sh
   host$ mkdir $HOME/netbsd
   host$ cd $HOME/netbsd
   host$ git clone https://github.com/NetBSD/src.git
   ```

2. Build the tools. The toolchain will end up in `$HOME/netbsd/tools`.
   ```sh
   host$ cd src
   host$ ./build.sh -j4 -m amd64 -U -T ../tools tools
   ```

3. Build the distribution. This might take a while.
   ```sh
   host$ ./build.sh -j4 -m amd64 -U -T ../tools -D ../dest distribution
   ```

At this point you should have a NetBSD distribution in `$HOME/netbsd/dest`.

## Installing and building syzkaller on the Linux host

1. Install all the dependencies for syzkaller.

2. Clone the syzkaller repository.
   ```sh
   host$ git clone https://github.com/google/syzkaller
   host$ cd syzkaller
   ```

3. Compile syzkaller for NetBSD.
   ```sh
   host$ make TARGETOS=netbsd SOURCEDIR=$HOME/netbsd
   ```

The above steps build the syzkaller binaries for NetBSD; you will find them in `bin/netbsd_amd64`.

## Setting up a NetBSD VM with qemu

You can use the script given [here](https://github.com/R3x/netbsd-fuzzing-aids/blob/master/install_netbsd.sh) to create a disk image with NetBSD installed.
The script also generates an ssh key for logging into the VM.

Alternatively, you can follow the tutorial given [here](https://wiki.qemu.org/Hosts/BSD#NetBSD) to
set up a basic NetBSD VM with qemu.

After installing and running the NetBSD VM on qemu, follow the steps below to
configure ssh.

1. Create an ssh key pair on the host and save it as `netbsdkey`.
   ```sh
   host$ ssh-keygen -f netbsdkey -t rsa -N ""
   ```

2. Make sure user-mode networking (NAT) with a port forward is enabled on the qemu command line. Typically, to
   forward the host port `10022` to the guest port `22`:
   ```sh
   host$ qemu-system-x86_64 ... -netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:10022-:22 -device e1000,netdev=mynet0
   ```

3. Append the following lines to `/etc/rc.conf` on the guest. You can use the `vi` editor to do that.
   ```
   sshd=YES
   dhcpcd=YES
   ifconfig_wm0="inet 10.0.2.15 netmask 255.255.255.0"
   ```

4. Append this to `/etc/ssh/sshd_config` on the guest.
   ```
   Port 22
   ListenAddress 10.0.2.15
   PermitRootLogin yes
   PermitRootLogin without-password
   ```
   Note that sshd uses the first value it finds for a keyword, so with the two `PermitRootLogin` lines in this order root can still log in with a password. Keep the port forward bound to `127.0.0.1` as above, or drop the `yes` line once key-based login works.

5. Now you should be able to ssh into the NetBSD VM.
   ```sh
   host$ ssh -p 10022 root@127.0.0.1
   ```

6. Copy your public key into `/root/.ssh/authorized_keys` on the guest
   and `reboot` the VM.

7. After the reboot, make sure that ssh is working properly. Replace the port with what
   you have configured.
   ```sh
   host$ ssh -i path/to/netbsdkey -p 10022 root@127.0.0.1
   ```

If the last command gives you a shell, the VM is configured.

## Compiling a NetBSD kernel (Optional)

You can compile a kernel with KASAN to increase the chances of finding bugs.

1. Make a copy of the config file.
   ```sh
   host$ cd $HOME/netbsd/src
   host$ cp sys/arch/amd64/conf/GENERIC sys/arch/amd64/conf/SYZKALLER
   ```

2. Uncomment the following lines in `sys/arch/amd64/conf/SYZKALLER` to enable KASAN.
   ```
   #makeoptions KASAN=1 # Kernel Address Sanitizer
   #options KASAN
   #no options SVS
   ```

3. Compile the kernel with KASAN (assuming you have followed the initial steps to
   build the tools).
   ```sh
   host$ cd $HOME/netbsd/src
   host$ ./build.sh -m amd64 -U -T ../tools -j4 kernel=SYZKALLER
   ```

4. At this point you should have the newly compiled kernel image in
   `$HOME/netbsd/src/sys/arch/amd64/compile/SYZKALLER`, named
   `netbsd`. Copy it to the installed VM and reboot the VM.

## Running syzkaller

1. If all of the above worked, `poweroff` the VM and create the `netbsd.cfg` config
   file on the host with the following contents (alter paths as necessary):
   ```
   {
   	"name": "netbsd",
   	"target": "netbsd/amd64",
   	"http": ":10000",
   	"workdir": "work",
   	"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
   	"image": "path/to/netbsd.img",
   	"sshkey": "/path/to/netbsdkey",
   	"sandbox": "none",
   	"procs": 2,
   	"cover": false,
   	"type": "qemu",
   	"vm": {
   		"qemu": "qemu-system-x86_64",
   		"count": 2,
   		"cpu": 2,
   		"mem": 2048
   	}
   }
   ```
   The paths above must point to the exact locations. The ssh keys must live in a separate
   directory with mode 700 (chmod 700), and the key files must have mode 600 (chmod 600),
   on both the guest and the host.

2. Then, inside the syzkaller folder where the `netbsd.cfg` file also exists, start `syz-manager` with:
   ```sh
   host$ bin/syz-manager -config netbsd.cfg
   ```
   You can add a `-debug` flag to the above command to view the log if any issues arise.

3. Once syzkaller has started executing, it should print output along the lines of:
   ```
   booting test machines...
   wait for the connection from test machine...
   machine check: 253 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
   executed 3622, cover 1219, crashes 0, repro 0
   executed 7921, cover 1239, crashes 0, repro 0
   executed 32807, cover 1244, crashes 0, repro 0
   executed 35803, cover 1248, crashes 0, repro 0
   ```

## syzbot

[syzbot](/docs/syzbot.md) tests NetBSD and reports bugs to the
[syzkaller-netbsd-bugs](https://groups.google.com/forum/#!forum/syzkaller-netbsd-bugs) mailing list
(also visible on the [dashboard](https://syzkaller.appspot.com/netbsd)).

The image `syzbot` uses can be downloaded [here](https://storage.googleapis.com/syzkaller/netbsd-image.tar.gz) (266MB, includes root ssh key). The image was built using this [script](https://github.com/R3x/netbsd-fuzzing-aids/blob/master/install_netbsd.sh).

The image can be used with qemu as follows:
```
qemu-system-x86_64 -m 1024 -smp 2 -nographic -enable-kvm \
	-netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:10022-:22 \
	-device e1000,netdev=mynet0 -hda netbsd-image.raw
```

And then you can ssh/scp into the VM using:
```
ssh -i netbsd-image.key -p 10022 -o IdentitiesOnly=yes root@localhost
scp -i netbsd-image.key -P 10022 -o IdentitiesOnly=yes FILE root@localhost:/root/
```

Note: the image contains a stock kernel, so if you are reproducing a bug
you most likely want to update the kernel first:
```
scp -i netbsd-image.key -P 10022 -o IdentitiesOnly=yes \
	src/sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/netbsd root@localhost:/netbsd
ssh -i netbsd-image.key -p 10022 -o IdentitiesOnly=yes root@localhost /sbin/reboot
```

## Missing things

- Automating the configuration changes (like appending to config files), generating the json config file on the fly (with customizable values for the keys via command line parameters) and calling syz-manager with `anita` using just a single command.
- System call descriptions. `sys/netbsd/*.txt` is a dirty copy of `sys/linux/*.txt` with everything that does not compile dropped. We need to go through the syscalls and verify/fix/extend them, including devices/ioctls/etc.
- Currently only the `amd64` arch is supported. Supporting `386` would be useful, because it should cover compat paths. We could also test the linux-compatibility subsystem.
- `pkg/host` needs to be taught how to detect supported syscalls/devices.
- On Linux we emit external networking/USB traffic into the kernel using tun/gadgetfs. Implementing these for NetBSD could uncover a number of high-profile bugs.
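The key-permission rule from the `netbsd.cfg` step of "Running syzkaller" and the on-the-fly config generation listed under "Missing things", as an added POSIX sh example that is not part of the syzkaller repository: `check_sshkey_perms` refuses a key whose directory is not mode 700 or whose files are not mode 600, and `gen_netbsd_cfg` prints a `netbsd.cfg` with the image, key and syzkaller paths filled in. Both function names are this example's own.

```shell
# Added example, not from the syzkaller repository: enforce the ssh key
# layout syz-manager expects (dir 0700, key files 0600) and emit netbsd.cfg.
# Returns 0 when the directory holding KEYFILE is mode 0700 and KEYFILE
# (plus KEYFILE.pub if present) is mode 0600; reports each violation.
check_sshkey_perms() {
    keyfile="$1"
    keydir=$(dirname "$keyfile")
    bad=0
    # find -prune -perm MODE prints the path only on an exact mode match (POSIX).
    if [ -z "$(find "$keydir" -prune -perm 700)" ]; then
        echo "$keydir: key directory must be chmod 700" >&2
        bad=1
    fi
    for f in "$keyfile" "$keyfile.pub"; do
        [ -e "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm 600)" ]; then
            echo "$f: key file must be chmod 600" >&2
            bad=1
        fi
    done
    return $bad
}

# Prints a netbsd.cfg with the layout documented above; IMAGE, SSHKEY and
# SYZDIR come from the arguments, everything else keeps the documented values.
gen_netbsd_cfg() {
    image="$1"; sshkey="$2"; syzdir="$3"
    cat <<EOF
{
	"name": "netbsd",
	"target": "netbsd/amd64",
	"http": ":10000",
	"workdir": "work",
	"syzkaller": "$syzdir",
	"image": "$image",
	"sshkey": "$sshkey",
	"sandbox": "none",
	"procs": 2,
	"cover": false,
	"type": "qemu",
	"vm": {
		"qemu": "qemu-system-x86_64",
		"count": 2,
		"cpu": 2,
		"mem": 2048
	}
}
EOF
}
```

Typical use: `check_sshkey_perms keys/netbsdkey && gen_netbsd_cfg /vm/netbsd.img "$PWD/keys/netbsdkey" "$PWD" > netbsd.cfg` before starting `syz-manager`.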