github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/syzbot_assets.md

## Reproduce a bug with syzbot's downloadable assets

As a part of every bug report, syzbot shares downloadable assets -- that is,
disk images and kernel binaries on which the bug was originally found.

This document serves as a guide on how to use those assets to reproduce such bugs
locally.

### A sample report

To be more specific, let's take this syzbot report: [[syzbot] [hfs?] kernel BUG
in hfsplus_bnode_put](https://lore.kernel.org/all/000000000000efee7905fe4c9a46@google.com/).

```
syzbot has found a reproducer for the following issue on:

HEAD commit: 40f71e7cd3c6 Merge tag 'net-6.4-rc7' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10482ae3280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ff8f87c7ab0e04e
dashboard link: https://syzkaller.appspot.com/bug?extid=005d2a9ecd9fbf525f6a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz
```

There are 4 linked assets:
* The bootable VM disk image on which the bug was found: `https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz`
  * **The image is suitable both for GCE and for qemu**.
* The `vmlinux` file that can be used e.g.
  for report symbolization or for `gdb`-based debugging: `https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz`
* The separate `bzImage` file (it is already included in the disk image): `https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz`
* The filesystem image that is mounted in the reproducer: `https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz`

All these links are also reachable from the web dashboard.

#### Run a C reproducer

Boot a VM:
```
$ wget 'https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz'
$ unxz disk-40f71e7c.raw.xz
$ qemu-system-x86_64 -m 2G -smp 2,sockets=2,cores=1 -drive file=./disk-40f71e7c.raw,format=raw -net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -enable-kvm -nographic -snapshot -machine pc-q35-7.1
```

Build and run the C reproducer:
```
$ wget -O 'repro.c' 'https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000'
$ gcc repro.c -lpthread -static -o repro
$ scp -P 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ./repro root@127.0.0.1:/root/
$ ssh -p 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 'chmod +x ./repro && ./repro'
```

Wait a minute and notice a crash report in qemu's serial output:

```
[ 91.956238][ T81] ------------[ cut here ]------------
[ 91.957508][ T81] kernel BUG at fs/hfsplus/bnode.c:618!
[ 91.958645][ T81] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 91.959861][ T81] CPU: 0 PID: 81 Comm: kworker/u5:3 Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
```

#### Run a syz reproducer directly

For some bugs, there's either no C reproducer or it's not reliable enough. In
that case, `syz` reproducers might be useful.

You'll need to [check out and build](/docs/linux/setup.md#go-and-syzkaller)
syzkaller first. The fastest way to do it is as follows (assuming Docker is
installed and configured on your machine):

```
$ git clone https://github.com/google/syzkaller.git
$ cd syzkaller
$ ./tools/syz-env make
```

Then boot a VM exactly like in the previous section.

Download and run the syz reproducer:

```
$ wget -O 'repro.syz' 'https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000'
$ scp -P 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ./bin/linux_amd64/* ./repro.syz root@127.0.0.1:/root/
$ ssh -p 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 './syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz'
```

After a while, you'll see the same bug report in the VM's serial output.

The commands above execute the `./syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz`
command inside the VM. For more details see [this document](/docs/executing_syzkaller_programs.md).

#### Use the `tools/syz-crush` tool

`syz-crush` automates the steps above: it sets up and boots a pool of VMs
and runs the given `C` or `syz` reproducer in them.

First, download the disk image and reproducers (see instructions above).

Then, go to the syzkaller checkout and build the `syz-crush` tool:
```
$ make crush
```

Prepare a config file (let it be `config.json`):

```
{
	"name": "test",
	"http": "0.0.0.0:0",
	"target": "linux/amd64",
	"image": "/tmp/disk-40f71e7c.raw",
	"syzkaller": "/tmp/syzkaller",
	"workdir": "/tmp/syzkaller/workdir",
	"type": "qemu",
	"procs": 6,
	"vm": {
		"count": 5,
		"cmdline": "root=/dev/sda1",
		"cpu": 2,
		"mem": 2048,
		"qemu_args": "-machine pc-q35-7.1 -enable-kvm"
	}
}
```

You need to replace `/tmp/syzkaller` with the location of your syzkaller
checkout and `/tmp/disk-40f71e7c.raw` with the location of the bootable disk
image.

Run the tool:
```
$ mkdir workdir
$ ./bin/syz-crush -config config.json repro.syz
```

### Problems

#### The bug doesn't reproduce

If the `C` reproducer did not work, try to run the `syz` reproducer.

If there's still no success, it might be that relatively rare case when the
execution environment becomes important. Syzbot fuzzes kernels on GCE VMs, which
might have a different instruction set / execution speed than locally run qemu
VMs. These differences might be critical for the generated reproducer.

There's unfortunately no universal solution.

Note that you can always ask syzbot to
[apply your git patch and re-run the reproducer](/docs/syzbot.md#testing-patches).
It will be run in the same GCE environment where the bug was originally found.

See also [this document](/docs/syzbot.md#crash-does-not-reproduce).

#### Assets are not downloadable

The downloadable assets are not stored infinitely. Syzbot keeps them until the
bug is fixed or marked as invalid + 30 days after that.

So if you cannot download the assets using the links from the email, this might
be a sign that the bug is actually no longer worth looking at.

#### Qemu doesn't boot

A [recent qemu problem](https://lore.kernel.org/qemu-devel/da39abab9785aea2a2e7652ed6403b6268aeb31f.camel@linux.ibm.com/)
may prevent it from booting large kernel images. Add `-machine pc-q35-7.1` to
the qemu args to make it work.
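The "Run a C reproducer" and "Run a syz reproducer directly" procedures above, put together as one host-side script. This is an added example, not code from the syzkaller project: it keeps the doc's qemu and ssh arguments unchanged and assumes the same host tools (wget, unxz, gunzip, gcc, qemu-system-x86_64, ssh and scp) plus, for `syz` mode, a built syzkaller checkout as the current directory so that `./bin/linux_amd64/*` exists. The report fields and serial-console lines embedded in it are copied from the sample report above so that the URL parsing and crash detection can be exercised without network access; the function names (`report_url`, `fetch_asset`, `first_crash_line`, `wait_for_crash`, `reproduce_from_report`) are chosen here and are not part of any syzkaller tool.

```shell
#!/bin/sh
# Added example (not from the syzkaller docs): reproduce a syzbot bug locally by
# fetching its assets, booting the disk image in qemu with the doc's arguments,
# running the C or syz reproducer over ssh and watching the serial log for a crash.

# Fields taken from the sample report above, so parsing can run offline.
SAMPLE_REPORT=$(cat <<'EOF'
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz
EOF
)
# Serial-console lines from the crash shown above (constructed copy for testing).
SAMPLE_SERIAL=$(cat <<'EOF'
[ 91.956238][ T81] ------------[ cut here ]------------
[ 91.957508][ T81] kernel BUG at fs/hfsplus/bnode.c:618!
[ 91.958645][ T81] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
EOF
)
SSH_OPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes"

# Print the URL that follows a report label such as "disk image" or "C reproducer".
report_url() {  # usage: report_url "$report_text" "label"
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*\(http[s]*:[^[:space:]]*\).*/\1/p" | head -n 1
}

# Local file name an asset has once its .xz / .gz wrapper is removed.
unpacked_name() {
    name=$(basename "$1")
    case "$name" in
        *.xz) printf '%s\n' "${name%.xz}" ;;
        *.gz) printf '%s\n' "${name%.gz}" ;;
        *)    printf '%s\n' "$name" ;;
    esac
}

# Download an asset into the current directory, decompress it, print the local name.
fetch_asset() {
    name=$(basename "$1")
    wget -q -O "$name" "$1"
    case "$name" in
        *.xz) unxz -f "$name" ;;
        *.gz) gunzip -f "$name" ;;
    esac
    unpacked_name "$1"
}

# Print the first crash header in a serial log; return non-zero when there is none.
first_crash_line() {
    line=$(grep -E 'kernel BUG at |BUG: KASAN: |general protection fault|WARNING: ' "$1" | head -n 1)
    [ -n "$line" ] && printf '%s\n' "$line"
}

# Poll a serial log for up to $2 seconds; return 0 as soon as a crash header appears.
wait_for_crash() {
    deadline=$(( $(date +%s) + $2 ))
    while :; do
        if first_crash_line "$1" >/dev/null; then return 0; fi
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 5
    done
}

# Whole flow for a report saved in file $1 with the "c" (default) or "syz" reproducer.
reproduce_from_report() {
    report=$(cat "$1")
    disk=$(fetch_asset "$(report_url "$report" "disk image")")
    case "${2:-c}" in
        syz) wget -q -O repro.syz "$(report_url "$report" "syz repro")"
             payload='./bin/linux_amd64/* ./repro.syz'
             cmd='./syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz' ;;
        *)   wget -q -O repro.c "$(report_url "$report" "C reproducer")"
             gcc repro.c -lpthread -static -o repro
             payload='./repro'
             cmd='chmod +x ./repro && ./repro' ;;
    esac
    # Same qemu command as the doc; with -nographic the serial console is stdout.
    qemu-system-x86_64 -m 2G -smp 2,sockets=2,cores=1 -drive "file=./$disk,format=raw" \
        -net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 \
        -enable-kvm -nographic -snapshot -machine pc-q35-7.1 </dev/null >serial.log 2>&1 &
    qemu_pid=$!
    i=0; until ssh $SSH_OPTS -p 10022 root@127.0.0.1 true 2>/dev/null; do  # wait for sshd
        i=$((i + 1)); [ "$i" -lt 60 ] || { kill "$qemu_pid"; return 1; }; sleep 5
    done
    scp $SSH_OPTS -P 10022 $payload root@127.0.0.1:/root/  # unquoted so the glob expands
    ssh $SSH_OPTS -p 10022 root@127.0.0.1 "$cmd" &
    if wait_for_crash serial.log 300; then first_crash_line serial.log; status=0
    else echo "no crash within 5 minutes; try the other reproducer kind" >&2; status=1; fi
    kill "$qemu_pid"
    return "$status"
}

# Only act when a report file is given: sh repro.sh report.txt [c|syz]
if [ -n "${1:-}" ]; then reproduce_from_report "$@"; fi
```

Save the report email body to a file and run `sh repro.sh report.txt` (or `sh repro.sh report.txt syz` from the syzkaller checkout); the script exits non-zero when nothing crashed within five minutes, which is the point at which the "bug doesn't reproduce" section above applies. Two properties of the doc's qemu command line, which the script keeps, are worth knowing: `-snapshot` discards every write to the disk image when qemu exits, so the downloaded image stays pristine across runs, and `hostfwd=tcp::10022-:22` with an empty host address listens on all host interfaces; `hostfwd=tcp:127.0.0.1:10022-:22` restricts the forwarded guest sshd to loopback.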