github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/docs/linux/setup_linux-host_android-virtual-device_x86-64-kernel.md

github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/docs/linux/setup_linux-host_android-virtual-device_x86-64-kernel.md (about)

     1  # Setup: Linux host, Android virtual device, x86-64 kernel
     2  
     3  This document details the steps involved in setting up a syzkaller instance fuzzing an `x86-64` linux kernel on an Android virtual device.
     4  
     5  In the instructions below, the `$VAR` notation (e.g. `$GSI`, `$GKI`, etc.) is used to denote paths to directories that are either created when executing the instructions, or that you have to create yourself before running the instructions. Substitute the values for those variables manually.
     6  
     7  Note:
     8  - All commands below assume root privileges.
     9  - It is recommended to have at least 64 GB of RAM and 500 GB of free disk space.
    10  
    11  ## Install prerequisites
    12  
    13  Command:
    14  ``` bash
    15  apt update
    16  apt install sudo git wget curl repo libncurses5 vim gcc make bison bc zip rsync language-pack-en-base
    17  ```
    18  
    19  ## Cuttlefish
    20  
    21  It is recommended to use [Cuttlefish](https://github.com/google/android-cuttlefish) to emulate Android devices. Build and install it from source (v1.16.0 as an example):
    22  
    23  Command:
    24  ``` bash
    25  apt install git devscripts equivs config-package-dev debhelper-compat golang curl
    26  git clone -b v1.16.0 https://github.com/google/android-cuttlefish
    27  cd android-cuttlefish
    28  tools/buildutils/build_packages.sh
    29  dpkg -i ./cuttlefish-base_*_*64.deb || sudo apt-get install -y -f
    30  dpkg -i ./cuttlefish-user_*_*64.deb || sudo apt-get install -y -f
    31  usermod -aG kvm,cvdnetwork,render root
    32  reboot
    33  ```
    34  
    35  ## Generic System Images (GSI)
    36  
    37  ### Checkout GSI source
    38  
    39  The GSI source checkout is close to 90 GB, and the build can take up about 300 GB of disk space.
    40  
    41  Command:
    42  ``` bash
    43  mkdir android13-gsi
    44  cd android13-gsi
    45  repo init -u https://android.googlesource.com/platform/manifest -b android13-gsi
    46  repo sync -c
    47  ```
    48  
    49  ### Build GSI
    50  
    51  Refresh the build environment and select the build target:
    52  
    53  Command:
    54  ``` bash
    55  source build/envsetup.sh
    56  lunch aosp_cf_x86_64_phone-userdebug
    57  ```
    58  
    59  The output should be as follows (may vary depending on the host):
    60  
    61  ``` text
    62  ============================================
    63  PLATFORM_VERSION_CODENAME=REL
    64  PLATFORM_VERSION=13
    65  TARGET_PRODUCT=aosp_cf_x86_64_phone
    66  TARGET_BUILD_VARIANT=userdebug
    67  TARGET_BUILD_TYPE=release
    68  TARGET_ARCH=x86_64
    69  TARGET_ARCH_VARIANT=silvermont
    70  TARGET_2ND_ARCH=x86
    71  TARGET_2ND_ARCH_VARIANT=silvermont
    72  HOST_ARCH=x86_64
    73  HOST_2ND_ARCH=x86
    74  HOST_OS=linux
    75  HOST_OS_EXTRA=Linux-6.8.0-65-generic-x86_64-Ubuntu-22.04.4-LTS
    76  HOST_CROSS_OS=windows
    77  HOST_CROSS_ARCH=x86
    78  HOST_CROSS_2ND_ARCH=x86_64
    79  HOST_BUILD_TYPE=release
    80  BUILD_ID=TP1A.220624.019
    81  OUT_DIR=out
    82  PRODUCT_SOONG_NAMESPACES=device/generic/goldfish-opengl device/generic/goldfish device/generic/goldfish-opengl hardware/google/camera hardware/google/camera/devices/EmulatedCamera device/google/cuttlefish/apex/com.google.cf.wifi_hwsim external/mesa3d vendor/google_devices/common/proprietary/confirmatioui_hal
    83  ============================================
    84  ```
    85  
    86  Start building:
    87  
    88  Command:
    89  ``` bash
    90  m
    91  ```
    92  
    93  You can test your setup by launching the virtual device:
    94  
    95  Command:
    96  ```bash
    97  launch_cvd
    98  ```
    99  
   100  Open [http://localhost:8443](http://localhost:8443) in your browser, you should see a virtual device. Click `Connect` to interact with it as you would with a real phone. Press `Ctrl-C` in the terminal to stop the simulator.
   101  
   102  ## Kernel
   103  
   104  ### Checkout Android Generic Kernel Image (GKI) source
   105  
   106  Command:
   107  ``` bash
   108  mkdir common-android13-5.15
   109  cd common-android13-5.15
   110  repo init -u https://android.googlesource.com/kernel/manifest -b common-android13-5.15
   111  repo sync -c
   112  ```
   113  
   114  ### Build GKI
   115  
   116  We need to build the Android Kernel with KASAN and KCOV so that syzkaller can get coverage and bug information during fuzzing.
   117  
   118  Command:
   119  ``` bash
   120  BUILD_CONFIG=common/build.config.gki_kasan.x86_64 build/build.sh
   121  ```
   122  
   123  Build vendor modules with KASAN and KCOV:
   124  
   125  Command:
   126  ``` bash
   127  BUILD_CONFIG=common-modules/virtual-device/build.config.virtual_device_kasan.x86_64 build/build.sh
   128  ```
   129  
   130  ## syzkaller
   131  
   132  ### Build syzkaller
   133  
   134  Build syzkaller as described [here](/docs/linux/setup.md#go-and-syzkaller).
   135  Then create a manager config like the following, replacing the environment
   136  variables `$GOPATH` and `$GKI` with their actual values.
   137  
   138  ``` json
   139  {
   140  	"target": "linux/amd64",
   141  	"http": "127.0.0.1:56741",
   142  	"workdir": "$GOPATH/src/github.com/google/syzkaller/workdir/android/out",
   143  	"kernel_obj": "$GKI/out/android13-5.15/dist",
   144  	"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
   145  	"cover": true,
   146  	"type": "adb",
   147  	"vm": {
   148  		"devices": ["0.0.0.0:6520"],
   149  		"battery_check": true
   150  	}
   151  }
   152  ```
   153  
   154  ### Launch the virtual device
   155  
   156  Launch the Android system with the KASAN and KCOV kernel.
   157  
   158  Command:
   159  ``` bash
   160  cd $GSI
   161  source build/envsetup.sh
   162  lunch aosp_cf_x86_64_phone-userdebug
   163  launch_cvd -daemon -kernel_path=$GKI/out/android13-5.15/dist/bzImage -initramfs_path=$GKI/out/android13-5.15/dist/initramfs.img
   164  ```
   165  
   166  Connect to the virtual device with adb:
   167  
   168  Command:
   169  ``` bash
   170  adb connect 0.0.0.0:6520
   171  ```
   172  
   173  List available virtual devices:
   174  
   175  Command:
   176  ``` bash
   177  adb devices
   178  ```
   179  
   180  ### Run syzkaller
   181  
   182  Run syzkaller manager:
   183  
   184  Command:
   185  ```bash
   186  cd $GOPATH/src/github.com/google/syzkaller
   187  ./bin/syz-manager -config=android.cfg
   188  ```
   189  
   190  Now syzkaller should be running, you can check manager status with your web browser at `127.0.0.1:56741`.
   191  
   192  If you get issues after `syz-manager` starts, consider running it with the `-debug` flag.
   193  
   194  Here are some useful links:
   195  
   196  - [github - google/android-cuttlefish](https://github.com/google/android-cuttlefish)
   197  - [AOSP - Cuttlefish virtual Android devices](https://source.android.com/docs/devices/cuttlefish)
   198  - [AOSP - Cuttlefish: Get started](https://source.android.com/docs/devices/cuttlefish/get-started)
   199  - [AOSP - Download the Android source](https://source.android.com/docs/setup/download)
   200  - [AOSP - Build Android](https://source.android.com/docs/setup/build/building)
   201  - [AOSP - Generic system images](https://source.android.com/docs/core/tests/vts/gsi#building-gsis)
   202  - [AOSP - Architecture overview](https://source.android.com/docs/core/architecture)
   203  - [AOSP - Build kernels](https://source.android.com/docs/setup/build/building-kernels)
   204  - [AOSP - Kernel branches and their build systems](https://source.android.com/docs/setup/reference/bazel-support)