github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/docs/syzbot_assets.md

## Reproduce a bug with syzbot's downloadable assets

As a part of every bug report, syzbot shares downloadable assets -- that is,
disk images and kernel binaries on which the bug was originally found.

This document serves as a guide on how to use those assets to reproduce such bugs
locally.

### A sample report

As a concrete example, take this syzbot report: [[syzbot] [hfs?] kernel BUG
in hfsplus_bnode_put](https://lore.kernel.org/all/000000000000efee7905fe4c9a46@google.com/).

```
syzbot has found a reproducer for the following issue on:

HEAD commit: 40f71e7cd3c6 Merge tag 'net-6.4-rc7' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10482ae3280000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ff8f87c7ab0e04e
dashboard link: https://syzkaller.appspot.com/bug?extid=005d2a9ecd9fbf525f6a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz
```

There are four linked assets:
* The bootable VM disk image on which the bug was found: `https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz`
  * **The image is suitable both for GCE and for qemu**.
* The `vmlinux` file that can be used e.g.
for report symbolization or for `gdb`-based debugging: `https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz`
* The separate `bzImage` file (it is already included in the disk image): `https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz`
* The filesystem image that is mounted in the reproducer: `https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz`

All these links are also reachable from the web dashboard.

#### Run a C reproducer

Boot a VM:
```
$ wget 'https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz'
$ unxz disk-40f71e7c.raw.xz
$ qemu-system-x86_64 -m 2G -smp 2,sockets=2,cores=1 -drive file=./disk-40f71e7c.raw,format=raw -net nic,model=e1000 -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -enable-kvm -nographic -snapshot -machine pc-q35-7.1
```

Build and run the C reproducer:
```
$ wget -O 'repro.c' 'https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000'
$ gcc repro.c -lpthread -static -o repro
$ scp -P 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ./repro root@127.0.0.1:/root/
$ ssh -p 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 'chmod +x ./repro && ./repro'
```

After about a minute, a crash report shows up in qemu's serial output:

```
[ 91.956238][ T81] ------------[ cut here ]------------
[ 91.957508][ T81] kernel BUG at fs/hfsplus/bnode.c:618!
[ 91.958645][ T81] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 91.959861][ T81] CPU: 0 PID: 81 Comm: kworker/u5:3 Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
```

#### Run a syz reproducer directly

For some bugs, there's either no C reproducer or it's not reliable enough. In
that case, `syz` reproducers might be useful.
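Before spending time on a VM, it is worth checking that the links in a report belong together: syzbot names the disk image, `vmlinux` and `bzImage` after the short HEAD commit hash, so a report whose asset names do not match its `HEAD commit` line has been mixed up (for instance, links copied from a different mail). The following Python is an added example written for this guide, not syzkaller's own code; it parses the `label: value` lines of the report quoted in this document, checks that consistency, picks the right decompressor per asset, and emits the fetch/build/copy/run steps of the C and `syz` reproducer sections as argv lists without running anything. The function names are this example's own.

```python
"""Parse a syzbot report's asset/reproducer links and sanity-check them.
Added example for this guide, not syzkaller code; function names are its own."""
import re
import shlex
from pathlib import PurePosixPath
from urllib.parse import urlparse

# The relevant lines of the sample report quoted in this document.
SAMPLE_REPORT = """\
syzbot has found a reproducer for the following issue on:

HEAD commit: 40f71e7cd3c6 Merge tag 'net-6.4-rc7' of git://git.kernel.o..
git tree: upstream
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd185b280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/073eea957569/disk-40f71e7c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c8a97aaa4cdc/vmlinux-40f71e7c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f536015eacbd/bzImage-40f71e7c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b5f1764cd64d/mount_0.gz
"""

ASSET_LABELS = ("disk image", "vmlinux", "kernel image", "mounted in repro")
REPRO_LABELS = ("syz repro", "C reproducer")
# "label: value"; labels may contain spaces or '+' (e.g. "console+strace").
_FIELD = re.compile(r"^([A-Za-z][A-Za-z +]*?):\s+(\S.*)$")
SSH_OPTS = ["-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no",
            "-o", "IdentitiesOnly=yes"]


def parse_syzbot_report(text):
    """Return {"head_commit": str|None, "assets": {label: url}, "repros": {label: url}}."""
    out = {"head_commit": None, "assets": {}, "repros": {}}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue  # headings such as "Downloadable assets:" carry no value
        label, value = m.group(1), m.group(2).strip()
        if label == "HEAD commit":
            out["head_commit"] = value.split()[0]  # hash precedes the subject line
        elif label in ASSET_LABELS:
            out["assets"][label] = value
        elif label in REPRO_LABELS:
            out["repros"][label] = value
    return out


def asset_filename(url):
    """Name `wget <url>` saves the asset under: the URL's last path component."""
    return PurePosixPath(urlparse(url).path).name


def decompress_cmd(filename):
    """argv that unpacks a downloaded asset in place, chosen by its extension."""
    if filename.endswith(".xz"):
        return ["unxz", filename]
    if filename.endswith(".gz"):
        return ["gunzip", filename]
    raise ValueError(f"no known compression suffix on {filename}")


def assets_match_commit(report):
    """True if disk image, vmlinux and kernel image all carry the HEAD commit prefix
    (disk-40f71e7c.raw.xz for HEAD commit 40f71e7cd3c6)."""
    head = report["head_commit"]
    if not head:
        return False
    for label in ("disk image", "vmlinux", "kernel image"):
        url = report["assets"].get(label)
        if not url:
            return False
        m = re.search(r"-([0-9a-f]{8,})\.", asset_filename(url))
        if not m or not head.startswith(m.group(1)):
            return False
    return True


def repro_cmds(report, kind="c", port=10022):
    """The steps of this guide as argv lists (nothing is executed); kind is "c" or
    "syz". Assumes the VM forwards host port `port` to sshd as in the qemu line."""
    scp = ["scp", "-P", str(port), *SSH_OPTS]
    ssh = ["ssh", "-p", str(port), *SSH_OPTS, "root@127.0.0.1"]
    if kind == "c":
        return [
            ["wget", "-O", "repro.c", report["repros"]["C reproducer"]],
            ["gcc", "repro.c", "-lpthread", "-static", "-o", "repro"],
            scp + ["./repro", "root@127.0.0.1:/root/"],
            ssh + ["chmod +x ./repro && ./repro"],
        ]
    if kind == "syz":
        return [  # the '*' glob is expanded by the shell the command is typed into
            ["wget", "-O", "repro.syz", report["repros"]["syz repro"]],
            scp + ["./bin/linux_amd64/*", "./repro.syz", "root@127.0.0.1:/root/"],
            ssh + ["./syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz"],
        ]
    raise ValueError(f"unknown reproducer kind {kind!r}")


if __name__ == "__main__":
    report = parse_syzbot_report(SAMPLE_REPORT)
    print("assets match HEAD commit:", assets_match_commit(report))
    for url in report["assets"].values():
        print(shlex.join(["wget", url]), "&&", shlex.join(decompress_cmd(asset_filename(url))))
    for cmd in repro_cmds(report, "c"):
        print(shlex.join(cmd))
```

Running the script prints the download and unpack commands for all four assets followed by the C reproducer steps; pass `"syz"` to `repro_cmds` for the `syz-execprog` variant. The commands are kept as argv lists rather than shell strings so they can be fed to `subprocess.run` without quoting mistakes.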
You'll need to [check out and build](/docs/linux/setup.md#go-and-syzkaller)
syzkaller first. The fastest way to do it is as follows (assuming Docker is
installed and configured on your machine):

```
$ git clone https://github.com/google/syzkaller.git
$ cd syzkaller
$ ./tools/syz-env make
```

Then boot a VM exactly like in the previous section.

Download and run the syz reproducer:

```
$ wget -O 'repro.syz' 'https://syzkaller.appspot.com/x/repro.syz?x=142e7287280000'
$ scp -P 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ./bin/linux_amd64/* ./repro.syz root@127.0.0.1:/root/
$ ssh -p 10022 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 './syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz'
```

After a while, the same bug report appears in the VM's serial output.

The commands above execute the `./syz-execprog -enable=all -repeat=0 -procs=6 ./repro.syz`
command inside the VM. More details can be found in [this document](/docs/reproducing_crashes.md).

#### Use the `tools/syz-crush` tool

`syz-crush` automates the steps above: it sets up and boots a pool of VMs
and runs the given `C` or `syz` reproducer in them.

First, download the disk image and reproducers (see instructions above).
Then, go to the syzkaller checkout and build the `syz-crush` tool:
```
$ make crush
```

Prepare a config file (let it be `config.json`):

```
{
	"name": "test",
	"http": "0.0.0.0:0",
	"target": "linux/amd64",
	"image": "/tmp/disk-40f71e7c.raw",
	"syzkaller": "/tmp/syzkaller",
	"workdir": "/tmp/syzkaller/workdir",
	"type": "qemu",
	"procs": 6,
	"vm": {
		"count": 5,
		"cmdline": "root=/dev/sda1",
		"cpu": 2,
		"mem": 2048,
		"qemu_args": "-machine pc-q35-7.1 -enable-kvm"
	}
}
```

You need to replace `/tmp/syzkaller` with the location of your syzkaller
checkout and `/tmp/disk-40f71e7c.raw` with the location of the bootable disk
image.

Run the tool:
```
$ mkdir workdir
$ ./bin/syz-crush -config config.json repro.syz
```

#### Reproducing ARM64 bugs

If the bug was found on an ARM64 instance (e.g. the manager name is
`ci-upstream-gce-arm64`), you may use the following qemu command as a reference:

```
$ qemu-system-aarch64 -machine virt -cpu cortex-a57 -smp 4 -m 4G -nographic -drive file=disk.raw,if=none,format=raw,id=hd0 -device virtio-blk-device,drive=hd0 -kernel Image -net user,hostfwd=tcp::10023-:22 -net nic -append "root=/dev/vda2" -accel tcg,thread=multi
```

### Problems

#### The bug doesn't reproduce

If the `C` reproducer did not work, try to run the `syz` reproducer.

If there's still no success, it may be one of the relatively rare cases where the
execution environment matters. Syzbot fuzzes kernels on GCE VMs, which may differ
from locally run qemu VMs in instruction set and execution speed, and the generated
reproducer may depend on those differences.

There's unfortunately no universal solution.

Note that you can always ask syzbot to
[apply your git patch and re-run the reproducer](/docs/syzbot.md#testing-patches).
It will be run in the same GCE environment where the bug was originally found.

See also [this document](/docs/syzbot.md#crash-does-not-reproduce).

#### Assets are not downloadable

The downloadable assets are not kept forever: syzbot deletes them 30 days after
the bug is fixed or marked as invalid.

So if you cannot download the assets using the links from the email, this might
be a sign that the bug is no longer worth looking at.

#### Qemu doesn't boot

A [recent qemu problem](https://lore.kernel.org/qemu-devel/da39abab9785aea2a2e7652ed6403b6268aeb31f.camel@linux.ibm.com/)
may prevent it from booting large kernel images. Add `-machine pc-q35-7.1` to
the qemu args to make it work.