From owner-freebsd-hackers@freebsd.org Thu Oct 19 12:05:29 2017
From: Dmitry Vyukov
Date: Thu, 19 Oct 2017 14:05:07 +0200
Subject: syzkaller for freebsd
To: freebsd-hackers@freebsd.org, rwatson@freebsd.org
Cc: syzkaller, Kostya Serebryany
List-Id: Technical Discussions relating to FreeBSD

Hello,

Our team works on kernel testing and in particular on the syzkaller system call fuzzer (https://github.com/google/syzkaller). It started as a Linux-only fuzzer and has found 1000+ bugs in Linux. But we started evolving towards supporting more OSes recently and added basic FreeBSD support.

I see that the FreeBSD https://wiki.freebsd.org/IdeasPage mentions syzkaller/KASAN, so I am reaching out to share our progress and discuss potential collaboration. Our main focus will probably stay around Linux/Fuchsia and we don't have any experience with the FreeBSD kernel (e.g. implementing code coverage support and even building). But if there is an active interest on the FreeBSD community's side, we are ready to collaborate.

So, I was able to run syzkaller in a full setup (including VM management, console output monitoring, etc.) and outlined the process here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md

To warm up your interest, here is a list of things I've found so far. This is with the off-the-shelf FreeBSD-11.1-RELEASE-amd64.qcow2 image.
panic: ffs_write: type 0xfffff80003eee760 8 (0,0)
https://pastebin.com/raw/Xm80kYSz
This one even comes with a C reproducer (which is surprising, because syzkaller currently only generates/builds reproducers for Linux, but it somehow ran on FreeBSD and triggered the crash):
https://pastebin.com/raw/EZe8thej

Fatal trap 12: page fault in atrtc_settime
https://pastebin.com/raw/pFzSgNff

Fatal trap 12: page fault in bufdone
https://pastebin.com/raw/amHtWwQS

Fatal trap 12: page fault in sctp_sosend
https://pastebin.com/raw/Zf2hYwi7

Fatal trap 12: page fault in vnet_pf_uninit
https://pastebin.com/raw/0AiJJz7D

Fatal trap 9: general protection fault in udp_close
https://pastebin.com/raw/DzKYRkSm

There was also a bunch of silent crashes/hangs:
https://pastebin.com/raw/gp5HDmHZ

But lots of things for full FreeBSD support are still missing. I've sketched a list here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md#missing-things
Some are harder to do, some are easier to do. Just running it with a debug kernel build (with debug info and as many debug checks as possible) would probably be the simplest one.

Thanks,
Dmitry Vyukov