Date: Thu, 19 Oct 2017 14:05:07 +0200
From: Dmitry Vyukov <dvyukov@google.com>
To: freebsd-hackers@freebsd.org, rwatson@freebsd.org
Cc: syzkaller <syzkaller@googlegroups.com>, Kostya Serebryany <kcc@google.com>
Subject: syzkaller for freebsd
Message-ID: <CACT4Y+ak76pMDefZ9sz_pOSRiH1XPQ7Jvo+V6XwX394krqLg-A@mail.gmail.com>
Hello,

Our team works on kernel testing and in particular on the syzkaller system call fuzzer (https://github.com/google/syzkaller). It started as a Linux-only fuzzer and has found 1000+ bugs in Linux. But we started evolving towards supporting more OSes recently and added basic FreeBSD support. I see that the FreeBSD https://wiki.freebsd.org/IdeasPage mentions syzkaller/KASAN, so I am reaching out to you to share our progress and discuss potential collaboration.

Our main focus will probably stay around Linux/Fuchsia and we don't have any experience with the FreeBSD kernel (e.g. implementing code coverage support and even building). But if there is active interest on the FreeBSD community side, we are ready to collaborate.

So, I was able to run syzkaller in the full setup (including VM management, console output monitoring, etc.) and outlined the process here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md

To warm up your interest, here is the list of things I've found so far. This is with the off-the-shelf FreeBSD-11.1-RELEASE-amd64.qcow2 image.

panic: ffs_write: type 0xfffff80003eee760 8 (0,0)
https://pastebin.com/raw/Xm80kYSz
This one even comes with a C reproducer (which is surprising, because syzkaller currently only generates/builds reproducers for Linux; still, it somehow ran on FreeBSD and triggered the crash):
https://pastebin.com/raw/EZe8thej

Fatal trap 12: page fault in atrtc_settime
https://pastebin.com/raw/pFzSgNff

Fatal trap 12: page fault in bufdone
https://pastebin.com/raw/amHtWwQS

Fatal trap 12: page fault in sctp_sosend
https://pastebin.com/raw/Zf2hYwi7

Fatal trap 12: page fault in vnet_pf_uninit
https://pastebin.com/raw/0AiJJz7D

Fatal trap 9: general protection fault in udp_close
https://pastebin.com/raw/DzKYRkSm

There was also a bunch of silent crashes/hangs:
https://pastebin.com/raw/gp5HDmHZ

But lots of things for full FreeBSD support are still missing. I've sketched a list here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md#missing-things
Some are harder to do, some are easier to do. Just running it with a debug kernel build (with debug info and as many debug checks as possible) would probably be the simplest one.

Thanks,
Dmitry Vyukov
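The "console output monitoring" step the message refers to is what turns raw VM console text into crash titles of the form "Fatal trap 12: page fault in udp_close". The following Go program is an added example of that kind of detection logic; it is not code from the e-mail or from the syzkaller project, and it does not reproduce syzkaller's own report parser. The sample console text is constructed and only approximates the FreeBSD trap/panic/KDB-backtrace layout, and the list of frames treated as reporting machinery (kdb_backtrace, vpanic, trap_fatal, ...) is an illustrative assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CrashReport summarizes one kernel crash found in VM console output.
type CrashReport struct {
	Title  string   // one-line title, e.g. "Fatal trap 12: page fault in udp_close"
	Frames []string // function names from the KDB backtrace, innermost first
	isTrap bool     // started by a "Fatal trap" line (title gets the faulting function)
}

var (
	// "Fatal trap 12: page fault while in kernel mode"
	trapRe = regexp.MustCompile(`^Fatal trap (\d+): (.+?)( while in kernel mode)?$`)
	// "panic: ffs_write: type ..."
	panicRe = regexp.MustCompile(`^panic: (.+)$`)
	// KDB backtrace frame: "#7 0xffffffff80c0ffee at udp_close+0x1f"
	frameRe = regexp.MustCompile(`^#\d+ 0x[0-9a-f]+ at ([A-Za-z_][A-Za-z0-9_]*)\+0x[0-9a-f]+`)
)

// Frames belonging to the trap/panic machinery itself; they are skipped when
// picking the function to name in the title. Illustrative list (assumption).
var reportingFrames = map[string]bool{
	"kdb_backtrace": true, "vpanic": true, "panic": true, "trap_fatal": true,
	"trap_pfault": true, "trap": true, "calltrap": true,
}

// ExtractCrashes scans console output and returns one report per crash.
// The "panic: page fault" line that follows a "Fatal trap" line belongs to
// the same crash; a new report is only opened once the previous backtrace
// has been collected.
func ExtractCrashes(console string) []CrashReport {
	var reports []CrashReport
	var cur *CrashReport
	for _, raw := range strings.Split(console, "\n") {
		line := strings.TrimSpace(raw)
		if m := trapRe.FindStringSubmatch(line); m != nil {
			reports = finish(reports, cur)
			cur = &CrashReport{Title: fmt.Sprintf("Fatal trap %s: %s", m[1], m[2]), isTrap: true}
			continue
		}
		if m := panicRe.FindStringSubmatch(line); m != nil {
			if cur == nil || len(cur.Frames) > 0 {
				reports = finish(reports, cur)
				cur = &CrashReport{Title: "panic: " + m[1]}
			}
			continue
		}
		if m := frameRe.FindStringSubmatch(line); m != nil && cur != nil {
			cur.Frames = append(cur.Frames, m[1])
		}
	}
	return finish(reports, cur)
}

// finish names the first non-reporting frame in a trap title (giving the
// "page fault in udp_close" form used in the e-mail) and stores the report.
func finish(reports []CrashReport, cur *CrashReport) []CrashReport {
	if cur == nil {
		return reports
	}
	if cur.isTrap {
		for _, f := range cur.Frames {
			if !reportingFrames[f] {
				cur.Title += " in " + f
				break
			}
		}
	}
	return append(reports, *cur)
}

// sampleConsole is a constructed excerpt approximating FreeBSD console
// output around a kernel-mode page fault; it is not a real capture.
const sampleConsole = `login:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x28
current process         = 812 (syz-executor)
panic: page fault
KDB: stack backtrace:
#0 0xffffffff80aada97 at kdb_backtrace+0x67
#1 0xffffffff80a6bb76 at vpanic+0x186
#2 0xffffffff80a6b9e3 at panic+0x43
#3 0xffffffff80ee7ff2 at trap_fatal+0x322
#4 0xffffffff80ee8049 at trap_pfault+0x49
#5 0xffffffff80ee7f4c at trap+0x22c
#6 0xffffffff80ecd271 at calltrap+0x8
#7 0xffffffff80c0ffee at udp_close+0x1f
#8 0xffffffff80b4d0c9 at soclose+0x99
Uptime: 1m23s
`

func main() {
	for _, r := range ExtractCrashes(sampleConsole) {
		fmt.Printf("%s\n  frames: %s\n", r.Title, strings.Join(r.Frames, " <- "))
	}
}
```

The absence of a match is not the absence of a bug: the "silent crashes/hangs" in the list above produce no trap or panic line at all, so a fuzzing harness has to treat a console that stops producing output, or a VM that stops answering, as a finding in its own right rather than relying on pattern matching alone.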