Hello,

After going through the process to get everything built and running, when I start syzkaller none of the fuzzers appear to be working.

~/razzer/tools/race-syzkaller/exp$ sudo -E ./run.sh --config configs/kernel/config
~/razzer/tools/qemu-2.5.0 ~/fast/razzer/tools/race-syzkaller/exp
[*] Rebuilding QEMU
VMLINUX:  ~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
HYPEADDR: 0xffffffff8031be1e
  CC    disas/i386.o
  CC    x86_64-softmmu/cpus.o
  CC    x86_64-softmmu/hypercall.o
  CC    x86_64-softmmu/kvm-all.o
  LINK  x86_64-softmmu/qemu-system-x86_64

~/fast/razzer/tools/race-syzkaller/exp
[*] KERNEL_VERSION: v4.17
[*] git: e289c23db10a60854a602a2c6ae7df8c449dce75 (master)
 kernels_repo                                                         | 2 +-
 scripts/install.sh                                                   | 2 +-
 scripts/kernel_version.lst                                           | 1 +
 scripts/qemu/install.sh                                              | 2 ++
 tools/llvmlinux/targets/x86_64/build-kernel.sh                       | 4 ++--
 tools/llvmlinux/targets/x86_64/configs/static_analysis_v4.8.mk       | 2 +-
 tools/race-syzkaller/exp/configs/kernel/config                       | 5 ++---
 tools/race-syzkaller/exp/partition-scripts/partitioned_analysis.sh   | 5 ++++-
 tools/race-syzkaller/exp/partition-scripts/run-partition-analysis.py | 1 +
 9 files changed, 15 insertions(+), 9 deletions(-)
[*] Running: syz-manager -config configs/kernel/config -v 0
2019/07/09 09:36:08 Suppress  option: 1
2019/07/09 09:36:08 RootCause  option: false
2019/07/09 09:36:08 Loading race candidate pairs...
2019/07/09 09:36:13 Loading suppressed mempair: 1148234
2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
2019/07/09 09:36:14 Initializing cover per mapping...
2019/07/09 09:36:14 Building Sparse race candidates...
2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
2019/07/09 09:36:14 [*] loading corpus
2019/07/09 09:36:15 [+] loaded 1192 corpus programs (1192 total, 0 deleted)
2019/07/09 09:36:15 [*] loading racecorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from racecorpus
2019/07/09 09:36:15 [*] loading likelycorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from likelycorpus
2019/07/09 09:36:15 serving http on http://0.0.0.0:56741
2019/07/09 09:36:15 serving rpc on tcp://[::]:33495
2019/07/09 09:36:15 booting test machines...
2019/07/09 09:36:15 wait for the connection from test machine...
2019/07/09 09:36:36 received first connection from test machine fuzzer-9
2019/07/09 09:36:43 machine check: 1517 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-14 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-11 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-0 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-9 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:55      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:05      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:15 #4 Fuzzer: exe 3504 (876), sig 17635 (4408), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:15      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:25      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:28 [*] Sent all cands from corpusDB



#####


cat configs/kernel/config
{
  "target": "linux/amd64",
  "http": "0.0.0.0:56741",
  "workdir": "$PWD/workdir",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
  "procs": 1,
  "type": "qemu",
  "mempair":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "mapping":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
  "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
  "distance":  "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
  "sandbox": "none",
  "vm": {
    "schedcount": 16,
    "count": 16,
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 8192,
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}

Your paper Razzer: Finding Kernel Race Bugs through Fuzzing is definately well written and we all appreciate this amazing work. But may I ask when will this code be released? Since your paper mentioned that

We will open source of RAZZER such that kernel developers and researchers can beneft from using RAZZER.

We will truely appreciate that.

Hi, I am following the instructions to build bitcode files. However, after running ./build-kernel.sh --config configs/static_analysis_v4.16.mk, for built-in.*, only built-in.o files were built but no built-in.bc. For other files, e.g., kernel/pid.c, the corresponding .o files and .bc files were built.

The ./build-kernel.sh scripts also failed because of a bunch undefined reference to xxx errors when executing the command tools/llvmlinux/arch/all/bin/llvm-link-bc.sh -m elf_x86_64 -z max-page-size=0x200000 --build-id -o .tmp_vmlinux1 -T ./arch/x86/kernel/vmlinux.lds --whole-archive built-in.o --no-whole-archive --start-group lib/lib.a arch/x86/lib/lib.a --end-group, according to tmp/log. As pointed out here, I can ignore the link error because it was expected, but I cannot find any built-in.bc files built for subsequent analysis.

Any ideas? Thanks!

"As a consequence, LLVM Linux will fail to build the entire kernel binary. It is okay if .bc files for files under interests and built-in.bc for each subdirectory (e.g., drivers/built-in.bc, net/built-in.bc) is built."

LLVM Linux will fail to build the entire kernel binary but merge-mempairs.py runs get_address.py and in get_address.py it requires vmlinux file. After I fail to build the entire kernel binary I can run run-partition-analysis.py successfully but merge-mempairs.py will remind me no vmlinux found.

Hi,

I'm interested in razzer and I want to inspect race cases reported by razzer. It seems that links to C repro & kernel config in lkml are unavailable now.

Are they still available somewhere? Since I don't have enough memory(less than 16GB, not enough even under N_PROC = 1), it's hard for me to perform complete static analysis of razzer. So it's problematic for me to get razzer work at full speed and it helps a lot if those C repros & config are still available.

Thanks in advance.

When I run "scripts/install.sh" to install the environment, there is a question.

[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddBddAbs.c.o

[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddCompose.c.o

[ 65%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddHarwell.c.o

[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddPriority.c.o

[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddSubsetHB.c.o

[ 66%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddGroup.c.o

[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/cuddZddUtil.c.o

[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/dddmpNodeAdd.c.o

[ 67%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/epd.c.o

[ 68%] Building C object lib/CUDD/CMakeFiles/Cudd.dir/restart.c.o

[ 68%] Linking C shared module Cudd.so

[ 68%] Built target Cudd

Makefile:129: recipe for target 'all' failed
make: *** [all] Error 2

I cannot understand it.

静态分析的时候.执行/run-partition-analysis.py出现 File "/usr/lib/python3.5/os.py", line 725, in getitem raise KeyError(key) from None KeyError: 'KERNEL_VERSION' 请问是什么原因？

while I use ./scripts/qemu/install.sh, I found that QEMU build is error:

config-temp/qemu-conf.c:1:10: fatal error: sys/endian.h: No such file or directory #include <sys/endian.h> compilation terminated.

how to deal with it? Thanks!

And there are other errors before this error, such as:

config-temp/qemu-conf.c: In function ‘main’: config-temp/qemu-conf.c:6:3: error: too many arguments to function ‘xc_domain_create’ xc_domain_create(xc, 0, handle, 0, NULL, NULL); In file included from config-temp/qemu-conf.c:1:0: /usr/include/xenctrl.h:511:5: note: declared here int xc_domain_create(xc_interface *xch,

and

/tmp/ccBwhhaj.o: In function main': root/razzer/tools/qemu-2.5.0/build/config-temp/qemu-conf.c:5: undefined reference touuid_generate' collect2: error: ld returned 1 exit status

but these errors did not cause compilation terminated

I find nop instead of vmcall instruction in each kernel/hypercall.c

I'm not that familiar with virtualization but it seems that the hypercall implementation will never call into VMM?

Please help me with it. Do I misunderstand sth about the implementation or how should I modify it to make razzer work?

Thanks.

I am confused about what the config file(in tools/llvmlinux/targets/x86_64, ) should look like, or how to generate the right config file, if I want to try to razzer another kernel version? Now I have tried the following steps:

1. modify kernel base on static-analysis.md, and diff between origin and your kernels_repo.
2. modifiy script/envsetup.sh(add to script/kernel_version.lst)
3. try some existing config files in tools/llvmlinux/targets/x86_64/configs/ to build linux(static analysis, so is llvmlinux). But all failed.

So, I want to know how to generate the right config file? Thanks.

While I do Static analysis according to docs/static-analysis.md, I found that ./run-partition-analysis.py is killed.The log is shown as below:

begin do_analyze( sound/built-in.bc init/built-in.bc fs/built-in.bc ipc/built-in.bc ) [*] NAME: [sound] [*] Kernel version: v4.17 [*] Making static analysis directory [*] DIR: /root/lava_workspace/razzer_test/razzer/tools/race-syzkaller/exp/configs/kernel/partition/v4.17 [*] Generating combined-sound.bc [*] Generating mssa.sound Killed [*] Generating mempair_all.net-vmw_vsock [*] Prune and check_testing_bugs [WARN] Testing bug ('drivers/tty/n_hdlc.c:440', 'drivers/tty/n_hdlc.c:216') not found [WARN] Testing bug ('net/packet/af_packet.c:3660', 'net/packet/af_packet.c:4229') not found [WARN] Testing bug ('net/packet/af_packet.c:1653', 'net/packet/af_packet.c:1710') not found [WARN] Testing bug ('net/ipv4/raw.c:640', 'net/ipv4/ip_sockglue.c:748') not found [WARN] Testing bug ('net/sctp/associola.c:1088', 'net/sctp/socket.c:7423') not found [WARN] Testing bug ('net/packet/af_packet.c:1645', 'net/packet/af_packet.c:367') not found

I found in scripts/misc/analysis.py，it do as below: cmd = "wpa -indCallLimit=100000 -dump-callgraph -ander -vgep -svfg -dump-mssa -dump-race " + args.bitcode What is it doing?

How to deal with it ? Thanks!