Skip to content

Latest commit

 

History

History
246 lines (189 loc) · 7.09 KB

README.md

File metadata and controls

246 lines (189 loc) · 7.09 KB

Fuchsia support

For information about checking out and building Fuchsia see Get started with Fuchsia and Download the Fuchsia source code.

Caveat

Please note that Fuchsia support is currently incomplete, and may break at any time due to changes in Fuchsia and/or Syzkaller.

Some known issues include:

  • System call definitions require manual updates.
  • Crash parsing does not work reliably.
  • Coverage feedback is not supported.

Prerequisites

To run Syzkaller with a Fuchsia target, you will need a checkout of the Fuchsia source repository.

The rest of this document will use the environment variable SOURCEDIR to identify the path to your Fuchsia checkout (e.g. /home/you/fuchsia). The commands below assume you have set SOURCEDIR, like so:

export SOURCEDIR=/home/you/fuchsia

Quick and easy version

The shell script setup.sh automates the building and running syz-manager steps described below. Give it a try, and see if it works for you. For usage help, invoke it with no arguments.

Building Fuchsia

To build Fuchsia for x64, run:

fx --dir "out/x64" set core.x64 \
  --with-base "//bundles/tools" \
  --with-base "//src/testing/fuzzing/syzkaller" \
  --args=syzkaller_dir='"/full/path/to/syzkaller"' \
  --variant=kasan
fx build

Alternatively, for arm64, run:

fx --dir "out/arm64" set core.arm64 \
  --with-base "//bundles/tools" \
  --with-base "//src/testing/fuzzing/syzkaller" \
  --args=syzkaller_dir='"/full/path/to/syzkaller"' \
  --variant=kasan
fx clean-build

Building binaries for Fuchsia

To build all the binaries required for running Syzkaller in Fuchsia, run this from inside your Syzkaller checkout (assuming you built Fuchsia for x64):

make TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=${SOURCEDIR}

Running syz-manager

Running syz-manager requires you to have built Fuchsia previously, and added the ssh keys to the fuchsia.zbi image:

The output of the Fuchsia build is a product bundle. Look up the image files needed via ffx product get-image-path:

  product_bundle_path="$(ffx config get product.path | tr -d '"')"
  fxfs_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type fxfs)"
  zbi_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type zbi)"
  multiboot_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type qemu-kernel)"

Make sure the ssh keys exist and are properly configured:

  # Make sure there are ssh keys available
  ffx config check-ssh-keys
  auth_keys_path="$(ffx config get ssh.pub | tr -d '"')"
  priv_key_path="$(ffx config get ssh.priv | tr -d '"')"

Add the authorized keys to the zbi.

fx host-tool zbi -o "${SOURCEDIR}/out/x64/fuchsia-ssh.zbi" \
  "${zbi_path}" \
  --entry "data/ssh/authorized_keys=${auth_keys_path}"

Note: This needs to be repeated after each fx build.

Create a syz-manager configuration file, using this as a starting point:

{
  "name": "fuchsia",
  "target": "fuchsia/amd64",
  "http": ":12345",
  "workdir": "/workdir.fuchsia",
  "kernel_obj": "/fuchsia/out/syz/kernel_x64-kasan/obj/zircon/kernel",
  "syzkaller": "/syzkaller",
  "image": "$fxfs_path",
  "sshkey": "$priv_key_path",
  "reproduce": false,
  "cover": false,
  "procs": 8,
  "type": "qemu",
  "vm": {
    "count": 10,
    "cpu": 4,
    "mem": 2048,
    "kernel": "${multiboot_path}",
    "initrd": " ${SOURCEDIR}/out/x64/fuchsia-ssh.zbi"
  }
}

Run syz-manager with that config:

bin/syz-manager -config manager.cfg

Note: You may need to modify your PATH so that qemu can be found, e.g.

export `PATH="$SOURCEDIR/prebuilt/third_party/qemu/linux-x64/bin:$PATH"`

Update syscall and FIDL definitions

Syscall descriptions live in the sys/fuchsia folder. To update a syscall, you need to modify the .txt file that contains it, make sure your new definition matches the one in Zircon's syscalls.abigen file. If the syscall was used in executor/common_fuchsia.h, you need to update the usages there as well. FIDL definitions do not need manual updating because they are extracted automatically when you run make extract, but they require Fuchsia to be rebuilt for each architecture (see Building Fuchsia above).

Once you updated the syscall definitions, everything can be regenerated by running (in your Syzkaller checkout):

make extract TARGETOS=fuchsia SOURCEDIR=${SOURCEDIR}
make generate

Caveat: This command does not currently work.

How to generate syscall definitions from FIDL

TODO: This section is out of date.

Syscall descriptions for FIDL are automatically generated as part of make extract as described above.

However, if you wish to manually generate syscall descriptions for a given .fidl file, do the following.

FIDL files should first be compiled into FIDL intermediate representation (JSON) files using fidlc:

${SOURCEDIR}/out/x64/host_x64/fidlc --json /tmp/io.json --files ${SOURCEDIR}/zircon/system/fidl/fuchsia-io/io.fidl

Then run the FIDL compiler backend fidlgen with the syzkaller generator, which compiles a FIDL IR file into a syscall description file:

${SOURCEDIR}/out/x64/host_x64/fidlgen -generators syzkaller -json /tmp/io.json -output-base fidl_io -include-base fidl_io

Running syz-ci locally

To run syz-ci locally for Fuchsia, you need:

  • bootstrapped Fuchsia checkout (in /bootstrap/fuchsia dir in the example below)
  • bootstrap syz-ci binary (in the current dir, build with make ci)
  • syz-ci config similar to the one below (in ci.cfg file in the current dir)
{
	"name": "testci",
	"http": ":50000",
	"manager_port_start": 50001,
	"syzkaller_repo": "https://github.com/google/syzkaller.git",
	"managers": [
		{
			"name": "fuchsia",
			"repo": "https://fuchsia.googlesource.com",
			"manager_config": {
				"target": "fuchsia/amd64",
				"type": "qemu",
				"cover": false,
				"procs": 8,
				"vm": {
					"count": 4,
					"cpu": 4,
					"mem": 1024
				}
			}
		}
	]
}

Run syz-ci as:

SOURCEDIR=/bootstrap/fuchsia ./syz-ci -config ci.cfg

Troubleshooting

While running the make extract step, it's possible that the FIDL definitions are not up to date. It could happen that they have been removed or renamed.

If this is the case, you would see an error mentioning that the fidl.json file could not be found:

go generate ./sys/fuchsia
cannot find /path-to-fuchsia/out/x64/fidling/gen/zircon/public/fidl/zircon-ethernet/zircon-ethernet.fidl.json
exit status 1

You can search for the string in the Fuchsia code search interface or in the Gerrit code-review tool to see what happened to it. If the FIDL interface was renamed or removed, you should update sys/fuchsia/fidlgen/main.go to reflect this change, and remove the stale autogenerated files.