For information about checking out and building Fuchsia see Get started with Fuchsia and Download the Fuchsia source code.
Please note that Fuchsia support is currently incomplete, and may break at any time due to changes in Fuchsia and/or Syzkaller.
Some known issues include:
- System call definitions require manual updates.
- Crash parsing does not work reliably.
- Coverage feedback is not supported.
To run Syzkaller with a Fuchsia target, you will need a checkout of the Fuchsia source repository.
The rest of this document will use the environment variable SOURCEDIR
to
identify the path to your Fuchsia checkout (e.g. /home/you/fuchsia
). The
commands below assume you have set SOURCEDIR
, like so:
export SOURCEDIR=/home/you/fuchsia
The shell script setup.sh automates the building and running
syz-manager
steps described below. Give it a try, and see if it works for you.
For usage help, invoke it with no arguments.
To build Fuchsia for x64, run:
fx --dir "out/x64" set core.x64 \
--with-base "//bundles/tools" \
--with-base "//src/testing/fuzzing/syzkaller" \
--args=syzkaller_dir='"/full/path/to/syzkaller"' \
--variant=kasan
fx build
Alternatively, for arm64, run:
fx --dir "out/arm64" set core.arm64 \
--with-base "//bundles/tools" \
--with-base "//src/testing/fuzzing/syzkaller" \
--args=syzkaller_dir='"/full/path/to/syzkaller"' \
--variant=kasan
fx clean-build
To build all the binaries required for running Syzkaller in Fuchsia, run this from inside your Syzkaller checkout (assuming you built Fuchsia for x64):
make TARGETOS=fuchsia TARGETARCH=amd64 SOURCEDIR=${SOURCEDIR}
Running syz-manager requires you to have built Fuchsia previously, and added the ssh keys to the fuchsia.zbi image:
The output of the Fuchsia build is a product bundle. Look up the image files needed
via ffx product get-image-path
:
product_bundle_path="$(ffx config get product.path | tr -d '"')"
fxfs_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type fxfs)"
zbi_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type zbi)"
multiboot_path="$(ffx product get-image-path "$product_bundle_path" --slot a --image-type qemu-kernel)"
Make sure the ssh keys exist and are properly configured:
# Make sure there are ssh keys available
ffx config check-ssh-keys
auth_keys_path="$(ffx config get ssh.pub | tr -d '"')"
priv_key_path="$(ffx config get ssh.priv | tr -d '"')"
Add the authorized keys to the zbi.
fx host-tool zbi -o "${SOURCEDIR}/out/x64/fuchsia-ssh.zbi" \
"${zbi_path}" \
--entry "data/ssh/authorized_keys=${auth_keys_path}"
Note: This needs to be repeated after each fx build
.
Create a syz-manager
configuration file, using this as a starting point:
{
"name": "fuchsia",
"target": "fuchsia/amd64",
"http": ":12345",
"workdir": "/workdir.fuchsia",
"kernel_obj": "/fuchsia/out/syz/kernel_x64-kasan/obj/zircon/kernel",
"syzkaller": "/syzkaller",
"image": "$fxfs_path",
"sshkey": "$priv_key_path",
"reproduce": false,
"cover": false,
"procs": 8,
"type": "qemu",
"vm": {
"count": 10,
"cpu": 4,
"mem": 2048,
"kernel": "${multiboot_path}",
"initrd": " ${SOURCEDIR}/out/x64/fuchsia-ssh.zbi"
}
}
Run syz-manager
with that config:
bin/syz-manager -config manager.cfg
Note: You may need to modify your PATH
so that qemu can be found, e.g.
export `PATH="$SOURCEDIR/prebuilt/third_party/qemu/linux-x64/bin:$PATH"`
Syscall descriptions live in the sys/fuchsia
folder. To update a syscall, you
need to modify the .txt
file that contains it, make sure your new definition
matches the one in Zircon's
syscalls.abigen
file. If the syscall was used in executor/common_fuchsia.h
, you need to
update the usages there as well. FIDL definitions do not need manual updating
because they are extracted automatically when you run make extract
, but they
require Fuchsia to be rebuilt for each architecture (see Building
Fuchsia above).
Once you updated the syscall definitions, everything can be regenerated by running (in your Syzkaller checkout):
make extract TARGETOS=fuchsia SOURCEDIR=${SOURCEDIR}
make generate
Caveat: This command does not currently work.
TODO: This section is out of date.
Syscall descriptions for FIDL are automatically generated as part of make extract
as described above.
However, if you wish to manually generate syscall descriptions for a given
.fidl
file, do the following.
FIDL files should first be compiled into FIDL intermediate representation (JSON)
files using fidlc
:
${SOURCEDIR}/out/x64/host_x64/fidlc --json /tmp/io.json --files ${SOURCEDIR}/zircon/system/fidl/fuchsia-io/io.fidl
Then run the FIDL compiler backend fidlgen
with the syzkaller generator, which
compiles a FIDL IR file into a syscall description file:
${SOURCEDIR}/out/x64/host_x64/fidlgen -generators syzkaller -json /tmp/io.json -output-base fidl_io -include-base fidl_io
To run syz-ci
locally for Fuchsia, you need:
- bootstrapped Fuchsia checkout (in
/bootstrap/fuchsia
dir in the example below) - bootstrap
syz-ci
binary (in the current dir, build withmake ci
) syz-ci
config similar to the one below (inci.cfg
file in the current dir)
{
"name": "testci",
"http": ":50000",
"manager_port_start": 50001,
"syzkaller_repo": "https://github.com/google/syzkaller.git",
"managers": [
{
"name": "fuchsia",
"repo": "https://fuchsia.googlesource.com",
"manager_config": {
"target": "fuchsia/amd64",
"type": "qemu",
"cover": false,
"procs": 8,
"vm": {
"count": 4,
"cpu": 4,
"mem": 1024
}
}
}
]
}
Run syz-ci
as:
SOURCEDIR=/bootstrap/fuchsia ./syz-ci -config ci.cfg
While running the make extract
step, it's possible that the FIDL definitions
are not up to date. It could happen that they have been removed or renamed.
If this is the case, you would see an error mentioning that the fidl.json file could not be found:
go generate ./sys/fuchsia
cannot find /path-to-fuchsia/out/x64/fidling/gen/zircon/public/fidl/zircon-ethernet/zircon-ethernet.fidl.json
exit status 1
You can search for the string in the Fuchsia code search
interface or in the
Gerrit code-review tool to see what
happened to it. If the FIDL interface was renamed or removed, you should update
sys/fuchsia/fidlgen/main.go
to reflect this change, and remove the stale
autogenerated files.