Inspect Results
```text
├── BugReproduce                Folder. Regular plugin folder
├── launch_ubuntu-18.04.4.sh    File.   Script for booting Ubuntu-18.04.4
├── launch_ubuntu-20.04.sh      File.   Script for booting Ubuntu-20.04
├── qemu-ubuntu-18.04.4-root0   File.   QEMU log (root privilege)
├── qemu-ubuntu-20.04-root0     File.   QEMU log (root privilege)
├── qemu-ubuntu-20.04-normal0   File.   QEMU log (normal privilege)
├── Report_BugReproduce         File.   Plugin report
├── results.json                File.   Plugin results
├── VendorMemRead               File.   Present only if the PoC triggered a memory read bug
├── sandbox.h                   File.   For enabling the sandbox
└── log                         File.   Plugin log
```
Each plugin should generate a report named Report_{Plugin_Name}; the detailed results should be serialized into a JSON file named results.json. An example Report_BugReproduce looks like this:
ubuntu-22.04 triggers a bug: KASAN: slab-out-of-bounds in decrypt_internal by normal user
The results.json, on the other hand, contains much more detailed information. It will look like this:
```json
{
  "ubuntu-22.04": {
    "missing_module": [],
    "skip_funcs": [],
    "device_tuning": [],
    "env_modules": [],
    "interface_tuning": [],
    "namespace": true,
    "root": false,
    "minimized": false,
    "repeat": false,
    "hash": "02617ac69815ae324053c954118c2dc7ba0e59b2",
    "trigger": true,
    "unprivileged_module_loading": false
  }
}
```
Each plugin has its own definition of keys. The explanations for the existing plugins are listed below.
BugReproduce results start with a map of distros. Each distro is a key in results.json, and its value is also a map. It contains the adaptation techniques that are required for reproducing the bug. missing_module contains a list of missing kernel modules that are related to the bug; they must be loaded before running the PoC. skip_funcs contains a list of PoC functions that may interfere with the execution; skipping them won't affect the bug triggering. device_tuning is a list of devices that need to be used by the PoC. Normally, the loop device is the only one in this list. env_modules contains a list of kernel modules that are needed when setting up the PoC environment. interface_tuning is similar to skip_funcs; the difference is that the functions in skip_funcs may be redundant but won't affect the PoC execution, while interface_tuning only contains functions that must be removed in order to run the PoC successfully.
```json
{
  "psi": {
    "name": "psi",
    "src_file": "kernel/sched/psi.c",
    "hook": false,
    "missing": {
      "ubuntu-18.04.4": {
        "distro_name": "ubuntu-18.04.4",
        "distro_version": "4.15.76",
        "type": 0,
        "missing_reason": "Module disabled"
      }
    }
  }
}
```
In the ModulesAnalysis plugin, each kernel module name is a key in the map. Its value contains the module source file src_file, the module name (psi), the hook function check hook, and the distros in which the module is missing. Hook functions often link to unnecessary code that is irrelevant to the root cause, so we can skip hook functions if time is tight. For each distro that misses this module, we first decide the type of the missing reason: 0 means MODULE_DISABLED, 1 means MODULE_ENABLED, 2 means MODULE_REQUIRED_LOADING, 3 means MODULE_IN_BLACKLIST, 4 means MODULE_REQUIRED_LOADING_BY_ROOT, 5 means MODULE_REQUIRED_LOADING_BY_NON_ROOT, and 6 means MODULE_IS_IMPLICIT.
```json
{
  "close_fds": false,
  "prog_status": 0,
  "no_sandbox": true
}
```
The SyzFeatureMinimize plugin minimizes the upstream PoC and its enabled features. The results contain the features from the upstream testcase. There is an additional key prog_status, indicating whether only the syzkaller prog triggers the bug (SYZ_PROG), only the C prog triggers the bug (C_PROG), or both progs trigger the bug (BOTH_FAIL).