Inspect Results

ETenal edited this page Sep 29, 2023 · 1 revision

├── BugReproduce                    Folder. Regular plugin folder
    ├── launch_ubuntu-18.04.4.sh    File. Script for booting Ubuntu-18.04.4
    ├── launch_ubuntu-20.04.sh      File. Script for booting Ubuntu-20.04
    ├── qemu-ubuntu-18.04.4-root0   File. QEMU log (root privilege)
    ├── qemu-ubuntu-20.04-root0     File. QEMU log (root privilege)
    ├── qemu-ubuntu-20.04-normal0   File. QEMU log (normal privilege)
    ├── Report_BugReproduce         File. Plugin report
    ├── results.json                File. Plugin results
    ├── VendorMemRead               File. Exists only if a memory read bug is triggered
    ├── sandbox.h                   File. For enabling the sandbox
    └── log                         File. Plugin log

Each plugin should generate a report named Report_{Plugin_Name}; the detailed results should be serialized into a JSON file, results.json. An example of Report_BugReproduce looks like this:

ubuntu-22.04 triggers a bug: KASAN: slab-out-of-bounds in decrypt_internal  by normal user

On the other hand, results.json contains much more detailed information. It will look like this:

{
	"ubuntu-22.04": {
		"missing_module": [],
		"skip_funcs": [],
		"device_tuning": [],
		"env_modules": [],
		"interface_tuning": [],
		"namespace": true,
		"root": false,
		"minimized": false,
		"repeat": false,
		"hash": "02617ac69815ae324053c954118c2dc7ba0e59b2",
		"trigger": true,
		"unprivileged_module_loading": false
	}
}

Each plugin has its own definition of keys. We list the explanation of them for the existing plugins below.

BugReproduce

{
	"ubuntu-22.04": {
		"missing_module": [],
		"skip_funcs": [],
		"device_tuning": [],
		"env_modules": [],
		"interface_tuning": [],
		"namespace": true,
		"root": false,
		"minimized": false,
		"repeat": false,
		"hash": "02617ac69815ae324053c954118c2dc7ba0e59b2",
		"trigger": true,
		"unprivileged_module_loading": false
	}
}

BugReproduce results start with a map of distros. Each distro is a key in results.json, and its value is also a map. It contains the adaptation techniques that were required to reproduce the bug. missing_module is a list of missing kernel modules that are related to the bug; they must be loaded before running the PoC. skip_funcs is a list of PoC functions that may interfere with the execution; skipping them does not affect triggering the bug. device_tuning is a list of devices that the PoC needs to use; normally the loop device is the only entry in this list. env_modules is a list of kernel modules that are needed when setting up the PoC environment. interface_tuning is similar to skip_funcs; the difference is that a function in skip_funcs may be redundant but does not affect PoC execution, while interface_tuning only contains functions that must be removed in order to run the PoC successfully.

ModulesAnalysis

{
	"psi": {
		"name": "psi",
		"src_file": "kernel/sched/psi.c",
		"hook": false,
		"missing": {
			"ubuntu-18.04.4": {
				"distro_name": "ubuntu-18.04.4",
				"distro_version": "4.15.76",
				"type": 0,
				"missing_reason": "Module disabled"
			}
		}
	}
}

In the ModulesAnalysis plugin, each kernel module name is a key of the map. The value contains the module source file (src_file), the module name (name, here psi), whether the module is a hook function (hook), and the distros in which the module is missing (missing). Hook functions often link to unnecessary code that is irrelevant to the root cause, so hook functions can be skipped if time is tight. For each distro that misses this module, we first decide the type of the missing reason: 0 means MODULE_DISABLED, 1 means MODULE_ENABLED, 2 means MODULE_REQUIRED_LOADING, 3 means MODULE_IN_BLACKLIST, 4 means MODULE_REQUIRED_LOADING_BY_ROOT, 5 means MODULE_REQUIRED_LOADING_BY_NON_ROOT, 6 means MODULE_IS_IMPLICIT.
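As an added example (my own code, not the project's own), a small Python reader for the BugReproduce and ModulesAnalysis results.json layouts shown above. It decodes the numeric missing type into the name listed in the paragraph above; the sample documents are constructed from the JSON on this page, and the function and constant names are my own.

```python
import json

# Numeric missing "type" codes documented for the ModulesAnalysis plugin on this page.
MISSING_TYPES = {
    0: "MODULE_DISABLED",
    1: "MODULE_ENABLED",
    2: "MODULE_REQUIRED_LOADING",
    3: "MODULE_IN_BLACKLIST",
    4: "MODULE_REQUIRED_LOADING_BY_ROOT",
    5: "MODULE_REQUIRED_LOADING_BY_NON_ROOT",
    6: "MODULE_IS_IMPLICIT",
}

# Adaptation keys of a BugReproduce entry; a non-empty list means the PoC needed that tuning.
ADAPTATION_KEYS = ("missing_module", "skip_funcs", "device_tuning",
                   "env_modules", "interface_tuning")

# Constructed sample input: the BugReproduce results.json shown on this page.
BUG_REPRODUCE_JSON = """{"ubuntu-22.04": {
  "missing_module": [], "skip_funcs": [], "device_tuning": [],
  "env_modules": [], "interface_tuning": [],
  "namespace": true, "root": false, "minimized": false, "repeat": false,
  "hash": "02617ac69815ae324053c954118c2dc7ba0e59b2",
  "trigger": true, "unprivileged_module_loading": false}}"""

# Constructed sample input: the ModulesAnalysis results.json shown on this page.
MODULES_JSON = """{"psi": {"name": "psi", "src_file": "kernel/sched/psi.c", "hook": false,
  "missing": {"ubuntu-18.04.4": {"distro_name": "ubuntu-18.04.4",
  "distro_version": "4.15.76", "type": 0, "missing_reason": "Module disabled"}}}}"""

def summarize_bug_reproduce(text):
    """Map each distro to whether the bug triggered, at which privilege, and the adaptations it needed."""
    summary = {}
    for distro, r in json.loads(text).items():
        summary[distro] = {
            "triggered": bool(r.get("trigger")),
            "privilege": "root" if r.get("root") else "normal user",
            "adaptations": {k: r[k] for k in ADAPTATION_KEYS if r.get(k)},
        }
    return summary

def summarize_modules(text):
    """Map each module to {distro: (type name, missing_reason)}, decoding the numeric type code."""
    summary = {}
    for module, info in json.loads(text).items():
        summary[module] = {
            distro: (MISSING_TYPES.get(m.get("type"), "UNKNOWN_TYPE"), m.get("missing_reason"))
            for distro, m in info.get("missing", {}).items()
        }
    return summary
```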

SyzFeatureMinimize

{
	"close_fds": false,
	"prog_status": 0,
	"no_sandbox": true
}

The SyzFeatureMinimize plugin minimizes the upstream PoC and its enabled features. The results contain the features from the upstream testcase. There is an additional key, prog_status, indicating whether only the syzkaller prog triggers the bug (SYZ_PROG), only the C prog triggers the bug (C_PROG), or both progs trigger the bug (BOTH_FAIL).