Re: [PATCH] kconfig: Add kernel config option for fuzz testing.
From: Theodore Y. Ts'o
Date: Mon Dec 16 2019 - 15:19:21 EST
On Tue, Dec 17, 2019 at 12:35:00AM +0900, Tetsuo Handa wrote:
> >> diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> >> index 1ef6f75d92f1..9a2f95a78fef 100644
> >> --- a/kernel/printk/printk.c
> >> +++ b/kernel/printk/printk.c
> >> @@ -1198,6 +1198,14 @@ MODULE_PARM_DESC(ignore_loglevel,
> >>
> >> static bool suppress_message_printing(int level)
> >> {
> >> +#ifdef CONFIG_KERNEL_BUILT_FOR_FUZZ_TESTING
> >> + /*
> >> + * Changing console_loglevel causes "no output". But ignoring
> >> + * console_loglevel is easier than preventing change of
> >> + * console_loglevel.
> >> + */
> >> + return (level >= CONSOLE_LOGLEVEL_DEFAULT && !ignore_loglevel);
> >> +#endif
> >
> > I don't understand the need for this change at all.
>
> this case was too hard to blacklist, as explained at
> https://lore.kernel.org/lkml/4d1a4b51-999b-63c6-5ce3-a704013cecb6@xxxxxxxxxxxxxxxxxxx/ .
> syz_execute_func() can find deeper bug by executing arbitrary binary code, but
> we cannot blacklist specific syscalls/arguments for syz_execute_func() testcases.
> Unless we guard on the kernel side, we won't be able to re-enable syz_execute_func()
> testcases.
I looked at the reference, but I didn't see the explanation in the
above link about why it was "too hard to blacklist". In fact, it
looks like a bit earlier in the thread, Dmitry stated that adding this
find of blacklist "is not hard"?
https://lore.kernel.org/lkml/CACT4Y+Z_+H09iOPzSzJfs=_D=dczk22gL02FjuZ6HXO+p0kRyA@xxxxxxxxxxxxxx/
I suspect that adding whack-a-mole in the kernel is going to be just
as hard/annoying as adding it in Syzkaller.... The question is under
which rug are we proposing to hide the dirt? :-)
- Ted