Re: [PATCH] kconfig: Add kernel config option for fuzz testing.

From: Tetsuo Handa
Date: Mon Dec 16 2019 - 16:07:58 EST


On 2019/12/17 5:18, Theodore Y. Ts'o wrote:
>> this case was too hard to blacklist, as explained at
>> https://lore.kernel.org/lkml/4d1a4b51-999b-63c6-5ce3-a704013cecb6@xxxxxxxxxxxxxxxxxxx/ .
>> syz_execute_func() can find deeper bug by executing arbitrary binary code, but
>> we cannot blacklist specific syscalls/arguments for syz_execute_func() testcases.
>> Unless we guard on the kernel side, we won't be able to re-enable syz_execute_func()
>> testcases.
>
> I looked at the reference, but I didn't see the explanation in the
> above link about why it was "too hard to blacklist". In fact, it
> looks like a bit earlier in the thread, Dmitry stated that adding this
> find of blacklist "is not hard"?
>
> https://lore.kernel.org/lkml/CACT4Y+Z_+H09iOPzSzJfs=_D=dczk22gL02FjuZ6HXO+p0kRyA@xxxxxxxxxxxxxx/
>

That thread handled two bugs which disabled console output.

The former bug (March 2019) was that fuzzer was calling syslog(SYSLOG_ACTION_CONSOLE_LEVEL) and
was fixed by blacklisting syslog(SYSLOG_ACTION_CONSOLE_LEVEL). This case was easy to blacklist.

The latter bug (May 2019) was that fuzzer was calling binary code (via syz_execute_func()) which
emdebbed a system call that changes console loglevel. Since it was too difficult to blacklist,
syzkaller gave up use of syz_execute_func().