Re: [PATCH v2] Add kernel config option for fuzz testing.
From: Greg Kroah-Hartman
Date: Sun Mar 08 2020 - 01:52:20 EST
On Sat, Mar 07, 2020 at 10:58:22PM +0900, Tetsuo Handa wrote:
> While syzkaller is finding many bugs, sometimes syzkaller examines
> stupid operations. Currently we prevent syzkaller from examining
> stupid operations by blacklisting syscall arguments and/or disabling
> whole functionality using existing kernel config options, but it is
> a whack-a-mole approach. We need cooperation from kernel side [1].
>
> This patch introduces a kernel config option which allows disabling
> only specific operations. This kernel config option should be enabled
> only when building kernels for fuzz testing.
>
> We discussed possibility of disabling specific operations at run-time
> using some lockdown mechanism [2], but conclusion seems that build-time
> control (i.e. kernel config option) fits better for this purpose.
> Since patches for users of this kernel config option will want a lot of
> explanation [3], this patch provides only kernel config option for them.
>
> [1] https://github.com/google/syzkaller/issues/1622
> [2] https://lkml.kernel.org/r/CACdnJutc7OQeoor6WLTh8as10da_CN=crs79v3Fp0mJTaO=+yw@xxxxxxxxxxxxxx
> [3] https://lkml.kernel.org/r/20191216163155.GB2258618@xxxxxxxxx
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> ---
> lib/Kconfig.debug | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> Changes since v1:
> Drop users of this kernel config option.
> Update patch description.
>
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index 53e786e0a604..e360090e24c5 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -2208,4 +2208,14 @@ config HYPERV_TESTING
>
> endmenu # "Kernel Testing and Coverage"
>
> +config KERNEL_BUILT_FOR_FUZZ_TESTING
> + bool "Build kernel for fuzz testing"
> + default n
That's always the default, you can leave that.
> + help
No tabs for the above lines?
> + Say N unless you are building kernels for fuzz testing.
> + Saying Y here disables several things that legitimately cause
> + damage under a fuzzer workload (e.g. copying to arbitrary
> + user-specified kernel address, changing console loglevel,
> + freezing filesystems).
"cause damage under a fuzzer workload running as root."
And that's the issue here, the fuzzer wants to run as root and then do
things that are known to cause problems (poke at memory locations,
unmount filesystems, etc.) So you should describe why this is happening
and that it is to be expected :)
thanks,
greg k-h