An efficient unit test and fuzz tools for kernel/libc porting

Bamvor Jian Zhang, Huawei

Oct 6, 2016



Self introduction
● Kernel developer from Huawei
● Linaro kernel working group assignee
● Focus on migration of 32-bit applications
● Interested in memory management

aarch64 ILP32 overview

What is ILP32?

arm architecture

[picture omitted] * This picture belongs to the ARM company.

Data model

Migrate 32-bit applications to 64-bit hardware

[Diagram: one kernel on 64-bit hardware serving three user-space stacks, each built from application / midware / libc]

  aarch32       : application → midware → libc → compat_syscall → kernel
  aarch64_ILP32 : application → midware → libc → (compat_syscall or syscall, depending on the ILP32 version) → kernel
  aarch64_LP64  : application → midware → libc → syscall → kernel

ILP32 enablement

Why do we need a unit test for ILP32?

Lots of choices have to be made for a new API:

● The definition of basic types in user space (NOT the kernel part!)

● Argument passing: one 64-bit register or two 32-bit registers

● Sanitizing register contents

The definition of basic types in user space

    #define __DEV_T_TYPE        __UQUAD_TYPE
    #define __UID_T_TYPE        __U32_TYPE
    #define __GID_T_TYPE        __U32_TYPE
    #define __INO_T_TYPE        __UQUAD_TYPE
    #define __INO64_T_TYPE      __UQUAD_TYPE
    #define __MODE_T_TYPE       __U32_TYPE
    #define __NLINK_T_TYPE      __U32_TYPE
    #define __OFF_T_TYPE        __SQUAD_TYPE
    #define __OFF64_T_TYPE      __SQUAD_TYPE
    #define __PID_T_TYPE        __S32_TYPE
    #define __RLIM_T_TYPE       __UQUAD_TYPE
    #define __RLIM64_T_TYPE     __UQUAD_TYPE
    #define __BLKCNT_T_TYPE     __SQUAD_TYPE
    #define __BLKCNT64_T_TYPE   __SQUAD_TYPE
    #define __FSBLKCNT_T_TYPE   __UQUAD_TYPE
    #define __FSBLKCNT64_T_TYPE __UQUAD_TYPE
    #define __FSFILCNT_T_TYPE   __UQUAD_TYPE
    #define __FSFILCNT64_T_TYPE __UQUAD_TYPE

The definition of basic types in user space (Cont.)

    #define __FSWORD_T_TYPE     __SWORD_TYPE
    #define __ID_T_TYPE         __U32_TYPE
    #define __CLOCK_T_TYPE      __SLONGWORD_TYPE
    #define __TIME_T_TYPE       __SLONGWORD_TYPE
    #define __USECONDS_T_TYPE   __U32_TYPE
    #define __SUSECONDS_T_TYPE  __SLONGWORD_TYPE
    #define __DADDR_T_TYPE      __S32_TYPE
    #define __KEY_T_TYPE        __S32_TYPE
    #define __CLOCKID_T_TYPE    __S32_TYPE
    #define __TIMER_T_TYPE      void *
    #define __BLKSIZE_T_TYPE    __S32_TYPE
    #define __FSID_T_TYPE       struct { int __val[2]; }
    /* ssize_t is always signed long in both ABIs. */
    #define __SSIZE_T_TYPE      __SLONGWORD_TYPE
    #define __SYSCALL_SLONG_TYPE __SLONGWORD_TYPE
    #define __SYSCALL_ULONG_TYPE __ULONGWORD_TYPE
    #define __CPU_MASK_TYPE     __ULONGWORD_TYPE

Four big changes in 3 years

Version A
● Most syscalls are compat syscalls
● time_t and off_t are 32-bit

Version B
Similar to x32 (x86 ILP32)
● Most syscalls are 64-bit syscalls
● time_t and off_t are 64-bit
● Incompatible with arm32 compat-ioctl

Version C
Come back to version A
● Most syscalls are compat syscalls
● time_t and off_t are 32-bit
● Pass 64-bit variables through one 64-bit register
● Do the sign/zero extension when entering the kernel

Version D
● More compat syscalls compared with aarch32
● Pass 64-bit variables through two 32-bit registers
● Clear the top halves of all the 64-bit registers of a syscall when entering the kernel
● time_t is 32-bit and off_t is 64-bit
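The argument-passing and register-sanitizing choices of versions C and D, modelled as an added user-space C example. This is not code from the slides or from the ILP32 kernel or glibc patches; the function names (split_halves, join_halves, sanitize_s32, sanitize_u32, clear_top_halves, naive_s32) and the register image in main() are my own constructed assumptions. It shows why a 32-bit int carried in a 64-bit register cannot be used as a 64-bit long until the top half has been fixed up, and how a 64-bit off_t is carried in two 32-bit registers.

```c
#include <stdint.h>
#include <stdio.h>

/* Version D: libc splits a 64-bit argument (e.g. a 64-bit off_t) into two
 * 32-bit registers and the kernel joins them again on entry. */
void split_halves(uint64_t v, uint32_t *lo, uint32_t *hi)
{
    *lo = (uint32_t)v;
    *hi = (uint32_t)(v >> 32);
}

uint64_t join_halves(uint32_t lo, uint32_t hi)
{
    return ((uint64_t)hi << 32) | lo;
}

/* Version C: a 32-bit argument travels in a 64-bit register. Only the low
 * 32 bits are defined by the ABI; the top half holds whatever the caller
 * left there, so the kernel must extend from bit 31 according to the C type. */
int64_t sanitize_s32(uint64_t raw)      /* int, pid_t, 32-bit off_t ... */
{
    return (int64_t)(int32_t)(uint32_t)raw;
}

uint64_t sanitize_u32(uint64_t raw)     /* unsigned int, uid_t, 32-bit pointers ... */
{
    return (uint64_t)(uint32_t)raw;
}

/* Version D instead clears the top half of every argument register on entry.
 * A signed 32-bit type still needs sign extension before 64-bit use. */
void clear_top_halves(uint64_t regs[], int n)
{
    for (int i = 0; i < n; i++)
        regs[i] &= 0xffffffffULL;
}

/* What a kernel that skips the step sees: the raw register taken as a long. */
int64_t naive_s32(uint64_t raw)
{
    return (int64_t)raw;
}

int main(void)
{
    /* Constructed register image: user space passed which = -1 (an int) and
     * left stale bits in the top half of the register. */
    uint64_t reg = (0xdeadbeefULL << 32) | 0xffffffffULL;
    uint64_t regs[2] = { reg, (1ULL << 35) | 42 };
    uint32_t lo, hi;

    printf("naive  : %lld\n", (long long)naive_s32(reg));
    printf("s32    : %lld\n", (long long)sanitize_s32(reg));
    printf("u32    : %llu\n", (unsigned long long)sanitize_u32(reg));

    clear_top_halves(regs, 2);
    printf("cleared: %llx %llu\n", (unsigned long long)regs[0],
           (unsigned long long)regs[1]);

    split_halves(0x0000000123456789ULL, &lo, &hi);
    printf("off_t  : lo=%08x hi=%08x -> %llx\n", lo, hi,
           (unsigned long long)join_halves(lo, hi));
    return 0;
}
```

The same register image gives -1 through sanitize_s32(), 4294967295 through sanitize_u32() and a large negative number through naive_s32(); which one is "right" depends on the C type in the prototype, which is exactly why the slides dump the prototypes on both sides before generating the test.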

How many issues were found by trinity while fewer than 20 LTP syscall tests failed?

0

Compare existing kernel/glibc test tools
● Whether it is easy to reproduce a failure
● Whether it supports coverage
● Whether it supports libc tests
● Whether it generates fully random data for basic data types

LTP and glibc test suite
● The classic test suite for kernel and glibc
● Cons
  ● No fuzz test. Tests may pass while some issues stay hidden

Trinity
● Pros
  ● Generates fuzz data for a set of data types
  ● Supports lots of architectures
● Cons
  ● Generates random addresses instead of basic data types for most pointers
  ● Takes too long to produce an issue, and much longer to reproduce and analyze it
  ● Does not support coverage (?)

Syzkaller (Cont.)
● Pros
  ● Can recursively randomize base data types
  ● Can generate readable short test cases
  ● Can do coverage
● Cons
  ● Does not test the C library

AFL and Triforce
● Pros
  ● Based on TriforceAFL
  ● Does not need coverage support in the kernel
● Cons
  ● Needs special instructions in qemu

What's missing?
● No test suite cares about the porting of libc and kernel
● No full unit test for syscalls

Introduce syscall unit test

The test flow of syscall unit test

[Flow diagram]
  kernel side:     dump function prototype from kernel     → generate jprobe hook
  user-space side: dump function prototype from user space → generate parameter fuzzer
  both sides:      run test case with modified trinity     → analyse result

Dump the prototypes of functions and structs
● Script based on abi-dumper
● Generate the fuzzer from the JSON output.

The fuzzer for structs in user space

    #include <stdlib.h>
    #include <time.h>

    /* rand64() is trinity's 64-bit random helper. */
    struct itimerspec *get_itimerspec(void)
    {
    	struct itimerspec *p = malloc(sizeof(struct itimerspec));

    	if (!p)
    		return NULL;
    	p->it_interval.tv_sec = (unsigned long)rand64();
    	p->it_interval.tv_nsec = (unsigned long)rand64();
    	p->it_value.tv_sec = (unsigned long)rand64();
    	p->it_value.tv_nsec = (unsigned long)rand64();

    	// print all the values of this struct
    	return p;
    }

The jprobe hook in a kernel module

    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/kprobes.h>
    #include <linux/compat.h>
    #include <linux/uaccess.h>

    /* Same prototype as compat_sys_getitimer(); a jprobe handler receives the
     * probed function's arguments unchanged. */
    long JC_SyS_getitimer(int which, struct compat_itimerval __user *it)
    {
    	struct compat_itimerval val;

    	printk(KERN_INFO "parameter value: it<%p>, which<%d>\n", it, which);
    	/* it points into user space: read it with copy_from_user(), not directly */
    	if (copy_from_user(&val, it, sizeof(val)) == 0)
    		printk(KERN_INFO "it->it_interval.tv_sec<%d>, it->it_interval.tv_usec<%d>, "
    		       "it->it_value.tv_sec<%d>, it->it_value.tv_usec<%d>\n",
    		       val.it_interval.tv_sec, val.it_interval.tv_usec,
    		       val.it_value.tv_sec, val.it_value.tv_usec);
    	else
    		printk(KERN_INFO "it<%p>: cannot read struct from user space\n", it);
    	jprobe_return();	/* Always end with a call to jprobe_return(). */
    	return 0;
    }

    static struct jprobe my_jprobe = {
    	.entry = JC_SyS_getitimer,
    	.kp = {
    		.symbol_name = "compat_sys_getitimer",
    	},
    };

    static int __init jprobe_init(void)
    {
    	int ret;

    	ret = register_jprobe(&my_jprobe);
    	if (ret < 0) {
    		printk(KERN_INFO "register_jprobe failed, returned %d\n", ret);
    		return -1;
    	}
    	return 0;
    }

    static void __exit jprobe_exit(void)
    {
    	unregister_jprobe(&my_jprobe);
    	printk(KERN_INFO "jprobe at %p unregistered\n", my_jprobe.kp.addr);
    }

    module_init(jprobe_init);
    module_exit(jprobe_exit);
    MODULE_LICENSE("GPL");

Modify trinity
● Call syscalls through the C library
● Add the missing structs in syscalls
● Add jprobe hooks for capturing the arguments of syscalls
● Add or change some output messages for the script

Run it!

trinity/scripts/do_test_struct.sh
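The struct fuzzer shown earlier and the run-and-analyse step above, as one added C example that is not code from the slides or from the trinity or abi-dumper branches. It shows a seedable variant of the itimerspec fuzzer (a fixed seed is what makes a failure reproducible, the first criterion on the tool-comparison slide), the log line user space writes, and the comparison against the line the kernel-side hook prints. The xorshift PRNG, the edge-value list, the "itimerspec a b c d" line format, the verdict names and the function names (fill_itimerspec, format_itimerspec, parse_itimerspec, classify_field, analyze_lines) are my own assumptions; the two log lines in main() are constructed, not output of the real tool.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* struct itimerspec in <time.h> */
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Reproducible PRNG (xorshift64, not cryptographic): a fixed seed is what
 * makes a failing fuzz case re-runnable. The state must never be zero. */
struct fuzz_rng { uint64_t s; };

static uint64_t fuzz_rand64(struct fuzz_rng *r)
{
    uint64_t x = r->s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return r->s = x;
}

/* Values on the 32/64-bit edges, where a wrong type width or a missing
 * sign extension shows up; one draw in four is taken from here. */
static const int64_t edge_values[] = {
    0, -1, INT32_MAX, INT32_MIN, (int64_t)UINT32_MAX, 1LL << 32, INT64_MAX, INT64_MIN,
};

static int64_t fuzz_i64(struct fuzz_rng *r)
{
    uint64_t x = fuzz_rand64(r);

    if ((x & 3) == 0)
        return edge_values[(x >> 8) % (sizeof edge_values / sizeof edge_values[0])];
    return (int64_t)fuzz_rand64(r);
}

/* Generated fuzzer for struct itimerspec: one value per basic-type field,
 * fully determined by the seed. */
void fill_itimerspec(struct itimerspec *p, uint64_t seed)
{
    struct fuzz_rng r = { seed ? seed : 0x9e3779b97f4a7c15ULL };

    p->it_interval.tv_sec = (time_t)fuzz_i64(&r);
    p->it_interval.tv_nsec = (long)fuzz_i64(&r);
    p->it_value.tv_sec = (time_t)fuzz_i64(&r);
    p->it_value.tv_nsec = (long)fuzz_i64(&r);
}

/* User space logs the struct it passed; the kernel probe logs the same four
 * fields in the same order, so both lines parse the same way. */
int format_itimerspec(char *buf, size_t n, const struct itimerspec *p)
{
    return snprintf(buf, n, "itimerspec %lld %lld %lld %lld",
                    (long long)p->it_interval.tv_sec, (long long)p->it_interval.tv_nsec,
                    (long long)p->it_value.tv_sec, (long long)p->it_value.tv_nsec);
}

int parse_itimerspec(const char *line, long long v[4])
{
    return sscanf(line, "itimerspec %lld %lld %lld %lld", &v[0], &v[1], &v[2], &v[3]) == 4;
}

/* Analysis step: relate the kernel-side value of each field to what was sent. */
enum abi_verdict { ABI_OK, ABI_TRUNCATED_32, ABI_SIGN_LOST, ABI_GARBAGE };

enum abi_verdict classify_field(long long sent, long long seen)
{
    if (seen == sent)
        return ABI_OK;
    if (seen == (long long)(int32_t)(uint32_t)sent)
        return ABI_TRUNCATED_32; /* only the low 32 bits crossed the boundary */
    if (seen == (long long)(uint32_t)sent)
        return ABI_SIGN_LOST;    /* zero-extended where sign extension was needed */
    return ABI_GARBAGE;          /* unrelated: wrong register or struct layout */
}

/* Number of fields that did not survive intact; -1 if a line does not parse. */
int analyze_lines(const char *user_line, const char *kernel_line, enum abi_verdict out[4])
{
    long long sent[4], seen[4];
    int bad = 0;

    if (!parse_itimerspec(user_line, sent) || !parse_itimerspec(kernel_line, seen))
        return -1;
    for (int i = 0; i < 4; i++) {
        out[i] = classify_field(sent[i], seen[i]);
        bad += out[i] != ABI_OK;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: what user space sent vs. what a broken boundary showed. */
    enum abi_verdict v[4];
    int bad = analyze_lines("itimerspec -1 500 4294967296 7",
                            "itimerspec 4294967295 500 0 7", v);

    printf("%d field(s) changed at the ABI boundary\n", bad);
    return bad != 2;
}
```

In the constructed sample, tv_sec = -1 arriving as 4294967295 is the zero-extension-instead-of-sign-extension case from version C, and 4294967296 arriving as 0 is a 64-bit value pushed through a 32-bit compat field; both are silent in a pass/fail suite like LTP and only visible when the two sides of the boundary are logged and compared.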

Found two issues in a specific version
● readahead
● sync_file_range

The return value test of syscalls
● Random return value through kretprobe

TODO list
● Support all the syscalls which are not wrapped by libc
● Full automation in generating the fuzz code

What is the future of syscall unit test?
Contribute to LTP and/or the glibc test suite?
Or keep it as a standalone test suite?

Code published on GitHub
https://github.com/bjzhang/trinity/tree/syscall_unittest
https://github.com/bjzhang/abi-dumper/tree/json_output

Thanks