
GitHub - compsec-snu/razzer: A Kernel fuzzer focusing on race bugs

source link: https://github.com/compsec-snu/razzer

README.md

Razzer: Finding kernel race bugs through fuzzing

Environment setup

Running scripts/envsetup.sh sets up the necessary environment variables. During environment setup you must select the kernel version to work with, for example v4.17.

Install

Initialize kernels_repo submodule

The kernel sources used in this project live in a separate repository that is included here as a submodule. To initialize the submodule, run git submodule update as follows:

git submodule update --init --depth=1 kernels_repo

Install toolchains / tools

scripts/install.sh will try to install all required toolchains and tools.
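The three setup steps above (environment variables with a chosen kernel version, shallow submodule init, toolchain install) can be chained into one fail-fast script. The following is an added example, not a script from the Razzer repository; it assumes that scripts/envsetup.sh accepts the kernel version as its first argument, that the submodule counts as initialized when kernels_repo/ is a non-empty directory, and that a usable /dev/kvm is what the QEMU/KVM deterministic scheduler needs on the fuzzing host. The version check rejects anything that is not a plain vMAJOR.MINOR[.PATCH] tag before it is handed to a shell script.

```shell
#!/usr/bin/env bash
# Added example (not part of the Razzer repository). Wraps the README's three
# setup steps into one fail-fast routine. Assumptions not taken from the README:
# envsetup.sh takes the kernel version as $1; kernels_repo/ being non-empty means
# the submodule is initialized; /dev/kvm must be readable and writable by the
# current user for the QEMU/KVM scheduler.
set -u

# Accept only tags of the form vMAJOR.MINOR or vMAJOR.MINOR.PATCH (e.g. v4.17),
# so an odd value cannot reach envsetup.sh unchecked.
valid_kernel_version() {
  printf '%s' "${1:-}" | grep -Eq '^v[0-9]+\.[0-9]+(\.[0-9]+)?$'
}

# Returns 0 when the given submodule directory exists and has content.
submodule_ready() {
  [ -d "${1:-}" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Returns 0 when KVM is usable by the current user (assumed requirement of the
# QEMU/KVM deterministic scheduler; a warning is enough, static analysis still works).
kvm_available() {
  [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# setup_razzer <kernel-version> [<path-to-razzer-checkout>]
setup_razzer() {
  version="${1:-v4.17}"
  repo="${2:-.}"
  valid_kernel_version "$version" || {
    echo "refusing kernel version tag: $version (expected e.g. v4.17)" >&2
    return 1
  }
  cd "$repo" || return 1
  # Step 1: environment variables (assumes the version is passed as an argument).
  . scripts/envsetup.sh "$version" || return 1
  # Step 2: shallow-initialize the kernel sources submodule, skipping if already done.
  submodule_ready kernels_repo || git submodule update --init --depth=1 kernels_repo || return 1
  # Step 3: toolchains and tools.
  scripts/install.sh || return 1
  kvm_available || echo "warning: /dev/kvm not usable; the QEMU/KVM scheduler will not run here" >&2
}

# Run only when explicitly requested, e.g.:
#   RAZZER_SETUP_RUN=1 ./setup_razzer.sh v4.17 /path/to/razzer
# Otherwise the file can be sourced to reuse the functions.
if [ "${RAZZER_SETUP_RUN:-0}" = 1 ]; then
  setup_razzer "$@"
fi
```

The version check and the submodule check run before anything touches the repository, so a typo in the kernel tag or a half-initialized submodule fails early rather than partway through scripts/install.sh.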

Static analysis

Razzer's static analysis is based on the LLVM toolchain and the SVF static analysis tool. See the documents in docs/static_analysis/.

Fuzzing

Razzer's two-phase fuzzing is based on Syzkaller. The deterministic scheduler is implemented using QEMU/KVM. See the documents in docs/fuzzing/.

Paper

Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)

Trophies

Contributors

