An efficient unit test and fuzz tools for kernel/libc porting
41
An efficient unit test and fuzz tools for kernel/libc porting Bamvor Jian Zhang Huawei Oct, 6, 2016
Transcript of An efficient unit test and fuzz tools for kernel/libc porting
Anefficientunittestandfuzztoolsforkernel/libcporting
BamvorJianZhang
Huawei
Oct,6,2016
Selfintroduction●KerneldeveloperfromHuawei●Linarokernelworkinggroupassignee●Focusonmigrationof32-bitapplication●Interestedinmemorymanagement
aarch64ILP32overview
WhatisILP32?
armarchitecture
*ThispictureisbelongtotheARMcompany
Datamodel
Migrate32-bitapplicationto64-bithardware
aarch32
kernel
aarch64_ILP32 aarch64_LP64
application
midware
libc
compat_syscall
application
midware
libc
syscall
application
midware
libc
ILP32enablement
WhyweneedunittestforILP32?
Lotsofchoicestobemadeforanewapi
●Thedefinitionofbasictypeinuserspace(NOTthekernelpart!)
●Argumentpassing:one64-bitregisterortwo32-bitregisters
●Sanitizeregistercontents
Thedefinitionofbasictypeinuserspace
#define__DEV_T_TYPE__UQUAD_TYPE#define__UID_T_TYPE__U32_TYPE#define__GID_T_TYPE__U32_TYPE#define__INO_T_TYPE__UQUAD_TYPE#define__INO64_T_TYPE__UQUAD_TYPE#define__MODE_T_TYPE__U32_TYPE#define__NLINK_T_TYPE__U32_TYPE#define__OFF_T_TYPE__SQUAD_TYPE#define__OFF64_T_TYPE__SQUAD_TYPE#define__PID_T_TYPE__S32_TYPE#define__RLIM_T_TYPE__UQUAD_TYPE#define__RLIM64_T_TYPE__UQUAD_TYPE#define__BLKCNT_T_TYPE__SQUAD_TYPE#define__BLKCNT64_T_TYPE__SQUAD_TYPE#define__FSBLKCNT_T_TYPE__UQUAD_TYPE#define__FSBLKCNT64_T_TYPE__UQUAD_TYPE#define__FSFILCNT_T_TYPE__UQUAD_TYPE#define__FSFILCNT64_T_TYPE__UQUAD_TYPE
Thedefinitionofbasictypeinuserspace(Cont.)
#define__FSWORD_T_TYPE__SWORD_TYPE#define__ID_T_TYPE__U32_TYPE#define__CLOCK_T_TYPE__SLONGWORD_TYPE#define__TIME_T_TYPE__SLONGWORD_TYPE#define__USECONDS_T_TYPE__U32_TYPE#define__SUSECONDS_T_TYPE__SLONGWORD_TYPE#define__DADDR_T_TYPE__S32_TYPE#define__KEY_T_TYPE__S32_TYPE#define__CLOCKID_T_TYPE__S32_TYPE#define__TIMER_T_TYPEvoid*#define__BLKSIZE_T_TYPE__S32_TYPE#define__FSID_T_TYPEstruct{int__val[2];}/*ssize_tisalwayssingedlonginbothABIs.*/#define__SSIZE_T_TYPE__SLONGWORD_TYPE#define__SYSCALL_SLONG_TYPE__SLONGWORD_TYPE#define__SYSCALL_ULONG_TYPE__ULONGWORD_TYPE#define__CPU_MASK_TYPE__ULONGWORD_TYPE
Fourbigchangesin3years
VersionA
●Mostofsyscallsarecompatsyscalls●time_tandoff_tare32-bit
VersionB
Similartox32(x86ILP32)
●Mostofsyscallsare64-bitsyscalls●time_tandoff_tare64-bit●Incompatiblewitharm32compat-ioctl
VersionC
ComebacktoversionA
●Mostofsyscallsarecompatsyscalls●time_tandoff_tare32-bit●Pass64-bitvariablethroughone64-bitreg●Dothesign/zeroextensionwhenenteringkernel
VersionD
●Morecompatsyscallscomparewithaarch32
●Pass64-bitvariablethroughtwo32-bitregs
●Clearthetop-halvesofofallthe64-bitregsofasyscallwhenenteringkernel
●time_tis32-bitandoff_tis64-bit
HowmanyissuesfoundbytrinitywhenLTPsyscallfailsare<20?
0
Compareexistingkernel/glibctesttools
●Whethereasytoreproduceafailure●Whethersupportcoverage●Whethersupportlibctest●Whethergeneratefullrandomdatatobasicdatatype
LTPandglibctestsuite●TheClassictestsuiteforkernelandglibc●Cons●Nofuzztest.Testmaypasswhilesomeissuesarehidden
Trinity●Pros●Generatefuzzdatainasetofdatatype●Supportlotsofarchitecture
●Cons●Generaterandomaddressinsteadofbasicdatatypeformostofpointers
●TakestoolongtoproduceanissueandTakesmuchlongertore-produceandanalyzeit
●Donotsupportcoverage(?)
Syzkaller
*Thispictureisbelongtothesyzkallerproject
Syzkaller(Cont.)●Pros●Canrecursivelyrandomizebasedatatype
●Cangeneratereadableshorttestcases●Candothecoverage
●Cons●DoesnottestClibrary
AFLandTriforce●Pros:●BaseontheTriforceAFL●Donotneedthecoveragesupportinkernel
●Cons●Needspecialinstructioninqemu
What'smissing?●Notestsuitecareabouttheportingoflibcandkernel
●Nofullunittestforsyscall
Introducesyscallunittest
Thetestflowofsyscallunittest
kernel
userspace
Dumpfunctionprototypefromkernel
Generatejprobehook
runtestcasewithmodified
trinityDumpfunctionprototype
fromuserspace
Generateparameterfuzzer
analysisresult
Dumptheprototypeoffunctionandstruct
●Scriptbaseonabi-dumper●Generatethefuzzerfromjson.
Thefuzzerforstructsinuserspace
structitimerspec*get_itimerspec(){structitimerspec*p=malloc(sizeof(structitimerspec));
p->it_interval.tv_sec=(unsignedlong)rand64();p->it_interval.tv_nsec=(unsignedlong)rand64();p->it_value.tv_sec=(unsignedlong)rand64();p->it_value.tv_nsec=(unsignedlong)rand64();
//printallthevalueofthisstructreturnp;}
TheJprobehookinkernelmodule
longJC_SyS_getitimer(intwhich,structcompat_itimerval*it){printk("parametervalue:it<%u>,which<%u>",it,which);printk("it->it_interval.tv_sec<%u>,it->it_interval.tv_usec<%u>,it->it_value.tv_sec<%u>,it->it_value.tv_usec<%u>"it->it_interval.tv_sec,it->it_interval.tv_usec,it->it_value.tv_sec,it->it_value.tv_usec);jprobe_return();/*Alwaysendwithacalltojprobe_return().*/return0;}
staticstructjprobemy_jprobe={.entry=JC_SyS_getitimer,.kp={.symbol_name="compat_sys_getitimer",},};
staticint__initjprobe_init(void){intret;
ret=register_jprobe(&my_jprobe);if(ret<0){printk(KERN_INFO"register_jprobefailed,returned%d\n",ret);return-1;}
return0;}
staticvoid__exitjprobe_exit(void){unregister_jprobe(&my_jprobe);printk(KERN_INFO"jprobeat%punregistered\n",my_jprobe.kp.addr);}
Modifytrinity
●CallsyscallthroughClibrary●Addthemissingstructinsyscall●Addjprobehooksforcapturingtheargumentsofsyscall
●AddorChangesomeoutputmessageforscript
Runit!
trinity/scripts/do_test_struct.sh
Foundtwoissuesinaspecificversion●readahead●sync_file_range
Thereturnvaluetestofsyscall●Randomreturnvaluethroughkretprobe
TODOlist●Supportallthesyscallswhicharenotwrappedbylibc
●Fullautomationingeneratingthefuzzcode
Whatisthefutureofsyscallunittest?ContributetoLTPand/orglibctestsuite?
Orkeepitasastandalonetestsuite?
Codepublishedingithubhttps://github.com/bjzhang/trinity/tree/syscall_unittest
https://github.com/bjzhang/abi-dumper/tree/json_output
Thanks
