syzkaller for freebsd
Dmitry Vyukov
dvyukov at google.com
Thu Oct 19 12:05:29 UTC 2017
Hello,
Our team works on kernel testing and in particular on syzkaller system
call fuzzer (https://github.com/google/syzkaller). It started as
Linux-only fuzzer and has found 1000+ bugs in Linux. But we started
evolving towards supporting more OSes recently and added basic FreeBSD
support. I see that FreeBSD https://wiki.freebsd.org/IdeasPage
mentions syzkaller/KASAN, so I am reaching out to you to share our
progress and discuss potential collaboration. Our main focus will
probably stay around Linux/Fuchsia and we don't have any experience
around FreeBSD kernel (e.g. implementing code coverage support and
even building). But if there is an active interest on FreeBSD
community side, we are ready to collaborate.
So, I was able to run syzkaller in full setup (including VM
management, console output monitoring, etc.) and outlined the process
here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md
To warm up your interest, here is a list of things I've found so far.
This is with off-the-shelf FreeBSD-11.1-RELEASE-amd64.qcow2 image.
panic: ffs_write: type 0xfffff80003eee760 8 (0,0)
https://pastebin.com/raw/Xm80kYSz
This one even comes with a C reproducer (which is surprising, because
syzkaller currently only generates/builds reproducers for Linux, still
it somehow ran on FreeBSD and triggered the crash):
https://pastebin.com/raw/EZe8thej
Fatal trap 12: page fault in atrtc_settime
https://pastebin.com/raw/pFzSgNff
Fatal trap 12: page fault in bufdone
https://pastebin.com/raw/amHtWwQS
Fatal trap 12: page fault in sctp_sosend
https://pastebin.com/raw/Zf2hYwi7
Fatal trap 12: page fault in vnet_pf_uninit
https://pastebin.com/raw/0AiJJz7D
Fatal trap 9: general protection fault in udp_close
https://pastebin.com/raw/DzKYRkSm
There was also a bunch of silent crashes/hangs
https://pastebin.com/raw/gp5HDmHZ
But lots of things for full FreeBSD support are still missing. I've
sketched a list here:
https://github.com/google/syzkaller/blob/master/docs/freebsd.md#missing-things
Some are harder to do, some are easier to do. Just running it with a
debug kernel build (with debug info and as many debug checks as
possible) would probably be the simplest one.
Thanks,
Dmitry Vyukov
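The crash titles listed in the mail ("Fatal trap 12: page fault in bufdone", "panic: ffs_write: ...") are what a console-output monitor has to derive from raw FreeBSD panic dumps. The parser below is an added example, not syzkaller's own report code; it assumes the usual FreeBSD trap/backtrace layout, a hand-picked set of trap-machinery frames to skip, and constructed console excerpts with made-up addresses.

```python
import re

# Frames belonging to the trap/panic machinery rather than to the bug.
# Constructed for this example; not syzkaller's own frame table.
SKIP_FRAMES = {"kdb_backtrace", "vpanic", "panic", "trap_fatal",
               "trap_pfault", "trap", "calltrap"}

TRAP_RE = re.compile(r"^Fatal trap (\d+): (.+?) while in kernel mode$")
PANIC_RE = re.compile(r"^panic: (.+)$")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ at (\w+)\+0x[0-9a-f]+$")


def crash_title(console_output):
    """Derive a syzkaller-style crash title from a FreeBSD console dump.

    A fatal trap is attributed to the first backtrace frame outside the
    trap/panic machinery; a plain panic keeps its message. None if no crash.
    """
    trap = panic = None
    for line in console_output.splitlines():
        line = line.strip()
        if trap is None and (m := TRAP_RE.match(line)):
            trap = "Fatal trap %s: %s" % m.groups()
        elif panic is None and (m := PANIC_RE.match(line)):
            panic = "panic: " + m.group(1)
        elif trap and (m := FRAME_RE.match(line)) and m.group(1) not in SKIP_FRAMES:
            return "%s in %s" % (trap, m.group(1))
    # Trap without a usable backtrace, or a plain panic without a trap.
    return trap or panic


# Constructed console excerpts; the addresses are made up for the example.
TRAP_DUMP = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
panic: page fault
KDB: stack backtrace:
#0 0xffffffff80aadac7 at kdb_backtrace+0x67
#1 0xffffffff80a6b566 at vpanic+0x186
#2 0xffffffff80a6b3d3 at panic+0x43
#3 0xffffffff80edf5af at trap_fatal+0x35f
#4 0xffffffff80edf609 at trap_pfault+0x49
#5 0xffffffff80edee4c at trap+0x29c
#6 0xffffffff80ec2fc1 at calltrap+0x8
#7 0xffffffff80b2c4d8 at bufdone+0x58
"""
PANIC_DUMP = "panic: ffs_write: type 0xfffff80003eee760 8 (0,0)\ncpuid = 1\n"

if __name__ == "__main__":
    print(crash_title(TRAP_DUMP))   # Fatal trap 12: page fault in bufdone
    print(crash_title(PANIC_DUMP))  # panic: ffs_write: type 0xfffff80003eee760 8 (0,0)
```

Titles derived this way are stable across runs only as long as the first non-machinery frame is, so deduplicating crashes by title still needs the full dump kept alongside.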