Razzer: Finding kernel race bugs through fuzzing
Environment setup
$ source scripts/envsetup.sh
scripts/envsetup.sh sets up necessary environment variables. One
should select the kernel version during environment setup, for
example, v4.17.
Install
Initialize kernels_repo submodule
Kernel source codes used in this project are in the other reprository
which is included as a submodule. To initialize the submodule one
should execute git submodule update command as a follow.
$ git submodule update --init --depth=1 kernels_repo
Dependencies
$ sudo apt install zlib libglib-dev python-setuptools quilt libssl-dev dwarfdump
Install toolchains / tools
$ scripts/install.sh
scripts/install.sh then installs all the rest necessary toolchains and tools.
Static analysis
The Razzer's static analysis is based on the LLVM toolchain and the
SVF static analysis tool. See documents in docs/static-analysis.md.
Fuzzing
Razzer's two-phases fuzzing is based on Syzkaller. The deterministic
scheduler is implemented using QEMU/KVM. See documents in
docs/fuzzing.md.
Paper
Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)
Trophies
- KASAN: slab-out-of-bounds write in tty_insert_flip_string_flag
- WARNING in __static_key_slow_dec
- Kernel BUG at net/packet/af_packet.c:LINE!
- WARNING in refcount_dec
- unable to handle kernel paging request in snd_seq_oss_readq_puts
- KASAN: use-after-free Read in loopback_active_get
- KASAN: null-ptr-deref Read in rds_ib_get_mr (assisted Syzkaller)
- KASAN: use-after-free Read in nd_jump_root (discussed more in the linux security mailing list)
- KASAN: use-after-free Read in link_path_walk (discussed in the linux security mailing list)
- WARNING in ip_recv_error
- KASAN: use-after-free Read in vhost_chr_write_iter
- BUG: soft lockup in snd_virmidi_output_trigger (assisted Syzkaller)
- KASAN: null-ptr-deref Read in smc_ioctl
- KASAN: null-ptr-deref Write in binder_update_page_range
- WARNING in port_delete
- KASAN: null-ptr-deref in inode_permission (discussed in the linux security mailing list)
Contributors
- Dae R. Jeong (threeearcat@gmail.com)
- Kyungtae Kim (kim1798@purdue.edu)
- Basavesh Ammanaghatta Shivakumar (bammanag@purdue.edu)
- Byoungyoung Lee (byoungyoung@snu.ac.kr)
- Insik Shin (insik.shin@cs.kaist.ac.kr)