@HerrSpace
Last active May 1, 2022 11:41

Here is a streamlined explanation of what you need to repro and fix.

Build serenity disk image for syzkaller

  • clone serenity (assumes fixes from SerenityOS/serenity#13846)
  • Meta/serenity.sh rebuild-toolchain
  • cd Ports/openssh and run ./package.sh
  • add the following sync-local.sh to the root of the serenity clone:
printf "syzkaller modifications... "
pushd "$SERENITY_SOURCE_DIR/Build/$SERENITY_ARCH/"

# install $PUBKEY as /root/.ssh/authorized_keys. This grants root login to
# whoever holds the matching private key; fine for a throwaway fuzzing VM only
if [ -z "$PUBKEY" ]; then
    echo "Please set the PUBKEY env var to your ssh pubkey"
    exit 1
fi
mkdir -p mnt/root/.ssh
chmod 700 mnt/root/.ssh/
echo "$PUBKEY" > mnt/root/.ssh/authorized_keys
chmod 600 mnt/root/.ssh/authorized_keys
chown -R 0:0 mnt/root/

# the scp binary from the openssh port ends up here. scp invokes
# another scp on the receiving end, expecting it to be in the path.
# single quotes on purpose: $PATH has to reach the guest literally, a
# double-quoted string would bake the host's PATH into the image
echo 'export PATH=/usr/local/bin/:$PATH' > mnt/root/.shellrc

# enable openssh server
cat <<EOF >> mnt/etc/SystemServer.ini

[SSHServer]
Executable=/usr/local/sbin/sshd
Arguments=-D
KeepAlive=1
SystemModes=text,graphical
EOF

# not sure why these keys sometimes end up go+r; sshd refuses to use a
# host key that is group- or world-accessible, so force 600
chmod 600 mnt/etc/ssh/*key

# boot into text mode (when booted from grub image)
cat <<EOF > "$SERENITY_SOURCE_DIR"/Meta/grub-mbr.cfg
timeout=0
menuentry 'SerenityOS (text mode)' {
  root=hd0,1
  multiboot /boot/Prekernel fbdev=off root=/dev/hda1
  module /boot/Kernel
}
EOF

popd
echo "done"
  • cd Build/i686 and PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" ninja grub-image (PUBKEY is the public half of the key you later name as "sshkey" in the syzkaller config)
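A check to run on the modified image root before spending time on syzkaller, added here as an example; it is not part of the gist or of SerenityOS's build scripts. It verifies the properties sync-local.sh is supposed to establish (modes of .ssh and authorized_keys, a literal $PATH in .shellrc, the [SSHServer] entry, sshd and scp present, host keys not group- or world-readable) and carries a constructed sample tree so it can be exercised without a disk image. The function names and the sample layout are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist: verify that an image root tree (the
# mnt/ directory sync-local.sh edits) carries the ssh/syzkaller changes with
# the properties sshd actually cares about. Function names are my own.

fail() { echo "FAIL: $*" >&2; }

# mode_of PATH -> permission bits in octal (GNU stat first, BSD stat fallback)
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# check_image_root MNT -> 0 when every modification looks right, 1 otherwise.
# Ownership (chown -R 0:0) is deliberately not checked: the tree under test
# may be a copy owned by the build user.
check_image_root() {
    mnt=$1
    rc=0
    [ "$(mode_of "$mnt/root/.ssh")" = 700 ] || { fail "root/.ssh is not mode 700"; rc=1; }
    [ "$(mode_of "$mnt/root/.ssh/authorized_keys")" = 600 ] \
        || { fail "root/.ssh/authorized_keys is not mode 600"; rc=1; }
    # a usable line starts with a key type; anything else sshd ignores
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) ' \
        "$mnt/root/.ssh/authorized_keys" \
        || { fail "authorized_keys holds no recognisable public key"; rc=1; }
    # .shellrc must carry the literal string $PATH; an expanded host PATH here
    # means sync-local.sh used double quotes around it
    grep -q 'export PATH=/usr/local/bin/:\$PATH' "$mnt/root/.shellrc" \
        || { fail ".shellrc lacks 'export PATH=/usr/local/bin/:\$PATH' (host PATH leaked in?)"; rc=1; }
    grep -q '^\[SSHServer\]' "$mnt/etc/SystemServer.ini" \
        || { fail "SystemServer.ini has no [SSHServer] section"; rc=1; }
    # binaries the SSHServer entry and the receiving-end scp depend on
    [ -x "$mnt/usr/local/sbin/sshd" ] \
        || { fail "usr/local/sbin/sshd missing; did the openssh port build?"; rc=1; }
    [ -x "$mnt/usr/local/bin/scp" ] \
        || { fail "usr/local/bin/scp missing; syz-manager copies files with scp"; rc=1; }
    # sshd refuses a host key that is group- or world-accessible
    for k in "$mnt"/etc/ssh/*key; do
        [ -e "$k" ] || { fail "no host keys under etc/ssh"; rc=1; break; }
        [ "$(mode_of "$k")" = 600 ] || { fail "$k is not mode 600"; rc=1; }
    done
    return $rc
}

# make_sample_root DIR: constructed stand-in for a freshly modified mnt/ tree,
# so the check can be exercised without a real Serenity disk image.
make_sample_root() {
    d=$1
    mkdir -p "$d/root/.ssh" "$d/etc/ssh" "$d/usr/local/sbin" "$d/usr/local/bin"
    chmod 700 "$d/root/.ssh"
    # placeholder key material, not a real key
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER fuzz@host' \
        > "$d/root/.ssh/authorized_keys"
    chmod 600 "$d/root/.ssh/authorized_keys"
    echo 'export PATH=/usr/local/bin/:$PATH' > "$d/root/.shellrc"
    printf '\n[SSHServer]\nExecutable=/usr/local/sbin/sshd\nArguments=-D\nKeepAlive=1\nSystemModes=text,graphical\n' \
        > "$d/etc/SystemServer.ini"
    : > "$d/etc/ssh/ssh_host_ed25519_key"
    chmod 600 "$d/etc/ssh/ssh_host_ed25519_key"
    printf '#!/bin/sh\n' > "$d/usr/local/sbin/sshd"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/scp"
    chmod 755 "$d/usr/local/sbin/sshd" "$d/usr/local/bin/scp"
}

# usage on a real build: check_image_root "$SERENITY_SOURCE_DIR/Build/i686/mnt"
```

mnt/ is only populated while the image build script has it mounted, so the natural place to call check_image_root is at the end of sync-local.sh, before the popd, or on a mounted copy of grub_disk_image afterwards.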

Build syzkaller

  • clone my syzkaller fork
  • checkout the serenityos branch
  • make TARGETOS=serenity TARGETARCH=386 SOURCEDIR=~/repos/serenity/Kernel/
  • create an empty workdir for syzkaller to work in (the "workdir" entry in the config below)
  • create a config file; replace the workdir, home directory, ssh key and other paths with your own:
{
    "target": "serenity/386",
    "http": "127.0.0.1:56741",
    "sshkey": "/home/space/.ssh/id_ed25519",
    "workdir": "/home/space/sk_serenity/",
    "kernel_obj": "/home/space/repos/serenity/Build/i686/Kernel/",
    "kernel_src": "/home/space/repos/serenity/Kernel/",
    "syzkaller": "/home/space/repos/syzkaller",
    "procs": 2,
    "type": "qemu",
    "cover": false,
    "image": "/home/space/repos/serenity/Build/i686/grub_disk_image",
    "vm": {
        "count": 2,
        "cpu": 2
    }
}
  • ./bin/syz-manager -config=<path to your config file> -debug
  • now go back and undo the last commit in the syzkaller repo and try building syzkaller again.
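A pre-flight check for the syz-manager config above, added here as an example; it is not from the gist or from syzkaller. Every path in the config is looked up with sed (the file is flat, so no jq is needed) and checked for existence, the private key's mode is checked, and, when PUBKEY (the value baked into the image) is set and ssh-keygen is on the host, the check confirms that PUBKEY is the public half of "sshkey", which is the mismatch that otherwise shows up only as ssh timeouts in syz-manager's log. The function names and the sample-config writer are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the gist or syzkaller: sanity-check a syz-manager
# config before starting the manager. Function names are my own.

# json_value KEY FILE -> string value of a top-level "KEY": "value" line
json_value() {
    sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# check_syz_config FILE -> 0 if syz-manager has what it needs, 1 otherwise
check_syz_config() {
    cfg=$1
    rc=0
    [ "$(json_value target "$cfg")" = "serenity/386" ] \
        || { echo "target is not serenity/386" >&2; rc=1; }
    for key in sshkey image; do
        v=$(json_value "$key" "$cfg")
        [ -f "$v" ] || { echo "$key: no such file: $v" >&2; rc=1; }
    done
    for key in workdir kernel_obj kernel_src syzkaller; do
        v=$(json_value "$key" "$cfg")
        [ -d "$v" ] || { echo "$key: no such directory: $v" >&2; rc=1; }
    done
    key=$(json_value sshkey "$cfg")
    if [ -f "$key" ]; then
        # ssh refuses a private key that is readable by group or others
        case $(ls -l "$key" | cut -c5-10) in
            ------) ;;
            *) echo "sshkey $key is group/world readable; chmod 600 it" >&2; rc=1 ;;
        esac
        # the image accepts $PUBKEY, the manager logs in with $key: they must pair.
        # ssh-keygen -y prompts for a passphrase if the key is encrypted.
        if [ -n "${PUBKEY:-}" ] && command -v ssh-keygen >/dev/null 2>&1; then
            want=$(printf '%s\n' "$PUBKEY" | awk '{print $1, $2}')
            have=$(ssh-keygen -y -f "$key" | awk '{print $1, $2}')
            [ "$want" = "$have" ] \
                || { echo "PUBKEY is not the public half of $key" >&2; rc=1; }
        fi
    fi
    return $rc
}

# write_sample_config OUT BASE: the gist's config with every path rooted at
# BASE instead of /home/space, for trying the check without a real setup.
write_sample_config() {
    cat > "$1" <<EOF
{
    "target": "serenity/386",
    "http": "127.0.0.1:56741",
    "sshkey": "$2/.ssh/id_ed25519",
    "workdir": "$2/sk_serenity/",
    "kernel_obj": "$2/repos/serenity/Build/i686/Kernel/",
    "kernel_src": "$2/repos/serenity/Kernel/",
    "syzkaller": "$2/repos/syzkaller",
    "procs": 2,
    "type": "qemu",
    "cover": false,
    "image": "$2/repos/serenity/Build/i686/grub_disk_image",
    "vm": {
        "count": 2,
        "cpu": 2
    }
}
EOF
}

# usage on a real setup: PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" check_syz_config ~/sk_serenity.cfg
```

Run it with the same PUBKEY value that was exported for ninja grub-image; a config that passes here can still fail at VM boot, but it rules out the three mistakes the gist's "swap out workdir, your homedir, ssh key, paths" step invites.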