Install debootstrap :
$ apt-get install debootstrap
Minimal Debian distribution with debootstrap :
#!/bin/bash
# Copyright 2016 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# create-image.sh creates a minimal Debian Linux image suitable for syzkaller.
set -eux
# Create a minimal Debian distribution in a directory.
RELEASE=stretch
DIR=stretch
sudo rm -rf $DIR
mkdir -p $DIR
sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc,selinux-utils,policycoreutils,checkpolicy,selinux-policy-default $RELEASE $DIR
# Set some defaults and enable promtless ssh to the machine for root.
sudo sed -i '/^root/ { s/:x:/::/ }' $DIR/etc/passwd
echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a $DIR/etc/inittab
printf '\nauto eth0\niface eth0 inet dhcp\n' | sudo tee -a $DIR/etc/network/interfaces
echo '/dev/root / ext4 defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo 'securityfs /sys/kernel/security securityfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo 'configfs /sys/kernel/config/ configfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo 'binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0' | sudo tee -a $DIR/etc/fstab
echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_kallsyms = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_harden = 0" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.softlockup_all_cpu_backtrace = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.kptr_restrict = 0" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.watchdog_thresh = 60" | sudo tee -a $DIR/etc/sysctl.conf
echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a $DIR/etc/sysctl.conf
echo -en "127.0.0.1\tlocalhost\n" | sudo tee $DIR/etc/hosts
echo "nameserver 8.8.8.8" | sudo tee -a $DIR/etc/resolve.conf
echo "syzkaller" | sudo tee $DIR/etc/hostname
ssh-keygen -f $RELEASE.id_rsa -t rsa -N ''
sudo mkdir -p $DIR/root/.ssh/
cat $RELEASE.id_rsa.pub | sudo tee $DIR/root/.ssh/authorized_keys
# Build a disk image
dd if=/dev/zero of=$RELEASE.img bs=1M seek=2047 count=1
sudo mkfs.ext4 -F $RELEASE.img
sudo mkdir -p /mnt/$DIR
sudo mount -o loop $RELEASE.img /mnt/$DIR
sudo cp -a $DIR/. /mnt/$DIR/.
sudo umount /mnt/$DIR
Wating for create image stretch.img :
$ sudo bash create_img.sh
+ RELEASE=stretch
+ DIR=stretch
+ sudo rm -rf stretch
+ mkdir -p stretch
+ sudo debootstrap --include=openssh-server,curl,tar,gcc,libc6-dev,time,strace,sudo,less,psmisc,selinux-utils,policycoreutils,checkpolicy,selinux-policy-default stretch stretch
I: Keyring file not available at /usr/share/keyrings/debian-archive-keyring.gpg; switching to https mirror https://deb.debian.org/debian
I: Retrieving InRelease
I: Retrieving Release
I: Retrieving Packages
I: Validating Packages
....
Now we should set kernel image path : -kernel /boot/vmlinuz-4.14.12-041412-generic and image file : -hda stretch.img
#!/usr/bin/bash
qemu-system-x86_64 \
-hda stretch.img \
-m 2G \
-smp 2 \
-net user,hostfwd=tcp::10021-:22 -net nic \
-nographic \
-kernel /boot/vmlinuz-4.14.12-041412-generic \
-append "console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ"\
-enable-kvm \
-pidfile vm.pid \
2>&1 | tee vm.log
Now we should execute sudo sh kernel.sh:
[ 3.591757] systemd-getty-generator[130]: Automatically adding serial getty for /dev/ttyS0.
[ 3.609099] systemd-fstab-generator[131]: Parsing /etc/fstab
[ 3.729143] systemd-gpt-auto-generator[133]: /dev/sda: parent isn't a raw disk, ignoring.
[ 3.804728] systemd-fstab-generator[131]: Found entry what=/dev/root where=/ type=ext4 nofail=no noauto=no
[ 3.805505] systemd-fstab-generator[131]: Found entry what=debugfs where=/sys/kernel/debug type=debugfs nofail=no noauto=no
[ 3.806341] systemd-fstab-generator[131]: Found entry what=securityfs where=/sys/kernel/security type=securityfs nofail=no noauto=no
[ 3.807167] systemd-fstab-generator[131]: Found entry what=configfs where=/sys/kernel/config type=configfs nofail=no noauto=no
[ 3.817199] systemd-fstab-generator[131]: Found entry what=binfmt_misc where=/proc/sys/fs/binfmt_misc type=binfmt_misc nofail=no noauto=no
[ 3.822480] systemd-sysv-generator[129]: Native unit for procps.service already exists, skipping.
[ 3.823486] systemd-sysv-generator[129]: Native unit for networking.service already exists, skipping.
[ 3.824724] systemd-sysv-generator[129]: Native unit for kmod.service already exists, skipping.
[ 3.827543] systemd-sysv-generator[129]: Native unit for sudo.service already exists, skipping.
[ 3.828332] systemd-sysv-generator[129]: Native unit for udev.service already exists, skipping.
[ 3.828978] systemd-sysv-generator[129]: Native unit for hwclock.service already exists, skipping.
[ 3.829658] systemd-sysv-generator[129]: Native unit for rsyslog.service already exists, skipping.
[ 3.830337] systemd-sysv-generator[129]: Native unit for selinux-autorelabel.service already exists, skipping.
[ 3.831073] systemd-sysv-generator[129]: Native unit for cron.service already exists, skipping.
[ 3.831731] systemd-sysv-generator[129]: Native unit for ssh.service already exists, skipping.
[ 3.874044] systemd-sysv-ge: 12 output lines suppressed due to ratelimiting
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Listening on Syslog Socket.
[ OK ] Listening on Journal Audit Socket.
[ OK ] Listening on udev Control Socket.
[ OK ] Created slice System Slice.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Created slice system-getty.slice.
[ OK ] Created slice system-serial\x2dgetty.slice.
[ OK ] Started Forward Password Requests to Wall Directory Watch.
Mounting Huge Pa[ 4.448433] systemd[137]: dev-hugepages.mount: Executing: /bin/mount hugetlbfs /dev/hugepages -t hugetlbfs
ges File System...
[ OK ] Listening on Journal Socket.
Starting Create Static Device Nodes in /dev...
Starting Remount Root and Kernel File Systems...
Starting Journal Service...
[ OK ] Reached target Remote File Systems.
[ OK ] Listening on udev Kernel Socket.
[ OK ] Reached target Sockets.
Mounting /sys/kernel/debug...
Starting Load Kernel Modules...
[ OK ] Reached target Slices.
Mounting POSIX Message Queue File System...
Mounting /sys/kernel/config...
[ OK ] Reached target Swap.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Reached target Encrypted Volumes.
[UNSUPP] Starting of Arbitrary Executable Fi…tem Automount Point not supported.
[ 4.686523] EXT4-fs (sda): re-mounted. Opts: (null)
[ 4.707844] systemd-journald[142]: Fixed min_use=1.0M max_use=99.4M max_size=12.4M min_size=512.0K keep_free=149.2M n_max_files=100
[ 4.713893] systemd-journald[142]: Reserving 22641 entries in hash table.
[ 4.820773] systemd-journald[142]: Vacuuming...
[ 4.821150] systemd-journald[142]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2bdba1bdd52c4de988df88011c048973.
[ 4.821998] systemd-journald[142]: Flushing /dev/kmsg...
Mounting /proc/sys/fs/binfmt_misc...
[ OK ] Reached target Paths.
[ OK ] Mounted Huge Pages File System.
[ OK ] Mounted POSIX Message Queue File System.
[ OK ] Mounted /sys/kernel/debug.
[ OK ] Mounted /sys/kernel/config.
[ OK ] Started Remount Root and Kernel File Systems.
[ OK ] Started Load Kernel Modules.
Starting Apply Kernel Variables...
[ 5.013314] systemd-journald[142]: systemd-journald running as pid 142
[ 5.032381] systemd-journald[142]: Sent READY=1 notification.
[ 5.032400] systemd-journald[142]: Sent WATCHDOG=1 notification.
[ 5.033045] systemd-journald[142]: Successfully sent stream file descriptor to service manager.
[ 5.033316] systemd-journald[142]: Successfully sent stream file descriptor to service manager.
Mounting FUSE Control File System...
Starting udev Coldplug all Devices...
Starting Load/Save Random Seed...
[ OK ] Mounted FUSE Control File System.
[ OK ] Started Journal Service.
Starting Flush Journal to Persistent Storage...
[ OK ] Started Load/Save Random Seed.
[FAILED] Failed to mount /proc/sys/fs/binfmt_misc.
See 'systemctl status proc-sys-fs-binfmt_misc.mount' for details.
[DEPEND] Dependency failed for Local File Systems.
[DEPEND] Dependency failed for Mark the need to relabel after reboot.
[ OK ] Reached target Timers.
[ OK ] Closed Syslog Socket.
[ OK ] Started Emergency Shell.
[ OK ] Reached target Emergency Mode.
[ OK ] Reached target Login Prompts.
[ OK ] Started Apply Kernel Variables.
Starting Raise network interfaces...
[ OK ] Started Create Static Device Nodes in /dev.
[ OK ] Reached target Local File Systems (Pre).
Starting udev Kernel Device Manager...
[ OK ] Started Flush Journal to Persistent Storage.
Starting Create Volatile Files and Directories...
[ 5.885349] random: crng init done
[ OK ] Started Create Volatile Files and Directories.
Starting Network Time Synchronization...
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started udev Coldplug all Devices.
[ OK ] Started Update UTMP about System Boot/Shutdown.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started udev Kernel Device Manager.
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Network Time Synchronization.
[ OK ] Reached target System Time Synchronized.
[ OK ] Found device /dev/ttyS0.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
You are in emergency mode. After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to
try again to boot into default mode.
Press Enter for maintenance
(or press Control-D to continue):
root@syzkaller:~#
root@syzkaller:~#
root@syzkaller:~# ls /
bin dev home lib64 media opt root sbin sys usr
boot etc lib lost+found mnt proc run srv tmp var