Learn patch analysis techniques from KLAUS :)
FROM ubuntu:22.04
RUN /bin/sh -c apt update
RUN /bin/sh -c apt install -y vim python3 python3-pip unzip libz3-4 git flex bison libssl-dev bc qemu-system
RUN /bin/sh -c pip3 install requests
COPY klaus_fuzzer.zip llvm.zip gcc.zip analyzer.zip image.zip /
RUN /bin/sh -c unzip klaus_fuzzer.zip && \
unzip llvm.zip && \
unzip gcc.zip && \
unzip analyzer.zip && \
unzip image.zip
RUN /bin/sh -c apt-get update
RUN /bin/sh -c apt-get install wget
RUN /bin/sh -c wget https://storage.googleapis.com/syzkaller/stretch.img -O /image/stretch.img
RUN /bin/sh -c wget https://storage.googleapis.com/syzkaller/stretch.img.key -O /image/stretch.id_rsa
RUN /bin/sh -c chmod 0600 /image/stretch.id_rsa
Run with
commitid = "730c5fd42c1e" # The commit id of the buggy patch
syzid = "53b6555b27af2cae74e2fbdac6cadc73f9cb18aa" # The bug report id of the bug that the patch fixedwe got
# proj_dir = /kernels/730c5fd42c1e
# commitid = 730c5fd42c1e3652a065448fd235cb9fafb2bd10
# commit_url = https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
# syzpoc = https://syzkaller.appspot.com/text?tag=ReproSyz&x=10117666600000
# config = https://syzkaller.appspot.com/text?tag=KernelConfig&x=5cbaa3be0b36022f
# patchlink = https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=730c5fd42c1e3652a065448fd235cb9fafb2bd10
mkdir -p ${proj_dir}/linux_bug
# write_env_files
curl ${config} > ${proj_dir}/config
curl ${patchlink} > ${proj_dir}/buggy.patch
# prepare_kernels
cd ${proj_dir}/linux_bug
git init
git remote add origin ${commit_url}
git fetch origin ${commitid}
git reset --hard FETCH_HEAD
cd ${proj_dir}
cp -r linux_bug linux_buggy_patched
cp -r linux_bug linux_buggy_patched_for_fuzz
cd ${proj_dir}/linux_bug
patch -R -p1 < ../buggy.patch
cd ${proj_dir}
cp config ./linux_bug/.config
cp config ./linux_buggy_patched/.config
cp config ./linux_buggy_patched_for_fuzz/.config
cd ${proj_dir}/linux_bug
./scripts/config -d CONFIG_KASAN -d CONFIG_KCOV -d CONFIG_UBSAN -d CONFIG_KTSAN
cd ${proj_dir}/linux_buggy_patched
./scripts/config -d CONFIG_KASAN -d CONFIG_KCOV -d CONFIG_UBSAN -d CONFIG_KTSAN
# compile_bitcodes
cd ${proj_dir}/linux_bug
make clean
yes "" | make CC="/project-10.0.1/build/bin/clang" -j`nproc`
cd ${proj_dir}/linux_buggy_patched
make clean
yes "" | make CC="/llvm-project-10.0.1/build/bin/clang" -j`nproc`
# analyze_patch
timeout 6h python3 /patch_analyzer/analyze_patch.py ${proj_dir}/buggy.patch
# compile_fuzzing_kernel
cd ${proj_dir}/linux_buggy_patched_for_fuzz
make clean
patch ${proj_dir}/linux_buggy_patched_for_fuzz/kernel/kcov.c ./kernel.patch
yes "" | COND_FILE=${proj_dir}/cond.txt PROP_FILE=${proj_dir}/prop.txt make CC="/gcc-bin/bin/gcc" -j`nproc`
# build_fuzzing_env
mkdir -p ./${commitid}
mkdir -p /fuzz_workdir/workdir_${commitid}
curl ${syzpoc} > ./${commitid}/poc
cp ./config ./${commitid}/config
sed -i "s/\[id\]/${commitid}/g" ./${commitid}/config
sed -i "s/\[port\]/$((10000 + RANDOM * 50000 / 32767))/g" ./${commitid}/config
mkdir -p ./${commitid}/db
cp ./${commitid}/poc ./${commitid}/db
/klaus_fuzzer/bin/syz-db pack ./${commitid}/db ./${commitid}/corpus.db
# fuzz_start
cd ./${commitid}
timeout 3d /klaus_fuzzer/bin/syz-manager -config $(pwd)/config -auxiliary $(pwd)/poc-auxiliary 2>&1However
- https://github.com/wupco/KLAUS/blob/main/Docker-env/fuzz_cfgs_dir/build_env.py
- https://github.com/wupco/KLAUS/blob/main/Syzpatch/setup_env/build_env.py
are different in some lines. And the role of
- https://github.com/wupco/KLAUS/blob/main/Docker-env/fuzz_cfgs_dir/clang.patch
- https://github.com/wupco/KLAUS/blob/main/Docker-env/fuzz_cfgs_dir/classmap.patch
is still unclear...
From 730c5fd42c1e3652a065448fd235cb9fafb2bd10 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 9 Aug 2019 15:20:41 +0100
Subject: rxrpc: Fix local endpoint refcounting
The object lifetime management on the rxrpc_local struct is broken in that
the rxrpc_local_processor() function is expected to clean up and remove an
object - but it may get requeued by packets coming in on the backing UDP
socket once it starts running.
This may result in the assertion in rxrpc_local_rcu() firing because the
memory has been scheduled for RCU destruction whilst still queued:
rxrpc: Assertion failed
------------[ cut here ]------------
kernel BUG at net/rxrpc/local_object.c:468!
Note that if the processor comes around before the RCU free function, it
will just do nothing because ->dead is true.
Fix this by adding a separate refcount to count active users of the
endpoint that causes the endpoint to be destroyed when it reaches 0.
The original refcount can then be used to refcount objects through the work
processor and cause the memory to be rcu freed when that reaches 0.
Fixes: 4f95dd78a77e ("rxrpc: Rework local endpoint management")
Reported-by: syzbot+1e0edc4b8b7494c28450@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
---
net/rxrpc/af_rxrpc.c | 4 +--
net/rxrpc/ar-internal.h | 5 ++-
net/rxrpc/input.c | 16 ++++++---
net/rxrpc/local_object.c | 86 ++++++++++++++++++++++++++++++------------------
4 files changed, 72 insertions(+), 39 deletions(-)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index d09eaf1535441f..8c9bd3ae9edf7b 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -193,7 +193,7 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
service_in_use:
write_unlock(&local->services_lock);
- rxrpc_put_local(local);
+ rxrpc_unuse_local(local);
ret = -EADDRINUSE;
error_unlock:
release_sock(&rx->sk);
@@ -901,7 +901,7 @@ static int rxrpc_release_sock(struct sock *sk)
rxrpc_queue_work(&rxnet->service_conn_reaper);
rxrpc_queue_work(&rxnet->client_conn_reaper);
- rxrpc_put_local(rx->local);
+ rxrpc_unuse_local(rx->local);
rx->local = NULL;
key_put(rx->key);
rx->key = NULL;
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 822f45386e3116..9796c45d2f6a44 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -254,7 +254,8 @@ struct rxrpc_security {
*/
struct rxrpc_local {
struct rcu_head rcu;
- atomic_t usage;
+ atomic_t active_users; /* Number of users of the local endpoint */
+ atomic_t usage; /* Number of references to the structure */
struct rxrpc_net *rxnet; /* The network ns in which this resides */
struct list_head link;
struct socket *socket; /* my UDP socket */
@@ -1002,6 +1003,8 @@ struct rxrpc_local *rxrpc_lookup_local(struct net *, const struct sockaddr_rxrpc
struct rxrpc_local *rxrpc_get_local(struct rxrpc_local *);
struct rxrpc_local *rxrpc_get_local_maybe(struct rxrpc_local *);
void rxrpc_put_local(struct rxrpc_local *);
+struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *);
+void rxrpc_unuse_local(struct rxrpc_local *);
void rxrpc_queue_local(struct rxrpc_local *);
void rxrpc_destroy_all_locals(struct rxrpc_net *);
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 5bd6f1546e5c6d..ee95d1cd1cdf2c 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -1108,8 +1108,12 @@ static void rxrpc_post_packet_to_local(struct rxrpc_local *local,
{
_enter("%p,%p", local, skb);
- skb_queue_tail(&local->event_queue, skb);
- rxrpc_queue_local(local);
+ if (rxrpc_get_local_maybe(local)) {
+ skb_queue_tail(&local->event_queue, skb);
+ rxrpc_queue_local(local);
+ } else {
+ rxrpc_free_skb(skb, rxrpc_skb_rx_freed);
+ }
}
/*
@@ -1119,8 +1123,12 @@ static void rxrpc_reject_packet(struct rxrpc_local *local, struct sk_buff *skb)
{
CHECK_SLAB_OKAY(&local->usage);
- skb_queue_tail(&local->reject_queue, skb);
- rxrpc_queue_local(local);
+ if (rxrpc_get_local_maybe(local)) {
+ skb_queue_tail(&local->reject_queue, skb);
+ rxrpc_queue_local(local);
+ } else {
+ rxrpc_free_skb(skb, rxrpc_skb_rx_freed);
+ }
}
/*
diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
index b1c71bad510b7c..9798159ee65fad 100644
--- a/net/rxrpc/local_object.c
+++ b/net/rxrpc/local_object.c
@@ -79,6 +79,7 @@ static struct rxrpc_local *rxrpc_alloc_local(struct rxrpc_net *rxnet,
local = kzalloc(sizeof(struct rxrpc_local), GFP_KERNEL);
if (local) {
atomic_set(&local->usage, 1);
+ atomic_set(&local->active_users, 1);
local->rxnet = rxnet;
INIT_LIST_HEAD(&local->link);
INIT_WORK(&local->processor, rxrpc_local_processor);
@@ -266,11 +267,8 @@ struct rxrpc_local *rxrpc_lookup_local(struct net *net,
* bind the transport socket may still fail if we're attempting
* to use a local address that the dying object is still using.
*/
- if (!rxrpc_get_local_maybe(local)) {
- cursor = cursor->next;
- list_del_init(&local->link);
+ if (!rxrpc_use_local(local))
break;
- }
age = "old";
goto found;
@@ -284,7 +282,10 @@ struct rxrpc_local *rxrpc_lookup_local(struct net *net,
if (ret < 0)
goto sock_error;
- list_add_tail(&local->link, cursor);
+ if (cursor != &rxnet->local_endpoints)
+ list_replace(cursor, &local->link);
+ else
+ list_add_tail(&local->link, cursor);
age = "new";
found:
@@ -342,7 +343,8 @@ struct rxrpc_local *rxrpc_get_local_maybe(struct rxrpc_local *local)
}
/*
- * Queue a local endpoint.
+ * Queue a local endpoint unless it has become unreferenced and pass the
+ * caller's reference to the work item.
*/
void rxrpc_queue_local(struct rxrpc_local *local)
{
@@ -351,15 +353,8 @@ void rxrpc_queue_local(struct rxrpc_local *local)
if (rxrpc_queue_work(&local->processor))
trace_rxrpc_local(local, rxrpc_local_queued,
atomic_read(&local->usage), here);
-}
-
-/*
- * A local endpoint reached its end of life.
- */
-static void __rxrpc_put_local(struct rxrpc_local *local)
-{
- _enter("%d", local->debug_id);
- rxrpc_queue_work(&local->processor);
+ else
+ rxrpc_put_local(local);
}
/*
@@ -375,10 +370,45 @@ void rxrpc_put_local(struct rxrpc_local *local)
trace_rxrpc_local(local, rxrpc_local_put, n, here);
if (n == 0)
- __rxrpc_put_local(local);
+ call_rcu(&local->rcu, rxrpc_local_rcu);
}
}
+/*
+ * Start using a local endpoint.
+ */
+struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local)
+{
+ unsigned int au;
+
+ local = rxrpc_get_local_maybe(local);
+ if (!local)
+ return NULL;
+
+ au = atomic_fetch_add_unless(&local->active_users, 1, 0);
+ if (au == 0) {
+ rxrpc_put_local(local);
+ return NULL;
+ }
+
+ return local;
+}
+
+/*
+ * Cease using a local endpoint. Once the number of active users reaches 0, we
+ * start the closure of the transport in the work processor.
+ */
+void rxrpc_unuse_local(struct rxrpc_local *local)
+{
+ unsigned int au;
+
+ au = atomic_dec_return(&local->active_users);
+ if (au == 0)
+ rxrpc_queue_local(local);
+ else
+ rxrpc_put_local(local);
+}
+
/*
* Destroy a local endpoint's socket and then hand the record to RCU to dispose
* of.
@@ -393,16 +423,6 @@ static void rxrpc_local_destroyer(struct rxrpc_local *local)
_enter("%d", local->debug_id);
- /* We can get a race between an incoming call packet queueing the
- * processor again and the work processor starting the destruction
- * process which will shut down the UDP socket.
- */
- if (local->dead) {
- _leave(" [already dead]");
- return;
- }
- local->dead = true;
-
mutex_lock(&rxnet->local_mutex);
list_del_init(&local->link);
mutex_unlock(&rxnet->local_mutex);
@@ -422,13 +442,11 @@ static void rxrpc_local_destroyer(struct rxrpc_local *local)
*/
rxrpc_purge_queue(&local->reject_queue);
rxrpc_purge_queue(&local->event_queue);
-
- _debug("rcu local %d", local->debug_id);
- call_rcu(&local->rcu, rxrpc_local_rcu);
}
/*
- * Process events on an endpoint
+ * Process events on an endpoint. The work item carries a ref which
+ * we must release.
*/
static void rxrpc_local_processor(struct work_struct *work)
{
@@ -441,8 +459,10 @@ static void rxrpc_local_processor(struct work_struct *work)
do {
again = false;
- if (atomic_read(&local->usage) == 0)
- return rxrpc_local_destroyer(local);
+ if (atomic_read(&local->active_users) == 0) {
+ rxrpc_local_destroyer(local);
+ break;
+ }
if (!skb_queue_empty(&local->reject_queue)) {
rxrpc_reject_packets(local);
@@ -454,6 +474,8 @@ static void rxrpc_local_processor(struct work_struct *work)
again = true;
}
} while (again);
+
+ rxrpc_put_local(local);
}
/*find_changes in analyze_path.py return
{
"net/rxrpc/af_rxrpc.c": [
"rxrpc_release_sock",
"rxrpc_bind"
],
"net/rxrpc/ar-internal.h": [
"rxrpc_lookup_local"
],
"net/rxrpc/input.c": [
"rxrpc_post_packet_to_local",
"rxrpc_reject_packet"
],
"net/rxrpc/local_object.c": [
"rxrpc_put_local",
"rxrpc_local_processor",
"rxrpc_alloc_local",
"rxrpc_queue_local",
"rxrpc_get_local_maybe",
"rxrpc_lookup_local",
"rxrpc_local_destroyer"
]
}then run_analyzer kicks in.
Seems that it's based on llvm-project-10.0.1。
However it's unclear that why llvm toolchain in the docker image
can produce LLVM IR bitcode automatically.
The paper refers to this
[48] Zhenpeng Lin,Yueqi Chen,Dongliang Mu,Chengsheng
Yu, Yuhang Wu, Xinyu Xing, and Kang Li. Grebe: Fa
cilitating security assessment for linux kernel bugs. In
Proceedings of the 43rd IEEE Symposium on Security
and Privacy, 2022.
which has a very similar code structure:
- llvm-10.0.1
- gcc-9.3.0
Ahhhhh!!! Now we can understand TWO papers within ONE code repo :)
Here in README of GREBE/analyzer we got the answer:
Download llvm-10.0.1 source code and build it with this patch applied to get a customized clang, then build kernel with our custimized clang to get unoptimized bitcode.
Patch:
--- llvm-project2/llvm/lib/Transforms/IPO/DeadArgumentElimination.cpp 2020-02-03 20:57:16.473409308 +0000
+++ llvm-project/llvm/lib/Transforms/IPO/DeadArgumentElimination.cpp 2020-02-03 20:44:32.478661999 +0000
@@ -49,6 +49,10 @@
#include <utility>
#include <vector>
+
+#include "llvm/Bitcode/BitcodeWriter.h"
+#include "llvm/Support/ToolOutputFile.h"
+
using namespace llvm;
#define DEBUG_TYPE "deadargelim"
@@ -1084,6 +1088,22 @@
PreservedAnalyses DeadArgumentEliminationPass::run(Module &M,
ModuleAnalysisManager &) {
+
+ // write out bitcode
+
+ //outs() << "DeadArg Elimination on " << M.getName() << "\n";
+ std::string FileName = M.getSourceFileName();
+ if(FileName.find(".c") != FileName.npos){
+ std::string Path = M.getSourceFileName() + ".bc";
+ outs() << "Writing to " << Path << "\n";
+ std::error_code EC;
+ raw_fd_ostream out(Path, EC, sys::fs::F_None);
+ WriteBitcodeToFile(M, out);
+ out.flush();
+ out.close();
+ outs() << "Write Done";
+ }
+
bool Changed = false;
// First pass: Do a simple check to see if any functions can have their "..."It must be a good paper work :)
I think I've found the great-grandfathers of these pupil analyzers:
An great archaeological news for me!!!
As for KLAUS, the two files list here are keys:
ChangeAnalysis.hChangeAnalysis.cc