Razzer: Finding kernel race bugs through fuzzing

Environment setup

$ source scripts/envsetup.sh

scripts/envsetup.sh sets up necessary environment variables. One should select the kernel version during environment setup, for example, v4.17.

Install

Initialize kernels_repo submodule

Kernel source codes used in this project are in the other reprository which is included as a submodule. To initialize the submodule one should execute git submodule update command as a follow.

$ git submodule update --init --depth=1 kernels_repo

Dependencies

$ sudo apt install zlib libglib-dev python-setuptools quilt libssl-dev dwarfdump

Install toolchains / tools

$ scripts/install.sh

scripts/install.sh then installs all the rest necessary toolchains and tools.

Static analysis

The Razzer's static analysis is based on the LLVM toolchain and the SVF static analysis tool. See documents in docs/static-analysis.md.

Fuzzing

Razzer's two-phases fuzzing is based on Syzkaller. The deterministic scheduler is implemented using QEMU/KVM. See documents in docs/fuzzing.md.

Paper

Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)

Trophies

• KASAN: slab-out-of-bounds write in tty_insert_flip_string_flag
• WARNING in __static_key_slow_dec
• Kernel BUG at net/packet/af_packet.c:LINE!
• WARNING in refcount_dec
• unable to handle kernel paging request in snd_seq_oss_readq_puts
• KASAN: use-after-free Read in loopback_active_get
• KASAN: null-ptr-deref Read in rds_ib_get_mr (assisted Syzkaller)
• KASAN: use-after-free Read in nd_jump_root (discussed more in the linux security mailing list)
• KASAN: use-after-free Read in link_path_walk (discussed in the linux security mailing list)
• WARNING in ip_recv_error
• KASAN: use-after-free Read in vhost_chr_write_iter
• BUG: soft lockup in snd_virmidi_output_trigger (assisted Syzkaller)
• KASAN: null-ptr-deref Read in smc_ioctl
• KASAN: null-ptr-deref Write in binder_update_page_range
• WARNING in port_delete
• KASAN: null-ptr-deref in inode_permission (discussed in the linux security mailing list)

Contributors

• Dae R. Jeong (threeearcat@gmail.com)
• Kyungtae Kim (kim1798@purdue.edu)
• Basavesh Ammanaghatta Shivakumar (bammanag@purdue.edu)
• Byoungyoung Lee (byoungyoung@snu.ac.kr)
• Insik Shin (insik.shin@cs.kaist.ac.kr)