Syzkaller - linuxppc/wiki GitHub Wiki
This page documents stuff you may find useful if trying to run syzkaller.
This is very much a work in progress as we're still getting kcov patches merged and setting up a long-term powerpc syzkaller instance. Talk to @ajdlinux if you have questions - he has images etc you can borrow as well.
At the moment we're focusing on PPC64LE using KVM guests for the fuzzing.
kcov is what syzkaller uses for coverage data. Current patches to enable kcov on powerpc are at https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=91095 - apply this to your guest kernel and ensure CONFIG_KCOV is enabled. If you're using an older gcc you'll need to ensure CONFIG_GCC_PLUGINS is enabled and you have plugin development headers installed.
Alternatively take a look at https://github.com/ajdlinux/linux/tree/kcov - this includes a defconfig called ppc64le_guest_syzkaller_defconfig that switches on a bunch of debug options, as suggested by syzkaller upstream.
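Before building the guest kernel it is worth checking that the config actually carries the options named above. The POSIX shell helper below is an added example, not part of this wiki or of syzkaller; it takes a `.config` path plus any extra options you want enforced, and reports each required option as set, explicitly disabled, or absent. The sample `.config` fragments are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the linuxppc wiki): check that a guest kernel .config
# carries the options this page requires before you build and boot it for syzkaller.
# Usage: check_kernel_config /path/to/.config [EXTRA_CONFIG_OPTION ...]
# Returns 0 if every option is =y, 1 otherwise (each problem is printed).

check_kernel_config() {
    config="$1"; shift
    # CONFIG_KCOV is mandatory for coverage; CONFIG_GCC_PLUGINS is needed with older gcc.
    # Any further options passed as arguments are checked the same way.
    required="CONFIG_KCOV CONFIG_GCC_PLUGINS $*"
    status=0
    for opt in $required; do
        if ! grep -q "^${opt}=y$" "$config"; then
            # Distinguish "explicitly disabled" from "not in the config at all":
            # the latter usually means the kcov patches or plugin headers are missing.
            if grep -q "^# ${opt} is not set$" "$config"; then
                echo "$opt: disabled"
            else
                echo "$opt: absent from $config"
            fi
            status=1
        fi
    done
    return $status
}

# Constructed sample .config fragments for the demonstration.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_PPC64=y
CONFIG_KCOV=y
CONFIG_GCC_PLUGINS=y
EOF

BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
CONFIG_PPC64=y
# CONFIG_KCOV is not set
EOF

check_kernel_config "$GOOD_CFG" && echo "good config: ok"
check_kernel_config "$BAD_CFG" || echo "bad config: fix before building"
```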
To build syzkaller you need a Go toolchain. See the last section of the instructions at https://github.com/google/syzkaller/blob/master/docs/linux/setup.md.
If you're cross-compiling, you need to set HOSTARCH/TARGETVMARCH/TARGETARCH to ppc64le when running make.
You need to create a guest root image, in which syz-fuzzer will run. The easiest way is to use buildroot and follow the instructions for ARM at https://github.com/google/syzkaller/blob/master/docs/linux/setup_linux-host_qemu-vm_arm64-kernel.md (sections "Create a disk image" and "Set up the QEMU disk").
To boot the machine manually so you can adjust stuff you can use a command line like:
```
qemu-system-ppc64 -m 2048 -smp 2 -net nic -net "user,host=10.0.2.10,hostfwd=tcp::<SSH FORWARDED PORT>-:22" -display none -no-reboot -vga none -hda <ROOTFS.EXT3> -kernel <KERNEL> -nographic
```
Use -snapshot if you want to poke around without modifying the disk image.
You may also be able to use a pre-built image from (not tested):
- https://github.com/groeck/linux-build-test/tree/master/rootfs/ppc64
- https://openpower.xyz/job/initramfs/job/buildroot-master/lastSuccessfulBuild/
On your host, you'll need to copy your Go workspace with syzkaller in it, your entire Linux tree (including all the object files, and the vmlinux), your rootfs.ext3 and SSH keys you created, and a config.
A syz-manager config looks like the following:
```json
{
    "target": "linux/ppc64le",
    "http": "0.0.0.0:56741",
    "workdir": "/syz-config/workdir",
    "image": "/syz-config/images/rootfs.ext3",
    "sshkey": "/syz-config/images/stretch.id_rsa",
    "syzkaller": "/root/go/src/github.com/google/syzkaller",
    "procs": 4,
    "type": "qemu",
    "vm": {
        "count": 1,
        "cpu": 2,
        "mem": 2048,
        "kernel": "/syz-config/images/vmlinux"
    }
}
```
See https://github.com/google/syzkaller/blob/master/docs/configuration.md for more details on config.
To run syz-manager, invoke `<GO WORKSPACE>/src/github.com/google/syzkaller/bin/syz-manager -config <CONFIG FILE>`. This should spin up a bunch of VMs, and you can see the current status by pointing a web browser at the host on the port specified in your config file under "http".