Skip to content

Latest commit

 

History

History
130 lines (111 loc) · 3.7 KB

kernel_configs.md

File metadata and controls

130 lines (111 loc) · 3.7 KB

Linux kernel configs

List of recommended kernel configs for syzkaller. See syzbot config for a reference config.

Syzkaller features

To enable coverage collection, which is extremely important for effective fuzzing:

CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_DEBUG_FS=y

Note that CONFIG_KCOV_ENABLE_COMPARISONS feature also requires gcc8+ and the following commits if you are testing an old kernel:

    kcov: support comparison operands collection
    kcov: fix comparison callback signature

To detect memory leaks using the Kernel Memory Leak Detector (kmemleak):

CONFIG_DEBUG_KMEMLEAK=y

To show code coverage in web interface:

CONFIG_DEBUG_INFO=y

For detection of enabled syscalls and kernel bitness:

CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y

For better sandboxing:

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG=y

For namespace sandbox:

CONFIG_USER_NS=y

For running in VMs make kvmconfig is generally required.

Debian images produced by tools/create-image.sh also require:

CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y

It is recommended to disable the following config (and required if your kernel doesn't have commits arm64: setup: introduce kaslr_offset() and kcov: make kcov work properly with KASLR enabled):

# CONFIG_RANDOMIZE_BASE is not set

It is also recommended to disable the Predictable Network Interface Names mechanism. This can be done either via syzkaller configuration (see details here) or by adjusting the following configs:

CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="net.ifnames=0"

Bug detection configs

Syzkaller is meant to be used with KASAN (available upstream with CONFIG_KASAN=y), KTSAN (prototype available), KMSAN (prototype available), or KUBSAN (available upstream with CONFIG_UBSAN=y).

Enable KASAN for use-after-free and out-of-bounds detection:

CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

For testing with fault injection enable the following configs (syzkaller will pick it up automatically):

CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_USERCOPY=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_FUTEX=y

Note: you also need the following commits if you are testing an old kernel:

    fault-inject: support systematic fault injection
    fault-inject: simplify access check for fail-nth
    fault-inject: fix wrong should_fail() decision in task context
    fault-inject: add /proc/<pid>/fail-nth

Any other debugging configs, the more the better, here are some that proved to be especially useful:

CONFIG_LOCKDEP=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_PROVE_RCU=y
CONFIG_DEBUG_VM=y
CONFIG_REFCOUNT_FULL=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_WQ_WATCHDOG=y

Increase hung/stall timeout to reduce false positive rate:

CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140
CONFIG_RCU_CPU_STALL_TIMEOUT=100