List of recommended kernel configs for syzkaller. See the syzbot config for a reference config.
To enable coverage collection, which is extremely important for effective fuzzing:
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_DEBUG_FS=y
Note that the CONFIG_KCOV_ENABLE_COMPARISONS feature also requires gcc8+ and the following commits if you are testing an old kernel:
kcov: support comparison operands collection
kcov: fix comparison callback signature
To detect memory leaks using the Kernel Memory Leak Detector (kmemleak):
CONFIG_DEBUG_KMEMLEAK=y
To show code coverage in the web interface:
CONFIG_DEBUG_INFO=y
For detection of enabled syscalls and kernel bitness:
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
For better sandboxing:
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG=y
For the namespace sandbox:
CONFIG_USER_NS=y
For running in VMs, make kvmconfig is generally required.
Debian images produced by tools/create-image.sh also require:
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
It is recommended to disable the following config (and required if your kernel doesn't have commits arm64: setup: introduce kaslr_offset() and kcov: make kcov work properly with KASLR enabled):
# CONFIG_RANDOMIZE_BASE is not set
It is also recommended to disable the Predictable Network Interface Names mechanism. This can be done either via syzkaller configuration (see details here) or by adjusting the following configs:
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="net.ifnames=0"
Syzkaller is meant to be used with KASAN (available upstream with CONFIG_KASAN=y), KTSAN (prototype available), KMSAN (prototype available), or KUBSAN (available upstream with CONFIG_UBSAN=y).
Enable KASAN for use-after-free and out-of-bounds detection:
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
For testing with fault injection enable the following configs (syzkaller will pick it up automatically):
CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_USERCOPY=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_FUTEX=y
Note: you also need the following commits if you are testing an old kernel:
fault-inject: support systematic fault injection
fault-inject: simplify access check for fail-nth
fault-inject: fix wrong should_fail() decision in task context
fault-inject: add /proc/<pid>/fail-nth
Any other debugging configs help as well, the more the better; here are some that proved to be especially useful:
CONFIG_LOCKDEP=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_PROVE_RCU=y
CONFIG_DEBUG_VM=y
CONFIG_REFCOUNT_FULL=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_WQ_WATCHDOG=y
Increase the hung-task and RCU stall timeouts to reduce the false positive rate:
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140
CONFIG_RCU_CPU_STALL_TIMEOUT=100
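As an added example (not part of syzkaller or of this document), the following POSIX shell script checks an existing kernel .config against the options listed on this page, reporting each missing =y option, any option that should be disabled, and timeouts below the recommended values. The option names and thresholds are the ones given above; the script, its function names and its return-code convention are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit a kernel .config against the syzkaller-recommended
# options listed on this page. Not syzkaller's own tooling.
# Usage: check_syzkaller_config path/to/.config
# Prints one line per problem; the return value is the number of problems.

# Options the page says should be =y (coverage, sanitizer, sandbox, debugging).
WANT_Y="CONFIG_KCOV CONFIG_KCOV_INSTRUMENT_ALL CONFIG_KCOV_ENABLE_COMPARISONS \
CONFIG_DEBUG_FS CONFIG_DEBUG_INFO CONFIG_KALLSYMS CONFIG_KALLSYMS_ALL \
CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS CONFIG_NET_NS \
CONFIG_CGROUP_PIDS CONFIG_MEMCG CONFIG_USER_NS CONFIG_CONFIGFS_FS \
CONFIG_SECURITYFS CONFIG_KASAN CONFIG_KASAN_INLINE CONFIG_FAULT_INJECTION \
CONFIG_FAULT_INJECTION_DEBUG_FS CONFIG_FAILSLAB CONFIG_LOCKDEP \
CONFIG_PROVE_LOCKING CONFIG_DEBUG_VM CONFIG_DETECT_HUNG_TASK"

# Options the page says should be disabled (KASLR breaks KCOV on old kernels).
WANT_N="CONFIG_RANDOMIZE_BASE"

# check_min OPTION MINIMUM: flag a numeric option that is unset or too low.
check_min() {
    val=$(sed -n "s/^$1=//p" "$cfg")
    if [ -z "$val" ] || [ "$val" -lt "$2" ]; then
        echo "$1 should be >= $2 (got '${val:-unset}')"
        problems=$((problems + 1))
    fi
}

check_syzkaller_config() {
    cfg="$1"
    problems=0
    for opt in $WANT_Y; do
        # Exact whole-line match, so CONFIG_KCOV=y does not satisfy
        # CONFIG_KCOV_INSTRUMENT_ALL and vice versa.
        if ! grep -qxF "${opt}=y" "$cfg"; then
            echo "missing: ${opt}=y"
            problems=$((problems + 1))
        fi
    done
    for opt in $WANT_N; do
        if grep -qxF "${opt}=y" "$cfg"; then
            echo "should be disabled: ${opt}"
            problems=$((problems + 1))
        fi
    done
    check_min CONFIG_DEFAULT_HUNG_TASK_TIMEOUT 140
    check_min CONFIG_RCU_CPU_STALL_TIMEOUT 100
    return $problems
}

if [ "$#" -eq 1 ]; then check_syzkaller_config "$1"; fi
```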