Hi, I get this crash info `WARNING in cgroup_apply_control_disable` repeatedly while fuzzing the bug, and part of the console info is as follows:

```
2023/09/05 15:16:24 vm-0: crash: WARNING in cgroup_apply_control_disable
2023/09/05 15:16:28 vm-1: crash: WARNING in cgroup_apply_control_disable
2023/09/05 15:16:30 VMs 1, executed 114, corpus cover 0, corpus signal 0, object signal 0, max signal 0, crashes 18, repro 0
2023/09/05 15:16:39 vm-2: crash: WARNING in cgroup_apply_control_disable
2023/09/05 15:16:40 VMs 1, executed 121, corpus cover 0, corpus signal 0, object signal 0, max signal 0, crashes 19, repro 0
2023/09/05 15:16:47 vm-3: crash: WARNING in cgroup_apply_control_disable
```
I have changed the SYZ bug reports (d2c64e2/09fc5ec/8eceaff), and also the Ubuntu version (16.04/20.04), but it doesn't work, I still get the same crash info.

Maybe there's something wrong with the kernel configuration. I configured the kernel of each bug report with the following steps (take the first case in your Google doc, d2c64e2, as an example):
1. Get the kernel config in the first line of the `Crashes` table below the report page.
2. Download the corresponding Linux kernel version shown in the config. (In this case, the kernel version is 5.7.0.)
3. Unzip the kernel file, and patch it with the command `patch [target_kernel_dir]/kernel/kcov.c -p1 < ./kernel.patch`.
4. Set the environment variable with `export OBJ_FILE=[the_absolute_path_to_the_file_containing_critical_objects]`.
5. Generate the .config file with `make defconfig`, and fully replace it with the SYZ bug report kernel config. After that, edit some configs as follows:

   ```
   # Coverage collection.
   CONFIG_KCOV=y
   # Debug info for symbolization.
   CONFIG_DEBUG_INFO=y
   CONFIG_DEBUG_INFO_DWARF4=y
   # Memory bug detector
   CONFIG_KASAN=y
   CONFIG_KASAN_INLINE=y
   # Required for Debian Stretch
   CONFIG_CONFIGFS_FS=y
   CONFIG_SECURITYFS=y
   CONFIG_CMDLINE_BOOL=y
   CONFIG_CMDLINE="net.ifnames=0"
   ```

   These configs are required in the syzkaller setup.
6. Save the config with `make olddefconfig`, and compile the kernel with your customized gcc: ``make CC=[path_to_our_gcc] -j `nproc` ``.
7. Run the fuzzer with `./bin/syz-manager -config=config -auxiliary=./crash_report/1_poc.txt`. The `config` and `poc` files are as follows:
config file:

```json
{
    "target": "linux/amd64",
    "http": "127.0.0.1:56741",
    "workdir": "/opt/GREBE/GREBE/fuzzer/workdir",
    "kernel_obj": "/opt/GREBE/linux-kernel/linux-5.7",
    "image": "/opt/GREBE/image/bullseye.img",
    "sshkey": "/opt/GREBE/image/bullseye.id_rsa",
    "syzkaller": "/opt/GREBE/GREBE/fuzzer",
    "procs": 8,
    "type": "qemu",
    "reproduce": false,
    "vm": {
        "count": 4,
        "kernel": "/opt/GREBE/linux-kernel/linux-5.7/arch/x86/boot/bzImage",
        "snapshot": true,
        "cpu": 2,
        "mem": 2048
    }
}
```
poc file (Syz repro column of the same crash line):

```
# https://syzkaller.appspot.com/bug?id=d2c64e2d7c308cce1b51fd51addd4284cd825792
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"procs":1,"sandbox":"none","fault_call":-1,"close_fds":true}
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6(0xa, 0x80002, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000180)=0xb, 0x4)
bind$inet6(r1, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
connect$pppl2tp(r0, &(0x7f00000001c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x1, 0x0, {0xa, 0x4e20, 0x7, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x12}}, 0x3ff}}}, 0x3a)
```
Could you please help me with this problem? Or even some hints will be helpful, thanks!
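The config editing in step 5 of the post is easy to get subtly wrong by hand (a leftover `# CONFIG_KCOV is not set` line, or a stale `CONFIG_CMDLINE=` value, wins or loses depending on position and on what `make olddefconfig` does with it). The script below is an added example, not code from the original post, from GREBE or from syzkaller: it applies exactly the option list the post gives to an existing `.config` file, replacing any present assignment or "is not set" line for the same symbol and appending the rest, and then verifies that every option is present verbatim. It assumes only a POSIX shell, `grep` and `mktemp`; the file path, the `.config` contents in the demo and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from GREBE/syzkaller:
# applies the options that step 5 of the post lists to an existing kernel
# .config (replacing a present "KEY=..." or "# KEY is not set" line, or
# appending the option) and then verifies each one is present verbatim.
# The kernel tree itself is not touched; run "make olddefconfig" (step 6)
# afterwards and call check_required_opts again, since olddefconfig drops
# options whose dependencies are not met.

# The options the post says the syzkaller setup requires.
REQUIRED_OPTS='CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_DWARF4=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="net.ifnames=0"'

# set_config_opt FILE KEY=VALUE
# Remove any existing assignment of KEY (or its "is not set" line) and append
# the requested one. "^KEY=" cannot match a longer symbol such as
# CONFIG_CMDLINE_BOOL when KEY is CONFIG_CMDLINE, because of the "=".
set_config_opt() {
    cfg=$1
    opt=$2
    key=${opt%%=*}
    tmp="$cfg.tmp"
    # grep -v exits 1 when no line is left, which is not an error here.
    grep -v -e "^$key=" -e "^# $key is not set\$" "$cfg" > "$tmp" || true
    printf '%s\n' "$opt" >> "$tmp"
    mv "$tmp" "$cfg"
}

# apply_required_opts FILE: set every option in REQUIRED_OPTS in FILE.
apply_required_opts() {
    target=$1
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            set_config_opt "$target" "$line"
        fi
    done <<EOF
$REQUIRED_OPTS
EOF
}

# check_required_opts FILE: report on stderr any option missing from FILE
# (or present with a different value); return non-zero if any is missing.
check_required_opts() {
    target=$1
    missing=0
    while IFS= read -r line; do
        if [ -n "$line" ] && ! grep -qxF -- "$line" "$target"; then
            echo "missing or changed: $line" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_OPTS
EOF
    [ "$missing" -eq 0 ]
}

# Demo on a constructed .config fragment (not a real syzbot config).
demo_cfg=$(mktemp)
printf '%s\n' '# CONFIG_KCOV is not set' 'CONFIG_DEBUG_INFO=y' 'CONFIG_NET=y' > "$demo_cfg"
apply_required_opts "$demo_cfg"
if check_required_opts "$demo_cfg"; then
    echo "all required options set in $demo_cfg:"
    cat "$demo_cfg"
fi
rm -f "$demo_cfg"
```

The kernel tree's own `scripts/config` tool (`scripts/config --enable CONFIG_KCOV`, and so on) does the same job on a real `.config`; the point of the check function is the second run after `make olddefconfig`, which silently drops any symbol whose dependencies the chosen kernel version does not satisfy, so a config copied from a syzbot report for a different kernel can come out of step 6 missing options that looked set after step 5.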