List of recommended kernel configs for syzkaller. See syzbot config for a reference config.
To enable coverage collection, which is extremely important for effective fuzzing:
CONFIG_KCOV=y CONFIG_KCOV_INSTRUMENT_ALL=y CONFIG_KCOV_ENABLE_COMPARISONS=y CONFIG_DEBUG_FS=y
Note that CONFIG_KCOV_ENABLE_COMPARISONS feature also requires gcc8+ and the following commits if you are testing an old kernel:
kcov: support comparison operands collection
kcov: fix comparison callback signature
To show code coverage in web interface:
CONFIG_DEBUG_INFO=y
For detection of enabled syscalls and kernel bitness:
CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y
For better sandboxing:
CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_CGROUP_PIDS=y CONFIG_MEMCG=y
For namespace sandbox:
CONFIG_USER_NS=y
For running in VMs make kvmconfig is generally required.
Debian images produced by tools/create-image.sh also require:
CONFIG_CONFIGFS_FS=y CONFIG_SECURITYFS=y
It is recommended to disable the following config (and required if your kernel doesn't have commits arm64: setup: introduce kaslr_offset() and kcov: make kcov work properly with KASLR enabled):
# CONFIG_RANDOMIZE_BASE is not set
Syzkaller is meant to be used with KASAN (available upstream with CONFIG_KASAN=y), KTSAN (prototype available), KMSAN (prototype available), or KUBSAN (available upstream with CONFIG_UBSAN=y).
Enable KASAN for use-after-free and out-of-bounds detection:
CONFIG_KASAN=y CONFIG_KASAN_INLINE=y
For testing with fault injection enable the following configs (syzkaller will pick it up automatically):
CONFIG_FAULT_INJECTION=y CONFIG_FAULT_INJECTION_DEBUG_FS=y CONFIG_FAILSLAB=y CONFIG_FAIL_PAGE_ALLOC=y CONFIG_FAIL_MAKE_REQUEST=y CONFIG_FAIL_IO_TIMEOUT=y CONFIG_FAIL_FUTEX=y
Note: you also need the following commits if you are testing an old kernel:
fault-inject: support systematic fault injection
fault-inject: simplify access check for fail-nth
fault-inject: fix wrong should_fail() decision in task context
fault-inject: add /proc/<pid>/fail-nth
Any other debugging configs, the more the better, here are some that proved to be especially useful:
CONFIG_LOCKDEP=y CONFIG_PROVE_LOCKING=y CONFIG_DEBUG_ATOMIC_SLEEP=y CONFIG_PROVE_RCU=y CONFIG_DEBUG_VM=y CONFIG_REFCOUNT_FULL=y CONFIG_FORTIFY_SOURCE=y CONFIG_HARDENED_USERCOPY=y CONFIG_LOCKUP_DETECTOR=y CONFIG_SOFTLOCKUP_DETECTOR=y CONFIG_HARDLOCKUP_DETECTOR=y CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y CONFIG_DETECT_HUNG_TASK=y CONFIG_WQ_WATCHDOG=y
Increase hung/stall timeout to reduce false positive rate:
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140 CONFIG_RCU_CPU_STALL_TIMEOUT=100