Below are the generic instructions for how to set up syzkaller to fuzz the Linux kernel. Instructions for a particular VM type or kernel arch can be found on these pages:
The following components are needed to use syzkaller:
Generic steps to set up syzkaller are described below.
If you encounter any troubles, check the troubleshooting page.
Syzkaller is a coverage-guided fuzzer and therefore it needs the kernel to be built with coverage support, which requires a recent GCC version. Coverage support was submitted to GCC in revision 231296, released in GCC v6.0.
Besides coverage support in GCC, you also need support for it on the kernel side. KCOV was committed upstream in Linux kernel version 4.6 and can be enabled by configuring the kernel with CONFIG_KCOV=y. For older kernels you need to backport commit kernel: add kcov code coverage.
To enable more syzkaller features and improve bug detection abilities, it's recommended to use additional config options. See this page for details.
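The two coverage prerequisites above (a GCC of 6.0 or newer and CONFIG_KCOV=y in the kernel .config) are cheap to verify before a first syz-manager run. The following POSIX sh preflight is an added example, not part of the syzkaller docs or code; it takes the output of gcc --version and a .config path as inputs, and the sample configs it writes to a temporary directory are constructed for the offline run (a real kernel tree path such as $KERNEL is an assumption).

```shell
#!/bin/sh
# Added example, not from the syzkaller docs: preflight checks for the two
# coverage prerequisites (GCC >= 6 and CONFIG_KCOV=y in the kernel .config).

# gcc_major "gcc --version output" -> prints the major version found on the
# first line, e.g. "gcc (GCC) 7.3.0" -> 7 (empty if no version is found).
gcc_major() {
  printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\)\.[0-9][0-9]*.*/\1/p'
}

# gcc_supports_kcov "gcc --version output" -> exit 0 if GCC is 6.0 or newer,
# the first release carrying the coverage support (GCC revision 231296).
gcc_supports_kcov() {
  major=$(gcc_major "$1")
  [ -n "$major" ] && [ "$major" -ge 6 ]
}

# kcov_enabled FILE -> exit 0 if FILE (a kernel .config) has CONFIG_KCOV=y.
# A "# CONFIG_KCOV is not set" line or no line at all both fail.
kcov_enabled() {
  grep -qx 'CONFIG_KCOV=y' "$1"
}

# kcov_status FILE -> prints "enabled", "disabled" (explicitly not set) or
# "absent" (the option is unknown to this kernel: older than 4.6 and the kcov
# commit has not been backported).
kcov_status() {
  if grep -qx 'CONFIG_KCOV=y' "$1"; then
    echo enabled
  elif grep -qx '# CONFIG_KCOV is not set' "$1"; then
    echo disabled
  else
    echo absent
  fi
}

# Constructed sample .config files so the script runs offline.
tmpdir=$(mktemp -d)
cat >"$tmpdir/good.config" <<'EOF'
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
EOF
cat >"$tmpdir/bad.config" <<'EOF'
# CONFIG_KCOV is not set
EOF
cat >"$tmpdir/old.config" <<'EOF'
CONFIG_DEBUG_KERNEL=y
EOF

for f in good bad old; do
  echo "$f.config: kcov $(kcov_status "$tmpdir/$f.config")"
done
gcc_supports_kcov "gcc (GCC) 7.3.0" && echo "gcc 7.3.0: coverage support ok"
gcc_supports_kcov "gcc (GCC) 5.4.0" || echo "gcc 5.4.0: too old for coverage"
rm -rf "$tmpdir"

# Real-host usage ($KERNEL is an assumed path to the kernel tree):
#   gcc_supports_kcov "$(gcc --version)" && kcov_enabled "$KERNEL/.config"
```

The "absent" case is the one that bites on older kernels: a .config that never mentions CONFIG_KCOV means the kernel has no kcov at all, and setting the option by hand does nothing until the commit is backported.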
Syzkaller performs kernel fuzzing on slave virtual machines or physical devices. These slave environments are referred to as VMs. Out-of-the-box syzkaller supports QEMU, kvmtool and GCE virtual machines, Android devices and Odroid C2 boards.
These are the generic requirements for a syzkaller VM:
syz-manager's configuration. In other words, you should be able to do ssh -i $SSHID -p $PORT root@localhost without being prompted for a password (where SSHID is the SSH identification file and PORT is the port that are specified in the
To use QEMU syzkaller VMs you have to install QEMU on your host system, see QEMU docs for details. The create-image.sh script can be used to create a suitable Linux image. Detailed steps for setting up syzkaller with QEMU on a Linux host are available for x86-64 and arm64 kernels.
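The password-less root SSH requirement above is the one that most often fails silently: ssh sits on a password prompt and syz-manager appears to hang. The following script is an added example, not part of the syzkaller docs or code, that checks the login the way the text describes (ssh -i $SSHID -p $PORT root@localhost) but with BatchMode=yes so a bad setup fails with a non-zero exit instead of prompting. It assumes SSHID and PORT hold the values from the syz-manager configuration; the $SSH variable and the stub ssh scripts it writes are constructed so the sample run works offline.

```shell
#!/bin/sh
# Added example, not from the syzkaller docs: check that a VM accepts the
# password-less root SSH login syzkaller needs, using the same identity file
# (SSHID) and port (PORT) that syz-manager's configuration names.

# The ssh binary comes from $SSH so the check can be exercised with a stub;
# a real run uses the ssh on PATH.
: "${SSH:=ssh}"

# vm_ssh_ok SSHID PORT -> 0 if "ssh -i SSHID -p PORT root@localhost" runs a
# command as root without a password prompt; 1 if the login fails or is not
# root; 2 if the identity file itself is unusable.
vm_ssh_ok() {
  sshid=$1; port=$2
  [ -r "$sshid" ] || { echo "identity file $sshid is not readable" >&2; return 2; }
  # BatchMode=yes: fail instead of prompting. Host-key checking is relaxed
  # because a freshly created local VM image presents a new host key on every
  # boot; keep it enabled for anything that is not a throwaway VM on localhost.
  uid=$("$SSH" -i "$sshid" -p "$port" \
        -o BatchMode=yes -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        root@localhost id -u 2>/dev/null) || return 1
  # "id -u" printing 0 proves both that the key was accepted and that the
  # account really is root, which syzkaller requires.
  [ "$uid" = 0 ]
}

# Constructed stand-ins for ssh so the sample run works offline: each ignores
# its options and answers like a VM with a given login outcome.
demo=$(mktemp -d)
printf '#!/bin/sh\necho 0\n' >"$demo/ssh-root"; chmod +x "$demo/ssh-root"
printf '#!/bin/sh\necho 1000\n' >"$demo/ssh-user"; chmod +x "$demo/ssh-user"
: >"$demo/id_rsa"   # empty placeholder identity file for the demo

SSH=$demo/ssh-root
vm_ssh_ok "$demo/id_rsa" 10022 && echo "root login over ssh: ok"
SSH=$demo/ssh-user
vm_ssh_ok "$demo/id_rsa" 10022 || echo "login worked but not as root: syz-manager would fail"
rm -rf "$demo"

# Real-host usage, with SSHID and PORT taken from the syz-manager config:
#   SSH=ssh; vm_ssh_ok "$SSHID" "$PORT" && echo "VM reachable as root"
```

Run it against the VM before starting syz-manager; a return of 1 with the identity file readable usually means the VM's sshd is not running, root login is disabled in sshd_config, or the key is not in root's authorized_keys.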
The syzkaller tools are written in Go, so a Go compiler (>= 1.8) is needed to build them.
The Go distribution can be downloaded from https://golang.org/dl/. Unpack Go into a directory, say, $HOME/go. Then, set the GOROOT=$HOME/go env var. Then, add Go binaries to PATH=$HOME/go/bin:$PATH. Then, set the GOPATH env var to some empty dir, say GOPATH=$HOME/gopath. Then, run go get -u -d github.com/google/syzkaller/... to check out the syzkaller sources. Then, cd $GOPATH/src/github.com/google/syzkaller and build with make, which generates compiled binaries in the bin/ folder. Note: if you want to do cross-OS/arch testing, you need to specify TARGETARCH arguments to make. See the Makefile for details.