Syzkaller内核模糊测试技术详解与实战<\/h1>

一、简介<\/h2>
Syzkaller是Google安全研究人员开发并维护的开源内核Fuzz工具，主要由dvyukov维护。该工具使用Go语言编写，包含少量C代码，具有部署快速、使用简便的特点，支持多种操作系统（Linux、Android、Windows、openbsd、darwin等），其中对Linux系统的支持最为全面。<\/p>
内核通过系统调用进行交互，因此Syzkaller的Fuzzing通过不断构造系统调用序列来驱动内核执行。这些系统调用组合会触发内核中的各种逻辑路径，进而暴露潜在的安全漏洞。为了生成更高效的测试用例，Syzkaller通过内核插桩机制获取覆盖率反馈来引导Fuzzing过程。<\/p>

二、基本架构<\/h2>

2.1 组件构成<\/h3>

Syzkaller主要分为两个核心组件：<\/p>

syz-manager（主控模块）<\/strong>：<\/p>

运行在宿主机上，每个虚拟机对应一个syz-manager启动的管理进程<\/li>
内置fuzzing核心逻辑（包括系统调用生成、变异、语料更新等）<\/li>
收集并记录覆盖率和崩溃信息<\/li>
提供Web UI展示统计信息<\/li> <\/ul>
syz-executor（执行模块）<\/strong>：<\/p>

运行于每个虚拟机内部<\/li>
接收syz-manager下发的系统调用程序（syscall sequence）<\/li>
启动临时子进程执行单一测试输入（一系列系统调用）<\/li>
收集KCOV覆盖率信息，反馈执行结果<\/li>
报告崩溃、挂起或异常状态<\/li>
以C++静态编译方式实现，进程间通过共享内存通信，保证简洁高效<\/li> <\/ul>
2.2 工作流程<\/h3>

syz-manager生成系统调用序列，封装成二进制文件<\/li>
通过SSH将测试程序传输到目标虚拟机<\/li>
syz-executor接收程序，执行系统调用组合以触发内核不同代码路径<\/li>
利用内核的KCOV插桩收集覆盖率信息，作为反馈引导Fuzz<\/li>
syz-manager监控虚拟机运行状态，遇内核panic自动重启虚拟机（借助虚拟机快照和watchdog机制）<\/li>
崩溃和覆盖率数据被收集并持久化，便于后续分析和复现<\/li> <\/ol>
三、环境配置<\/h2>
3.1 硬件要求<\/h3>
CPU虚拟化支持<\/strong>：<\/p>
egrep -wo 'vmx|svm'<\/span> \/proc\/cpuinfo | sort | uniq <\/span><\/span><\/code><\/pre> 输出vmx<\/code>表示Intel CPU支持虚拟化<\/li> 输出svm<\/code>表示AMD CPU支持虚拟化<\/li> 无输出需在BIOS中开启虚拟化功能（Intel VT-x或AMD-V）<\/li> <\/ul> 内核KVM支持<\/strong>：<\/p> sudo modprobe kvm <\/span><\/span>sudo modprobe kvm_intel # Intel CPU<\/span> <\/span><\/span># 或<\/span> <\/span><\/span>sudo modprobe kvm_amd # AMD CPU<\/span> <\/span><\/span><\/code><\/pre>3.2 编译Syzkaller<\/h3> 安装Go编译器<\/strong>：<\/p> # 下载Go 1.23.7<\/span> <\/span><\/span>wget https:\/\/go.dev\/dl\/go1.23.7.linux-amd64.tar.gz <\/span><\/span> <\/span><\/span># 解压到\/usr\/local<\/span> <\/span><\/span>sudo tar -C \/usr\/local -xzf go1.23.7.linux-amd64.tar.gz <\/span><\/span> <\/span><\/span># 设置环境变量<\/span> <\/span><\/span>export GOROOT=<\/span>\/usr\/local\/go <\/span><\/span>export GOPATH=<\/span>$HOME\/go <\/span><\/span>export PATH=<\/span>$GOROOT\/bin:$GOPATH\/bin:$PATH <\/span><\/span> <\/span><\/span>sudo apt install gcc <\/span><\/span> <\/span><\/span># 配置Go国内代理（可选）<\/span> <\/span><\/span>export GOPROXY=<\/span>https:\/\/goproxy.cn,direct <\/span><\/span><\/code><\/pre>安装依赖<\/strong>：<\/p> sudo apt update <\/span><\/span>sudo apt install build-essential clang llvm libncurses5-dev libssl-dev libelf-dev bc <\/span><\/span>sudo apt install make flex bison libncurses-dev libelf-dev libssl-dev <\/span><\/span><\/code><\/pre>编译Syzkaller<\/strong>：<\/p> git clone https:\/\/github.com\/google\/syzkaller <\/span><\/span>cd syzkaller <\/span><\/span>make all <\/span><\/span> <\/span><\/span># 交叉编译（如arm架构）<\/span> <\/span><\/span>make CC=<\/span>aarch64-linux-gnu-g++ TARGETARCH=<\/span>arm64 <\/span><\/span><\/code><\/pre>编译完成后，执行文件位于syzkaller\/bin\/<\/code>目录。<\/p> 3.3 编译Linux内核<\/h3> 下载并配置内核<\/strong>（以6.12.38为例）：<\/p> wget https:\/\/cdn.kernel.org\/pub\/linux\/kernel\/v6.x\/linux-6.12.38.tar.xz <\/span><\/span>tar -xvf linux-6.12.38.tar.xz &&<\/span> cd linux-6.12.38 <\/span><\/span> <\/span><\/span>make defconfig <\/span><\/span>make kvm_guest.config <\/span><\/span><\/code><\/pre>启用必要配置选项<\/strong>：<\/p> scripts\/config --enable CONFIG_KCOV # 启用KCOV<\/span> <\/span><\/span>scripts\/config --enable CONFIG_KASAN # 启用KASAN<\/span> <\/span><\/span>scripts\/config --enable CONFIG_KASAN_INLINE # 允许内联检测代码<\/span> <\/span><\/span>scripts\/config --enable CONFIG_DEBUG_INFO <\/span><\/span>scripts\/config --disable CONFIG_DEBUG_INFO_NONE <\/span><\/span>scripts\/config --enable CONFIG_DEBUG_INFO_DWARF4 # 开启内核调试信息生成<\/span> <\/span><\/span> <\/span><\/span># 网络相关配置<\/span> <\/span><\/span>scripts\/config --enable CONFIG_NET_SCHED <\/span><\/span>scripts\/config --enable CONFIG_NET_CLS_ACT <\/span><\/span>scripts\/config --enable CONFIG_NET_SCH_FQ <\/span><\/span>scripts\/config --enable CONFIG_NET_SCH_NETEM <\/span><\/span>scripts\/config --enable CONFIG_NET_SCH_INGRESS <\/span><\/span>scripts\/config --enable CONFIG_NET_SCH_HTB <\/span><\/span>scripts\/config --enable CONFIG_NET_SCH_PRIO <\/span><\/span> <\/span><\/span>scripts\/config --enable CONFIG_CONFIGFS_FS # 启用configfs文件系统支持<\/span> <\/span><\/span>scripts\/config --enable CONFIG_SECURITYFS # 启用securityfs文件系统<\/span> <\/span><\/span>scripts\/config --enable CONFIG_KCOV_JIT <\/span><\/span>scripts\/config --enable CONFIG_DEBUG_KERNEL <\/span><\/span>scripts\/config --enable CONFIG_LOCKDEP <\/span><\/span><\/code><\/pre>重新生成配置并编译<\/strong>：<\/p> make olddefconfig <\/span><\/span>make -j$(<\/span>nproc)<\/span> <\/span><\/span><\/code><\/pre>编译后生成的关键文件：<\/p> bzImage<\/code>：经过压缩的可启动内核镜像<\/li> vmlinux<\/code>：带有调试符号的未压缩内核镜像<\/li> <\/ul> 3.4 Qemu配置<\/h3> 安装Qemu<\/strong>：<\/p> sudo apt install qemu-system-x86 <\/span><\/span><\/code><\/pre>创建虚拟机镜像<\/strong>：<\/p> sudo apt install debootstrap <\/span><\/span>cd \/linux <\/span><\/span> <\/span><\/span># 下载syzkaller的create-image.sh脚本<\/span> <\/span><\/span>wget https:\/\/raw.githubusercontent.com\/google\/syzkaller\/master\/tools\/create-image.sh -O create-image.sh <\/span><\/span>chmod +x create-image.sh <\/span><\/span> <\/span><\/span># 运行创建镜像脚本（Linux项目不能存在于挂载目录上）<\/span> <\/span><\/span>.\/create-image.sh <\/span><\/span><\/code><\/pre>脚本运行后生成的文件：<\/p> bullseye.img<\/code>：虚拟机硬盘镜像文件<\/li> bullseye.id_rsa<\/code>：SSH私钥<\/li> bullseye.id_rsa.pub<\/code>：SSH公钥<\/li> <\/ul> 启动虚拟机测试<\/strong>：<\/p> qemu-system-x86_64 \ <\/span><\/span><\/span><\/span> -m 2G \ <\/span><\/span><\/span><\/span> -smp 2<\/span> \ <\/span><\/span><\/span><\/span> -kernel \/linux\/arch\/x86\/boot\/bzImage \ <\/span> # 指定bzImage文件<\/span> <\/span><\/span> -append "console=ttyS0 root=\/dev\/sda earlyprintk=serial net.ifnames=0"<\/span> \ <\/span><\/span><\/span><\/span> -drive file=<\/span>\/linux\/bullseye.img,format=<\/span>raw \ <\/span> # 指定文件系统<\/span> <\/span><\/span> -net user,host=<\/span>10.0.2.10,hostfwd=<\/span>tcp:127.0.0.1:10021-:22 \ <\/span><\/span><\/span><\/span> -net nic,model=<\/span>e1000 \ <\/span><\/span><\/span><\/span> -enable-kvm \ <\/span><\/span><\/span><\/span> -nographic \ <\/span><\/span><\/span><\/span> -pidfile vm.pid \ <\/span><\/span><\/span><\/span> 2>&1<\/span> | tee vm.log <\/span><\/span><\/code><\/pre>测试SSH连接<\/strong>：<\/p> ssh -i \/linux\/bullseye.id_rsa -p 10021<\/span> -o "StrictHostKeyChecking no"<\/span> root@localhost <\/span><\/span><\/code><\/pre>四、基本用法<\/h2> 4.1 配置文件<\/h3> 创建Syzkaller配置文件test.cfg<\/code>：<\/p> { <\/span><\/span> "target"<\/span>: "linux\/amd64"<\/span>, \/\/ 目标平台架构 <\/span><\/span><\/span><\/span> "http"<\/span>: "127.0.0.1:56741"<\/span>, \/\/ WebUI接口 <\/span><\/span><\/span><\/span> "workdir"<\/span>: "\/linux\/workdir\/"<\/span>, \/\/ 工作目录 <\/span><\/span><\/span><\/span> "kernel_obj"<\/span>: "\/linux\/"<\/span>, \/\/ 内核路径 <\/span><\/span><\/span><\/span> "image"<\/span>: "\/linux\/bullseye.img"<\/span>, \/\/ QEMU虚拟机镜像 <\/span><\/span><\/span><\/span> "sshkey"<\/span>: "\/linux\/bullseye.id_rsa"<\/span>, \/\/ 连接虚拟机用的私钥 <\/span><\/span><\/span><\/span> "syzkaller"<\/span>: "\/syzkaller\/"<\/span>, \/\/ syzkaller源码路径 <\/span><\/span><\/span><\/span> "procs"<\/span>: 8<\/span>, \/\/ 每个VM中并发fuzz实例数量 <\/span><\/span><\/span><\/span> "type"<\/span>: "qemu"<\/span>, \/\/ 虚拟机类型 <\/span><\/span><\/span><\/span> "vm"<\/span>: { <\/span><\/span> "count"<\/span>: 4<\/span>, \/\/ 启动的VM数量 <\/span><\/span><\/span><\/span> "kernel"<\/span>: "\/linux\/arch\/x86\/boot\/bzImage"<\/span>, \/\/ bzImage路径 <\/span><\/span><\/span><\/span> "cmdline"<\/span>: "net.ifnames=0"<\/span>, \/\/ 内核参数（简化网络设备名） <\/span><\/span><\/span><\/span> "cpu"<\/span>: 2<\/span>, \/\/ 每个VM的CPU数量 <\/span><\/span><\/span><\/span> "mem"<\/span>: 2048<\/span> \/\/ 每个VM的内存（单位：MB） <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 启动运行<\/h3> 基本启动<\/strong>：<\/p> syz-manager -config test.cfg <\/span><\/span><\/code><\/pre>调试模式<\/strong>：<\/p> syz-manager -config test.cfg --debug <\/span><\/span><\/code><\/pre>启动后可通过http:\/\/localhost:56741<\/code>访问WebUI界面。<\/p> 4.3 KCOV覆盖率分析<\/h3> Syzkaller使用KCOV接口收集代码覆盖信息，可通过以下地址查看覆盖率：<\/p> http:\/\/127.0.0.1:$(PORT)\/cover <\/code><\/pre> 覆盖率颜色标注说明<\/strong>：<\/p> 已覆盖：黑色<\/li> 部分覆盖：橙色<\/li> 函数未执行：暗红色<\/li> 未覆盖：红色<\/li> 未插桩：灰色<\/li> <\/ul> 生成覆盖率报告<\/strong>：<\/p> # 构建syz-cover工具<\/span> <\/span><\/span>make cover <\/span><\/span> <\/span><\/span># 获取原始覆盖率数据<\/span> <\/span><\/span>wget http:\/\/localhost:<syz-manager端口>\/rawcover <\/span><\/span> <\/span><\/span># 生成覆盖率报告<\/span> <\/span><\/span>bin\/syz-cover --config <syzkaller配置文件路径> rawcover <\/span><\/span> <\/span><\/span># 导出函数覆盖率CSV文件<\/span> <\/span><\/span>bin\/syz-cover --config <syzkaller配置文件路径> --csv <输出文件名> rawcover <\/span><\/span> <\/span><\/span># 导出源码行覆盖率JSON文件<\/span> <\/span><\/span>bin\/syz-cover --config <syzkaller配置文件路径> --json <输出文件名> rawcover <\/span><\/span><\/code><\/pre>五、Syzlang系统调用描述语言<\/h2> Syzkaller定义了一套声明式语言syzlang，用于描述系统调用的接口和参数格式。<\/p> 5.1 基本结构<\/h3> syzlang文件包含以下元素：<\/p> 元素<\/th> 示例<\/th> 说明<\/th> <\/tr> <\/thead> include<\/td> include <linux\/fs.h><\/code><\/td> 引用头文件（仅标注）<\/td> <\/tr> syscall<\/td> open(file filename, flags flags[open_flags], mode flags[open_mode]) fd<\/code><\/td> 定义系统调用<\/td> <\/tr> flags<\/td> open_flags = O_RDONLY, O_RDWR, O_CREAT<\/code><\/td> 枚举值集合<\/td> <\/tr> bitmask<\/td> prot_flags = PROT_READ, PROT_WRITE<\/code><\/td> 按位或组合<\/td> <\/tr> struct<\/td> sock_fprog { len len[filter, int16]; filter ptr[in, array[sock_filter]] }<\/code><\/td> 定义结构体<\/td> <\/tr> union<\/td> union u [ type1, type2 ]<\/code><\/td> 定义联合体<\/td> <\/tr> 别名<\/td> type buffer ptr[in, array[int8]]<\/code><\/td> 类型模板\/别名<\/td> <\/tr> 注释<\/td> # comment<\/code><\/td> 单行注释<\/td> <\/tr> <\/tbody> <\/table> 示例<\/strong>：<\/p> open(file filename, flags flags[open_flags], mode flags[open_mode]) fd <\/span><\/span>read(fd fd, buf buffer[out], count len[buf]) <\/span><\/span>close(fd fd) <\/span><\/span> <\/span><\/span>open_flags =<\/span> O_RDONLY, O_WRONLY, O_RDWR, O_APPEND, O_CREAT <\/span><\/span>open_mode =<\/span> S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP <\/span><\/span><\/code><\/pre>5.2 系统调用描述格式<\/h3> 基本格式<\/strong>：<\/p> syscallname(argname1 type1, argname2 type2, ...) return_type <\/code><\/pre> 常用类型<\/strong>：<\/p> intN<\/code> \/ intptr<\/code>：普通整数类型（带有可选范围、对齐）<\/li> flags[flagname]<\/code>：枚举或位标志<\/li> ptr[in, type]<\/code>：指针（方向可选in\/out\/inout）<\/li> array[type, size]<\/code>：数组（长度可选固定\/范围）<\/li> string[filename]<\/code>：字符串（如生成文件路径）<\/li> len[fieldname]<\/code> \/ bytesize[fieldname]<\/code>：指定字段长度<\/li> <\/ul> 类型模板与别名<\/strong>：<\/p> type buffer[DIR] ptr[DIR, array[int8]] <\/span><\/span>type optional[T] [ <\/span><\/span> val T <\/span><\/span> void<\/span> void<\/span> <\/span><\/span>] [varlen] <\/span><\/span><\/code><\/pre>5.3 调用属性<\/h3> 可选关键字修饰系统调用行为：<\/p> no_generate<\/code>：不自动生成调用（用于seed触发）<\/li> no_minimize<\/code>：崩溃最小化时跳过该调用<\/li> ignore_return<\/code>：不使用返回值作为反馈路径<\/li> timeout[N]<\/code>, prog_timeout[N]<\/code>：增加fuzz超时时间<\/li> disabled<\/code>：禁用该系统调用（调试时有用）<\/li> <\/ul> 5.4 类型系统<\/h3> 基本类型<\/strong>：<\/p> int8, int16, int32, int64 <\/span><\/span>const<\/span>[123<\/span>, int32] #<\/span> 常量<\/span> <\/span><\/span>bool8, bool32 #<\/span> 布尔类型<\/span> <\/span><\/span><\/code><\/pre>指针类型<\/strong>：<\/p> ptr[in, struct_name] #<\/span> 输入指针<\/span> <\/span><\/span>ptr[out, buffer] #<\/span> 输出指针<\/span> <\/span><\/span><\/code><\/pre>数组<\/strong>：<\/p> array[int32, 4<\/span>] #<\/span> 固定长度数组<\/span> <\/span><\/span>array[int8, VAR] #<\/span> 动态数组<\/span> <\/span><\/span><\/code><\/pre>联合体(Union)<\/strong>：<\/p> union<\/span> my_union [ <\/span><\/span> type1 <\/span><\/span> type2 <\/span><\/span> type3 <\/span><\/span>] <\/span><\/span><\/code><\/pre>结构体(Struct)<\/strong>：<\/p> my_struct { <\/span><\/span> field1 int32 <\/span><\/span> field2 ptr[in, buffer] <\/span><\/span> ... <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.5 常量和标志<\/h3> 常量定义<\/strong>：<\/p> define SOME_CONST 0x1000<\/span> <\/span><\/span><\/code><\/pre>标志定义<\/strong>：<\/p> flags open_flags =<\/span> O_RDONLY, O_WRONLY, O_CREAT, O_APPEND <\/span><\/span><\/code><\/pre>位掩码<\/strong>：<\/p> bitmask prot_flags =<\/span> PROT_READ, PROT_WRITE, PROT_EXEC <\/span><\/span><\/code><\/pre>5.6 资源类型<\/h3> 用于管理系统资源（如文件描述符、socket等）：<\/p> resource fd[int32]:<\/span> 0xffffffffffffffff<\/span>, AT_FDCWD <\/span><\/span> <\/span><\/span>open(...) fd <\/span><\/span>read(fd fd, ...) <\/span><\/span>close(fd fd) <\/span><\/span><\/code><\/pre>5.7 高级特性<\/h3> 对齐约束<\/strong>：<\/p> my_struct { <\/span><\/span> field1 int32 <\/span><\/span> field2 ptr[in, buffer] <\/span><\/span>} [align[8<\/span>]] <\/span><\/span><\/code><\/pre>修饰符<\/strong>：<\/p> [packed]<\/code>：紧凑布局，取消默认padding<\/li> [varlen]<\/code>：用于描述变长结构体或联合体的尾部<\/li> <\/ul> 5.8 编写技巧<\/h3> 命名规范<\/strong>：遵循内核已有命名，不要创造新名字<\/li> 资源顺序<\/strong>：in\/out\/inout决定调用顺序<\/li> 特殊值<\/strong>：不要随意添加-1、INT_MAX等未声明值<\/li> 标志使用<\/strong>：flag类型可用于枚举、位标志、混合模式<\/li> 声明顺序<\/strong>：不要求先声明后使用，推荐按重要性排序<\/li> <\/ol> 5.9 使用流程<\/h3> 调研接口，了解相关系统调用<\/li> 编写描述文件并放入syzkaller\/sys\/linux<\/code>目录<\/li> 使用syz-extract和syz-gen生成Go描述代码<\/li> <\/ol> 六、Headerparser工具<\/h2> Headerparser是自动化生成syzlang描述的辅助工具，可减轻手动编写工作量。<\/p> 环境配置<\/strong>：<\/p> pip3 install pycparser <\/span><\/span><\/code><\/pre>基本用法<\/strong>：<\/p> python3 headerparser.py --filenames=<\/span>.\/test_headers\/th_b.h <\/span><\/span><\/code><\/pre>输出结果示例：<\/p> B { <\/span><\/span> B1 len|<\/span>fileoff|<\/span>flags|<\/span>intN #<\/span>(unsigned<\/span> long<\/span>) <\/span><\/span> B2 len|<\/span>fileoff|<\/span>flags|<\/span>intN #<\/span>(unsigned<\/span> long<\/span>) <\/span><\/span>} <\/span><\/span> <\/span><\/span>struct_containing_union { <\/span><\/span> something len|<\/span>fileoff|<\/span>flags|<\/span>int32 #<\/span>(int<\/span>) <\/span><\/span> a_union.a_char ptr[in|<\/span>out, string]|<\/span>ptr[in, filename] #<\/span>(char<\/span>*<\/span>) <\/span><\/span> a_union.B_ptr ptr|<\/span>buffer|<\/span>array #<\/span>(struct<\/span> B*<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>可直接复制Structure Metadata部分内容到syzkaller设备描述文件中。<\/p> 七、实战案例<\/h2> 7.1 漏洞驱动示例<\/h3> 驱动代码<\/strong>（存在堆溢出漏洞）：<\/p> #include<\/span> <linux\/init.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/module.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/proc_fs.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/uaccess.h><\/span> <\/span><\/span><\/span>#include<\/span> <linux\/slab.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>#define MY_DEV_NAME "test" <\/span><\/span><\/span>#define DEBUG_FLAG "PROC_DEV" <\/span><\/span><\/span><\/span> <\/span><\/span>static<\/span> ssize_t proc_read<\/span>(struct<\/span> file *<\/span>proc_file, char<\/span> __user *<\/span>proc_user, size_t n, loff_t *<\/span>loff); <\/span><\/span>static<\/span> ssize_t proc_write<\/span>(struct<\/span> file *<\/span>proc_file, const<\/span> char<\/span> __user *<\/span>proc_user, size_t n, loff_t *<\/span>loff); <\/span><\/span>static<\/span> int<\/span> proc_open<\/span>(struct<\/span> inode *<\/span>proc_inode, struct<\/span> file *<\/span>proc_file); <\/span><\/span> <\/span><\/span>static<\/span> const<\/span> struct<\/span> proc_ops proc_fops =<\/span> { <\/span><\/span> .proc_open =<\/span> proc_open, <\/span><\/span> .proc_read =<\/span> proc_read, <\/span><\/span> .proc_write =<\/span> proc_write, <\/span><\/span>}; <\/span><\/span> <\/span><\/span>static<\/span> int<\/span> __init mod_init<\/span>(void<\/span>) { <\/span><\/span> struct<\/span> proc_dir_entry *<\/span>test_entry; <\/span><\/span> printk(DEBUG_FLAG ": proc init start!<\/span>\n<\/span>"<\/span>); <\/span><\/span> test_entry =<\/span> proc_create(MY_DEV_NAME, 0666<\/span>, NULL, &<\/span>proc_fops); <\/span><\/span> if<\/span> (!<\/span>test_entry) <\/span><\/span> printk(DEBUG_FLAG ": failed to create \/proc entry!<\/span>\n<\/span>"<\/span>); <\/span><\/span> else<\/span> <\/span><\/span> printk(DEBUG_FLAG ": proc init over!<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>在proc_write<\/code>函数中，kmalloc<\/code>分配了n+512字节缓冲区，但copy_from_user<\/code>复制了n+4096字节，导致堆溢出。<\/p> 7.2 编译进内核<\/h3> # 将漏洞驱动文件复制到内核目录<\/span> <\/span><\/span>mv test.c linux\/drivers\/char\/ <\/span><\/span> <\/span><\/span># 修改Makefile<\/span> <\/span><\/span>echo "obj-y += test.o"<\/span> >> linux\/drivers\/char\/Makefile <\/span><\/span> <\/span><\/span># 编译内核<\/span> <\/span><\/span>make -j$(<\/span>nproc)<\/span> <\/span><\/span><\/code><\/pre>7.3 编写Syzlang描述<\/h3> 创建syzkaller\/sys\/linux\/vuln.txt<\/code>：<\/p> include <<\/span>linux\/<\/span>fs.h><\/span> <\/span><\/span> <\/span><\/span>open$<\/span>proc(file ptr[in, string["\/proc\/test"<\/span>]], flags flags[proc_open_flags], mode flags[proc_open_mode]) fd <\/span><\/span>read$<\/span>proc(fd fd, buf buffer[out], count len[buf]) <\/span><\/span>write$<\/span>proc(fd fd, buf buffer[in], count len[buf]) <\/span><\/span>close$<\/span>proc(fd fd) <\/span><\/span> <\/span><\/span>proc_open_flags =<\/span> O_RDONLY, O_WRONLY, O_RDWR, O_APPEND, FASYNC, O_CLOEXEC, O_CREAT, O_DIRECT, O_DIRECTORY, O_EXCL, O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_PATH, O_SYNC, O_TRUNC, __O_TMPFILE <\/span><\/span>proc_open_mode =<\/span> S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH <\/span><\/span><\/code><\/pre>生成常量文件<\/strong>：<\/p> bin\/syz-extract -os linux -sourcedir \/root\/linux-6.12.38 -arch amd64 vuln.txt <\/span><\/span><\/code><\/pre>重新构建Syzkaller<\/strong>：<\/p> # 将syscall描述文件转换为go代码结构<\/span> <\/span><\/span>bin\/syz-sysgen <\/span><\/span> <\/span><\/span># 重建syzkaller<\/span> <\/span><\/span>make all <\/span><\/span><\/code><\/pre>7.4 配置和运行Fuzzing<\/h3> 修改test.cfg<\/code>，添加系统调用限制：<\/p> { <\/span><\/span> \/\/ ... 其他配置不变 <\/span><\/span><\/span><\/span> "enable_syscalls"<\/span>: [ <\/span><\/span> "open$proc"<\/span>, <\/span><\/span> "read$proc"<\/span>, <\/span><\/span> "write$proc"<\/span>, <\/span><\/span> "close$proc"<\/span> <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre>开始Fuzzing<\/strong>：<\/p> syz-manager -config test.cfg -vv 10<\/span> <\/span><\/span><\/code><\/pre>7.5 崩溃复现工具<\/h3> syz-crush<\/strong>（重复执行崩溃程序）：<\/p> # 构建工具<\/span> <\/span><\/span>make crush <\/span><\/span> <\/span><\/span># 运行崩溃复现<\/span> <\/span><\/span>mkdir workdir <\/span><\/span>bin\/syz-crush -config .\/test.cfg .\/crashes\/736f88e1c13700f40338df50cd9a6364a46963cf\/repro.cprog <\/span><\/span> <\/span><\/span># 可选参数<\/span> <\/span><\/span>bin\/syz-crush -config .\/test.cfg -debug -infinite=<\/span>true -strace .\/crashes\/...\/repro.cprog <\/span><\/span><\/code><\/pre>syz-repro<\/strong>（生成可复现的测试用例）：<\/p> bin\/syz-repro -config=<\/span>test.cfg .\/crashes\/736f88e1c13700f40338df50cd9a6364a46963cf\/repro.prog <\/span><\/span> <\/span><\/span># 生成C语言复现程序<\/span> <\/span><\/span>bin\/syz-repro -config=<\/span>test.cfg -crepro=<\/span>repro.c .\/crashes\/...\/repro.prog <\/span><\/span><\/code><\/pre>八、崩溃分析<\/h2> 8.1 崩溃报告结构<\/h3> Syzkaller为每种唯一的内核崩溃保存专属目录：<\/p> syzkaller_workdir\/crashes\/ ├── 6e512290efa36515a7a27e53623304d20d1c3e\/ │ ├── description # 崩溃简短描述 │ ├── log0 # 原始内核日志及测试输入（第一次崩溃） │ ├── report0 # 后处理符号化报告（第一次崩溃） │ ├── log1 # 原始日志（重复崩溃） │ ├── report1 # 后处理报告（重复崩溃） │ ├── report.prog # 复现crash的程序 │ └── report.cprog # repro.prog的C可执行复现程序 <\/code><\/pre> 8.2 特殊崩溃类型<\/h3> 崩溃类型<\/th> 说明<\/th> <\/tr> <\/thead> no output from test machine<\/td> 测试机无任何输出，通常指内核死锁、严重挂起或崩溃<\/td> <\/tr> lost connection to test machine<\/td> SSH连接中断，可能内核panic或网络故障导致<\/td> <\/tr> test machine is not executing programs<\/td> 测试机看似在线，但长时间未执行测试程序，可能挂起或陷入死循环<\/td> <\/tr> <\/tbody> <\/table> 九、总结<\/h2> Syzkaller不仅是一个内核模糊测试工具，更是一种系统化、闭环化的内核安全研究框架。它通过精心设计的syzlang描述系统调用接口，结合覆盖率驱动（KCOV）和内存检测（KASAN\/KCOV\/UBSAN）形成反馈闭环，使模糊测试从随机尝试升级为"智能探索"。<\/p> 关键优势：<\/p> 自动化程度高<\/strong>：从测试用例生成到崩溃复现全流程自动化<\/li> 反馈驱动<\/strong>：基于覆盖率指导测试方向，提高效率<\/li> 系统化设计<\/strong>：完整的工具链和生态系统支持<\/li> 多平台支持<\/strong>：支持多种操作系统和架构<\/li> <\/ol> 这种方法论强调自动化、反馈驱动和系统化设计，让Fuzzing不再是盲目的尝试，而是有策略、有方向的漏洞探索，对内核安全研究具有深远的启发意义。<\/p>