
[Syzkaller II]syz-extract

0x0 TL;DR

In the last post, we took a glimpse at the usage of Syzkaller by fuzzing a vulnerable kernel module.

We know that a syscall description file (*.txt) is passed through a pipeline like:

testxy.txt -----> testxy.txt.const -----> syscalls.h & defs.h
        syz-extract               syz-gen

We found that the syz-* tools can be used independently, step by step.

So in this post we will dive only into the source of syz-extract, to work out its dataflow.

Suppose that we have written the following syzlang description as proc_testxy.txt:

include <linux/fs.h>
open$testxy(file ptr[in, string["/proc/test1"]], flags flags[proc_open_flags], mode flags[proc_open_mode]) fd
read$testxy(fd fd, buf buffer[out], count len[buf])
write$testxy(fd fd, buf buffer[in], count len[buf])

proc_open_flags = O_RDONLY, O_WRONLY, O_RDWR, O_APPEND, FASYNC, O_CLOEXEC, O_CREAT, O_DIRECT, O_DIRECTORY, O_EXCL, O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_PATH, O_SYNC, O_TRUNC, __O_TMPFILE
proc_open_mode = S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH

Then we call syz-extract to parse the txt:

./bin/syz-extract -os linux -arch amd64 -sourcedir "/usr/src/linux-5.14" proc_testxy.txt

after which we get proc_testxy.txt.const as follows:

# Code generated by syz-sysgen. DO NOT EDIT.
arches = amd64
FASYNC = amd64:8192
O_APPEND = amd64:1024
O_CLOEXEC = amd64:524288
O_CREAT = amd64:64
O_DIRECT = amd64:16384
O_DIRECTORY = amd64:65536
O_EXCL = amd64:128
O_LARGEFILE = amd64:32768
O_NOATIME = amd64:262144
O_NOCTTY = amd64:256
O_NOFOLLOW = amd64:131072
O_NONBLOCK = amd64:2048
O_PATH = amd64:2097152
O_RDONLY = amd64:0
O_RDWR = amd64:2
O_SYNC = amd64:1052672
O_TRUNC = amd64:512
O_WRONLY = amd64:1
S_IRGRP = amd64:32
S_IROTH = amd64:4
S_IRUSR = amd64:256
S_IWGRP = amd64:16
S_IWOTH = amd64:2
S_IWUSR = amd64:128
S_IXGRP = amd64:8
S_IXOTH = amd64:1
S_IXUSR = amd64:64
__NR_open = amd64:2
__NR_read = amd64:0
__NR_write = amd64:1
__O_TMPFILE = amd64:4194304

We notice that the macro definitions and their values have been listed out,

which means that syz-extract's role is to translate macro definitions (names) into their numeric values for each arch.
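To see what downstream tools get from that file, here is a small Go parser for the "NAME = arch:value" format above, plus a check that reports which names from a flags[...] set have no resolved value for a given arch (the usual cause of a description that silently loses flags). This is an added example, not syzkaller's own code; the parser and the Missing helper are my own, and the sample input is an excerpt of the .const output shown above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Consts maps constant name -> arch -> value, as read from a *.txt.const file.
type Consts map[string]map[string]uint64
// Excerpt of the proc_testxy.txt.const shown above, used as sample input.
const sampleConst = "# Code generated by syz-sysgen. DO NOT EDIT.\narches = amd64\nO_RDONLY = amd64:0\nO_WRONLY = amd64:1\n__O_TMPFILE = amd64:4194304\n"
// ParseConstFile parses "NAME = arch:value[, arch:value]" lines as syz-extract writes them (my own parser, not syzkaller's).
func ParseConstFile(text string) (Consts, error) {
	consts := Consts{}
	for n, raw := range strings.Split(text, "\n") {
		kv := strings.SplitN(strings.TrimSpace(raw), "=", 2)
		name := strings.TrimSpace(kv[0])
		if name == "" || name[0] == '#' || name == "arches" {
			continue // blank line, generated-code banner, or the arches header
		}
		if len(kv) != 2 {
			return nil, fmt.Errorf("line %d: missing '='", n+1)
		}
		consts[name] = map[string]uint64{}
		for _, ent := range strings.Split(kv[1], ",") {
			av := strings.SplitN(strings.TrimSpace(ent), ":", 2)
			if len(av) != 2 {
				return nil, fmt.Errorf("line %d: bad entry %q", n+1, ent)
			}
			v, err := strconv.ParseUint(av[1], 0, 64) // syz-extract emits decimal
			if err != nil {
				return nil, fmt.Errorf("line %d: %v", n+1, err)
			}
			consts[name][av[0]] = v
		}
	}
	return consts, nil
}
// Missing returns the names of a flags[...] set that have no value for arch,
// i.e. constants syz-extract could not resolve from the kernel headers.
func (c Consts) Missing(arch string, names []string) []string {
	var out []string
	for _, n := range names {
		if _, ok := c[n][arch]; !ok {
			out = append(out, n)
		}
	}
	return out
}
```

Running Missing over the proc_open_flags list from proc_testxy.txt is a quick way to confirm that every flag actually reached the .const file before syz-gen consumes it.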

main

1. Parse the command-line flags, and get the arch and OS type from them.

2. Choose the extractor according to the OS type.

3. Call createArches to build the arch table:

        arch := &Arch{
            target:      target,
            sourceDir:   *flagSourceDir,
            includeDirs: *flagIncludes,
            buildDir:    buildDir,
            build:       *flagBuild,
            done:        make(chan bool),
            configFile:  *flagConfig,
        }

4. Call extractor.prepare