Android Mali driver emulation.

Environment setup

  • arm mali_kbase source
  • linux-kernel 6.12.93 source
  • busybox
  • qemu-system-aarch64
  • aarch64-linux-gnu-gcc

Build

Build the linux-kernel source (ARCH=arm64, CROSS_COMPILE=aarch64-linux-gnu-).
Build the mali source; mali_kbase is built as an out-of-tree module against the kernel tree built in the previous step.

Emulation

For the busybox setup see the earlier notes.
Then boot it with qemu.

Fuzzing

Use syzkaller.
Official documentation

syzkaller build

Since this is a cross-arch build (x86-64 host, arm64 target), the target OS and architecture have to be passed to syzkaller's build at build time.

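The whole pipeline from the sections above (kernel build, out-of-tree mali_kbase build, qemu boot of the busybox initramfs, syzkaller cross build) as one script. This is an added example, not the original notes' own commands: the paths under /src are assumptions, and the kbase make variables (KDIR, CONFIG_MALI_MIDGARD=m) are what the kbase Makefile is assumed to read, so check them against the Makefile shipped with your kbase version.

```shell
#!/bin/sh
# Added example (not from the original notes): cross-arch build of the arm64
# kernel, the out-of-tree mali_kbase module, a qemu boot of the busybox
# initramfs, and the syzkaller cross build. All paths are assumptions.
set -eu

KDIR="${KDIR:-/src/linux}"                     # linux-kernel source (assumed path)
KBASE="${KBASE:-/src/mali_kbase}"              # mali_kbase driver source (assumed path)
INITRAMFS="${INITRAMFS:-/src/rootfs.cpio.gz}"  # busybox initramfs from the earlier notes (assumed path)
SYZ="${SYZ:-/src/syzkaller}"                   # syzkaller checkout (assumed path)
JOBS="${JOBS:-4}"   # -j$(nproc) ran out of memory for the author; keep this modest

export ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-

# Report everything missing at once instead of failing on the first make error.
check_tools() {
    ok=0
    for tool in aarch64-linux-gnu-gcc qemu-system-aarch64 make; do
        if ! command -v "$tool" >/dev/null 2>&1; then echo "missing tool: $tool"; ok=1; fi
    done
    return $ok
}
check_files() {
    ok=0
    for f in "$KDIR/Makefile" "$INITRAMFS"; do
        if ! [ -f "$f" ]; then echo "missing file: $f"; ok=1; fi
    done
    return $ok
}

# Kernel: defconfig, then Image (arm64 has no bzImage) and modules.
build_kernel() {
    make -C "$KDIR" -j"$JOBS" defconfig
    make -C "$KDIR" -j"$JOBS" Image modules
}

# mali_kbase builds as an out-of-tree module against KDIR. KDIR and
# CONFIG_MALI_MIDGARD=m are assumed to be what the kbase Makefile reads.
build_kbase() {
    make -C "$KDIR" M="$KBASE" KDIR="$KDIR" CONFIG_MALI_MIDGARD=m -j"$JOBS" modules
}

# qemu command line for the arm64 virt machine. Its serial console is the
# PL011 at ttyAMA0, which is why the getty/console settings later in the
# notes use that name. Host port 10022 is forwarded to the guest's sshd.
qemu_cmd() {
    echo "qemu-system-aarch64 -M virt -cpu cortex-a57 -smp 2 -m 2048 -nographic" \
         "-kernel $KDIR/arch/arm64/boot/Image -initrd $INITRAMFS" \
         "-append 'console=ttyAMA0 nokaslr net.ifnames=0'" \
         "-netdev user,id=n0,hostfwd=tcp::10022-:22 -device virtio-net-pci,netdev=n0"
}
boot_qemu() { eval "$(qemu_cmd)"; }

# syzkaller cross build: x86-64 host, arm64 target.
build_syzkaller() {
    make -C "$SYZ" TARGETOS=linux TARGETARCH=arm64
}

case "${1:-}" in
    check)  check_tools && check_files ;;
    kernel) build_kernel ;;
    kbase)  build_kbase ;;
    boot)   boot_qemu ;;
    syz)    build_syzkaller ;;
    "")     ;;   # no verb: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {check|kernel|kbase|boot|syz}" >&2; exit 2 ;;
esac
```

Run `sh build.sh check` first, then `kernel`, `kbase`, `boot`, `syz`. Keeping the build steps as separate verbs matters here because the kernel config is changed again in the kernel build section below and only the kernel and kbase steps need re-running after that.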

Buildroot root filesystem

Build the rootfs with buildroot.
The relevant configuration:

Target options
Target Architecture - Aarch64 (little endian)
Toolchain type
External toolchain - Linaro AArch64
System Configuration
[*] Enable root login with password
( ) Root password = set your password using this option
[*] Run a getty (login prompt) after boot --->
TTY port - ttyAMA0
Target packages
[*] Show packages that are also provided by busybox
Networking applications
[*] dhcpcd
[*] iproute2
[*] openssh
Filesystem images
# a cpio image works here too
[*] ext2/3/4 root filesystem
ext2/3/4 variant - ext3
exact size in blocks - 6000000
[*] tar the root filesystem

For Toolchain type I kept the default entry under External toolchain.
Then build with make.

Kernel build

Enable CONFIG_KCOV=y in the linux-kernel config; the other recommended options (syzkaller's kernel_configs.md list):

# kcov
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_DEBUG_FS=y
# memory leak
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
# syscalls kernel bitness
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
# better sandboxing
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG=y
# namespace sandbox
CONFIG_USER_NS=y
# disable kaslr
# CONFIG_RANDOMIZE_BASE is not set
# disable predicting network interface
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="net.ifnames=0"

# KASAN for UAF and OOB
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
# KUBSAN
CONFIG_UBSAN=y
# Fault injection
CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_USERCOPY=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_FUTEX=y
# Any other configs
CONFIG_LOCKDEP=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_PROVE_RCU=y
CONFIG_DEBUG_VM=y
# CONFIG_REFCOUNT_FULL no longer exists (removed in 5.5, refcount checking is always on); olddefconfig drops it silently
CONFIG_REFCOUNT_FULL=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_WQ_WATCHDOG=y
# increase hung/stall timeout
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140
CONFIG_RCU_CPU_STALL_TIMEOUT=100

After setting the above in make menuconfig, rebuild.

make -j$(nproc) appears to run out of memory; use fewer parallel jobs.
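Setting the options by hand in menuconfig is error-prone (the original list above had a misspelled UBSAN option, which Kconfig would simply ignore), and `make olddefconfig` also drops options that do not exist on this kernel or whose dependencies are unmet, without any error. The script below, an added example rather than the notes' own procedure, applies the list with the kernel's own scripts/config helper and re-checks the resulting .config; KDIR is an assumed path.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the fuzzing options with
# the kernel's scripts/config helper and verify that they survived
# "make olddefconfig". KDIR is an assumed path.
set -eu

KDIR="${KDIR:-/src/linux}"

# Options that must end up as =y in .config (one per line).
required_opts() {
    cat <<'EOF'
CONFIG_KCOV
CONFIG_KCOV_INSTRUMENT_ALL
CONFIG_KCOV_ENABLE_COMPARISONS
CONFIG_DEBUG_FS
CONFIG_DEBUG_KMEMLEAK
CONFIG_KALLSYMS
CONFIG_KALLSYMS_ALL
CONFIG_NAMESPACES
CONFIG_USER_NS
CONFIG_KASAN
CONFIG_KASAN_INLINE
CONFIG_UBSAN
CONFIG_FAULT_INJECTION
CONFIG_FAULT_INJECTION_DEBUG_FS
CONFIG_FAILSLAB
CONFIG_FAIL_PAGE_ALLOC
CONFIG_LOCKDEP
CONFIG_PROVE_LOCKING
CONFIG_DEBUG_ATOMIC_SLEEP
CONFIG_DETECT_HUNG_TASK
CONFIG_CMDLINE_BOOL
EOF
}

# Options that must be off: with KASLR on, crash addresses differ per boot
# and syzkaller cannot deduplicate crashes or symbolize reports reliably.
forbidden_opts() { echo CONFIG_RANDOMIZE_BASE; }

# check_kconfig FILE: print each required option that is not =y and each
# forbidden option that is enabled. Returns 1 if anything is wrong.
check_kconfig() {
    cfg=$1; bad=0
    for opt in $(required_opts); do
        if ! grep -qx "$opt=y" "$cfg"; then echo "not set: $opt"; bad=1; fi
    done
    for opt in $(forbidden_opts); do
        if grep -qx "$opt=y" "$cfg"; then echo "must be off: $opt"; bad=1; fi
    done
    return $bad
}

# apply_kconfig: set everything via scripts/config, let Kconfig resolve
# dependencies, then re-check. CONFIG_REFCOUNT_FULL from the list above is
# deliberately absent here: it was removed in 5.5 and would be dropped anyway.
apply_kconfig() {
    tool="$KDIR/scripts/config"
    cfg="$KDIR/.config"
    for opt in $(required_opts); do "$tool" --file "$cfg" --enable "$opt"; done
    for opt in $(forbidden_opts); do "$tool" --file "$cfg" --disable "$opt"; done
    "$tool" --file "$cfg" --set-str CONFIG_CMDLINE "net.ifnames=0"
    "$tool" --file "$cfg" --set-val CONFIG_DEFAULT_HUNG_TASK_TIMEOUT 140
    "$tool" --file "$cfg" --set-val CONFIG_RCU_CPU_STALL_TIMEOUT 100
    make -C "$KDIR" ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- olddefconfig
    check_kconfig "$cfg"
}

if [ "${1:-}" = apply ]; then apply_kconfig; fi
```

Run it as `sh kconfig.sh apply` after `make defconfig`; a non-zero exit with a list of `not set:` lines means an option was rejected by Kconfig on this kernel/arch and needs its dependency enabled before rebuilding.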

VM configuration

  • The VM must accept passwordless ssh (key-based root login) from the host
  • debugfs must be mounted (syzkaller reads coverage through /sys/kernel/debug/kcov)
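The Buildroot configuration listed earlier gives a rootfs with openssh, but not the two things above. The script below, an added example and not the notes' own setup, generates a Buildroot rootfs overlay (root's authorized_keys) and a post-build script (key-only root sshd, debugfs in fstab), plus the .config fragment that hooks both in. The output directory, key name and Buildroot option names are assumptions; check the option names against your Buildroot version.

```shell
#!/bin/sh
# Added example (not from the original notes): Buildroot overlay and
# post-build hook that give the guest key-only root ssh and a mounted debugfs,
# the two things syzkaller needs. Paths and option names are assumptions.
set -eu

# gen_overlay OVERLAY_DIR PUBKEY_FILE
# Buildroot copies this tree into the target rootfs (BR2_ROOTFS_OVERLAY).
gen_overlay() {
    overlay=$1; pubkey=$2
    mkdir -p "$overlay/root/.ssh"
    chmod 700 "$overlay/root/.ssh"
    cp "$pubkey" "$overlay/root/.ssh/authorized_keys"
    chmod 600 "$overlay/root/.ssh/authorized_keys"   # sshd refuses group/world-readable keys
}

# gen_post_build SCRIPT_PATH
# Buildroot runs the script with the target rootfs as $1 after all packages
# are installed (BR2_ROOTFS_POST_BUILD_SCRIPT), so edits to package-owned
# files like sshd_config belong here rather than in the overlay.
gen_post_build() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -eu
target=$1
cfg="$target/etc/ssh/sshd_config"
# root logs in with the key only; syzkaller's ssh/scp never see a password prompt
sed -i -e 's/^#*PermitRootLogin .*/PermitRootLogin prohibit-password/' \
       -e 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' "$cfg"
grep -q '^PermitRootLogin' "$cfg" || echo 'PermitRootLogin prohibit-password' >> "$cfg"
# debugfs for /sys/kernel/debug/kcov; Buildroot's inittab runs "mount -a" at sysinit
grep -q ' /sys/kernel/debug ' "$target/etc/fstab" 2>/dev/null || \
    echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' >> "$target/etc/fstab"
EOF
    chmod +x "$1"
}

# gen_config_fragment OVERLAY_DIR SCRIPT_PATH: lines to append to Buildroot's .config
gen_config_fragment() {
    cat <<EOF
BR2_ROOTFS_OVERLAY="$1"
BR2_ROOTFS_POST_BUILD_SCRIPT="$2"
BR2_PACKAGE_OPENSSH=y
BR2_PACKAGE_DHCPCD=y
BR2_PACKAGE_IPROUTE2=y
BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
EOF
}

if [ "${1:-}" = gen ]; then
    out=${2:-./syz-rootfs}
    mkdir -p "$out"
    [ -f "$out/id_syz" ] || ssh-keygen -t ed25519 -N '' -f "$out/id_syz" >/dev/null
    gen_overlay "$out/overlay" "$out/id_syz.pub"
    gen_post_build "$out/post-build.sh"
    gen_config_fragment "$out/overlay" "$out/post-build.sh" > "$out/fragment.config"
    echo "private key for syz-manager's sshkey option: $out/id_syz"
fi
```

`sh rootfs.sh gen /path/to/syz-rootfs` writes the overlay, the hook and fragment.config; append the fragment to Buildroot's .config, run `make olddefconfig && make`, and point the syz-manager config's `sshkey` at the generated private key. The post-build script is idempotent, so rebuilding the rootfs does not duplicate the fstab line.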

The syz-manager config:

{
  "target": "linux/arm64",
  "http": "0.0.0.0:56741",
  # !! Replace /syzkaller with the path to the syzkaller checkout.
  # Workdir can be in whatever folder, keeping it in the checkout is just most convenient.
  "workdir": "/syzkaller/workdir",
  # !! Replace /linux with the path to the kernel checkout.
  # !! The kernel must be already built.
  # Here are the kernel config options that facilitate fuzzing: https://github.com/google/syzkaller/blob/master/docs/linux/kernel_configs.md
  "kernel_obj": "/linux",
  # !! Replace with the path to the rootfs image built with Buildroot above (output/images/rootfs.ext3 for the ext3 variant).
  "image": "/buildroot/output/images/rootfs.ext3",
  # !! Replace with the private key matching root's authorized_keys in the image (passwordless ssh).
  "sshkey": "/buildroot/ssh_key",
  # !! Replace with the path to the syzkaller checkout.
  "syzkaller": "/syzkaller",
  "procs": 4,
  "type": "qemu",
  "vm": {
    "count": 4,
    # !! Adjust this path accordingly: the arm64 kernel is an Image, not a bzImage.
    "kernel": "/linux/arch/arm64/boot/Image",
    # Note that syzkaller will use `count` * `cpu` CPUs and `count` * `mem` RAM.
    "cpu": 2,
    "mem": 2048
  }
}

This is the upstream example config, which targets linux/amd64 with a bzImage; for the aarch64 kernel built above the target becomes linux/arm64 and the kernel path arch/arm64/boot/Image, and for that target syzkaller's qemu backend launches qemu-system-aarch64 with the virt machine itself, so no extra qemu_args are needed. The `#` lines are accepted by syz-manager's config parser.