Running scripts/envsetup.sh will set up necessary environment
variables. One should select the kernel version during environment
setup, for example, v4.17
Kernel source codes used in this project are in the other reprository
which is included as a submodule. To initialize the submodule one
should execute git submodule update command as a follow.
git submodule update --init --depth=1 kernels_repo
scripts/install.sh will try to install all toolchains and tools.
The Razzer's static analysis is based on the LLVM toolchain and the
SVF static analysis tool. See documents in docs/static_analysis/.
Razzer's two-phases fuzzing is based on Syzkaller. The deterministic
scheduler is implemented using QEMU/KVM. See documents in
docs/fuzzing/.
Razzer: Finding Kernel Race Bugs through Fuzzing (IEEE S&P 2019)
- KASAN: slab-out-of-bounds write in tty_insert_flip_string_flag
- WARNING in __static_key_slow_dec
- Kernel BUG at net/packet/af_packet.c:LINE!
- WARNING in refcount_dec
- unable to handle kernel paging request in snd_seq_oss_readq_puts
- KASAN: use-after-free Read in loopback_active_get
- KASAN: null-ptr-deref Read in rds_ib_get_mr (assisted Syzkaller)
- KASAN: use-after-free Read in nd_jump_root (discussed more in the linux security mailing list)
- KASAN: use-after-free Read in link_path_walk (discussed in the linux security mailing list)
- WARNING in ip_recv_error
- KASAN: use-after-free Read in vhost_chr_write_iter
- BUG: soft lockup in snd_virmidi_output_trigger (assisted Syzkaller)
- KASAN: null-ptr-deref Read in smc_ioctl
- KASAN: null-ptr-deref Write in binder_update_page_range
- WARNING in port_delete
- KASAN: null-ptr-deref in inode_permission (discussed in the linux security mailing list)
- Dae R. Jeong ([email protected])
- Kyungtae Kim ([email protected])
- Basavesh Ammanaghatta Shivakumar ([email protected])
- Byoungyoung Lee ([email protected])
- Insik Shin ([email protected])