# FreeBSD

## How to run syzkaller on FreeBSD using qemu

So far the process is tested only on a linux/amd64 host. To build the Go binaries do:
```
make manager fuzzer execprog TARGETOS=freebsd
```
To build the C `syz-executor` binary, copy the `executor/*` files to a FreeBSD machine and build there with:
```
c++ executor/executor_freebsd.cc -o syz-executor -O1 -lpthread -DGOOS=\"freebsd\" -DGIT_REVISION=\"CURRENT_GIT_REVISION\"
```
Then, copy the binary back to the host into the `bin/freebsd_amd64` dir.

Building/running on a FreeBSD host should work as well, but currently our `Makefile` does not work there, so you will need to do its work manually.

Then, you need a FreeBSD image with root ssh access with a key. General instructions can be found in the [qemu instructions](https://wiki.qemu.org/Hosts/BSD). I used the `FreeBSD-11.0-RELEASE-amd64.qcow2` image, and it required a freshly built `qemu-system-x86_64` (networking did not work in the system-provided one). After booting add the following to `/boot/loader.conf`:
```
autoboot_delay="-1"
console="comconsole"
```
and the following to `/etc/rc.conf`:
```
sshd_enable="YES"
ifconfig_em0="inet 10.0.0.1 netmask 255.255.255.0"
```
Here is the `/etc/ssh/sshd_config` that I used:
```
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel INFO
AuthenticationMethods publickey password
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication yes
PermitEmptyPasswords yes
Subsystem sftp /usr/libexec/sftp-server
```

Check that you can run the VM with:
```
qemu-system-x86_64 -m 2048 -hda FreeBSD-11.0-RELEASE-amd64.qcow2 -enable-kvm -netdev user,id=mynet0,host=10.0.2.10,hostfwd=tcp::10022-:22 -device e1000,netdev=mynet0 -nographic
```
and ssh into it with a key.
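The "run the VM and ssh into it" check above is the step that most often fails silently (wrong key permissions, sshd not up yet, serial console hung). The following script, an added example rather than syzkaller's own code, builds the exact qemu command line shown in the text, verifies the private key is not group/other readable (ssh refuses such keys), starts the VM and polls the forwarded port until a key-only, non-interactive root login returns a FreeBSD `uname`. The image name and port are the ones from the text; the key path and all helper names are assumptions of this example.

```python
"""Start the FreeBSD test VM from the text and wait until key-based root ssh works.

Added example, not part of the syzkaller docs. Image name and forwarded port come
from the qemu command line in the text; SSH_KEY and the helper names are ours.
"""
import os
import shlex
import socket
import stat
import subprocess
import sys
import time

IMAGE = "FreeBSD-11.0-RELEASE-amd64.qcow2"              # image named in the text
SSH_PORT = 10022                                        # host port forwarded to guest :22
SSH_KEY = os.path.expanduser("~/.ssh/freebsd_id_rsa")   # assumed key location


def qemu_args(image, mem_mb=2048, ssh_port=SSH_PORT, kvm=True):
    """Build the qemu-system-x86_64 argument list matching the command in the text."""
    args = ["qemu-system-x86_64", "-m", str(mem_mb), "-hda", image]
    if kvm:
        args.append("-enable-kvm")
    args += [
        "-netdev", "user,id=mynet0,host=10.0.2.10,hostfwd=tcp::%d-:22" % ssh_port,
        "-device", "e1000,netdev=mynet0",
        "-nographic",
    ]
    return args


def key_mode_ok(path):
    """ssh rejects a private key that is group/other readable; mirror that check up front."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def ssh_args(key, port=SSH_PORT, host="localhost", user="root", cmd="uname -a"):
    """Non-interactive ssh invocation: key only, never prompt, short connect timeout."""
    return [
        "ssh", "-i", key, "-p", str(port),
        "-o", "BatchMode=yes",               # fail instead of falling back to a password prompt
        "-o", "ConnectTimeout=5",
        "-o", "StrictHostKeyChecking=no",    # throwaway guest: no pinned host key yet
        "-o", "UserKnownHostsFile=/dev/null",
        "%s@%s" % (user, host),
        cmd,
    ]


def port_open(host, port):
    """True if qemu's hostfwd listener accepts TCP connections on host:port."""
    with socket.socket() as s:
        s.settimeout(1)
        return s.connect_ex((host, port)) == 0


def wait_for_ssh(key, port=SSH_PORT, timeout=180):
    """Poll until `ssh root@localhost -p PORT uname -a` succeeds; return its output or None."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        if port_open("localhost", port):
            r = subprocess.run(ssh_args(key, port), capture_output=True, text=True)
            if r.returncode == 0 and "FreeBSD" in r.stdout:
                return r.stdout.strip()
        time.sleep(3)
    return None


if __name__ == "__main__":
    if not key_mode_ok(SSH_KEY):
        sys.exit("%s is group/other readable; chmod 600 it first" % SSH_KEY)
    vm = subprocess.Popen(qemu_args(IMAGE), stdin=subprocess.DEVNULL)
    print("started:", shlex.join(qemu_args(IMAGE)))
    banner = wait_for_ssh(SSH_KEY)
    if banner is None:
        vm.terminate()
        sys.exit("no ssh access within timeout; check loader.conf, rc.conf and sshd_config")
    print("guest reachable:", banner)
```

`BatchMode=yes` is what makes the check meaningful: with the `PasswordAuthentication yes` / `PermitEmptyPasswords yes` settings from the sshd_config above, an interactive ssh would happily log in without the key, and syz-manager (which only has the key) would still fail later.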

If all of the above worked, create a `freebsd.cfg` config file with the following contents (alter paths as necessary):
```
{
	"name": "freebsd",
	"target": "freebsd/amd64",
	"http": ":10000",
	"workdir": "/workdir",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"image": "/FreeBSD-11.1-RELEASE-amd64.qcow2",
	"sshkey": "/freebsd_id_rsa",
	"sandbox": "none",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"qemu": "/qemu/build/x86_64-softmmu/qemu-system-x86_64",
		"count": 10,
		"cpu": 4,
		"mem": 2048
	}
}
```

Then, start `syz-manager` with:
```
bin/syz-manager -config freebsd.cfg
```
It should start printing output along the lines of:
```
booting test machines...
wait for the connection from test machine...
machine check: 253 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
executed 3622, cover 1219, crashes 0, repro 0
executed 7921, cover 1239, crashes 0, repro 0
executed 32807, cover 1244, crashes 0, repro 0
executed 35803, cover 1248, crashes 0, repro 0
```
If something does not work, add the `-debug` flag to `syz-manager`.

## Missing things

- Coverage. `executor/executor_freebsd.cc` uses a very primitive fallback for coverage. We need KCOV for FreeBSD. It will also help to assess what's covered and what's missing.
- System call descriptions. `sys/freebsd/*.txt` is a dirty copy of `sys/linux/*.txt` with everything that does not compile dropped. We need to go through the syscalls and verify/fix/extend them, including devices/ioctls/etc.
- Currently only the `amd64` arch is supported. Supporting `386` would be useful, because it should cover compat paths. Also, we could do testing of the linux-compatibility subsystem.
- `pkg/csource` needs to be taught how to generate/build C reproducers.
- `pkg/host` needs to be taught how to detect supported syscalls/devices.
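Two things from the config and output sections above are worth automating before a long run: checking that `freebsd.cfg` has the keys and paths this setup needs, and reading the `executed N, cover N, crashes N, repro N` status lines so a crash or a stalled coverage count is noticed. The script below is an added example, not syzkaller's own code; it embeds the config and the sample output from the text as constructed input, and the list of checks, the stall heuristic and the helper names are assumptions of this example.

```python
"""Sanity-check a syz-manager config like the one above and summarise its status lines.

Added example, not syzkaller's own code. Config keys and the status line format are
the ones shown in the text; the checks, the stall rule and the helper names are ours.
"""
import json
import os
import re

# The config from the text, embedded here as constructed sample input.
SAMPLE_CFG = """
{
	"name": "freebsd",
	"target": "freebsd/amd64",
	"http": ":10000",
	"workdir": "/workdir",
	"syzkaller": "/gopath/src/github.com/google/syzkaller",
	"image": "/FreeBSD-11.1-RELEASE-amd64.qcow2",
	"sshkey": "/freebsd_id_rsa",
	"sandbox": "none",
	"procs": 8,
	"type": "qemu",
	"vm": {"qemu": "/qemu/build/x86_64-softmmu/qemu-system-x86_64", "count": 10, "cpu": 4, "mem": 2048}
}
"""

REQUIRED = ("name", "target", "http", "workdir", "syzkaller", "image", "sshkey", "type", "vm")


def check_config(cfg, check_paths=True):
    """Return a list of problems; an empty list means the config looks usable for this setup."""
    problems = ["missing key %r" % k for k in REQUIRED if k not in cfg]
    if problems:
        return problems
    if cfg["target"] != "freebsd/amd64":
        problems.append("target %r: only freebsd/amd64 is supported" % cfg["target"])
    if cfg["type"] != "qemu":
        problems.append("type %r: this page covers the qemu backend" % cfg["type"])
    vm = cfg["vm"]
    problems += ["vm.%s missing" % k for k in ("qemu", "count", "cpu", "mem") if k not in vm]
    if check_paths:  # skipped in tests; on a real host every path must resolve
        for key in ("image", "sshkey", "syzkaller", "workdir"):
            if not os.path.exists(cfg[key]):
                problems.append("%s path %r does not exist" % (key, cfg[key]))
        if "qemu" in vm and not os.access(vm["qemu"], os.X_OK):
            problems.append("vm.qemu %r is not executable" % vm["qemu"])
    return problems


# Sample output from the text, embedded as constructed input.
SAMPLE_LOG = """\
booting test machines...
wait for the connection from test machine...
machine check: 253 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
executed 3622, cover 1219, crashes 0, repro 0
executed 7921, cover 1239, crashes 0, repro 0
executed 32807, cover 1244, crashes 0, repro 0
executed 35803, cover 1248, crashes 0, repro 0
"""

STATUS_RE = re.compile(r"executed (\d+), cover (\d+), crashes (\d+), repro (\d+)")


def parse_status(text):
    """Extract (executed, cover, crashes, repro) tuples, in order, from syz-manager output."""
    return [tuple(int(x) for x in m.groups()) for m in STATUS_RE.finditer(text)]


def summarize(rows, stall_window=3):
    """Latest counters plus a 'stalled' flag.

    Stalled means `cover` was flat over the last `stall_window` status lines while
    `executed` kept rising: with the primitive fallback coverage (see Missing things)
    that usually means the signal has saturated and the run is no longer learning.
    """
    if not rows:
        return {"executed": 0, "cover": 0, "crashes": 0, "repro": 0, "stalled": False}
    executed, cover, crashes, repro = rows[-1]
    recent = rows[-stall_window:]
    stalled = (len(recent) == stall_window
               and len({r[1] for r in recent}) == 1
               and recent[-1][0] > recent[0][0])
    return {"executed": executed, "cover": cover, "crashes": crashes, "repro": repro, "stalled": stalled}


if __name__ == "__main__":
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else json.loads(SAMPLE_CFG)
    for problem in check_config(cfg, check_paths=len(sys.argv) > 1):
        print("config:", problem)
    log = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    print(summarize(parse_status(log)))
```

Run it as `python3 check.py freebsd.cfg manager.log` (or pipe `syz-manager` output to a file first) to get the path checks as well; with no arguments it only exercises the embedded sample. A non-zero `crashes` count means there is something under `workdir/crashes` to look at.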
- `pkg/report`/`pkg/symbolizer` need to be taught how to extract/symbolize kernel crash reports.
- We need to learn how to build/use a debug version of the kernel.
- KASAN for FreeBSD would be useful.
- On Linux we have emission of external networking/USB traffic into the kernel using tun/gadgetfs. Implementing these for FreeBSD could uncover a number of high-profile bugs.
- Last but not least, we need to support FreeBSD in the `syz-ci` command (including building the kernel/image continuously from git).