# Linux kernel configs

List of recommended kernel configs for `syzkaller`:

## Syzkaller features

To enable coverage collection, which is extremely important for effective fuzzing:
```
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_DEBUG_FS=y
```
Note that the `CONFIG_KCOV_ENABLE_COMPARISONS` feature also requires `gcc8+` and the following commits if you are testing an old kernel:
```
kcov: support comparison operands collection
kcov: fix comparison callback signature
```

To show code coverage in the web interface:
```
CONFIG_DEBUG_INFO=y
```

For detection of enabled syscalls and kernel bitness:
```
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
```

For the `namespace` sandbox:
```
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
```

If your kernel doesn't have the commits [arm64: setup: introduce kaslr_offset()](https://github.com/torvalds/linux/commit/7ede8665f27cde7da69e8b2fbeaa1ed0664879c5)
and [kcov: make kcov work properly with KASLR enabled](https://github.com/torvalds/linux/commit/4983f0ab7ffaad1e534b21975367429736475205), disable the following config:
```
# CONFIG_RANDOMIZE_BASE is not set
```

## Bug detection configs

Syzkaller is meant to be used with
[KASAN](https://kernel.org/doc/html/latest/dev-tools/kasan.html) (available upstream with `CONFIG_KASAN=y`),
[KTSAN](https://github.com/google/ktsan) (prototype available),
[KMSAN](https://github.com/google/kmsan) (prototype available),
or [KUBSAN](https://kernel.org/doc/html/latest/dev-tools/ubsan.html) (available upstream with `CONFIG_UBSAN=y`).

Enable `KASAN` for use-after-free and out-of-bounds detection:
```
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
```

For testing with fault injection, enable the following configs (syzkaller will pick them up automatically):
```
CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_FUTEX=y
```
Note: you also need the following commits if you are testing an old kernel:
```
fault-inject: support systematic fault injection
fault-inject: simplify access check for fail-nth
fault-inject: fix wrong should_fail() decision in task context
fault-inject: add /proc/<pid>/fail-nth
```

Any other debugging configs help as well (the more the better); here are some that proved to be especially useful:
```
CONFIG_LOCKDEP=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_PROVE_RCU=y
CONFIG_DEBUG_VM=y
CONFIG_REFCOUNT_FULL=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_WQ_WATCHDOG=y
```

Increase the RCU stall timeout to reduce the false positive rate:
```
CONFIG_RCU_CPU_STALL_TIMEOUT=60
```
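As an added example (not part of the syzkaller docs), the POSIX shell checker below reads a kernel `.config` and reports every option from the lists above that is missing, disabled (`# CONFIG_X is not set`) or set to a different value, so a build can be verified before fuzzing starts. The required-option list is a constructed subset of this page, and the sample `.config` fragment is constructed here; `check_config` returns the number of mismatches as its exit status.

```shell
#!/bin/sh
# Options we want, taken from the lists on this page (constructed subset).
# Value after '=' is the required value; a missing or "is not set" option reads as "n".
SYZ_REQUIRED="CONFIG_KCOV=y CONFIG_KCOV_INSTRUMENT_ALL=y CONFIG_KCOV_ENABLE_COMPARISONS=y \
CONFIG_DEBUG_FS=y CONFIG_DEBUG_INFO=y CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y \
CONFIG_KASAN=y CONFIG_KASAN_INLINE=y CONFIG_FAULT_INJECTION=y CONFIG_RCU_CPU_STALL_TIMEOUT=60"

# config_value FILE OPTION: print the value of OPTION ("y", "60", ...) or "n" if
# it is absent or appears only as "# OPTION is not set". Last occurrence wins.
config_value() {
    file="$1"; opt="$2"
    val=$(sed -n "s/^${opt}=//p" "$file" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# check_config FILE: print one "MISMATCH OPTION (want X, have Y)" line per
# option that differs from SYZ_REQUIRED; exit status is the mismatch count.
check_config() {
    file="$1"; bad=0
    for kv in $SYZ_REQUIRED; do
        opt=${kv%%=*}; want=${kv#*=}
        have=$(config_value "$file" "$opt")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $opt (want $want, have $have)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# make_sample_config: write a constructed .config fragment (not from a real
# kernel build) with two deliberate problems, and print its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_KCOV=y
CONFIG_KCOV_INSTRUMENT_ALL=y
# CONFIG_KCOV_ENABLE_COMPARISONS is not set
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_INFO=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_FAULT_INJECTION=y
CONFIG_RCU_CPU_STALL_TIMEOUT=21
EOF
    printf '%s\n' "$f"
}
```

Run it against a real build with `check_config /path/to/linux/.config`; for the constructed sample, `check_config "$(make_sample_config)"` reports the unset `CONFIG_KCOV_ENABLE_COMPARISONS` and the stall timeout of 21 instead of 60.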