sys/linux: kernel fuzzing lockdown

[xairy]

A number of cases come up over time where we crash/reboot/corrupt kernel, but it's working-as-intended and it's hard/impossible to filter out such cases statically. The idea is to introduce a "fuzzing lockdown" config that will very selectively disable these bits of kernel logic. Originally proposed by Tetsuo Handa. A proposed patch and a discussion: https://lkml.org/lkml/2019/12/16/212 A lengthy discussion on kernel mailing lists: https://lore.kernel.org/lkml/20190825104858.GA119494@gmail.com/T/ Another one: https://groups.google.com/d/msg/syzkaller-bugs/1rVENJf9P4U/QtGpapRxAgAJ

Here is list of concrete cases:

• k_spec()->fn_boot_it()->ctrl_alt_del() in drivers/tty/vt/keyboard.c can trigger a kernel reboot (detected as lost connection to test machine). Can be reached over a USB connected tty and presumably using evdev as well.
• audit subsystem can be setup to panic on lost audit messages (see audit_panic). syzbot bug and context.
• serial console code can write to random ports after some setup (see serial_port_out_sync). Context is lost, but it's mentioned in the patch.
• disabling of console output, FIFREEZE and other things we filter out during sanitization
• we could disable "unsafe" arguments to perf_event_open; we have full-load of rcu stalls caused by perf_event_open, they multiply by plague; it feels like a real bug, but if it's not fixed, maybe we could at least protect the fuzzer from these
• reboot system call come up here, we don't permit it explicitly, but syzkaller managed to invoke it via some ptrace magic and control flow hijacking

[dvyukov]

Is there any simple way to prevent this? Turn off some config?

[xairy]

I don't see one. We could disable CONFIG_VT, but that will affect fuzzing of virtual terminals.

[dvyukov]

This may be another candidate for the "fuzzing lockdown" feature that Tetsuo proposed on kernel mailing lists. I think we need to start collecting all these cases in a single issue, they are spread across random mailing lists.

[dvyukov]

Let's re-purpose this as a broader issues since we don't have a simple solution anyway.

[dvyukov]

Amusingly this was already discovered before and forgotten. You may see this patch from Tetsuo mentions k_spec: https://lkml.org/lkml/2019/12/16/212

[KumanekoSakura]

@xairy Initial patches for this purpose arrived at linux-next-20200428 . Please add CONFIG_TWIST_KERNEL_BEHAVIOR=y and CONFIG_TWIST_FOR_SYZKALLER_TESTING=y to your kernel config, and let's check whether the frequency of "unexpected kernel reboot (3)" and "lost connection to test machine (5)" on linux-next is reduced.