Golang程序
|
561行
|
14.19 KB
// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package qemu
import (
"fmt"
"io"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"time"
"github.com/google/syzkaller/pkg/config"
"github.com/google/syzkaller/pkg/log"
"github.com/google/syzkaller/pkg/osutil"
"github.com/google/syzkaller/vm/vmimpl"
)
const (
hostAddr = "10.0.2.10"
)
func init() {
vmimpl.Register("qemu", ctor)
}
type Config struct {
Count int `json:"count"` // number of VMs to use
Qemu string `json:"qemu"` // qemu binary name (qemu-system-arch by default)
QemuArgs string `json:"qemu_args"` // additional command line arguments for qemu binary
Kernel string `json:"kernel"` // kernel for injected boot (e.g. arch/x86/boot/bzImage)
Cmdline string `json:"cmdline"` // kernel command line (can only be specified with kernel)
Initrd string `json:"initrd"` // linux initial ramdisk. (optional)
ImageDevice string `json:"image_device"` // qemu image device (hda by default)
CPU int `json:"cpu"` // number of VM CPUs
Mem int `json:"mem"` // amount of VM memory in MBs
}
type Pool struct {
env *vmimpl.Env
cfg *Config
archConfig *archConfig
}
type instance struct {
cfg *Config
archConfig *archConfig
image string
debug bool
os string
workdir string
sshkey string
sshuser string
port int
rpipe io.ReadCloser
wpipe io.WriteCloser
qemu *exec.Cmd
merger *vmimpl.OutputMerger
files map[string]string
diagnose chan bool
}
type archConfig struct {
Qemu string
QemuArgs string
TargetDir string
CmdLine []string
// Weird mode for akaros.
// Currently akaros does not have support for building Go binaries.
// So we will run Go binaries (but not executor on host).
HostFuzzer bool
}
var archConfigs = map[string]*archConfig{
"linux/amd64": {
Qemu: "qemu-system-x86_64",
QemuArgs: "-enable-kvm",
TargetDir: "/",
CmdLine: append(linuxCmdline,
"kvm-intel.nested=1",
"kvm-intel.unrestricted_guest=1",
"kvm-intel.vmm_exclusive=1",
"kvm-intel.fasteoi=1",
"kvm-intel.ept=1",
"kvm-intel.flexpriority=1",
"kvm-intel.vpid=1",
"kvm-intel.emulate_invalid_guest_state=1",
"kvm-intel.eptad=1",
"kvm-intel.enable_shadow_vmcs=1",
"kvm-intel.pml=1",
"kvm-intel.enable_apicv=1",
),
},
"linux/386": {
Qemu: "qemu-system-i386",
TargetDir: "/",
CmdLine: linuxCmdline,
},
"linux/arm64": {
Qemu: "qemu-system-aarch64",
QemuArgs: "-machine virt -cpu cortex-a57",
TargetDir: "/",
CmdLine: linuxCmdline,
},
"linux/arm": {
Qemu: "qemu-system-arm",
TargetDir: "/",
CmdLine: linuxCmdline,
},
"linux/ppc64le": {
Qemu: "qemu-system-ppc64",
TargetDir: "/",
CmdLine: linuxCmdline,
},
"freebsd/amd64": {
Qemu: "qemu-system-x86_64",
TargetDir: "/",
QemuArgs: "-enable-kvm",
},
"netbsd/amd64": {
Qemu: "qemu-system-x86_64",
TargetDir: "/",
QemuArgs: "-enable-kvm",
},
"fuchsia/amd64": {
Qemu: "qemu-system-x86_64",
QemuArgs: "-enable-kvm -machine q35 -cpu host",
TargetDir: "/tmp",
CmdLine: []string{
"kernel.serial=legacy",
"kernel.halt-on-panic=true",
},
},
"akaros/amd64": {
Qemu: "qemu-system-x86_64",
QemuArgs: "-enable-kvm -cpu host",
TargetDir: "/",
HostFuzzer: true,
},
}
var linuxCmdline = []string{
"console=ttyS0",
"earlyprintk=serial",
"oops=panic",
"nmi_watchdog=panic",
"panic_on_warn=1",
"panic=86400",
"ftrace_dump_on_oops=orig_cpu",
"rodata=n",
"vsyscall=native",
"net.ifnames=0",
"biosdevname=0",
}
func ctor(env *vmimpl.Env) (vmimpl.Pool, error) {
archConfig := archConfigs[env.OS+"/"+env.Arch]
cfg := &Config{
Count: 1,
ImageDevice: "hda",
Qemu: archConfig.Qemu,
QemuArgs: archConfig.QemuArgs,
}
if err := config.LoadData(env.Config, cfg); err != nil {
return nil, fmt.Errorf("failed to parse qemu vm config: %v", err)
}
if cfg.Count < 1 || cfg.Count > 1000 {
return nil, fmt.Errorf("invalid config param count: %v, want [1, 1000]", cfg.Count)
}
if env.Debug {
cfg.Count = 1
}
if _, err := exec.LookPath(cfg.Qemu); err != nil {
return nil, err
}
if env.Image == "9p" {
if env.OS != "linux" {
return nil, fmt.Errorf("9p image is supported for linux only")
}
if cfg.Kernel == "" {
return nil, fmt.Errorf("9p image requires kernel")
}
} else {
if !osutil.IsExist(env.Image) {
return nil, fmt.Errorf("image file '%v' does not exist", env.Image)
}
}
if cfg.CPU <= 0 || cfg.CPU > 1024 {
return nil, fmt.Errorf("bad qemu cpu: %v, want [1-1024]", cfg.CPU)
}
if cfg.Mem < 128 || cfg.Mem > 1048576 {
return nil, fmt.Errorf("bad qemu mem: %v, want [128-1048576]", cfg.Mem)
}
cfg.Kernel = osutil.Abs(cfg.Kernel)
cfg.Initrd = osutil.Abs(cfg.Initrd)
pool := &Pool{
cfg: cfg,
env: env,
archConfig: archConfig,
}
return pool, nil
}
func (pool *Pool) Count() int {
return pool.cfg.Count
}
func (pool *Pool) Create(workdir string, index int) (vmimpl.Instance, error) {
sshkey := pool.env.SSHKey
sshuser := pool.env.SSHUser
if pool.env.Image == "9p" {
sshkey = filepath.Join(workdir, "key")
sshuser = "root"
if _, err := osutil.RunCmd(10*time.Minute, "", "ssh-keygen", "-t", "rsa", "-b", "2048",
"-N", "", "-C", "", "-f", sshkey); err != nil {
return nil, err
}
initFile := filepath.Join(workdir, "init.sh")
if err := osutil.WriteExecFile(initFile, []byte(strings.Replace(initScript, "{{KEY}}", sshkey, -1))); err != nil {
return nil, fmt.Errorf("failed to create init file: %v", err)
}
}
for i := 0; ; i++ {
inst, err := pool.ctor(workdir, sshkey, sshuser, index)
if err == nil {
return inst, nil
}
// Older qemu prints "could", newer -- "Could".
if i < 1000 && strings.Contains(err.Error(), "ould not set up host forwarding rule") {
continue
}
return nil, err
}
}
func (pool *Pool) ctor(workdir, sshkey, sshuser string, index int) (vmimpl.Instance, error) {
inst := &instance{
cfg: pool.cfg,
archConfig: pool.archConfig,
image: pool.env.Image,
debug: pool.env.Debug,
os: pool.env.OS,
workdir: workdir,
sshkey: sshkey,
sshuser: sshuser,
diagnose: make(chan bool, 1),
}
if st, err := os.Stat(inst.image); err != nil && st.Size() == 0 {
// Some kernels may not need an image, however caller may still
// want to pass us a fake empty image because the rest of syzkaller
// assumes that an image is mandatory. So if the image is empty, we ignore it.
inst.image = ""
}
closeInst := inst
defer func() {
if closeInst != nil {
closeInst.Close()
}
}()
var err error
inst.rpipe, inst.wpipe, err = osutil.LongPipe()
if err != nil {
return nil, err
}
if err := inst.Boot(); err != nil {
return nil, err
}
closeInst = nil
return inst, nil
}
func (inst *instance) Close() {
if inst.qemu != nil {
inst.qemu.Process.Kill()
inst.qemu.Wait()
}
if inst.merger != nil {
inst.merger.Wait()
}
if inst.rpipe != nil {
inst.rpipe.Close()
}
if inst.wpipe != nil {
inst.wpipe.Close()
}
}
func (inst *instance) Boot() error {
inst.port = vmimpl.UnusedTCPPort()
args := []string{
"-m", strconv.Itoa(inst.cfg.Mem),
"-smp", strconv.Itoa(inst.cfg.CPU),
// e1000e fails on recent Debian distros with:
// Initialization of device e1000e failed: failed to find romfile "efi-e1000e.rom
"-net", "nic,model=e1000",
"-net", fmt.Sprintf("user,host=%v,hostfwd=tcp::%v-:22", hostAddr, inst.port),
"-display", "none",
"-serial", "stdio",
"-no-reboot",
}
args = append(args, strings.Split(inst.cfg.QemuArgs, " ")...)
if inst.image == "9p" {
args = append(args,
"-fsdev", "local,id=fsdev0,path=/,security_model=none,readonly",
"-device", "virtio-9p-pci,fsdev=fsdev0,mount_tag=/dev/root",
)
} else if inst.image != "" {
args = append(args,
"-"+inst.cfg.ImageDevice, inst.image,
"-snapshot",
)
}
if inst.cfg.Initrd != "" {
args = append(args,
"-initrd", inst.cfg.Initrd,
)
}
if inst.cfg.Kernel != "" {
cmdline := append([]string{}, inst.archConfig.CmdLine...)
if inst.image == "9p" {
cmdline = append(cmdline,
"root=/dev/root",
"rootfstype=9p",
"rootflags=trans=virtio,version=9p2000.L,cache=loose",
"init="+filepath.Join(inst.workdir, "init.sh"),
)
} else {
cmdline = append(cmdline, "root=/dev/sda")
}
cmdline = append(cmdline, inst.cfg.Cmdline)
args = append(args,
"-kernel", inst.cfg.Kernel,
"-append", strings.Join(cmdline, " "),
)
}
if inst.debug {
log.Logf(0, "running command: %v %#v", inst.cfg.Qemu, args)
}
qemu := osutil.Command(inst.cfg.Qemu, args...)
qemu.Stdout = inst.wpipe
qemu.Stderr = inst.wpipe
if err := qemu.Start(); err != nil {
return fmt.Errorf("failed to start %v %+v: %v", inst.cfg.Qemu, args, err)
}
inst.wpipe.Close()
inst.wpipe = nil
inst.qemu = qemu
// Qemu has started.
// Start output merger.
var tee io.Writer
if inst.debug {
tee = os.Stdout
}
inst.merger = vmimpl.NewOutputMerger(tee)
inst.merger.Add("qemu", inst.rpipe)
inst.rpipe = nil
var bootOutput []byte
bootOutputStop := make(chan bool)
go func() {
for {
select {
case out := <-inst.merger.Output:
bootOutput = append(bootOutput, out...)
case <-bootOutputStop:
close(bootOutputStop)
return
}
}
}()
if err := vmimpl.WaitForSSH(inst.debug, 10*time.Minute, "localhost",
inst.sshkey, inst.sshuser, inst.os, inst.port); err != nil {
bootOutputStop <- true
<-bootOutputStop
return vmimpl.BootError{Title: err.Error(), Output: bootOutput}
}
bootOutputStop <- true
return nil
}
func (inst *instance) Forward(port int) (string, error) {
addr := hostAddr
if inst.archConfig.HostFuzzer {
addr = "127.0.0.1"
}
return fmt.Sprintf("%v:%v", addr, port), nil
}
func (inst *instance) targetDir() string {
if inst.image == "9p" {
return "/tmp"
}
return inst.archConfig.TargetDir
}
func (inst *instance) Copy(hostSrc string) (string, error) {
base := filepath.Base(hostSrc)
vmDst := filepath.Join(inst.targetDir(), base)
if inst.archConfig.HostFuzzer {
if base == "syz-fuzzer" || base == "syz-execprog" {
return hostSrc, nil // we will run these on host
}
if inst.files == nil {
inst.files = make(map[string]string)
}
inst.files[vmDst] = hostSrc
}
args := append(vmimpl.SCPArgs(inst.debug, inst.sshkey, inst.port),
hostSrc, inst.sshuser+"@localhost:"+vmDst)
if inst.debug {
log.Logf(0, "running command: scp %#v", args)
}
_, err := osutil.RunCmd(3*time.Minute, "", "scp", args...)
if err != nil {
return "", err
}
return vmDst, nil
}
func (inst *instance) Run(timeout time.Duration, stop <-chan bool, command string) (
<-chan []byte, <-chan error, error) {
rpipe, wpipe, err := osutil.LongPipe()
if err != nil {
return nil, nil, err
}
inst.merger.Add("ssh", rpipe)
sshArgs := vmimpl.SSHArgs(inst.debug, inst.sshkey, inst.port)
args := strings.Split(command, " ")
if bin := filepath.Base(args[0]); inst.archConfig.HostFuzzer &&
(bin == "syz-fuzzer" || bin == "syz-execprog") {
// Weird mode for akaros.
// Fuzzer and execprog are on host (we did not copy them), so we will run them as is,
// but we will also wrap executor with ssh invocation.
for i, arg := range args {
if strings.HasPrefix(arg, "-executor=") {
args[i] = "-executor=" + "/usr/bin/ssh " + strings.Join(sshArgs, " ") +
" " + inst.sshuser + "@localhost " + arg[len("-executor="):]
}
if host := inst.files[arg]; host != "" {
args[i] = host
}
}
} else {
args = []string{"ssh"}
args = append(args, sshArgs...)
args = append(args, inst.sshuser+"@localhost", "cd "+inst.targetDir()+" && "+command)
}
if inst.debug {
log.Logf(0, "running command: %#v", args)
}
cmd := osutil.Command(args[0], args[1:]...)
cmd.Dir = inst.workdir
cmd.Stdout = wpipe
cmd.Stderr = wpipe
if err := cmd.Start(); err != nil {
wpipe.Close()
return nil, nil, err
}
wpipe.Close()
errc := make(chan error, 1)
signal := func(err error) {
select {
case errc <- err:
default:
}
}
go func() {
retry:
select {
case <-time.After(timeout):
signal(vmimpl.ErrTimeout)
case <-stop:
signal(vmimpl.ErrTimeout)
case <-inst.diagnose:
cmd.Process.Kill()
goto retry
case err := <-inst.merger.Err:
cmd.Process.Kill()
if cmdErr := cmd.Wait(); cmdErr == nil {
// If the command exited successfully, we got EOF error from merger.
// But in this case no error has happened and the EOF is expected.
err = nil
}
signal(err)
return
}
cmd.Process.Kill()
cmd.Wait()
}()
return inst.merger.Output, errc, nil
}
func (inst *instance) Diagnose() bool {
select {
case inst.diagnose <- true:
default:
}
return false
}
// nolint: lll
const initScript = `#! /bin/bash
set -eux
mount -t proc none /proc
mount -t sysfs none /sys
mount -t debugfs nodev /sys/kernel/debug/
mount -t tmpfs none /tmp
mount -t tmpfs none /var
mount -t tmpfs none /run
mount -t tmpfs none /etc
mount -t tmpfs none /root
touch /etc/fstab
mkdir /etc/network
mkdir /run/network
printf 'auto lo\niface lo inet loopback\n\n' >> /etc/network/interfaces
printf 'auto eth0\niface eth0 inet static\naddress 10.0.2.15\nnetmask 255.255.255.0\nnetwork 10.0.2.0\ngateway 10.0.2.1\nbroadcast 10.0.2.255\n\n' >> /etc/network/interfaces
printf 'auto eth0\niface eth0 inet6 static\naddress fe80::5054:ff:fe12:3456/64\ngateway 2000:da8:203:612:0:3:0:1\n\n' >> /etc/network/interfaces
mkdir -p /etc/network/if-pre-up.d
mkdir -p /etc/network/if-up.d
ifup lo
ifup eth0 || true
echo "root::0:0:root:/root:/bin/bash" > /etc/passwd
mkdir -p /etc/ssh
cp {{KEY}}.pub /root/
chmod 0700 /root
chmod 0600 /root/key.pub
mkdir -p /var/run/sshd/
chmod 700 /var/run/sshd
groupadd -g 33 sshd
useradd -u 33 -g 33 -c sshd -d / sshd
cat > /etc/ssh/sshd_config <<EOF
Port 22
Protocol 2
UsePrivilegeSeparation no
HostKey {{KEY}}
PermitRootLogin yes
AuthenticationMethods publickey
ChallengeResponseAuthentication no
AuthorizedKeysFile /root/key.pub
IgnoreUserKnownHosts yes
AllowUsers root
LogLevel INFO
TCPKeepAlive yes
RSAAuthentication yes
PubkeyAuthentication yes
EOF
/usr/sbin/sshd -e -D
/sbin/halt -f
`