# NetBSD

## How to run syzkaller on NetBSD using qemu

1. Steps to set up NetBSD on qemu:
	* To create a .img file where the OS is stored (here `30G` makes the disk image 30 GB; anything above 10 GB is fine):
```
qemu-img create -f raw NetBSD.img 30G
```
	* To install the OS from the .iso into the .img (here `NetBSD-7.0.2-amd64.iso` is the installer ISO and `NetBSD.img` is the image created in the first step):
```
qemu-system-x86_64 -hda NetBSD.img -cdrom NetBSD-7.0.2-amd64.iso
```
	* To boot from the .img file from then on (run from the directory that contains the .img file):
```
qemu-system-x86_64 -hda NetBSD.img -redir tcp:10022::22
```
Here the `-redir` flag forwards port 10022 on the host to port 22 (ssh) on the guest. Note that `tcp:10022::22` listens on all host interfaces, so anyone who can reach the host can reach the guest's sshd; recent QEMU releases have removed `-redir` altogether, and the `-netdev user,...,hostfwd=...` form shown in step 7 (which can be bound to 127.0.0.1) should be used instead.

2. So far the process has been tested only on a linux/amd64 host. To build the Go binaries do:
```
make TARGETOS=netbsd
```

3. To build the C `syz-executor` binary, copy the `executor/*` files to the NetBSD machine and build them there with:
```
gcc executor/executor_netbsd.cc -o syz-executor -O1 -lpthread -DGOOS=\"netbsd\" -DGIT_REVISION=\"CURRENT_GIT_REVISION\"
```
Replace `CURRENT_GIT_REVISION` with the syzkaller git revision the Go binaries were built from (`git rev-parse HEAD` in the syzkaller tree), so that the executor and the Go binaries report the same revision.

With the port forwarding from step 1 in place, the files can be copied from the host into the guest with `scp` run on the host, e.g. `scp -P 10022 -r executor root@127.0.0.1:/root/` (`-r` is needed because `executor` is a directory). The form `scp host@ip:/directory-of-source /directory-of-destination` copies the other way round, from a remote machine to the machine the command is run on.

4. Then copy the binary back to the host into the `bin/netbsd_amd64` directory inside the syzkaller tree.

Building/running on a NetBSD host should work as well, but currently our `Makefile` does not work there, so you will need to do its work manually.

(Steps 5-7, which build an image with Anita, are optional if you already have a NetBSD VM up and running, e.g. the one installed in step 1. In that case continue with step 8 to set up key-based root ssh access for it.)

5. Then you need a NetBSD image with root ssh access using a key. General instructions can be found here: [qemu instructions](https://wiki.qemu.org/Hosts/BSD).

6. To prepare the image, use `anita` (the Python module `pexpect` must be installed for Anita to work):
```
git clone https://github.com/utkarsh009/anita
python anita/anita --workdir anitatemp install http://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-8/201710221410Z/amd64/
```
NOTE: You can choose your own release tree from here: http://ftp.netbsd.org/pub/NetBSD/
The URL of a daily build may stop existing in the future, and new release trees keep coming out.

7. Then spin up an instance from the image generated inside the `./anitatemp` directory:
```
qemu-system-x86_64 -m 1024 -drive file=anitatemp/wd0.img,format=raw,media=disk -netdev user,id=mynet0,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10022-:22 -device e1000,netdev=mynet0 -nographic
```
Here `hostfwd=tcp:127.0.0.1:10022-:22` forwards port 10022 on the host's loopback interface (and only there) to port 22 on the guest, and `host=10.0.2.10` is the address under which the guest sees the host on QEMU's user-mode network; the guest itself is given 10.0.2.15 in step 9.

8. Then create an ssh key pair without a passphrase and save it under a name of your choice, say, `netbsdkey`.

(This is done in the host OS until specified otherwise.)
```
ssh-keygen -t rsa -f netbsdkey -N ""
```
This produces the private key `netbsdkey` and the public key `netbsdkey.pub`.

(This is done in the guest OS until specified otherwise.)

9. Then append the following to `/etc/rc.conf`:
```
sshd=YES
ifconfig_wm0="inet 10.0.2.15 netmask 255.255.255.0"
```
(`wm0` is the name NetBSD gives the `e1000` NIC configured in step 7; 10.0.2.15 is the default guest address on QEMU's user-mode network.)

10. Append this to `/etc/ssh/sshd_config`:
```
Port 22
ListenAddress 10.0.2.15
PermitRootLogin without-password
```
`PermitRootLogin without-password` lets root log in with a key but never with a password. The default value of `PermitRootLogin` depends on the OpenSSH version and on the shipped config, so set it explicitly; otherwise the root login in step 12 may be refused.

11. Then add your public key (the contents of `netbsdkey.pub`) to `/root/.ssh/authorized_keys` and `reboot` the VM.

(Switch to host.)

12. When you see the login prompt, open another terminal on the host and issue the following command:
```
ssh -i netbsdkey -p 10022 root@127.0.0.1
```

If all of the above worked, `poweroff` the VM and create a `netbsd.cfg` config file with the following contents (alter paths as necessary):
```
{
	"name": "netbsd",
	"target": "netbsd/amd64",
	"http": ":10000",
	"workdir": "work",
	"syzkaller": "$GOPATH/src/github.com/google/syzkaller",
	"image": "anitatemp/wd0.img",
	"sshkey": "/path/to/netbsdkey",
	"sandbox": "none",
	"procs": 2,
	"type": "qemu",
	"vm": {
		"qemu": "qemu-system-x86_64",
		"count": 2,
		"cpu": 2,
		"mem": 2048
	}
}
```
Notes on the config:
- The directories have to be given as exact, absolute locations; in particular write out the value of `$GOPATH` rather than relying on it being expanded.
- The ssh keys must live in a separate directory with mode 700, and the key files themselves must have mode 600. On the host, `ssh` refuses to use a private key that is readable by group or others; in the guest, sshd's default `StrictModes` check ignores `/root/.ssh/authorized_keys` if the file or its directory is writable by others.
- `"http": ":10000"` binds the manager's web UI on all interfaces. The UI has no authentication, so on a shared host use `"127.0.0.1:10000"`.
- `"sandbox": "none"` runs the fuzzed programs as root in the guest with no isolation, which is fine for a throwaway VM that is expected to crash.


13. Then start `syz-manager` (from inside the syzkaller folder, where `netbsd.cfg` also lives):
```
bin/syz-manager -config netbsd.cfg
```
Also note that `PermitRootLogin without-password` must be set in the guest's `/etc/ssh/sshd_config` (step 10); without it sshd may refuse the key-based root login.

It should start printing output along the lines of:
```
booting test machines...
wait for the connection from test machine...
machine check: 253 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
executed 3622, cover 1219, crashes 0, repro 0
executed 7921, cover 1239, crashes 0, repro 0
executed 32807, cover 1244, crashes 0, repro 0
executed 35803, cover 1248, crashes 0, repro 0
```

14. If something does not work, add the `-debug` flag to `syz-manager`; it dumps all VM output to the console, which shows where the boot or the ssh login goes wrong.
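The procedure in steps 3-13 (boot the VM, wait until root can log in with the key, push the executor sources and build them in the guest, fetch the binary back, write the config and start the manager) can be scripted. The script below is an added example written for this page; it is not part of syzkaller or of the original text. It is plain POSIX sh and assumes the layout used above (the Anita image `wd0.img`, the key `netbsdkey`, host port 10022, a syzkaller checkout with `bin/syz-manager` already built), all of which are passed in as arguments; the file name `syz-netbsd.sh` is hypothetical. Two deliberate deviations from the page: the generated config binds the web UI to 127.0.0.1 instead of all interfaces, and the executor is built with the real git revision instead of the `CURRENT_GIT_REVISION` placeholder.

```shell
#!/bin/sh
# Added example, not syzkaller code: automates steps 3-13 of the NetBSD guide.
# Assumptions: image/key/syzkaller paths are passed as arguments, the guest
# gets ssh on host port 10022 (as in step 7), root in the guest has the key
# installed (steps 9-11) and bin/syz-manager has been built (step 2).
set -u

: "${SSH:=ssh}"                   # overridable so the helpers can be tested without a VM
: "${QEMU:=qemu-system-x86_64}"

# Step 7: boot the image with ssh forwarded to localhost:$port. The guest
# console goes to $log so the VM does not take over the terminal.
boot_vm() {
    image=$1; port=$2; log=$3
    "$QEMU" -m 1024 -drive "file=$image,format=raw,media=disk" \
        -netdev "user,id=mynet0,host=10.0.2.10,hostfwd=tcp:127.0.0.1:$port-:22" \
        -device e1000,netdev=mynet0 -nographic >"$log" 2>&1 </dev/null &
    VM_PID=$!
}

# Permission rule from the config notes: key directory 0700, key file 0600,
# i.e. no group/other bits. Columns 5-10 of `ls -l` are exactly those bits, so
# this works with both GNU and BSD userland (stat's flags differ between them).
# Returns 0 if both are private, 1 otherwise.
key_is_private() {
    key=$1
    dir=$(dirname "$key")
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ] || return 1
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# Step 12: poll the forwarded port until root can log in with the key.
# BatchMode makes ssh fail instead of prompting, so a guest that ignored
# PermitRootLogin or authorized_keys shows up as a timeout, not a hang.
wait_for_ssh() {
    key=$1; port=$2; timeout=$3
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if "$SSH" -i "$key" -p "$port" -o BatchMode=yes \
              -o StrictHostKeyChecking=no -o ConnectTimeout=2 \
              root@127.0.0.1 true 2>/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Generate netbsd.cfg from parameters (one of the items under "Missing things").
# Every path is made absolute, since syz-manager needs exact locations, and the
# web UI is bound to loopback because it has no authentication.
gen_config() {
    out=$1; syzdir=$2; image=$3; key=$4; count=$5; mem=$6
    syzdir=$(cd "$syzdir" && pwd)
    image=$(cd "$(dirname "$image")" && pwd)/$(basename "$image")
    key=$(cd "$(dirname "$key")" && pwd)/$(basename "$key")
    cat >"$out" <<EOF
{
	"name": "netbsd",
	"target": "netbsd/amd64",
	"http": "127.0.0.1:10000",
	"workdir": "$syzdir/work",
	"syzkaller": "$syzdir",
	"image": "$image",
	"sshkey": "$key",
	"sandbox": "none",
	"procs": 2,
	"type": "qemu",
	"vm": {
		"qemu": "$QEMU",
		"count": $count,
		"cpu": 2,
		"mem": $mem
	}
}
EOF
}

# Full run: boot, wait, build the executor in the guest (step 3), fetch it back
# (step 4), write the config and start the manager (step 13).
main() {
    syzdir=$1; image=$2; key=$3
    key_is_private "$key" || { echo "chmod 700 $(dirname "$key"); chmod 600 $key" >&2; return 1; }
    boot_vm "$image" 10022 vm-console.log
    if ! wait_for_ssh "$key" 10022 120; then
        kill "$VM_PID"; echo "no ssh login after 120s, see vm-console.log" >&2; return 1
    fi
    rev=$(cd "$syzdir" && git rev-parse HEAD)
    scp -i "$key" -P 10022 -r "$syzdir/executor" root@127.0.0.1:/root/
    "$SSH" -i "$key" -p 10022 root@127.0.0.1 \
        "gcc executor/executor_netbsd.cc -o syz-executor -O1 -lpthread -DGOOS=\\\"netbsd\\\" -DGIT_REVISION=\\\"$rev\\\""
    mkdir -p "$syzdir/bin/netbsd_amd64"
    scp -i "$key" -P 10022 root@127.0.0.1:/root/syz-executor "$syzdir/bin/netbsd_amd64/"
    kill "$VM_PID"   # syz-manager boots its own instances from the image
    gen_config "$syzdir/netbsd.cfg" "$syzdir" "$image" "$key" 2 2048
    (cd "$syzdir" && bin/syz-manager -config netbsd.cfg)
}

if [ "${1:-}" = "run" ]; then
    main "$2" "$3" "$4"
fi
```

Invoke it as `sh syz-netbsd.sh run /path/to/syzkaller /path/to/anitatemp/wd0.img /path/to/keys/netbsdkey`. Without the `run` argument the file only defines the functions, so it can be sourced and the helpers used on their own, for instance `key_is_private` as a pre-flight check before starting the manager. The hand-booted VM is killed before `syz-manager` starts because the manager boots its own instances from the same image.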

## Missing things

- Automating the configuration changes (like appending to config files), generating the json config file on the fly (with customizable values for the keys via command line parameters) and calling `syz-manager` with `anita` using just a single command.
- Coverage. `executor/executor_netbsd.cc` uses a very primitive fallback for coverage. We need KCOV for NetBSD. It will also help to assess what's covered and what's missing.
- System call descriptions. `sys/netbsd/*.txt` is a dirty copy of `sys/linux/*.txt` with everything that does not compile dropped. We need to go through the syscalls and verify/fix/extend them, including devices/ioctls/etc.
- Currently only the `amd64` arch is supported. Supporting `386` would be useful, because it should cover compat paths. We could also test the linux-compatibility subsystem.
- `pkg/csource` needs to be taught how to generate/build C reproducers.
- `pkg/host` needs to be taught how to detect supported syscalls/devices.
- `pkg/report`/`pkg/symbolizer` need to be taught how to extract/symbolize kernel crash reports.
- We need to learn how to build/use a debug version of the kernel.
- KASAN for NetBSD would be useful.
- On Linux we have emission of external networking/USB traffic into the kernel using tun/gadgetfs. Implementing these for NetBSD could uncover a number of high-profile bugs.
- Last but not least, we need to support NetBSD in the `syz-ci` command (including building the kernel/image continuously from git).