tools: Makefile: add check-syzos.sh

[ramosian-glider]

As shown in #5565, SYZOS code in the guest section cannot reference global data, because it is relocated into the guest memory.

While arm64 executor has a dynamic check for data accesses, it is virtually impossible to do the same on x86 without implementing an x86 disassembler. Instead of doing so, introduce a build-time script that will detect instructions referencing global data on a best-effort basis.

---

Before sending a pull request, please review Contribution Guidelines:
https://github.com/google/syzkaller/blob/master/docs/contributing.md

---

[ramosian-glider]

Example script output:

------------------------------------------------------------------
[FAIL] Found problematic data access instructions in 'guest'.
The following instructions are likely to cause crashes in SyzOS:
    1ea326:	48 8d 15 3b 26 04 00 	lea    0x4263b(%rip),%rdx        # 22c968 <_nl_C_name+0x208f>
------------------------------------------------------------------

[ramosian-glider]

And

[OK] No problematic data access instructions found in 'guest'.

[a-nogikh]

I wonder if it'd be better to represent in as one more https://github.com/google/syzkaller/blob/master/executor/style_test.go test.

[ramosian-glider]

style_test.go is checking the source code, whereas here we need to check the compiled binaries, do you think this case is a good fit?

[a-nogikh]

style_test.go is checking the source code, whereas here we need to check the compiled binaries, do you think this case is a good fit?

Ah, right, you need a binary.

Technically, it's quite straightforward to build executor from Go and we do it from multiple tests, e.g.

syzkaller/pkg/fuzzer/fuzzer_test.go

Line 43 in fdeaa69

executor := csource.BuildExecutor(t, target, "../..", "-fsanitize-coverage=trace-pc", "-g")

We also do have tests that build it for every arch (for which there's a compiler):

syzkaller/pkg/runtest/executor_test.go

Line 67 in fdeaa69

func TestExecutor(t *testing.T) {

---

How long does the test currently take? Is it necessarily better to do the check on each syzkaller build rather than make it a presubmit test?

[ramosian-glider]

Technically, it's quite straightforward to build executor from Go and we do it from multiple tests, e.g.

Note that the script does not build the executor, it looks at $TARGETOS and $TARGETARCH and takes the existing executor (the makefile target depends on it).
If we decide to rewrite the script in Go it will still have to parse objdump output and search for the patterns in it. Do you think Go is more preferable for this task?

We also do have tests that build it for every arch (for which there's a compiler):

For now SYZOS is only implemented for arm64 and amd64.

How long does the test currently take? Is it necessarily better to do the check on each syzkaller build rather than make it a presubmit test?

It takes 0.05 seconds, slightly slower than /bin/ls.
I think there is some value in running it for every build, because running the presubmits isn't something people do locally when changing the syzkaller.
This script adds an extra output line to the make invocation - if that will be bothering anyone we can change the script to only report failures.

[a-nogikh]

If we decide to rewrite the script in Go it will still have to parse objdump output and search for the patterns in it. Do you think Go is more preferable for this task?

If it'd be a presubmit test, I think it would be easier to orchestrate the process from Go. If we do it each build, probably doesn't matter much.

It takes 0.05 seconds, slightly slower than /bin/ls.

Cool!

This script adds an extra output line to the make invocation - if that will be bothering anyone we can change the script to only report failures.

If there's no much value in the extra output, I'd suggest we drop it right away.

Otherwise LGTM.

[ramosian-glider]

I changed the happy path to use echoerr instead of echo, so that make does not print anything by default.