
executor: support wifi subsystem fuzzing on FreeBSD #5992


Open. Wants to merge 1 commit into base: master.

Conversation

@estarriol43 (Author)

Use wtap devices, a wlan simulator, to inject raw frames into 802.11 stack in FreeBSD to fuzz WiFi subsystem.

Some known issues:
The coverage of this new pseudo syscall for FreeBSD is quite low compared to the Linux one. (~2000 LoC in FreeBSD, while ~20000 LoC in Linux). I think there may be some room for improvement.

Any suggestions are welcome!

estarriol43 requested review from markjdb and tuexen as code owners on May 1, 2025 12:20
@a-nogikh (Collaborator) commented May 2, 2025

Please note the CI errors. Specifically,

Error: The file is not formatted/regenerated. Run 'make generate' and include it into the commit.

estarriol43 force-pushed the freebsd/frame-injection-v2 branch from 4ad952e to 9a8d225 on May 2, 2025 15:53
@estarriol43 (Author)

Thanks for your review. I've fixed the formatting error according to the presubmit hook.

@a-nogikh (Collaborator) commented May 2, 2025

It's still not happy.

executor/common_bsd.h:1:1: The file is not formatted/regenerated. Run 'make generate' and include it into the commit.
Error: The file is not formatted/regenerated. Run 'make generate' and include it into the commit.

FWIW it's better to run the command from under the syz-env container to ensure that it formats the files using the same tool versions. E.g. ./tools/syz-env make generate.

Use a wtap device to inject raw frames into 802.11 stack
estarriol43 force-pushed the freebsd/frame-injection-v2 branch from 9a8d225 to 789c22c on May 3, 2025 02:19
@estarriol43 (Author)

I re-checked the format using syz-env on Linux. The FreeBSD toolchain somehow produces a different result than Linux.

@markjdb (Collaborator) commented May 3, 2025

Thanks, I'll try to test this in the coming days.

Has this produced any results (i.e., kernel crashes) for you? Do you have some evidence that it's sufficient to get decent code coverage in the net80211 stack?

@estarriol43 (Author)

I haven't found any bugs related to the net80211 stack with this patch. The coverage of this new pseudo syscall for FreeBSD is quite low compared to Linux. (~2000 LoC in FreeBSD, while ~20000 LoC in Linux).

However, Syzkaller doesn't fully support all coverage features on FreeBSD yet. It can only check how many lines of code are covered, not which part of the code, so it would be difficult to debug this new pseudo syscall.

@khanzf commented May 14, 2025

Hi,
Is there an order of how we want to test this? For example, frames get injected into ieee80211_input_*(); are we targeting a specific parser? Or a list of sub-functions?

I think enumerating what to target might be useful.
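To make concrete what "raw frames injected into the 802.11 stack" (the PR description) and "targeting a specific parser" (the question above) look like at the byte level, here is an added example that is not syzkaller's or FreeBSD's code and not the pseudo syscall this PR adds. It builds a well-formed 802.11 beacon, produces the one-byte-short mutation a fuzzer routinely generates, and walks the information elements with the bounds check a receive-side parser has to make before trusting an IE length. The frame layout follows the IEEE 802.11 management-frame format; the BSSID and SSID are constructed inputs; the `inject_frame()` path, which assumes a wtap node device accepts one raw frame per `write(2)` and the device path passed as `argv[1]` (e.g. `/dev/wtap0`), is an assumption and is not exercised unless you pass that argument.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Added example (not syzkaller/FreeBSD code): raw 802.11 beacon builder,
 * IE walker with bounds check, and an assumed write(2) injection path. */

#define IEEE80211_HDR_LEN 24  /* mgmt header: FC, duration, A1, A2, A3, seq */
#define BEACON_FIXED_LEN  12  /* timestamp(8) + interval(2) + capability(2) */
#define FC0_BEACON        0x80 /* FC byte 0: type mgmt (0), subtype beacon (8) */

struct frame {
    uint8_t buf[256];
    size_t len;
};

/* Append one IE (id, len, data). Returns 0 if it would overflow the buffer. */
static int put_ie(struct frame *f, uint8_t id, const uint8_t *data, size_t n)
{
    if (n > 255 || f->len + 2 + n > sizeof f->buf)
        return 0;
    f->buf[f->len++] = id;
    f->buf[f->len++] = (uint8_t)n;
    memcpy(f->buf + f->len, data, n);
    f->len += n;
    return 1;
}

/* Build a broadcast beacon from bssid advertising ssid on channel 6.
 * If truncate != 0, cut the frame one byte short inside the last IE
 * (a typical fuzzer mutation). Returns the frame length. */
size_t build_beacon(struct frame *f, const uint8_t bssid[6],
                    const char *ssid, size_t ssid_len, int truncate)
{
    static const uint8_t rates[] = { 0x82, 0x84, 0x8b, 0x96 }; /* 1,2,5.5,11 Mb/s basic */
    const uint8_t chan = 6;
    uint8_t *h = f->buf;

    memset(f, 0, sizeof *f);
    h[0] = FC0_BEACON;          /* h[1] flags, h[2..3] duration stay 0 */
    memset(h + 4, 0xff, 6);     /* A1: broadcast DA */
    memcpy(h + 10, bssid, 6);   /* A2: SA */
    memcpy(h + 16, bssid, 6);   /* A3: BSSID; h[22..23] seq ctl stays 0 */
    f->len = IEEE80211_HDR_LEN + 8;   /* 8-byte timestamp left as zeros */
    f->buf[f->len++] = 100;     /* beacon interval, little-endian: 100 TU */
    f->buf[f->len++] = 0;
    f->buf[f->len++] = 0x01;    /* capability: ESS */
    f->buf[f->len++] = 0x00;

    put_ie(f, 0, (const uint8_t *)ssid, ssid_len); /* SSID */
    put_ie(f, 1, rates, sizeof rates);             /* Supported Rates */
    put_ie(f, 3, &chan, 1);                        /* DS Parameter Set */

    if (truncate)
        f->len -= 1;
    return f->len;
}

/* Walk the IE list of a beacon. Returns the number of well-formed IEs, or -1
 * if the frame is shorter than its fixed part or an IE's length field runs
 * past the end of the frame. That check must precede any read of elem[2+i];
 * without it a truncated frame becomes an out-of-bounds read in the parser. */
int walk_ies(const uint8_t *frm, size_t len, int *ssid_len_out)
{
    const uint8_t *p, *end;
    int n = 0;

    if (len < IEEE80211_HDR_LEN + BEACON_FIXED_LEN)
        return -1;
    p = frm + IEEE80211_HDR_LEN + BEACON_FIXED_LEN;
    end = frm + len;
    while (p < end) {
        if ((size_t)(end - p) < 2)
            return -1;                      /* no room for id + len */
        uint8_t id = p[0], l = p[1];
        if (l > (size_t)(end - p) - 2)
            return -1;                      /* IE claims bytes the frame lacks */
        if (id == 0 && ssid_len_out)
            *ssid_len_out = l;
        p += 2 + l;
        n++;
    }
    return n;
}

/* ASSUMPTION: the wtap node device takes one raw frame per write(2) and
 * delivers it to net80211 as received data; fd is opened by the caller. */
ssize_t inject_frame(int fd, const struct frame *f)
{
    return write(fd, f->buf, f->len);
}

/* Demo over constructed inputs (locally administered BSSID, SSID "fuzz"). */
int demo_walk(int truncate)
{
    static const uint8_t bssid[6] = { 0x02, 0, 0, 0, 0, 0x01 };
    struct frame f;
    int ssid_len = -1;
    size_t len = build_beacon(&f, bssid, "fuzz", 4, truncate);
    return walk_ies(f.buf, len, &ssid_len);
}

size_t demo_len(int truncate)
{
    static const uint8_t bssid[6] = { 0x02, 0, 0, 0, 0, 0x01 };
    struct frame f;
    return build_beacon(&f, bssid, "fuzz", 4, truncate);
}

int main(int argc, char **argv)
{
    static const uint8_t bssid[6] = { 0x02, 0, 0, 0, 0, 0x01 };
    struct frame f;
    for (int i = 0; i < 2; i++) {
        size_t len = build_beacon(&f, bssid, "fuzz", 4, i);
        printf("%s beacon: %zu bytes, walk_ies=%d\n",
               i ? "truncated" : "well-formed", len, walk_ies(f.buf, len, NULL));
        if (argc > 1) {                     /* argv[1]: assumed wtap node device */
            int fd = open(argv[1], O_WRONLY);
            if (fd < 0 || inject_frame(fd, &f) < 0)
                perror("inject");
            if (fd >= 0)
                close(fd);
        }
    }
    return 0;
}
```

The well-formed beacon is 51 bytes and walks as three IEs; the truncated one is 50 bytes and the walker rejects it at the DS Parameter Set element, which is the kind of length/offset mismatch a fuzzer targeting the ieee80211_input_*() parsers would want to reach in every IE handler, not only in the beacon path.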


4 participants