lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Oct 2020 20:53:35 +0200 From: Andrey Konovalov <andreyknvl@...gle.com> To: Johannes Berg <johannes@...solutions.net>, Aleksandr Nogikh <a.nogikh@...il.com> Cc: "David S. Miller" <davem@...emloft.net>, kuba@...nel.org, Andrew Morton <akpm@...ux-foundation.org>, Eric Dumazet <edumazet@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Marco Elver <elver@...gle.com>, LKML <linux-kernel@...r.kernel.org>, netdev <netdev@...r.kernel.org>, linux-wireless@...r.kernel.org, Aleksandr Nogikh <nogikh@...gle.com> Subject: Re: [PATCH v2 0/3] [PATCH v2 0/3] [PATCH v2 0/3] net, mac80211, kernel: enable KCOV remote coverage collection for 802.11 frame handling On Sun, Oct 11, 2020 at 8:50 PM Johannes Berg <johannes@...solutions.net> wrote: > > On Fri, 2020-10-09 at 17:01 +0000, Aleksandr Nogikh wrote: > > From: Aleksandr Nogikh <nogikh@...gle.com> > > > > This patch series enables remote KCOV coverage collection during > > 802.11 frames processing. These changes make it possible to perform > > coverage-guided fuzzing in search of remotely triggerable bugs. > > Btw, it occurred to me that I don't know at all - is this related to > syzkaller? Or is there some other fuzzing you're working on? Can we get > the bug reports from it if it's different? :) Yes, all this is for syzkaller :) > > Also, unrelated to that (but I see Dmitry CC'ed), I started wondering if > it'd be helpful to have an easier raw 802.11 inject path on top of say > hwsim0; I noticed some syzbot reports where it created raw sockets, but > that only gets you into the *data* plane of the wifi stack, not into the > *management* plane. Theoretically you could add a monitor interface, but > right now the wifi setup (according to the current docs on github) is > using two IBSS interfaces. > > Perhaps an inject path on the mac80211-hwsim "hwsim0" interface would be > something to consider? Or simply adding a third radio that's in > "monitor" mode, so that a raw socket bound to *that* interface can > inject with a radiotap header followed by an 802.11 frame, getting to > arbitrary frame handling code, not just data frames. I'll let Aleksandr address this part.
Powered by blists - more mailing lists