Hi Farhan Khan,

The idea is to use Syzkaller, a kernel fuzzer, to fuzz the WiFi stack. Syzkaller will randomly generate 802.11 frames and inject them using the syz_80211_inject_frame syscall.
You can follow the write-up to set up the environment. https://hackmd.io/byPgVrEwRWSA5LKc56-30Q

------

Best Regards,
Jian-Lin Li

> On May 14, 2025, at 10:39 PM, Farhan Khan <farhan@farhan.codes> wrote:
>
> On Wed, May 14, 2025, at 10:27 AM, Jian-Lin Li wrote:
>> Hi Tom,
>>
>> I think we can start by improving the coverage information, so we can
>> identify which parts of the code have been fuzzed. Currently, Syzkaller
>> can only report how many lines of code are covered, but not which
>> specific parts.
>>
>> The coverage functionality is implemented by the make function in
>> pkg/cover/backend/backend.go in Syzkaller. We can port this
>> functionality from Linux to FreeBSD to enable more detailed coverage
>> information.
>>
>> Best Regards,
>>
>> Jian-Lin Li
>> ljianli...@gmail.com
>>
>
> To add to this question, is the idea to target specific functions with a
> frame that we know will "get through" to the net80211 stack via
> ieee80211_input_*(), and try to fuzz the handling?
>
> I would love to see an example, if you could point me to the right
> direction within the code.
>
> Also, should this be considered a test within the src tree, rather than a
> stand-alone package?
>
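The coverage discussion above (turning "how many PCs were hit" into "which net80211 functions were reached") comes down to mapping raw program counters onto the kernel's symbol table. The following is an added example and not code from the thread or from Syzkaller's pkg/cover backend; the symbol addresses and the PC trace are constructed, and the function names are only borrowed from those the thread mentions.

```go
package main

import (
	"fmt"
	"sort"
)

// Symbol is one function's address range [Start, End) from the kernel symbol table.
type Symbol struct {
	Name       string
	Start, End uint64
}

// Attribute turns a raw PC trace (ordered, with repeats, as kcov reports it) into
// distinct-PC hit counts per function; PCs outside every symbol go to "<no symbol>".
func Attribute(syms []Symbol, trace []uint64) map[string]int {
	seen, hits := map[uint64]bool{}, map[string]int{}
	for _, pc := range trace {
		if seen[pc] { // a PC is reported every time it executes; count it once
			continue
		}
		seen[pc] = true
		// syms is sorted by Start and non-overlapping, so the first symbol
		// with End > pc is the only one that can contain pc.
		i := sort.Search(len(syms), func(i int) bool { return syms[i].End > pc })
		name := "<no symbol>"
		if i < len(syms) && syms[i].Start <= pc {
			name = syms[i].Name
		}
		hits[name]++
	}
	return hits
}

// Constructed sample data: addresses are invented; names follow functions in the thread.
var sampleSyms = []Symbol{
	{"ieee80211_input", 0xffffffff80a10000, 0xffffffff80a10400},
	{"ieee80211_input_all", 0xffffffff80a10400, 0xffffffff80a10500},
	{"ieee80211_recv_mgmt", 0xffffffff80a12000, 0xffffffff80a12800},
}
var sampleTrace = []uint64{ // a repeated PC, two adjacent-symbol boundaries, one stray PC
	0xffffffff80a10010, 0xffffffff80a10044, 0xffffffff80a10010, 0xffffffff80a103ff,
	0xffffffff80a10400, 0xffffffff80a12100, 0xffffffff80a20000,
}

func main() {
	fmt.Println(Attribute(sampleSyms, sampleTrace))
}
```

A real backend would load the ranges from the kernel ELF and still needs file/line resolution per PC; this step only decides which function each coverage point belongs to.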