On Fri, 2020-10-09 at 17:01 +0000, Aleksandr Nogikh wrote: > From: Aleksandr Nogikh <nogikh@xxxxxxxxxx> > > This patch series enables remote KCOV coverage collection during > 802.11 frames processing. These changes make it possible to perform > coverage-guided fuzzing in search of remotely triggerable bugs. Btw, it occurred to me that I don't know at all - is this related to syzkaller? Or is there some other fuzzing you're working on? Can we get the bug reports from it if it's different? :) Also, unrelated to that (but I see Dmitry CC'ed), I started wondering if it'd be helpful to have an easier raw 802.11 inject path on top of say hwsim0; I noticed some syzbot reports where it created raw sockets, but that only gets you into the *data* plane of the wifi stack, not into the *management* plane. Theoretically you could add a monitor interface, but right now the wifi setup (according to the current docs on github) is using two IBSS interfaces. Perhaps an inject path on the mac80211-hwsim "hwsim0" interface would be something to consider? Or simply adding a third radio that's in "monitor" mode, so that a raw socket bound to *that* interface can inject with a radiotap header followed by an 802.11 frame, getting to arbitrary frame handling code, not just data frames. Any thoughts? johannes
