On Sun, Oct 11, 2020 at 8:50 PM Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote: > > On Fri, 2020-10-09 at 17:01 +0000, Aleksandr Nogikh wrote: > > From: Aleksandr Nogikh <nogikh@xxxxxxxxxx> > > > > This patch series enables remote KCOV coverage collection during > > 802.11 frames processing. These changes make it possible to perform > > coverage-guided fuzzing in search of remotely triggerable bugs. > > Btw, it occurred to me that I don't know at all - is this related to > syzkaller? Or is there some other fuzzing you're working on? Can we get > the bug reports from it if it's different? :) Yes, all this is for syzkaller :) > > Also, unrelated to that (but I see Dmitry CC'ed), I started wondering if > it'd be helpful to have an easier raw 802.11 inject path on top of say > hwsim0; I noticed some syzbot reports where it created raw sockets, but > that only gets you into the *data* plane of the wifi stack, not into the > *management* plane. Theoretically you could add a monitor interface, but > right now the wifi setup (according to the current docs on github) is > using two IBSS interfaces. > > Perhaps an inject path on the mac80211-hwsim "hwsim0" interface would be > something to consider? Or simply adding a third radio that's in > "monitor" mode, so that a raw socket bound to *that* interface can > inject with a radiotap header followed by an 802.11 frame, getting to > arbitrary frame handling code, not just data frames. I'll let Aleksandr address this part.
