Using syzkaller, part 4: Driver fuzzing
Ricardo Cañuelo Navarro describes
the challenges associated with fuzzing complex device drivers with Syzkaller — and
some solutions. "V4L2, however, is only supported in the sense that
the involved system calls (including the myriad V4L2 ioctls) and data
structures are described. This is already useful and, equipped with those
descriptions, Syzkaller has been able to find many V4L2 bugs. But the
fuzzing process contains a lot of randomness and, while that's a good thing
in many cases when it comes to fuzzing, due to the complexity of the V4L2
API, simply randomizing the system calls and their inputs may not be enough
to reach most of the code in some drivers, especially in drivers with
complicated interfaces such as those based on the Request API, including
stateless drivers."