github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/linux/wifi_fuzzing.md

# Wifi fuzzing

Syzkaller supports fuzzing Linux's 802.11 (WiFi) subsystem.
Currently it focuses on the following two targets:
- Configuration and management functionality. It is exposed via the nl80211 interface of the Linux kernel.
- Incoming wireless frame processing. Syzkaller reaches the corresponding code by injecting 802.11 frames. This functionality is under development at the moment.

This document describes the internals of the approach and keeps track of the progress towards its complete implementation.

## General approach

Syzkaller uses the [mac80211_hwsim](https://wireless.wiki.kernel.org/en/users/drivers/mac80211_hwsim) module to emulate wifi devices.

In order to simplify reproducer generation and to have an operable 802.11 network from the very beginning, syzkaller performs the following at executor initialization. If the `wifi` feature is enabled (it is enabled by default), then:
1. Two virtual wifi devices are created and assigned predefined MAC addresses (08:02:11:00:00:00 and 08:02:11:00:00:01).
2. These devices are put into `IBSS` mode.
3. These devices form an IBSS network. Network parameters are predefined: BSSID (50:50:50:50:50:50), SSID ('\x10\x10\x10\x10\x10\x10'), channel (2412 MHz). After this step, the network is operable and 802.11 frame injection is possible.

These steps happen inside the `initialize_wifi_devices` function of `executor/common_linux.h`.

In order to facilitate 802.11 fuzzing, two pseudo syscalls are also introduced.
1. `syz_80211_inject_frame(mac_addr, buf, buf_len)` performs 802.11 frame injection. The frame will appear to be received at the specified network interface.
2. `syz_80211_join_ibss(network_interface, ssid, ssid_len, wait_mode)` puts the corresponding network interface into IBSS mode and joins the specified ad-hoc network. Although an IBSS network is already formed at the very beginning, the fuzzer can quickly take interfaces out of the operational state (e.g. by deleting and re-adding them), and it would be very problematic for the fuzzer to restore the operational state without such a call. Similar syscalls might be added for other wifi modes as well.

## nl80211 commands list

| Command | In descriptions | Comment |
| ------- | --------------- | ------- |
| `NL80211_CMD_ABORT_SCAN` | yes | |
| `NL80211_CMD_ADD_NAN_FUNCTION` | yes | Not supported by `mac80211_hwsim` |
| `NL80211_CMD_ADD_TX_TS` | yes | |
| `NL80211_CMD_ASSOCIATE` | yes | |
| `NL80211_CMD_AUTHENTICATE` | yes | |
| `NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL` | yes | |
| `NL80211_CMD_CHANGE_NAN_CONFIG` | yes | Not supported by `mac80211_hwsim` |
| `NL80211_CMD_CHANNEL_SWITCH` | yes | |
| `NL80211_CMD_CONNECT` | yes | |
| `NL80211_CMD_CONTROL_PORT_FRAME` | yes | |
| `NL80211_CMD_CRIT_PROTOCOL_START` | yes | |
| `NL80211_CMD_CRIT_PROTOCOL_STOP` | yes | |
| `NL80211_CMD_DEAUTHENTICATE` | yes | |
| `NL80211_CMD_DEL_INTERFACE` | yes | |
| `NL80211_CMD_DEL_KEY` | yes | |
| `NL80211_CMD_DEL_MPATH` | yes | |
| `NL80211_CMD_DEL_NAN_FUNCTION` | yes | Not supported by `mac80211_hwsim` |
| `NL80211_CMD_DEL_PMK` | yes | |
| `NL80211_CMD_DEL_PMKSA` | yes | |
| `NL80211_CMD_DEL_STATION` | yes | |
| `NL80211_CMD_DEL_TX_TS` | yes | |
| `NL80211_CMD_DISASSOCIATE` | yes | |
| `NL80211_CMD_DISCONNECT` | yes | |
| `NL80211_CMD_EXTERNAL_AUTH` | yes | |
| `NL80211_CMD_FLUSH_PMKSA` | yes | |
| `NL80211_CMD_FRAME` | yes | |
| `NL80211_CMD_FRAME_WAIT_CANCEL` | yes | |
| `NL80211_CMD_GET_COALESCE` | yes | |
| `NL80211_CMD_GET_FTM_RESPONDER_STATS` | yes | |
| `NL80211_CMD_GET_INTERFACE` | yes | |
| `NL80211_CMD_GET_KEY` | yes | |
| `NL80211_CMD_GET_MESH_CONFIG` | yes | |
| `NL80211_CMD_GET_MPATH` | yes | |
| `NL80211_CMD_GET_MPP` | yes | |
| `NL80211_CMD_GET_POWER_SAVE` | yes | |
| `NL80211_CMD_GET_PROTOCOL_FEATURES` | yes | |
| `NL80211_CMD_GET_REG` | yes | |
| `NL80211_CMD_GET_SCAN` | yes | |
| `NL80211_CMD_GET_STATION` | yes | |
| `NL80211_CMD_GET_SURVEY` | yes | |
| `NL80211_CMD_GET_WIPHY` | yes | |
| `NL80211_CMD_GET_WOWLAN` | yes | Requires `CONFIG_PM` |
| `NL80211_CMD_JOIN_IBSS` | yes | |
| `NL80211_CMD_JOIN_MESH` | yes | |
| `NL80211_CMD_JOIN_OCB` | yes | |
| `NL80211_CMD_LEAVE_IBSS` | yes | |
| `NL80211_CMD_LEAVE_MESH` | yes | |
| `NL80211_CMD_LEAVE_OCB` | yes | |
| `NL80211_CMD_NEW_INTERFACE` | yes | |
| `NL80211_CMD_NEW_KEY` | yes | |
| `NL80211_CMD_NEW_MPATH` | yes | |
| `NL80211_CMD_NEW_STATION` | yes | |
| `NL80211_CMD_NOTIFY_RADAR` | yes | |
| `NL80211_CMD_PEER_MEASUREMENT_START` | yes | |
| `NL80211_CMD_PROBE_CLIENT` | yes | |
| `NL80211_CMD_PROBE_MESH_LINK` | yes | |
| `NL80211_CMD_RADAR_DETECT` | yes | |
| `NL80211_CMD_REGISTER_BEACONS` | yes | |
| `NL80211_CMD_REGISTER_FRAME` | yes | |
| `NL80211_CMD_RELOAD_REGDB` | yes | |
| `NL80211_CMD_REMAIN_ON_CHANNEL` | yes | |
| `NL80211_CMD_REQ_SET_REG` | yes | |
| `NL80211_CMD_SET_BEACON` | yes | |
| `NL80211_CMD_SET_BSS` | yes | |
| `NL80211_CMD_SET_CHANNEL` | yes | |
| `NL80211_CMD_SET_COALESCE` | yes | |
| `NL80211_CMD_SET_CQM` | yes | |
| `NL80211_CMD_SET_INTERFACE` | yes | |
| `NL80211_CMD_SET_KEY` | yes | |
| `NL80211_CMD_SET_MAC_ACL` | yes | |
| `NL80211_CMD_SET_MCAST_RATE` | yes | |
| `NL80211_CMD_SET_MESH_CONFIG` | yes | |
| `NL80211_CMD_SET_MPATH` | yes | |
| `NL80211_CMD_SET_MULTICAST_TO_UNICAST` | yes | |
| `NL80211_CMD_SET_NOACK_MAP` | yes | |
| `NL80211_CMD_SET_PMK` | yes | |
| `NL80211_CMD_SET_PMKSA` | yes | |
| `NL80211_CMD_SET_POWER_SAVE` | yes | |
| `NL80211_CMD_SET_QOS_MAP` | yes | |
| `NL80211_CMD_SET_REG` | yes | Requires `CONFIG_CFG80211_CRDA_SUPPORT` |
| `NL80211_CMD_SET_REKEY_OFFLOAD` | yes | |
| `NL80211_CMD_SET_STATION` | yes | |
| `NL80211_CMD_SET_TID_CONFIG` | yes | |
| `NL80211_CMD_SET_TX_BITRATE_MASK` | yes | |
| `NL80211_CMD_SET_WDS_PEER` | yes | |
| `NL80211_CMD_SET_WIPHY` | yes | |
| `NL80211_CMD_SET_WIPHY_NETNS` | yes | |
| `NL80211_CMD_SET_WOWLAN` | yes | Requires `CONFIG_PM` |
| `NL80211_CMD_START_AP` | yes | |
| `NL80211_CMD_START_NAN` | yes | Not supported by `mac80211_hwsim` |
| `NL80211_CMD_START_P2P_DEVICE` | yes | |
| `NL80211_CMD_START_SCHED_SCAN` | yes | |
| `NL80211_CMD_STOP_AP` | yes | |
| `NL80211_CMD_STOP_NAN` | yes | Not supported by `mac80211_hwsim` |
| `NL80211_CMD_STOP_P2P_DEVICE` | yes | |
| `NL80211_CMD_STOP_SCHED_SCAN` | yes | |
| `NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH` | yes | |
| `NL80211_CMD_TDLS_CHANNEL_SWITCH` | yes | |
| `NL80211_CMD_TDLS_MGMT` | yes | |
| `NL80211_CMD_TDLS_OPER` | yes | |
| `NL80211_CMD_TESTMODE` | yes | Requires `CONFIG_NL80211_TESTMODE` |
| `NL80211_CMD_TRIGGER_SCAN` | yes | |
| `NL80211_CMD_UNEXPECTED_FRAME` | yes | |
| `NL80211_CMD_UPDATE_CONNECT_PARAMS` | yes | |
| `NL80211_CMD_UPDATE_FT_IES` | yes | |
| `NL80211_CMD_UPDATE_OWE_INFO` | yes | |
| `NL80211_CMD_VENDOR` | yes | |

## 802.11 frames

This is not an exhaustive list, as it does not include all frames/commands that are defined by the 802.11 standards. However, it aims to include all frames supported by mac80211.

### Data frames

| Feature | In descriptions | Supported by mac80211 |
| ------- | --------------- | --------------------- |
| QoS control | yes | yes |
| HT control | yes | yes |
| A-MSDU | yes | yes |
| Short A-MSDU | no | no? |
| Frame encryption | no | yes |

### Management frames

| Command | In descriptions | Supported by mac80211 |
| ------- | --------------- | --------------------- |
| Association Request | yes | yes |
| Association Response | yes | yes |
| Reassociation Request | yes | yes |
| Reassociation Response | yes | yes |
| Probe Request | yes | yes |
| Probe Response | yes | yes |
| Timing Advertisement | not yet | no |
| Beacon | yes | yes |
| ATIM | not yet | no |
| Disassociation | yes | yes |
| Authentication | yes | yes |
| Deauthentication | yes | yes |
| Action | see below | yes |
| Action No Ack | see below | no |

### Management Actions

| Category | Command | In descriptions | Supported by mac80211 |
| -------- | ------- | --------------- | --------------------- |
| Spectrum Management | Measurement Request | partially | receives and refuses |
| Spectrum Management | Measurement Report | no | no |
| Spectrum Management | TPC Request | no | no |
| Spectrum Management | TPC Report | no | no |
| Spectrum Management | Channel Switch Announcement | yes | yes |
| Block ACK | ADDBA Request | yes | yes |
| Block ACK | ADDBA Response | yes | yes |
| Block ACK | DELBA | yes | yes |
| Public | Extended Channel Switch Announcement | yes | yes |
| HT | Notify Channel Width | yes | yes |
| HT | SM Power Save | yes | yes |
| HT | PSMP | no | no |
| HT | Set PCO Phase | no | no |
| HT | CSI | no | no |
| SA Query | SA Query Request | yes | yes |
| SA Query | SA Query Response | no | no |
| TDLS | Setup Request | yes | yes |
| TDLS | Setup Response | yes | yes |
| TDLS | Setup Confirm | yes | yes |
| TDLS | Teardown | yes | yes |
| TDLS | Discovery Request | yes | yes |
| TDLS | Channel Switch Request | yes | yes |
| TDLS | Channel Switch Response | yes | yes |
| Mesh | HWMP Mesh Path Selection | yes | yes |
| Self Protected | Mesh Peering Open | yes | yes |
| Self Protected | Mesh Peering Close | yes | yes |
| Self Protected | Mesh Peering Confirm | yes | yes |
| VHT | Operating Mode Notification | yes | yes |
| VHT | Group ID Management | yes | yes |

### Control frames

| Command | In descriptions | Supported by mac80211 |
| ------- | --------------- | --------------------- |
| Trigger | no | no |
| Beamforming Report Poll | no | no |
| VHT/HE NDP Announcement | no | no |
| Control Frame Extension | no | no |
| Control Wrapper | no | no |
| Block Ack Request (BAR) | yes (802.11n) | yes |
| Block Ack (BA) | yes (802.11n) | ? |
| PS-Poll | yes | ? |
| RTS | yes | no |
| CTS | yes | no |
| ACK | yes | no |
| CF-End | yes | ? |
| CF-End + CF-ACK | yes | ? |

### Information Elements

| ID | IE | In descriptions | Supported by mac80211 |
| -- | -- | --------------- | --------------------- |
| 0 | SSID | yes | yes |
| 1 | Supported Rates | yes | yes |
| 3 | DS | yes | yes |
| 4 | CF | yes | yes |
| 5 | Traffic Indication Map | yes | yes |
| 6 | IBSS | yes | yes |
| 7 | HT Capabilities | yes | ? |
| 10 | Request | no | no |
| 37 | Channel Switch Announcement | yes | yes |
| 38 | Measurement Request | yes | yes |
| 42 | Extended Rate PHY (ERP) | yes | yes? |
| 55 | Fast BSS Transition element | yes | yes |
| 60 | Extended Channel Switch Announcement | yes | ? |
| 62 | Secondary Channel Offset | yes | yes |
| 101 | Link Identifier | yes | ? |
| 104 | Channel Switch Timing Information | yes | ? |
| 113 | Mesh Config | yes | yes |
| 114 | Mesh ID | yes | yes |
| 117 | Mesh Peering Management | yes | yes |
| 118 | MESH Channel Switch | yes | yes |
| 126 | RANN | yes | yes |
| 130 | PREQ | yes | yes |
| 131 | PREP | yes | yes |
| 132 | PERR | yes | yes |
| 140 | MIC | yes | yes |
| 189 | GCR Group Address | yes | no |
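The general approach above describes frames handed to `syz_80211_inject_frame` for the predefined IBSS network, and the table above lists the Information Elements (IEs) those frames carry. The following Python is an added example written for this page, not syzkaller's own code: it builds a beacon for the network described earlier (BSSID 50:50:50:50:50:50, SSID of six 0x10 bytes, 2412 MHz) from the IE IDs in the table (SSID 0, Supported Rates 1, DS 3, IBSS 6) and then parses it back with a strict TLV walk that rejects an IE whose declared length runs past the end of the buffer, the kind of malformed input that frame fuzzing exercises in the receive path. The function and constant names (`build_beacon`, `parse_beacon`, `beacon_is_well_formed`, `truncated_beacon`, `MalformedFrame`) are this example's own; the beacon-interval, capability and rate values are constructed sample values.

```python
"""Build and strictly parse an 802.11 beacon (added example, not syzkaller code)."""
import struct

# Network parameters predefined by syzkaller's initialize_wifi_devices (from the page).
BSSID = bytes.fromhex("505050505050")
STA_MAC = bytes.fromhex("080211000000")   # first virtual device
SSID = b"\x10" * 6
FREQ_MHZ = 2412

# Information Element IDs from the table on this page.
IE_SSID, IE_SUPPORTED_RATES, IE_DS, IE_IBSS = 0, 1, 3, 6

MGMT_HDR_LEN = 24        # FC(2) Duration(2) A1(6) A2(6) A3(6) SeqCtrl(2)
BEACON_FIXED_LEN = 12    # Timestamp(8) BeaconInterval(2) Capability(2)
CAP_IBSS = 0x0002        # capability bit 1: IBSS


class MalformedFrame(ValueError):
    """Raised when a frame violates the length rules of its encoding."""


def freq_to_channel(freq_mhz):
    """2.4 GHz band: channel n sits at 2407 + 5*n MHz; channel 14 is at 2484 MHz."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2407) % 5 == 0:
        return (freq_mhz - 2407) // 5
    raise ValueError(f"{freq_mhz} MHz is not a 2.4 GHz channel")


def build_ie(eid, body):
    """Encode one IE as ID, length, body; length is a single byte."""
    if not 0 <= len(body) <= 255:
        raise ValueError("IE body must fit in one length byte")
    return bytes([eid, len(body)]) + body


def build_beacon(seq=0):
    """Beacon for the predefined IBSS: management frame, subtype 8."""
    header = (b"\x80\x00"                       # Frame Control: type 0, subtype 8
              + b"\x00\x00"                     # Duration
              + b"\xff" * 6                     # A1: broadcast destination
              + STA_MAC                         # A2: source
              + BSSID                           # A3: BSSID
              + struct.pack("<H", seq << 4))    # Sequence Control
    fixed = (struct.pack("<Q", 0)               # Timestamp (constructed value)
             + struct.pack("<H", 100)           # Beacon Interval in TUs (constructed)
             + struct.pack("<H", CAP_IBSS))     # Capability: IBSS set, ESS clear
    ies = (build_ie(IE_SSID, SSID)
           + build_ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))  # 1,2,5.5,11 Mb/s basic
           + build_ie(IE_DS, bytes([freq_to_channel(FREQ_MHZ)]))
           + build_ie(IE_IBSS, struct.pack("<H", 0)))                       # ATIM window 0
    return header + fixed + ies


def parse_ies(buf):
    """Strict TLV walk: every declared length must lie inside the buffer."""
    ies, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise MalformedFrame(f"truncated IE header at offset {off}")
        eid, length = buf[off], buf[off + 1]
        end = off + 2 + length
        if end > len(buf):
            raise MalformedFrame(f"IE {eid} declares {length} bytes, only {len(buf) - off - 2} remain")
        ies.append((eid, bytes(buf[off + 2:end])))
        off = end
    return ies


def parse_beacon(frame):
    """Validate header, fixed fields and IEs; return the network parameters found."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise MalformedFrame("frame shorter than a beacon's fixed fields")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise MalformedFrame(f"not a beacon: type={ftype} subtype={subtype}")
    body = frame[MGMT_HDR_LEN:]
    _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = dict(parse_ies(body[BEACON_FIXED_LEN:]))
    if IE_SSID not in ies or IE_DS not in ies:
        raise MalformedFrame("beacon lacks mandatory SSID or DS element")
    if len(ies[IE_DS]) != 1:
        raise MalformedFrame("DS element must be exactly one byte")
    return {"bssid": frame[16:22].hex(":"), "ssid": ies[IE_SSID],
            "channel": ies[IE_DS][0], "ibss": bool(cap & CAP_IBSS),
            "beacon_interval": interval}


def beacon_is_well_formed(frame):
    try:
        parse_beacon(frame)
        return True
    except MalformedFrame:
        return False


def truncated_beacon():
    """Constructed malformed input: SSID IE claims 32 bytes, only 6 are present."""
    frame = bytearray(build_beacon())
    frame[MGMT_HDR_LEN + BEACON_FIXED_LEN + 1] = 32   # overwrite the SSID length byte
    return bytes(frame)


if __name__ == "__main__":
    print(parse_beacon(build_beacon()))
    print("truncated beacon accepted:", beacon_is_well_formed(truncated_beacon()))
```

The parser checks the IE header and the declared body length before touching any bytes, which is exactly the bound a kernel element parser must enforce on a frame it did not build itself; `truncated_beacon()` produces the one-byte corruption that turns a valid beacon into an over-read if that check is missing.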