Wifi fuzzing

Syzkaller supports fuzzing Linux's 802.11 (WiFi) subsystem. Currently it focuses on the following two targets.

  • Configuration and management functionality. It is exposed via the nl80211 interface of the Linux kernel.
  • Incoming wireless frames processing. Syzkaller reaches the corresponding code by injecting 802.11 frames. This functionality is under development at the moment.

This document describes the internals of the approach and keeps track of the progress towards its complete implementation.

General approach

Syzkaller uses mac80211_hwsim module to emulate wifi devices.

In order to simplify reproducer generation and to have an operable 802.11 network from the very beginning, syzkaller performs the following at executor initialization. If wifi feature is enabled (it is enabled by default), then:

  1. Two virtual wifi devices are created and assigned predefined MAC addresses (08:02:11:00:00:00 and 08:02:11:00:00:01).
  2. These devices are put into IBSS mode.
  3. These devices form an IBSS network. Network parameters are predefined: BSSID (50:50:50:50:50:50), SSID(‘\x10\x10\x10\x10\x10\x10’), channel (2412 MHz). After this step, the network is operable and 802.11 frame injection is possible.

These steps happen inside the initialize_wifi_devices function of executor/common_linux.h.

In order to facilitate 802.11 fuzzing, two pseudo syscalls are also introduced.

  1. syz_80211_inject_frame(mac_addr, buf, buf_len) performs 802.11 frame injection. The frame will appear to be received at the specified network interface.
  2. syz_80211_join_ibss(network_interface, ssid, ssid_len, wait_mode) puts the corresponding network interface into IBSS mode and joins the specified ad-hoc network. Although an IBSS network is already formed at the very beginning, the fuzzer can quickly take interfaces out of operational state (e.g. by deleting and re-adding it), and it will be very problematic for the fuzzer to restore the operational state. Similar syscalls might be added for other wifi modes as well.

nl80211 commands list

CommandIn descriptionsComment
NL80211_CMD_ABORT_SCANyes
NL80211_CMD_ADD_NAN_FUNCTIONyesNot supported by mac80211_hwsim
NL80211_CMD_ADD_TX_TSyes
NL80211_CMD_ASSOCIATEyes
NL80211_CMD_AUTHENTICATEyes
NL80211_CMD_CANCEL_REMAIN_ON_CHANNELyes
NL80211_CMD_CHANGE_NAN_CONFIGyesNot supported by mac80211_hwsim
NL80211_CMD_CHANNEL_SWITCHyes
NL80211_CMD_CONNECTyes
NL80211_CMD_CONTROL_PORT_FRAMEyes
NL80211_CMD_CRIT_PROTOCOL_STARTyes
NL80211_CMD_CRIT_PROTOCOL_STOPyes
NL80211_CMD_DEAUTHENTICATEyes
NL80211_CMD_DEL_INTERFACEyes
NL80211_CMD_DEL_KEYyes
NL80211_CMD_DEL_MPATHyes
NL80211_CMD_DEL_NAN_FUNCTIONyesNot supported by mac80211_hwsim
NL80211_CMD_DEL_PMKyes
NL80211_CMD_DEL_PMKSAyes
NL80211_CMD_DEL_STATIONyes
NL80211_CMD_DEL_TX_TSyes
NL80211_CMD_DISASSOCIATEyes
NL80211_CMD_DISCONNECTyes
NL80211_CMD_EXTERNAL_AUTHyes
NL80211_CMD_FLUSH_PMKSAyes
NL80211_CMD_FRAMEyes
NL80211_CMD_FRAME_WAIT_CANCELyes
NL80211_CMD_GET_COALESCEyes
NL80211_CMD_GET_FTM_RESPONDER_STATSyes
NL80211_CMD_GET_INTERFACEyes
NL80211_CMD_GET_KEYyes
NL80211_CMD_GET_MESH_CONFIGyes
NL80211_CMD_GET_MPATHyes
NL80211_CMD_GET_MPPyes
NL80211_CMD_GET_POWER_SAVEyes
NL80211_CMD_GET_PROTOCOL_FEATURESyes
NL80211_CMD_GET_REGyes
NL80211_CMD_GET_SCANyes
NL80211_CMD_GET_STATIONyes
NL80211_CMD_GET_SURVEYyes
NL80211_CMD_GET_WIPHYyes
NL80211_CMD_GET_WOWLANyesRequires CONFIG_PM
NL80211_CMD_JOIN_IBSSyes
NL80211_CMD_JOIN_MESHyes
NL80211_CMD_JOIN_OCByes
NL80211_CMD_LEAVE_IBSSyes
NL80211_CMD_LEAVE_MESHyes
NL80211_CMD_LEAVE_OCByes
NL80211_CMD_NEW_INTERFACEyes
NL80211_CMD_NEW_KEYyes
NL80211_CMD_NEW_MPATHyes
NL80211_CMD_NEW_STATIONyes
NL80211_CMD_NOTIFY_RADARyes
NL80211_CMD_PEER_MEASUREMENT_STARTyes
NL80211_CMD_PROBE_CLIENTyes
NL80211_CMD_PROBE_MESH_LINKyes
NL80211_CMD_RADAR_DETECTyes
NL80211_CMD_REGISTER_BEACONSyes
NL80211_CMD_REGISTER_FRAMEyes
NL80211_CMD_RELOAD_REGDByes
NL80211_CMD_REMAIN_ON_CHANNELyes
NL80211_CMD_REQ_SET_REGyes
NL80211_CMD_SET_BEACONyes
NL80211_CMD_SET_BSSyes
NL80211_CMD_SET_CHANNELyes
NL80211_CMD_SET_COALESCEyes
NL80211_CMD_SET_CQMyes
NL80211_CMD_SET_INTERFACEyes
NL80211_CMD_SET_KEYyes
NL80211_CMD_SET_MAC_ACLyes
NL80211_CMD_SET_MCAST_RATEyes
NL80211_CMD_SET_MESH_CONFIGyes
NL80211_CMD_SET_MPATHyes
NL80211_CMD_SET_MULTICAST_TO_UNICASTyes
NL80211_CMD_SET_NOACK_MAPyes
NL80211_CMD_SET_PMKyes
NL80211_CMD_SET_PMKSAyes
NL80211_CMD_SET_POWER_SAVEyes
NL80211_CMD_SET_QOS_MAPyes
NL80211_CMD_SET_REGyesRequires CONFIG_CFG80211_CRDA_SUPPORT
NL80211_CMD_SET_REKEY_OFFLOADyes
NL80211_CMD_SET_STATIONyes
NL80211_CMD_SET_TID_CONFIGyes
NL80211_CMD_SET_TX_BITRATE_MASKyes
NL80211_CMD_SET_WDS_PEERyes
NL80211_CMD_SET_WIPHYyes
NL80211_CMD_SET_WIPHY_NETNSyes
NL80211_CMD_SET_WOWLANyesRequires CONFIG_PM
NL80211_CMD_START_APyes
NL80211_CMD_START_NANyesNot supported by mac80211_hwsim
NL80211_CMD_START_P2P_DEVICEyes
NL80211_CMD_START_SCHED_SCANyes
NL80211_CMD_STOP_APyes
NL80211_CMD_STOP_NANyesNot supported by mac80211_hwsim
NL80211_CMD_STOP_P2P_DEVICEyes
NL80211_CMD_STOP_SCHED_SCANyes
NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCHyes
NL80211_CMD_TDLS_CHANNEL_SWITCHyes
NL80211_CMD_TDLS_MGMTyes
NL80211_CMD_TDLS_OPERyes
NL80211_CMD_TESTMODEyesRequires CONFIG_NL80211_TESTMODE
NL80211_CMD_TRIGGER_SCANyes
NL80211_CMD_UNEXPECTED_FRAMEyes
NL80211_CMD_UPDATE_CONNECT_PARAMSyes
NL80211_CMD_UPDATE_FT_IESyes
NL80211_CMD_UPDATE_OWE_INFOyes
NL80211_CMD_VENDORyes

802.11 frames

This is not an exhaustive list as it does not include all frames/commands that are defined by 802.11 standards. However, it aims to include all frames supported by mac80211.

Data frames

FeatureIn descriptionsSupported by mac80211
QoS controlyesyes
HT controlyesyes
A-MSDUyesyes
Short A-MSDUnono?
Frame encryptionnoyes

Management frames

CommandIn descriptionsSupported by mac80211
Association Requestyesyes
Association Responseyesyes
Reassociation Requestyesyes
Reassociation Responseyesyes
Probe Requestyesyes
Probe Responseyesyes
Timing Advertisementnot yesno
Beaconyesyes
ATIMnot yesno
Disassociationyesyes
Authenticationyesyes
Deauthenticationyesyes
Actionsee belowyes
Action No Acksee belowno

Management Actions

CategoryCommandIn descriptionsSupported by mac80211
Spectrum ManagementMeasurement Requestpartiallyreceives and refuses
Spectrum ManagementMeasurement Reportnono
Spectrum ManagementTPC Requestnono
Spectrum ManagementTPC Reportnono
Spectrum ManagementChannel Switch Announcementyesyes
Block ACKADDBA Requestyesyes
Block ACKADDBA Responseyesyes
Block ACKDELBAyesyes
PublicExtended Channel Switch Announcementyesyes
HTNotify Channel Widthyesyes
HTSM Power Saveyesyes
HTPMSPnono
HTSet PCO Phasenono
HTCSInono
SA QuerySA Query Requestyesyes
SA QuerySA Query Responsenono
TLDSSetup Requestyesyes
TLDSSetup Responseyesyes
TLDSSetup Confirmyesyes
TLDSTeardownyesyes
TLDSDiscover Requestyesyes
TLDSChannel Switch Requestyesyes
TLDSChannel Switch Responseyesyes
MeshHWMP Mesh Path Selectionyesyes
Self ProtectedMesh Peering Openyesyes
Self ProtectedMesh Peering Closeyesyes
Self ProtectedMesh Peering Confirmyesyes
VHTOperating Mode Notificationyesyes
VHTGroup ID Managementyesyes

Control frames

CommandIn descriptionsSupported by mac80211
Triggernono
Beamforming Report Pollnono
VHT/HE NDP Announcementnono
Control Frame Extensionnono
Control Wrappernono
Block Ack Request (BAR)yes (802.11n)yes
Block Ack (BA)yes (802.11n)?
PS-Pollyes?
RTSyesno
CTSyesno
ACKyesno
CF-Endyes?
CF-End + CF-ACKyes?

Information Elements

IDIEIn descriptionsSupported by mac80211
0SSIDyesyes
1Supported Ratesyesyes
3DSyesyes
4CFyesyes
5Traffic Indication Mapyesyes
6IBSSyesyes
7HT Capabilitiesyes?
10Requestnono
37Channel Switch Announcementyesyes
38Measurement Requestyesyes
42Extended Rate PHY (ERP)yesyes?
55Fast BSS Transition elementyesyes
60Extended Channel Switch Announcementyes?
62Secondary Channel Offsetyesyes
101Link Identifieryes?
104Channel Switch Timing Informationyes?
113Mesh Configyesyes
114Mesh IDyesyes
117Mesh Peering Managementyesyes
118MESH Channel Switchyesyes
126RANNyesyes
130PREQyesyes
131PREPyesyes
132PERRyesyes
140MICyesyes
189GCR Group Addressyesno