Skip to content

sl4v/hfsplus-kernel-fuzzing-demo

BranchesTags

Repository files navigation

HFS+ Kernel Fuzzer Demo

A minimal Linux kernel fuzzer demo targeting the HFS+ filesystem, built for an Off by One Security stream. This project demonstrates the evolution of the fuzzer through three progressively more sophisticated stages.

This fuzzer is built to be capable of potentially rediscovering CVE-2025-0927 (HFS+ OOB write exploitable on Ubuntu). mount() is included in the attack surface because on Ubuntu a low-privileged user can mount FS images.

Overview

At each stage, this fuzzer:

  • Creates/mounts HFS+ filesystem images
  • Executes syscalls on the mounted image

Architecture

The fuzzer is organized into three stages, each building upon the previous one:

Stage 1: Dumb Fuzzer (fuzzer_stage_1_dumb/)

  • Generates purely random HFS+ image or can mount a reference image
  • Executes random filesystem syscalls with random data
  • No feedback mechanism

Stage 1.5: Dumb Fuzzer with Coverage (fuzzer_stage_1_dumb_kcov/)

  • Adds KCOV support (for demo purposes, doesn't use it for feedback yet)

Stage 2: Seed Generation (fuzzer_stage_2_generate_seeds/)

  • Introduces seed generator to create a diverse seed corpus

Stage 3: Mutation-Based Fuzzer (fuzzer_stage_3_mutations/)

  • Uses seed corpus
  • Implements seed mutation
  • Uses KCOV for feedback: inputs that produced new coverage are added to the corpus

Building

Dependencies

# Ubuntu/Debian
sudo apt-get install gcc make linux-headers-$(uname -r)

Compilation

Each stage includes a Makefile with support for both local and remote builds:

# Local build 
cd fuzzer_stage_X/
make

# Remote build 
make remote-build

Usage

Prerequisites

  • Linux kernel with built-in HFS+ kernel module and KCOV support (see Linux-fuzzing.pdf slides for kernel building instructions)
  • Root privileges (required for mounting filesystems)

Running Each Stage

Stage 1: Dumb Fuzzer

cd fuzzer_stage_1_dumb/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb /path/to/hfsplus.img

Stage 1.5: Dumb Fuzzer with Coverage

cd fuzzer_stage_1_dumb_kcov/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb_kcov
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb_kcov /path/to/hfsplus.img

Stage 2: Seed Generation

cd fuzzer_stage_2_generate_seeds/
make

# First, create a reference HFS+ image (empty filesystem)
dd if=/dev/zero of=reference.img bs=1K count=512
sudo mkfs.hfsplus reference.img

# Generate diverse seed corpus using the reference image
# Usage: ./generate_seed <reference_image> <output_dir> <num_iterations>
sudo ./generate_seed reference.img ./seeds 10

Stage 3: Mutation-Based Fuzzer

cd fuzzer_stage_3_mutations/
make
# Run advanced mutation fuzzer with coverage feedback
sudo ./fuzzer_stage_3_mutations
# Or with specific seed image
sudo ./fuzzer_stage_3_mutations /path/to/hfsplus.img

About

Minimal Linux kernel fuzzer demo targeting HFS+

Resources

Readme
Activity

Stars

12 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages