A minimal Linux kernel fuzzer demo targeting the HFS+ filesystem, built for an Off by One Security stream. The project shows the evolution of the fuzzer through three progressively more sophisticated stages.
The fuzzer is designed so that it could, in principle, rediscover CVE-2025-0927 (an HFS+ out-of-bounds write exploitable on Ubuntu). mount() is part of the attack surface because on Ubuntu a low-privileged user can mount filesystem images.
Overview
At each stage, this fuzzer:
Creates/mounts HFS+ filesystem images
Executes syscalls on the mounted image
Architecture
The fuzzer is organized into three stages, each building upon the previous one:
Stage 1: Dumb Fuzzer (fuzzer_stage_1_dumb/)
Generates purely random HFS+ image or can mount a reference image
Executes random filesystem syscalls with random data
No feedback mechanism
Stage 1.5: Dumb Fuzzer with Coverage (fuzzer_stage_1_dumb_kcov/)
Adds KCOV support (for demo purposes: coverage is collected but not yet used as feedback)
Stage 2: Seed Generation (fuzzer_stage_2_generate_seeds/)
Generates a seed corpus of HFS+ images from a reference image
Stage 3: Mutation-Based Fuzzer (fuzzer_stage_3_mutations/)
Mutates seed images and uses KCOV for feedback: inputs that produced new coverage are added to the corpus
Building
Dependencies
# Ubuntu/Debian
sudo apt-get install gcc make linux-headers-$(uname -r)
Compilation
Each stage includes a Makefile with support for both local and remote builds:
# Local build
cd fuzzer_stage_X/
make
# Remote build
make remote-build
Usage
Prerequisites
Linux kernel with HFS+ support built in (CONFIG_HFSPLUS_FS=y) and KCOV enabled (CONFIG_KCOV=y); see the Linux-fuzzing.pdf slides for kernel build instructions
Root privileges (needed both to mount the filesystem images and to open /dev/kcov)
Running Each Stage
Stage 1: Dumb Fuzzer
cd fuzzer_stage_1_dumb/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb /path/to/hfsplus.img
Stage 1.5: Dumb Fuzzer with Coverage
cd fuzzer_stage_1_dumb_kcov/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb_kcov
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb_kcov /path/to/hfsplus.img
Stage 2: Seed Generation
cd fuzzer_stage_2_generate_seeds/
make
# First, create a reference HFS+ image (empty filesystem)
dd if=/dev/zero of=reference.img bs=1K count=512
sudo mkfs.hfsplus reference.img
# Generate a diverse seed corpus using the reference image
# Usage: ./generate_seed <reference_image> <output_dir> <num_iterations>
sudo ./generate_seed reference.img ./seeds 10
Stage 3: Mutation-Based Fuzzer
cd fuzzer_stage_3_mutations/
make
# Run advanced mutation fuzzer with coverage feedback
sudo ./fuzzer_stage_3_mutations
# Or with a specific seed image
sudo ./fuzzer_stage_3_mutations /path/to/hfsplus.img
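The coverage-feedback step that Stage 1.5 collects and Stage 3 acts on (run one mount attempt under KCOV, then keep the input only if it hit program counters never seen before) looks like the following. This is an added example written for this README, not code from the repository; it assumes a CONFIG_KCOV=y kernel, root, an HFS+ image already attached to /dev/loop0 (for instance with losetup) and an empty mount point /mnt/fuzz. Both paths are hypothetical placeholders.

```c
// kcov_feedback.c -- added example of a KCOV-guided harness step.
// Not the project's own code. Assumes /dev/loop0 (image already attached)
// and /mnt/fuzz (empty directory); both are hypothetical paths.
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/mount.h>
#endif

/* KCOV ioctls as defined in linux/kcov.h, repeated here so the example
 * builds without that header. */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0
#define COVER_WORDS     (64 * 1024)   /* trace buffer size in unsigned longs */

/* Open-addressing hash set of program counters seen so far (global coverage). */
struct pc_set { unsigned long *slots; size_t cap, used; };

static void pc_set_init(struct pc_set *s, size_t cap) {
    s->slots = calloc(cap, sizeof *s->slots);  /* slot value 0 means empty */
    s->cap = cap; s->used = 0;
}

static int pc_set_insert(struct pc_set *s, unsigned long pc);

static void pc_set_grow(struct pc_set *s) {
    struct pc_set n; pc_set_init(&n, s->cap * 2);
    for (size_t i = 0; i < s->cap; i++)
        if (s->slots[i]) pc_set_insert(&n, s->slots[i]);
    free(s->slots); *s = n;
}

/* Returns 1 if pc was not yet in the set (and adds it), 0 if already present. */
static int pc_set_insert(struct pc_set *s, unsigned long pc) {
    if (pc == 0) return 0;                       /* 0 is reserved for "empty" */
    if (s->used * 2 >= s->cap) pc_set_grow(s);   /* keep load factor below 1/2 */
    uint64_t h = (uint64_t)pc * 0x9E3779B97F4A7C15ULL;
    size_t i = (size_t)(h ^ (h >> 29)) & (s->cap - 1);  /* cap is a power of two */
    while (s->slots[i] && s->slots[i] != pc) i = (i + 1) & (s->cap - 1);
    if (s->slots[i] == pc) return 0;
    s->slots[i] = pc; s->used++;
    return 1;
}

/* Feedback step. KCOV's area layout: area[0] = number of PCs recorded,
 * area[1..n] = the PCs. Returns how many PCs were never seen before;
 * a non-zero result is the "add this input to the corpus" signal. */
static size_t count_new_pcs(struct pc_set *seen, const unsigned long *area, size_t words) {
    unsigned long n = area[0];
    if (n > words - 1) n = words - 1;            /* the kernel caps at the buffer size */
    size_t fresh = 0;
    for (unsigned long i = 1; i <= n; i++) fresh += pc_set_insert(seen, area[i]);
    return fresh;
}

/* Open /dev/kcov, size the trace buffer and map it. Returns the fd or -1. */
static int kcov_open(unsigned long **area) {
    int fd = open("/dev/kcov", O_RDWR);
    if (fd < 0) return -1;
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_WORDS)) { close(fd); return -1; }
    *area = mmap(NULL, COVER_WORDS * sizeof(unsigned long),
                 PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (*area == MAP_FAILED) { close(fd); return -1; }
    return fd;
}

/* One fuzz iteration: mount the image read-only with PC tracing enabled for
 * this thread, then unmount it so the next iteration starts clean. */
static int mount_image_traced(int kcov_fd, unsigned long *area) {
    int rc = -1;
    if (ioctl(kcov_fd, KCOV_ENABLE, KCOV_TRACE_PC)) return -1;
    __atomic_store_n(&area[0], 0, __ATOMIC_RELAXED);   /* reset the PC counter */
#ifdef __linux__
    rc = mount("/dev/loop0", "/mnt/fuzz", "hfsplus", MS_RDONLY, NULL);
    if (rc == 0) umount("/mnt/fuzz");
#endif
    ioctl(kcov_fd, KCOV_DISABLE, 0);
    return rc;
}

int main(void) {
    unsigned long *area;
    int fd = kcov_open(&area);
    if (fd < 0) { perror("/dev/kcov"); return 1; }
    struct pc_set seen; pc_set_init(&seen, 1024);
    /* Mounting the same image repeatedly: the first pass reports many new PCs,
     * later passes few or none, which is exactly what the corpus filter keys on. */
    for (int iter = 0; iter < 3; iter++) {
        int rc = mount_image_traced(fd, area);
        size_t fresh = count_new_pcs(&seen, area, COVER_WORDS);
        printf("iter %d: mount rc=%d, %lu PCs traced, %zu new\n", iter, rc, area[0], fresh);
    }
    return 0;
}
```

KCOV traces only the calling thread, so the mount and any follow-up syscalls must run on the thread that enabled it; in a Stage 3 style loop the coverage check runs after every mutated image, and the image file is saved to the corpus whenever count_new_pcs() returns a non-zero value.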