{"id":24655047,"url":"https://github.com/pawbud/fuzzing-gpu-drivers-using-syzkaller","last_synced_at":"2026-05-17T18:33:57.673Z","repository":{"id":273904228,"uuid":"898024074","full_name":"PawBud/Fuzzing-GPU-drivers-using-Syzkaller","owner":"PawBud","description":"This repository is part of my master's thesis at Universiteit Van Amsterdam","archived":false,"fork":false,"pushed_at":"2025-01-23T17:35:34.000Z","size":57468,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-03-21T02:16:11.476Z","etag":null,"topics":["kernel-fuzzing","operating-system-security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PawBud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-03T16:47:41.000Z","updated_at":"2025-01-23T17:35:38.000Z","dependencies_parsed_at":"2025-01-23T17:42:45.398Z","dependency_job_id":null,"html_url":"https://github.com/PawBud/Fuzzing-GPU-drivers-using-Syzkaller","commit_stats":null,"previous_names":["pawbud/fuzzing-gpu-drivers-using-syzkaller"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/PawBud/Fuzzing-GPU-drivers-using-Syzkaller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PawBud%2FFuzzing-GPU-drivers-using-Syzkaller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PawBud%2FFuzzing-GPU-drivers-using-Syzkaller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PawBud%2FFuzzing-GP
U-drivers-using-Syzkaller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PawBud%2FFuzzing-GPU-drivers-using-Syzkaller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PawBud","download_url":"https://codeload.github.com/PawBud/Fuzzing-GPU-drivers-using-Syzkaller/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PawBud%2FFuzzing-GPU-drivers-using-Syzkaller/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33149648,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-17T09:28:26.183Z","status":"ssl_error","status_checked_at":"2026-05-17T09:27:52.702Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel-fuzzing","operating-system-security"],"created_at":"2025-01-25T22:35:57.745Z","updated_at":"2026-05-17T18:33:57.650Z","avatar_url":"https://github.com/PawBud.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fuzzing GPU drivers using Syzkaller\nFuzzing provides a target computer program with a bunch of random or unexpected inputs to \nsee if it crashes or behaves abnormally. 
[Syzkaller](https://github.com/google/syzkaller) \nis a popular kernel fuzzer that uses input programs written in a declarative language \nand dynamically tests target kernel modules to find bugs.\n\n## Aim of this project\nThis repository aims to create a blueprint for users who want to fuzz graphics \ndrivers on Linux.\n\n## Fuzzing\nTo illustrate fuzzing, let’s start with an example. \nThe following C program shows a function in which one execution path introduces a \npotential memory leak, depending on the length of the input.\n\n```C\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cstring.h\u003e\n\n/* Deliberately leaky example: the heap buffer on path 3 is only freed\n   when the input is longer than 10 characters. */\nvoid process_input(const char *input) {\n    if (strcmp(input, \"safe1\") == 0) {\n        // Path 1: Safe path\n        char buffer[20]; // Sufficiently large buffer\n        strcpy(buffer, \"This is safe\");\n        printf(\"Safe1 buffer content: %s\", buffer);\n\n    } else if (strcmp(input, \"safe2\") == 0) {\n        // Path 2: Safe path\n        char buffer[20]; // Sufficiently large buffer\n        snprintf(buffer, sizeof(buffer), \"Safe2 input\");\n        printf(\"Safe2 buffer content: %s\", buffer);\n    } \n    else {\n        // Path 3: Potentially unsafe path\n        char *buffer = (char *)malloc(30);\n        if (buffer == NULL) {\n            printf(\"Memory allocation failed\");\n            return;\n        }\n\n        strcpy(buffer, \"Memory might be leaked\");\n        printf(\"Potentially leaked buffer content: %s\", buffer);\n\n        // Potential memory leak: Memory might not be freed\n        if (strlen(input) \u003e 10) {\n            // Free memory conditionally\n            free(buffer);\n        }\n    }\n    \n    printf(\"it worked :)\");\n}\n\n// Minimal driver so the example can be built and run with one input.\nint main(int argc, char **argv) {\n    if (argc \u003c 2) {\n        fprintf(stderr, \"usage: %s \u003cinput\u003e\\n\", argv[0]);\n        return 1;\n    }\n    process_input(argv[1]);\n    return 0;\n}\n```\n\nThe program evaluates input to determine the execution path: if input is \"safe1\" or \"safe2\", \nit performs safe operations with stack-allocated buffers. \nFor any other input, the program allocates and utilizes memory using malloc. 
\nHowever, memory is only conditionally freed if the length of the input exceeds 10 characters,\nwhich may result in a memory leak for inputs of 10 characters or fewer. \nEach distinct input may exercise a different execution path, and the set of paths exercised contributes to _coverage_.\n\nIn the context of kernel fuzzing, applications in userland provide the input to the target. \nUserland applications interact with the kernel through system calls and interfaces provided \nby the kernel. For example, when a user application opens a file, sends a network packet, \nor allocates memory, these operations go through system calls that invoke kernel code to handle \nthe requested action. Identifying such issues through static analysis can be challenging due to \nthe complexity and the sheer size of kernel code. However, fuzzing dynamically tests various \ninputs by generating and executing them, which increases the likelihood of uncovering such vulnerabilities. \nA fuzzer would repeatedly run the program with different inputs, improving the chances of\ndetecting the memory leak. The set of inputs is referred to as the corpus. Fuzzing is usually done in a \nVM as it provides reproducibility, environment management, and isolation.\n\n## Understanding the target\n![DRI Stack](media/DRI%20Overview%20Master's%20Thesis.png)\n\nThe figure shows [DRI](https://dri.freedesktop.org/wiki/) (Direct Rendering Infrastructure) on Linux, which is a software architecture \ndesigned to coordinate interactions between the Linux kernel, the X Window System, 3D graphics hardware, \nand an OpenGL-based rendering engine, enabling efficient 3D rendering on Linux platforms.\n\nIt is essential to understand the graphics stack in order to successfully fuzz the GPU drivers. 
This helps\nan analyst to understand the kind of data that should be passed to the Graphics Driver.\n\nWe aimed to fuzz the **proprietary Nvidia graphics driver** \\\u0026 the **Nouveau Drivers** on Linux.\n\n## Our Experimental Setup\n![Environment Setup](media/System%20Specs.png)\n\nThe host system ran Syzkaller alongside QEMU in userland, with KVM operating in kernel land. \nThe QEMU virtual machine (VM) was launched dynamically based on Syzkaller’s configuration file.\nThe fuzzing process inside the VM required direct access \nto the Nvidia GPU, which was facilitated through IOMMU and the VFIO driver. \nKVM enabled the guest operating system, running inside the VM, to execute instructions directly \non the physical CPU. Additionally, it allocated memory to the guest OS via standard malloc() and \nmmap() calls.\n\n\n### About this repository\nThis repository contains the supplementary information related to my Master’s Thesis, \nwhich I completed under the supervision of [**Andrés Goens**](https://goens.org/) with \nthe [Parallel Computing Systems](https://pcs-research.nl/) Group at the\n[University of Amsterdam](https://www.uva.nl/).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpawbud%2Ffuzzing-gpu-drivers-using-syzkaller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpawbud%2Ffuzzing-gpu-drivers-using-syzkaller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpawbud%2Ffuzzing-gpu-drivers-using-syzkaller/lists"}