syzkaller wireguard key situation [was: Re: [PATCH net-next v2] net: WireGuard secure network tunnel]

Jason A. Donenfeld Jason at zx2c4.com
Mon Feb 17 12:44:06 CET 2020


Observation:

It seems to be starting to synthesize packets sent to the wireguard
socket. These aren't the proper handshake packets generated internally
by that triangle commit, but rather ones that syzkaller creates
itself. That's why we have coverage on wg_receive, which otherwise
wouldn't be called from a userspace process, since syzbot is sending
its own packets to that function.

However, the packets it generates aren't getting very far, failing all
of the tests in validate_header_len. None of those checks are at all
cryptographic, which means it should be able to hit those eventually.
Anything we should be doing to help it out? After it gets past that
check, it'll wind up in the handshake queue or the data queue, and
then (in theory) it should be rejected on a cryptographic basis. But
maybe syzbot will figure out how to crash it instead :-P.


More information about the WireGuard mailing list