HFS+ Kernel Fuzzer Demo
May 29, 2025
A minimal Linux kernel fuzzer demo targeting the HFS+ filesystem, built for an Off by One Security stream. This project demonstrates the evolution of the fuzzer through three progressively more sophisticated stages.
The fuzzer is designed so that it could rediscover CVE-2025-0927 (an HFS+ out-of-bounds write exploitable on Ubuntu). mount() is included in the attack surface because on Ubuntu a low-privileged user can mount filesystem images.
Overview
At each stage, this fuzzer:
- Creates/mounts HFS+ filesystem images
- Executes syscalls on the mounted image
Architecture
The fuzzer is organized into three stages, each building upon the previous one:
Stage 1: Dumb Fuzzer (fuzzer_stage_1_dumb/)
- Generates a purely random HFS+ image, or mounts a user-supplied reference image
- Executes random filesystem syscalls with random data
- No feedback mechanism
Stage 1.5: Dumb Fuzzer with Coverage (fuzzer_stage_1_dumb_kcov/)
- Adds KCOV coverage collection (shown for demonstration only; coverage is not yet used as feedback)
Stage 2: Seed Generation (fuzzer_stage_2_generate_seeds/)
- Introduces a seed generator that builds a diverse seed corpus from a reference image
Stage 3: Mutation-Based Fuzzer (fuzzer_stage_3_mutations/)
- Uses seed corpus
- Implements seed mutation
- Uses KCOV for feedback: inputs that produced new coverage are added to the corpus
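The Stage 3 loop in miniature, as an added example that is not the project's own code: mutate a corpus entry, run the target, read back a coverage area laid out the way KCOV fills it (slot 0 holds the number of recorded PCs, slots 1..n the PCs), and keep the input only if it reached a PC not seen before. The kernel is replaced by a toy_target() stand-in whose branches emit invented PCs, so the block runs offline; the real harness would mmap the area from /sys/kernel/debug/kcov and wrap mount() and the syscalls between KCOV_ENABLE and KCOV_DISABLE as described in the kernel's kcov documentation. The PRNG seed, the input length, the hash-set size and the seed bytes are all assumed values chosen for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the hfs-fuzzer-demo project's code. Only the layout of
 * `cover` matches KCOV (cover[0] = count, cover[1..] = PCs); the PCs below are
 * invented. A real harness fills the area via the KCOV_INIT_TRACE / KCOV_ENABLE
 * / KCOV_DISABLE ioctls from the kernel's kcov documentation. */

#define COVER_SLOTS 256      /* coverage area size in unsigned longs (assumed) */
#define MAX_INPUT   16       /* toy input length (assumed) */
#define MAX_CORPUS  64
#define SEEN_SLOTS  4096     /* open-addressed hash set of PCs seen so far */

struct input { uint8_t data[MAX_INPUT]; size_t len; };

static unsigned long seen_pcs[SEEN_SLOTS];   /* 0 = empty slot; PCs are never 0 */
static struct input corpus[MAX_CORPUS];
static size_t corpus_len;
static uint64_t rng_state;

/* Deterministic xorshift64 so a run is reproducible; real fuzzers log the seed. */
static uint64_t rng(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Returns 1 if pc is already known. With insert != 0 an unknown pc is recorded. */
static int seen_lookup(unsigned long pc, int insert) {
    size_t h = (size_t)((pc * 0x9E3779B97F4A7C15ULL) % SEEN_SLOTS);
    for (size_t i = 0; i < SEEN_SLOTS; i++) {
        size_t idx = (h + i) % SEEN_SLOTS;
        if (seen_pcs[idx] == pc) return 1;
        if (seen_pcs[idx] == 0) { if (insert) seen_pcs[idx] = pc; return 0; }
    }
    return 1;   /* table full: pessimistically treat everything as known */
}

int pc_seen(unsigned long pc) { return seen_lookup(pc, 0); }

/* Walk a KCOV-layout area, record its PCs, and return how many were new. */
static size_t new_edges(const unsigned long *cover) {
    unsigned long n = cover[0];
    if (n > COVER_SLOTS - 1) n = COVER_SLOTS - 1;   /* KCOV stops at the area end */
    size_t fresh = 0;
    for (unsigned long i = 1; i <= n; i++) fresh += !seen_lookup(cover[i], 1);
    return fresh;
}

/* Stand-in for the kernel under test: a toy header check whose branches emit
 * fake PCs into the coverage area. */
#define HIT(pc) do { if (n < COVER_SLOTS - 1) cover[++n] = (pc); } while (0)
static void toy_target(const uint8_t *d, size_t len, unsigned long *cover) {
    unsigned long n = 0;
    HIT(0x1000UL);
    if (len >= 4 && d[0] == 'H' && d[1] == '+') {
        HIT(0x1010UL);
        if (d[2] == 0x00 && d[3] == 0x04) {
            HIT(0x1020UL);
            if (len >= 8 && d[4] == 0xFF) HIT(0x1030UL);   /* harder-to-reach branch */
        }
    } else {
        HIT(0x1040UL);
    }
    cover[0] = n;
}

/* One of three simple byte-level mutations applied to a copy of the parent. */
static void mutate(struct input *dst, const struct input *src) {
    static const uint8_t interesting[] = { 0x00, 0x7F, 0x80, 0xFF };
    *dst = *src;
    size_t pos = rng() % dst->len;
    switch (rng() % 3) {
    case 0:  dst->data[pos] ^= (uint8_t)(1u << (rng() % 8)); break;   /* bit flip */
    case 1:  dst->data[pos] = (uint8_t)rng(); break;                    /* random byte */
    default: dst->data[pos] = interesting[rng() % 4]; break;            /* boundary value */
    }
}

/* Reset all state, seed the corpus with one constructed input, run `iters`
 * mutation rounds, and return the final corpus size. */
size_t fuzz_demo(size_t iters) {
    static unsigned long cover[COVER_SLOTS];
    static const uint8_t seed[MAX_INPUT] = { 'H', '+', 0x00, 0x04 };   /* constructed seed */
    struct input cand;

    memset(seen_pcs, 0, sizeof seen_pcs);
    rng_state = 0x2545F4914F6CDD1DULL;                 /* assumed fixed PRNG seed */
    memcpy(corpus[0].data, seed, MAX_INPUT);
    corpus[0].len = MAX_INPUT;
    corpus_len = 1;
    toy_target(seed, MAX_INPUT, cover);
    new_edges(cover);                                  /* baseline coverage of the seed */

    for (size_t i = 0; i < iters; i++) {
        mutate(&cand, &corpus[rng() % corpus_len]);
        toy_target(cand.data, cand.len, cover);
        if (new_edges(cover) > 0 && corpus_len < MAX_CORPUS)
            corpus[corpus_len++] = cand;               /* keep: it reached something new */
    }
    return corpus_len;
}

int main(void) {
    size_t n = fuzz_demo(20000);
    printf("corpus size %zu, reached 0x1030: %d, reached 0x1040: %d\n",
           n, pc_seen(0x1030UL), pc_seen(0x1040UL));
    return 0;
}
```

The toy target has five reachable PCs, three of which the seed already covers, so the corpus can only grow by the two inputs that first reach the remaining branches; every other mutant is discarded, which is the property that keeps a coverage-guided corpus small and diverse rather than a pile of near-duplicates.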
Building
Dependencies
# Ubuntu/Debian
sudo apt-get install gcc make linux-headers-$(uname -r)
Compilation
Each stage includes a Makefile with support for both local and remote builds:
# Local build
cd fuzzer_stage_X/
make
# Remote build
make remote-build
Usage
Prerequisites
- Linux kernel with built-in HFS+ kernel module and KCOV support (see the Linux-fuzzing.pdf slides for kernel building instructions)
- Root privileges (required for mounting filesystems)
Running Each Stage
Stage 1: Dumb Fuzzer
cd fuzzer_stage_1_dumb/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb /path/to/hfsplus.img
Stage 1.5: Dumb Fuzzer with Coverage
cd fuzzer_stage_1_dumb_kcov/
make
# Run with auto-generated random image
sudo ./fuzzer_stage_1_dumb_kcov
# Run with a specific HFS+ image
sudo ./fuzzer_stage_1_dumb_kcov /path/to/hfsplus.img
Stage 2: Seed Generation
cd fuzzer_stage_2_generate_seeds/
make
# First, create a reference HFS+ image (empty filesystem)
dd if=/dev/zero of=reference.img bs=1K count=512
sudo mkfs.hfsplus reference.img
# Generate diverse seed corpus using the reference image
# Usage: ./generate_seed <reference_image> <output_dir> <num_iterations>
sudo ./generate_seed reference.img ./seeds 10
Stage 3: Mutation-Based Fuzzer
cd fuzzer_stage_3_mutations/
make
# Run the mutation fuzzer with coverage feedback
sudo ./fuzzer_stage_3_mutations
# Or with a specific seed image
sudo ./fuzzer_stage_3_mutations /path/to/hfsplus.img