Using syzkaller, part 4: Driver fuzzing
Ricardo Canuelo Navarro describes the challenges associated with fuzzing complex device drivers with Syzkaller, and some solutions. "V4L2, however, is only supported in the sense that the involved system calls (including the myriad V4L2 ioctls) and data structures are described. This is already useful and, equipped with those descriptions, Syzkaller has been able to find many V4L2 bugs. But the fuzzing process contains a lot of randomness and, while that's a good thing in many cases when it comes to fuzzing, due to the complexity of the V4L2 API, simply randomizing the system calls and their inputs may not be enough to reach most of the code in some drivers, especially in drivers with complicated interfaces such as those based on the Request API, including stateless drivers."