Open Access
Finding Device Driver Bugs with Fuzzing PCIe Configuration Input
Author(s) - Kyungwook Boo, Byoungyoung Lee
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3596641
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Device drivers play a vital role in enabling communication between the operating system and hardware, yet their elevated privileges and interaction with untrusted inputs make them a frequent source of security vulnerabilities. While numerous studies have explored fuzzing and static analysis techniques to identify such flaws in device drivers, comparatively little attention has been given to PCIe configuration space inputs, which are often treated as constant values, with the focus instead placed on post-initialization interactions with MMIO and DMA. This paper introduces PCIconfuzz, a device input fuzzer designed to uncover security vulnerabilities in device drivers by targeting the initialization phase, with particular emphasis on PCIe configuration space inputs. Leveraging the insight that drivers predominantly interact with configuration space during initialization, we developed a virtual PCI device capable of supplying fuzzed configuration space values to exercise a broader range of driver setup behaviors. Our evaluation on PCIe device drivers in the Linux kernel (v6.9-rc3) uncovered seven previously unknown bugs, two of which have since been acknowledged and patched by upstream maintainers. To the best of our knowledge, this is the first work to dynamically test PCIe configuration space inputs for security vulnerabilities in device drivers.
