[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250901164212.460229-1-ethan.w.s.graham@gmail.com>
Date: Mon, 1 Sep 2025 16:42:05 +0000
From: Ethan Graham <ethan.w.s.graham@...il.com>
To: ethangraham@...gle.com,
glider@...gle.com
Cc: andreyknvl@...il.com,
brendan.higgins@...ux.dev,
davidgow@...gle.com,
dvyukov@...gle.com,
jannh@...gle.com,
elver@...gle.com,
rmoar@...gle.com,
shuah@...nel.org,
tarasmadan@...gle.com,
kasan-dev@...glegroups.com,
kunit-dev@...glegroups.com,
linux-kernel@...r.kernel.org,
linux-mm@...ck.org,
dhowells@...hat.com,
lukas@...ner.de,
ignat@...udflare.com,
herbert@...dor.apana.org.au,
davem@...emloft.net,
linux-crypto@...r.kernel.org
Subject: [PATCH v2 RFC 0/7] KFuzzTest: a new kernel fuzzing framework
From: Ethan Graham <ethangraham@...gle.com>
This patch series introduces KFuzzTest, a lightweight framework for
creating in-kernel fuzz targets for internal kernel functions.
The primary motivation for KFuzzTest is to simplify the fuzzing of
low-level, relatively stateless functions (e.g., data parsers, format
converters) that are difficult to exercise effectively from the syscall
boundary. It is intended for in-situ fuzzing of kernel code without
requiring that it be built as a separate userspace library or that its
dependencies be stubbed out. Using a simple macro-based API, developers
can add a new fuzz target with minimal boilerplate code.
The core design consists of three main parts:
1. A `FUZZ_TEST(name, struct_type)` macro that allows developers to
easily define a fuzz test.
2. A binary input format that allows a userspace fuzzer to serialize
complex, pointer-rich C structures into a single buffer.
3. Metadata for test targets, constraints, and annotations, which is
emitted into dedicated ELF sections to allow for discovery and
inspection by userspace tools. These are found in
".kfuzztest_{targets, constraints, annotations}".
To demonstrate this framework's viability, support for KFuzzTest has been
prototyped in a development fork of syzkaller, enabling coverage-guided
fuzzing. To validate its end-to-end effectiveness, we performed an
experiment by manually introducing an off-by-one buffer over-read into
pkcs7_parse_message, like so:
-ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);
A syzkaller instance fuzzing the new test_pkcs7_parse_message target
introduced in patch 7 successfully triggered the bug inside of
asn1_ber_decoder in under a 30 seconds from a cold start.
This RFC continues to seek feedback on the overall design of KFuzzTest
and the minor changes made in V2. We are particularly interested in
comments on:
- The ergonomics of the API for defining fuzz targets.
- The overall workflow and usability for a developer adding and running
a new in-kernel fuzz target.
- The high-level architecture.
The patch series is structured as follows:
- Patch 1 adds and exposes a new KASAN function needed by KFuzzTest.
- Patch 2 introduces the core KFuzzTest API and data structures.
- Patch 3 adds the runtime implementation for the framework.
- Patch 4 adds a tool for sending structured inputs into a fuzz target.
- Patch 5 adds documentation.
- Patch 6 provides example fuzz targets.
- Patch 7 defines fuzz targets for real kernel functions.
Changes in v2:
- Per feedback from Eric Biggers and Ignat Korchagin, move the /crypto
fuzz target samples into a new /crypto/tests directory to separate
them from the functional source code.
- Per feedback from David Gow and Marco Elver, add the kfuzztest-bridge
tool to generate structured inputs for fuzz targets. The tool can
populate parts of the input structure with data from a file, enabling
both simple randomized fuzzing (e.g, using /dev/urandom) and
targeted testing with file-based inputs.
We would like to thank David Gow for his detailed feedback regarding the
potential integration with KUnit. The v1 discussion highlighted three
potential paths: making KFuzzTests a special case of KUnit tests, sharing
implementation details in a common library, or keeping the frameworks
separate while ensuring API familiarity.
Following a productive conversation with David, we are moving forward
with the third option for now. While tighter integration is an
attractive long-term goal, we believe the most practical first step is
to establish KFuzzTest as a valuable, standalone framework. This avoids
premature abstraction (e.g., creating a shared library with only one
user) and allows KFuzzTest's design to stabilize based on its specific
focus: fuzzing with complex, structured inputs.
Ethan Graham (7):
mm/kasan: implement kasan_poison_range
kfuzztest: add user-facing API and data structures
kfuzztest: implement core module and input processing
tools: add kfuzztest-bridge utility
kfuzztest: add ReST documentation
kfuzztest: add KFuzzTest sample fuzz targets
crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfuzztest.rst | 371 +++++++++++++
arch/x86/kernel/vmlinux.lds.S | 22 +
crypto/asymmetric_keys/Kconfig | 15 +
crypto/asymmetric_keys/Makefile | 2 +
crypto/asymmetric_keys/tests/Makefile | 2 +
crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 22 +
.../asymmetric_keys/tests/rsa_helper_kfuzz.c | 38 ++
include/linux/kasan.h | 16 +
include/linux/kfuzztest.h | 508 ++++++++++++++++++
lib/Kconfig.debug | 1 +
lib/Makefile | 2 +
lib/kfuzztest/Kconfig | 20 +
lib/kfuzztest/Makefile | 4 +
lib/kfuzztest/main.c | 163 ++++++
lib/kfuzztest/parse.c | 208 +++++++
mm/kasan/shadow.c | 31 ++
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/kfuzztest/Makefile | 3 +
samples/kfuzztest/overflow_on_nested_buffer.c | 52 ++
samples/kfuzztest/underflow_on_buffer.c | 41 ++
tools/Makefile | 15 +-
tools/kfuzztest-bridge/.gitignore | 2 +
tools/kfuzztest-bridge/Build | 6 +
tools/kfuzztest-bridge/Makefile | 48 ++
tools/kfuzztest-bridge/bridge.c | 93 ++++
tools/kfuzztest-bridge/byte_buffer.c | 87 +++
tools/kfuzztest-bridge/byte_buffer.h | 31 ++
tools/kfuzztest-bridge/encoder.c | 356 ++++++++++++
tools/kfuzztest-bridge/encoder.h | 16 +
tools/kfuzztest-bridge/input_lexer.c | 243 +++++++++
tools/kfuzztest-bridge/input_lexer.h | 57 ++
tools/kfuzztest-bridge/input_parser.c | 373 +++++++++++++
tools/kfuzztest-bridge/input_parser.h | 79 +++
tools/kfuzztest-bridge/rand_stream.c | 61 +++
tools/kfuzztest-bridge/rand_stream.h | 46 ++
37 files changed, 3037 insertions(+), 6 deletions(-)
create mode 100644 Documentation/dev-tools/kfuzztest.rst
create mode 100644 crypto/asymmetric_keys/tests/Makefile
create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
create mode 100644 include/linux/kfuzztest.h
create mode 100644 lib/kfuzztest/Kconfig
create mode 100644 lib/kfuzztest/Makefile
create mode 100644 lib/kfuzztest/main.c
create mode 100644 lib/kfuzztest/parse.c
create mode 100644 samples/kfuzztest/Makefile
create mode 100644 samples/kfuzztest/overflow_on_nested_buffer.c
create mode 100644 samples/kfuzztest/underflow_on_buffer.c
create mode 100644 tools/kfuzztest-bridge/.gitignore
create mode 100644 tools/kfuzztest-bridge/Build
create mode 100644 tools/kfuzztest-bridge/Makefile
create mode 100644 tools/kfuzztest-bridge/bridge.c
create mode 100644 tools/kfuzztest-bridge/byte_buffer.c
create mode 100644 tools/kfuzztest-bridge/byte_buffer.h
create mode 100644 tools/kfuzztest-bridge/encoder.c
create mode 100644 tools/kfuzztest-bridge/encoder.h
create mode 100644 tools/kfuzztest-bridge/input_lexer.c
create mode 100644 tools/kfuzztest-bridge/input_lexer.h
create mode 100644 tools/kfuzztest-bridge/input_parser.c
create mode 100644 tools/kfuzztest-bridge/input_parser.h
create mode 100644 tools/kfuzztest-bridge/rand_stream.c
create mode 100644 tools/kfuzztest-bridge/rand_stream.h
--
2.51.0.318.gd7df087d1a-goog
Powered by blists - more mailing lists