Message-ID: <CAG_fn=VXxaGd4QC0jHzwFg88HuaOFV4K+_tdzrhqW+UoTk-L6Q@mail.gmail.com>
Date: Fri, 5 Sep 2025 12:43:45 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Ethan Graham <ethan.w.s.graham@...il.com>
Cc: ethangraham@...gle.com, andreyknvl@...il.com, brendan.higgins@...ux.dev,
davidgow@...gle.com, dvyukov@...gle.com, jannh@...gle.com, elver@...gle.com,
rmoar@...gle.com, shuah@...nel.org, tarasmadan@...gle.com,
kasan-dev@...glegroups.com, kunit-dev@...glegroups.com,
linux-kernel@...r.kernel.org, linux-mm@...ck.org, dhowells@...hat.com,
lukas@...ner.de, ignat@...udflare.com, herbert@...dor.apana.org.au,
davem@...emloft.net, linux-crypto@...r.kernel.org
Subject: Re: [PATCH v2 RFC 4/7] tools: add kfuzztest-bridge utility
> +static int invoke_kfuzztest_target(const char *target_name, const char *data, size_t data_size)
> +{
> + ssize_t bytes_written;
> + char buf[256];
I think malloc() is better here.
> + int ret;
> + int fd;
> +
> + ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", target_name);
> + if (ret < 0)
> + return ret;
Please also check that the file name wasn't truncated (ret >= sizeof(buf)).
> +
> + fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
> + if (fd < 0)
> + return fd;
> +
> + bytes_written = write(fd, (void *)data, data_size);
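Review bot: in invoke_kfuzztest_target(), `return fd;` after a failed openat() returns -1 and drops errno, while invoke_one() reports failures with strerror(-err), which suggests callers expect a negative errno value. Returning -errno at that point would keep the real cause (for example a missing target directory or a permission problem on debugfs) visible to the caller. The fourth openat() argument is ignored when O_CREAT is not set, so it can be dropped.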
Not casting data to void * should be just as fine.
> +static int invoke_one(const char *input_fmt, const char *fuzz_target, const char *input_filepath)
> +{
> + struct ast_node *ast_prog;
> + struct byte_buffer *bb;
> + struct rand_stream *rs;
> + struct token **tokens;
> + size_t num_tokens;
> + size_t num_bytes;
> + int err;
> +
> + err = tokenize(input_fmt, &tokens, &num_tokens);
> + if (err) {
> + printf("tokenization failed: %s\n", strerror(-err));
Please use fprintf(stderr) for errors.
> +static int refill(struct rand_stream *rs)
> +{
> + size_t ret = fread(rs->buffer, sizeof(char), rs->buffer_size, rs->source);
> + rs->buffer_pos = 0;
> + if (ret != rs->buffer_size)
> + return -1;
> + return 0;
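Review bot: in refill(), the `ret != rs->buffer_size` branch returns -1 for both a read error and a short read, so the caller cannot tell the two apart, and rs->buffer_pos has already been reset to 0 over a buffer that may be only partially filled. Checking ferror(rs->source) after fread() and returning an error only in that case would separate a real I/O failure from running out of input. sizeof(char) is 1 by definition, so the size argument can simply be 1.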
Note that ret may be less than rs->buffer_size if there's an EOF.
Keeping in mind the possibility to pass files on disk to the tool, you
should probably handle EOF here (e.g. introduce another variable for
the actual data size).