| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260112192827.25989-1-ethan.w.s.graham@gmail.com> Date: Mon, 12 Jan 2026 20:28:21 +0100 From: Ethan Graham <ethan.w.s.graham@...il.com> To: ethan.w.s.graham@...il.com, glider@...gle.com Cc: akpm@...ux-foundation.org, andreyknvl@...il.com, andy@...nel.org, andy.shevchenko@...il.com, brauner@...nel.org, brendan.higgins@...ux.dev, davem@...emloft.net, davidgow@...gle.com, dhowells@...hat.com, dvyukov@...gle.com, ebiggers@...nel.org, elver@...gle.com, gregkh@...uxfoundation.org, herbert@...dor.apana.org.au, ignat@...udflare.com, jack@...e.cz, jannh@...gle.com, johannes@...solutions.net, kasan-dev@...glegroups.com, kees@...nel.org, kunit-dev@...glegroups.com, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, lukas@...ner.de, mcgrof@...nel.org, rmoar@...gle.com, shuah@...nel.org, sj@...nel.org, skhan@...uxfoundation.org, tarasmadan@...gle.com, wentaoz5@...inois.edu Subject: [PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework This patch series introduces KFuzzTest, a lightweight framework for creating in-kernel fuzz targets for internal kernel functions. The primary motivation for KFuzzTest is to simplify the fuzzing of low-level, relatively stateless functions (e.g., data parsers, format converters) that are difficult to exercise effectively from the syscall boundary. It is intended for in-situ fuzzing of kernel code without requiring that it be built as a separate userspace library or that its dependencies be stubbed out. Following feedback from the Linux Plumbers Conference and mailing list discussions, this version of the framework has been significantly simplified. It now focuses exclusively on handling raw binary inputs, removing the complexity of the custom serialization format and DWARF parsing found in previous iterations. The core design consists of two main parts: 1. The `FUZZ_TEST_SIMPLE(name)` macro, which allows developers to define a fuzz test that accepts a buffer and its length. 2. A simplified debugfs interface that allows userspace fuzzers (or simple command-line tools) to pass raw binary blobs directly to the target function. To validate the framework's end-to-end effectiveness, we performed an experiment by manually introducing an off-by-one buffer over-read into pkcs7_parse_message, like so: - ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen); + ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1); A syzkaller instance fuzzing the new test_pkcs7_parse_message target introduced in patch 7 successfully triggered the bug inside of asn1_ber_decoder in under 30 seconds from a cold start. Similar experiments on the other new fuzz targets (patches 8-9) also successfully identified injected bugs, proving that KFuzzTest is effective when paired with a coverage-guided fuzzing engine. This patch series is structured as follows: - Patch 1 introduces the core KFuzzTest API, including the main FUZZ_TEST_SIMPLE macro. - Patch 2 adds the runtime implementation for the framework - Patch 3 adds documentation. - Patch 4 provides sample fuzz targets. - Patch 5 defines fuzz targets for several functions in crypto/. - Patch 6 adds maintainer information for KFuzzTest. Changes since PR v3: - Major simplification of the architecture, removing the complex `FUZZ_TEST` macro, the custom serialization format, domain constraints, annotations, and associated DWARF metadata regions. - The framework now only supports `FUZZ_TEST_SIMPLE` targets, which accept raw binary data. - Removed the userspace bridge tool as it is no longer required for serializing inputs. - Updated documentation and samples to reflect the "simple-only" approach. Ethan Graham (6): kfuzztest: add user-facing API and data structures kfuzztest: implement core module and input processing kfuzztest: add ReST documentation kfuzztest: add KFuzzTest sample fuzz targets crypto: implement KFuzzTest targets for PKCS7 and RSA parsing MAINTAINERS: add maintainer information for KFuzzTest Documentation/dev-tools/index.rst | 1 + Documentation/dev-tools/kfuzztest.rst | 152 ++++++++++++++++++ MAINTAINERS | 7 + crypto/asymmetric_keys/Makefile | 2 + crypto/asymmetric_keys/tests/Makefile | 4 + crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 18 +++ .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 24 +++ include/asm-generic/vmlinux.lds.h | 14 +- include/linux/kfuzztest.h | 90 +++++++++++ lib/Kconfig.debug | 1 + lib/Makefile | 2 + lib/kfuzztest/Kconfig | 16 ++ lib/kfuzztest/Makefile | 4 + lib/kfuzztest/input.c | 47 ++++++ lib/kfuzztest/main.c | 142 ++++++++++++++++ samples/Kconfig | 7 + samples/Makefile | 1 + samples/kfuzztest/Makefile | 3 + samples/kfuzztest/underflow_on_buffer.c | 52 ++++++ 19 files changed, 586 insertions(+), 1 deletion(-) create mode 100644 Documentation/dev-tools/kfuzztest.rst create mode 100644 crypto/asymmetric_keys/tests/Makefile create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c create mode 100644 include/linux/kfuzztest.h create mode 100644 lib/kfuzztest/Kconfig create mode 100644 lib/kfuzztest/Makefile create mode 100644 lib/kfuzztest/input.c create mode 100644 lib/kfuzztest/main.c create mode 100644 samples/kfuzztest/Makefile create mode 100644 samples/kfuzztest/underflow_on_buffer.c -- 2.51.0
Powered by blists - more mailing lists