Message-ID: <20260112192827.25989-5-ethan.w.s.graham@gmail.com>
Date: Mon, 12 Jan 2026 20:28:25 +0100
From: Ethan Graham <ethan.w.s.graham@...il.com>
To: ethan.w.s.graham@...il.com,
	glider@...gle.com
Cc: akpm@...ux-foundation.org,
	andreyknvl@...il.com,
	andy@...nel.org,
	andy.shevchenko@...il.com,
	brauner@...nel.org,
	brendan.higgins@...ux.dev,
	davem@...emloft.net,
	davidgow@...gle.com,
	dhowells@...hat.com,
	dvyukov@...gle.com,
	ebiggers@...nel.org,
	elver@...gle.com,
	gregkh@...uxfoundation.org,
	herbert@...dor.apana.org.au,
	ignat@...udflare.com,
	jack@...e.cz,
	jannh@...gle.com,
	johannes@...solutions.net,
	kasan-dev@...glegroups.com,
	kees@...nel.org,
	kunit-dev@...glegroups.com,
	linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-mm@...ck.org,
	lukas@...ner.de,
	mcgrof@...nel.org,
	rmoar@...gle.com,
	shuah@...nel.org,
	sj@...nel.org,
	skhan@...uxfoundation.org,
	tarasmadan@...gle.com,
	wentaoz5@...inois.edu
Subject: [PATCH v4 4/6] kfuzztest: add KFuzzTest sample fuzz targets

Add two simple fuzz target samples to demonstrate the KFuzzTest API and
provide basic self-tests for the framework.

These examples showcase how a developer can define a fuzz target using
the FUZZ_TEST_SIMPLE() macro. They also serve as a runtime sanity check,
ensuring that the framework correctly passes the input buffer and that
KASAN correctly detects out-of-bounds memory accesses (in this case, a
buffer underflow) on the allocated test data.

This target can be fuzzed naively by writing random data into the
debugfs 'input_simple' file and verifying that the KASAN report is
triggered.

Signed-off-by: Ethan Graham <ethan.w.s.graham@...il.com>
Acked-by: Alexander Potapenko <glider@...gle.com>

---
PR v4:
- Remove the `test_underflow_on_nested_buffer` sample target which
  relied on the now removed `FUZZ_TEST` macro.
- Update the sample comment to demonstrate naive fuzzing (using `head`)
  instead of the removed bridge tool.
- Fix stale comments referencing internal layout structures.
PR v3:
- Use the FUZZ_TEST_SIMPLE macro in the `underflow_on_buffer` sample
  fuzz target instead of FUZZ_TEST.
PR v2:
- Fix build issues pointed out by the kernel test robot <lkp@...el.com>.
---
---
 samples/Kconfig                         |  7 ++++
 samples/Makefile                        |  1 +
 samples/kfuzztest/Makefile              |  3 ++
 samples/kfuzztest/underflow_on_buffer.c | 52 +++++++++++++++++++++++++
 4 files changed, 63 insertions(+)
 create mode 100644 samples/kfuzztest/Makefile
 create mode 100644 samples/kfuzztest/underflow_on_buffer.c

diff --git a/samples/Kconfig b/samples/Kconfig
index 6e072a5f1ed8..303a9831d404 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -320,6 +320,13 @@ config SAMPLE_HUNG_TASK
 	  Reading these files with multiple processes triggers hung task
 	  detection by holding locks for a long time (256 seconds).
 
+config SAMPLE_KFUZZTEST
+	bool "Build KFuzzTest sample targets"
+	depends on KFUZZTEST
+	help
+	  Build KFuzzTest sample targets that serve as selftests for raw input
+	  delivery and KASAN out-of-bounds detection.
+
 source "samples/rust/Kconfig"
 
 source "samples/damon/Kconfig"
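Review bot: the help text for SAMPLE_KFUZZTEST promises "KASAN out-of-bounds detection", but the option only depends on KFUZZTEST; without KASAN the sample builds and runs yet never produces the report the description advertises. Consider either adding a `select`/`depends on` relationship with KASAN or stating in the help text that the OOB self-test is only meaningful in KASAN builds (the .c file's own comment already says "In KASAN builds"). Also, "sample targets" is plural while, after the v4 removal of `test_underflow_on_nested_buffer`, the directory's Makefile builds a single object, `underflow_on_buffer.o`.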
diff --git a/samples/Makefile b/samples/Makefile
index 07641e177bd8..3a0e7f744f44 100644
--- a/samples/Makefile
+++ b/samples/Makefile
@@ -44,4 +44,5 @@ obj-$(CONFIG_SAMPLE_DAMON_WSSE)		+= damon/
 obj-$(CONFIG_SAMPLE_DAMON_PRCL)		+= damon/
 obj-$(CONFIG_SAMPLE_DAMON_MTIER)	+= damon/
 obj-$(CONFIG_SAMPLE_HUNG_TASK)		+= hung_task/
+obj-$(CONFIG_SAMPLE_KFUZZTEST)		+= kfuzztest/
 obj-$(CONFIG_SAMPLE_TSM_MR)		+= tsm-mr/
diff --git a/samples/kfuzztest/Makefile b/samples/kfuzztest/Makefile
new file mode 100644
index 000000000000..2dc5d424824d
--- /dev/null
+++ b/samples/kfuzztest/Makefile
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+obj-$(CONFIG_SAMPLE_KFUZZTEST) += underflow_on_buffer.o
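Review bot: the SPDX identifier here is `GPL-2.0-only` while the new `underflow_on_buffer.c` in the same series uses the deprecated short form `GPL-2.0`; pick one form for both new files, preferably `GPL-2.0-only`, so the two files added by this patch carry a consistent license tag.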
diff --git a/samples/kfuzztest/underflow_on_buffer.c b/samples/kfuzztest/underflow_on_buffer.c
new file mode 100644
index 000000000000..5568c5e6be7a
--- /dev/null
+++ b/samples/kfuzztest/underflow_on_buffer.c
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * This file contains a KFuzzTest example target that ensures that a buffer
+ * underflow on a region triggers a KASAN OOB access report.
+ *
+ * Copyright 2025 Google LLC
+ */
+
+/**
+ * test_underflow_on_buffer - a sample fuzz target
+ *
+ * This sample fuzz target serves to illustrate the usage of the
+ * FUZZ_TEST_SIMPLE macro, as well as provide a sort of self-test that KFuzzTest
+ * functions correctly for trivial fuzz targets. In KASAN builds, fuzzing this
+ * harness should trigger a report for every input (provided that its length is
+ * greater than 0 and less than KFUZZTEST_MAX_INPUT_SIZE).
+ *
+ * This harness can be invoked (naively) like so:
+ * head -c 128 /dev/urandom > \
+ *	/sys/kernel/debug/kfuzztest/test_underflow_on_buffer/input_simple
+ */
+#include <linux/kfuzztest.h>
+
+static void underflow_on_buffer(char *buf, size_t buflen)
+{
+	size_t i;
+
+	/*
+	 * Print the address range of `buf` to allow correlation with the
+	 * subsequent KASAN report.
+	 */
+	pr_info("buf = [%px, %px)", buf, buf + buflen);
+
+	/* First ensure that all bytes in `buf` are accessible. */
+	for (i = 0; i < buflen; i++)
+		READ_ONCE(buf[i]);
+	/*
+	 * Provoke a buffer underflow on the first byte preceding `buf`,
+	 * triggering a KASAN report.
+	 */
+	READ_ONCE(*((char *)buf - 1));
+}
+
+/**
+ * Define the fuzz target. This wrapper ensures that the `underflow_on_buffer`
+ * function is invoked with the data provided from userspace.
+ */
+FUZZ_TEST_SIMPLE(test_underflow_on_buffer)
+{
+	underflow_on_buffer(data, datalen);
+	return 0;
+}
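Review bot: the `pr_info("buf = [%px, %px)", buf, buf + buflen);` call is missing a trailing `\n`, so the address range will be glued onto whatever is printed next (likely the first line of the KASAN report it is meant to be correlated with); change it to `pr_info("buf = [%px, %px)\n", buf, buf + buflen);`. Two smaller points in the same file: `(char *)buf - 1` casts a value that is already `char *`, so `READ_ONCE(*(buf - 1))` says the same thing more plainly, and the `/** ... */` kernel-doc opener above `FUZZ_TEST_SIMPLE(test_underflow_on_buffer)` introduces a block that is not in kernel-doc format for a function, so `scripts/kernel-doc` will complain about it; a plain `/* */` comment is the right form there.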
-- 
2.51.0

