| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG_fn=VWpu6eDgumX7KV1LuRu+qYJjQzKqqYyapwyzPFWrAYXw@mail.gmail.com>
Date: Tue, 20 Jan 2026 14:39:17 +0100
From: Alexander Potapenko <glider@...gle.com>
To: Ethan Graham <ethan.w.s.graham@...il.com>
Cc: akpm@...ux-foundation.org, andreyknvl@...il.com, andy@...nel.org,
andy.shevchenko@...il.com, brauner@...nel.org, brendan.higgins@...ux.dev,
davem@...emloft.net, davidgow@...gle.com, dhowells@...hat.com,
dvyukov@...gle.com, ebiggers@...nel.org, elver@...gle.com,
gregkh@...uxfoundation.org, herbert@...dor.apana.org.au, ignat@...udflare.com,
jack@...e.cz, jannh@...gle.com, johannes@...solutions.net,
kasan-dev@...glegroups.com, kees@...nel.org, kunit-dev@...glegroups.com,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, lukas@...ner.de, mcgrof@...nel.org, rmoar@...gle.com,
shuah@...nel.org, sj@...nel.org, skhan@...uxfoundation.org,
tarasmadan@...gle.com, wentaoz5@...inois.edu
Subject: Re: [PATCH v4 2/6] kfuzztest: implement core module and input processing
On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@...il.com> wrote:
> + * Copyright 2025 Google LLC
> + */
> +#include <linux/kfuzztest.h>
General comment: please include what you use.
Make sure there are headers for e.g. add_taint(), pr_warn(), kzalloc().
> + * Taint the kernel on the first fuzzing invocation. The debugfs
> + * interface provides a high-risk entry point for userspace to
> + * call kernel functions with untrusted input.
> + */
> + if (!test_taint(TAINT_TEST))
> + add_taint(TAINT_TEST, LOCKDEP_STILL_OK);
> +
> + if (len > KFUZZTEST_MAX_INPUT_SIZE) {
> + pr_warn("kfuzztest: user input of size %zu is too large", len);
Let's change it to pr_warn_ratelimited() to avoid log spamming.
Or maybe -EINVAL is enough for the userspace even without a log message?
> + return -EINVAL;
> + }
> +
> + buffer = kzalloc(len, GFP_KERNEL);
> + if (!buffer)
> + return -ENOMEM;
> +
> + ret = simple_write_to_buffer(buffer, len, off, buf, len);
> + if (ret != len) {
> + kfree(buffer);
> + return -EFAULT;
I suggest returning `ret` here if it is < 0, and -EFAULT otherwise.
> +#include <linux/atomic.h>
> +#include <linux/debugfs.h>
> +#include <linux/err.h>
> +#include <linux/fs.h>
> +#include <linux/kasan.h>
> +#include <linux/kfuzztest.h>
> +#include <linux/module.h>
> +#include <linux/printk.h>
Missing <linux/slab.h> for the allocation functions.
> + /* Create the main "kfuzztest" directory in /sys/kernel/debug. */
> + state.kfuzztest_dir = debugfs_create_dir("kfuzztest", NULL);
> + if (!state.kfuzztest_dir) {
> + pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory");
> + return -ENOMEM;
Note: leaking state.target_fops here.
> + for (targ = __kfuzztest_simple_targets_start; targ < __kfuzztest_simple_targets_end; targ++, i++) {
> + state.target_fops[i].target_simple = (struct file_operations){
> + .owner = THIS_MODULE,
> + .write = targ->write_input_cb,
> + };
> + err = initialize_target_dir(&state, targ, &state.target_fops[i]);
> + /*
> + * Bail out if a single target fails to initialize. This avoids
> + * partial setup, and a failure here likely indicates an issue
> + * with debugfs.
> + */
An initialization failure could result from something as simple as a
name collision.
Do we want to bail out in such cases?
Powered by blists - more mailing lists