From: Ethan Graham <ethan.w.s.graham@gmail.com>
To: ethangraham@google.com, glider@google.com
Cc: andreyknvl@gmail.com, andy@kernel.org, brauner@kernel.org,
brendan.higgins@linux.dev, davem@davemloft.net,
davidgow@google.com, dhowells@redhat.com, dvyukov@google.com,
elver@google.com, herbert@gondor.apana.org.au,
ignat@cloudflare.com, jack@suse.cz, jannh@google.com,
johannes@sipsolutions.net, kasan-dev@googlegroups.com,
kees@kernel.org, kunit-dev@googlegroups.com,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lukas@wunner.de, rmoar@google.com,
shuah@kernel.org, sj@kernel.org, tarasmadan@google.com
Subject: [PATCH v2 0/10] KFuzzTest: a new kernel fuzzing framework
Date: Fri, 19 Sep 2025 14:57:40 +0000
Message-ID: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com>
From: Ethan Graham <ethangraham@google.com>

This patch series introduces KFuzzTest, a lightweight framework for
creating in-kernel fuzz targets for internal kernel functions.

The primary motivation for KFuzzTest is to simplify the fuzzing of
low-level, relatively stateless functions (e.g., data parsers, format
converters) that are difficult to exercise effectively from the syscall
boundary. It is intended for in-situ fuzzing of kernel code without
requiring that it be built as a separate userspace library or that its
dependencies be stubbed out. Using a simple macro-based API, developers
can add a new fuzz target with minimal boilerplate code.

The core design consists of three main parts:

1. A `FUZZ_TEST(name, struct_type)` macro that allows developers to
   easily define a fuzz test.
2. A binary input format that allows a userspace fuzzer to serialize
   complex, pointer-rich C structures into a single buffer.
3. Metadata for test targets, constraints, and annotations, which is
   emitted into dedicated ELF sections to allow for discovery and
   inspection by userspace tools. These are found in
   ".kfuzztest_{targets, constraints, annotations}".

To demonstrate this framework's viability, support for KFuzzTest has been
prototyped in a development fork of syzkaller, enabling coverage-guided
fuzzing. To validate its end-to-end effectiveness, we performed an
experiment by manually introducing an off-by-one buffer over-read into
pkcs7_parse_message, like so:

- ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);
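Review bot: `datalen + 1` tells asn1_ber_decoder that `data` is one byte longer than it is, so the decoder's last read lands one byte past the end of the input; this is the fault injected for the timing experiment and must not be applied to the tree. It would help reviewers if the cover letter said what makes that single-byte over-read detectable: patch 1's kasan_poison_range (unaligned start, KASAN_GRANULE_SIZE-aligned end) looks like the piece that poisons the bytes immediately after the input, since a one-byte read that stays inside an unpoisoned slab object is silent.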

A syzkaller instance fuzzing the new test_pkcs7_parse_message target
introduced in patch 7 successfully triggered the bug inside of
asn1_ber_decoder in under 30 seconds from a cold start. Similar
experiments on the other new fuzz targets (patches 8-9) also
successfully identified injected bugs, proving that KFuzzTest is
effective when paired with a coverage-guided fuzzing engine.

A note on build system integration: several new fuzz targets (patches
7-9) are included by conditionally importing a .c file when
CONFIG_KFUZZTEST=y. While this may seem unusual, it follows a pattern
used by some KUnit tests (e.g., in /fs/binfmt_elf.c). We considered
defining macros like VISIBLE_IF_KFUZZTEST, but believe the final
integration approach is best decided by subsystem maintainers. This
avoids creating a one-size-fits-all abstraction prematurely.

The patch series is structured as follows:

- Patch 1 adds and exposes kasan_poison_range for poisoning memory
  ranges with an unaligned start address and KASAN_GRANULE_SIZE aligned
  end address.
- Patch 2 introduces the core KFuzzTest API and data structures.
- Patch 3 adds the runtime implementation for the framework.
- Patch 4 adds a tool for sending structured inputs into a fuzz target.
- Patch 5 adds documentation.
- Patch 6 provides sample fuzz targets.
- Patch 7 defines fuzz targets for several functions in /crypto.
- Patch 8 defines a fuzz target for parse_xy in /drivers/auxdisplay.
- Patch 9 defines a fuzz target for load_script in /fs.
- Patch 10 adds maintainer information for KFuzzTest.

Changes since PR v1:

- Per feedback from SeongJae Park, move kfuzztest-bridge into the
  testing/tools directory, and update the Makefile accordingly.
- Per review from Alexander Potapenko, address some cleanup issues and
  nits.
- Fix build issues identified by the kernel test robot <lkp@intel.com>.

Ethan Graham (10):
  mm/kasan: implement kasan_poison_range
  kfuzztest: add user-facing API and data structures
  kfuzztest: implement core module and input processing
  tools: add kfuzztest-bridge utility
  kfuzztest: add ReST documentation
  kfuzztest: add KFuzzTest sample fuzz targets
  crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
  drivers/auxdisplay: add a KFuzzTest for parse_xy()
  fs/binfmt_script: add KFuzzTest target for load_script
  MAINTAINERS: add maintainer information for KFuzzTest

Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfuzztest.rst | 385 ++++++++++++++
MAINTAINERS | 8 +
crypto/asymmetric_keys/Makefile | 2 +
crypto/asymmetric_keys/tests/Makefile | 4 +
crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 26 +
.../asymmetric_keys/tests/rsa_helper_kfuzz.c | 38 ++
drivers/auxdisplay/charlcd.c | 8 +
drivers/auxdisplay/tests/charlcd_kfuzz.c | 20 +
fs/binfmt_script.c | 8 +
fs/tests/binfmt_script_kfuzz.c | 58 ++
include/asm-generic/vmlinux.lds.h | 22 +-
include/linux/kasan.h | 11 +
include/linux/kfuzztest.h | 497 ++++++++++++++++++
lib/Kconfig.debug | 1 +
lib/Makefile | 2 +
lib/kfuzztest/Kconfig | 20 +
lib/kfuzztest/Makefile | 4 +
lib/kfuzztest/main.c | 242 +++++++++
lib/kfuzztest/parse.c | 204 +++++++
mm/kasan/shadow.c | 34 ++
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/kfuzztest/Makefile | 3 +
samples/kfuzztest/overflow_on_nested_buffer.c | 71 +++
samples/kfuzztest/underflow_on_buffer.c | 59 +++
tools/Makefile | 18 +-
tools/testing/kfuzztest-bridge/.gitignore | 2 +
tools/testing/kfuzztest-bridge/Build | 6 +
tools/testing/kfuzztest-bridge/Makefile | 49 ++
tools/testing/kfuzztest-bridge/bridge.c | 115 ++++
tools/testing/kfuzztest-bridge/byte_buffer.c | 85 +++
tools/testing/kfuzztest-bridge/byte_buffer.h | 31 ++
tools/testing/kfuzztest-bridge/encoder.c | 390 ++++++++++++++
tools/testing/kfuzztest-bridge/encoder.h | 16 +
tools/testing/kfuzztest-bridge/input_lexer.c | 256 +++++++++
tools/testing/kfuzztest-bridge/input_lexer.h | 58 ++
tools/testing/kfuzztest-bridge/input_parser.c | 425 +++++++++++++++
tools/testing/kfuzztest-bridge/input_parser.h | 82 +++
tools/testing/kfuzztest-bridge/rand_stream.c | 77 +++
tools/testing/kfuzztest-bridge/rand_stream.h | 57 ++
41 files changed, 3399 insertions(+), 4 deletions(-)
create mode 100644 Documentation/dev-tools/kfuzztest.rst
create mode 100644 crypto/asymmetric_keys/tests/Makefile
create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
create mode 100644 drivers/auxdisplay/tests/charlcd_kfuzz.c
create mode 100644 fs/tests/binfmt_script_kfuzz.c
create mode 100644 include/linux/kfuzztest.h
create mode 100644 lib/kfuzztest/Kconfig
create mode 100644 lib/kfuzztest/Makefile
create mode 100644 lib/kfuzztest/main.c
create mode 100644 lib/kfuzztest/parse.c
create mode 100644 samples/kfuzztest/Makefile
create mode 100644 samples/kfuzztest/overflow_on_nested_buffer.c
create mode 100644 samples/kfuzztest/underflow_on_buffer.c
create mode 100644 tools/testing/kfuzztest-bridge/.gitignore
create mode 100644 tools/testing/kfuzztest-bridge/Build
create mode 100644 tools/testing/kfuzztest-bridge/Makefile
create mode 100644 tools/testing/kfuzztest-bridge/bridge.c
create mode 100644 tools/testing/kfuzztest-bridge/byte_buffer.c
create mode 100644 tools/testing/kfuzztest-bridge/byte_buffer.h
create mode 100644 tools/testing/kfuzztest-bridge/encoder.c
create mode 100644 tools/testing/kfuzztest-bridge/encoder.h
create mode 100644 tools/testing/kfuzztest-bridge/input_lexer.c
create mode 100644 tools/testing/kfuzztest-bridge/input_lexer.h
create mode 100644 tools/testing/kfuzztest-bridge/input_parser.c
create mode 100644 tools/testing/kfuzztest-bridge/input_parser.h
create mode 100644 tools/testing/kfuzztest-bridge/rand_stream.c
create mode 100644 tools/testing/kfuzztest-bridge/rand_stream.h
--
2.51.0.470.ga7dc726c21-goog
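The second design element in the cover letter, a binary input format in which a userspace fuzzer flattens a pointer-rich C structure into one buffer that the kernel side decodes before handing it to the target, is the part of such a framework where a parsing mistake turns into a false crash report or worse. The following is an added example written for this page, not code from the KFuzzTest series, its kfuzztest-bridge tool, or syzkaller: the blob layout, the field names, the BLOB_MAGIC value and the `struct parse_input` target argument are all assumptions, and the sample bytes are constructed. What it shows is the decoder-side discipline that the in-kernel half has to follow: every count and offset in the blob is fuzzer-controlled, so each one is bounds-checked before a single pointer is written into the payload.

```c
/* Added example, not KFuzzTest code: a minimal flat encoding of a
 * pointer-rich fuzz input plus a validating decoder. Layout, field names and
 * BLOB_MAGIC are assumptions. Blob = [hdr][relocs][payload]; each reloc makes
 * the pointer slot at slot_off point at payload + target_off. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOB_MAGIC 0x5a5a4642u /* assumed value */

struct blob_hdr   { uint32_t magic, nrelocs, payload_len; };
struct blob_reloc { uint32_t slot_off, target_off; };
struct parse_input { const uint8_t *data; size_t len; }; /* hypothetical target arg */

/* Decode an untrusted blob into a malloc'd copy of the payload with every
 * pointer slot patched. Returns 0 and sets *root (caller frees), or -1 on
 * any malformed offset; never reads outside buf[0..len). */
int blob_decode(const uint8_t *buf, size_t len, void **root)
{
	struct blob_hdr h;
	struct blob_reloc rl;
	if (len < sizeof(h))
		return -1;
	memcpy(&h, buf, sizeof(h));
	/* Bound nrelocs before multiplying so the table size cannot wrap. */
	if (h.magic != BLOB_MAGIC || h.nrelocs > len / sizeof(rl))
		return -1;
	size_t payload_off = sizeof(h) + (size_t)h.nrelocs * sizeof(rl);
	if (payload_off > len || len - payload_off != h.payload_len)
		return -1;
	uint8_t *payload = malloc(h.payload_len ? h.payload_len : 1);
	if (!payload)
		return -1;
	memcpy(payload, buf + payload_off, h.payload_len);
	for (uint32_t i = 0; i < h.nrelocs; i++) {
		memcpy(&rl, buf + sizeof(h) + (size_t)i * sizeof(rl), sizeof(rl));
		/* The whole slot must sit inside the payload, naturally aligned; the
		 * target may equal payload_len (an empty buffer) but go no further. */
		if (rl.slot_off % sizeof(void *) || h.payload_len < sizeof(void *) ||
		    rl.slot_off > h.payload_len - sizeof(void *) ||
		    rl.target_off > h.payload_len) {
			free(payload);
			return -1;
		}
		uint8_t *p = payload + rl.target_off;
		memcpy(payload + rl.slot_off, &p, sizeof(p));
	}
	*root = payload;
	return 0;
}

/* Userspace side: flatten a parse_input and the buffer it points to.
 * Returns the blob length, or 0 if it would not fit in `cap`. */
size_t blob_encode(const uint8_t *data, uint32_t dlen, uint8_t *out, size_t cap)
{
	uint32_t data_off = (sizeof(struct parse_input) + 7) & ~(size_t)7;
	if (dlen > UINT32_MAX - data_off)
		return 0;
	struct blob_hdr h = { BLOB_MAGIC, 1, data_off + dlen };
	struct blob_reloc rel = { offsetof(struct parse_input, data), data_off };
	struct parse_input in = { NULL, dlen }; /* .data is filled in by the decoder */
	size_t total = sizeof(h) + sizeof(rel) + h.payload_len;
	uint8_t *p = out;
	if (cap < total)
		return 0;
	memcpy(p, &h, sizeof(h));     p += sizeof(h);
	memcpy(p, &rel, sizeof(rel)); p += sizeof(rel);
	memset(p, 0, h.payload_len);
	memcpy(p, &in, sizeof(in));
	memcpy(p + data_off, data, dlen);
	return total;
}

/* Round-trip a constructed input (not a real PKCS#7 message) and check what
 * the target would see. Returns 1 on success. */
int roundtrip_ok(void)
{
	static const uint8_t sample[] = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 };
	uint8_t blob[64]; void *root = NULL;
	size_t n = blob_encode(sample, sizeof(sample), blob, sizeof(blob));
	if (!n || blob_decode(blob, n, &root))
		return 0;
	struct parse_input *in = root;
	int ok = in->len == sizeof(sample) && !memcmp(in->data, sample, in->len);
	free(root);
	return ok;
}

/* A reloc whose slot would straddle the payload end must be rejected.
 * Returns 1 when the decoder refuses it. */
int rejects_bad_reloc(void)
{
	uint8_t blob[64]; void *root = NULL;
	struct blob_reloc bad = { 24, 0 }; /* slot at 24 in a 19-byte payload */
	size_t n = blob_encode((const uint8_t *)"abc", 3, blob, sizeof(blob));
	memcpy(blob + sizeof(struct blob_hdr), &bad, sizeof(bad));
	return n && blob_decode(blob, n, &root) == -1;
}
```

Two points of the design are worth spelling out. First, blob_decode() itself must never crash on a mutated blob, because any fault in the input parser would be reported as a fault in the function under test; that is why nrelocs is bounded before the multiplication and why a pointer slot must fit entirely inside the payload rather than merely start inside it. Second, the example deliberately models neither the constraint nor the annotation metadata the series describes, so nothing ties parse_input.len to the size of the buffer it points at; a real harness has to express that relationship, or the fuzzer will hand the target lengths it cannot safely trust.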
Thread overview: 30+ messages
2025-09-19 14:57 Ethan Graham [this message]
2025-09-19 14:57 ` [PATCH v2 01/10] mm/kasan: implement kasan_poison_range Ethan Graham
2025-09-23 16:46 ` Andrey Konovalov
2025-09-19 14:57 ` [PATCH v2 02/10] kfuzztest: add user-facing API and data structures Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-24 8:44 ` Johannes Berg
2025-09-19 14:57 ` [PATCH v2 03/10] kfuzztest: implement core module and input processing Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-19 14:57 ` [PATCH v2 04/10] tools: add kfuzztest-bridge utility Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-19 14:57 ` [PATCH v2 05/10] kfuzztest: add ReST documentation Ethan Graham
2025-09-19 14:57 ` [PATCH v2 06/10] kfuzztest: add KFuzzTest sample fuzz targets Ethan Graham
2025-09-19 14:57 ` [PATCH v2 07/10] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing Ethan Graham
2025-09-19 14:57 ` [PATCH v2 08/10] drivers/auxdisplay: add a KFuzzTest for parse_xy() Ethan Graham
2025-09-19 15:07 ` Alexander Potapenko
2025-09-20 10:53 ` Andy Shevchenko
2025-09-20 12:08 ` Alexander Potapenko
2025-09-20 12:47 ` Lukas Wunner
2025-09-21 18:25 ` Andy Shevchenko
2025-09-24 9:28 ` kernel test robot
2025-09-19 14:57 ` [PATCH v2 09/10] fs/binfmt_script: add KFuzzTest target for load_script Ethan Graham
2025-09-19 15:07 ` Alexander Potapenko
2025-09-19 19:19 ` Kees Cook
2025-09-19 14:57 ` [PATCH v2 10/10] MAINTAINERS: add maintainer information for KFuzzTest Ethan Graham
2025-09-24 8:32 ` SeongJae Park
2025-09-19 15:04 ` [PATCH v2 0/10] KFuzzTest: a new kernel fuzzing framework Alexander Potapenko
2025-09-24 12:52 ` Johannes Berg
2025-09-25 8:35 ` Ethan Graham
2025-10-24 8:37 ` Johannes Berg
2025-10-28 17:38 ` Alexander Potapenko