From: Ethan Graham <ethan.w.s.graham@gmail.com>
To: ethan.w.s.graham@gmail.com, glider@google.com
Cc: akpm@linux-foundation.org, andreyknvl@gmail.com, andy@kernel.org,
andy.shevchenko@gmail.com, brauner@kernel.org,
brendan.higgins@linux.dev, davem@davemloft.net,
davidgow@google.com, dhowells@redhat.com, dvyukov@google.com,
ebiggers@kernel.org, elver@google.com,
gregkh@linuxfoundation.org, herbert@gondor.apana.org.au,
ignat@cloudflare.com, jack@suse.cz, jannh@google.com,
johannes@sipsolutions.net, kasan-dev@googlegroups.com,
kees@kernel.org, kunit-dev@googlegroups.com,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lukas@wunner.de, mcgrof@kernel.org,
rmoar@google.com, shuah@kernel.org, sj@kernel.org,
skhan@linuxfoundation.org, tarasmadan@google.com,
wentaoz5@illinois.edu
Subject: [PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework
Date: Mon, 12 Jan 2026 20:28:21 +0100 [thread overview]
Message-ID: <20260112192827.25989-1-ethan.w.s.graham@gmail.com> (raw)
This patch series introduces KFuzzTest, a lightweight framework for
creating in-kernel fuzz targets for internal kernel functions.
The primary motivation for KFuzzTest is to simplify the fuzzing of
low-level, relatively stateless functions (e.g., data parsers, format
converters) that are difficult to exercise effectively from the syscall
boundary. It is intended for in-situ fuzzing of kernel code without
requiring that it be built as a separate userspace library or that its
dependencies be stubbed out.
Following feedback from the Linux Plumbers Conference and mailing list
discussions, this version of the framework has been significantly
simplified. It now focuses exclusively on handling raw binary inputs,
removing the complexity of the custom serialization format and DWARF
parsing found in previous iterations.
The core design consists of two main parts:
1. The `FUZZ_TEST_SIMPLE(name)` macro, which allows developers to define
a fuzz test that accepts a buffer and its length.
2. A simplified debugfs interface that allows userspace fuzzers (or
simple command-line tools) to pass raw binary blobs directly to the
target function.
To validate the framework's end-to-end effectiveness, we performed an
experiment by manually introducing an off-by-one buffer over-read into
pkcs7_parse_message, like so:
- ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);
A syzkaller instance fuzzing the new test_pkcs7_parse_message target
introduced in patch 7 successfully triggered the bug inside of
asn1_ber_decoder in under 30 seconds from a cold start. Similar
experiments on the other new fuzz targets (patches 8-9) also
successfully identified injected bugs, proving that KFuzzTest is
effective when paired with a coverage-guided fuzzing engine.
This patch series is structured as follows:
- Patch 1 introduces the core KFuzzTest API, including the main
FUZZ_TEST_SIMPLE macro.
- Patch 2 adds the runtime implementation for the framework
- Patch 3 adds documentation.
- Patch 4 provides sample fuzz targets.
- Patch 5 defines fuzz targets for several functions in crypto/.
- Patch 6 adds maintainer information for KFuzzTest.
Changes since PR v3:
- Major simplification of the architecture, removing the complex
`FUZZ_TEST` macro, the custom serialization format, domain
constraints, annotations, and associated DWARF metadata regions.
- The framework now only supports `FUZZ_TEST_SIMPLE` targets, which
accept raw binary data.
- Removed the userspace bridge tool as it is no longer required for
serializing inputs.
- Updated documentation and samples to reflect the "simple-only"
approach.
Ethan Graham (6):
kfuzztest: add user-facing API and data structures
kfuzztest: implement core module and input processing
kfuzztest: add ReST documentation
kfuzztest: add KFuzzTest sample fuzz targets
crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
MAINTAINERS: add maintainer information for KFuzzTest
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfuzztest.rst | 152 ++++++++++++++++++
MAINTAINERS | 7 +
crypto/asymmetric_keys/Makefile | 2 +
crypto/asymmetric_keys/tests/Makefile | 4 +
crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 18 +++
.../asymmetric_keys/tests/rsa_helper_kfuzz.c | 24 +++
include/asm-generic/vmlinux.lds.h | 14 +-
include/linux/kfuzztest.h | 90 +++++++++++
lib/Kconfig.debug | 1 +
lib/Makefile | 2 +
lib/kfuzztest/Kconfig | 16 ++
lib/kfuzztest/Makefile | 4 +
lib/kfuzztest/input.c | 47 ++++++
lib/kfuzztest/main.c | 142 ++++++++++++++++
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/kfuzztest/Makefile | 3 +
samples/kfuzztest/underflow_on_buffer.c | 52 ++++++
19 files changed, 586 insertions(+), 1 deletion(-)
create mode 100644 Documentation/dev-tools/kfuzztest.rst
create mode 100644 crypto/asymmetric_keys/tests/Makefile
create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
create mode 100644 include/linux/kfuzztest.h
create mode 100644 lib/kfuzztest/Kconfig
create mode 100644 lib/kfuzztest/Makefile
create mode 100644 lib/kfuzztest/input.c
create mode 100644 lib/kfuzztest/main.c
create mode 100644 samples/kfuzztest/Makefile
create mode 100644 samples/kfuzztest/underflow_on_buffer.c
--
2.51.0
next reply other threads:[~2026-01-12 19:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-12 19:28 Ethan Graham [this message]
2026-01-12 19:28 ` [PATCH v4 1/6] kfuzztest: add user-facing API and data structures Ethan Graham
2026-01-12 19:28 ` [PATCH v4 2/6] kfuzztest: implement core module and input processing Ethan Graham
2026-01-12 19:28 ` [PATCH v4 3/6] kfuzztest: add ReST documentation Ethan Graham
2026-01-12 19:28 ` [PATCH v4 4/6] kfuzztest: add KFuzzTest sample fuzz targets Ethan Graham
2026-01-12 19:28 ` [PATCH v4 5/6] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing Ethan Graham
2026-01-12 19:28 ` [PATCH v4 6/6] MAINTAINERS: add maintainer information for KFuzzTest Ethan Graham
2026-01-12 19:43 ` [PATCH v4 0/6] KFuzzTest: a new kernel fuzzing framework Ethan Graham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260112192827.25989-1-ethan.w.s.graham@gmail.com \
--to=ethan.w.s.graham@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=andy.shevchenko@gmail.com \
--cc=andy@kernel.org \
--cc=brauner@kernel.org \
--cc=brendan.higgins@linux.dev \
--cc=davem@davemloft.net \
--cc=davidgow@google.com \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=johannes@sipsolutions.net \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=rmoar@google.com \
--cc=shuah@kernel.org \
--cc=sj@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=tarasmadan@google.com \
--cc=wentaoz5@illinois.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox