From: Johannes Berg <johannes@sipsolutions.net>
To: Ethan Graham <ethan.w.s.graham@gmail.com>,
ethangraham@google.com, glider@google.com
Cc: andreyknvl@gmail.com, andy@kernel.org, brauner@kernel.org,
brendan.higgins@linux.dev, davem@davemloft.net,
davidgow@google.com, dhowells@redhat.com, dvyukov@google.com,
elver@google.com, herbert@gondor.apana.org.au,
ignat@cloudflare.com, jack@suse.cz, jannh@google.com,
kasan-dev@googlegroups.com, kees@kernel.org,
kunit-dev@googlegroups.com, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
lukas@wunner.de, rmoar@google.com, shuah@kernel.org,
sj@kernel.org, tarasmadan@google.com
Subject: Re: [PATCH v2 0/10] KFuzzTest: a new kernel fuzzing framework
Date: Wed, 24 Sep 2025 14:52:32 +0200 [thread overview]
Message-ID: <3562eeeb276dc9cc5f3b238a3f597baebfa56bad.camel@sipsolutions.net> (raw)
In-Reply-To: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com> (sfid-20250919_165801_647339_D5FEA55B)
On Fri, 2025-09-19 at 14:57 +0000, Ethan Graham wrote:
>
> This patch series introduces KFuzzTest, a lightweight framework for
> creating in-kernel fuzz targets for internal kernel functions.
>
> The primary motivation for KFuzzTest is to simplify the fuzzing of
> low-level, relatively stateless functions (e.g., data parsers, format
> converters) that are difficult to exercise effectively from the syscall
> boundary. It is intended for in-situ fuzzing of kernel code without
> requiring that it be built as a separate userspace library or that its
> dependencies be stubbed out. Using a simple macro-based API, developers
> can add a new fuzz target with minimal boilerplate code.
So ... I guess I understand the motivation to make this easy for
developers, but I'm not sure I'm happy to have all of this effectively
depend on syzkaller.
You spelled out the process to actually declare a fuzz test, but you
never spelled out the process to actually run fuzzing against it. For
the record, and everyone else who might be reading, here's my
understanding:
- the FUZZ_TEST() macro declares some magic in the Linux binary,
including the name of the struct that describes the necessary input
- there's a parser in syzkaller (and not really usable standalone) that
can parse the vmlinux binary (and doesn't handle modules) and
generates descriptions for the input from it
- I _think_ that the bridge tool uses these descriptions, though the
example you have in the documentation just says "use this command for
this test" and makes no representation as to how the first argument
to the bridge tool is created, it just appears out of thin air
- the bridge tool will then parse the description and use some random
data to create the serialised data that's deserialized in the kernel
and then passed to the test
- side note: did that really have to be a custom serialization
format? I don't see any discussion on that, there are different
formats that exist already, I'd think?
- the test runs now, and may or may not crash, as you'd expect
I was really hoping to integrate this with ARCH=um and other fuzzers[1],
but ... I don't really think it's entirely feasible. I can basically
only require hard-coding the input description like the bridge tool
does, but that doesn't scale, or attempt to extract a few thousand lines
of code from syzkaller to extract the data...
[1] in particular honggfuzz as I wrote earlier, due to the coverage
feedback format issues with afl++, but if I were able to use clang
right now I could probably also make afl++ work in a similar way
by adding support for --fsanitize-coverage=trace-pc-guard first.
I'm not even saying that you had many choices here, but it's definitely
annoying, at least to me, that all this infrastructure is effectively
dependent on syzkaller due to all of this. At the same time, yes, I get
that parsing dwarf and getting a description out is not an easy feat,
and without the infrastructure already in syzkaller it'd take more than
the ~1.1kLOC (and even that is not small) it has now.
I guess the biggest question to me is ultimately why all that is
necessary? Right now, there's only the single example kfuzztest that
even uses this infrastructure beyond a single linear buffer [2]. Where
is all that complexity even worth it? It's expressly intended for
simpler pieces of code that parse something ("data parsers, format
converters").
[2] admittedly the auxdisplay one is slightly different and uses a
string, but that's pretty much equivalent
johannes
next prev parent reply other threads:[~2025-09-24 12:52 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 14:57 Ethan Graham
2025-09-19 14:57 ` [PATCH v2 01/10] mm/kasan: implement kasan_poison_range Ethan Graham
2025-09-23 16:46 ` Andrey Konovalov
2025-09-19 14:57 ` [PATCH v2 02/10] kfuzztest: add user-facing API and data structures Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-24 8:44 ` Johannes Berg
2025-09-19 14:57 ` [PATCH v2 03/10] kfuzztest: implement core module and input processing Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-19 14:57 ` [PATCH v2 04/10] tools: add kfuzztest-bridge utility Ethan Graham
2025-09-19 15:05 ` Alexander Potapenko
2025-09-19 14:57 ` [PATCH v2 05/10] kfuzztest: add ReST documentation Ethan Graham
2025-09-19 14:57 ` [PATCH v2 06/10] kfuzztest: add KFuzzTest sample fuzz targets Ethan Graham
2025-09-19 14:57 ` [PATCH v2 07/10] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing Ethan Graham
2025-09-19 14:57 ` [PATCH v2 08/10] drivers/auxdisplay: add a KFuzzTest for parse_xy() Ethan Graham
2025-09-19 15:07 ` Alexander Potapenko
2025-09-20 10:53 ` Andy Shevchenko
2025-09-20 12:08 ` Alexander Potapenko
2025-09-20 12:47 ` Lukas Wunner
2025-09-21 18:25 ` Andy Shevchenko
2025-09-24 9:28 ` kernel test robot
2025-09-19 14:57 ` [PATCH v2 09/10] fs/binfmt_script: add KFuzzTest target for load_script Ethan Graham
2025-09-19 15:07 ` Alexander Potapenko
2025-09-19 19:19 ` Kees Cook
2025-09-19 14:57 ` [PATCH v2 10/10] MAINTAINERS: add maintainer information for KFuzzTest Ethan Graham
2025-09-24 8:32 ` SeongJae Park
2025-09-19 15:04 ` [PATCH v2 0/10] KFuzzTest: a new kernel fuzzing framework Alexander Potapenko
2025-09-24 12:52 ` Johannes Berg [this message]
2025-09-25 8:35 ` Ethan Graham
2025-10-24 8:37 ` Johannes Berg
2025-10-28 17:38 ` Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3562eeeb276dc9cc5f3b238a3f597baebfa56bad.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=andreyknvl@gmail.com \
--cc=andy@kernel.org \
--cc=brauner@kernel.org \
--cc=brendan.higgins@linux.dev \
--cc=davem@davemloft.net \
--cc=davidgow@google.com \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=ethan.w.s.graham@gmail.com \
--cc=ethangraham@google.com \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lukas@wunner.de \
--cc=rmoar@google.com \
--cc=shuah@kernel.org \
--cc=sj@kernel.org \
--cc=tarasmadan@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox