From: Alexander Potapenko <glider@google.com>
To: Ethan Graham <ethan.w.s.graham@gmail.com>, ignat@cloudflare.com
Cc: ethangraham@google.com, andreyknvl@gmail.com, andy@kernel.org,
brauner@kernel.org, brendan.higgins@linux.dev,
davem@davemloft.net, davidgow@google.com, dhowells@redhat.com,
dvyukov@google.com, elver@google.com,
herbert@gondor.apana.org.au, jack@suse.cz, jannh@google.com,
johannes@sipsolutions.net, kasan-dev@googlegroups.com,
kees@kernel.org, kunit-dev@googlegroups.com,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lukas@wunner.de, rmoar@google.com,
shuah@kernel.org, tarasmadan@google.com
Subject: Re: [PATCH v1 07/10] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
Date: Thu, 18 Sep 2025 16:15:27 +0200 [thread overview]
Message-ID: <CAG_fn=Xkig71cn1xCUP1t=OLAbk+YYLsec0HhciROuiTD6AELg@mail.gmail.com> (raw)
In-Reply-To: <20250916090109.91132-8-ethan.w.s.graham@gmail.com>
On Tue, Sep 16, 2025 at 11:01 AM Ethan Graham
<ethan.w.s.graham@gmail.com> wrote:
>
> From: Ethan Graham <ethangraham@google.com>
>
> Add KFuzzTest targets for pkcs7_parse_message, rsa_parse_pub_key, and
> rsa_parse_priv_key to serve as real-world examples of how the framework
> is used.
>
> These functions are ideal candidates for KFuzzTest as they perform
> complex parsing of user-controlled data but are not directly exposed at
> the syscall boundary. This makes them difficult to exercise with
> traditional fuzzing tools and showcases the primary strength of the
> KFuzzTest framework: providing an interface to fuzz internal functions.
>
> To validate the effectiveness of the framework on these new targets, we
> injected two artificial bugs and let syzkaller fuzz the targets in an
> attempt to catch them.
>
> The first of these was calling the asn1 decoder with an incorrect input
> from pkcs7_parse_message, like so:
>
> - ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
> + ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);
>
> The second was bug deeper inside of asn1_ber_decoder itself, like so:
>
> - for (len = 0; n > 0; n--)
> + for (len = 0; n >= 0; n--)
>
> syzkaller was able to trigger these bugs, and the associated KASAN
> slab-out-of-bounds reports, within seconds.
>
> The targets are defined within /lib/tests, alongside existing KUnit
> tests.
>
> Signed-off-by: Ethan Graham <ethangraham@google.com>
>
> ---
> v3:
> - Change the fuzz target build to depend on CONFIG_KFUZZTEST=y,
> eliminating the need for a separate config option for each individual
> file as suggested by Ignat Korchagin.
> - Remove KFUZZTEST_EXPECT_LE on the length of the `key` field inside of
> the fuzz targets. A maximum length is now set inside of the core input
> parsing logic.
> v2:
> - Move KFuzzTest targets outside of the source files into dedicated
> _kfuzz.c files under /crypto/asymmetric_keys/tests/ as suggested by
> Ignat Korchagin and Eric Biggers.
> ---
> ---
> crypto/asymmetric_keys/Makefile | 2 +
> crypto/asymmetric_keys/tests/Makefile | 2 +
> crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 22 +++++++++++
> .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 38 +++++++++++++++++++
> 4 files changed, 64 insertions(+)
> create mode 100644 crypto/asymmetric_keys/tests/Makefile
> create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
>
> diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
> index bc65d3b98dcb..77b825aee6b2 100644
> --- a/crypto/asymmetric_keys/Makefile
> +++ b/crypto/asymmetric_keys/Makefile
> @@ -67,6 +67,8 @@ obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
> pkcs7_test_key-y := \
> pkcs7_key_type.o
>
> +obj-y += tests/
> +
> #
> # Signed PE binary-wrapped key handling
> #
> diff --git a/crypto/asymmetric_keys/tests/Makefile b/crypto/asymmetric_keys/tests/Makefile
> new file mode 100644
> index 000000000000..4ffe0bbe9530
> --- /dev/null
> +++ b/crypto/asymmetric_keys/tests/Makefile
> @@ -0,0 +1,2 @@
> +obj-$(CONFIG_KFUZZTEST) += pkcs7_kfuzz.o
> +obj-$(CONFIG_KFUZZTEST) += rsa_helper_kfuzz.o
> diff --git a/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> new file mode 100644
> index 000000000000..37e02ba517d8
> --- /dev/null
> +++ b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> @@ -0,0 +1,22 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * PKCS#7 parser KFuzzTest target
> + *
> + * Copyright 2025 Google LLC
> + */
> +#include <crypto/pkcs7.h>
> +#include <linux/kfuzztest.h>
> +
> +struct pkcs7_parse_message_arg {
> + const void *data;
> + size_t datalen;
> +};
> +
> +FUZZ_TEST(test_pkcs7_parse_message, struct pkcs7_parse_message_arg)
> +{
> + KFUZZTEST_EXPECT_NOT_NULL(pkcs7_parse_message_arg, data);
> + KFUZZTEST_ANNOTATE_ARRAY(pkcs7_parse_message_arg, data);
> + KFUZZTEST_ANNOTATE_LEN(pkcs7_parse_message_arg, datalen, data);
> +
> + pkcs7_parse_message(arg->data, arg->datalen);
As far as I understand, this function creates an allocation, so the
fuzz test will need to free it using pkcs7_free_message() to avoid
leaking memory.
What do you think, Ignat?
> + struct rsa_key out;
> + rsa_parse_pub_key(&out, arg->key, arg->key_len);
> +}
Do we need to deallocate anything here?
next prev parent reply other threads:[~2025-09-18 14:16 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-16 9:00 [PATCH v1 0/10] KFuzzTest: a new kernel fuzzing framework Ethan Graham
2025-09-16 9:01 ` [PATCH v1 01/10] mm/kasan: implement kasan_poison_range Ethan Graham
2025-09-16 9:34 ` Alexander Potapenko
2025-09-16 9:01 ` [PATCH v1 02/10] kfuzztest: add user-facing API and data structures Ethan Graham
2025-09-16 9:58 ` Alexander Potapenko
2025-09-16 9:01 ` [PATCH v1 03/10] kfuzztest: implement core module and input processing Ethan Graham
2025-09-16 10:21 ` Alexander Potapenko
2025-09-17 3:59 ` kernel test robot
2025-09-18 1:21 ` kernel test robot
2025-09-16 9:01 ` [PATCH v1 04/10] tools: add kfuzztest-bridge utility Ethan Graham
2025-09-16 13:42 ` Alexander Potapenko
2025-09-17 13:26 ` SeongJae Park
2025-09-16 9:01 ` [PATCH v1 05/10] kfuzztest: add ReST documentation Ethan Graham
2025-09-16 9:01 ` [PATCH v1 06/10] kfuzztest: add KFuzzTest sample fuzz targets Ethan Graham
2025-09-18 3:17 ` kernel test robot
2025-09-16 9:01 ` [PATCH v1 07/10] crypto: implement KFuzzTest targets for PKCS7 and RSA parsing Ethan Graham
2025-09-16 10:28 ` Ignat Korchagin
2025-09-17 23:37 ` kernel test robot
2025-09-18 6:52 ` kernel test robot
2025-09-18 14:15 ` Alexander Potapenko [this message]
2025-09-16 9:01 ` [PATCH v1 08/10] drivers/auxdisplay: add a KFuzzTest for parse_xy() Ethan Graham
2025-09-16 9:01 ` [PATCH v1 09/10] fs/binfmt_script: add KFuzzTest target for load_script Ethan Graham
2025-09-17 5:04 ` kernel test robot
2025-09-16 9:01 ` [PATCH v1 10/10] MAINTAINERS: add maintainer information for KFuzzTest Ethan Graham
2025-09-16 9:38 ` Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG_fn=Xkig71cn1xCUP1t=OLAbk+YYLsec0HhciROuiTD6AELg@mail.gmail.com' \
--to=glider@google.com \
--cc=andreyknvl@gmail.com \
--cc=andy@kernel.org \
--cc=brauner@kernel.org \
--cc=brendan.higgins@linux.dev \
--cc=davem@davemloft.net \
--cc=davidgow@google.com \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=ethan.w.s.graham@gmail.com \
--cc=ethangraham@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=johannes@sipsolutions.net \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lukas@wunner.de \
--cc=rmoar@google.com \
--cc=shuah@kernel.org \
--cc=tarasmadan@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox