KFuzzTest: macros for defining fuzz tests #1
Conversation
binary representation down. Correctly causes a KASAN repot when passing a buggy input to it.
Added support for this for x86 arch, but it is probably fragile because we aren't guarding with a #ifdef yet
lib/kftf/kftf_main.c
Outdated
|
|
||
| static struct kftf_simple_fuzzer_state st; | ||
|
|
||
| // XXX: allows everyone to write - correct flags? |
There was a problem hiding this comment.
Single-line C-style comments are discouraged in the kernel.
Unfortunately this is never mentioned in https://www.kernel.org/doc/html/latest/process/coding-style.html.
There was a problem hiding this comment.
Regarding the flags, this is a good question.
We are letting the developers expose arbitrary kernel functions to the user, so the security of the kernel under test is already severely compromised.
We can probably start with only allowing root access for now, although no one should be enabling fuzz tests on production machines anyway.
| #define KEXEC_RELOCATE_KERNEL | ||
| #endif | ||
|
|
||
| #define KFTF_TABLE \ |
There was a problem hiding this comment.
I think it's more or less up to you to pick a name for this subsystem, and it's not too late to change it if you prefer something different from "KFTF" :)
include/linux/kftf.h
Outdated
| .write_callback = _write_callback_##func, \ | ||
| }; \ | ||
| /* user-defined write callback */ \ | ||
| static ssize_t _write_callback_##func(struct file *filp, \ |
There was a problem hiding this comment.
The common part of the write callback that is handling writes probably doesn't need to be duplicated for each test case.
the argument type that the function takes so that the user can use tools like pahole to generate a syzkaller definition of the argument and thus fuzz the function more easily.
files. It works, and the function is exposed correctly!
has a line separator between it and the common linux includes, as per https://elixir.bootlin.com/linux/v6.12.5/source/mm/kfence/core.c
| * { | ||
| * // arg is provided by the macro, and is of type `struct func_arg_type` | ||
| * ret = func(arg.arg1, ..., arg.argn); | ||
| * validate(ret); |
There was a problem hiding this comment.
TODO
I think it would be great to have some kind of KFTF_BUG_ON(condition) or similar so that a bug is reported in a consistent way in the case that a fuzz tests fails.
There was a problem hiding this comment.
It could look something like
#define KFTF_BUG_ON(condition) if (condition) pr_warn("some output to indicate failure")Or perhaps ASSERT_TRUE(condition) as is the case in libFuzzer
There was a problem hiding this comment.
Good point, some sort of an assertion would be good to have.
ethangraham2001
force-pushed
the
kftf_step1
branch
from
329e538 to
0bddc3f
Compare
| extern const struct kftf_test_case __kftf_start[]; | ||
| extern const struct kftf_test_case __kftf_end[]; |
There was a problem hiding this comment.
NOTE: these aren't being linked against properly if we build with CONFIG_KFTF=M (I.e. as a module). It seems a little too restrictive to enforce that the fuzz test targets always be exposed as a built-in.
That being said, not sure how to link against the fuzz targets if the module is built separately from the kernel.
pointer to function argument type. This should remove the need for a mutex guarding a shared buffer entirely, and ultimately will likely perform better.
variable, and extract common input reading functionality into a separate function.
| @@ -0,0 +1,130 @@ | |||
| #ifndef KFTF_H | |||
There was a problem hiding this comment.
In addition to the include guard, every kernel file should contain an SPDX license header (/* SPDX-License-Identifier: GPL-2.0 */) and a short comment explaining what it is doing.
Check include/linux/kfence.h for an example (drop (C) per go/copyright).
| * - A mutex to protect the input buffer | ||
| * - A `struct kftf_test_case` instance | ||
| * | ||
| * Example usagea: |
| * TN argn; | ||
| * }; | ||
| * | ||
| * // Define the test case |
There was a problem hiding this comment.
Nit: single-line comments should end with a period.
There was a problem hiding this comment.
By the way, maybe change them to C-style? I don't insist though, as they are inside a comment anyway.
include/linux/kftf.h
Outdated
| * } | ||
| */ | ||
| #define FUZZ_TEST(func, func_arg_type) \ | ||
| /* input buffer. Size 2 for now, but we may support batching */ \ |
There was a problem hiding this comment.
Nit: single-line comments should start with a capital letter (unless that's a name of an identifier) and end with a period.
include/linux/kftf.h
Outdated
| */ | ||
| #define FUZZ_TEST(func, func_arg_type) \ | ||
| /* input buffer. Size 2 for now, but we may support batching */ \ | ||
| static func_arg_type input_buf_##func[2]; \ |
There was a problem hiding this comment.
Why do you need two elements, do you use them?
| source "lib/Kconfig.kasan" | ||
| source "lib/Kconfig.kfence" | ||
| source "lib/Kconfig.kmsan" | ||
| source "lib/Kconfig.kftf" |
There was a problem hiding this comment.
I suggest moving it one line above, so that the source directive are sorted.
| @@ -0,0 +1,151 @@ | |||
| #include <linux/debugfs.h> | |||
There was a problem hiding this comment.
This file also needs an SPDX header
| * @func_arg_type: the input type of func. If func takes multiple arguments, | ||
| * then one should wrap that inside of a multi-fielded struct. See usage | ||
| * example below. | ||
| * |
lib/kftf/kftf_main.c
Outdated
| size_t num_test_cases; | ||
|
|
||
| /* | ||
| * To avoid kmalloc entirely, we enforce a maximum number of fuzz tests |
There was a problem hiding this comment.
Why do we want to avoid kmalloc?
| * { | ||
| * // arg is provided by the macro, and is of type `struct func_arg_type` | ||
| * ret = func(arg.arg1, ..., arg.argn); | ||
| * validate(ret); |
There was a problem hiding this comment.
Good point, some sort of an assertion would be good to have.
WIP
This PR adds a macro for defining a KFuzztest case, which is exposed as a debufs entry under
/sys/kernel/debug/kftf/<test-case>. Usage of this is demonstrated in this syzkaller PR ethangraham2001/syzkaller#1 that leverages it to fuzz the two simple test cases exposed here.