Skip to content

KfuzzTest RFC. #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ethangraham2001 wants to merge 5 commits into
base: master
Choose a base branch
from
Open

KfuzzTest RFC. #10

ethangraham2001 wants to merge 5 commits into from

Conversation

@ethangraham2001
Copy link
Owner

@ethangraham2001 ethangraham2001 commented Aug 11, 2025

Cover letter:

Subject: [PATCH v1 RFC 0/5] kfuzztest: a new framework for fuzzing
kernel functions

This patch series introduces KFuzzTest, a lightweight framework for creating
in-kernel fuzz targets for internal kernel functions.

The primary motivation for KFuzzTest is to simplify the fuzzing of low-level,
relatively stateless functions (e.g., data parsers, format converters) that are
difficult to exercise effectively from the syscall boundary. It is intended for
in-situ fuzzing of kernel code without requiring that it be built as a separate
userspace library or that its dependencies be stubbed out. Using a simple
macro-based API, developers can add a new fuzz target with minimal boilerplate
code.

The core design consists of three main parts:
1. A `FUZZ_TEST(name, struct_type)` macro that allows developers to
   easily define a fuzz test.
2. A binary input format that allows a userspace fuzzer to serialize
   complex, pointer-rich C structures into a single buffer.
3. Metadata for test targets, constraints, and annotations, which is
   emitted into dedicated ELF sections to allow for discovery and
   inspection by userspace tools.

To prove its viability, KFuzzTest has already been integrated with Syzkaller
for coverage-guided fuzzing. We have also developed a standalone, in-VM tool
to provide a low-friction path for developers to immediately begin writing and
running fuzz targets.

This series is an RFC to gather early feedback on the overall design and
approach. We are particularly interested in feedback on:
- The general utility of such a framework.
- The design of the binary serialization format.
- The use of ELF sections for metadata and discovery.

A known issue in this version is the redefinition of two KASAN constants.
This is a temporary measure to facilitate this RFC, as a proper refactoring
causes build issues that we feel are best addressed separately from the initial
design discussion of KFuzzTest.

The patch series is structured as follows:
- Patch 1 refactors KASAN to expose functions needed by KFuzzTest.
- Patch 2 introduces the core KFuzzTest API and data structures.
- Patch 3 adds the runtime implementation for the framework.
- Patch 4 adds documentation.
- Patch 5 provides example fuzz targets.

Ethan Graham (5):
  mm/kasan: expose poisoning functions for external modules
  kfuzztest: add user-facing API and data structures
  kfuzztest: implement core module and input processing
  kfuzztest: add ReST documentation
  kfuzztest: add example fuzz targets

 Documentation/dev-tools/index.rst     |   1 +
 Documentation/dev-tools/kfuzztest.rst | 187 +++++++++
 arch/x86/kernel/vmlinux.lds.S         |  22 ++
 include/linux/kasan.h                 |  28 ++
 include/linux/kfuzztest.h             | 537 ++++++++++++++++++++++++++
 lib/Kconfig.debug                     |   1 +
 lib/Kconfig.kfuzztest                 |  20 +
 lib/Makefile                          |   2 +
 lib/kfuzztest/Makefile                |   4 +
 lib/kfuzztest/examples.c              |  75 ++++
 lib/kfuzztest/main.c                  | 161 ++++++++
 lib/kfuzztest/parse.c                 | 131 +++++++
 lib/kfuzztest/relocations.c           | 104 +++++
 mm/kasan/kasan.h                      |  28 --
 14 files changed, 1273 insertions(+), 28 deletions(-)
 create mode 100644 Documentation/dev-tools/kfuzztest.rst
 create mode 100644 include/linux/kfuzztest.h
 create mode 100644 lib/Kconfig.kfuzztest
 create mode 100644 lib/kfuzztest/Makefile
 create mode 100644 lib/kfuzztest/examples.c
 create mode 100644 lib/kfuzztest/main.c
 create mode 100644 lib/kfuzztest/parse.c
 create mode 100644 lib/kfuzztest/relocations.c

Ethan Graham and others added 5 commits August 8, 2025 15:28
@ethangraham2001
mm/kasan: expose poisoning functions for external modules
f44cc6c 
Move the function declarations for kasan_poison and
kasan_poison_last_granule from the internal mm/kasan/kasan.h to
<linux/kasan.h>.

This refactoring makes these KASAN primitives available to other kernel
subsystems that may require fine-grained memory poisoning capabilities.

This is a preparatory patch for the upcoming KFuzzTest framework which
relies on these functions for detecting out-of-bounds memory accesses
from within the bounds of a single kmalloc'd buffer.

No functional change is introduced by this commit.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
@ethangraham2001
kfuzztest: add user-facing API and data structures
8fdc2e6 
Add the foundational user-facing components for the KFuzzTest framework.
This includes the main API header <linux/kfuzztest.h>, the KConfig
option to enable the feature, and the required linker script changes
which introduce three new ELF sections in vmlinux.

Note that KFuzzTest is intended strictly for debug builds only, and
should never be enabled in a production build. The fact that it exposes
internal kernel functions and state directly to userspace may constitute
a serious security vulnerability if used for any reason other than
testing.

The header defines:
- The FUZZ_TEST() macro for creating test targets.
- The data structures required for the binary serialization format,
  which allows passing complex inputs from userspace.
- The metadata structures for test targets, constraints and annotations,
  which are placed in dedicated ELF sections (.kfuzztest_*) for discovery.

This patch only adds the public interface and build integration; no
runtime logic is included.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
@ethangraham2001
kfuzztest: implement core module and input processing
27b335e 
Add the core runtime implementation for KFuzzTest. This includes the
module initialization, and the logic for receiving and processing
user-provided inputs through debugfs.

On module load, the framework discovers all test targets by iterating
over the .kfuzztest_target section, creating a corresponding debugfs
directory with a write-only 'input' file for each of them.

Writing to an 'input' file triggers the main fuzzing sequence:
1. The serialized input is copied from userspace into a kernel buffer.
2. The buffer is parsed to validate the region array and relocation
   table.
3. Pointers are patched based on the relocation entries, and in KASAN
   builds the inter-region padding is poisoned.
4. The resulting struct is passed to the user-defined test logic.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
@ethangraham2001
kfuzztest: add ReST documentation
67b5651 
Add Documentation/dev-tools/kfuzztest.rst and reference it in the
dev-tools index.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
@ethangraham2001
kfuzztest: add example fuzz targets
90aaeb0 
Add two simple fuzz target examples to demonstrate the KFuzzTest API and
provide basic self-tests for the framework.

These examples showcase how a developer can define a fuzz target using
the FUZZ_TEST(), constrain, and annotation macros, and serve as runtime
sanity checks for the core logic. For example, they test that out-of-bounds
memory accesses into poisoned padding regions are correctly detected in a
KASAN build.

These have been tested by writing syzkaller-generated inputs into their
debugfs 'input' files and verifying that the correct KASAN reports were
triggered.

Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ethangraham2001