KFuzzTest PR v3 #16
Open
KFuzzTest PR v3 #16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ethangraham2001
force-pushed
the
kfuzztest_pr_v3
branch
2 times, most recently
from
24086a0 to
ab7cb2b
Compare
ethangraham2001
force-pushed
the
kfuzztest_pr_v3
branch
2 times, most recently
from
c47c9fd to
288f674
Compare
Introduce a new helper function, kasan_poison_range(), to encapsulate the logic for poisoning an arbitrary memory range of a given size, and expose it publically in <include/linux/kasan.h>. This is a preparatory change for the upcoming KFuzzTest patches, which requires the ability to poison the inter-region padding in its input buffers. No functional change to any other subsystem is intended by this commit. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Reviewed-by: Alexander Potapenko <glider@google.com> --- PR v3: - Move kasan_poison_range into mm/kasan/common.c so that it is built with HW_TAGS mode enabled. - Add a runtime check for kasan_enabled() in kasan_poison_range. - Add two WARN_ON()s in kasan_poison_range when the input is invalid. PR v1: - Enforce KASAN_GRANULE_SIZE alignment for the end of the range in kasan_poison_range(), and return -EINVAL when this isn't respected. ---
ethangraham2001
force-pushed
the
kfuzztest_pr_v3
branch
from
288f674 to
27d1965
Compare
Add the foundational user-facing components for the KFuzzTest framework. This includes the main API header <linux/kfuzztest.h>, the Kconfig option to enable the feature, and the required linker script changes which introduce three new ELF sections in vmlinux. Note that KFuzzTest is intended strictly for debug builds only, and should never be enabled in a production build. The fact that it exposes internal kernel functions and state directly to userspace may constitute a serious security vulnerability if used for any reason other than testing. The header defines: - The FUZZ_TEST() macro for creating test targets. - The data structures required for the binary serialization format, which allows passing complex inputs from userspace. - The metadata structures for test targets, constraints and annotations, which are placed in dedicated ELF sections (.kfuzztest_*) for discovery. This patch only adds the public interface and build integration; no runtime logic is included. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Reviewed-by: Alexander Potapenko <glider@google.com> --- PR v3: - Reorder definitions in kfuzztest.h for better flow and readability. - Introduce __KFUZZTEST_CONSTRAINT macro in preparation for the introduction of the FUZZ_TEST_SIMPLE macro in the following patch, which uses it for manually emitting constraint metadata. PR v1: - Move KFuzzTest metadata definitions to generic vmlinux linkage so that the framework isn't bound to x86_64. - Return -EFAULT when simple_write_to_buffer returns a value not equal to the input length in the main FUZZ_TEST macro. - Enforce a maximum input size of 64KiB in the main FUZZ_TEST macro, returning -EINVAL when it isn't respected. - Refactor KFUZZTEST_ANNOTATION_* macros. - Taint the kernel with TAINT_TEST inside the FUZZ_TEST macro when a fuzz target is invoked for the first time. ---
ethangraham2001
force-pushed
the
kfuzztest_pr_v3
branch
2 times, most recently
from
782bb24 to
545cf69
Compare
The serialization format required by a KFuzzTest target defined with the FUZZ_TEST macro is overkill for simpler cases, in particular the very common pattern of kernel interfaces taking a (data, datalen) pair. Introduce the FUZZ_TEST_SIMPLE for defining simple targets that accepts a simpler binary interface without any required serialization. The aim is to make simple targets compatible with a wide variety of userspace fuzzing engines out of the box. A FUZZ_TEST_SIMPLE target also defines an equivalent FUZZ_TEST macro in its expansion maintaining compatibility with the default KFuzzTest interface, using a shared `struct kfuzztest_simple_arg` as input type. In essence, the following equivalence holds: FUZZ_TEST_SIMPLE(test) === FUZZ_TEST(test, struct kfuzztest_simple_arg) Constraints and annotation metadata for `struct kfuzztest_simple_arg` is defined statically in the header file to avoid duplicate definitions in the compiled vmlinux image. Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
Add the core runtime implementation for KFuzzTest. This includes the module initialization, and the logic for receiving and processing user-provided inputs through debugfs. On module load, the framework discovers all test targets (FUZZ_TEST) by iterating over the .kfuzztest_target section, creating a corresponding debugfs directory with a write-only 'input' file for each of them. If an equivalent simple fuzz target (FUZZ_TEST_SIMPLE) is also defined, a write-only `input_simple` file is created under the same directory, accepting raw blobs of binary. Writing to an 'input' file triggers the main fuzzing sequence: 1. The serialized input is copied from userspace into a kernel buffer. 2. The buffer is parsed to validate the region array and relocation table. 3. Pointers are patched based on the relocation entries, and in KASAN builds the inter-region padding is poisoned. 4. The resulting struct is passed to the user-defined test logic. Writing to an 'input_simple' file triggers the following fuzzing sequence: 1. The binary input is copied from userspace into a kernel buffer. 2. The buffer and its length are passed into the user-defined test logic. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Reviewed-by: Alexander Potapenko <glider@google.com> --- PR v3: - Handle FUZZ_TEST_SIMPLE targets by creating a write-only 'input_simple' under the fuzz target's directory. - Add implementation for `kfuzztest_write_input_cb`. PR v2: - Fix build issues identified by the kernel test robot <lkp@intel.com>. - Address some nits pointed out by Alexander Potapenko. PR v1: - Update kfuzztest/parse.c interfaces to take `unsigned char *` instead of `void *`, reducing the number of pointer casts. - Expose minimum region alignment via a new debugfs file. - Expose number of successful invocations via a new debugfs file. - Refactor module init function, add _config directory with entries containing KFuzzTest state information. - Account for kasan_poison_range() return value in input parsing logic. - Validate alignment of payload end. - Move static sizeof assertions into /lib/kfuzztest/main.c. - Remove the taint in kfuzztest/main.c. We instead taint the kernel as soon as a fuzz test is invoked for the first time, which is done in the primary FUZZ_TEST macro. RFC v2: - The module's init function now taints the kernel with TAINT_TEST. ---
Introduce the kfuzztest-bridge tool, a userspace utility for sending structured inputs to KFuzzTest harnesses via debugfs. The bridge takes a textual description of the expected input format, a file containing random bytes, and the name of the target fuzz test. It parses the description, encodes the random data into the binary format expected by the kernel, and writes the result to the corresponding debugfs entry. This allows for both simple manual testing and integration with userspace fuzzing engines. For example, it can be used for smoke testing by providing data from /dev/urandom, or act as a bridge for blob-based fuzzers (e.g., AFL) to target KFuzzTest harnesses. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Reviewed-by: Alexander Potapenko <glider@google.com> --- PR v2: - Move kfuzztest-bridge tool under tools/testing, as suggested by SeongJae Park. - Cleanup several resource leaks that were pointed out by Alexander Potapenko. PR v1: - Add additional context in header comment of kfuzztest-bridge/parser.c. - Add some missing NULL checks. - Refactor skip_whitespace() function in input_lexer.c. - Use ctx->minalign to compute correct region alignment, which is read from /sys/kernel/debug/kfuzztest/_config/minalign. ---
Add Documentation/dev-tools/kfuzztest.rst and reference it in the dev-tools index. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Acked-by: Alexander Potapenko <glider@google.com> --- PR v3: - Document newly introduced FUZZ_TEST_SIMPLE targets. - Rework the flow in several sections. PR v2: - Update documentation to reflect new location of kfuzztest-bridge, under tools/testing. PR v1: - Fix some typos and reword some sections. - Correct kfuzztest-bridge grammar description. - Reference documentation in kfuzztest-bridge/input_parser.c header comment. RFC v2: - Add documentation for kfuzztest-bridge tool introduced in patch 4. ---
Add two simple fuzz target samples to demonstrate the KFuzzTest API and provide basic self-tests for the framework. These examples showcase how a developer can define a fuzz target using the FUZZ_TEST(), constraint, and annotation macros, and serve as runtime sanity checks for the core logic. For example, they test that out-of-bounds memory accesses into poisoned padding regions are correctly detected in a KASAN build. These have been tested by writing syzkaller-generated inputs into their debugfs 'input' files and verifying that the correct KASAN reports were triggered. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Acked-by: Alexander Potapenko <glider@google.com> --- PR v3: - Use the FUZZ_TEST_SIMPLE macro in the `underflow_on_buffer` sample fuzz target instead of FUZZ_TEST. PR v2: - Fix build issues pointed out by the kernel test robot <lkp@intel.com>. ---
Add KFuzzTest targets for pkcs7_parse_message, rsa_parse_pub_key, and rsa_parse_priv_key to serve as real-world examples of how the framework is used. These functions are ideal candidates for KFuzzTest as they perform complex parsing of user-controlled data but are not directly exposed at the syscall boundary. This makes them difficult to exercise with traditional fuzzing tools and showcases the primary strength of the KFuzzTest framework: providing an interface to fuzz internal functions. To validate the effectiveness of the framework on these new targets, we injected two artificial bugs and let syzkaller fuzz the targets in an attempt to catch them. The first of these was calling the asn1 decoder with an incorrect input from pkcs7_parse_message, like so: - ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen); + ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1); The second was bug deeper inside of asn1_ber_decoder itself, like so: - for (len = 0; n > 0; n--) + for (len = 0; n >= 0; n--) syzkaller was able to trigger these bugs, and the associated KASAN slab-out-of-bounds reports, within seconds. The targets are defined within crypto/asymmetric-keys/tests. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Reviewed-by: Ignat Korchagin <ignat@cloudflare.com> --- PR v3: - Use the FUZZ_TEST_SIMPLE macro for all introduced fuzz targets as they each take `(data, datalen)` pairs. This also removes the need for explicit constraints and annotations which become implicit. PR v2: - Make fuzz targets also depend on the KConfig options needed for the functions they are fuzzing, CONFIG_PKCS7_MESSAGE_PARSER and CONFIG_CRYPTO_RSA respectively. - Fix build issues pointed out by the kernel test robot <lkp@intel.com>. - Account for return value of pkcs7_parse_message, and free resources if the function call succeeds. PR v1: - Change the fuzz target build to depend on CONFIG_KFUZZTEST=y, eliminating the need for a separate config option for each individual file as suggested by Ignat Korchagin. - Remove KFUZZTEST_EXPECT_LE on the length of the `key` field inside of the fuzz targets. A maximum length is now set inside of the core input parsing logic. RFC v2: - Move KFuzzTest targets outside of the source files into dedicated _kfuzz.c files under /crypto/asymmetric_keys/tests/ as suggested by Ignat Korchagin and Eric Biggers. ---
Add a KFuzzTest fuzzer for the parse_xy() function, located in a new file under /drivers/auxdisplay/tests. To validate the correctness and effectiveness of this KFuzzTest target, a bug was injected into parse_xy() like so: drivers/auxdisplay/charlcd.c:179 - s = p; + s = p + 1; Although a simple off-by-one bug, it requires a specific input sequence in order to trigger it, thus demonstrating the power of pairing KFuzzTest with a coverage-guided fuzzer like syzkaller. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Acked-by: Alexander Potapenko <glider@google.com> --- PR v3: - Remove conditional inclusion of charlcd_kfuzz.c from charlcd.c, as requested by Andy Shevchenko. - Update auxdisplay Makefile to conditionally build charlcd_kfuzz.c when CONFIG_KFUZZTEST=y, as suggested by Lukas Wunner and Andy Shevchenko. - Foward declare parse_xy in charlcd_kfuzz.c. ---
Add a KFuzzTest target for the load_script function to serve as a real-world example of the framework's usage. The load_script function is responsible for parsing the shebang line (`#!`) of script files. This makes it an excellent candidate for KFuzzTest, as it involves parsing user-controlled data within the binary loading path, which is not directly exposed as a system call. The provided fuzz target in fs/tests/binfmt_script_kfuzz.c illustrates how to fuzz a function that requires more involved setup - here, we only let the fuzzer generate input for the `buf` field of struct linux_bprm, and manually set the other fields with sensible values inside of the FUZZ_TEST body. To demonstrate the effectiveness of the fuzz target, a buffer overflow bug was injected in the load_script function like so: - buf_end = bprm->buf + sizeof(bprm->buf) - 1; + buf_end = bprm->buf + sizeof(bprm->buf) + 1; Which was caught in around 40 seconds by syzkaller simultaneously fuzzing four other targets, a realistic use case where targets are continuously fuzzed. It also requires that the fuzzer be smart enough to generate an input starting with `#!`. While this bug is shallow, the fact that the bug is caught quickly and with minimal additional code can potentially be a source of confidence when modifying existing implementations or writing new functions. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Acked-by: Alexander Potapenko <glider@google.com> --- PR v2: - Introduce cleanup logic in the load_script fuzz target. ---
Add myself as maintainer and Alexander Potapenko as reviewer for KFuzzTest. Signed-off-by: Ethan Graham <ethangraham@google.com> Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com> Acked-by: Alexander Potapenko <glider@google.com> --- PR v3: - Update MAINTAINERS to reflect the correct location of kfuzztest-bridge under tools/testing. ---
ethangraham2001
force-pushed
the
kfuzztest_pr_v3
branch
from
545cf69 to
f6b6828
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds few changes over PR v2.
In particular though, we introduce simple KFuzzTest targets that take a buffer and length
as input via the
FUZZ_TEST_SIMPLEmacro.This separate commit will be squashed into patch 2 of the series https://lore.kernel.org/all/20250919145750.3448393-1-ethan.w.s.graham@gmail.com/for the next iteration.
We also make some requested changes to KASAN and the build system.