Skip to content

KFuzzTest: all the changes made. #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ethangraham2001 wants to merge 73 commits into
base: master
Choose a base branch
from
Open

KFuzzTest: all the changes made. #9

ethangraham2001 wants to merge 73 commits into from

Conversation

@ethangraham2001
Copy link
Owner

@ethangraham2001 ethangraham2001 commented Aug 6, 2025

This is a big diff of all of the changes made by KFuzzTest. This will need to be
chunked up before sending an RFC.

Ethan Graham added 30 commits June 18, 2025 10:02
Add simple configuration for kftf module that is built with kernel
1e0587e 
into a .ko file.
kftf: Add init and exit functions to module
43dc893
kftf: simple sysfs that accepts a struct for a single function and the
42d6acc 
binary representation down. Correctly causes a KASAN repot when passing a
buggy input to it.
kftf: allow tests with macro definitions in .kftf section of binary.
4a35a64 
Added support for this for x86 arch, but it is probably fragile because
we aren't guarding with a #ifdef yet
kftf: fixx sizeof check so that it checks against the provided type.
e8992cb
kftf: add metadata file per fuzzed function - this contains the name of
d7adb90 
the argument type that the function takes so that the user can use tools
like pahole to generate a syzkaller definition of the argument and thus
fuzz the function more easily.
move int_sqrt test out of kftf_tests file and into the math source
ca5ba48 
files. It works, and the function is exposed correctly!
kftf: address PR comments and make the FUZZ_TEST interface a lot more
96ae8d5 
user friendly.
kftf: update include block so that the relative include (kftf_tests.h)
ece3042 
has a line separator between it and the common linux includes, as per
https://elixir.bootlin.com/linux/v6.12.5/source/mm/kfence/core.c
delete unused file kftf_simple_fuzzer
07bfafa
kftf: per test-case input buffer with mutex
0c5cd7e
kftf: update kftf_fuzzable test
a4bb002
kftf: add some comments to module main file and kftf header file
0bddc3f
kftf: replace static test cases buffer with kmalloc'd one.
5971467
kftf: replace input buffers for callback with dynamically allocated
d799f5c 
pointer to function argument type. This should remove the need for a
mutex guarding a shared buffer entirely, and ultimately will likely
perform better.
kftf: replace heap allocated input buffer with function-local stack
aae72ff 
variable, and extract common input reading functionality into a separate
function.
kftf: fix bug in input reading logic.
72e3dec
kftf: work in progress on domain constraints. Need to see about exposing
6673d6f 
these via sysfs, and how they can be parsed from the vmlinux binary as
well.
kftf: allow for range constraints by expanding constraint struct.
95a0a01
kftf: move some stuff around and enforce 64 byte alignment of KFuzzTest
581f240 
constraints to avoid weird errors occurring during parsing.
kftf: add annotations macros to express field types (for example
a83dee7 
strings) and a field being the length of another.
kfuzztest: add array annotation
8e1f787 
There was not any mechanism in place in the KFuzzTest for distinguishing
between value pointers and array pointers in fuzz test inputs. This
information is difficult to parse without additional semantic
information on the context.

We introduce a new KFTF_ANNOTATE_ARRAY macro that annotates a field in a
KFuzzTest input struct as an array, removing this ambiguity.
kftf: remove int_sqrt test which is no longer really needed, added
c74d33a 
relocation parsing code.
kftf: remove some prints from write_input_callback, update test case to
6b03486 
remove copying from userspace
kftf: introduce new buffer for payload that provides alignment
ba24eb3 
guarantees for encoded structures.
kftf: harden binary input parsing
799cdcd
kfuzztest: update naming from "kftf" to "kfuzztest"
51cadf2
kfuzztest: cleanup code and update documentation
e328953
kfuzztest: remove dummy test file
8cb9faa
kfuzztest: update header comment in kfuzztest_main.c
aeeb29f
ramosian-glider
ramosian-glider reviewed Aug 7, 2025
View reviewed changes
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/relocations-revisited branch from d286890 to 45f4942 Compare August 7, 2025 13:16
Ethan Graham added 15 commits August 7, 2025 19:32
kfuzztest: start documentation
bd5d833 
kfuzztest: update documentation
kfuzztest: add Google copyright notice, remove ifdefs in .c file
f39fd77
kfuzztest: fix parsing logic that didn't account for padding
af9d76f
kfuzztest: update examples file
1a286cb
kfuzztest: update state name from st to state
b25969f
kfuzztest: remove extraneous braces, prints, and add a check in poison
3f96f02 
Checks that KASAN is enabled before poisoning a region.
kfuzztest: add a debug helper function
1cba6b1
kfuzztest: poison region preceding payload to catch underflows
c85f16b
kfuzztest: update overflow example, add underflow example
4820368
kfuzztest: define macros for granule size and slab redzone
366d8bb
kfuzztest: fix example so that it actually overflows
1f0ea22
kfuzztest: add stricter input parsing and validation, fix nits
7b6ff73 
We now check for overflows a lot more carefully, and validate the input
so that regions don't point out of bounds.

Fix some nits etc...
kfuzztest: more validation.
f1cd01f
kfuzztest: assume at 8 bytes of padding before payload
be3ba18 
We now assume that there is at least 8 bytes of padding before the
payload. This means that we never poison the relocation table, which
isn't a bad thing in my opinion.
kfuzztest: add GE and LT domain constraints for completeness
eab275f
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/relocations-revisited branch from 611f62f to eab275f Compare August 7, 2025 19:33
ramosian-glider
ramosian-glider reviewed Aug 8, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ramosian-glider ramosian-glider ramosian-glider left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ethangraham2001 @ramosian-glider