From: Ethan Graham <ethangraham@google.com>
This patch series introduces KFuzzTest, a lightweight framework for
creating in-kernel fuzz targets for internal kernel functions.
The primary motivation for KFuzzTest is to simplify the fuzzing of
low-level, relatively stateless functions (e.g., data parsers, format
converters) that are difficult to exercise effectively from the syscall
boundary. It is intended for in-situ fuzzing of kernel code without
requiring that it be built as a separate userspace library or that its
dependencies be stubbed out. Using a simple macro-based API, developers
can add a new fuzz target with minimal boilerplate code.
The core design consists of three main parts:
1. A `FUZZ_TEST(name, struct_type)` macro that allows developers to
easily define a fuzz test.
2. A binary input format that allows a userspace fuzzer to serialize
complex, pointer-rich C structures into a single buffer.
3. Metadata for test targets, constraints, and annotations, which is
emitted into dedicated ELF sections to allow for discovery and
inspection by userspace tools. These are found in
".kfuzztest_{targets, constraints, annotations}".
To demonstrate this framework's viability, support for KFuzzTest has been
prototyped in a development fork of syzkaller, enabling coverage-guided
fuzzing. To validate its end-to-end effectiveness, we performed an
experiment by manually introducing an off-by-one buffer over-read into
pkcs7_parse_message, like so:
-ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);
A syzkaller instance fuzzing the new test_pkcs7_parse_message target
introduced in patch 6 successfully triggered the bug inside of
asn1_ber_decoder in under a 30 seconds from a cold start.
This series is an RFC to gather early feedback on the overall design and
approach. We are particularly interested in feedback on:
- The general utility of such a framework.
- The design of the binary serialization format.
- The use of ELF sections for metadata and discovery.
The patch series is structured as follows:
- Patch 1 adds and exposes a new KASAN function needed by KFuzzTest.
- Patch 2 introduces the core KFuzzTest API and data structures.
- Patch 3 adds the runtime implementation for the framework.
- Patch 4 adds documentation.
- Patch 5 provides example fuzz targets.
- Patch 6 defines fuzz targets for real kernel functions.
Ethan Graham (6):
mm/kasan: implement kasan_poison_range
kfuzztest: add user-facing API and data structures
kfuzztest: implement core module and input processing
kfuzztest: add ReST documentation
kfuzztest: add KFuzzTest sample fuzz targets
crypto: implement KFuzzTest targets for PKCS7 and RSA parsing
Documentation/dev-tools/index.rst | 1 +
Documentation/dev-tools/kfuzztest.rst | 279 ++++++++++
arch/x86/kernel/vmlinux.lds.S | 22 +
crypto/asymmetric_keys/pkcs7_parser.c | 15 +
crypto/rsa_helper.c | 29 +
include/linux/kasan.h | 16 +
include/linux/kfuzztest.h | 508 ++++++++++++++++++
lib/Kconfig.debug | 1 +
lib/Makefile | 2 +
lib/kfuzztest/Kconfig | 20 +
lib/kfuzztest/Makefile | 4 +
lib/kfuzztest/main.c | 161 ++++++
lib/kfuzztest/parse.c | 208 +++++++
mm/kasan/shadow.c | 31 ++
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/kfuzztest/Makefile | 3 +
samples/kfuzztest/overflow_on_nested_buffer.c | 52 ++
samples/kfuzztest/underflow_on_buffer.c | 41 ++
19 files changed, 1401 insertions(+)
create mode 100644 Documentation/dev-tools/kfuzztest.rst
create mode 100644 include/linux/kfuzztest.h
create mode 100644 lib/kfuzztest/Kconfig
create mode 100644 lib/kfuzztest/Makefile
create mode 100644 lib/kfuzztest/main.c
create mode 100644 lib/kfuzztest/parse.c
create mode 100644 samples/kfuzztest/Makefile
create mode 100644 samples/kfuzztest/overflow_on_nested_buffer.c
create mode 100644 samples/kfuzztest/underflow_on_buffer.c
--
2.51.0.rc0.205.g4a044479a3-goog