From: Ethan Graham <ethangraham@google.com>
Add KFuzzTest targets for pkcs7_parse_message, rsa_parse_pub_key, and
rsa_parse_priv_key to serve as real-world examples of how the framework is used.
These functions are ideal candidates for KFuzzTest as they perform complex
parsing of user-controlled data but are not directly exposed at the syscall
boundary. This makes them difficult to exercise with traditional fuzzing tools
and showcases the primary strength of the KFuzzTest framework: providing an
interface to fuzz internal functions.
The targets are defined within /lib/tests, alongside existing KUnit
tests.
Signed-off-by: Ethan Graham <ethangraham@google.com>
---
v2:
- Move KFuzzTest targets outside of the source files into dedicated
_kfuzz.c files under /crypto/asymmetric_keys/tests/ as suggested by
Ignat Korchagin and Eric Biggers.
---
---
crypto/asymmetric_keys/Kconfig | 15 ++++++++
crypto/asymmetric_keys/Makefile | 2 +
crypto/asymmetric_keys/tests/Makefile | 2 +
crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 22 +++++++++++
.../asymmetric_keys/tests/rsa_helper_kfuzz.c | 38 +++++++++++++++++++
5 files changed, 79 insertions(+)
create mode 100644 crypto/asymmetric_keys/tests/Makefile
create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index e1345b8f39f1..7a4c5eb18624 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -104,3 +104,18 @@ config FIPS_SIGNATURE_SELFTEST_ECDSA
depends on CRYPTO_ECDSA=y || CRYPTO_ECDSA=FIPS_SIGNATURE_SELFTEST
endif # ASYMMETRIC_KEY_TYPE
+
+config PKCS7_MESSAGE_PARSER_KFUZZ
+ bool "Build fuzz target for PKCS#7 parser"
+ depends on KFUZZTEST
+ depends on PKCS7_MESSAGE_PARSER
+ default y
+ help
+ Builds the KFuzzTest targets for PKCS#7.
+
+config RSA_HELPER_KFUZZ
+ bool "Build fuzz targets for RSA helpers"
+ depends on KFUZZTEST
+ default y
+ help
+ Builds the KFuzzTest targets for RSA helper functions.
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index bc65d3b98dcb..77b825aee6b2 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -67,6 +67,8 @@ obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
pkcs7_test_key-y := \
pkcs7_key_type.o
+obj-y += tests/
+
#
# Signed PE binary-wrapped key handling
#
diff --git a/crypto/asymmetric_keys/tests/Makefile b/crypto/asymmetric_keys/tests/Makefile
new file mode 100644
index 000000000000..42a779c9042a
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/Makefile
@@ -0,0 +1,2 @@
+obj-$(CONFIG_PKCS7_MESSAGE_PARSER_KFUZZ) += pkcs7_kfuzz.o
+obj-$(CONFIG_RSA_HELPER_KFUZZ) += rsa_helper_kfuzz.o
diff --git a/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
new file mode 100644
index 000000000000..84d0b0d8d0eb
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * PKCS#7 parser KFuzzTest target
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <crypto/pkcs7.h>
+#include <linux/kfuzztest.h>
+
+struct pkcs7_parse_message_arg {
+ const void *data;
+ size_t datalen;
+};
+
+FUZZ_TEST(test_pkcs7_parse_message, struct pkcs7_parse_message_arg)
+{
+ KFUZZTEST_EXPECT_NOT_NULL(pkcs7_parse_message_arg, data);
+ KFUZZTEST_ANNOTATE_LEN(pkcs7_parse_message_arg, datalen, data);
+ KFUZZTEST_EXPECT_LE(pkcs7_parse_message_arg, datalen, 16 * PAGE_SIZE);
+
+ pkcs7_parse_message(arg->data, arg->datalen);
+}
diff --git a/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c b/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
new file mode 100644
index 000000000000..5877e54cb75a
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * RSA key extract helper KFuzzTest targets
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <linux/kfuzztest.h>
+#include <crypto/internal/rsa.h>
+
+struct rsa_parse_pub_key_arg {
+ const void *key;
+ size_t key_len;
+};
+
+FUZZ_TEST(test_rsa_parse_pub_key, struct rsa_parse_pub_key_arg)
+{
+ KFUZZTEST_EXPECT_NOT_NULL(rsa_parse_pub_key_arg, key);
+ KFUZZTEST_ANNOTATE_LEN(rsa_parse_pub_key_arg, key_len, key);
+ KFUZZTEST_EXPECT_LE(rsa_parse_pub_key_arg, key_len, 16 * PAGE_SIZE);
+
+ struct rsa_key out;
+ rsa_parse_pub_key(&out, arg->key, arg->key_len);
+}
+
+struct rsa_parse_priv_key_arg {
+ const void *key;
+ size_t key_len;
+};
+
+FUZZ_TEST(test_rsa_parse_priv_key, struct rsa_parse_priv_key_arg)
+{
+ KFUZZTEST_EXPECT_NOT_NULL(rsa_parse_priv_key_arg, key);
+ KFUZZTEST_ANNOTATE_LEN(rsa_parse_priv_key_arg, key_len, key);
+ KFUZZTEST_EXPECT_LE(rsa_parse_priv_key_arg, key_len, 16 * PAGE_SIZE);
+
+ struct rsa_key out;
+ rsa_parse_priv_key(&out, arg->key, arg->key_len);
+}
--
2.51.0.318.gd7df087d1a-googOn Mon, Sep 1, 2025 at 5:43 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote:
>
> From: Ethan Graham <ethangraham@google.com>
>
> Add KFuzzTest targets for pkcs7_parse_message, rsa_parse_pub_key, and
> rsa_parse_priv_key to serve as real-world examples of how the framework is used.
>
> These functions are ideal candidates for KFuzzTest as they perform complex
> parsing of user-controlled data but are not directly exposed at the syscall
> boundary. This makes them difficult to exercise with traditional fuzzing tools
> and showcases the primary strength of the KFuzzTest framework: providing an
> interface to fuzz internal functions.
nit: can I ask for another real example? AFAIK this subsystem is
rarely used (at least directly by users). However, one user-controlled
widely used parser terrifies me: load_script() function from
binfmt_script.c, which parses the shebang line for scripts. I would
really like to see what this framework can do to fuzz that.
> The targets are defined within /lib/tests, alongside existing KUnit
> tests.
>
> Signed-off-by: Ethan Graham <ethangraham@google.com>
>
> ---
> v2:
> - Move KFuzzTest targets outside of the source files into dedicated
> _kfuzz.c files under /crypto/asymmetric_keys/tests/ as suggested by
> Ignat Korchagin and Eric Biggers.
> ---
> ---
> crypto/asymmetric_keys/Kconfig | 15 ++++++++
> crypto/asymmetric_keys/Makefile | 2 +
> crypto/asymmetric_keys/tests/Makefile | 2 +
> crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 22 +++++++++++
> .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 38 +++++++++++++++++++
> 5 files changed, 79 insertions(+)
> create mode 100644 crypto/asymmetric_keys/tests/Makefile
> create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
>
> diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
> index e1345b8f39f1..7a4c5eb18624 100644
> --- a/crypto/asymmetric_keys/Kconfig
> +++ b/crypto/asymmetric_keys/Kconfig
> @@ -104,3 +104,18 @@ config FIPS_SIGNATURE_SELFTEST_ECDSA
> depends on CRYPTO_ECDSA=y || CRYPTO_ECDSA=FIPS_SIGNATURE_SELFTEST
>
> endif # ASYMMETRIC_KEY_TYPE
> +
> +config PKCS7_MESSAGE_PARSER_KFUZZ
I'm a bit worried about the scalability of defining one (visible)
config option per fuzz file/module. Is there a use-case, where a user
would want to enable some targets, but not the others? Can it be
unconditionally enabled and compiled only if CONFIG_KFUZZTEST=y?
> + bool "Build fuzz target for PKCS#7 parser"
> + depends on KFUZZTEST
> + depends on PKCS7_MESSAGE_PARSER
> + default y
> + help
> + Builds the KFuzzTest targets for PKCS#7.
> +
> +config RSA_HELPER_KFUZZ
> + bool "Build fuzz targets for RSA helpers"
> + depends on KFUZZTEST
> + default y
> + help
> + Builds the KFuzzTest targets for RSA helper functions.
> diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
> index bc65d3b98dcb..77b825aee6b2 100644
> --- a/crypto/asymmetric_keys/Makefile
> +++ b/crypto/asymmetric_keys/Makefile
> @@ -67,6 +67,8 @@ obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
> pkcs7_test_key-y := \
> pkcs7_key_type.o
>
> +obj-y += tests/
> +
> #
> # Signed PE binary-wrapped key handling
> #
> diff --git a/crypto/asymmetric_keys/tests/Makefile b/crypto/asymmetric_keys/tests/Makefile
> new file mode 100644
> index 000000000000..42a779c9042a
> --- /dev/null
> +++ b/crypto/asymmetric_keys/tests/Makefile
> @@ -0,0 +1,2 @@
> +obj-$(CONFIG_PKCS7_MESSAGE_PARSER_KFUZZ) += pkcs7_kfuzz.o
> +obj-$(CONFIG_RSA_HELPER_KFUZZ) += rsa_helper_kfuzz.o
> diff --git a/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> new file mode 100644
> index 000000000000..84d0b0d8d0eb
> --- /dev/null
> +++ b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
> @@ -0,0 +1,22 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * PKCS#7 parser KFuzzTest target
> + *
> + * Copyright 2025 Google LLC
> + */
> +#include <crypto/pkcs7.h>
> +#include <linux/kfuzztest.h>
> +
> +struct pkcs7_parse_message_arg {
> + const void *data;
> + size_t datalen;
> +};
> +
> +FUZZ_TEST(test_pkcs7_parse_message, struct pkcs7_parse_message_arg)
> +{
> + KFUZZTEST_EXPECT_NOT_NULL(pkcs7_parse_message_arg, data);
> + KFUZZTEST_ANNOTATE_LEN(pkcs7_parse_message_arg, datalen, data);
> + KFUZZTEST_EXPECT_LE(pkcs7_parse_message_arg, datalen, 16 * PAGE_SIZE);
> +
> + pkcs7_parse_message(arg->data, arg->datalen);
> +}
> diff --git a/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c b/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
> new file mode 100644
> index 000000000000..5877e54cb75a
> --- /dev/null
> +++ b/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
> @@ -0,0 +1,38 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * RSA key extract helper KFuzzTest targets
> + *
> + * Copyright 2025 Google LLC
> + */
> +#include <linux/kfuzztest.h>
> +#include <crypto/internal/rsa.h>
> +
> +struct rsa_parse_pub_key_arg {
> + const void *key;
> + size_t key_len;
> +};
> +
> +FUZZ_TEST(test_rsa_parse_pub_key, struct rsa_parse_pub_key_arg)
> +{
> + KFUZZTEST_EXPECT_NOT_NULL(rsa_parse_pub_key_arg, key);
> + KFUZZTEST_ANNOTATE_LEN(rsa_parse_pub_key_arg, key_len, key);
> + KFUZZTEST_EXPECT_LE(rsa_parse_pub_key_arg, key_len, 16 * PAGE_SIZE);
> +
> + struct rsa_key out;
> + rsa_parse_pub_key(&out, arg->key, arg->key_len);
> +}
> +
> +struct rsa_parse_priv_key_arg {
> + const void *key;
> + size_t key_len;
> +};
> +
> +FUZZ_TEST(test_rsa_parse_priv_key, struct rsa_parse_priv_key_arg)
> +{
> + KFUZZTEST_EXPECT_NOT_NULL(rsa_parse_priv_key_arg, key);
> + KFUZZTEST_ANNOTATE_LEN(rsa_parse_priv_key_arg, key_len, key);
> + KFUZZTEST_EXPECT_LE(rsa_parse_priv_key_arg, key_len, 16 * PAGE_SIZE);
> +
> + struct rsa_key out;
> + rsa_parse_priv_key(&out, arg->key, arg->key_len);
> +}
> --
> 2.51.0.318.gd7df087d1a-goog
>
Ignat
On Wed, Sep 3, 2025 at 10:58 AM Ignat Korchagin <ignat@cloudflare.com> wrote: > nit: can I ask for another real example? AFAIK this subsystem is > rarely used (at least directly by users). However, one user-controlled > widely used parser terrifies me: load_script() function from > binfmt_script.c, which parses the shebang line for scripts. I would > really like to see what this framework can do to fuzz that. Thanks for the suggestion! It looks like a promising target. > I'm a bit worried about the scalability of defining one (visible) > config option per fuzz file/module. Is there a use-case, where a user > would want to enable some targets, but not the others? Can it be > unconditionally enabled and compiled only if CONFIG_KFUZZTEST=y? That's a good point. I agree it's best to enable them all by default if CONFIG_KFUZZTEST=y. A fuzzer can pick and choose which targets it wants to fuzz so there's no downside there. My original thought was to maintain consistency with how KUnit tests are built, but since KFuzzTest targets aren't executed directly it makes sense to diverge here.
© 2016 - 2025 Red Hat, Inc.