From nobody Thu Oct 2 07:46:28 2025 Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 83B7A246BD5 for ; Fri, 19 Sep 2025 14:58:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758293886; cv=none; b=D+x+030BFeNwUYlQUdcgxLbwNinsUm8k9QoEu03A3P2xM1YgQpu9XQbWcpLULNralPNbtZbWXyE/FWnZdUVoyCNUXfh6VmKAJPRdBH9goKbR2hBhPpwU0tnKWCD6pnDanmzf4n42hjTYukX0fjet3yTVPDliGFxdIU5RLOPH/ZQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758293886; c=relaxed/simple; bh=YgdUCAzQWh6LJ77x1D0s9gnC5Gfnb8ZCJX0mdS2EBP0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LFTmGOVjC/e7xU4sb12aVvrGpjeAn2ajnGio0I69uGPo/pZf/EKQVvTtoXG7aCznkgB8doHN4UvIeZJ9S0OrSFM414cRZ2pLCD+Q4nAUs0Db91XxlsDwoqRESW1Y8WRByyTgTznUK5tT4hJXM5ftnti2zywHM+YhqL6j2NxjoQU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=GOt7qiek; arc=none smtp.client-ip=209.85.221.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="GOt7qiek" Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-3ed20bdfdffso2277307f8f.2 for ; Fri, 19 Sep 2025 07:58:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1758293882; x=1758898682; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=sfh1bNw7MLcAN8E4ek/ZR2D+Z9BQxSpA6YNYJoSqpiw=; b=GOt7qiekicoX0uRxn4sdsRdFUpaxdLtirZuxoHmsIBaG7PR4NDcY+gUbRP+AoIgD7f R+PlxYOTv1tZZ9l7YvAzqZ4UHiYmXIUGwTYYOyCbe9ewSbYXYjldsCQ2ab54HeMsqVbY 61+wNG2a2fOZV0xbjaFEiLfjwZgupQyu3G1BPjnwoLMsH5FY9vYYXCMgKMpzyj2E/u1l qyFrN1CP52I7oGYOFG5tE+67tvmxDZKBD47y2dmi9FTnW6+u0ap14/LCvuPrswwXe0u5 sE29GzB9xYyd4nN2agFN4T3aR7UAqXd1tEWdIrQqoJ45+QPjgfYrs38WXgemyQm+o43E pmQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758293882; x=1758898682; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sfh1bNw7MLcAN8E4ek/ZR2D+Z9BQxSpA6YNYJoSqpiw=; b=fwXB2cJJHF1ispTxYdV1YtGruMIdyAsu1aiGEmMr0D4lsUmGMEAUAsv8E8pqtywiFn vwQwVFWd1Ly8s17cXDaTlxUnvW+wk6mvLy6tUIzavK4QFAzSpaK5q/0AS5cLY7To8IAl uBwr3b69sd0DbDV1Gb5NxQhg81Al6wrn4MkCUKoeNG3AjCGNelrhz1vOc8NBzfl7WUkD 8zFJ48E5KVl5G6LMocy2oetodUN5cugwhGTl2quvu6oOKLkpWHrKB17+D6CLcfkocqxL vUL4yqh8gZ7oC379HukzO1tX1atQmdrbhKpyqayJm1rO5GiRkbV2FKBLIHYbx7WoHe+c cN+w== X-Forwarded-Encrypted: i=1; AJvYcCUuja57uOll9jgYutgwcx/ra5xIGH+a3Z0h/LBqS0Q7hw3Iilhi0acU/fk9EM3+Jqdbxw6Vuz0RKiQ9N5I=@vger.kernel.org X-Gm-Message-State: AOJu0Yxgf1yBsViwkfg3p9rV1KN9Tddoe52Bpuhq3zfRfDnV06eRI1Bz Th9bmWu+qnKPErGMkdDA1aDySBVDkaE8UoGc/zZxAux0ZXPY6lzLQ2FD X-Gm-Gg: ASbGncsFCiAUYT3x3T/fHMR1yfrv8aTOODDabh0HWr2H3Seo8RHAoU1YlZLK+U5RMG8 7ru86UVV/Ddq2SZfLclI17nosyON4R2D0bqxndn1uUKXuAdHJZ0nsOtQRfVjYN1Dj69iKMQMDE8 Vy1hizVS/876exERFSAiqRIJZwswXROicIIhEP5QbHwtsKiPgM5Cbzexezrhm0qNr3Cv74OPqT9 pbCSqKBWT7sXyTTzdxpW5bbGYqaKvI8HVJzABjXPxAU1uuhm0gLdR5cwoO80IfP6gd2jeT7Tjix s78ANVrke1bXi44GQ5yK8XgJ9aziDn0V6jw71Pj8w1O7f7FRvuF3A8PL2L6AQ/Arg1QE36qYgXF rUPqQB+yKxZ4loLwykH4c28znsayeP7T9xpxmBSf1NBRBM66dYIwaYmCDlLomNT6cIAdbXyrRPZ wgGVwSCkWSaLNE5eA= X-Google-Smtp-Source: AGHT+IHBcA/sW1R7VOxqGoXPReKDC15y2kiVaWDthtwRe5Vqcoa4dhIFYkBLfxKu+/GZppZceHWgEw== X-Received: by 2002:a05:6000:24c9:b0:3ec:ce37:3a6d with SMTP id ffacd0b85a97d-3ee857699acmr2826209f8f.47.1758293881422; Fri, 19 Sep 2025 07:58:01 -0700 (PDT) Received: from xl-nested.c.googlers.com.com (124.62.78.34.bc.googleusercontent.com. [34.78.62.124]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3ee0fbc7188sm8551386f8f.37.2025.09.19.07.58.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Sep 2025 07:58:00 -0700 (PDT) From: Ethan Graham To: ethangraham@google.com, glider@google.com Cc: andreyknvl@gmail.com, andy@kernel.org, brauner@kernel.org, brendan.higgins@linux.dev, davem@davemloft.net, davidgow@google.com, dhowells@redhat.com, dvyukov@google.com, elver@google.com, herbert@gondor.apana.org.au, ignat@cloudflare.com, jack@suse.cz, jannh@google.com, johannes@sipsolutions.net, kasan-dev@googlegroups.com, kees@kernel.org, kunit-dev@googlegroups.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lukas@wunner.de, rmoar@google.com, shuah@kernel.org, sj@kernel.org, tarasmadan@google.com Subject: [PATCH v2 03/10] kfuzztest: implement core module and input processing Date: Fri, 19 Sep 2025 14:57:43 +0000 Message-ID: <20250919145750.3448393-4-ethan.w.s.graham@gmail.com> X-Mailer: git-send-email 2.51.0.470.ga7dc726c21-goog In-Reply-To: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com> References: <20250919145750.3448393-1-ethan.w.s.graham@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Ethan Graham Add the core runtime implementation for KFuzzTest. This includes the module initialization, and the logic for receiving and processing user-provided inputs through debugfs. On module load, the framework discovers all test targets by iterating over the .kfuzztest_target section, creating a corresponding debugfs directory with a write-only 'input' file for each of them. Writing to an 'input' file triggers the main fuzzing sequence: 1. The serialized input is copied from userspace into a kernel buffer. 2. The buffer is parsed to validate the region array and relocation table. 3. Pointers are patched based on the relocation entries, and in KASAN builds the inter-region padding is poisoned. 4. The resulting struct is passed to the user-defined test logic. Signed-off-by: Ethan Graham Reviewed-by: Alexander Potapenko --- PR v2: - Fix build issues identified by the kernel test robot . - Address some nits pointed out by Alexander Potapenko. PR v1: - Update kfuzztest/parse.c interfaces to take `unsigned char *` instead of `void *`, reducing the number of pointer casts. - Expose minimum region alignment via a new debugfs file. - Expose number of successful invocations via a new debugfs file. - Refactor module init function, add _config directory with entries containing KFuzzTest state information. - Account for kasan_poison_range() return value in input parsing logic. - Validate alignment of payload end. - Move static sizeof assertions into /lib/kfuzztest/main.c. - Remove the taint in kfuzztest/main.c. We instead taint the kernel as soon as a fuzz test is invoked for the first time, which is done in the primary FUZZ_TEST macro. RFC v2: - The module's init function now taints the kernel with TAINT_TEST. --- --- include/linux/kfuzztest.h | 4 + lib/Makefile | 2 + lib/kfuzztest/Makefile | 4 + lib/kfuzztest/main.c | 242 ++++++++++++++++++++++++++++++++++++++ lib/kfuzztest/parse.c | 204 ++++++++++++++++++++++++++++++++ 5 files changed, 456 insertions(+) create mode 100644 lib/kfuzztest/Makefile create mode 100644 lib/kfuzztest/main.c create mode 100644 lib/kfuzztest/parse.c diff --git a/include/linux/kfuzztest.h b/include/linux/kfuzztest.h index 38970dea8fa5..2620e48bb620 100644 --- a/include/linux/kfuzztest.h +++ b/include/linux/kfuzztest.h @@ -150,6 +150,9 @@ struct kfuzztest_target { =20 #define KFUZZTEST_MAX_INPUT_SIZE (PAGE_SIZE * 16) =20 +/* Increments a global counter after a successful invocation. */ +void record_invocation(void); + /** * FUZZ_TEST - defines a KFuzzTest target * @@ -243,6 +246,7 @@ struct kfuzztest_target { if (ret < 0) \ goto out; \ kfuzztest_logic_##test_name(arg); \ + record_invocation(); \ ret =3D len; \ out: \ kfree(buffer); \ diff --git a/lib/Makefile b/lib/Makefile index 392ff808c9b9..02789bf88499 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -325,6 +325,8 @@ obj-$(CONFIG_GENERIC_LIB_CMPDI2) +=3D cmpdi2.o obj-$(CONFIG_GENERIC_LIB_UCMPDI2) +=3D ucmpdi2.o obj-$(CONFIG_OBJAGG) +=3D objagg.o =20 +obj-$(CONFIG_KFUZZTEST) +=3D kfuzztest/ + # pldmfw library obj-$(CONFIG_PLDMFW) +=3D pldmfw/ =20 diff --git a/lib/kfuzztest/Makefile b/lib/kfuzztest/Makefile new file mode 100644 index 000000000000..142d16007eea --- /dev/null +++ b/lib/kfuzztest/Makefile @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-$(CONFIG_KFUZZTEST) +=3D kfuzztest.o +kfuzztest-objs :=3D main.o parse.o diff --git a/lib/kfuzztest/main.c b/lib/kfuzztest/main.c new file mode 100644 index 000000000000..c36a7a0b7602 --- /dev/null +++ b/lib/kfuzztest/main.c @@ -0,0 +1,242 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * KFuzzTest core module initialization and debugfs interface. + * + * Copyright 2025 Google LLC + */ +#include +#include +#include +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Ethan Graham "); +MODULE_DESCRIPTION("Kernel Fuzz Testing Framework (KFuzzTest)"); + +/* + * Enforce a fixed struct size to ensure a consistent stride when iteratin= g over + * the array of these structs in the dedicated ELF section. + */ +static_assert(sizeof(struct kfuzztest_target) =3D=3D 32, "struct kfuzztest= _target should have size 32"); +static_assert(sizeof(struct kfuzztest_constraint) =3D=3D 64, "struct kfuzz= test_constraint should have size 64"); +static_assert(sizeof(struct kfuzztest_annotation) =3D=3D 32, "struct kfuzz= test_annotation should have size 32"); + +extern const struct kfuzztest_target __kfuzztest_targets_start[]; +extern const struct kfuzztest_target __kfuzztest_targets_end[]; + +/** + * struct kfuzztest_state - global state for the KFuzzTest module + * + * @kfuzztest_dir: The root debugfs directory, /sys/kernel/debug/kfuzztest= /. + * @num_invocations: total number of target invocations. + * @num_targets: number of registered targets. + * @target_fops: array of file operations for each registered target. + * @minalign_fops: file operations for the /_config/minalign file. + * @num_invocations_fops: file operations for the /_config/num_invocations= file. + */ +struct kfuzztest_state { + struct dentry *kfuzztest_dir; + atomic_t num_invocations; + size_t num_targets; + + struct file_operations *target_fops; + struct file_operations minalign_fops; + struct file_operations num_invocations_fops; +}; + +static struct kfuzztest_state state; + +void record_invocation(void) +{ + atomic_inc(&state.num_invocations); +} + +static void cleanup_kfuzztest_state(struct kfuzztest_state *st) +{ + debugfs_remove_recursive(st->kfuzztest_dir); + st->num_targets =3D 0; + st->num_invocations =3D (atomic_t)ATOMIC_INIT(0); + kfree(st->target_fops); + st->target_fops =3D NULL; +} + +static const umode_t KFUZZTEST_INPUT_PERMS =3D 0222; +static const umode_t KFUZZTEST_MINALIGN_PERMS =3D 0444; + +static ssize_t read_cb_integer(struct file *filp, char __user *buf, size_t= count, loff_t *f_pos, size_t value) +{ + char buffer[64]; + int len; + + len =3D scnprintf(buffer, sizeof(buffer), "%zu\n", value); + return simple_read_from_buffer(buf, count, f_pos, buffer, len); +} + +/* + * Callback for /sys/kernel/debug/kfuzztest/_config/minalign. Minalign + * corresponds to the minimum alignment that regions in a KFuzzTest input = must + * satisfy. This callback returns that value in string format. + */ +static ssize_t minalign_read_cb(struct file *filp, char __user *buf, size_= t count, loff_t *f_pos) +{ + int minalign =3D MAX(KFUZZTEST_POISON_SIZE, ARCH_KMALLOC_MINALIGN); + return read_cb_integer(filp, buf, count, f_pos, minalign); +} + +/* + * Callback for /sys/kernel/debug/kfuzztest/_config/num_invocations, which + * returns the value in string format. + */ +static ssize_t num_invocations_read_cb(struct file *filp, char __user *buf= , size_t count, loff_t *f_pos) +{ + return read_cb_integer(filp, buf, count, f_pos, atomic_read(&state.num_in= vocations)); +} + +static int create_read_only_file(struct dentry *parent, const char *name, = struct file_operations *fops) +{ + struct dentry *file; + int err =3D 0; + + file =3D debugfs_create_file(name, KFUZZTEST_MINALIGN_PERMS, parent, NULL= , fops); + if (!file) + err =3D -ENOMEM; + else if (IS_ERR(file)) + err =3D PTR_ERR(file); + return err; +} + +static int initialize_config_dir(struct kfuzztest_state *st) +{ + struct dentry *dir; + int err =3D 0; + + dir =3D debugfs_create_dir("_config", st->kfuzztest_dir); + if (!dir) + err =3D -ENOMEM; + else if (IS_ERR(dir)) + err =3D PTR_ERR(dir); + if (err) { + pr_info("kfuzztest: failed to create /_config dir"); + goto out; + } + + st->minalign_fops =3D (struct file_operations){ + .owner =3D THIS_MODULE, + .read =3D minalign_read_cb, + }; + err =3D create_read_only_file(dir, "minalign", &st->minalign_fops); + if (err) { + pr_info("kfuzztest: failed to create /_config/minalign"); + goto out; + } + + st->num_invocations_fops =3D (struct file_operations){ + .owner =3D THIS_MODULE, + .read =3D num_invocations_read_cb, + }; + err =3D create_read_only_file(dir, "num_invocations", &st->num_invocation= s_fops); + if (err) + pr_info("kfuzztest: failed to create /_config/num_invocations"); +out: + return err; +} + +static int initialize_target_dir(struct kfuzztest_state *st, const struct = kfuzztest_target *targ, + struct file_operations *fops) +{ + struct dentry *dir, *input; + int err =3D 0; + + dir =3D debugfs_create_dir(targ->name, st->kfuzztest_dir); + if (!dir) + err =3D -ENOMEM; + else if (IS_ERR(dir)) + err =3D PTR_ERR(dir); + if (err) { + pr_info("kfuzztest: failed to create /kfuzztest/%s dir", targ->name); + goto out; + } + + input =3D debugfs_create_file("input", KFUZZTEST_INPUT_PERMS, dir, NULL, = fops); + if (!input) + err =3D -ENOMEM; + else if (IS_ERR(input)) + err =3D PTR_ERR(input); + if (err) + pr_info("kfuzztest: failed to create /kfuzztest/%s/input", targ->name); +out: + return err; +} + +/** + * kfuzztest_init - initializes the debug filesystem for KFuzzTest + * + * Each registered target in the ".kfuzztest_targets" section gets its own + * subdirectory under "/sys/kernel/debug/kfuzztest/" containing= one + * write-only "input" file used for receiving inputs from userspace. + * Furthermore, a directory "/sys/kernel/debug/kfuzztest/_config" is creat= ed, + * containing two read-only files "minalign" and "num_invocations", that r= eturn + * the minimum required region alignment and number of target invocations + * respectively. + * + * @return 0 on success or an error + */ +static int __init kfuzztest_init(void) +{ + const struct kfuzztest_target *targ; + int err =3D 0; + int i =3D 0; + + state.num_targets =3D __kfuzztest_targets_end - __kfuzztest_targets_start; + state.target_fops =3D kzalloc(sizeof(struct file_operations) * state.num_= targets, GFP_KERNEL); + if (!state.target_fops) + return -ENOMEM; + + /* Create the main "kfuzztest" directory in /sys/kernel/debug. */ + state.kfuzztest_dir =3D debugfs_create_dir("kfuzztest", NULL); + if (!state.kfuzztest_dir) { + pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory"); + return -ENOMEM; + } + if (IS_ERR(state.kfuzztest_dir)) { + pr_warn("kfuzztest: could not create 'kfuzztest' debugfs directory"); + err =3D PTR_ERR(state.kfuzztest_dir); + state.kfuzztest_dir =3D NULL; + return err; + } + + err =3D initialize_config_dir(&state); + if (err) + goto cleanup_failure; + + for (targ =3D __kfuzztest_targets_start; targ < __kfuzztest_targets_end; = targ++, i++) { + state.target_fops[i] =3D (struct file_operations){ + .owner =3D THIS_MODULE, + .write =3D targ->write_input_cb, + }; + err =3D initialize_target_dir(&state, targ, &state.target_fops[i]); + /* Bail out if a single target fails to initialize. This avoids + * partial setup, and a failure here likely indicates an issue + * with debugfs. */ + if (err) + goto cleanup_failure; + pr_info("kfuzztest: registered target %s", targ->name); + } + return 0; + +cleanup_failure: + cleanup_kfuzztest_state(&state); + return err; +} + +static void __exit kfuzztest_exit(void) +{ + pr_info("kfuzztest: exiting"); + cleanup_kfuzztest_state(&state); +} + +module_init(kfuzztest_init); +module_exit(kfuzztest_exit); diff --git a/lib/kfuzztest/parse.c b/lib/kfuzztest/parse.c new file mode 100644 index 000000000000..5aaeca6a7fde --- /dev/null +++ b/lib/kfuzztest/parse.c @@ -0,0 +1,204 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * KFuzzTest input parsing and validation. + * + * Copyright 2025 Google LLC + */ +#include +#include + +static int kfuzztest_relocate_v0(struct reloc_region_array *regions, struc= t reloc_table *rt, + unsigned char *payload_start, unsigned char *payload_end) +{ + unsigned char *poison_start, *poison_end; + struct reloc_region reg, src, dst; + uintptr_t *ptr_location; + struct reloc_entry re; + size_t i; + int ret; + + /* Patch pointers. */ + for (i =3D 0; i < rt->num_entries; i++) { + re =3D rt->entries[i]; + src =3D regions->regions[re.region_id]; + ptr_location =3D (uintptr_t *)(payload_start + src.offset + re.region_of= fset); + if (re.value =3D=3D KFUZZTEST_REGIONID_NULL) + *ptr_location =3D (uintptr_t)NULL; + else if (re.value < regions->num_regions) { + dst =3D regions->regions[re.value]; + *ptr_location =3D (uintptr_t)(payload_start + dst.offset); + } else { + return -EINVAL; + } + } + + /* Poison the padding between regions. */ + for (i =3D 0; i < regions->num_regions; i++) { + reg =3D regions->regions[i]; + + /* Points to the beginning of the inter-region padding */ + poison_start =3D payload_start + reg.offset + reg.size; + if (i < regions->num_regions - 1) + poison_end =3D payload_start + regions->regions[i + 1].offset; + else + poison_end =3D payload_end; + + if (poison_end > payload_end) + return -EINVAL; + + ret =3D kasan_poison_range(poison_start, poison_end - poison_start); + if (ret) + return ret; + } + + /* Poison the padded area preceding the payload. */ + return kasan_poison_range(payload_start - rt->padding_size, rt->padding_s= ize); +} + +static bool kfuzztest_input_is_valid(struct reloc_region_array *regions, s= truct reloc_table *rt, + unsigned char *payload_start, unsigned char *payload_end) +{ + size_t payload_size =3D payload_end - payload_start; + struct reloc_region reg, next_reg; + size_t usable_payload_size; + uint32_t region_end_offset; + struct reloc_entry reloc; + uint32_t i; + + if (payload_start > payload_end) + return false; + if (payload_size < KFUZZTEST_POISON_SIZE) + return false; + if ((uintptr_t)payload_end % KFUZZTEST_POISON_SIZE) + return false; + usable_payload_size =3D payload_size - KFUZZTEST_POISON_SIZE; + + for (i =3D 0; i < regions->num_regions; i++) { + reg =3D regions->regions[i]; + if (check_add_overflow(reg.offset, reg.size, ®ion_end_offset)) + return false; + if ((size_t)region_end_offset > usable_payload_size) + return false; + + if (i < regions->num_regions - 1) { + next_reg =3D regions->regions[i + 1]; + if (reg.offset > next_reg.offset) + return false; + /* Enforce the minimum poisonable gap between + * consecutive regions. */ + if (reg.offset + reg.size + KFUZZTEST_POISON_SIZE > next_reg.offset) + return false; + } + } + + if (rt->padding_size < KFUZZTEST_POISON_SIZE) { + pr_info("validation failed because rt->padding_size =3D %u", rt->padding= _size); + return false; + } + + for (i =3D 0; i < rt->num_entries; i++) { + reloc =3D rt->entries[i]; + if (reloc.region_id >=3D regions->num_regions) + return false; + if (reloc.value !=3D KFUZZTEST_REGIONID_NULL && reloc.value >=3D regions= ->num_regions) + return false; + + reg =3D regions->regions[reloc.region_id]; + if (reloc.region_offset % (sizeof(uintptr_t)) || reloc.region_offset + s= izeof(uintptr_t) > reg.size) + return false; + } + + return true; +} + +static int kfuzztest_parse_input_v0(unsigned char *input, size_t input_siz= e, struct reloc_region_array **ret_regions, + struct reloc_table **ret_reloc_table, unsigned char **ret_payload_= start, + unsigned char **ret_payload_end) +{ + size_t reloc_entries_size, reloc_regions_size; + unsigned char *payload_end, *payload_start; + size_t reloc_table_size, regions_size; + struct reloc_region_array *regions; + struct reloc_table *rt; + size_t curr_offset =3D 0; + + if (input_size < sizeof(struct reloc_region_array) + sizeof(struct reloc_= table)) + return -EINVAL; + + regions =3D (struct reloc_region_array *)input; + if (check_mul_overflow(regions->num_regions, sizeof(struct reloc_region),= &reloc_regions_size)) + return -EINVAL; + if (check_add_overflow(sizeof(*regions), reloc_regions_size, ®ions_siz= e)) + return -EINVAL; + + curr_offset =3D regions_size; + if (curr_offset > input_size) + return -EINVAL; + if (input_size - curr_offset < sizeof(struct reloc_table)) + return -EINVAL; + + rt =3D (struct reloc_table *)(input + curr_offset); + + if (check_mul_overflow((size_t)rt->num_entries, sizeof(struct reloc_entry= ), &reloc_entries_size)) + return -EINVAL; + if (check_add_overflow(sizeof(*rt), reloc_entries_size, &reloc_table_size= )) + return -EINVAL; + if (check_add_overflow(reloc_table_size, rt->padding_size, &reloc_table_s= ize)) + return -EINVAL; + + if (check_add_overflow(curr_offset, reloc_table_size, &curr_offset)) + return -EINVAL; + if (curr_offset > input_size) + return -EINVAL; + + payload_start =3D input + curr_offset; + payload_end =3D input + input_size; + + if (!kfuzztest_input_is_valid(regions, rt, payload_start, payload_end)) + return -EINVAL; + + *ret_regions =3D regions; + *ret_reloc_table =3D rt; + *ret_payload_start =3D payload_start; + *ret_payload_end =3D payload_end; + return 0; +} + +static int kfuzztest_parse_and_relocate_v0(unsigned char *input, size_t in= put_size, void **arg_ret) +{ + unsigned char *payload_start, *payload_end; + struct reloc_region_array *regions; + struct reloc_table *reloc_table; + int ret; + + ret =3D kfuzztest_parse_input_v0(input, input_size, ®ions, &reloc_tabl= e, &payload_start, &payload_end); + if (ret < 0) + return ret; + + ret =3D kfuzztest_relocate_v0(regions, reloc_table, payload_start, payloa= d_end); + if (ret < 0) + return ret; + *arg_ret =3D (void *)payload_start; + return 0; +} + +int kfuzztest_parse_and_relocate(void *input, size_t input_size, void **ar= g_ret) +{ + size_t header_size =3D 2 * sizeof(u32); + u32 version, magic; + + if (input_size < sizeof(u32) + sizeof(u32)) + return -EINVAL; + + magic =3D *(u32 *)input; + if (magic !=3D KFUZZTEST_HEADER_MAGIC) + return -EINVAL; + + version =3D *(u32 *)(input + sizeof(u32)); + switch (version) { + case KFUZZTEST_V0: + return kfuzztest_parse_and_relocate_v0(input + header_size, input_size -= header_size, arg_ret); + } + + return -EINVAL; +} --=20 2.51.0.470.ga7dc726c21-goog