From nobody Sun Dec 14 21:52:55 2025
Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com
 [209.85.221.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE6E834403C
	for <linux-kernel@vger.kernel.org>; Thu,  4 Dec 2025 14:13:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.45
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764857602; cv=none;
 b=g6q0u0HJ29k9ZJzqZBuKHMAnB2+OHlTx/i7F+zYZdwI1EqVhjiTJJJYzTdoQIBkAPxVqd8eyY8fNNC5z3IUFBL7PJTPurRQmOLGtfZb6npnHFJHibTTSwyLjO6ofZ5LjUMqj0RGMO0iX7QONIFSQ3FRCniAQB2vr6YmkyN3ApKU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764857602; c=relaxed/simple;
	bh=TnJsqKSnzKIC0iSPoujmB0qizXCqm6TL46n3TvXH0Io=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=JSm9nI12LPQewotLq4AJzHVGQt7z1qi5mhbOKLsh9MzEY7afE1RQx+cdJ24DVa1Q2H14+/r0OqOJSUDfJBRWX04WgwzhGfzUPbodXMtkcNAHvg4bmsRbvmTOS3iXndrrDM2uj6PZXlArKiY48dmllWpf2Wfz0AJ2ObZLlkUzvvE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=EjzNgMOr; arc=none smtp.client-ip=209.85.221.45
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="EjzNgMOr"
Received: by mail-wr1-f45.google.com with SMTP id
 ffacd0b85a97d-42b38de7940so564607f8f.3
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Dec 2025 06:13:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1764857596; x=1765462396;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=RabXc9ZxWPd5N856tl6EMMSdBPz7PelUrbPrIKztc18=;
        b=EjzNgMOrXM32j0zQjTcDbpsZPHyd1lrvWD4NN3/4aWetz0z4L8mg6qmDWB1pEhaHaY
         kcnCaVmx4OhUH9xoN35jj54HHeiFQdLkZzoHYQ06ttDXzxOGRymU5SjSLU7KcU6oJsiA
         zt6wdV/xvIFlBNId3P+P/ERdCc8weseOUImH5E5JyvpD1qKujw0kEM6oO3wxQMOwfeQP
         UTqr5BU67JkRkdSXj83aCxFIwlLi+wldYyyZlOtN7zljx5qZqRWdwi9tC0a13CTWgLq5
         9gJjwMVEal3vVzF5ZALnoCwFimoq0fhWeP9tkzqWO1o0QgZum2Ww314Re+ilmWms4w7j
         teUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764857596; x=1765462396;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=RabXc9ZxWPd5N856tl6EMMSdBPz7PelUrbPrIKztc18=;
        b=ulwcaX7NNBXNLsGEBNKdYM/d9IU1LISYYzemmIafJqUtGtcFynG+Vf/hYpi/SR/OAP
         rfEVwznKk6pjRi4wetHmuPP/qiFbD12LffQV2Dg+1jDEC7397cWBCtvGD1jPlyHE6NMb
         FpzUl/RKHq3BChNtQ0mNZ+cs3llb9vCWxibDp4qTfgorBFuEnfwH8a1jE/R1FP/DY4AB
         4TZ3up3kcTO6ewhmdHM7x88sh8/fMDqcsEYiTTDDTFTw9DoQJhHMnBK5Nd/2g+2QtNi4
         8tVpe2s0A7xTpNlNsnULKS8NGRCbiLGnS6mornrFtsjYZAAoMpGe1ABtQTtk1pIp/vDq
         CQSA==
X-Forwarded-Encrypted: i=1;
 AJvYcCUo77HsKM/GxuQMqyqslVftcTzDFrA+PfQEp3hd7rqGc96g9PLVjImAkK6qsd+VYgDTvagDNgSnfXb/9Ao=@vger.kernel.org
X-Gm-Message-State: AOJu0YykCjJ3psViTsStHZeTpdSP5HZvo4QPxE84bC7ahjly+HTC+IzF
	7s8NPMboIM7pJ8imXSVU9h7iHcPGyuyyT63oQcUZ6oLewH3rkUbP256f
X-Gm-Gg: ASbGncuDypdFp8zvJjjbeXC8W8HhdR++8WYwGVmKptyRvlXZCEoxm3cp3zn3rMCUDw2
	womFOG503k38zkSeH+1dEe4/fRQZPIAYC7+CJ4/b/jW5pjVDswz1lELvnqZabaCZeefECfEPHzZ
	UySanPxQggLz8nrHjp7cuheYJFDVE1+KxAWhJUcCvX0lI6FeZNaPaM7SUfc7JtkJNHmIdlX/3jq
	GjJz26r2rEahA37dcBfPU3WrIPmTZqJlr7H0uJjevPKUMPzfYohGQNhwQ/zdwar66PyENdLv57h
	aVFQqC6B2Hu7VvyWXhT1h5NznB6xH3gROuze5UJRm5ZrlrVbm/pklVSbky1+2xOYzvvsLpU4KON
	s6mTGFqNFSLgJBbyS/natwTFaCq4lYvkapo2NmsyNLOJitU7E1DauOJWTca1ITy7MI1jLLYLbSv
	13pgIrQ/vkw4St7PVVDWxxICl0Sog3gx3Znxw+T6t5nQugXgrP+TlbXIUhJSi643zQUg==
X-Google-Smtp-Source: 
 AGHT+IERDnLFLwOhzCzxM3fAOB4m9Q5P8T4LaKuBCRN+Nt+F4adsNxaxUHUrlib3xIGvfpKFuuE84A==
X-Received: by 2002:a05:6000:2306:b0:42b:3963:d08e with SMTP id
 ffacd0b85a97d-42f731967f8mr6489489f8f.22.1764857595783;
        Thu, 04 Dec 2025 06:13:15 -0800 (PST)
Received: from ethan-tp.d.ethz.ch (2001-67c-10ec-5744-8000--626.net6.ethz.ch.
 [2001:67c:10ec:5744:8000::626])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42f7cbfeae9sm3605808f8f.13.2025.12.04.06.13.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Dec 2025 06:13:15 -0800 (PST)
From: Ethan Graham <ethan.w.s.graham@gmail.com>
To: ethan.w.s.graham@gmail.com,
	glider@google.com
Cc: andreyknvl@gmail.com,
	andy@kernel.org,
	andy.shevchenko@gmail.com,
	brauner@kernel.org,
	brendan.higgins@linux.dev,
	davem@davemloft.net,
	davidgow@google.com,
	dhowells@redhat.com,
	dvyukov@google.com,
	elver@google.com,
	herbert@gondor.apana.org.au,
	ignat@cloudflare.com,
	jack@suse.cz,
	jannh@google.com,
	johannes@sipsolutions.net,
	kasan-dev@googlegroups.com,
	kees@kernel.org,
	kunit-dev@googlegroups.com,
	linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,
	lukas@wunner.de,
	rmoar@google.com,
	shuah@kernel.org,
	sj@kernel.org,
	tarasmadan@google.com,
	Ethan Graham <ethangraham@google.com>
Subject: [PATCH 08/10] crypto: implement KFuzzTest targets for PKCS7 and RSA
 parsing
Date: Thu,  4 Dec 2025 15:12:47 +0100
Message-ID: <20251204141250.21114-9-ethan.w.s.graham@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251204141250.21114-1-ethan.w.s.graham@gmail.com>
References: <20251204141250.21114-1-ethan.w.s.graham@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Ethan Graham <ethangraham@google.com>

Add KFuzzTest targets for pkcs7_parse_message, rsa_parse_pub_key, and
rsa_parse_priv_key to serve as real-world examples of how the framework
is used.

These functions are ideal candidates for KFuzzTest as they perform
complex parsing of user-controlled data but are not directly exposed at
the syscall boundary. This makes them difficult to exercise with
traditional fuzzing tools and showcases the primary strength of the
KFuzzTest framework: providing an interface to fuzz internal functions.

To validate the effectiveness of the framework on these new targets, we
injected two artificial bugs and let syzkaller fuzz the targets in an
attempt to catch them.

The first of these was calling the asn1 decoder with an incorrect input
from pkcs7_parse_message, like so:

- ret =3D asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ ret =3D asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1);

The second was bug deeper inside of asn1_ber_decoder itself, like so:

- for (len =3D 0; n > 0; n--)
+ for (len =3D 0; n >=3D 0; n--)

syzkaller was able to trigger these bugs, and the associated KASAN
slab-out-of-bounds reports, within seconds.

The targets are defined within crypto/asymmetric-keys/tests.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Signed-off-by: Ethan Graham <ethan.w.s.graham@gmail.com>
Reviewed-by: Ignat Korchagin <ignat@cloudflare.com>

---
PR v3:
- Use the FUZZ_TEST_SIMPLE macro for all introduced fuzz targets as
  they each take `(data, datalen)` pairs. This also removes the need for
  explicit constraints and annotations which become implicit.
PR v2:
- Make fuzz targets also depend on the KConfig options needed for the
  functions they are fuzzing, CONFIG_PKCS7_MESSAGE_PARSER and
  CONFIG_CRYPTO_RSA respectively.
- Fix build issues pointed out by the kernel test robot <lkp@intel.com>.
- Account for return value of pkcs7_parse_message, and free resources if
  the function call succeeds.
PR v1:
- Change the fuzz target build to depend on CONFIG_KFUZZTEST=3Dy,
  eliminating the need for a separate config option for each individual
  file as suggested by Ignat Korchagin.
- Remove KFUZZTEST_EXPECT_LE on the length of the `key` field inside of
  the fuzz targets. A maximum length is now set inside of the core input
  parsing logic.
RFC v2:
- Move KFuzzTest targets outside of the source files into dedicated
  _kfuzz.c files under /crypto/asymmetric_keys/tests/ as suggested by
  Ignat Korchagin and Eric Biggers.
---
---
 crypto/asymmetric_keys/Makefile               |  2 ++
 crypto/asymmetric_keys/tests/Makefile         |  4 ++++
 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c    | 17 ++++++++++++++++
 .../asymmetric_keys/tests/rsa_helper_kfuzz.c  | 20 +++++++++++++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 crypto/asymmetric_keys/tests/Makefile
 create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
 create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c

diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makef=
ile
index bc65d3b98dcb..77b825aee6b2 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -67,6 +67,8 @@ obj-$(CONFIG_PKCS7_TEST_KEY) +=3D pkcs7_test_key.o
 pkcs7_test_key-y :=3D \
 	pkcs7_key_type.o
=20
+obj-y +=3D tests/
+
 #
 # Signed PE binary-wrapped key handling
 #
diff --git a/crypto/asymmetric_keys/tests/Makefile b/crypto/asymmetric_keys=
/tests/Makefile
new file mode 100644
index 000000000000..023d6a65fb89
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/Makefile
@@ -0,0 +1,4 @@
+pkcs7-kfuzz-y :=3D $(and $(CONFIG_KFUZZTEST),$(CONFIG_PKCS7_MESSAGE_PARSER=
))
+rsa-helper-kfuzz-y :=3D $(and $(CONFIG_KFUZZTEST),$(CONFIG_CRYPTO_RSA))
+obj-$(pkcs7-kfuzz-y) +=3D pkcs7_kfuzz.o
+obj-$(rsa-helper-kfuzz-y) +=3D rsa_helper_kfuzz.o
diff --git a/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c b/crypto/asymmetric=
_keys/tests/pkcs7_kfuzz.c
new file mode 100644
index 000000000000..345f99990653
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/pkcs7_kfuzz.c
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * PKCS#7 parser KFuzzTest target
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <crypto/pkcs7.h>
+#include <linux/kfuzztest.h>
+
+FUZZ_TEST_SIMPLE(test_pkcs7_parse_message)
+{
+	struct pkcs7_message *msg;
+
+	msg =3D pkcs7_parse_message(data, datalen);
+	if (msg && !IS_ERR(msg))
+		kfree(msg);
+}
diff --git a/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c b/crypto/asymm=
etric_keys/tests/rsa_helper_kfuzz.c
new file mode 100644
index 000000000000..dd434f1a21ed
--- /dev/null
+++ b/crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * RSA key extract helper KFuzzTest targets
+ *
+ * Copyright 2025 Google LLC
+ */
+#include <linux/kfuzztest.h>
+#include <crypto/internal/rsa.h>
+
+FUZZ_TEST_SIMPLE(test_rsa_parse_pub_key)
+{
+	struct rsa_key out;
+	rsa_parse_pub_key(&out, data, datalen);
+}
+
+FUZZ_TEST_SIMPLE(test_rsa_parse_priv_key)
+{
+	struct rsa_key out;
+	rsa_parse_priv_key(&out, data, datalen);
+}
--=20
2.51.0