Documentation/dev-tools/index.rst | 1 + Documentation/dev-tools/kfuzztest.rst | 152 ++++++++++++++++++ MAINTAINERS | 7 + crypto/asymmetric_keys/Makefile | 2 + crypto/asymmetric_keys/tests/Makefile | 4 + crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 18 +++ .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 24 +++ include/asm-generic/vmlinux.lds.h | 14 +- include/linux/kfuzztest.h | 90 +++++++++++ lib/Kconfig.debug | 1 + lib/Makefile | 2 + lib/kfuzztest/Kconfig | 16 ++ lib/kfuzztest/Makefile | 4 + lib/kfuzztest/input.c | 47 ++++++ lib/kfuzztest/main.c | 142 ++++++++++++++++ samples/Kconfig | 7 + samples/Makefile | 1 + samples/kfuzztest/Makefile | 3 + samples/kfuzztest/underflow_on_buffer.c | 52 ++++++ 19 files changed, 586 insertions(+), 1 deletion(-) create mode 100644 Documentation/dev-tools/kfuzztest.rst create mode 100644 crypto/asymmetric_keys/tests/Makefile create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c create mode 100644 include/linux/kfuzztest.h create mode 100644 lib/kfuzztest/Kconfig create mode 100644 lib/kfuzztest/Makefile create mode 100644 lib/kfuzztest/input.c create mode 100644 lib/kfuzztest/main.c create mode 100644 samples/kfuzztest/Makefile create mode 100644 samples/kfuzztest/underflow_on_buffer.c
This patch series introduces KFuzzTest, a lightweight framework for creating in-kernel fuzz targets for internal kernel functions. The primary motivation for KFuzzTest is to simplify the fuzzing of low-level, relatively stateless functions (e.g., data parsers, format converters) that are difficult to exercise effectively from the syscall boundary. It is intended for in-situ fuzzing of kernel code without requiring that it be built as a separate userspace library or that its dependencies be stubbed out. Following feedback from the Linux Plumbers Conference and mailing list discussions, this version of the framework has been significantly simplified. It now focuses exclusively on handling raw binary inputs, removing the complexity of the custom serialization format and DWARF parsing found in previous iterations. The core design consists of two main parts: 1. The `FUZZ_TEST_SIMPLE(name)` macro, which allows developers to define a fuzz test that accepts a buffer and its length. 2. A simplified debugfs interface that allows userspace fuzzers (or simple command-line tools) to pass raw binary blobs directly to the target function. To validate the framework's end-to-end effectiveness, we performed an experiment by manually introducing an off-by-one buffer over-read into pkcs7_parse_message, like so: - ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen); + ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1); A syzkaller instance fuzzing the new test_pkcs7_parse_message target introduced in patch 7 successfully triggered the bug inside of asn1_ber_decoder in under 30 seconds from a cold start. Similar experiments on the other new fuzz targets (patches 8-9) also successfully identified injected bugs, proving that KFuzzTest is effective when paired with a coverage-guided fuzzing engine. This patch series is structured as follows: - Patch 1 introduces the core KFuzzTest API, including the main FUZZ_TEST_SIMPLE macro. - Patch 2 adds the runtime implementation for the framework - Patch 3 adds documentation. - Patch 4 provides sample fuzz targets. - Patch 5 defines fuzz targets for several functions in crypto/. - Patch 6 adds maintainer information for KFuzzTest. Changes since PR v3: - Major simplification of the architecture, removing the complex `FUZZ_TEST` macro, the custom serialization format, domain constraints, annotations, and associated DWARF metadata regions. - The framework now only supports `FUZZ_TEST_SIMPLE` targets, which accept raw binary data. - Removed the userspace bridge tool as it is no longer required for serializing inputs. - Updated documentation and samples to reflect the "simple-only" approach. Ethan Graham (6): kfuzztest: add user-facing API and data structures kfuzztest: implement core module and input processing kfuzztest: add ReST documentation kfuzztest: add KFuzzTest sample fuzz targets crypto: implement KFuzzTest targets for PKCS7 and RSA parsing MAINTAINERS: add maintainer information for KFuzzTest Documentation/dev-tools/index.rst | 1 + Documentation/dev-tools/kfuzztest.rst | 152 ++++++++++++++++++ MAINTAINERS | 7 + crypto/asymmetric_keys/Makefile | 2 + crypto/asymmetric_keys/tests/Makefile | 4 + crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 18 +++ .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 24 +++ include/asm-generic/vmlinux.lds.h | 14 +- include/linux/kfuzztest.h | 90 +++++++++++ lib/Kconfig.debug | 1 + lib/Makefile | 2 + lib/kfuzztest/Kconfig | 16 ++ lib/kfuzztest/Makefile | 4 + lib/kfuzztest/input.c | 47 ++++++ lib/kfuzztest/main.c | 142 ++++++++++++++++ samples/Kconfig | 7 + samples/Makefile | 1 + samples/kfuzztest/Makefile | 3 + samples/kfuzztest/underflow_on_buffer.c | 52 ++++++ 19 files changed, 586 insertions(+), 1 deletion(-) create mode 100644 Documentation/dev-tools/kfuzztest.rst create mode 100644 crypto/asymmetric_keys/tests/Makefile create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c create mode 100644 include/linux/kfuzztest.h create mode 100644 lib/kfuzztest/Kconfig create mode 100644 lib/kfuzztest/Makefile create mode 100644 lib/kfuzztest/input.c create mode 100644 lib/kfuzztest/main.c create mode 100644 samples/kfuzztest/Makefile create mode 100644 samples/kfuzztest/underflow_on_buffer.c -- 2.51.0
Johannes, I wanted to check if this v4 aligns with your previous feedback regarding the tight coupling with userspace tools. The custom serialization has been removed entirely along with the bridge tool. This series now focuses exclusively on passing raw binary inputs via debugfs with the FUZZ_TEST_SIMPLE macro. The decoupling eliminates any dependency on syzkaller and should help remove some of the blockers that you previously encountered when considering integration with other fuzzing engines. Does this simplified design look closer to what you need? Thanks, Ethan On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote: > > This patch series introduces KFuzzTest, a lightweight framework for > creating in-kernel fuzz targets for internal kernel functions. > > The primary motivation for KFuzzTest is to simplify the fuzzing of > low-level, relatively stateless functions (e.g., data parsers, format > converters) that are difficult to exercise effectively from the syscall > boundary. It is intended for in-situ fuzzing of kernel code without > requiring that it be built as a separate userspace library or that its > dependencies be stubbed out. > > Following feedback from the Linux Plumbers Conference and mailing list > discussions, this version of the framework has been significantly > simplified. It now focuses exclusively on handling raw binary inputs, > removing the complexity of the custom serialization format and DWARF > parsing found in previous iterations. > > The core design consists of two main parts: > 1. The `FUZZ_TEST_SIMPLE(name)` macro, which allows developers to define > a fuzz test that accepts a buffer and its length. > 2. A simplified debugfs interface that allows userspace fuzzers (or > simple command-line tools) to pass raw binary blobs directly to the > target function. > > To validate the framework's end-to-end effectiveness, we performed an > experiment by manually introducing an off-by-one buffer over-read into > pkcs7_parse_message, like so: > > - ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen); > + ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen + 1); > > A syzkaller instance fuzzing the new test_pkcs7_parse_message target > introduced in patch 7 successfully triggered the bug inside of > asn1_ber_decoder in under 30 seconds from a cold start. Similar > experiments on the other new fuzz targets (patches 8-9) also > successfully identified injected bugs, proving that KFuzzTest is > effective when paired with a coverage-guided fuzzing engine. > > This patch series is structured as follows: > - Patch 1 introduces the core KFuzzTest API, including the main > FUZZ_TEST_SIMPLE macro. > - Patch 2 adds the runtime implementation for the framework > - Patch 3 adds documentation. > - Patch 4 provides sample fuzz targets. > - Patch 5 defines fuzz targets for several functions in crypto/. > - Patch 6 adds maintainer information for KFuzzTest. > > Changes since PR v3: > - Major simplification of the architecture, removing the complex > `FUZZ_TEST` macro, the custom serialization format, domain > constraints, annotations, and associated DWARF metadata regions. > - The framework now only supports `FUZZ_TEST_SIMPLE` targets, which > accept raw binary data. > - Removed the userspace bridge tool as it is no longer required for > serializing inputs. > - Updated documentation and samples to reflect the "simple-only" > approach. > > Ethan Graham (6): > kfuzztest: add user-facing API and data structures > kfuzztest: implement core module and input processing > kfuzztest: add ReST documentation > kfuzztest: add KFuzzTest sample fuzz targets > crypto: implement KFuzzTest targets for PKCS7 and RSA parsing > MAINTAINERS: add maintainer information for KFuzzTest > > Documentation/dev-tools/index.rst | 1 + > Documentation/dev-tools/kfuzztest.rst | 152 ++++++++++++++++++ > MAINTAINERS | 7 + > crypto/asymmetric_keys/Makefile | 2 + > crypto/asymmetric_keys/tests/Makefile | 4 + > crypto/asymmetric_keys/tests/pkcs7_kfuzz.c | 18 +++ > .../asymmetric_keys/tests/rsa_helper_kfuzz.c | 24 +++ > include/asm-generic/vmlinux.lds.h | 14 +- > include/linux/kfuzztest.h | 90 +++++++++++ > lib/Kconfig.debug | 1 + > lib/Makefile | 2 + > lib/kfuzztest/Kconfig | 16 ++ > lib/kfuzztest/Makefile | 4 + > lib/kfuzztest/input.c | 47 ++++++ > lib/kfuzztest/main.c | 142 ++++++++++++++++ > samples/Kconfig | 7 + > samples/Makefile | 1 + > samples/kfuzztest/Makefile | 3 + > samples/kfuzztest/underflow_on_buffer.c | 52 ++++++ > 19 files changed, 586 insertions(+), 1 deletion(-) > create mode 100644 Documentation/dev-tools/kfuzztest.rst > create mode 100644 crypto/asymmetric_keys/tests/Makefile > create mode 100644 crypto/asymmetric_keys/tests/pkcs7_kfuzz.c > create mode 100644 crypto/asymmetric_keys/tests/rsa_helper_kfuzz.c > create mode 100644 include/linux/kfuzztest.h > create mode 100644 lib/kfuzztest/Kconfig > create mode 100644 lib/kfuzztest/Makefile > create mode 100644 lib/kfuzztest/input.c > create mode 100644 lib/kfuzztest/main.c > create mode 100644 samples/kfuzztest/Makefile > create mode 100644 samples/kfuzztest/underflow_on_buffer.c > > -- > 2.51.0 >
Hi Ethan, > I wanted to check if this v4 aligns with your previous feedback regarding > the tight coupling with userspace tools. > > The custom serialization has been removed entirely along with the bridge > tool. This series now focuses exclusively on passing raw binary inputs > via debugfs with the FUZZ_TEST_SIMPLE macro. > > The decoupling eliminates any dependency on syzkaller and should help > remove some of the blockers that you previously encountered when > considering integration with other fuzzing engines. > > Does this simplified design look closer to what you need? Thanks for reaching out! We're doing some changes here and I also need to focus on some WiFi features, so I don't really know when (if?) I'll continue working on this, but yes, this definitely aligns much better with what I had in mind. FWIW, maybe for new people on the thread, last time I was considering building ARCH=um in a way that it would run into a (selectable) fuzz test, fork, and then feed it fuzzer input coming from honggfuzz [1]. I'm handwaving a bit [2], but this would basically bypass userspace completely and let us fuzz any of the tests in the kernel with "reset" for each fuzzing round. [1] selected because it's compatible with what the kernel does now with kcov for coverage feedback, afl++ currently cannot deal with this for some reason [2] because I hadn't quite figured out how to make UML a single thread only and get rid of the userspace running inside of it Regardless, definitely yes, I think the design is much simpler and even if I don't end up integrating honggfuzz this specific way, I do believe it will make it much simpler (and more performant) to integrate with other fuzzers. johannes
On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote: > > This patch series introduces KFuzzTest, a lightweight framework for > creating in-kernel fuzz targets for internal kernel functions. > Adding Rae Moar to the thread (rmoar@google.com bounced).
On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote: > > This patch series introduces KFuzzTest, a lightweight framework for > creating in-kernel fuzz targets for internal kernel functions. > > The primary motivation for KFuzzTest is to simplify the fuzzing of > low-level, relatively stateless functions (e.g., data parsers, format > converters) that are difficult to exercise effectively from the syscall > boundary. It is intended for in-situ fuzzing of kernel code without > requiring that it be built as a separate userspace library or that its > dependencies be stubbed out. > > Following feedback from the Linux Plumbers Conference and mailing list > discussions, this version of the framework has been significantly > simplified. It now focuses exclusively on handling raw binary inputs, > removing the complexity of the custom serialization format and DWARF > parsing found in previous iterations. Thanks, Ethan! I left some comments, but overall I think we are almost there :) A remaining open question is how to handle concurrent attempts to write data to debugfs. Some kernel functions may not support reentrancy, so we'll need to either document this limitation or implement proper per-test case locking.
On Tue, Jan 20, 2026 at 3:26 PM Alexander Potapenko <glider@google.com> wrote: > > On Mon, Jan 12, 2026 at 8:28 PM Ethan Graham <ethan.w.s.graham@gmail.com> wrote: > > > > This patch series introduces KFuzzTest, a lightweight framework for > > creating in-kernel fuzz targets for internal kernel functions. > > > > The primary motivation for KFuzzTest is to simplify the fuzzing of > > low-level, relatively stateless functions (e.g., data parsers, format > > converters) that are difficult to exercise effectively from the syscall > > boundary. It is intended for in-situ fuzzing of kernel code without > > requiring that it be built as a separate userspace library or that its > > dependencies be stubbed out. > > > > Following feedback from the Linux Plumbers Conference and mailing list > > discussions, this version of the framework has been significantly > > simplified. It now focuses exclusively on handling raw binary inputs, > > removing the complexity of the custom serialization format and DWARF > > parsing found in previous iterations. > > Thanks, Ethan! > I left some comments, but overall I think we are almost there :) > > A remaining open question is how to handle concurrent attempts to > write data to debugfs. > Some kernel functions may not support reentrancy, so we'll need to > either document this limitation or implement proper per-test case > locking. Hi Shuah, I wanted to bring this series to your attention. There are some comments to be addressed in v5, but overall, do you think the code qualifies as "having no dependency on syzkaller"? Thanks!
© 2016 - 2026 Red Hat, Inc.