From nobody Sat Feb 7 08:23:11 2026 Received: from mail-ej1-f52.google.com (mail-ej1-f52.google.com [209.85.218.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 825B631B131 for ; Mon, 12 Jan 2026 19:28:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768246130; cv=none; b=ltfQhY9uQ+xvSMhJZ9js/hOPPZTToUcoJmMl2B7ssFb37kz3NNGIr63on6t5W+VHHQ8Mnkd+3mtj0quLv+WBHP9Vw3ufGwQS2vbVDstYB4v3GOJw9EnfOIV9gXjlieralQgasxVFDwr/X5j9a7RcpJQiXx2NvQIMoG9I+AyZfjU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768246130; c=relaxed/simple; bh=wMDRutPxox6hkPyPznb4TybXdAVmmts7fn8xxj+1g5E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nGlNIGniXsWCzSrf5lPXQS/1fHoZiY1Cr/sYFO4RUyzd40sbiJ92vfUaHK5iS2/2lY4OBil1Hy/fNlHNGb5ir2zzCv/XTshVFFnypz/xG8rInnHxM3815ZI1rK63IYCN794R4wY2sExkeuS8ldXFSKtp39yzzrUolCAs0c96ouE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=A72aTiFZ; arc=none smtp.client-ip=209.85.218.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="A72aTiFZ" Received: by mail-ej1-f52.google.com with SMTP id a640c23a62f3a-b8715a4d9fdso186075666b.0 for ; Mon, 12 Jan 2026 11:28:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768246127; x=1768850927; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=lYn/cfzIUiLg8O0jmeN0oIUjcH6e7FhIiA9EkVEqfyc=; b=A72aTiFZspKlLlgZYax1P8HDpOEO2xHOiGMYgnPRbYrNSHj3vKsdHpmtr3xm5D3JSL 9H9K4tKuGImpsJro5mPs68y1uNQYdVpAK5G/3F2Yp9QyIEZxt9OQl6YraVyAqCgf95Wu mIzAdj6At6bh8mWmHsCIzINhu7lo6ml7WHbA8RF1JGPgfVXF499NTk/SQh8Vpsm4Qztq IXqmLza+Tr9wIr7w9WGy9+6NHdvMm7CrJA/di54Eo3ZqKpBI9XBbSf1YuOYXr0pNrd/c BVlXw4bCMp48l61QVRNLlDNhtVfn68lI9vrHawc13zCWeIB6hiIKbFT2XDXBzmzcSKM1 YV8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768246127; x=1768850927; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=lYn/cfzIUiLg8O0jmeN0oIUjcH6e7FhIiA9EkVEqfyc=; b=irkMnFHgmpNpR6U6SOdHgbP51KYzN8frt2TQkl7mOOiJeC/lC4banOA4Xkp08LF7on N7NfFD1WnuvX83UhkupijyANIuPXeW1OSvxz9vzOeT//AkC0DFgzmmqFn/2naUHJKAs0 g2UVqEfWvGVvgEix7EykG849RR4R3i0sKKj7imvb9bYjs+im8OWsPbvKqWA3WFjf7A/b AQ3BnmbxHfx9Fio+TJG64xXo9/0MOT3voJyd92susqcVjLK1Duf0yq2YF5ucgX43ar9c CkcLTGdy4f20xtkYPiH9DhRwYApVKTgebTAXHICJh+0u0HaZyKkDLkwYFT0Oov4nar4U Hshg== X-Forwarded-Encrypted: i=1; AJvYcCXCZ6q79ZnxA78iiSWLmNfsOP46bmrgNvnqn+fKhvzpSIkr0RWus4BQiZrdqpdMw+3RpTElKWzzjwoRjsg=@vger.kernel.org X-Gm-Message-State: AOJu0Ywb5lBfbg7tiRiWC5vdxNQIqpK6QiFjZVQefq5olPSldByGjbzd 3e3jWqEB9lzzJXMxmo9Pr1crNo7ZpJjLJ4XDVA/s6P/Pd9CiYWAFoy32 X-Gm-Gg: AY/fxX4Jj05uEBAeMRd1rdtyec2XALj43nqXffz3yaLeTlfTymV4BPquYTWafg3xvwb fApIQz1Q8CyTLgqeDh5gxjKcjtLmG4vJ+ipb9LRMSYwXyMM6K61sDYyk1+GIDZFPGQWMxzCJ8/J gPheHRYyXIhXbrk0vtjBq0uJF4SqPswJQmSx5ZKeQwOffhHk0JQRftLVgLlMo+yQ6UAkvFEolZL UX9xTXogFqPUWndHOmsWxPYJFJWhalt5Zh47KYZCuDz2p5z8UCFTP6oIr7AD+3IsjZcc9TkD6vO EolCGesH0NtZwrazUd0/ZJV+GHwUscmFjbUVuiZmqdBdCiwlK0Wx5DjpP901VfifNj3gU6dr170 9YOrjZPyRQ+QKixRK6zIqkZlGlg2vtI16/EG6QZTKxKL01DtXSSrCAXEW5qMg7Jrl+SZPkTbI7M fAZs8viscEz1wvRjPFsBtLaByexCl2SLoV77xKpfb9i4XWgp53Bw== X-Google-Smtp-Source: AGHT+IF4pPwfnNX2FK6K6VgQD0pVFZdgZJNgLaaNTxNX+cYNIN/F+0YErplY46SPSS0fwiEVEMONCQ== X-Received: by 2002:a17:906:9f87:b0:b73:2b08:ac70 with SMTP id a640c23a62f3a-b844539fc4fmr1937923066b.49.1768246126219; Mon, 12 Jan 2026 11:28:46 -0800 (PST) Received: from ethan-tp (xdsl-31-164-106-179.adslplus.ch. [31.164.106.179]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-6507bf667fcsm18108959a12.29.2026.01.12.11.28.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Jan 2026 11:28:45 -0800 (PST) From: Ethan Graham To: ethan.w.s.graham@gmail.com, glider@google.com Cc: akpm@linux-foundation.org, andreyknvl@gmail.com, andy@kernel.org, andy.shevchenko@gmail.com, brauner@kernel.org, brendan.higgins@linux.dev, davem@davemloft.net, davidgow@google.com, dhowells@redhat.com, dvyukov@google.com, ebiggers@kernel.org, elver@google.com, gregkh@linuxfoundation.org, herbert@gondor.apana.org.au, ignat@cloudflare.com, jack@suse.cz, jannh@google.com, johannes@sipsolutions.net, kasan-dev@googlegroups.com, kees@kernel.org, kunit-dev@googlegroups.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lukas@wunner.de, mcgrof@kernel.org, rmoar@google.com, shuah@kernel.org, sj@kernel.org, skhan@linuxfoundation.org, tarasmadan@google.com, wentaoz5@illinois.edu Subject: [PATCH v4 4/6] kfuzztest: add KFuzzTest sample fuzz targets Date: Mon, 12 Jan 2026 20:28:25 +0100 Message-ID: <20260112192827.25989-5-ethan.w.s.graham@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260112192827.25989-1-ethan.w.s.graham@gmail.com> References: <20260112192827.25989-1-ethan.w.s.graham@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add two simple fuzz target samples to demonstrate the KFuzzTest API and provide basic self-tests for the framework. These examples showcase how a developer can define a fuzz target using the FUZZ_TEST_SIMPLE() macro. It also serves as a runtime sanity check, ensuring that the framework correctly passes the input buffer and that KASAN correctly detects out-of-bounds memory accesses (in this case, a buffer underflow) on the allocated test data. This target can be fuzzed naively by writing random data into the debugfs 'input_simple' file and verifying that the KASAN report is triggered. Signed-off-by: Ethan Graham Acked-by: Alexander Potapenko --- PR v4: - Remove the `test_underflow_on_nested_buffer` sample target which relied on the now removed `FUZZ_TEST` macro. - Update the sample comment to demonstrate naive fuzzing (using `head`) instead of the removed bridge tool. - Fix stale comments referencing internal layout structures. PR v3: - Use the FUZZ_TEST_SIMPLE macro in the `underflow_on_buffer` sample fuzz target instead of FUZZ_TEST. PR v2: - Fix build issues pointed out by the kernel test robot . --- --- samples/Kconfig | 7 ++++ samples/Makefile | 1 + samples/kfuzztest/Makefile | 3 ++ samples/kfuzztest/underflow_on_buffer.c | 52 +++++++++++++++++++++++++ 4 files changed, 63 insertions(+) create mode 100644 samples/kfuzztest/Makefile create mode 100644 samples/kfuzztest/underflow_on_buffer.c diff --git a/samples/Kconfig b/samples/Kconfig index 6e072a5f1ed8..303a9831d404 100644 --- a/samples/Kconfig +++ b/samples/Kconfig @@ -320,6 +320,13 @@ config SAMPLE_HUNG_TASK Reading these files with multiple processes triggers hung task detection by holding locks for a long time (256 seconds). =20 +config SAMPLE_KFUZZTEST + bool "Build KFuzzTest sample targets" + depends on KFUZZTEST + help + Build KFuzzTest sample targets that serve as selftests for raw input + delivery and KASAN out-of-bounds detection. + source "samples/rust/Kconfig" =20 source "samples/damon/Kconfig" diff --git a/samples/Makefile b/samples/Makefile index 07641e177bd8..3a0e7f744f44 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -44,4 +44,5 @@ obj-$(CONFIG_SAMPLE_DAMON_WSSE) +=3D damon/ obj-$(CONFIG_SAMPLE_DAMON_PRCL) +=3D damon/ obj-$(CONFIG_SAMPLE_DAMON_MTIER) +=3D damon/ obj-$(CONFIG_SAMPLE_HUNG_TASK) +=3D hung_task/ +obj-$(CONFIG_SAMPLE_KFUZZTEST) +=3D kfuzztest/ obj-$(CONFIG_SAMPLE_TSM_MR) +=3D tsm-mr/ diff --git a/samples/kfuzztest/Makefile b/samples/kfuzztest/Makefile new file mode 100644 index 000000000000..2dc5d424824d --- /dev/null +++ b/samples/kfuzztest/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0-only + +obj-$(CONFIG_SAMPLE_KFUZZTEST) +=3D underflow_on_buffer.o diff --git a/samples/kfuzztest/underflow_on_buffer.c b/samples/kfuzztest/un= derflow_on_buffer.c new file mode 100644 index 000000000000..5568c5e6be7a --- /dev/null +++ b/samples/kfuzztest/underflow_on_buffer.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * This file contains a KFuzzTest example target that ensures that a buffer + * underflow on a region triggers a KASAN OOB access report. + * + * Copyright 2025 Google LLC + */ + +/** + * test_underflow_on_buffer - a sample fuzz target + * + * This sample fuzz target serves to illustrate the usage of the + * FUZZ_TEST_SIMPLE macro, as well as provide a sort of self-test that KFu= zzTest + * functions correctly for trivial fuzz targets. In KASAN builds, fuzzing = this + * harness should trigger a report for every input (provided that its leng= th is + * greater than 0 and less than KFUZZTEST_MAX_INPUT_SIZE). + * + * This harness can be invoked (naively) like so: + * head -c 128 /dev/urandom > \ + * /sys/kernel/debug/kfuzztest/test_underflow_on_buffer/input_simple + */ +#include + +static void underflow_on_buffer(char *buf, size_t buflen) +{ + size_t i; + + /* + * Print the address range of `buf` to allow correlation with the + * subsequent KASAN report. + */ + pr_info("buf =3D [%px, %px)", buf, buf + buflen); + + /* First ensure that all bytes in `buf` are accessible. */ + for (i =3D 0; i < buflen; i++) + READ_ONCE(buf[i]); + /* + * Provoke a buffer underflow on the first byte preceding `buf`, + * triggering a KASAN report. + */ + READ_ONCE(*((char *)buf - 1)); +} + +/** + * Define the fuzz target. This wrapper ensures that the `underflow_on_buf= fer` + * function is invoked with the data provided from userspace. + */ +FUZZ_TEST_SIMPLE(test_underflow_on_buffer) +{ + underflow_on_buffer(data, datalen); + return 0; +} --=20 2.51.0