forked from google/syzkaller
Kfuzztest/alloc buffer #10
Open: ethangraham2001 wants to merge 17 commits into kfuzztest/proof-of-concept from kfuzztest/alloc-buffer
Conversation
Add a Go-native KCOV package, with helper functions for tracing a function. This is in preparation for a standalone KFuzzTest tool, which should be written in Go in order to take advantage of existing fuzzing infrastructure. The hard-coded coverage buffer size is the same as the executor program, defined as `512 << 10` in `executor/executor.cc`. Signed-off-by: Ethan Graham <ethangraham@google.com>
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding logic. KFuzzTest targets, which are invoked in the executor with the new syz_kfuzztest_run pseudo-syscall, require specialized encoding. To differentiate KFuzzTest calls from standard syzkaller calls, we introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller descriptions that can be used to annotate calls. Signed-off-by: Ethan Graham <ethangraham@google.com>
As KFuzzTest targets are discovered at boot, we need a mechanism for adding these to the array of enabled system calls. This is implemented by the new Extend method, which performs this setup. Signed-off-by: Ethan Graham <ethangraham@google.com>
All non-base variants of syz_kfuzztest_run (i.e., those that are discovered dynamically) are encoded so that they map onto the base variant, which is defined in kfuzztest.txt and known by the executor. We add a function for fetching this, which is wrapped in a sync.Once block to avoid repeated iteration over the target's array of syscalls. Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a new package, pkg/kfuzztest, that implements dynamic discovery of KFuzzTest targets by parsing a vmlinux kernel binary. Signed-off-by: Ethan Graham <ethangraham@google.com>
Internal kernel functions (and as a result KFuzzTest) have stricter contracts than system calls. For this reason, we must avoid mutating the following cases:
- Length arguments not matching the length of the related buffer.
- Strings not being null-terminated.
Add special cases for KFuzzTest calls that avoid these situations. Signed-off-by: Ethan Graham <ethangraham@google.com>
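The two invariants listed in that commit message (a length field must stay equal to its buffer's length, and a C string must keep exactly one trailing NUL) are easy to break with a generic byte mutator. The following Go program is an added illustration written for this page, not code from the syzkaller project or from this pull request: it contrasts a naive buffer mutator, which edits the bytes but leaves the length field alone, with a constrained one that re-derives the length after every edit and keeps strings terminated. The `BufArg`/`StrArg` types, the mutator functions and the seeded sample input are all constructed here for the example and do not correspond to syzkaller's own types.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
)

// BufArg is a constructed model of a (buffer, length) argument pair. The
// kernel-side harness expects Len to equal len(Buf); a mismatch would be a
// harness bug rather than a kernel bug, so the mutator must never produce it.
type BufArg struct {
	Buf []byte
	Len uint64
}

// StrArg is a constructed model of a C string argument: payload bytes
// followed by a single terminating NUL, with no interior NUL.
type StrArg struct {
	Data []byte
}

// mutateBytes applies one random edit (overwrite, grow, shrink) to a copy of
// b. nonZero forces every written byte to be non-zero, which keeps C strings
// free of interior terminators.
func mutateBytes(r *rand.Rand, b []byte, nonZero bool) []byte {
	out := append([]byte(nil), b...)
	newByte := func() byte {
		if nonZero {
			return byte(1 + r.Intn(255))
		}
		return byte(r.Intn(256))
	}
	switch r.Intn(3) {
	case 0: // overwrite one byte
		if len(out) > 0 {
			out[r.Intn(len(out))] = newByte()
		}
	case 1: // grow by one byte
		out = append(out, newByte())
	case 2: // shrink by one byte
		if len(out) > 0 {
			out = out[:len(out)-1]
		}
	}
	return out
}

// MutateBufNaive is the unconstrained behaviour: the buffer changes but the
// length field is left alone, so the pair drifts out of sync.
func MutateBufNaive(r *rand.Rand, a BufArg) BufArg {
	return BufArg{Buf: mutateBytes(r, a.Buf, false), Len: a.Len}
}

// MutateBuf is the constrained variant: Len is recomputed from the new buffer.
func MutateBuf(r *rand.Rand, a BufArg) BufArg {
	b := mutateBytes(r, a.Buf, false)
	return BufArg{Buf: b, Len: uint64(len(b))}
}

// MutateStr mutates only the payload (never the terminator) and re-appends
// a single NUL, so the result is always a well-formed C string.
func MutateStr(r *rand.Rand, s StrArg) StrArg {
	payload := s.Data
	if n := len(payload); n > 0 && payload[n-1] == 0 {
		payload = payload[:n-1]
	}
	out := mutateBytes(r, payload, true)
	return StrArg{Data: append(out, 0)}
}

// CheckBuf and CheckStr encode the two invariants from the commit message.
func CheckBuf(a BufArg) bool { return a.Len == uint64(len(a.Buf)) }

func CheckStr(s StrArg) bool {
	n := len(s.Data)
	return n > 0 && s.Data[n-1] == 0 && bytes.IndexByte(s.Data[:n-1], 0) < 0
}

// CountViolations chains iters mutations from a fixed seed and reports how many
// naive and constrained buffer outputs break CheckBuf, and how many MutateStr
// outputs break CheckStr. Inputs are constructed sample values.
func CountViolations(seed int64, iters int) (naive, constrained, str int) {
	r := rand.New(rand.NewSource(seed))
	a := BufArg{Buf: []byte("hello"), Len: 5}
	b := a
	s := StrArg{Data: []byte("abc\x00")}
	for i := 0; i < iters; i++ {
		a = MutateBufNaive(r, a)
		if !CheckBuf(a) {
			naive++
		}
		b = MutateBuf(r, b)
		if !CheckBuf(b) {
			constrained++
		}
		s = MutateStr(r, s)
		if !CheckStr(s) {
			str++
		}
	}
	return
}

func main() {
	n, c, s := CountViolations(1, 200)
	fmt.Printf("naive=%d constrained=%d string=%d\n", n, c, s)
}
```

The design point is that the fix-up happens in the mutator, not as a post-hoc filter: a filter that rejects inconsistent programs throws away most of the corpus, whereas re-deriving the length field and re-appending the terminator keeps every mutation usable while still never handing the kernel-side harness an input that violates its contract.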
Add logic for dynamic KFuzzTest target discovery in syz-manager. By default, all KFuzzTest targets are enabled when the enable_kfuzztest config option is set to true. Signed-off-by: Ethan Graham <ethangraham@google.com>
syz-kfuzztest is a new standalone tool designed for fuzzing KFuzzTest on a live kernel VM (e.g., inside QEMU). It has no dependencies on the executor program, instead directly writing into a KFuzzTest target's debugfs entry. Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a tool for generating a syzkaller description for every KFuzzTest target discovered in a vmlinux binary and outputting it to stdout. Signed-off-by: Ethan Graham <ethangraham@google.com>
Add documentation for syzkaller's KFuzzTest integration, and a separate documentation file for the syz-kfuzztest program. Signed-off-by: Ethan Graham <ethangraham@google.com>
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of recommended calls can be used if we are fuzzing KFuzzTest targets. Signed-off-by: Ethan Graham <ethangraham@google.com>
If vmlinux is specified as a flag, we perform a setup stage where we parse vmlinux for KFuzzTest targets. Signed-off-by: Ethan Graham <ethangraham@google.com>
a-nogikh reviewed Sep 19, 2025
| return -1; | ||
| } | ||
| if (!input_data || input_data_size == 0) { | ||
| debug("syz_kfuzztest_run: input data was NULL\n"); |
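Review bot: the debug message `debug("syz_kfuzztest_run: input data was NULL\n")` covers only half of the condition it sits under; `if (!input_data || input_data_size == 0)` also fires for a non-NULL buffer whose size is zero, so an empty input would be logged as NULL. Either give the two cases separate messages or reword this one to `input data was NULL or empty`; if the `input_data` test is dropped, the message should say that the size was 0.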
No reason to check input_data anymore - you don't need it here.
b755cbe to 849f9ff