@ethangraham2001 ethangraham2001 commented Aug 13, 2025

Description

KFuzzTest integration in syzkaller.

Readme in docs/kfuzztest.md, syz-kfuzztest-specific documentation in docs/syz-kfuzztest.md.

Additions

  • Addition of a standalone tool syz-kfuzztest.
  • Encoding logic for the KFuzzTest input format.
  • Integration into syz-manager for dynamic discovery and continuous fuzzing of
    KFuzzTest targets.
  • Tool that automatically parses, generates, and emits syzkaller descriptions for
    KFuzzTest targets discovered from a vmlinux binary.
  • Function for fetching syz_kfuzztest_run's ID from a target (cached)

Modifications

  • Restricted mutation for KFuzzTest targets
  • target.lazyInit() fetches KFuzzTest run's ID
  • Targets can now be extended with new syscalls

@tarasmadan tarasmadan self-requested a review August 14, 2025 08:16
@tarasmadan tarasmadan left a comment

I'll do more batches later.

@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from 1e61119 to d15ea9d on August 20, 2025 14:16

@tarasmadan commented:
@gemini /review

@tarasmadan commented:
@gemini-cli /review

@github-actions github-actions bot left a comment

📋 Review Summary

This pull request is a solid proof-of-concept for integrating KFuzzTest into syzkaller. The overall structure is well-thought-out, with clear separation of concerns between extracting KFuzzTest definitions, building syzlang descriptions, and executing the tests.

🔍 General Feedback

  • The main point of feedback is the extensive use of panic throughout the new code. While this might be acceptable for a proof-of-concept, it should be replaced with proper error handling to make the code more robust and suitable for production use, especially in library code.
  • There are a few places where constants are hardcoded (e.g., file paths, syscall IDs). It would be better to define these in a central place to improve maintainability.
  • The code is generally well-written and easy to follow. The addition of documentation and a standalone tool for generating descriptions is a great touch.

Overall, this is a great start, and with some improvements to error handling and configuration, it will be a valuable addition to syzkaller.

@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from ff828c0 to f533625 on August 25, 2025 14:13
@tarasmadan tarasmadan force-pushed the kfuzztest/proof-of-concept branch from 944e267 to 2184b15 on August 27, 2025 09:16
@tarasmadan tarasmadan self-requested a review August 27, 2025 09:16
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from 497948e to aed938f on September 2, 2025 13:06
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from 8997cd1 to 81f2154 on September 18, 2025 14:23
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch 2 times, most recently from 7c1b377 to 6d82ba9 on September 19, 2025 15:20
Ethan Graham added 14 commits September 19, 2025 15:44
Add a Go-native KCOV package, with helper functions for tracing a
function. This is in preparation for a standalone KFuzzTest tool,
which should be written in Go in order to take advantage of existing
fuzzing infrastructure.

The hard-coded coverage buffer size is the same as the executor program,
defined as `512 << 10` in `executor/executor.cc`.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding
logic.

KFuzzTest targets, which are invoked in the executor with the new
syz_kfuzztest_run pseudo-syscall, require specialized encoding. To
differentiate KFuzzTest calls from standard syzkaller calls, we
introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller
descriptions that can be used to annotate calls.

Signed-off-by: Ethan Graham <ethangraham@google.com>
As KFuzzTest targets are discovered at boot, we need a mechanism for
adding these to the array of enabled system calls. This is implemented
by the new Extend method, which performs this setup.

Signed-off-by: Ethan Graham <ethangraham@google.com>
All non-base variants of syz_kfuzztest_run (i.e., those that are
discovered dynamically) are encoded so that they map onto the base
variant which is defined in kfuzztest.txt, and known by the executor.

We add a function for fetching this, which is wrapped in a sync.Once
block to avoid repeated iteration over the target's array of syscalls.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a new package, pkg/kfuzztest, that implements dynamic discovery of
KFuzzTest targets by parsing a vmlinux kernel binary.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Internal kernel functions (and as a result KFuzzTest) have stricter
contracts than system calls. For this reason, we must avoid mutating
the following cases:
- Length arguments not matching the length of the related buffer.
- Strings not being null-terminated.

Add special cases for KFuzzTest calls that avoid these situations.

Signed-off-by: Ethan Graham <ethangraham@google.com>
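A standalone illustration of the two invariants this commit protects (length arguments in sync with their buffers, strings NUL-terminated). This is example code added here, not syzkaller's prog package: `Field` is a hypothetical stand-in for syzkaller's argument types, and a `len` field is assumed to always name an existing buffer.

```go
package main
import "fmt"

// Field models one argument of a hypothetical KFuzzTest target; a "len" field names the
// buffer whose size it carries, like syzlang's len[buf]. Illustrative, not syzkaller's prog types.
type Field struct {
	Name, Kind, LenOf string // Kind is "buffer", "string" or "len"; LenOf names the sized field
	Data              []byte // payload of a "buffer" or "string"
	Value             uint64 // for "len": the current length value
}

func byName(in []Field) map[string]*Field {
	m := map[string]*Field{}
	for i := range in {
		m[in[i].Name] = &in[i]
	}
	return m
}

// Violations reports each length argument disagreeing with its buffer and each string without a NUL.
func Violations(in []Field) []string {
	names, out := byName(in), []string{}
	for _, f := range in {
		if f.Kind == "len" && f.Value != uint64(len(names[f.LenOf].Data)) {
			out = append(out, fmt.Sprintf("%s=%d but %s holds %d bytes", f.Name, f.Value, f.LenOf, len(names[f.LenOf].Data)))
		}
		if f.Kind == "string" && (len(f.Data) == 0 || f.Data[len(f.Data)-1] != 0) {
			out = append(out, f.Name+": string is not NUL-terminated")
		}
	}
	return out
}

// Fixup runs after an unrestricted mutation pass: strings are re-terminated first (which can
// change their size), then every len field is resynchronised with the buffer it describes.
func Fixup(in []Field) []Field {
	names := byName(in)
	for i := range in {
		if f := &in[i]; f.Kind == "string" && (len(f.Data) == 0 || f.Data[len(f.Data)-1] != 0) {
			f.Data = append(f.Data, 0)
		}
	}
	for i := range in {
		if f := &in[i]; f.Kind == "len" {
			f.Value = uint64(len(names[f.LenOf].Data))
		}
	}
	return in
}
```

Running `Violations` before and after `Fixup` on a mutated input shows the contract being restored rather than handed to the kernel broken.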
Add logic for dynamic KFuzzTest target discovery in syz-manager. By
default, all KFuzzTest targets are enabled when the enable_kfuzztest
config option is set to true.

Signed-off-by: Ethan Graham <ethangraham@google.com>
syz-kfuzztest is a new standalone tool designed for fuzzing KFuzzTest on a
live kernel VM (e.g., inside QEMU). It has no dependencies on the
executor program, instead directly writing into a KFuzzTest target's
debugfs entry.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Add a tool for generating a syzkaller description for every KFuzzTest
target discovered in a vmlinux binary and outputting it to stdout.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Add documentation for syzkaller's KFuzzTest integration, and a separate
documentation file for the syz-kfuzztest program.

Signed-off-by: Ethan Graham <ethangraham@google.com>
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.

Signed-off-by: Ethan Graham <ethangraham@google.com>
If vmlinux is specified as a flag, we perform a setup stage where we
parse vmlinux for KFuzzTest targets.

Signed-off-by: Ethan Graham <ethangraham@google.com>
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from 6d82ba9 to b755cbe on September 19, 2025 15:45
Previously, the generated KFuzzTest programs were reusing the address of
the top-level input struct. A problem could arise when the encoded blob
is large and overflows into another allocated region - this certainly
happens in the case where the input struct points to some large char
buffer, for example.

While this wasn't directly a problem, it could lead to racy behavior
when running KFuzzTest targets concurrently.

To fix this, we now introduce an additional buffer parameter into
syz_kfuzztest_run that is as big as the maximum accepted input size in
the KFuzzTest kernel code. When this buffer is allocated, we ensure that
we have some allocated space in the program that can hold the entire
encoded input.

This works in practice, but has not been tested with concurrent
KFuzzTest executions yet.
@ethangraham2001 ethangraham2001 force-pushed the kfuzztest/proof-of-concept branch from b755cbe to 849f9ff on September 19, 2025 15:56
@a-nogikh a-nogikh enabled auto-merge September 22, 2025 08:53
@a-nogikh a-nogikh added this pull request to the merge queue Sep 22, 2025
Merged via the queue into google:master with commit 0ac7291 Sep 22, 2025
17 checks passed
@blackgnezdo
This seems to have broken at least FreeBSD and OpenBSD

a-nogikh commented Oct 1, 2025

Oh, I didn't notice it, thanks for reporting.
I've sent #6392 that should fix it.
