diff options
| author | Ethan Graham <ethangraham@google.com> | 2025-09-19 15:44:59 +0000 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2025-09-22 09:11:54 +0000 |
| commit | 490f32238051336d5a498cbc3ecc47140052b502 (patch) | |
| tree | b2baa30374181952a39000373a0cf1c5952d21fe /executor | |
| parent | c9f0a99247f6d9a6df877720609cbce3dca73b55 (diff) | |
kfuzztest: introduce syz_kfuzztest_run pseudo-syscall
Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding
logic.
KFuzzTest targets, which are invoked in the executor with the new
syz_kfuzztest_run pseudo-syscall, require specialized encoding. To
differentiate KFuzzTest calls from standard syzkaller calls, we
introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller
descriptions that can be used to annotate calls.
Signed-off-by: Ethan Graham <ethangraham@google.com>
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_linux.h | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h index 31ce14dc3..76325ff6d 100644 --- a/executor/common_linux.h +++ b/executor/common_linux.h @@ -5852,3 +5852,57 @@ static long syz_pidfd_open(volatile long pid, volatile long flags) } #endif + +#if SYZ_EXECUTOR || __NR_syz_kfuzztest_run + +#include <fcntl.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, + volatile long input_data_size) +{ + const char* test_name = (const char*)test_name_ptr; + if (!test_name) { + debug("syz_kfuzztest_run: test name was NULL\n"); + return -1; + } + if (!input_data || input_data_size == 0) { + debug("syz_kfuzztest_run: input data was NULL\n"); + return -1; + } + + char buf[256]; + int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); + if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { + debug("syz_kfuzztest_run: constructed path is too long or snprintf failed\n"); + return -1; + } + + int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); + if (fd < 0) { + debug("syz_kfuzztest_run: failed to open %s\n", buf); + return -1; + } + + ssize_t bytes_written = write(fd, (void*)input_data, (size_t)input_data_size); + if (bytes_written != input_data_size) { + debug("syz_kfuzztest_run: failed to write to %s, reason: %s\n", buf, strerror(errno)); + close(fd); + return -1; + } + + if (close(fd) != 0) { + debug("syz_kfuzztest_run: failed to close file\n"); + return -1; + } + + return 0; +} + +#endif |