From 0ac7291ca51f87df8022da0f66178546e855701a Mon Sep 17 00:00:00 2001 From: Ethan Graham Date: Thu, 18 Sep 2025 14:13:45 +0000 Subject: prog: fix syz_kfuzztest_run allocation strategy Previously, the generated KFuzzTest programs were reusing the address of the top-level input struct. A problem could arise when the encoded blob is large and overflows into another allocated region - this certainly happens in the case where the input struct points to some large char buffer, for example. While this wasn't directly a problem, it could lead to racy behavior when running KFuzzTest targets concurrently. To fix this, we now introduce an additional buffer parameter into syz_kfuzztest_run that is as big as the maximum accepted input size in the KFuzzTest kernel code. When this buffer is allocated, we ensure that we have some allocated space in the program that can hold the entire encoded input. This works in practice, but has not been tested with concurrent KFuzzTest executions yet. --- pkg/kfuzztest/testdata/2/desc.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'pkg/kfuzztest/testdata/2') diff --git a/pkg/kfuzztest/testdata/2/desc.txt b/pkg/kfuzztest/testdata/2/desc.txt index 2705252dd..55ee03f8f 100644 --- a/pkg/kfuzztest/testdata/2/desc.txt +++ b/pkg/kfuzztest/testdata/2/desc.txt @@ -12,4 +12,4 @@ foo { numbers ptr[in, array[int64]] } -syz_kfuzztest_run$some_target(name ptr[in, string["some_target"]], data ptr[in, foo], len bytesize[data]) (kfuzz_test) +syz_kfuzztest_run$some_target(name ptr[in, string["some_target"]], data ptr[in, foo], len bytesize[data], buf ptr[in, array[int8, 65536]]) (kfuzz_test) -- cgit mrf-deployment