From 6c7b65699dcfc2e93d2e7917f6b0e7bab99f2a26 Mon Sep 17 00:00:00 2001
From: Ethan Graham
Date: Mon, 15 Sep 2025 13:05:17 +0000
Subject: prog: add specialized mutation for KFuzzTest calls

Internal kernel functions (and as a result KFuzzTest) have stricter contracts than system calls. For this reason, we must avoid mutating the following cases:
- Length arguments not matching the length of the related buffer.
- Strings not being null-terminated.

Add special cases for KFuzzTest calls that avoids these situations.

Signed-off-by: Ethan Graham
---
 prog/rand.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'prog/rand.go')

diff --git a/prog/rand.go b/prog/rand.go
index 957cf7112..b06cc1a90 100644
--- a/prog/rand.go
+++ b/prog/rand.go
@@ -28,6 +28,7 @@ type randGen struct {
 target *Target
 inGenerateResource bool
 patchConditionalDepth int
+ genKFuzzTest bool
 recDepth map[string]int
 }
@@ -354,7 +355,9 @@ func (r *randGen) randString(s *state, t *BufferType) []byte {
 buf.Write([]byte{byte(r.Intn(256))})
 }
 }
- if r.oneOf(100) == t.NoZ {
+ // We always null-terminate strings that are inputs to KFuzzTest calls to
+ // avoid false-positive buffer overflow reports.
+ if r.oneOf(100) == t.NoZ || r.genKFuzzTest {
 buf.Write([]byte{0})
 }
 return buf.Bytes()
@@ -609,6 +612,16 @@ func (r *randGen) generateParticularCall(s *state, meta *Syscall) (calls []*Call
 panic(fmt.Sprintf("generating no_generate call: %v", meta.Name))
 }
 c := MakeCall(meta, nil)
+ // KFuzzTest calls restrict mutation and generation. Since calls to
+ // generateParticularCall can be recursive, we save the previous value, and
+ // set it true.
+ if c.Meta.Attrs.KFuzzTest {
+ tmp := r.genKFuzzTest
+ r.genKFuzzTest = true
+ defer func() {
+ r.genKFuzzTest = tmp
+ }()
+ }
 c.Args, calls = r.generateArgs(s, meta.Args, DirIn)
 moreCalls, _ := r.patchConditionalFields(c, s)
 r.target.assignSizesCall(c)
-- 
cgit mrf-deployment
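Review bot: The new `genKFuzzTest` field in the `randGen` struct carries no comment, and its meaning — a flag that is true only for the dynamic extent of generating a KFuzzTest call's arguments (set and restored by `defer` in generateParticularCall) and consulted by randString — is not recoverable from the name alone. Suggest `genKFuzzTest bool // true while generating args of a KFuzzTest call; forces NUL-terminated strings in randString`. The struct declaration starts outside the hunk.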
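Review bot: The `|| r.genKFuzzTest` guard only terminates strings produced by the byte-by-byte loop that ends at `return buf.Bytes()`; if randString has earlier return paths above this hunk (for instance returning one of `t.Values` or a string reused from the generator state), those bypass the check and can still hand a KFuzzTest call a buffer without a trailing NUL, which is exactly the false-positive overflow the comment says it prevents. randString's body starts outside the hunk, so that is an inference to confirm against the full function. If it holds, the normalization belongs at every return (append a 0 when `r.genKFuzzTest` is set and the last byte is not already 0) rather than only on this branch, and the comment could then state the invariant at the function head: `// KFuzzTest inputs are always NUL-terminated; see genKFuzzTest.`.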
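Review bot: `if c.Meta.Attrs.KFuzzTest {` reads the attribute back through the call just built from `meta`; `if meta.Attrs.KFuzzTest {` says the same thing directly and matches the other `meta` uses in this function. The save/restore through `defer` scopes the flag correctly, including the recursive case the comment describes, but it is only armed inside generateParticularCall, so any mutation path that reaches randString without passing through here (not visible in this view, which is limited to prog/rand.go) would still drop the terminator — worth confirming since the subject line describes this as a mutation change, and the description's length-argument case is not addressed in this file either. The comment's `set it true` reads better as `set it to true`. generateParticularCall's body continues past the end of the hunk.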