[PATCH 19/21] fit: add fuzz test
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Jun 5 04:35:28 PDT 2025
We require FIT images on non-EFI systems to implement verified boot
chains. Unfortunately, FIT is a relatively complex format for that use
case, so a fuzz test exercising the parser is pretty much in order.
Co-developed-by: Abdelrahman Youssef <abdelrahmanyossef12 at gmail.com>
Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12 at gmail.com>
Co-developed-by: Steffen Trumtrar <s.trumtrar at pengutronix.de>
Signed-off-by: Steffen Trumtrar <s.trumtrar at pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
common/image-fit.c | 76 +++++++++++++++++++++++++++++++++++++++--
images/Makefile.sandbox | 1 +
2 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 0cc0425284c5..5006394eb7bb 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -23,6 +23,7 @@
#include <crypto/public_key.h>
#include <uncompress.h>
#include <image-fit.h>
+#include <fuzz.h>
#define FDT_MAX_DEPTH 32
#define FDT_MAX_PATH_LEN 200
@@ -825,6 +826,26 @@ static int fit_find_compatible_unit(struct fit_handle *handle,
return -ENOENT;
}
+static int fit_find_last_unit(struct fit_handle *handle,
+ const char **out_unit)
+{
+ struct device_node *conf_node = handle->configurations;
+ struct device_node *child;
+ const char *unit = NULL;
+
+ if (!conf_node)
+ return 0;
+
+ for_each_child_of_node(conf_node, child)
+ unit = child->name;
+
+ if (!unit)
+ return -ENOENT;
+
+ *out_unit = unit;
+ return 0;
+}
+
/**
* fit_open_configuration - open a FIT configuration
* @handle: The FIT image handle
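Review bot: fit_find_last_unit() returns 0 without writing `*out_unit` when `handle->configurations` is NULL, and its only caller, fuzz_fit() in the last hunk of this patch, declares `unit` uninitialized and passes it straight to fit_open_configuration() on that success return. Whether `configurations` can still be NULL after fit_do_open() succeeded is not visible here, but the contract is inconsistent either way: no child nodes yields -ENOENT while no node at all reports success with no output. Changing the first guard to `if (!conf_node) return -ENOENT;` closes that path, and a short comment above the function such as `/* Return the name of the last /configurations sub-node, -ENOENT if there is none */` pins the contract down for future callers.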
@@ -970,12 +991,16 @@ struct fit_handle *fit_open(const char *filename, bool verbose,
return handle;
}
-void fit_close(struct fit_handle *handle)
+static void __fit_close(struct fit_handle *handle)
{
if (handle->root)
of_delete_node(handle->root);
-
free(handle->fit_alloc);
+}
+
+void fit_close(struct fit_handle *handle)
+{
+ __fit_close(handle);
free(handle);
}
@@ -997,3 +1022,50 @@ static int bootm_fit_register(void)
return register_image_handler(&fit_handler);
}
late_initcall(bootm_fit_register);
+
+static int fuzz_fit(const u8 *data, size_t size)
+{
+ const char *unit, *imgname = "kernel";
+ struct fit_handle handle = {};
+ const void *outdata;
+ unsigned long outsize, addr;
+ int ret;
+ void *config;
+
+ handle.verbose = false;
+ handle.verify = BOOTM_VERIFY_AVAILABLE;
+
+ handle.size = size;
+ handle.fit = data;
+ handle.fit_alloc = NULL;
+
+ ret = fit_do_open(&handle);
+ if (ret)
+ goto out;
+
+ config = fit_open_configuration(&handle, NULL);
+ if (IS_ERR(config)) {
+ ret = fit_find_last_unit(&handle, &unit);
+ if (ret)
+ goto out;
+ config = fit_open_configuration(&handle, unit);
+ }
+ if (IS_ERR(config)) {
+ ret = PTR_ERR(config);
+ goto out;
+ }
+
+ ret = fit_open_image(&handle, config, imgname, &outdata, &outsize);
+ if (ret)
+ goto out;
+
+ fit_get_image_address(&handle, config, imgname, "load", &addr);
+ fit_get_image_address(&handle, config, imgname, "entry", &addr);
+
+ ret = fit_open_image(&handle, NULL, imgname, &outdata, &outsize);
+out:
+ __fit_close(&handle);
+
+ return 0;
+}
+fuzz_test("fit", fuzz_fit);
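Review bot: The result of the final fit_open_image() call in fuzz_fit() is stored in `ret` but never read, because the function unconditionally returns 0; either drop the assignment, `fit_open_image(&handle, NULL, imgname, &outdata, &outsize);`, or return `ret` if the harness is meant to surface it. The explicit `handle.verbose = false;` and `handle.fit_alloc = NULL;` are redundant with the `= {}` initializer and can go. A one-line comment above the function stating that the harness deliberately returns 0 regardless of parse outcome, since rejection of fuzzed input is the expected result and only crashes or sanitizer findings matter, would make that intent clear to the next reader. It would also help to note that `handle.verify = BOOTM_VERIFY_AVAILABLE` is chosen so the signature-verification path is exercised when keys are present, if that is the intent.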
diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index 87963e2f432f..b235a1195a7f 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sandbox
@@ -4,6 +4,7 @@ SYMLINK_TARGET_barebox = sandbox_main.elf
symlink-$(CONFIG_SANDBOX) += barebox
fuzzer-$(CONFIG_FILETYPE) += filetype
+fuzzer-$(CONFIG_FITIMAGE) += fit
fuzzer-$(CONFIG_OFTREE) += dtb
fuzzer-$(CONFIG_OFTREE) += fdt-compatible
fuzzer-$(CONFIG_PARTITION) += partitions
--
2.39.5