From be2618fc12b6e22193c0044c01e5156a491c7552 Mon Sep 17 00:00:00 2001
From: Tomasz Leman <tomasz.m.leman@intel.com>
Date: Fri, 29 May 2026 16:12:08 +0200
Subject: [PATCH 1/2] fuzz: Enable heap protection option

IPC fuzzer is built with Zephyr sys_heap. Because we have a custom
allocator, the compiler sanitizers alone are not able to detect all
errors related to memory allocation. Enabling heap hardening aims to
increase the number of potentially detectable errors in fuzz builds.

CONFIG_SYS_HEAP_HARDENING_EXTREME: adds per-chunk canary trailers
(catching buffer overflows that spill even a single byte into the next
chunk), double-free detection, free-list pointer validation, and
a full heap structure walk after every alloc/free operation. This last
check catches external corruption (e.g. a wild write from an unrelated
component damaging heap metadata) before the allocator acts on it,
rather than letting the damage propagate silently to the next allocation
that happens to touch the corrupted region. The measured cost is ~7%
throughput (288k -> 280k execs/30s), negligible given the class of bugs
it surfaces.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
---
 app/boards/native_sim_libfuzzer.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/boards/native_sim_libfuzzer.conf b/app/boards/native_sim_libfuzzer.conf
index ece1e35845c9..8f03377b0ed2 100644
--- a/app/boards/native_sim_libfuzzer.conf
+++ b/app/boards/native_sim_libfuzzer.conf
@@ -5,6 +5,7 @@ CONFIG_ASSERT=y
 CONFIG_EXCEPTION_DEBUG=y
 CONFIG_ARCH_POSIX_TRAP_ON_FATAL=y
 CONFIG_SYS_HEAP_BIG_ONLY=y
+CONFIG_SYS_HEAP_HARDENING_EXTREME=y
 CONFIG_ZEPHYR_NATIVE_DRIVERS=y
 CONFIG_ARCH_POSIX_LIBFUZZER=y
 CONFIG_ZEPHYR_POSIX_FUZZ_TICKS=100

From 55bf4d8871b4652a22766cdb3a04305ada2ee736 Mon Sep 17 00:00:00 2001
From: Tomasz Leman <tomasz.m.leman@intel.com>
Date: Mon, 1 Jun 2026 15:42:12 +0200
Subject: [PATCH 2/2] fuzz: Enable stack sentinel for fuzz builds

Enable Zephyr stack sentinel checks for the native libFuzzer build.
This complements the heap hardening option by catching Zephyr thread
stack overflows closer to the corrupting input.

CONFIG_STACK_SENTINEL: stores a magic value at the lowest addresses of
each thread stack and checks it on context switch, interrupt return,
k_yield(), and thread exit. When the sentinel is corrupted the system
traps immediately, giving the fuzzer a clear crash signal instead of
allowing silent corruption that manifests later in an unrelated path.
This is particularly useful in UBSan-only fuzz runs where ASan stack
redzones are not available.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
---
 app/boards/native_sim_libfuzzer.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/boards/native_sim_libfuzzer.conf b/app/boards/native_sim_libfuzzer.conf
index 8f03377b0ed2..ba17224424cf 100644
--- a/app/boards/native_sim_libfuzzer.conf
+++ b/app/boards/native_sim_libfuzzer.conf
@@ -6,6 +6,7 @@ CONFIG_EXCEPTION_DEBUG=y
 CONFIG_ARCH_POSIX_TRAP_ON_FATAL=y
 CONFIG_SYS_HEAP_BIG_ONLY=y
 CONFIG_SYS_HEAP_HARDENING_EXTREME=y
+CONFIG_STACK_SENTINEL=y
 CONFIG_ZEPHYR_NATIVE_DRIVERS=y
 CONFIG_ARCH_POSIX_LIBFUZZER=y
 CONFIG_ZEPHYR_POSIX_FUZZ_TICKS=100