References: <20200528065603.3596-1-penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <20200528065603.3596-1-penguin-kernel@I-love.SAKURA.ne.jp>
From: Geert Uytterhoeven
Date: Mon, 8 Jun 2020 18:39:53 +0200
Subject: Re: [PATCH v2] twist: allow converting pr_devel()/pr_debug() into snprintf()
To: Tetsuo Handa
Cc: Andrew Morton, Linux Kernel Mailing List, Dmitry Vyukov, Ondrej Mosnacek, Petr Mladek, Sergey Senozhatsky, Steven Rostedt
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Tetsuo,

On Thu, May 28, 2020 at 8:57 AM Tetsuo Handa wrote:
> syzbot found a NULL pointer dereference bug inside mptcp_recvmsg() due to
> ssock == NULL, but this bug manifested inside selinux_socket_recvmsg()
> because pr_debug() was no-op [1].
>
>         pr_debug("fallback-read subflow=%p",
>                  mptcp_subflow_ctx(ssock->sk));
>         copied = sock_recvmsg(ssock, msg, flags);
>
> Thus, let's allow fuzzers to always evaluate pr_devel()/pr_debug()
> messages, by redirecting no-op pr_devel()/pr_debug() calls to snprintf().
>
> [1] https://syzkaller.appspot.com/bug?id=12be9aa373be9d8727cdd172f190de39528a413a
>
> Signed-off-by: Tetsuo Handa

Thanks for your patch!

> --- a/lib/Kconfig.twist
> +++ b/lib/Kconfig.twist
> @@ -12,10 +12,22 @@ if TWIST_KERNEL_BEHAVIOR > > config TWIST_FOR_SYZKALLER_TESTING > bool "Select all twist options suitable for syzkaller testing" > + select TWIST_ALWAYS_EVALUATE_PRINTK_ARGUMENTS > select TWIST_DISABLE_KBD_K_SPEC_HANDLER > help > Say N unless you are building kernels for syzkaller's testing. > > +config TWIST_ALWAYS_EVALUATE_PRINTK_ARGUMENTS > + bool "Always evaluate printk() arguments" > + help > + Currently, only format string of printk() arguments is checked > + by compiler if pr_devel()/pr_debug() are disabled. Therefore, > + fuzz testing cannot catch runtime bugs (e.g. NULL pointer > + dereference, use-after-free/out-of-bounds/uninitialized read) > + in disabled printk() calls. This option redirects disabled > + printk(...) to snprintf(NULL, 0, ...) in order to evaluate > + arguments without printing. > + > config TWIST_DISABLE_KBD_K_SPEC_HANDLER > bool "Disable k_spec() function in drivers/tty/vt/keyboard.c" > help Can't you just enable CONFIG_DYNAMIC_DEBUG in your fuzzer config instead? Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
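Review bot: the new TWIST_ALWAYS_EVALUATE_PRINTK_ARGUMENTS entry should state how it relates to CONFIG_DYNAMIC_DEBUG, and probably wants a `depends on !DYNAMIC_DEBUG`: with dynamic debug enabled, pr_debug() callsites are already compiled in and their arguments evaluated at runtime, so the snprintf(NULL, 0, ...) redirection only adds coverage when that option is off (pr_devel() is different, since it is only compiled in when DEBUG is defined, and the help text could spell out that distinction). The help text also speaks of "disabled printk() calls" in general while the subject scopes the change to pr_devel()/pr_debug(); name the macros the option actually touches. Minor wording: "only format string of printk() arguments is checked by compiler" reads better as "only the format string of a disabled pr_devel()/pr_debug() call is checked by the compiler".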
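As an added illustration (not code from this thread or from the twist patch), the user-space C program below models the no-op pr_debug() from the commit message next to the snprintf(NULL, 0, ...) redirection the patch proposes, showing why the first hides the argument expression from a fuzzer while the second runs it. struct socket, subflow_ctx() and the two counters are constructed stand-ins for the MPTCP code, not kernel definitions.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins: only the field this example touches. */
struct sock { int id; };
struct socket { struct sock *sk; };

/* How often the debug print's argument expression actually ran, and how
 * often it would have dereferenced a NULL ssock (recorded, not crashed). */
static int ctx_calls;
static int null_derefs;

/* Stand-in for mptcp_subflow_ctx(ssock->sk). */
static void *subflow_ctx(struct socket *ssock)
{
	ctx_calls++;
	if (!ssock) {
		null_derefs++;	/* the real code would fault here */
		return NULL;
	}
	return ssock->sk;
}

/* A disabled pr_debug(): the compiler still type-checks the format string
 * against the arguments, but `if (0)` means they never execute. */
#define pr_debug_noop(fmt, ...) \
	do { if (0) printf(fmt, ##__VA_ARGS__); } while (0)

/* The twist: route the disabled call to snprintf(NULL, 0, ...), which
 * evaluates every argument but writes nothing. */
#define pr_debug_eval(fmt, ...) \
	snprintf(NULL, 0, fmt, ##__VA_ARGS__)

/* Returns how many times the argument expression ran (0 means hidden). */
int run_noop(struct socket *ssock)
{
	ctx_calls = 0;
	null_derefs = 0;
	pr_debug_noop("fallback-read subflow=%p\n", subflow_ctx(ssock));
	return ctx_calls;
}

/* Returns 1 when the NULL ssock was reached, i.e. the latent bug surfaced. */
int run_eval(struct socket *ssock)
{
	ctx_calls = 0;
	null_derefs = 0;
	pr_debug_eval("fallback-read subflow=%p\n", subflow_ctx(ssock));
	return null_derefs;
}

int main(void)
{
	printf("no-op pr_debug ran its argument %d time(s)\n", run_noop(NULL));
	printf("snprintf-redirected pr_debug reached NULL ssock: %d\n", run_eval(NULL));
	return 0;
}
```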