Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
calls, so remote KCOV coverage is collected while processing the rx_q
queue which is the main incoming Bluetooth packet queue.
Coverage is associated with the thread which created the packet skb.
The collected extra coverage helps kernel fuzzing efforts in finding
vulnerabilities.
Signed-off-by: Tamas Koczka <[email protected]>
---
Changelog since v1:
- add comment about why kcov_remote functions are called
v1: https://lore.kernel.org/all/[email protected]/
net/bluetooth/hci_core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 45c2dd2e1590..0af43844c55a 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,6 +29,7 @@
#include <linux/rfkill.h>
#include <linux/debugfs.h>
#include <linux/crypto.h>
+#include <linux/kcov.h>
#include <linux/property.h>
#include <linux/suspend.h>
#include <linux/wait.h>
@@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
BT_DBG("%s", hdev->name);
- while ((skb = skb_dequeue(&hdev->rx_q))) {
+ /* The kcov_remote functions used for collecting packet parsing
+ * coverage information from this background thread and associate
+ * the coverage with the syscall's thread which originally injected
+ * the packet. This helps fuzzing the kernel.
+ */
+ for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
+ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
/* Send copy to monitor */
hci_send_to_monitor(hdev, skb);
--
2.36.1.255.ge46751e96f-goog
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=647954
---Test result---
Test Summary:
CheckPatch PASS 1.24 seconds
GitLint PASS 0.84 seconds
SubjectPrefix PASS 0.62 seconds
BuildKernel PASS 30.66 seconds
BuildKernel32 PASS 27.33 seconds
Incremental Build with patchesPASS 37.37 seconds
TestRunner: Setup PASS 467.41 seconds
TestRunner: l2cap-tester PASS 17.70 seconds
TestRunner: bnep-tester PASS 5.98 seconds
TestRunner: mgmt-tester PASS 100.14 seconds
TestRunner: rfcomm-tester PASS 9.56 seconds
TestRunner: sco-tester PASS 9.27 seconds
TestRunner: smp-tester PASS 9.32 seconds
TestRunner: userchan-tester PASS 6.25 seconds
---
Regards,
Linux Bluetooth
Hello Marcel,
I added some comments into the code about what the kcov_remote calls do and
why they were implemented and I also added some reasoning to the commit
message.
I did not mention in the commit but these functions only run if the kernel
is compiled with CONFIG_KCOV.
Thank you again for reviewing the patch!
--
Tamas
On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <[email protected]> wrote:
>
> Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> calls, so remote KCOV coverage is collected while processing the rx_q
> queue which is the main incoming Bluetooth packet queue.
>
> Coverage is associated with the thread which created the packet skb.
>
> The collected extra coverage helps kernel fuzzing efforts in finding
> vulnerabilities.
>
> Signed-off-by: Tamas Koczka <[email protected]>
> ---
> Changelog since v1:
> - add comment about why kcov_remote functions are called
>
> v1: https://lore.kernel.org/all/[email protected]/
>
> net/bluetooth/hci_core.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 45c2dd2e1590..0af43844c55a 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -29,6 +29,7 @@
> #include <linux/rfkill.h>
> #include <linux/debugfs.h>
> #include <linux/crypto.h>
> +#include <linux/kcov.h>
> #include <linux/property.h>
> #include <linux/suspend.h>
> #include <linux/wait.h>
> @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
>
> BT_DBG("%s", hdev->name);
>
> - while ((skb = skb_dequeue(&hdev->rx_q))) {
> + /* The kcov_remote functions used for collecting packet parsing
> + * coverage information from this background thread and associate
> + * the coverage with the syscall's thread which originally injected
> + * the packet. This helps fuzzing the kernel.
> + */
> + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> + kcov_remote_start_common(skb_get_kcov_handle(skb));
> +
> /* Send copy to monitor */
> hci_send_to_monitor(hdev, skb);
>
> --
> 2.36.1.255.ge46751e96f-goog
>
Hello Marcel,
I hope this was the change you originally requested, and I did not
misunderstand anything, but if you need any additional modification to
the code or the commit, please feel free to let me know!
Thank you,
Tamas
On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <[email protected]> wrote:
>
> Hello Marcel,
>
> I added some comments into the code about what the kcov_remote calls do and
> why they were implemented and I also added some reasoning to the commit
> message.
>
> I did not mention in the commit but these functions only run if the kernel
> is compiled with CONFIG_KCOV.
>
> Thank you again for reviewing the patch!
>
> --
> Tamas
>
> On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <[email protected]> wrote:
> >
> > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > calls, so remote KCOV coverage is collected while processing the rx_q
> > queue which is the main incoming Bluetooth packet queue.
> >
> > Coverage is associated with the thread which created the packet skb.
> >
> > The collected extra coverage helps kernel fuzzing efforts in finding
> > vulnerabilities.
> >
> > Signed-off-by: Tamas Koczka <[email protected]>
> > ---
> > Changelog since v1:
> > - add comment about why kcov_remote functions are called
> >
> > v1: https://lore.kernel.org/all/[email protected]/
> >
> > net/bluetooth/hci_core.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index 45c2dd2e1590..0af43844c55a 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -29,6 +29,7 @@
> > #include <linux/rfkill.h>
> > #include <linux/debugfs.h>
> > #include <linux/crypto.h>
> > +#include <linux/kcov.h>
> > #include <linux/property.h>
> > #include <linux/suspend.h>
> > #include <linux/wait.h>
> > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> >
> > BT_DBG("%s", hdev->name);
> >
> > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > + /* The kcov_remote functions used for collecting packet parsing
> > + * coverage information from this background thread and associate
> > + * the coverage with the syscall's thread which originally injected
> > + * the packet. This helps fuzzing the kernel.
> > + */
> > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > +
> > /* Send copy to monitor */
> > hci_send_to_monitor(hdev, skb);
> >
> > --
> > 2.36.1.255.ge46751e96f-goog
> >
(Resending the reply I sent to the v1 of the patch. I sent it by
mistake with HTML content, so it did not reach lore.)
I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
for a day. The fuzzer was indeed able to find and report more coverage
of the BT subsystem than without the patch.
Tested-by: Aleksandr Nogikh <[email protected]>
On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <[email protected]> wrote:
>
> Hello Marcel,
>
> I hope this was the change you originally requested, and I did not
> misunderstand anything, but if you need any additional modification to
> the code or the commit, please feel free to let me know!
>
> Thank you,
> Tamas
>
> On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <[email protected]> wrote:
> >
> > Hello Marcel,
> >
> > I added some comments into the code about what the kcov_remote calls do and
> > why they were implemented and I also added some reasoning to the commit
> > message.
> >
> > I did not mention in the commit but these functions only run if the kernel
> > is compiled with CONFIG_KCOV.
> >
> > Thank you again for reviewing the patch!
> >
> > --
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <[email protected]> wrote:
> > >
> > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > queue which is the main incoming Bluetooth packet queue.
> > >
> > > Coverage is associated with the thread which created the packet skb.
> > >
> > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > vulnerabilities.
> > >
> > > Signed-off-by: Tamas Koczka <[email protected]>
> > > ---
> > > Changelog since v1:
> > > - add comment about why kcov_remote functions are called
> > >
> > > v1: https://lore.kernel.org/all/[email protected]/
> > >
> > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > index 45c2dd2e1590..0af43844c55a 100644
> > > --- a/net/bluetooth/hci_core.c
> > > +++ b/net/bluetooth/hci_core.c
> > > @@ -29,6 +29,7 @@
> > > #include <linux/rfkill.h>
> > > #include <linux/debugfs.h>
> > > #include <linux/crypto.h>
> > > +#include <linux/kcov.h>
> > > #include <linux/property.h>
> > > #include <linux/suspend.h>
> > > #include <linux/wait.h>
> > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > >
> > > BT_DBG("%s", hdev->name);
> > >
> > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > + /* The kcov_remote functions used for collecting packet parsing
> > > + * coverage information from this background thread and associate
> > > + * the coverage with the syscall's thread which originally injected
> > > + * the packet. This helps fuzzing the kernel.
> > > + */
> > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > +
> > > /* Send copy to monitor */
> > > hci_send_to_monitor(hdev, skb);
> > >
> > > --
> > > 2.36.1.255.ge46751e96f-goog
> > >
On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh <[email protected]> wrote:
>
> (Resending the reply I sent to the v1 of the patch. I sent it by
> mistake with HTML content, so it did not reach lore.)
>
> I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> for a day. The fuzzer was indeed able to find and report more coverage
> of the BT subsystem than without the patch.
>
> Tested-by: Aleksandr Nogikh <[email protected]>
>
>
> On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <[email protected]> wrote:
> >
> > Hello Marcel,
> >
> > I hope this was the change you originally requested, and I did not
> > misunderstand anything, but if you need any additional modification to
> > the code or the commit, please feel free to let me know!
> >
> > Thank you,
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <[email protected]> wrote:
> > >
> > > Hello Marcel,
> > >
> > > I added some comments into the code about what the kcov_remote calls do and
> > > why they were implemented and I also added some reasoning to the commit
> > > message.
> > >
> > > I did not mention in the commit but these functions only run if the kernel
> > > is compiled with CONFIG_KCOV.
> > >
> > > Thank you again for reviewing the patch!
> > >
> > > --
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <[email protected]> wrote:
> > > >
> > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > queue which is the main incoming Bluetooth packet queue.
> > > >
> > > > Coverage is associated with the thread which created the packet skb.
> > > >
> > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > vulnerabilities.
> > > >
> > > > Signed-off-by: Tamas Koczka <[email protected]>
> > > > ---
> > > > Changelog since v1:
> > > > - add comment about why kcov_remote functions are called
> > > >
> > > > v1: https://lore.kernel.org/all/[email protected]/
> > > >
> > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > --- a/net/bluetooth/hci_core.c
> > > > +++ b/net/bluetooth/hci_core.c
> > > > @@ -29,6 +29,7 @@
> > > > #include <linux/rfkill.h>
> > > > #include <linux/debugfs.h>
> > > > #include <linux/crypto.h>
> > > > +#include <linux/kcov.h>
> > > > #include <linux/property.h>
> > > > #include <linux/suspend.h>
> > > > #include <linux/wait.h>
> > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > >
> > > > BT_DBG("%s", hdev->name);
> > > >
> > > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > + /* The kcov_remote functions used for collecting packet parsing
> > > > + * coverage information from this background thread and associate
> > > > + * the coverage with the syscall's thread which originally injected
> > > > + * the packet. This helps fuzzing the kernel.
> > > > + */
> > > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > +
> > > > /* Send copy to monitor */
> > > > hci_send_to_monitor(hdev, skb);
Looks good to me.
Anything else needed to merge this patch?
Reviewed-by: Dmitry Vyukov <[email protected]>
Hello,
If you need any clarification about the patch or if you have questions
or if the patch needs to be modified, please feel free to tell me.
Basically the patch should not have any effect on a kernel which is
not compiled with CONFIG_KCOV and we'd like to use the patch to make
the coverage of the hci_rx_work background thread visible to
Syzkaller, because the BT packet parsing / handling logic happens
there and this way Syzkaller will be able to more effectively mutate
the packets used for fuzzing, hopefully reaching new code paths, maybe
discovering and reporting new vulnerabilities before they reach the
mainline.
Thank you,
Tamas
On Thu, Jun 23, 2022 at 11:18 AM Dmitry Vyukov <[email protected]> wrote:
>
> On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh <[email protected]> wrote:
> >
> > (Resending the reply I sent to the v1 of the patch. I sent it by
> > mistake with HTML content, so it did not reach lore.)
> >
> > I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> > for a day. The fuzzer was indeed able to find and report more coverage
> > of the BT subsystem than without the patch.
> >
> > Tested-by: Aleksandr Nogikh <[email protected]>
> >
> >
> > On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <[email protected]> wrote:
> > >
> > > Hello Marcel,
> > >
> > > I hope this was the change you originally requested, and I did not
> > > misunderstand anything, but if you need any additional modification to
> > > the code or the commit, please feel free to let me know!
> > >
> > > Thank you,
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <[email protected]> wrote:
> > > >
> > > > Hello Marcel,
> > > >
> > > > I added some comments into the code about what the kcov_remote calls do and
> > > > why they were implemented and I also added some reasoning to the commit
> > > > message.
> > > >
> > > > I did not mention in the commit but these functions only run if the kernel
> > > > is compiled with CONFIG_KCOV.
> > > >
> > > > Thank you again for reviewing the patch!
> > > >
> > > > --
> > > > Tamas
> > > >
> > > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <[email protected]> wrote:
> > > > >
> > > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > > queue which is the main incoming Bluetooth packet queue.
> > > > >
> > > > > Coverage is associated with the thread which created the packet skb.
> > > > >
> > > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > > vulnerabilities.
> > > > >
> > > > > Signed-off-by: Tamas Koczka <[email protected]>
> > > > > ---
> > > > > Changelog since v1:
> > > > > - add comment about why kcov_remote functions are called
> > > > >
> > > > > v1: https://lore.kernel.org/all/[email protected]/
> > > > >
> > > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > > --- a/net/bluetooth/hci_core.c
> > > > > +++ b/net/bluetooth/hci_core.c
> > > > > @@ -29,6 +29,7 @@
> > > > > #include <linux/rfkill.h>
> > > > > #include <linux/debugfs.h>
> > > > > #include <linux/crypto.h>
> > > > > +#include <linux/kcov.h>
> > > > > #include <linux/property.h>
> > > > > #include <linux/suspend.h>
> > > > > #include <linux/wait.h>
> > > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > > >
> > > > > BT_DBG("%s", hdev->name);
> > > > >
> > > > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > > + /* The kcov_remote functions used for collecting packet parsing
> > > > > + * coverage information from this background thread and associate
> > > > > + * the coverage with the syscall's thread which originally injected
> > > > > + * the packet. This helps fuzzing the kernel.
> > > > > + */
> > > > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > > +
> > > > > /* Send copy to monitor */
> > > > > hci_send_to_monitor(hdev, skb);
>
> Looks good to me.
> Anything else needed to merge this patch?
>
> Reviewed-by: Dmitry Vyukov <[email protected]>