References: <20220607104015.2126118-1-poprdi@google.com>
From: Tamás Koczka
Date: Mon, 4 Jul 2022 14:52:53 +0200
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
To: Marcel Holtmann, "David S. Miller"
Cc: Aleksandr Nogikh, Johan Hedberg, Luiz Augusto von Dentz, Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth, netdev, LKML, Andy Nguyen, Dmitry Vyukov
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hello,

If you need any clarification about the patch or if you have questions or if the patch needs to be modified, please feel free to tell me.

Basically the patch should not have any effect on a kernel which is not compiled with CONFIG_KCOV, and we'd like to use the patch to make the coverage of the hci_rx_work background thread visible to Syzkaller, because the BT packet parsing / handling logic happens there, and this way Syzkaller will be able to more effectively mutate the packets used for fuzzing, hopefully reaching new code paths, maybe discovering and reporting new vulnerabilities before they reach the mainline.

Thank you,
Tamas

On Thu, Jun 23, 2022 at 11:18 AM Dmitry Vyukov wrote:
>
> On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh wrote:
> >
> > (Resending the reply I sent to the v1 of the patch. I sent it by
> > mistake with HTML content, so it did not reach lore.)
> >
> > I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> > for a day. The fuzzer was indeed able to find and report more coverage
> > of the BT subsystem than without the patch.
> >
> > Tested-by: Aleksandr Nogikh
> >
> >
> > On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka wrote:
> > >
> > > Hello Marcel,
> > >
> > > I hope this was the change you originally requested, and I did not
> > > misunderstand anything, but if you need any additional modification to
> > > the code or the commit, please feel free to let me know!
> > >
> > > Thank you,
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka wrote:
> > > >
> > > > Hello Marcel,
> > > >
> > > > I added some comments into the code about what the kcov_remote calls do and
> > > > why they were implemented, and I also added some reasoning to the commit
> > > > message.
> > > >
> > > > I did not mention it in the commit, but these functions only run if the kernel
> > > > is compiled with CONFIG_KCOV.
> > > >
> > > > Thank you again for reviewing the patch!
> > > >
> > > > --
> > > > Tamas
> > > >
> > > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka wrote:
> > > > >
> > > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > > queue, which is the main incoming Bluetooth packet queue.
> > > > >
> > > > > Coverage is associated with the thread which created the packet skb.
> > > > >
> > > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > > vulnerabilities.
> > > > >
> > > > > Signed-off-by: Tamas Koczka
> > > > > ---
> > > > > Changelog since v1:
> > > > > - add comment about why kcov_remote functions are called
> > > > >
> > > > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > > > >
> > > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > > > > > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c > > > > > index 45c2dd2e1590..0af43844c55a 100644 > > > > > --- a/net/bluetooth/hci_core.c > > > > > +++ b/net/bluetooth/hci_core.c > > > > > @@ -29,6 +29,7 @@ > > > > > #include > > > > > #include > > > > > #include > > > > > +#include > > > > > #include > > > > > #include > > > > > #include > > > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct= *work) > > > > > > > > > > BT_DBG("%s", hdev->name); > > > > > > > > > > - while ((skb =3D skb_dequeue(&hdev->rx_q))) { > > > > > + /* The kcov_remote functions used for collecting packet p= arsing > > > > > + * coverage information from this background thread and a= ssociate > > > > > + * the coverage with the syscall's thread which originall= y injected > > > > > + * the packet. This helps fuzzing the kernel. > > > > > + */ > > > > > + for (; (skb =3D skb_dequeue(&hdev->rx_q)); kcov_remote_st= op()) { > > > > > + kcov_remote_start_common(skb_get_kcov_handle(skb)= ); > > > > > + > > > > > /* Send copy to monitor */ > > > > > hci_send_to_monitor(hdev, skb); > > Looks good to me. > Anything else needed to merge this patch? > > Reviewed-by: Dmitry Vyukov
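Review bot: in the hci_rx_work() hunk, the new comment should state why the `while` loop became a `for` loop with `kcov_remote_stop()` in the increment clause: that clause executes at the end of every iteration no matter how the body leaves it, so each `kcov_remote_start_common()` is always paired with a stop. Without that sentence a later cleanup could move the stop to the bottom of the body and silently lose it on any path that leaves the body early. Minor wording: "The kcov_remote functions used for collecting packet parsing coverage information ..." lacks a verb; "The kcov_remote functions collect packet parsing coverage from this background thread and associate it with the syscall's thread which originally injected the packet" reads cleanly.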
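The user-space half of what the patch enables, as an added example that is not code from the patch, syzkaller or the kernel tree: a thread enables KCOV remote collection with a common handle, so that skbs it injects (for instance through /dev/vhci, assumed to be set up separately) are later matched by the patch's kcov_remote_start_common() in hci_rx_work() and their coverage lands in this thread's buffer. The ioctl numbers and handle layout follow Documentation/dev-tools/kcov.rst; BT_COMMON_ID is a constructed value.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* ioctls and handle layout as in Documentation/dev-tools/kcov.rst */
#define KCOV_INIT_TRACE       _IOR('c', 1, unsigned long)
#define KCOV_DISABLE          _IO('c', 101)
#define KCOV_REMOTE_ENABLE    _IOW('c', 102, struct kcov_remote_arg)
#define KCOV_TRACE_PC         0
#define COVER_SIZE            (64 << 10)      /* entries, not bytes */
#define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
#define KCOV_SUBSYSTEM_MASK   (0xffull << 56)
#define KCOV_INSTANCE_MASK    (0xffffffffull)
#define BT_COMMON_ID          0x42            /* constructed per-thread id */

struct kcov_remote_arg {            /* trailing handles[] omitted: unused */
	uint32_t trace_mode, area_size, num_handles;
	uint64_t common_handle;
};

/* Same encoding as the kernel helper; 0 means "invalid handle". */
uint64_t kcov_remote_handle(uint64_t subsys, uint64_t inst)
{
	if ((subsys & ~KCOV_SUBSYSTEM_MASK) || (inst & ~KCOV_INSTANCE_MASK))
		return 0;
	return subsys | inst;
}

int main(void)
{
	int fd = open("/dev/kcov", O_RDWR);
	if (fd < 0 || ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE)) return perror("kcov"), 1;
	unsigned long *cover = mmap(NULL, COVER_SIZE * sizeof(*cover),
				    PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (cover == MAP_FAILED) return perror("mmap"), 1;
	/* Common handle only: hci_rx_work() is reached via the patch's
	 * kcov_remote_start_common(), not through a subsystem handle. */
	struct kcov_remote_arg arg = { KCOV_TRACE_PC, COVER_SIZE, 0,
		kcov_remote_handle(KCOV_SUBSYSTEM_COMMON, BT_COMMON_ID) };
	if (ioctl(fd, KCOV_REMOTE_ENABLE, &arg)) return perror("KCOV_REMOTE_ENABLE"), 1;
	/* Every skb this thread allocates now carries our handle; when
	 * hci_rx_work() dequeues it, its PCs land in `cover`. Inject the
	 * packet here, e.g. write an HCI event to an opened /dev/vhci. */
	sleep(1);
	printf("%lu PCs collected\n", __atomic_load_n(&cover[0], __ATOMIC_RELAXED));
	return ioctl(fd, KCOV_DISABLE, 0);
}
```

Without CONFIG_KCOV the open of /dev/kcov fails and the program exits, mirroring the commit's note that the annotations are inert on such kernels.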