References: <20220607104015.2126118-1-poprdi@google.com>
From: Tamás Koczka
Date: Mon, 4 Jul 2022 14:52:53 +0200
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
To: Marcel Holtmann, "David S. Miller"
Cc: Aleksandr Nogikh, Johan Hedberg, Luiz Augusto von Dentz, Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth, netdev, LKML, Andy Nguyen, Dmitry Vyukov
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

If you need any clarification about the patch or if you have questions or if the patch needs to be modified, please feel free to tell me.

Basically the patch should not have any effect on a kernel which is not compiled with CONFIG_KCOV, and we'd like to use the patch to make the coverage of the hci_rx_work background thread visible to Syzkaller, because the BT packet parsing / handling logic happens there and this way Syzkaller will be able to more effectively mutate the packets used for fuzzing, hopefully reaching new code paths, maybe discovering and reporting new vulnerabilities before they reach the mainline.

Thank you,
Tamas

On Thu, Jun 23, 2022 at 11:18 AM Dmitry Vyukov wrote:
>
> On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh wrote:
> >
> > (Resending the reply I sent to the v1 of the patch. I sent it by
> > mistake with HTML content, so it did not reach lore.)
> >
> > I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> > for a day. The fuzzer was indeed able to find and report more coverage
> > of the BT subsystem than without the patch.
> >
> > Tested-by: Aleksandr Nogikh
> >
> >
> > On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka wrote:
> > >
> > > Hello Marcel,
> > >
> > > I hope this was the change you originally requested, and I did not
> > > misunderstand anything, but if you need any additional modification to
> > > the code or the commit, please feel free to let me know!
> > >
> > > Thank you,
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka wrote:
> > > >
> > > > Hello Marcel,
> > > >
> > > > I added some comments into the code about what the kcov_remote calls do and
> > > > why they were implemented and I also added some reasoning to the commit
> > > > message.
> > > >
> > > > I did not mention in the commit but these functions only run if the kernel
> > > > is compiled with CONFIG_KCOV.
> > > >
> > > > Thank you again for reviewing the patch!
> > > >
> > > > --
> > > > Tamas
> > > >
> > > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka wrote:
> > > > >
> > > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > > queue which is the main incoming Bluetooth packet queue.
> > > > >
> > > > > Coverage is associated with the thread which created the packet skb.
> > > > >
> > > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > > vulnerabilities.
> > > > >
> > > > > Signed-off-by: Tamas Koczka
> > > > > ---
> > > > > Changelog since v1:
> > > > > - add comment about why kcov_remote functions are called
> > > > >
> > > > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > > > >
> > > > >  net/bluetooth/hci_core.c | 10 +++++++++-
> > > > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > > --- a/net/bluetooth/hci_core.c
> > > > > +++ b/net/bluetooth/hci_core.c
> > > > > @@ -29,6 +29,7 @@
> > > > >  #include
> > > > >  #include
> > > > >  #include
> > > > > +#include
> > > > >  #include
> > > > >  #include
> > > > >  #include
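Review bot: the header names in this hunk, including the one added by the `+#include` line, are stripped in this rendering of the mail, so the alphabetical placement of the new include cannot be checked from what is visible; the earlier reply in this thread already states that the kcov_remote calls only run when the kernel is built with CONFIG_KCOV, so the include needs no #ifdef guard around it.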
> > > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > > >
> > > > >         BT_DBG("%s", hdev->name);
> > > > >
> > > > > -       while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > > +       /* The kcov_remote functions used for collecting packet parsing
> > > > > +        * coverage information from this background thread and associate
> > > > > +        * the coverage with the syscall's thread which originally injected
> > > > > +        * the packet. This helps fuzzing the kernel.
> > > > > +        */
> > > > > +       for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > > +               kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > > +
> > > > >                 /* Send copy to monitor */
> > > > >                 hci_send_to_monitor(hdev, skb);
>
> Looks good to me.
> Anything else needed to merge this patch?
>
> Reviewed-by: Dmitry Vyukov
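Review bot: in the hci_rx_work() hunk, the added comment is missing a verb ("The kcov_remote functions used for collecting ... and associate ...") and does not explain the one non-obvious choice in the change, namely why kcov_remote_stop() sits in the increment clause of the `for` rather than at the end of the loop body. Suggest rewording the comment to something like "The kcov_remote functions collect packet parsing coverage from this background thread and associate it with the syscall thread that originally injected the packet; kcov_remote_stop() is in the loop increment so that every path through the body, including a continue, closes the coverage section." That makes the intent of replacing the `while` with a `for` clear to the next reader without having to reconstruct it from the loop shape.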