* [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
@ 2022-06-07 10:40 Tamas Koczka
2022-06-07 11:44 ` Tamás Koczka
0 siblings, 1 reply; 8+ messages in thread
From: Tamas Koczka @ 2022-06-07 10:40 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth,
netdev, linux-kernel, theflow, nogikh, Tamas Koczka
Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
calls, so remote KCOV coverage is collected while processing the rx_q
queue which is the main incoming Bluetooth packet queue.
Coverage is associated with the thread which created the packet skb.
The collected extra coverage helps kernel fuzzing efforts in finding
vulnerabilities.
Signed-off-by: Tamas Koczka <poprdi@google.com>
---
Changelog since v1:
- add comment about why kcov_remote functions are called
v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
net/bluetooth/hci_core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 45c2dd2e1590..0af43844c55a 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,6 +29,7 @@
#include <linux/rfkill.h>
#include <linux/debugfs.h>
#include <linux/crypto.h>
+#include <linux/kcov.h>
#include <linux/property.h>
#include <linux/suspend.h>
#include <linux/wait.h>
@@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
BT_DBG("%s", hdev->name);
- while ((skb = skb_dequeue(&hdev->rx_q))) {
+ /* The kcov_remote functions used for collecting packet parsing
+ * coverage information from this background thread and associate
+ * the coverage with the syscall's thread which originally injected
+ * the packet. This helps fuzzing the kernel.
+ */
+ for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
+ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
/* Send copy to monitor */
hci_send_to_monitor(hdev, skb);
--
2.36.1.255.ge46751e96f-goog
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-06-07 10:40 [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work Tamas Koczka
@ 2022-06-07 11:44 ` Tamás Koczka
2022-06-14 13:34 ` Tamás Koczka
0 siblings, 1 reply; 8+ messages in thread
From: Tamás Koczka @ 2022-06-07 11:44 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth,
netdev, linux-kernel, Andy Nguyen, Aleksandr Nogikh
Hello Marcel,
I added some comments into the code about what the kcov_remote calls do and
why they were implemented and I also added some reasoning to the commit
message.
I did not mention in the commit but these functions only run if the kernel
is compiled with CONFIG_KCOV.
Thank you again for reviewing the patch!
--
Tamas
On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
>
> Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> calls, so remote KCOV coverage is collected while processing the rx_q
> queue which is the main incoming Bluetooth packet queue.
>
> Coverage is associated with the thread which created the packet skb.
>
> The collected extra coverage helps kernel fuzzing efforts in finding
> vulnerabilities.
>
> Signed-off-by: Tamas Koczka <poprdi@google.com>
> ---
> Changelog since v1:
> - add comment about why kcov_remote functions are called
>
> v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
>
> net/bluetooth/hci_core.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 45c2dd2e1590..0af43844c55a 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -29,6 +29,7 @@
> #include <linux/rfkill.h>
> #include <linux/debugfs.h>
> #include <linux/crypto.h>
> +#include <linux/kcov.h>
> #include <linux/property.h>
> #include <linux/suspend.h>
> #include <linux/wait.h>
> @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
>
> BT_DBG("%s", hdev->name);
>
> - while ((skb = skb_dequeue(&hdev->rx_q))) {
> + /* The kcov_remote functions used for collecting packet parsing
> + * coverage information from this background thread and associate
> + * the coverage with the syscall's thread which originally injected
> + * the packet. This helps fuzzing the kernel.
> + */
> + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> + kcov_remote_start_common(skb_get_kcov_handle(skb));
> +
> /* Send copy to monitor */
> hci_send_to_monitor(hdev, skb);
>
> --
> 2.36.1.255.ge46751e96f-goog
>
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-06-07 11:44 ` Tamás Koczka
@ 2022-06-14 13:34 ` Tamás Koczka
2022-06-22 10:20 ` Aleksandr Nogikh
0 siblings, 1 reply; 8+ messages in thread
From: Tamás Koczka @ 2022-06-14 13:34 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth,
netdev, linux-kernel, Andy Nguyen, Aleksandr Nogikh
Hello Marcel,
I hope this was the change you originally requested, and I did not
misunderstand anything, but if you need any additional modification to
the code or the commit, please feel free to let me know!
Thank you,
Tamas
On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@google.com> wrote:
>
> Hello Marcel,
>
> I added some comments into the code about what the kcov_remote calls do and
> why they were implemented and I also added some reasoning to the commit
> message.
>
> I did not mention in the commit but these functions only run if the kernel
> is compiled with CONFIG_KCOV.
>
> Thank you again for reviewing the patch!
>
> --
> Tamas
>
> On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
> >
> > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > calls, so remote KCOV coverage is collected while processing the rx_q
> > queue which is the main incoming Bluetooth packet queue.
> >
> > Coverage is associated with the thread which created the packet skb.
> >
> > The collected extra coverage helps kernel fuzzing efforts in finding
> > vulnerabilities.
> >
> > Signed-off-by: Tamas Koczka <poprdi@google.com>
> > ---
> > Changelog since v1:
> > - add comment about why kcov_remote functions are called
> >
> > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> >
> > net/bluetooth/hci_core.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > index 45c2dd2e1590..0af43844c55a 100644
> > --- a/net/bluetooth/hci_core.c
> > +++ b/net/bluetooth/hci_core.c
> > @@ -29,6 +29,7 @@
> > #include <linux/rfkill.h>
> > #include <linux/debugfs.h>
> > #include <linux/crypto.h>
> > +#include <linux/kcov.h>
> > #include <linux/property.h>
> > #include <linux/suspend.h>
> > #include <linux/wait.h>
> > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> >
> > BT_DBG("%s", hdev->name);
> >
> > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > + /* The kcov_remote functions used for collecting packet parsing
> > + * coverage information from this background thread and associate
> > + * the coverage with the syscall's thread which originally injected
> > + * the packet. This helps fuzzing the kernel.
> > + */
> > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > +
> > /* Send copy to monitor */
> > hci_send_to_monitor(hdev, skb);
> >
> > --
> > 2.36.1.255.ge46751e96f-goog
> >
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-06-14 13:34 ` Tamás Koczka
@ 2022-06-22 10:20 ` Aleksandr Nogikh
2022-06-23 9:18 ` Dmitry Vyukov
0 siblings, 1 reply; 8+ messages in thread
From: Aleksandr Nogikh @ 2022-06-22 10:20 UTC (permalink / raw)
To: Tamás Koczka, Dmitry Vyukov
Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-bluetooth, netdev, LKML, Andy Nguyen
(Resending the reply I sent to the v1 of the patch. I sent it by
mistake with HTML content, so it did not reach lore.)
I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
for a day. The fuzzer was indeed able to find and report more coverage
of the BT subsystem than without the patch.
Tested-by: Aleksandr Nogikh <nogikh@google.com>
On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <poprdi@google.com> wrote:
>
> Hello Marcel,
>
> I hope this was the change you originally requested, and I did not
> misunderstand anything, but if you need any additional modification to
> the code or the commit, please feel free to let me know!
>
> Thank you,
> Tamas
>
> On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@google.com> wrote:
> >
> > Hello Marcel,
> >
> > I added some comments into the code about what the kcov_remote calls do and
> > why they were implemented and I also added some reasoning to the commit
> > message.
> >
> > I did not mention in the commit but these functions only run if the kernel
> > is compiled with CONFIG_KCOV.
> >
> > Thank you again for reviewing the patch!
> >
> > --
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
> > >
> > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > queue which is the main incoming Bluetooth packet queue.
> > >
> > > Coverage is associated with the thread which created the packet skb.
> > >
> > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > vulnerabilities.
> > >
> > > Signed-off-by: Tamas Koczka <poprdi@google.com>
> > > ---
> > > Changelog since v1:
> > > - add comment about why kcov_remote functions are called
> > >
> > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > >
> > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > index 45c2dd2e1590..0af43844c55a 100644
> > > --- a/net/bluetooth/hci_core.c
> > > +++ b/net/bluetooth/hci_core.c
> > > @@ -29,6 +29,7 @@
> > > #include <linux/rfkill.h>
> > > #include <linux/debugfs.h>
> > > #include <linux/crypto.h>
> > > +#include <linux/kcov.h>
> > > #include <linux/property.h>
> > > #include <linux/suspend.h>
> > > #include <linux/wait.h>
> > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > >
> > > BT_DBG("%s", hdev->name);
> > >
> > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > + /* The kcov_remote functions used for collecting packet parsing
> > > + * coverage information from this background thread and associate
> > > + * the coverage with the syscall's thread which originally injected
> > > + * the packet. This helps fuzzing the kernel.
> > > + */
> > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > +
> > > /* Send copy to monitor */
> > > hci_send_to_monitor(hdev, skb);
> > >
> > > --
> > > 2.36.1.255.ge46751e96f-goog
> > >
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-06-22 10:20 ` Aleksandr Nogikh
@ 2022-06-23 9:18 ` Dmitry Vyukov
2022-07-04 12:52 ` Tamás Koczka
0 siblings, 1 reply; 8+ messages in thread
From: Dmitry Vyukov @ 2022-06-23 9:18 UTC (permalink / raw)
To: Aleksandr Nogikh
Cc: Tamás Koczka, Marcel Holtmann, Johan Hedberg,
Luiz Augusto von Dentz, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, linux-bluetooth, netdev, LKML,
Andy Nguyen
On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh <nogikh@google.com> wrote:
>
> (Resending the reply I sent to the v1 of the patch. I sent it by
> mistake with HTML content, so it did not reach lore.)
>
> I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> for a day. The fuzzer was indeed able to find and report more coverage
> of the BT subsystem than without the patch.
>
> Tested-by: Aleksandr Nogikh <nogikh@google.com>
>
>
> On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <poprdi@google.com> wrote:
> >
> > Hello Marcel,
> >
> > I hope this was the change you originally requested, and I did not
> > misunderstand anything, but if you need any additional modification to
> > the code or the commit, please feel free to let me know!
> >
> > Thank you,
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@google.com> wrote:
> > >
> > > Hello Marcel,
> > >
> > > I added some comments into the code about what the kcov_remote calls do and
> > > why they were implemented and I also added some reasoning to the commit
> > > message.
> > >
> > > I did not mention in the commit but these functions only run if the kernel
> > > is compiled with CONFIG_KCOV.
> > >
> > > Thank you again for reviewing the patch!
> > >
> > > --
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
> > > >
> > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > queue which is the main incoming Bluetooth packet queue.
> > > >
> > > > Coverage is associated with the thread which created the packet skb.
> > > >
> > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > vulnerabilities.
> > > >
> > > > Signed-off-by: Tamas Koczka <poprdi@google.com>
> > > > ---
> > > > Changelog since v1:
> > > > - add comment about why kcov_remote functions are called
> > > >
> > > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > > >
> > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > --- a/net/bluetooth/hci_core.c
> > > > +++ b/net/bluetooth/hci_core.c
> > > > @@ -29,6 +29,7 @@
> > > > #include <linux/rfkill.h>
> > > > #include <linux/debugfs.h>
> > > > #include <linux/crypto.h>
> > > > +#include <linux/kcov.h>
> > > > #include <linux/property.h>
> > > > #include <linux/suspend.h>
> > > > #include <linux/wait.h>
> > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > >
> > > > BT_DBG("%s", hdev->name);
> > > >
> > > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > + /* The kcov_remote functions used for collecting packet parsing
> > > > + * coverage information from this background thread and associate
> > > > + * the coverage with the syscall's thread which originally injected
> > > > + * the packet. This helps fuzzing the kernel.
> > > > + */
> > > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > +
> > > > /* Send copy to monitor */
> > > > hci_send_to_monitor(hdev, skb);
Looks good to me.
Anything else needed to merge this patch?
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-06-23 9:18 ` Dmitry Vyukov
@ 2022-07-04 12:52 ` Tamás Koczka
0 siblings, 0 replies; 8+ messages in thread
From: Tamás Koczka @ 2022-07-04 12:52 UTC (permalink / raw)
To: Marcel Holtmann, David S. Miller
Cc: Aleksandr Nogikh, Johan Hedberg, Luiz Augusto von Dentz,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth,
netdev, LKML, Andy Nguyen, Dmitry Vyukov
Hello,
If you need any clarification about the patch or if you have questions
or if the patch needs to be modified, please feel free to tell me.
Basically the patch should not have any effect on a kernel which is
not compiled with CONFIG_KCOV and we'd like to use the patch to make
the coverage of the hci_rx_work background thread visible to
Syzkaller, because the BT packet parsing / handling logic happens
there and this way Syzkaller will be able to more effectively mutate
the packets used for fuzzing, hopefully reaching new code paths, maybe
discovering and reporting new vulnerabilities before they reach the
mainline.
Thank you,
Tamas
On Thu, Jun 23, 2022 at 11:18 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, 22 Jun 2022 at 12:20, Aleksandr Nogikh <nogikh@google.com> wrote:
> >
> > (Resending the reply I sent to the v1 of the patch. I sent it by
> > mistake with HTML content, so it did not reach lore.)
> >
> > I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
> > for a day. The fuzzer was indeed able to find and report more coverage
> > of the BT subsystem than without the patch.
> >
> > Tested-by: Aleksandr Nogikh <nogikh@google.com>
> >
> >
> > On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <poprdi@google.com> wrote:
> > >
> > > Hello Marcel,
> > >
> > > I hope this was the change you originally requested, and I did not
> > > misunderstand anything, but if you need any additional modification to
> > > the code or the commit, please feel free to let me know!
> > >
> > > Thank you,
> > > Tamas
> > >
> > > On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@google.com> wrote:
> > > >
> > > > Hello Marcel,
> > > >
> > > > I added some comments into the code about what the kcov_remote calls do and
> > > > why they were implemented and I also added some reasoning to the commit
> > > > message.
> > > >
> > > > I did not mention in the commit but these functions only run if the kernel
> > > > is compiled with CONFIG_KCOV.
> > > >
> > > > Thank you again for reviewing the patch!
> > > >
> > > > --
> > > > Tamas
> > > >
> > > > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@google.com> wrote:
> > > > >
> > > > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > > > queue which is the main incoming Bluetooth packet queue.
> > > > >
> > > > > Coverage is associated with the thread which created the packet skb.
> > > > >
> > > > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > > > vulnerabilities.
> > > > >
> > > > > Signed-off-by: Tamas Koczka <poprdi@google.com>
> > > > > ---
> > > > > Changelog since v1:
> > > > > - add comment about why kcov_remote functions are called
> > > > >
> > > > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > > > >
> > > > > net/bluetooth/hci_core.c | 10 +++++++++-
> > > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > > index 45c2dd2e1590..0af43844c55a 100644
> > > > > --- a/net/bluetooth/hci_core.c
> > > > > +++ b/net/bluetooth/hci_core.c
> > > > > @@ -29,6 +29,7 @@
> > > > > #include <linux/rfkill.h>
> > > > > #include <linux/debugfs.h>
> > > > > #include <linux/crypto.h>
> > > > > +#include <linux/kcov.h>
> > > > > #include <linux/property.h>
> > > > > #include <linux/suspend.h>
> > > > > #include <linux/wait.h>
> > > > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > > > >
> > > > > BT_DBG("%s", hdev->name);
> > > > >
> > > > > - while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > > > + /* The kcov_remote functions used for collecting packet parsing
> > > > > + * coverage information from this background thread and associate
> > > > > + * the coverage with the syscall's thread which originally injected
> > > > > + * the packet. This helps fuzzing the kernel.
> > > > > + */
> > > > > + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > > > + kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > > > +
> > > > > /* Send copy to monitor */
> > > > > hci_send_to_monitor(hdev, skb);
>
> Looks good to me.
> Anything else needed to merge this patch?
>
> Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
@ 2022-07-14 10:48 Tamas Koczka
2022-07-14 20:00 ` patchwork-bot+bluetooth
0 siblings, 1 reply; 8+ messages in thread
From: Tamas Koczka @ 2022-07-14 10:48 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-bluetooth, netdev, linux-kernel, theflow, Tamas Koczka,
Aleksandr Nogikh, Dmitry Vyukov
Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
calls, so remote KCOV coverage is collected while processing the rx_q
queue which is the main incoming Bluetooth packet queue.
Coverage is associated with the thread which created the packet skb.
The collected extra coverage helps kernel fuzzing efforts in finding
vulnerabilities.
This change only has effect if the kernel is compiled with CONFIG_KCOV,
otherwise kcov_ functions don't do anything.
Signed-off-by: Tamas Koczka <poprdi@google.com>
Tested-by: Aleksandr Nogikh <nogikh@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
---
Changelog since v1:
- add comment about why kcov_remote functions are called
v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
Note: this is a resubmission of https://lore.kernel.org/netdev/CAPUC6bJbVMPn1FMLYnXg2GUX4ikesMSRjj=oPOOrS5H2DOx_bA@mail.gmail.com/T/
net/bluetooth/hci_core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 45c2dd2e1590..0af43844c55a 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,6 +29,7 @@
#include <linux/rfkill.h>
#include <linux/debugfs.h>
#include <linux/crypto.h>
+#include <linux/kcov.h>
#include <linux/property.h>
#include <linux/suspend.h>
#include <linux/wait.h>
@@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
BT_DBG("%s", hdev->name);
- while ((skb = skb_dequeue(&hdev->rx_q))) {
+ /* The kcov_remote functions used for collecting packet parsing
+ * coverage information from this background thread and associate
+ * the coverage with the syscall's thread which originally injected
+ * the packet. This helps fuzzing the kernel.
+ */
+ for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
+ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
/* Send copy to monitor */
hci_send_to_monitor(hdev, skb);
--
2.37.0.144.g8ac04bfd2-goog
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
2022-07-14 10:48 Tamas Koczka
@ 2022-07-14 20:00 ` patchwork-bot+bluetooth
0 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+bluetooth @ 2022-07-14 20:00 UTC (permalink / raw)
To: Tamas Koczka
Cc: marcel, johan.hedberg, luiz.dentz, davem, edumazet, kuba, pabeni,
linux-bluetooth, netdev, linux-kernel, theflow, nogikh, dvyukov
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 14 Jul 2022 10:48:14 +0000 you wrote:
> Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> calls, so remote KCOV coverage is collected while processing the rx_q
> queue which is the main incoming Bluetooth packet queue.
>
> Coverage is associated with the thread which created the packet skb.
>
> The collected extra coverage helps kernel fuzzing efforts in finding
> vulnerabilities.
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: Collect kcov coverage from hci_rx_work
https://git.kernel.org/bluetooth/bluetooth-next/c/b28a31ebc74f
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-07-14 20:00 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-07 10:40 [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work Tamas Koczka
2022-06-07 11:44 ` Tamás Koczka
2022-06-14 13:34 ` Tamás Koczka
2022-06-22 10:20 ` Aleksandr Nogikh
2022-06-23 9:18 ` Dmitry Vyukov
2022-07-04 12:52 ` Tamás Koczka
2022-07-14 10:48 Tamas Koczka
2022-07-14 20:00 ` patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).