lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANp29Y7gb7cop8p8k-LqR1WoLwOLxi+QGRGLEZrbYW8Tw6_i2w@mail.gmail.com>
Date:   Wed, 22 Jun 2022 12:20:22 +0200
From:   Aleksandr Nogikh <nogikh@...gle.com>
To:     Tamás Koczka <poprdi@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Andy Nguyen <theflow@...gle.com>
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work

(Resending the reply I sent to the v1 of the patch. I sent it by
mistake with HTML content, so it did not reach lore.)

I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
for a day. The fuzzer was indeed able to find and report more coverage
of the BT subsystem than without the patch.

Tested-by: Aleksandr Nogikh <nogikh@...gle.com>


On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <poprdi@...gle.com> wrote:
>
> Hello Marcel,
>
> I hope this was the change you originally requested, and I did not
> misunderstand anything, but if you need any additional modification to
> the code or the commit, please feel free to let me know!
>
> Thank you,
> Tamas
>
> On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@...gle.com> wrote:
> >
> > Hello Marcel,
> >
> > I added some comments into the code about what the kcov_remote calls do and
> > why they were implemented and I also added some reasoning to the commit
> > message.
> >
> > I did not mention in the commit but these functions only run if the kernel
> > is compiled with CONFIG_KCOV.
> >
> > Thank you again for reviewing the patch!
> >
> > --
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@...gle.com> wrote:
> > >
> > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > queue which is the main incoming Bluetooth packet queue.
> > >
> > > Coverage is associated with the thread which created the packet skb.
> > >
> > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > vulnerabilities.
> > >
> > > Signed-off-by: Tamas Koczka <poprdi@...gle.com>
> > > ---
> > > Changelog since v1:
> > >  - add comment about why kcov_remote functions are called
> > >
> > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > >
> > >  net/bluetooth/hci_core.c | 10 +++++++++-
> > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > index 45c2dd2e1590..0af43844c55a 100644
> > > --- a/net/bluetooth/hci_core.c
> > > +++ b/net/bluetooth/hci_core.c
> > > @@ -29,6 +29,7 @@
> > >  #include <linux/rfkill.h>
> > >  #include <linux/debugfs.h>
> > >  #include <linux/crypto.h>
> > > +#include <linux/kcov.h>
> > >  #include <linux/property.h>
> > >  #include <linux/suspend.h>
> > >  #include <linux/wait.h>
> > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > >
> > >         BT_DBG("%s", hdev->name);
> > >
> > > -       while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > +       /* The kcov_remote functions used for collecting packet parsing
> > > +        * coverage information from this background thread and associate
> > > +        * the coverage with the syscall's thread which originally injected
> > > +        * the packet. This helps fuzzing the kernel.
> > > +        */
> > > +       for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > +               kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > +
> > >                 /* Send copy to monitor */
> > >                 hci_send_to_monitor(hdev, skb);
> > >
> > > --
> > > 2.36.1.255.ge46751e96f-goog
> > >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ