Date:   Wed, 22 Jun 2022 12:20:22 +0200
From:   Aleksandr Nogikh <nogikh@...gle.com>
To:     Tamás Koczka <poprdi@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        linux-bluetooth <linux-bluetooth@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Andy Nguyen <theflow@...gle.com>
Subject: Re: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work

(Resending the reply I sent to the v1 of the patch. I sent it by
mistake with HTML content, so it did not reach lore.)

I checked out v5.18.1, applied this patch and fuzzed it with syzkaller
for a day. The fuzzer was indeed able to find and report more coverage
of the BT subsystem than without the patch.

Tested-by: Aleksandr Nogikh <nogikh@...gle.com>


On Tue, Jun 14, 2022 at 3:34 PM Tamás Koczka <poprdi@...gle.com> wrote:
>
> Hello Marcel,
>
> I hope this was the change you originally requested, and I did not
> misunderstand anything, but if you need any additional modification to
> the code or the commit, please feel free to let me know!
>
> Thank you,
> Tamas
>
> On Tue, Jun 7, 2022 at 1:44 PM Tamás Koczka <poprdi@...gle.com> wrote:
> >
> > Hello Marcel,
> >
> > I added some comments into the code about what the kcov_remote calls do and
> > why they were implemented and I also added some reasoning to the commit
> > message.
> >
> > I did not mention in the commit but these functions only run if the kernel
> > is compiled with CONFIG_KCOV.
> >
> > Thank you again for reviewing the patch!
> >
> > --
> > Tamas
> >
> > On Tue, Jun 7, 2022 at 12:40 PM Tamas Koczka <poprdi@...gle.com> wrote:
> > >
> > > Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop()
> > > calls, so remote KCOV coverage is collected while processing the rx_q
> > > queue which is the main incoming Bluetooth packet queue.
> > >
> > > Coverage is associated with the thread which created the packet skb.
> > >
> > > The collected extra coverage helps kernel fuzzing efforts in finding
> > > vulnerabilities.
> > >
> > > Signed-off-by: Tamas Koczka <poprdi@...gle.com>
> > > ---
> > > Changelog since v1:
> > >  - add comment about why kcov_remote functions are called
> > >
> > > v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/
> > >
> > >  net/bluetooth/hci_core.c | 10 +++++++++-
> > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > index 45c2dd2e1590..0af43844c55a 100644
> > > --- a/net/bluetooth/hci_core.c
> > > +++ b/net/bluetooth/hci_core.c
> > > @@ -29,6 +29,7 @@
> > >  #include <linux/rfkill.h>
> > >  #include <linux/debugfs.h>
> > >  #include <linux/crypto.h>
> > > +#include <linux/kcov.h>
> > >  #include <linux/property.h>
> > >  #include <linux/suspend.h>
> > >  #include <linux/wait.h>
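Review bot: Nothing to change in this hunk; <linux/kcov.h> is the header that declares kcov_remote_start_common() and kcov_remote_stop() used in the next hunk, and it supplies empty inline stubs when CONFIG_KCOV is not set, so the call sites need no #ifdef, which matches the cover note above that these functions only do anything on a CONFIG_KCOV kernel.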
> > > @@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work)
> > >
> > >         BT_DBG("%s", hdev->name);
> > >
> > > -       while ((skb = skb_dequeue(&hdev->rx_q))) {
> > > +       /* The kcov_remote functions used for collecting packet parsing
> > > +        * coverage information from this background thread and associate
> > > +        * the coverage with the syscall's thread which originally injected
> > > +        * the packet. This helps fuzzing the kernel.
> > > +        */
> > > +       for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
> > > +               kcov_remote_start_common(skb_get_kcov_handle(skb));
> > > +
> > >                 /* Send copy to monitor */
> > >                 hci_send_to_monitor(hdev, skb);
> > >
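Review bot: The new comment has a grammar slip ("The kcov_remote functions used for collecting packet parsing" should read "are used for collecting") and, more importantly, does not explain the unusual loop shape: kcov_remote_stop() is placed in the for statement's third clause so that it runs at the end of every iteration, including iterations that leave the body via continue, which a plain while loop with the start call at the top and the stop call at the bottom would miss. Suggest saying that in the comment, e.g. "kcov_remote_stop() sits in the loop's increment expression so it runs on every path to the next iteration", and noting that any future break or return out of the body would skip it and leave the remote section open. The pairing itself looks right: the handle comes from the skb via skb_get_kcov_handle(), so the worker's coverage lands in the kcov instance of the task that allocated the packet.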
> > > --
> > > 2.36.1.255.ge46751e96f-goog
> > >
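The annotation in the patch only pays off when a userspace fuzzer has told kcov which handle to associate the background work with. The program below is an added example, not code from this thread, the patch or the kernel tree, showing that userspace side: it opens /dev/kcov, enables remote coverage with a common handle (the kernel copies that handle into skbs allocated by the calling thread, which is what skb_get_kcov_handle() reads back in hci_rx_work()), runs a workload, and reads the PCs collected by the worker. The ioctl numbers and handle encoding mirror include/uapi/linux/kcov.h; the instance id 0x42 is a constructed value, and inject_bluetooth_packet() is a hypothetical hook standing in for whatever the fuzzer does to get an HCI packet onto rx_q (syzkaller does this through a virtual HCI device), which this example deliberately leaves unimplemented.

```c
/* Userspace side of KCOV remote coverage (added example; mirrors the uapi
 * in include/uapi/linux/kcov.h, not code from the patch or the kernel). */
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

struct kcov_remote_arg {
    uint32_t trace_mode;   /* KCOV_TRACE_PC or KCOV_TRACE_CMP */
    uint32_t area_size;    /* coverage area size in 64-bit words */
    uint32_t num_handles;  /* entries in handles[] (explicit instances) */
    uint64_t common_handle __attribute__((aligned(8)));
    uint64_t handles[];
};

/* ioctl numbers and handle layout as in the kernel uapi header, redefined
 * here so the example builds without linux-libc-dev installed. */
#define KCOV_INIT_TRACE       _IOR('c', 1, unsigned long)
#define KCOV_ENABLE           _IO('c', 100)
#define KCOV_DISABLE          _IO('c', 101)
#define KCOV_REMOTE_ENABLE    _IOW('c', 102, struct kcov_remote_arg)
#define KCOV_TRACE_PC         0
#define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
#define KCOV_SUBSYSTEM_MASK   (0xffull << 56)
#define KCOV_INSTANCE_MASK    (0xffffffffull)
#define COVER_WORDS           (64 << 10)

/* Same encoding as the uapi kcov_remote_handle(): subsystem id in the top
 * byte, 32-bit instance id in the low bits; 0 signals an invalid handle. */
static uint64_t kcov_remote_handle(uint64_t subsys, uint64_t inst)
{
    if ((subsys & ~KCOV_SUBSYSTEM_MASK) || (inst & ~KCOV_INSTANCE_MASK))
        return 0;
    return subsys | inst;
}

/* In KCOV_TRACE_PC mode word 0 holds the number of PCs and the PCs follow
 * it; the clamp is defensive so a caller can never read past the area. */
static uint64_t kcov_pc_count(const uint64_t *area, size_t words)
{
    if (words == 0)
        return 0;
    uint64_t n = area[0];
    return n < words - 1 ? n : words - 1;
}

/* Hypothetical hook: whatever the fuzzer does to get an HCI packet queued on
 * hdev->rx_q from this thread. Left empty; injection is not shown here. */
static void inject_bluetooth_packet(void)
{
}

/* Enable remote coverage for this thread under a common handle, run the
 * workload, print the PCs and return how many were collected (-1 on error). */
static long collect_remote_coverage(uint64_t instance, void (*workload)(void))
{
    int fd = open("/dev/kcov", O_RDWR);
    if (fd < 0) { perror("open /dev/kcov"); return -1; }
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_WORDS)) {
        perror("KCOV_INIT_TRACE"); close(fd); return -1;
    }
    uint64_t *cover = mmap(NULL, COVER_WORDS * sizeof(uint64_t),
                           PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED) { perror("mmap"); close(fd); return -1; }

    /* The kernel stores common_handle in skbs this thread allocates
     * (skb->kcov_handle); hci_rx_work() later hands it to
     * kcov_remote_start_common(), routing the worker's coverage here. */
    struct kcov_remote_arg arg = {
        .trace_mode = KCOV_TRACE_PC,
        .area_size = COVER_WORDS,
        .num_handles = 0,
        .common_handle = kcov_remote_handle(KCOV_SUBSYSTEM_COMMON, instance),
    };
    if (ioctl(fd, KCOV_REMOTE_ENABLE, &arg)) {
        perror("KCOV_REMOTE_ENABLE");
        munmap(cover, COVER_WORDS * sizeof(uint64_t)); close(fd); return -1;
    }

    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
    workload();
    sleep(2);   /* the work item runs after the syscall returns; let it finish */

    uint64_t n = kcov_pc_count(cover, COVER_WORDS);
    for (uint64_t i = 0; i < n; i++)
        printf("0x%" PRIx64 "\n", cover[i + 1]);

    ioctl(fd, KCOV_DISABLE, 0);
    munmap(cover, COVER_WORDS * sizeof(uint64_t));
    close(fd);
    return (long)n;
}

int main(void)
{
    /* 0x42 is a constructed instance id; each fuzzer thread picks its own. */
    long n = collect_remote_coverage(0x42, inject_bluetooth_packet);
    if (n < 0)
        return 1;
    printf("collected %ld PCs\n", n);
    return 0;
}
```

Run it on a CONFIG_KCOV kernel with the patch applied; PCs inside hci_rx_work() and the HCI event/ACL parsers show up in the output only because the worker's remote section is attributed back to the thread that owns this /dev/kcov instance. Without the patch the same workload yields only the syscall-context coverage, which is the difference the Tested-by above reports.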
