Commit 6370cc3b authored by Aleksandr Nogikh's avatar Aleksandr Nogikh Committed by Jakub Kicinski
Browse files

net: add kcov handle to skb extensions 



Remote KCOV coverage collection enables coverage-guided fuzzing of the
code that is not reachable during normal system call execution. It is
especially helpful for fuzzing networking subsystems, where it is
common to perform packet handling in separate work queues even for the
packets that originated directly from the user space.

Enable coverage-guided frame injection by adding kcov remote handle to
skb extensions. Default initialization in __alloc_skb and
__build_skb_around ensures that no socket buffer that was generated
during a system call will be missed.

Code that is of interest and that performs packet processing should be
annotated with kcov_remote_start()/kcov_remote_stop().

An alternative approach is to determine kcov_handle solely on the
basis of the device/interface that received the specific socket
buffer. However, in this case it would be impossible to distinguish
between packets that originated during normal background network
processes or were intentionally injected from the user space.

Signed-off-by: default avatarAleksandr Nogikh <nogikh@google.com>
Acked-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent b08e84da

include/linux/skbuff.h

+33 −0
Original line number Diff line number Diff line
@@ -4150,6 +4150,9 @@ enum skb_ext_id { 
#endif

#if IS_ENABLED(CONFIG_MPTCP)

	SKB_EXT_MPTCP,

#endif

#if IS_ENABLED(CONFIG_KCOV)

	SKB_EXT_KCOV_HANDLE,

#endif

	SKB_EXT_NUM, /* must be last */

};
@@ -4605,5 +4608,35 @@ static inline void skb_reset_redirect(struct sk_buff *skb) 
#endif

}



#ifdef CONFIG_KCOV

static inline void skb_set_kcov_handle(struct sk_buff *skb,

				       const u64 kcov_handle)

{

	/* Do not allocate skb extensions only to set kcov_handle to zero

	 * (as it is zero by default). However, if the extensions are

	 * already allocated, update kcov_handle anyway since

	 * skb_set_kcov_handle can be called to zero a previously set

	 * value.

	 */

	if (skb_has_extensions(skb) || kcov_handle) {

		u64 *kcov_handle_ptr = skb_ext_add(skb, SKB_EXT_KCOV_HANDLE);



		if (kcov_handle_ptr)

			*kcov_handle_ptr = kcov_handle;

	}

}



static inline u64 skb_get_kcov_handle(struct sk_buff *skb)

{

	u64 *kcov_handle = skb_ext_find(skb, SKB_EXT_KCOV_HANDLE);



	return kcov_handle ? *kcov_handle : 0;

}

#else

static inline void skb_set_kcov_handle(struct sk_buff *skb,

				       const u64 kcov_handle) { }

static inline u64 skb_get_kcov_handle(struct sk_buff *skb) { return 0; }

#endif /* CONFIG_KCOV */



#endif	/* __KERNEL__ */

#endif	/* _LINUX_SKBUFF_H */

lib/Kconfig.debug

+1 −0
Original line number Diff line number Diff line
@@ -1870,6 +1870,7 @@ config KCOV 
	depends on CC_HAS_SANCOV_TRACE_PC || GCC_PLUGINS

	select DEBUG_FS

	select GCC_PLUGIN_SANCOV if !CC_HAS_SANCOV_TRACE_PC

	select SKB_EXTENSIONS

	help

	  KCOV exposes kernel code coverage information in a form suitable

	  for coverage-guided fuzzing (randomized testing).

net/core/skbuff.c

+11 −0
Original line number Diff line number Diff line
@@ -249,6 +249,9 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask, 


		fclones->skb2.fclone = SKB_FCLONE_CLONE;

	}



	skb_set_kcov_handle(skb, kcov_common_handle());



out:

	return skb;

nodata:
@@ -282,6 +285,8 @@ static struct sk_buff *__build_skb_around(struct sk_buff *skb, 
	memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));

	atomic_set(&shinfo->dataref, 1);



	skb_set_kcov_handle(skb, kcov_common_handle());



	return skb;

}
@@ -4203,6 +4208,9 @@ static const u8 skb_ext_type_len[] = { 
#if IS_ENABLED(CONFIG_MPTCP)

	[SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext),

#endif

#if IS_ENABLED(CONFIG_KCOV)

	[SKB_EXT_KCOV_HANDLE] = SKB_EXT_CHUNKSIZEOF(u64),

#endif

};



static __always_inline unsigned int skb_ext_total_length(void)
@@ -4219,6 +4227,9 @@ static __always_inline unsigned int skb_ext_total_length(void) 
#endif

#if IS_ENABLED(CONFIG_MPTCP)

		skb_ext_type_len[SKB_EXT_MPTCP] +

#endif

#if IS_ENABLED(CONFIG_KCOV)

		skb_ext_type_len[SKB_EXT_KCOV_HANDLE] +

#endif

		0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE