pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage

Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution. The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
author: Alexander Potapenko <glider@google.com> 2025-07-30 10:44:47 +0200
committer: Alexander Potapenko <glider@google.com> 2025-07-31 12:27:19 +0000
commit: 9a518853aaea13e0a60411b7be7d3ff1f05962de (patch)
tree: 646ae2c9dc6f44b86ddf90fe2c90a89b7236fe06 /pkg
parent: dc769bad4c765a3c7b54150be90664e7a01caf40 (diff)
5 files changed, 87 insertions, 70 deletions
diff --git a/pkg/flatrpc/flatrpc.fbs b/pkg/flatrpc/flatrpc.fbs
index 58dc7b292..3876af965 100644
--- a/pkg/flatrpc/flatrpc.fbs
+++ b/pkg/flatrpc/flatrpc.fbs
@@ -16,6 +16,7 @@ enum Feature : uint64 (bit_flags) {
 	Comparisons,
 	ExtraCoverage,
 	DelayKcovMmap,
+	KcovResetIoctl,
 	SandboxNone,
 	SandboxSetuid,
 	SandboxNamespace,
@@ -135,6 +136,7 @@ enum RequestFlag : uint64 (bit_flags) {
 enum ExecEnv : uint64 (bit_flags) {
 	Debug,			// debug output from executor
 	Signal,			// collect feedback signals (coverage)
+	ReadOnlyCoverage,	// map coverage as readonly, use an ioctl to reset it
 	ResetState,    		// fully reset executor state befor executing the test
 	SandboxNone,		// minimal sandboxing
 	SandboxSetuid,		// impersonate nobody user
diff --git a/pkg/flatrpc/flatrpc.go b/pkg/flatrpc/flatrpc.go
index d04d5c531..c7afd2c77 100644
--- a/pkg/flatrpc/flatrpc.go
+++ b/pkg/flatrpc/flatrpc.go
@@ -45,23 +45,24 @@ const (
 	FeatureComparisons      Feature = 2
 	FeatureExtraCoverage    Feature = 4
 	FeatureDelayKcovMmap    Feature = 8
-	FeatureSandboxNone      Feature = 16
-	FeatureSandboxSetuid    Feature = 32
-	FeatureSandboxNamespace Feature = 64
-	FeatureSandboxAndroid   Feature = 128
-	FeatureFault            Feature = 256
-	FeatureLeak             Feature = 512
-	FeatureNetInjection     Feature = 1024
-	FeatureNetDevices       Feature = 2048
-	FeatureKCSAN            Feature = 4096
-	FeatureDevlinkPCI       Feature = 8192
-	FeatureNicVF            Feature = 16384
-	FeatureUSBEmulation     Feature = 32768
-	FeatureVhciInjection    Feature = 65536
-	FeatureWifiEmulation    Feature = 131072
-	FeatureLRWPANEmulation  Feature = 262144
-	FeatureBinFmtMisc       Feature = 524288
-	FeatureSwap             Feature = 1048576
+	FeatureKcovResetIoctl   Feature = 16
+	FeatureSandboxNone      Feature = 32
+	FeatureSandboxSetuid    Feature = 64
+	FeatureSandboxNamespace Feature = 128
+	FeatureSandboxAndroid   Feature = 256
+	FeatureFault            Feature = 512
+	FeatureLeak             Feature = 1024
+	FeatureNetInjection     Feature = 2048
+	FeatureNetDevices       Feature = 4096
+	FeatureKCSAN            Feature = 8192
+	FeatureDevlinkPCI       Feature = 16384
+	FeatureNicVF            Feature = 32768
+	FeatureUSBEmulation     Feature = 65536
+	FeatureVhciInjection    Feature = 131072
+	FeatureWifiEmulation    Feature = 262144
+	FeatureLRWPANEmulation  Feature = 524288
+	FeatureBinFmtMisc       Feature = 1048576
+	FeatureSwap             Feature = 2097152
 )
 
 var EnumNamesFeature = map[Feature]string{
@@ -69,6 +70,7 @@ var EnumNamesFeature = map[Feature]string{
 	FeatureComparisons:      "Comparisons",
 	FeatureExtraCoverage:    "ExtraCoverage",
 	FeatureDelayKcovMmap:    "DelayKcovMmap",
+	FeatureKcovResetIoctl:   "KcovResetIoctl",
 	FeatureSandboxNone:      "SandboxNone",
 	FeatureSandboxSetuid:    "SandboxSetuid",
 	FeatureSandboxNamespace: "SandboxNamespace",
@@ -93,6 +95,7 @@ var EnumValuesFeature = map[string]Feature{
 	"Comparisons":      FeatureComparisons,
 	"ExtraCoverage":    FeatureExtraCoverage,
 	"DelayKcovMmap":    FeatureDelayKcovMmap,
+	"KcovResetIoctl":   FeatureKcovResetIoctl,
 	"SandboxNone":      FeatureSandboxNone,
 	"SandboxSetuid":    FeatureSandboxSetuid,
 	"SandboxNamespace": FeatureSandboxNamespace,
@@ -313,27 +316,29 @@ type ExecEnv uint64
 const (
 	ExecEnvDebug               ExecEnv = 1
 	ExecEnvSignal              ExecEnv = 2
-	ExecEnvResetState          ExecEnv = 4
-	ExecEnvSandboxNone         ExecEnv = 8
-	ExecEnvSandboxSetuid       ExecEnv = 16
-	ExecEnvSandboxNamespace    ExecEnv = 32
-	ExecEnvSandboxAndroid      ExecEnv = 64
-	ExecEnvExtraCover          ExecEnv = 128
-	ExecEnvEnableTun           ExecEnv = 256
-	ExecEnvEnableNetDev        ExecEnv = 512
-	ExecEnvEnableNetReset      ExecEnv = 1024
-	ExecEnvEnableCgroups       ExecEnv = 2048
-	ExecEnvEnableCloseFds      ExecEnv = 4096
-	ExecEnvEnableDevlinkPCI    ExecEnv = 8192
-	ExecEnvEnableVhciInjection ExecEnv = 16384
-	ExecEnvEnableWifi          ExecEnv = 32768
-	ExecEnvDelayKcovMmap       ExecEnv = 65536
-	ExecEnvEnableNicVF         ExecEnv = 131072
+	ExecEnvReadOnlyCoverage    ExecEnv = 4
+	ExecEnvResetState          ExecEnv = 8
+	ExecEnvSandboxNone         ExecEnv = 16
+	ExecEnvSandboxSetuid       ExecEnv = 32
+	ExecEnvSandboxNamespace    ExecEnv = 64
+	ExecEnvSandboxAndroid      ExecEnv = 128
+	ExecEnvExtraCover          ExecEnv = 256
+	ExecEnvEnableTun           ExecEnv = 512
+	ExecEnvEnableNetDev        ExecEnv = 1024
+	ExecEnvEnableNetReset      ExecEnv = 2048
+	ExecEnvEnableCgroups       ExecEnv = 4096
+	ExecEnvEnableCloseFds      ExecEnv = 8192
+	ExecEnvEnableDevlinkPCI    ExecEnv = 16384
+	ExecEnvEnableVhciInjection ExecEnv = 32768
+	ExecEnvEnableWifi          ExecEnv = 65536
+	ExecEnvDelayKcovMmap       ExecEnv = 131072
+	ExecEnvEnableNicVF         ExecEnv = 262144
 )
 
 var EnumNamesExecEnv = map[ExecEnv]string{
 	ExecEnvDebug:               "Debug",
 	ExecEnvSignal:              "Signal",
+	ExecEnvReadOnlyCoverage:    "ReadOnlyCoverage",
 	ExecEnvResetState:          "ResetState",
 	ExecEnvSandboxNone:         "SandboxNone",
 	ExecEnvSandboxSetuid:       "SandboxSetuid",
@@ -355,6 +360,7 @@ var EnumNamesExecEnv = map[ExecEnv]string{
 var EnumValuesExecEnv = map[string]ExecEnv{
 	"Debug":               ExecEnvDebug,
 	"Signal":              ExecEnvSignal,
+	"ReadOnlyCoverage":    ExecEnvReadOnlyCoverage,
 	"ResetState":          ExecEnvResetState,
 	"SandboxNone":         ExecEnvSandboxNone,
 	"SandboxSetuid":       ExecEnvSandboxSetuid,
diff --git a/pkg/flatrpc/flatrpc.h b/pkg/flatrpc/flatrpc.h
index def2648ad..6f7c181ec 100644
--- a/pkg/flatrpc/flatrpc.h
+++ b/pkg/flatrpc/flatrpc.h
@@ -141,34 +141,36 @@ enum class Feature : uint64_t {
   Comparisons = 2ULL,
   ExtraCoverage = 4ULL,
   DelayKcovMmap = 8ULL,
-  SandboxNone = 16ULL,
-  SandboxSetuid = 32ULL,
-  SandboxNamespace = 64ULL,
-  SandboxAndroid = 128ULL,
-  Fault = 256ULL,
-  Leak = 512ULL,
-  NetInjection = 1024ULL,
-  NetDevices = 2048ULL,
-  KCSAN = 4096ULL,
-  DevlinkPCI = 8192ULL,
-  NicVF = 16384ULL,
-  USBEmulation = 32768ULL,
-  VhciInjection = 65536ULL,
-  WifiEmulation = 131072ULL,
-  LRWPANEmulation = 262144ULL,
-  BinFmtMisc = 524288ULL,
-  Swap = 1048576ULL,
+  KcovResetIoctl = 16ULL,
+  SandboxNone = 32ULL,
+  SandboxSetuid = 64ULL,
+  SandboxNamespace = 128ULL,
+  SandboxAndroid = 256ULL,
+  Fault = 512ULL,
+  Leak = 1024ULL,
+  NetInjection = 2048ULL,
+  NetDevices = 4096ULL,
+  KCSAN = 8192ULL,
+  DevlinkPCI = 16384ULL,
+  NicVF = 32768ULL,
+  USBEmulation = 65536ULL,
+  VhciInjection = 131072ULL,
+  WifiEmulation = 262144ULL,
+  LRWPANEmulation = 524288ULL,
+  BinFmtMisc = 1048576ULL,
+  Swap = 2097152ULL,
   NONE = 0,
-  ANY = 2097151ULL
+  ANY = 4194303ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(Feature, uint64_t)
 
-inline const Feature (&EnumValuesFeature())[21] {
+inline const Feature (&EnumValuesFeature())[22] {
   static const Feature values[] = {
     Feature::Coverage,
     Feature::Comparisons,
     Feature::ExtraCoverage,
     Feature::DelayKcovMmap,
+    Feature::KcovResetIoctl,
     Feature::SandboxNone,
     Feature::SandboxSetuid,
     Feature::SandboxNamespace,
@@ -196,6 +198,7 @@ inline const char *EnumNameFeature(Feature e) {
     case Feature::Comparisons: return "Comparisons";
     case Feature::ExtraCoverage: return "ExtraCoverage";
     case Feature::DelayKcovMmap: return "DelayKcovMmap";
+    case Feature::KcovResetIoctl: return "KcovResetIoctl";
     case Feature::SandboxNone: return "SandboxNone";
     case Feature::SandboxSetuid: return "SandboxSetuid";
     case Feature::SandboxNamespace: return "SandboxNamespace";
@@ -557,31 +560,33 @@ inline const char *EnumNameRequestFlag(RequestFlag e) {
 enum class ExecEnv : uint64_t {
   Debug = 1ULL,
   Signal = 2ULL,
-  ResetState = 4ULL,
-  SandboxNone = 8ULL,
-  SandboxSetuid = 16ULL,
-  SandboxNamespace = 32ULL,
-  SandboxAndroid = 64ULL,
-  ExtraCover = 128ULL,
-  EnableTun = 256ULL,
-  EnableNetDev = 512ULL,
-  EnableNetReset = 1024ULL,
-  EnableCgroups = 2048ULL,
-  EnableCloseFds = 4096ULL,
-  EnableDevlinkPCI = 8192ULL,
-  EnableVhciInjection = 16384ULL,
-  EnableWifi = 32768ULL,
-  DelayKcovMmap = 65536ULL,
-  EnableNicVF = 131072ULL,
+  ReadOnlyCoverage = 4ULL,
+  ResetState = 8ULL,
+  SandboxNone = 16ULL,
+  SandboxSetuid = 32ULL,
+  SandboxNamespace = 64ULL,
+  SandboxAndroid = 128ULL,
+  ExtraCover = 256ULL,
+  EnableTun = 512ULL,
+  EnableNetDev = 1024ULL,
+  EnableNetReset = 2048ULL,
+  EnableCgroups = 4096ULL,
+  EnableCloseFds = 8192ULL,
+  EnableDevlinkPCI = 16384ULL,
+  EnableVhciInjection = 32768ULL,
+  EnableWifi = 65536ULL,
+  DelayKcovMmap = 131072ULL,
+  EnableNicVF = 262144ULL,
   NONE = 0,
-  ANY = 262143ULL
+  ANY = 524287ULL
 };
 FLATBUFFERS_DEFINE_BITMASK_OPERATORS(ExecEnv, uint64_t)
 
-inline const ExecEnv (&EnumValuesExecEnv())[18] {
+inline const ExecEnv (&EnumValuesExecEnv())[19] {
   static const ExecEnv values[] = {
     ExecEnv::Debug,
     ExecEnv::Signal,
+    ExecEnv::ReadOnlyCoverage,
     ExecEnv::ResetState,
     ExecEnv::SandboxNone,
     ExecEnv::SandboxSetuid,
@@ -606,6 +611,7 @@ inline const char *EnumNameExecEnv(ExecEnv e) {
   switch (e) {
     case ExecEnv::Debug: return "Debug";
     case ExecEnv::Signal: return "Signal";
+    case ExecEnv::ReadOnlyCoverage: return "ReadOnlyCoverage";
     case ExecEnv::ResetState: return "ResetState";
     case ExecEnv::SandboxNone: return "SandboxNone";
     case ExecEnv::SandboxSetuid: return "SandboxSetuid";
diff --git a/pkg/runtest/run_test.go b/pkg/runtest/run_test.go
index f37c7612c..b566f74dd 100644
--- a/pkg/runtest/run_test.go
+++ b/pkg/runtest/run_test.go
@@ -95,6 +95,7 @@ func test(t *testing.T, sysTarget *targets.Target) {
 			want := flatrpc.FeatureCoverage |
 				flatrpc.FeatureExtraCoverage |
 				flatrpc.FeatureDelayKcovMmap |
+				flatrpc.FeatureKcovResetIoctl |
 				flatrpc.FeatureSandboxNone |
 				flatrpc.FeatureFault |
 				flatrpc.FeatureNetDevices |
diff --git a/pkg/vminfo/features.go b/pkg/vminfo/features.go
index 2be067d32..6c4d6ae6d 100644
--- a/pkg/vminfo/features.go
+++ b/pkg/vminfo/features.go
@@ -138,6 +138,8 @@ func (ctx *checkContext) featureToFlags(feat flatrpc.Feature) (flatrpc.ExecEnv,
 	case flatrpc.FeatureDelayKcovMmap:
 		envFlags |= flatrpc.ExecEnvSignal | flatrpc.ExecEnvDelayKcovMmap
 		execFlags |= flatrpc.ExecFlagCollectSignal | flatrpc.ExecFlagCollectCover
+	case flatrpc.FeatureKcovResetIoctl:
+		envFlags |= flatrpc.ExecEnvReadOnlyCoverage
 	case flatrpc.FeatureSandboxNone:
 		envFlags &= ^ctx.cfg.Sandbox
 		envFlags |= flatrpc.ExecEnvSandboxNone
author	Alexander Potapenko <glider@google.com>	2025-07-30 10:44:47 +0200
committer	Alexander Potapenko <glider@google.com>	2025-07-31 12:27:19 +0000
commit	9a518853aaea13e0a60411b7be7d3ff1f05962de (patch)
tree	646ae2c9dc6f44b86ddf90fe2c90a89b7236fe06 /pkg
parent	dc769bad4c765a3c7b54150be90664e7a01caf40 (diff)