[RFC] hardening/fuzzing project idea: KASAN redzone before skb_shared_info


Jann Horn

May 19, 2026, 3:19:16 PM
to Network Development, linux-h...@vger.kernel.org, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, kasan-dev, kernel list
The following is not something I'm planning to work on in the near
future, but I think this would be helpful to allow fuzzers to more
easily detect OOB access bugs in the networking subsystem - maybe
someone else is interested in working on this?

As described in https://docs.kernel.org/networking/skbuff.html , in
the networking subsystem, SKB head buffers are stored with a "struct
skb_shared_info" at the end. This means that out-of-bounds accesses to
SKB data in the head buffer can't be detected by KASAN unless they go
far enough out of bounds to go beyond the skb_shared_info.

For debugging/fuzzing, it might be useful to have a KASAN redzone
somewhere between legitimate data in an SKB and skb_shared_info
metadata, accesses into which would cause KASAN splats. Maybe we could
split sk_buff::end into two separate members for "end of tailroom" and
"start of skb_shared_info" so that a redzone can be placed in between?
Or let debug builds store the skb_shared_info in a separate memory
allocation?

(We could also try to go further and KASAN-poison the headroom and
tailroom until they're actually used, but that might require an
annoying amount of refactoring of existing code, so probably not great
as an initial goal.)
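To make the detection gap concrete, here is a small user-space model (an added example, not code from the thread or from the kernel): a toy "addressable" shadow stands in for KASAN's shadow memory, HEAD_SIZE / SHINFO_SIZE / REDZONE_SIZE are constructed stand-ins for the real sizes, and the `redzone` flag switches between today's layout (skb_shared_info directly at sk_buff::end) and the proposed poisoned gap.

```c
/* User-space model of why KASAN misses small OOB accesses past the tail
 * of an SKB head buffer, and how a redzone between sk_buff::end and
 * skb_shared_info would catch them. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define HEAD_SIZE    64  /* constructed: headroom + data + tailroom bytes   */
#define SHINFO_SIZE  32  /* constructed stand-in for sizeof(skb_shared_info) */
#define REDZONE_SIZE 16  /* hypothetical width of the debug redzone          */

/* Toy shadow: one flag per byte; true means KASAN would allow the access. */
struct head_buf {
    size_t alloc_size;
    bool   addressable[HEAD_SIZE + REDZONE_SIZE + SHINFO_SIZE];
    size_t end;           /* offset of sk_buff::end (end of tailroom)    */
    size_t shinfo_start;  /* offset where skb_shared_info begins         */
};

/* redzone == false mirrors the current layout (shared_info right at 'end');
 * redzone == true models the proposed poisoned gap in between. */
static void layout(struct head_buf *b, bool redzone)
{
    size_t gap = redzone ? REDZONE_SIZE : 0;
    b->end = HEAD_SIZE;
    b->shinfo_start = HEAD_SIZE + gap;
    b->alloc_size = b->shinfo_start + SHINFO_SIZE;
    memset(b->addressable, 0, sizeof(b->addressable));
    /* Everything the allocator handed out is addressable to KASAN... */
    memset(b->addressable, 1, b->alloc_size);
    /* ...except the debug redzone, which is poisoned on purpose. */
    memset(b->addressable + b->end, 0, gap);
}

/* True if a KASAN-style check would report a 1-byte access at 'off'. */
static bool access_reported(const struct head_buf *b, size_t off)
{
    return off >= sizeof(b->addressable) || !b->addressable[off];
}

/* Would a write 'delta' bytes past the tailroom be caught? */
bool tail_overflow_caught(bool redzone, size_t delta)
{
    struct head_buf b;
    layout(&b, redzone);
    return access_reported(&b, b.end + delta);
}
```

With the current layout only overruns larger than SHINFO_SIZE are reported; with the redzone, overruns shorter than REDZONE_SIZE are caught, and anything that jumps over the whole redzone into skb_shared_info is still silent, which is the usual limit of redzone-based detection.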

Dmitry Vyukov

May 19, 2026, 5:00:29 PM
to Jann Horn, Network Development, linux-h...@vger.kernel.org, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Vincenzo Frascino, kasan-dev, kernel list
Hi Jann!

There was a related issue:
https://bugzilla.kernel.org/show_bug.cgi?id=199055

Not sure if it's better to include this into the existing issue, or
create a new one here:
https://bugzilla.kernel.org/buglist.cgi?bug_status=__open__&component=Sanitizers&product=Memory%20Management

It's also a list of things that nobody is actively working on atm, but
it's still to have such a list b/c people periodically ask for things
to work on.

Jann Horn

10:37 AM
to Dmitry Vyukov, Network Development, linux-h...@vger.kernel.org, Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Vincenzo Frascino, kasan-dev, kernel list
On Tue, May 19, 2026 at 11:00 PM Dmitry Vyukov <dvy...@google.com> wrote:
> On Tue, 19 May 2026 at 21:19, Jann Horn <ja...@google.com> wrote:
> > For debugging/fuzzing, it might be useful to have a KASAN redzone
> > somewhere between legitimate data in an SKB and skb_shared_info
> > metadata, accesses into which would cause KASAN splats. Maybe we could
> > split sk_buff::end into two separate members for "end of tailroom" and
> > "start of skb_shared_info" so that a redzone can be placed in between?
> > Or let debug builds store the skb_shared_info in a separate memory
> > allocation?
[...]
> Hi Jann!
>
> There was a related issue:
> https://bugzilla.kernel.org/show_bug.cgi?id=199055
>
> Not sure if it's better to include this into the existing issue, or
> create a new one here:
> https://bugzilla.kernel.org/buglist.cgi?bug_status=__open__&component=Sanitizers&product=Memory%20Management

Ah, thanks for the pointer. I have now filed this as
https://bugzilla.kernel.org/show_bug.cgi?id=221554 .