On Tue, 19 May 2026 at 21:19, Jann Horn <[email protected]> wrote:
>
> The following is not something I'm planning to work on in the near
> future, but I think this would be helpful to allow fuzzers to more
> easily detect OOB access bugs in the networking subsystem - maybe
> someone else is interested in working on this?
>
> As described in https://docs.kernel.org/networking/skbuff.html , in
> the networking subsystem, SKB head buffers are stored with a "struct
> skb_shared_info" at the end. This means that out-of-bounds accesses to
> SKB data in the head buffer can't be detected by KASAN unless they go
> far enough out of bounds to go beyond the skb_shared_info.
>
> For debugging/fuzzing, it might be useful to have a KASAN redzone
> somewhere between legitimate data in an SKB and skb_shared_info
> metadata, accesses into which would cause KASAN splats. Maybe we could
> split sk_buff::end into two separate members for "end of tailroom" and
> "start of skb_shared_info" so that a redzone can be placed in between?
> Or let debug builds store the skb_shared_info in a separate memory
> allocation?
>
> (We could also try to go further and KASAN-poison the headroom and
> tailroom until they're actually used, but that might require an
> annoying amount of refactoring of existing code, so probably not great
> as an initial goal.)

Hi Jann!

There was a related issue:
https://bugzilla.kernel.org/show_bug.cgi?id=199055

Not sure if it's better to include this into the existing issue, or
create a new one here:
https://bugzilla.kernel.org/buglist.cgi?bug_status=__open__&component=Sanitizers&product=Memory%20Management

It's also a list of things that nobody is actively working on atm, but
it's still good to have such a list b/c people periodically ask for things
to work on.
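The head-buffer layout Jann describes, modelled in user-space C as an added example (this is not code from the thread, from the kernel, or from KASAN). `struct toy_skb`, `struct toy_shared_info`, `TOY_REDZONE`, `alloc_bounds_flags()` and `redzone_flags()` are hypothetical stand-ins: the real `sk_buff` reaches its metadata through `skb_end_pointer()`/`skb_shinfo()`, and real KASAN checks shadow memory rather than a bounds predicate. The model shows why a short overrun of the tailroom silently corrupts the trailing `skb_shared_info` when the only check is at allocation granularity, and how splitting "end of tailroom" from "start of shared_info" with a poisoned gap in between (the split Jann suggests) makes the same overrun flaggable.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct skb_shared_info: two real-looking
 * fields plus a canary that represents "the rest of the metadata". */
struct toy_shared_info {
    uint8_t  nr_frags;
    uint32_t gso_size;
    uint32_t canary;
};

#define TOY_CANARY   0xA5A5A5A5u
#define TOY_HEAD     64   /* head buffer bytes: headroom + data + tailroom */
#define TOY_REDZONE  16   /* hypothetical gap between end of tailroom and shinfo */

/* Toy model of the head-buffer pointers. In the real sk_buff, `end` and
 * skb_shinfo(skb) coincide; the proposal is to let them differ. */
struct toy_skb {
    uint8_t *head;      /* start of the allocation */
    uint8_t *end;       /* end of tailroom: one past the last legitimate byte */
    uint8_t *shinfo;    /* start of the shared_info metadata */
    size_t   alloc_size;
};

static struct toy_skb *toy_alloc(size_t size, int with_redzone)
{
    size_t gap = with_redzone ? TOY_REDZONE : 0;
    struct toy_skb *skb = calloc(1, sizeof *skb);
    if (!skb) abort();
    skb->alloc_size = size + gap + sizeof(struct toy_shared_info);
    skb->head = calloc(1, skb->alloc_size);
    if (!skb->head) abort();
    skb->end = skb->head + size;
    skb->shinfo = skb->end + gap;
    memset(skb->end, 0xFE, gap);            /* "poison" the redzone bytes */
    ((struct toy_shared_info *)skb->shinfo)->canary = TOY_CANARY;
    return skb;
}

static void toy_free(struct toy_skb *skb)
{
    free(skb->head);
    free(skb);
}

/* Models what an allocation-granularity check (KASAN on the slab or page
 * backing the head) can see: only accesses past the whole allocation,
 * i.e. beyond shared_info, are flagged. */
static int alloc_bounds_flags(const struct toy_skb *skb, size_t off, size_t len)
{
    return off + len > skb->alloc_size;
}

/* Models the proposed redzone: any access overlapping [end, shinfo) is flagged. */
static int redzone_flags(const struct toy_skb *skb, size_t off, size_t len)
{
    size_t rz_lo = (size_t)(skb->end - skb->head);
    size_t rz_hi = (size_t)(skb->shinfo - skb->head);
    return off < rz_hi && off + len > rz_lo;
}

static int shinfo_intact(const struct toy_skb *skb)
{
    const struct toy_shared_info *si = (const struct toy_shared_info *)skb->shinfo;
    return si->canary == TOY_CANARY && si->nr_frags == 0;
}

/* Constructed bug: an 8-byte write starting 4 bytes before the end of the
 * tailroom, i.e. an skb_put()-style overrun by 4 bytes. A sanitizer would
 * splat on a flagged access, so only unflagged writes are performed here. */
static void run_overrun(int with_redzone, int *flagged, int *corrupted)
{
    struct toy_skb *skb = toy_alloc(TOY_HEAD, with_redzone);
    size_t off = TOY_HEAD - 4, len = 8;
    *flagged = alloc_bounds_flags(skb, off, len) ||
               (with_redzone && redzone_flags(skb, off, len));
    if (!*flagged)
        memset(skb->head + off, 0x41, len);
    *corrupted = !shinfo_intact(skb);
    toy_free(skb);
}

/* 1 if the short overrun lands in shared_info without any check firing. */
static int overrun_undetected_without_redzone(void)
{
    int flagged, corrupted;
    run_overrun(0, &flagged, &corrupted);
    return !flagged && corrupted;
}

/* 1 if the same overrun is flagged by the redzone and shared_info stays intact. */
static int overrun_caught_with_redzone(void)
{
    int flagged, corrupted;
    run_overrun(1, &flagged, &corrupted);
    return flagged && !corrupted;
}

/* Past shared_info the allocation ends, so even the allocation-level check fires. */
static int far_overrun_caught_without_redzone(void)
{
    struct toy_skb *skb = toy_alloc(TOY_HEAD, 0);
    int r = alloc_bounds_flags(skb, skb->alloc_size - 2, 4);
    toy_free(skb);
    return r;
}

int main(void)
{
    printf("short overrun, no redzone: undetected=%d\n", overrun_undetected_without_redzone());
    printf("short overrun, redzone:    caught=%d\n", overrun_caught_with_redzone());
    printf("far overrun, no redzone:   caught=%d\n", far_overrun_caught_without_redzone());
    return 0;
}
```

The poisoning of the gap with `0xFE` is only cosmetic in this model; what matters is that `redzone_flags()` rejects any access touching `[end, shinfo)`, which is the property a real KASAN redzone would give once `end` and the shared_info start are tracked separately.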
