[RFC] hardening/fuzzing project idea: KASAN redzone before skb_shared_info

Next message: Nico Pache: "Re: [PATCH mm-unstable v17 00/14] khugepaged: mTHP support"
Previous message: Ewan D. Milne: "[PATCH] drivers: base: Remove statistics group if encryption group not created"
Next in thread: Dmitry Vyukov: "Re: [RFC] hardening/fuzzing project idea: KASAN redzone before skb_shared_info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jann Horn

Date: Tue May 19 2026 - 15:19:35 EST

The following is not something I'm planning to work on in the near
future, but I think this would be helpful to allow fuzzers to more
easily detect OOB access bugs in the networking subsystem - maybe
someone else is interested in working on this?

As described in https://docs.kernel.org/networking/skbuff.html , in
the networking subsystem, SKB head buffers are stored with a "struct
skb_shared_info" at the end. This means that out-of-bounds accesses to
SKB data in the head buffer can't be detected by KASAN unless they go
far enough out of bounds to go beyond the skb_shared_info.

For debugging/fuzzing, it might be useful to have a KASAN redzone
somewhere between legitimate data in an SKB and skb_shared_info
metadata, accesses into which would cause KASAN splats. Maybe we could
split sk_buff::end into two separate members for "end of tailroom" and
"start of skb_shared_info" so that a redzone can be placed in between?
Or let debug builds store the skb_shared_info in a separate memory
allocation?

(We could also try to go further and KASAN-poison the headroom and
tailroom until they're actually used, but that might require an
annoying amount of refactoring of existing code, so probably not great
as an initial goal.)