Bug 199055 - KASAN: poison skb linear data tail
Summary: KASAN: poison skb linear data tail
Status: REOPENED
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Sanitizers
Hardware: All Linux
Importance: P1 enhancement
Assignee: Dmitry Vyukov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-08 09:20 UTC by Dmitry Vyukov
Modified: 2018-03-08 15:57 UTC (History)

See Also:
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:


Description Dmitry Vyukov 2018-03-08 09:20:21 UTC
Filing here so it does not get lost:

As far as I understand pskb_may_pull() plays an important role in packet
parsing for all protocols. And we did custom fragmentation of packets
emitted via tun (IFF_NAPI_FRAGS). However, it seems that it does not
give any results (bugs found), and I think the reason for this is that
linear data is rounded up and is usually quite large. So if a parsing
function does pskb_may_pull(1), or does not do it at all, it can
usually access more and it will go unnoticed. KASAN has an ability to
do custom poisoning: it can poison/unpoison any memory range, and then
detect any reads/writes to that range. What do you think about adding
custom KASAN poisoning to pskb_may_pull() and switching it to
non-eager mode (pull only what was requested) under KASAN? Do you
think it has potential for finding important bugs? What amount of work
is this?
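The following is an added user-space model of the proposal (not kernel code and not from the reporter): a linear area rounded up to an assumed 64 bytes, a model pskb_may_pull() that is eager by default and exposes only the requested bytes in "poison" mode, and an instrumented load that counts reads past the exposed range where KASAN would emit a report. A parser that pulls 1 byte but reads a 4-byte header goes unnoticed in eager mode and is flagged in poison mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LINEAR_ROUNDUP 64 /* assumed: allocator rounds the linear area up to this */

struct model_skb {
    uint8_t data[LINEAR_ROUNDUP];
    size_t len;      /* bytes actually present in the packet */
    size_t pulled;   /* bytes exposed to the parser */
    bool poison;     /* true: expose only what was requested (proposed mode) */
    int violations;  /* reads beyond the exposed range */
};

/* Model of pskb_may_pull(): eager mode exposes the whole rounded-up
 * linear area, poison mode exposes exactly n bytes. */
static bool model_pull(struct model_skb *skb, size_t n)
{
    if (n > skb->len)
        return false;
    skb->pulled = skb->poison ? n : LINEAR_ROUNDUP;
    return true;
}

/* Model of an instrumented load: a read past the exposed range is
 * where KASAN would report an access to poisoned memory. */
static uint8_t model_load(struct model_skb *skb, size_t off)
{
    if (off >= skb->pulled)
        skb->violations++;
    return skb->data[off];
}

/* Parser that pulls hdr_pull bytes and then reads a 4-byte header;
 * hdr_pull == 1 is the under-pulling bug, hdr_pull == 4 is correct. */
static uint32_t parse_header(struct model_skb *skb, size_t hdr_pull)
{
    uint32_t v = 0;
    if (!model_pull(skb, hdr_pull))
        return 0;
    for (size_t i = 0; i < 4; i++)
        v = (v << 8) | model_load(skb, i);
    return v;
}

/* Runs the parser on a constructed 8-byte packet; returns flagged accesses. */
int count_violations(bool poison, size_t hdr_pull)
{
    struct model_skb skb = { .len = 8, .poison = poison };
    const uint8_t pkt[8] = { 0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0 }; /* constructed */
    memcpy(skb.data, pkt, sizeof pkt);
    parse_header(&skb, hdr_pull);
    return skb.violations;
}
```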
Comment 1 Stephen Hemminger 2018-03-08 15:47:50 UTC
Kernel bugzilla is only for upstream kernel code.
It is not used for design discussions (use mailing list) or custom code (not our problem).
Comment 2 Dmitry Vyukov 2018-03-08 15:57:40 UTC
This is all about upstream code. Bugzilla is better than mailing lists, because things get lost on kernel mailing lists too easily.
This is not in networking component. Please don't manage this bug.
