Re: [PATCH net-next v4] net: Implement fault injection forcing skb reallocation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Jakub,

On Wed, Oct 30, 2024 at 05:31:52PM -0700, Jakub Kicinski wrote:
> On Wed, 23 Oct 2024 04:38:01 -0700 Breno Leitao wrote:

> > +  no longer reference valid memory locations. This deliberate invalidation
> > +  helps expose code paths where proper pointer updating is neglected after a
> > +  reallocation event.
> > +
> > +  By creating these controlled fault scenarios, the system can catch instances
> > +  where stale pointers are used, potentially leading to memory corruption or
> > +  system instability.
> > +
> > +  To select the interface to act on, write the network name to the following file:
> > +  `/sys/kernel/debug/fail_skb_realloc/devname`
> > +  If this field is left empty (which is the default value), skb reallocation
> > +  will be forced on all network interfaces.
> 
> Should we mention here that KASAN or some such is needed to catch 
> the bugs? Chances are the resulting UAF will not crash and go unnoticed
> without KASAN.

What about adding something like this in the fail_skb_realloc section in
the fault-injection.rst file:


	The effectiveness of this fault detection is enhanced when KASAN is
	enabled, as it helps identify invalid memory references and
	use-after-free (UAF) issues.


> > --- /dev/null
> > +++ b/net/core/skb_fault_injection.c
> > @@ -0,0 +1,103 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +
> > +#include <linux/fault-inject.h>
> > +#include <linux/netdevice.h>
> > +#include <linux/debugfs.h>
> > +#include <linux/skbuff.h>
> 
> alphabetic sort, please?

I thought I should use the reverse xmas tree structure. I will re-order
them alphabetically.

> > +static void reset_settings(void)
> > +{
> > +	skb_realloc.filtered = false;
> > +	memzero_explicit(&skb_realloc.devname, IFNAMSIZ);
> 
> why _explicit ?

I thought the extra barrier would be helpful, but, it might not. I will
change it to a regular memset() if you think it is better.

> > +static ssize_t devname_write(struct file *file, const char __user *buffer,
> > +			     size_t count, loff_t *ppos)
> > +{
> > +	ssize_t ret;
> > +
> > +	reset_settings();
> > +	ret = simple_write_to_buffer(&skb_realloc.devname, IFNAMSIZ,
> > +				     ppos, buffer, count);
> > +	if (ret < 0)
> > +		return ret;
> 
> the buffer needs to be null terminated, like:
> 
> skb_realloc.devname[IFNAMSIZ - 1] = '\0';
> 
> no?

Yes, but isn't it what the next line do, with strim()?

> > +	strim(skb_realloc.devname);
> > +
> > +	if (strnlen(skb_realloc.devname, IFNAMSIZ))
> > +		skb_realloc.filtered = true;
> > +
> > +	return count;
> > +}

Thanks for the review!
--breno




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux