Tooling and Prerequisites

Static Analysis: Coccinelle

Coccinelle writes semantic patches — structural patterns that match C code based on meaning, not text. This is the right tool for "find all places where sg_set_page is called on a page obtained from splice without an intervening copy."

# Install on Arch
pacman -S coccinelle

# Run kernel's built-in Coccinelle checks
make coccicheck MODE=report

Writing a custom semantic patch

// File: splice-page-write.cocci
// Find: sg_set_page on a page that reaches a consumer without an intervening copy.
// Lines marked '*' are reported in context mode; run with
//   spatch --sp-file splice-page-write.cocci --dir crypto/
// sg_crypto_transform is a stand-in for whatever consumes the scatterlist;
// substitute the real call for the subsystem you are auditing.
@@
expression page, sg, len, off;
@@

* sg_set_page(sg, page, len, off);
  ... when != alloc_page(...)
      when != skb_cow_data(...)
      when != copy_page(...)
* sg_crypto_transform(sg, ...);

Coccinelle is already used in the kernel build system. Learning it gives you a tool the kernel community already trusts, and whose generated patches it already reviews.

Dynamic Analysis: KASAN

Kernel Address Sanitizer (KASAN) detects invalid memory accesses at runtime. Build a debug kernel with KASAN enabled to catch writes to pages that shouldn’t be modified.

# Kernel config options for a debug build
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_KASAN_INLINE=y

# Build and boot in QEMU
make -j$(nproc)
qemu-system-x86_64 -kernel arch/x86/boot/bzImage \
  -append "console=ttyS0 kasan.fault=panic" \
  -nographic -m 2G

KASAN will flag invalid writes to shared pages at runtime, producing a stack trace pointing directly to the offending code path.
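A report only helps if you can get from the stack trace to the code path quickly. The following triage script is an added example, not part of the original page or the kernel tree: it splits a captured console log on KASAN's banner lines, pulls out the bug class, access type, size, address and task, skips KASAN's own reporting frames to find the first frame of interest, and ranks the result. The sample log at the bottom is constructed, and every example_* symbol in it is a placeholder rather than a real kernel function.

```python
# Added example (not from the page or the kernel tree): triage helper for KASAN
# reports read off a debug kernel's console. The log at the bottom is constructed
# and every example_* symbol in it is a placeholder, not a real kernel function.
import re
from dataclasses import dataclass, field

# KASAN's own reporting frames and generic memory helpers; the first trace frame
# that is none of these is the code path worth reading.
INFRA_FRAMES = ("dump_stack", "print_report", "kasan_report", "kasan_check",
                "__asan_", "check_region_inline", "__memcpy", "memcpy", "memset")

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

@dataclass
class KasanReport:
    kind: str      # e.g. slab-out-of-bounds, use-after-free
    func: str      # function named on the BUG: line
    op: str        # Read or Write
    size: int
    addr: str
    task: str
    pid: int
    trace: list = field(default_factory=list)

    @property
    def culprit(self) -> str:
        """First call-trace frame that is not KASAN/memcpy plumbing."""
        return next((f for f in self.trace if not f.startswith(INFRA_FRAMES)), self.func)

    @property
    def severity(self) -> str:
        """Coarse ranking: invalid writes and freed-memory bugs first."""
        if self.op == "Write" or self.kind in ("use-after-free", "double-free", "invalid-free"):
            return "high"
        return "medium" if self.kind.endswith("out-of-bounds") else "review"

    def summary(self) -> str:
        return (f"{self.severity}: {self.kind} {self.op} of {self.size} bytes in "
                f"{self.culprit} (task {self.task}/{self.pid}, addr {self.addr})")

def _strip_prefix(line: str) -> str:
    """Drop the '[   12.345678]' printk timestamp so the regexes see bare text."""
    return re.sub(r"^\[\s*[\d.]+\]", "", line).strip()

def parse_kasan_reports(log: str) -> list:
    """Split a console log on KASAN's '====' banners and parse each report."""
    reports = []
    for chunk in re.split(r"={20,}", log):
        lines = [_strip_prefix(l) for l in chunk.splitlines()]
        header = next((m for m in map(HEADER_RE.search, lines) if m), None)
        access = next((m for m in map(ACCESS_RE.search, lines) if m), None)
        if not header or not access:
            continue                       # banner-only chunk, no report
        trace, in_trace = [], False
        for line in lines:
            if line.startswith("Call Trace:"):
                in_trace = True
            elif in_trace and not line:    # blank line closes the trace block
                break
            elif in_trace and not line.startswith("?"):   # '?' marks unreliable frames
                m = FRAME_RE.match(line)
                if m:
                    trace.append(m.group("func"))
        reports.append(KasanReport(header["kind"], header["func"], access["op"],
                                   int(access["size"]), access["addr"],
                                   access["task"], int(access["pid"]), trace))
    return reports

# Constructed sample log holding two reports; example_* symbols are placeholders.
SAMPLE_LOG = """\
[   12.345678] ==================================================================
[   12.345690] BUG: KASAN: slab-out-of-bounds in example_consume+0x1a4/0x2c0
[   12.345700] Write of size 64 at addr ffff888012345678 by task poc/1234
[   12.345730] Call Trace:
[   12.345740]  <TASK>
[   12.345750]  dump_stack_lvl+0x5c/0x80
[   12.345770]  kasan_report+0xbd/0xf0
[   12.345780]  example_consume+0x1a4/0x2c0
[   12.345790]  example_recvmsg+0x88/0x140
[   12.345800]  sock_recvmsg+0x41/0x60
[   12.345820]
[   12.345860]  example_alloc+0x2f/0x80
[   12.345870] ==================================================================
[   20.000110] BUG: KASAN: use-after-free in example_release+0x3c/0x90
[   20.000120] Read of size 8 at addr ffff888012340000 by task poc/1234
[   20.000140] Call Trace:
[   20.000160]  dump_stack_lvl+0x5c/0x80
[   20.000170]  kasan_report+0xbd/0xf0
[   20.000180]  example_release+0x3c/0x90
[   20.000190]  ? __pfx_example_release+0x10/0x10
[   20.000200]  sock_close+0x1e/0x30
[   20.000220] ==================================================================
"""

if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_LOG):
        print(r.summary())
```

Feed it a real console capture (`qemu ... -nographic | tee boot.log`, then `parse_kasan_reports(open("boot.log").read())`) and the culprit frame gives you the function to open in Elixir; frames KASAN prints with a leading `?` are deliberately dropped because the unwinder does not vouch for them.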

Fuzzing: syzkaller

syzkaller is Google’s coverage-guided kernel fuzzer, purpose-built for finding kernel bugs. It discovered Dirty Pipe and hundreds of other vulnerabilities.

syzkaller generates random sequences of system calls and monitors the kernel for crashes, KASAN reports, and other anomalies. You can write custom syzlang descriptions to focus it on specific subsystems (AF_ALG, splice paths).

Source Browsing

Resource                           URL
Bootlin Elixir (cross-referenced)  elixir.bootlin.com/linux/latest/source
GitHub mirror                      github.com/torvalds/linux
Kernel documentation               docs.kernel.org/
Networking docs                    docs.kernel.org/networking/
Crypto API docs                    docs.kernel.org/crypto/

Debug Kernel VM Setup

Use a throwaway VM — never test kernel exploits on your workstation.

# Create a minimal rootfs with debootstrap or archbootstrap
# Boot custom kernel in QEMU with virtme-ng (recommended)
pip install virtme-ng
vng --build --kconfig CONFIG_KASAN=y CONFIG_CRYPTO_USER_API_AEAD=m

# Or manual QEMU
qemu-system-x86_64 \
  -kernel arch/x86/boot/bzImage \
  -initrd rootfs.cpio.gz \
  -append "console=ttyS0 nokaslr" \
  -nographic -m 4G -smp 2 \
  -enable-kvm

Prerequisites

Kernel vulnerability research requires competency in several areas. These are not gates — they are a path you walk concurrently with research.

Skill                  What You Need                                              Current Status
Kernel C               Pointer arithmetic, reference counting, memory management  Phase 1 of C curriculum
Memory subsystem       Page cache, struct page, vm_area_struct, COW semantics     Study via kernel roadmap
Custom kernel builds   make menuconfig, KASAN, debug options                      Available on home enterprise KVM
splice() / sendfile()  Zero-copy I/O semantics, how page references propagate     Read fs/splice.c + man pages
Coccinelle             Semantic patch language for C                              Install and run make coccicheck first

Practical Starting Points

  1. Read the actual patches — CopyFail (commit a664bf3d603d) and Dirty Frag (f4c50a4034e6) are small and surgical. Understanding why a one-line fix works teaches the surrounding architecture.

  2. Compare algif_aead.c and algif_skcipher.c side-by-side. If one had the bug, does the other?

  3. Set up a throwaway VM with a debug kernel and KASAN enabled. Reproduce CopyFail on a vulnerable kernel version. Seeing the exploit work teaches more than reading about it.

  4. Start with Coccinelle — write structural patterns without manually reading every file.

Responsible Disclosure

If you find a vulnerability:

  • Do not post publicly before the fix is available

  • Email security@kernel.org with the full data flow and PoC

  • Follow the kernel’s disclosure process: docs.kernel.org/process/security-bugs.html

  • Typical embargo: 7-14 days for straightforward fixes

  • Request a CVE via the kernel CVE process or MITRE

The kernel security team values clear, minimal reproductions. Include: affected kernel versions, the exact code path, a PoC program, and the proposed fix if you have one.