| Message ID | 20181023213504.28905-14-igor.stoppa@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | prmem: protected memory |
On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> Some of the data structures used in list management are composed of two
> pointers. Since the kernel is now configured by default to randomize the
> layout of data structures solely composed of pointers,

Isn't this true for function pointers?

On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> Some of the data structures used in list management are composed of two
> pointers. Since the kernel is now configured by default to randomize the
> layout of data structures solely composed of pointers, this might
> prevent correct type punning between these structures and their write
> rare counterpart.

'might' doesn't really work for me. Either it does or it does not.

On Fri, Oct 26, 2018 at 11:32:05AM +0200, Peter Zijlstra wrote:
> On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> > Some of the data structures used in list management are composed of two
> > pointers. Since the kernel is now configured by default to randomize the
> > layout of data structures solely composed of pointers, this might
> > prevent correct type punning between these structures and their write
> > rare counterpart.
>
> 'might' doesn't really work for me. Either it does or it does not.

He means "Depending on the random number generator, the two pointers
might be AB or BA. If they're of opposite polarity (50% of the time),
it _will_ break, and 50% of the time it _won't_ break."

On 24/10/2018 14:43, Alexey Dobriyan wrote:
> On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
>> Some of the data structures used in list management are composed of two
>> pointers. Since the kernel is now configured by default to randomize the
>> layout of data structures solely composed of pointers,
>
> Isn't this true for function pointers?

Yes, you are right. Thanks for pointing this out.
I can drop this patch.

--
igor

On Fri, Oct 26, 2018 at 03:17:07AM -0700, Matthew Wilcox wrote:
> On Fri, Oct 26, 2018 at 11:32:05AM +0200, Peter Zijlstra wrote:
> > On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> > > Some of the data structures used in list management are composed of two
> > > pointers. Since the kernel is now configured by default to randomize the
> > > layout of data structures solely composed of pointers, this might
> > > prevent correct type punning between these structures and their write
> > > rare counterpart.
> >
> > 'might' doesn't really work for me. Either it does or it does not.
>
> He means "Depending on the random number generator, the two pointers
> might be AB or BA. If they're of opposite polarity (50% of the time),
> it _will_ break, and 50% of the time it _won't_ break."

So don't do that then. If he were to include struct list_head inside his
prlist_head, then there is only the one randomization and things will
just work.

Also, I really don't see why he needs that second type and all that type
punning crap in the first place.

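The two points made in the thread above (punning between two separately declared pointer-only structs works only when the randomized member orders happen to agree; embedding `struct list_head` inside the write-rare type avoids the problem entirely) can be shown in plain userspace C. The program below is an added illustration, not code from the patch series or from anyone in the thread. `struct prlist_head_punned` and `struct prlist_head_embedded` are hypothetical stand-ins for the series' write-rare list type, and the reversed member order in the punned variant is written by hand to represent one of the two layouts the randstruct plugin could pick; nothing here invokes the plugin itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Plain doubly-linked list head, with the members of include/linux/types.h. */
struct list_head {
	struct list_head *next;
	struct list_head *prev;
};

/*
 * Hypothetical write-rare counterpart declared as a separate type with the
 * same two pointer members. The members are spelled in the opposite order on
 * purpose: a struct made only of pointers is a randomization candidate, and
 * when two such types are randomized independently their member order agrees
 * only by chance (the "AB or BA" case from the thread). Constructed for this
 * example; the series' real prlist_head is not reproduced here.
 */
struct prlist_head_punned {
	struct prlist_head_punned *prev;
	struct prlist_head_punned *next;
};

/* Embedding, as suggested in the review: wrap the real list_head by value. */
struct prlist_head_embedded {
	struct list_head list;
};

/* Reinterpret a list_head as prlist_head_punned through a union (type punning). */
union pun {
	struct list_head lh;
	struct prlist_head_punned pr;
};

/* Does reading "next" through the punned type yield list_head's "next"? */
bool punning_preserves_next(void)
{
	struct list_head a, b;	/* constructed sentinels, never dereferenced */
	union pun u;

	u.lh.next = &a;
	u.lh.prev = &b;

	/* With the layouts disagreeing, pr.next overlays lh.prev and returns &b. */
	return (struct list_head *)u.pr.next == &a;
}

/* The embedded form needs no punning: the member is reached by name. */
bool embedding_preserves_next(void)
{
	struct list_head a, b;
	struct prlist_head_embedded e;

	e.list.next = &a;
	e.list.prev = &b;

	return e.list.next == &a;
}

/* Do the two separately declared types place "next" at the same offset? */
bool next_offsets_match(void)
{
	return offsetof(struct list_head, next) ==
	       offsetof(struct prlist_head_punned, next);
}

int main(void)
{
	printf("offset of next: list_head=%zu prlist_head_punned=%zu\n",
	       offsetof(struct list_head, next),
	       offsetof(struct prlist_head_punned, next));
	printf("punning preserves next:   %s\n",
	       punning_preserves_next() ? "yes" : "no");
	printf("embedding preserves next: %s\n",
	       embedding_preserves_next() ? "yes" : "no");
	return 0;
}
```

The union is used for the reinterpretation because GCC documents reading a different union member than the one last written as well-defined, so the result shows the layout mismatch rather than an aliasing optimization. Compiled with the kernel's actual randstruct plugin, the two standalone types would disagree on half of the seeds, which is why the thread's advice is to embed the one `struct list_head` rather than opt both types out of randomization.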
diff --git a/include/linux/types.h b/include/linux/types.h index 53609bbdcf0f..a9f6f6515fdc 100644 --- a/include/linux/types.h +++ b/include/linux/types.h @@ -187,12 +187,12 @@ typedef struct { struct list_head { struct list_head *next __aligned(sizeof(void *)); struct list_head *prev __aligned(sizeof(void *)); -} __aligned(sizeof(void *)); +} __no_randomize_layout __aligned(sizeof(void *)); struct hlist_node { struct hlist_node *next __aligned(sizeof(void *)); struct hlist_node **pprev __aligned(sizeof(void *)); -} __aligned(sizeof(void *)); +} __no_randomize_layout __aligned(sizeof(void *)); #else struct list_head { struct list_head *next, *prev;
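Review bot: adding `__no_randomize_layout` to the type definitions of `struct list_head` and `struct hlist_node` opts every user of those types in the kernel out of randomization, not only the write-rare lists this series introduces; since the attribute is applied only in the `__aligned(sizeof(void *))` branch and the plain `#else` definitions (`struct list_head *next, *prev;`) are left untouched, the commit message should name the config symbol that selects the first branch so reviewers can confirm the "only when write rare is enabled" claim from the hunk itself. As the thread notes, embedding a `struct list_head` inside the write-rare type would remove the need for type punning and for this attribute altogether, which seems preferable to giving up randstruct coverage on the kernel's most widely used list types.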
Some of the data structures used in list management are composed of two
pointers. Since the kernel is now configured by default to randomize the
layout of data structures solely composed of pointers, this might
prevent correct type punning between these structures and their write
rare counterpart.

It shouldn't be a big loss anyway, in terms of security: with only two
fields, there is a 50% chance of guessing the layout correctly.

The randomization is disabled only when write rare is enabled.

Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Kees Cook <keescook@chromium.org>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Masahiro Yamada <yamada.masahiro@socionext.com>
CC: Alexey Dobriyan <adobriyan@gmail.com>
CC: Pekka Enberg <penberg@kernel.org>
CC: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
CC: Lihao Liang <lianglihao@huawei.com>
CC: linux-kernel@vger.kernel.org
---
 include/linux/types.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)