From patchwork Mon Oct 31 14:04:01 2016
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 9405499
From: Jann Horn
To: Andrew Morton, Michal Hocko, Ingo Molnar, Andy Lutomirski, Kees Cook
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Daniel Micay
Date: Mon, 31 Oct 2016 15:04:01 +0100
Message-Id: <1477922641-2221-1-git-send-email-jann@thejh.net>
X-Mailer: git-send-email 2.1.4
Subject: [kernel-hardening] [PATCH] fork: make whole stack_canary random

On machines with sizeof(unsigned long)==8, this ensures that the more significant 32 bits of stack_canary are random, too.
stack_canary is defined as unsigned long, all the architectures with stack protector support already pick the stack_canary of init as a random unsigned long, and get_random_long() should be as fast as get_random_int(), so there seems to be no good reason against this.

This should help if someone tries to guess a stack canary with brute force.

(This change has been made in PaX already, with a different RNG.)

Signed-off-by: Jann Horn
Acked-by: Kees Cook
--- kernel/fork.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/fork.c b/kernel/fork.c index 623259fc794d..d577e2c5d14f 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -518,7 +518,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) set_task_stack_end_magic(tsk); #ifdef CONFIG_CC_STACKPROTECTOR - tsk->stack_canary = get_random_int(); + tsk->stack_canary = get_random_long(); #endif /*
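Review bot: The assignment to tsk->stack_canary in dup_task_struct() has no comment saying why the full-width call is required, so the reason lives only in the commit message and a later cleanup could narrow it back to get_random_int() without noticing the loss. A one-line comment above the assignment, inside the CONFIG_CC_STACKPROTECTOR block, stating that stack_canary is an unsigned long and all of its bits must be random would keep the intent next to the code. Since this line runs in dup_task_struct() in kernel/fork.c, it would also help to back the "should be as fast as get_random_int()" statement with a measurement, or to say in the message that none was taken.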