Some of the data structures used in list management are composed of two
pointers. Since the kernel is now configured by default to randomize the
layout of data structures solely composed of pointers, this might
prevent correct type punning between these structures and their write
rare counterpart.
It shouldn't be a big loss anyway, in terms of security: with only two
fields, there is a 50% chance of guessing the layout correctly.
The randomization is disabled only when write rare is enabled.
Signed-off-by: Igor Stoppa <[email protected]>
CC: Kees Cook <[email protected]>
CC: Greg Kroah-Hartman <[email protected]>
CC: Andrew Morton <[email protected]>
CC: Masahiro Yamada <[email protected]>
CC: Alexey Dobriyan <[email protected]>
CC: Pekka Enberg <[email protected]>
CC: "Paul E. McKenney" <[email protected]>
CC: Lihao Liang <[email protected]>
CC: [email protected]
---
include/linux/types.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/types.h b/include/linux/types.h
index 53609bbdcf0f..a9f6f6515fdc 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -187,12 +187,12 @@ typedef struct {
struct list_head {
struct list_head *next __aligned(sizeof(void *));
struct list_head *prev __aligned(sizeof(void *));
-} __aligned(sizeof(void *));
+} __no_randomize_layout __aligned(sizeof(void *));
struct hlist_node {
struct hlist_node *next __aligned(sizeof(void *));
struct hlist_node **pprev __aligned(sizeof(void *));
-} __aligned(sizeof(void *));
+} __no_randomize_layout __aligned(sizeof(void *));
#else
struct list_head {
struct list_head *next, *prev;
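Review bot: the `__no_randomize_layout` added to `struct list_head` and `struct hlist_node` is very likely a no-op, and the justification in the commit message does not hold: randstruct automatically randomizes only structures composed entirely of function pointers (plus those explicitly marked `__randomize_layout`), and both structures here contain only data pointers (`next`/`prev`, `next`/`pprev`), so they were never candidates for randomization in the first place. If the write-rare counterpart needs to stay layout-compatible, embedding `struct list_head` in that type removes the type-punning hazard without any annotation. Separately, the hunk context does not show the `#if` condition guarding this branch, so the commit message's claim that "the randomization is disabled only when write rare is enabled" cannot be checked from the diff; naming the config symbol in the message would make that verifiable.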
--
2.17.1
On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> Some of the data structures used in list management are composed of two
> pointers. Since the kernel is now configured by default to randomize the
> layout of data structures solely composed of pointers,
Isn't this true for function pointers?
On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> Some of the data structures used in list management are composed of two
> pointers. Since the kernel is now configured by default to randomize the
> layout of data structures solely composed of pointers, this might
> prevent correct type punning between these structures and their write
> rare counterpart.
'might' doesn't really work for me. Either it does or it does not.
On Fri, Oct 26, 2018 at 11:32:05AM +0200, Peter Zijlstra wrote:
> On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> > Some of the data structures used in list management are composed of two
> > pointers. Since the kernel is now configured by default to randomize the
> > layout of data structures solely composed of pointers, this might
> > prevent correct type punning between these structures and their write
> > rare counterpart.
>
> 'might' doesn't really work for me. Either it does or it does not.
He means "Depending on the random number generator, the two pointers
might be AB or BA. If they're of opposite polarity (50% of the time),
it _will_ break, and 50% of the time it _won't_ break."
On 24/10/2018 14:43, Alexey Dobriyan wrote:
> On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
>> Some of the data structures used in list management are composed of two
>> pointers. Since the kernel is now configured by default to randomize the
>> layout of data structures solely composed of pointers,
>
> Isn't this true for function pointers?
Yes, you are right.
Thanks for pointing this out.
I can drop this patch.
--
igor
On Fri, Oct 26, 2018 at 03:17:07AM -0700, Matthew Wilcox wrote:
> On Fri, Oct 26, 2018 at 11:32:05AM +0200, Peter Zijlstra wrote:
> > On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
> > > Some of the data structures used in list management are composed of two
> > > pointers. Since the kernel is now configured by default to randomize the
> > > layout of data structures solely composed of pointers, this might
> > > prevent correct type punning between these structures and their write
> > > rare counterpart.
> >
> > 'might' doesn't really work for me. Either it does or it does not.
>
> He means "Depending on the random number generator, the two pointers
> might be AB or BA. If they're of opposite polarity (50% of the time),
> it _will_ break, and 50% of the time it _won't_ break."
So don't do that then. If he were to include struct list_head inside his
prlist_head, then there is only the one randomization and things will
just work.
Also, I really don't see why he needs that second type and all that type
punning crap in the first place.
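The two approaches discussed in the thread, as an added userspace C example that is not part of the thread, the patch or the kernel tree: `prlist_head_punned` and `prlist_head_embedded` are hypothetical names standing in for the write-rare counterpart type, and the reversed field order in `prlist_head_punned` simulates the layout an independently randomized struct could end up with (the "50% of the time it will break" case). The embedded variant follows Peter's suggestion: there is only one `struct list_head` definition, so whatever layout it has is seen by both sides, and the outer object is recovered with container_of-style arithmetic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Doubly linked list node with the field order of the kernel's struct list_head. */
struct list_head {
	struct list_head *next;
	struct list_head *prev;
};

/*
 * Hypothetical write-rare counterpart declared as an independent type.
 * The field order is deliberately the reverse of struct list_head: this
 * stands in for a layout that a randomizing compiler plugin could choose
 * for this type independently of struct list_head.
 */
struct prlist_head_punned {
	struct prlist_head_punned *prev;
	struct prlist_head_punned *next;
};

/* Alternative: embed struct list_head, so only one layout exists. */
struct prlist_head_embedded {
	struct list_head list;
};

/*
 * Type punning: the bytes of a prlist_head_punned are reinterpreted as a
 * struct list_head (done with memcpy rather than a pointer cast so the
 * demonstration stays free of strict-aliasing undefined behaviour).
 * Returns 1 if the punned view's ->next still points at the real successor,
 * 0 if the mismatched layouts make ->next read the predecessor instead.
 */
int punned_view_next_is_correct(void)
{
	struct prlist_head_punned node, succ, pred;
	struct list_head view;

	node.next = &succ;
	node.prev = &pred;
	memcpy(&view, &node, sizeof(view));

	return view.next == (struct list_head *)&succ;
}

/*
 * Embedding: the list_head inside prlist_head_embedded is accessed through
 * its own type, and offsetof-based (container_of-style) arithmetic recovers
 * the enclosing object. Returns 1 if both directions agree.
 */
int embedded_view_next_is_correct(void)
{
	struct prlist_head_embedded node, succ, pred;
	struct list_head *view = &node.list;
	struct prlist_head_embedded *outer;

	node.list.next = &succ.list;
	node.list.prev = &pred.list;

	outer = (struct prlist_head_embedded *)
		((char *)view - offsetof(struct prlist_head_embedded, list));

	return view->next == &succ.list && outer == &node;
}

int main(void)
{
	printf("punned view sees the correct next: %d\n",
	       punned_view_next_is_correct());
	printf("embedded view sees the correct next: %d\n",
	       embedded_view_next_is_correct());
	return 0;
}
```

The punned variant only works while the two independent definitions happen to agree on field order, which is exactly what a per-struct layout randomization cannot guarantee; the embedded variant has a single definition to randomize and therefore nothing to disagree with.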