Received: by 10.223.185.116 with SMTP id b49csp1273218wrg;
        Wed, 21 Feb 2018 15:35:35 -0800 (PST)
X-Google-Smtp-Source: AH8x2262+IpynovrxSGjKz41L8mMlJWgAmXe2kbOHNHkDjvEZktKx3TBLUlmEp9tdWVOfNEkK5Sg
X-Received: by 2002:a17:902:8f89:: with SMTP id z9-v6mr4713193plo.370.1519256135009;
        Wed, 21 Feb 2018 15:35:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519256134; cv=none;
        d=google.com; s=arc-20160816;
        b=PFxgeqVJt3H1yPXjS7VrBocRsZRYJYmr4QThu9oO8Pj7YTpDCK3bd/e34/S+X7SqEL
         AHkliISUt1m8B7FukI7JrWQUiiLF3OTrlcjZaYtRROg87Y4UaXaYVAgFkhIrIM0VtuWl
         bdNX2wUxr447roQtsDDt9huRZdZkFfwHFF3RAG0qxKpF30zzXJVMyjTWv3a6tt28klO/
         NyUitZfJZeHzOfUJjrthL3Bk/dKtWcVh4jZtNTHoWF+DPyzGdv+pBuh8csQiFK5dalFz
         ql6pxDddbWyVB9X+EgCmbu5ochE1zh8UaYotUdfG199VKQtt2GJzjC7t+o7Wp7uuKhXe
         FePg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:dkim-signature:arc-authentication-results;
        bh=o6DqJNfOgH3nYE82vx50b9CcHkB0V50Dl3KssZOVJi8=;
        b=NVbwv1CA8KnzmXbMOSsXdWFuZWuG1q/ek/NDI87tKF/gJHoIA2+btYsS3Mr1U7MJjh
         OGR4TA3oAazut1rZKKIApUyE2TA1Q1N5jqWe3KWDKcp/aYzrIEimEEpBmjMRa2vcTSPP
         3MZk6k23m7xSSrvBpfFGKSEsBkxGPYNxv493PGLfzP96Gg5/KdVK5fA+nHaDvV5OL+WY
         vosT1aMpm5p8hWrnaSxXnLSvOhV5Ecm801K7EkO9PjmXFABeNeIA3wMrE48fLa7BZLHZ
         utQ5wfx9IOasRwHU1++CtEuedP+ku5ZdkkEhnrdAtu1A0BkGgwGXDi8VI3HVKUQGr3zt
         EdjQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=nJ0R1NhD;
       dkim=fail header.i=@chromium.org header.s=google header.b=EGVutQ1J;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f5-v6si2333892plf.223.2018.02.21.15.35.20;
        Wed, 21 Feb 2018 15:35:34 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=nJ0R1NhD;
       dkim=fail header.i=@chromium.org header.s=google header.b=EGVutQ1J;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751276AbeBUXei (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 21 Feb 2018 18:34:38 -0500
Received: from mail-vk0-f66.google.com ([209.85.213.66]:45629 "EHLO
        mail-vk0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751017AbeBUXeg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Feb 2018 18:34:36 -0500
Received: by mail-vk0-f66.google.com with SMTP id k187so2047589vke.12
        for <linux-kernel@vger.kernel.org>; Wed, 21 Feb 2018 15:34:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-transfer-encoding;
        bh=o6DqJNfOgH3nYE82vx50b9CcHkB0V50Dl3KssZOVJi8=;
        b=nJ0R1NhDtGxchjPPyD7qs/WY+y8eljAMSi8QhFbnP7abbYIQyYdav7f7juDvrGtcLn
         CUwchvlkMAvBxia3u8jPlEsRkFTbsPoJLMfYkn6PFkgijo6ByCTF7Rl1RIfUC//fD6Xi
         MEWHam1JiJ+EnV4SmpHRfKSb23QOwUupamiQ66JNFQeqQkyR+ey1VnAtUqBlQThhm5nV
         Slo5oVrkHMK0+X4DPDOlwiQz3xg9w7cbDv6IGuAOE+VH91Zgk+agx0TFA5ggHsE9fEO0
         McKL8NHvevcWYpkpj5YQY67UrKEvZn9uVqRR5/DOytY9OV/t7OAHjC8l2wi8NjrvJet3
         Cxjg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-transfer-encoding;
        bh=o6DqJNfOgH3nYE82vx50b9CcHkB0V50Dl3KssZOVJi8=;
        b=EGVutQ1JBr5elLLbdy7lBt4US4SJD2kVuRUM2iQM8PPvTxsKLxUbJufTCrTqUOO+1A
         S8I7+gX+ZYu2v0ZypczqbED4BA6QhkbO/dM8QcmWNwYI6T/2cooYpiX5/H6ZwPz5F085
         Zg8wOmtQs5CVWrPB015E3q+ZlHSyumI0I9Ks0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-transfer-encoding;
        bh=o6DqJNfOgH3nYE82vx50b9CcHkB0V50Dl3KssZOVJi8=;
        b=nUNomyW5SZ1wBLE+t9S8C7iXntvQdzl2uu53PeqA00uPKssm91mfm9p24JDjUGdaTg
         C3uVVFYQXQvy/7rZZlxthxoCMz4AbcrDTiV3sxe5it/ZDSBzy3WJ93BxDhyNtEA5OwJI
         5OsZj4/PepgegjfdsQK7Z9qQ9XuGpJpFDga5/NRjv9He5ok/j5hHcagEiCJ/xWddRi3x
         7uoG+skwtdFOsPZSd3CKEgtEGXLp8lg4y7MPNObp9+OOyg2EQ/58euFgpDB7eU8kDd8L
         9lhn2OmnHI8hNQRowjN6aGzgMfS+XZIeWZaEWKlbKWPF2NLItFib8CddJrpjJkA221qe
         KxAg==
X-Gm-Message-State: APf1xPDVMDGI6cX8YlI+1VSZHblAvz05ajxwQutrFqMFg20kQnLavRUM
        KkoLNpVGpyGilgzRtOb6GeAd+IkXx50JQtqrF8ybjw==
X-Received: by 10.31.47.194 with SMTP id v185mr3673331vkv.121.1519256075494;
 Wed, 21 Feb 2018 15:34:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.242.140 with HTTP; Wed, 21 Feb 2018 15:34:34 -0800 (PST)
In-Reply-To: <CA+55aFz-AD8rWb66rjN-YhAtPXukMiGSFfW3nBMCp8k1RYUvOQ@mail.gmail.com>
References: <CAGXu5jLc_A1w4FM8FvQHGSPjLfOu80L_vbt_FkcE6+Bh_XMjxw@mail.gmail.com>
 <6be06ce5-87e6-0d9d-55b9-6c70c3578ecf@maciej.szmigiero.name> <CA+55aFz-AD8rWb66rjN-YhAtPXukMiGSFfW3nBMCp8k1RYUvOQ@mail.gmail.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Wed, 21 Feb 2018 15:34:34 -0800
X-Google-Sender-Auth: vGP1LJdVqZuU7F5i1OK_bfc07_E
Message-ID: <CAGXu5jK3ZEs5SauEMHA3BnAyM1zbOkoG5cbM3B44_67TH1EZ=A@mail.gmail.com>
Subject: Re: RANDSTRUCT structs need linux/compiler_types.h (Was: [nfsd4]
 potentially hardware breaking regression in 4.14-rc and 4.13.11)
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>,
        Patrick McLean <chutzpah@gentoo.org>,
        Emese Revfy <re.emese@gmail.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Bruce Fields <bfields@redhat.com>,
        "Darrick J. Wong" <darrick.wong@oracle.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        Thorsten Leemhuis <regressions@leemhuis.info>,
        "kernel-hardening@lists.openwall.com" 
        <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 21, 2018 at 2:47 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> And other attribute specifiers we encourage people to put in other
> parts of the type, like __user etc, so they don't have that same
> parsing issue.

Looking at other attributes we use on structs, we may have similar
risks for these:

__packed
____cacheline_aligned
____cacheline_aligned_in_smp
____cacheline_internodealigned_in_smp

But they just haven't been used in places that we could trip over it
as badly, AFAICT.

> I guess one _extreme_ fix for this would be to put
>
>     extern struct nostruct __randomize_layout;
>
> in our include/linux/kconfig.h, which I think we end up always
> including first thanks to having it on the command line.

We could do that for all the above, but I wonder if the real problem
is our convention of using "regular" names for these kinds of
attributes instead of parameterized names. If we always used something
like:

#define __struct(x)   __attribute__(x)

We'd avoid it, but we'd uglify our struct attributes:

struct thing { ... } __struct(randomize_layout);

though trying this now creates other problems. Hmmm.

(Regardless, let me send the nfs fix separately...)

-Kees

>
> Because if you do that, you actually get an error:
>
>     CC [M]  fs/nfsd/nfs4xdr.o
>   In file included from ./include/linux/fs_struct.h:5:0,
>                    from fs/nfsd/nfs4xdr.c:36:
>   ./include/linux/path.h:11:3: error: conflicting types for =E2=80=98__ra=
ndomize_layout=E2=80=99
>    } __randomize_layout;
>      ^~~~~~~~~~~~~~~~~~
>   In file included from <command-line>:0:0:
>   ././include/linux/kconfig.h:8:28: note: previous declaration of
> =E2=80=98__randomize_layout=E2=80=99 was here
>        extern struct nostruct __randomize_layout;
>                               ^~~~~~~~~~~~~~~~~~
>   make[1]: *** [scripts/Makefile.build:317: fs/nfsd/nfs4xdr.o] Error 1
>
> and we would have figured this out immediately.
>
> Broken example patch appended, in case somebody wants to play with
> something like this or comes up with a better model entirely..
>
>                Linus
>
> ---
>
> diff --git a/include/linux/kconfig.h b/include/linux/kconfig.h
> index fec5076eda91..537dacb83380 100644
> --- a/include/linux/kconfig.h
> +++ b/include/linux/kconfig.h
> @@ -4,6 +4,10 @@
>
>  #include <generated/autoconf.h>
>
> +#ifndef __ASSEMBLY__
> + extern struct nostruct __randomize_layout;
> +#endif
> +
>  #define __ARG_PLACEHOLDER_1 0,
>  #define __take_second_arg(__ignored, val, ...) val



--=20
Kees Cook
Pixel Security