* [PATCH v5 0/3] Replace invocations of prandom_u32() with get_random_u32()
@ 2023-04-15 17:35 david.keisarschm
0 siblings, 0 replies; 2+ messages in thread
From: david.keisarschm @ 2023-04-15 17:35 UTC (permalink / raw)
To: linux-kernel
Cc: Jason, linux-mm, akpm, vbabka, 42.hyeyoo, mingo, hpa, keescook,
David Keisar Schmidt, ilay.bahat1, aksecurity
From: David Keisar Schmidt <david.keisarschm@mail.huji.ac.il>
Hi,
The security improvements for prandom_u32 done in commits c51f8f88d705
from October 2020 and d4150779e60f from May 2022 didn't handle the cases
when prandom_bytes_state() and prandom_u32_state() are used.
Specifically, this weak randomization takes place in three cases:
1. mm/slab.c
2. mm/slab_common.c
3. arch/x86/mm/kaslr.c
The first two invocations (mm/slab.c, mm/slab_common.c) are used to create
randomization in the slab allocator freelists.
This is done to make sure attackers can’t obtain information on the heap state.
The last invocation, inside arch/x86/mm/kaslr.c,
randomizes the virtual address space of kernel memory regions.
Hence, we have added the necessary changes to make those randomizations stronger,
switching prandom_u32 instance to siphash.
Changes since v4:
* This fifth series changes only the arch/x86/mm/kaslr patch.
In particular, we replaced the use of prandom_bytes_state and
prandom_seed_state with siphash inside arch/x86/mm/kaslr.c.
Changes since v3:
* edited commit messages
Changes since v2:
* edited commit message.
* replaced instances of get_random_u32 with get_random_u32_below
in mm/slab.c, mm/slab_common.c
Regards,
David Keisar Schmidt (3):
Replace invocation of weak PRNG in mm/slab.c
Replace invocation of weak PRNG inside mm/slab_common.c
Replace invocation of weak PRNG in arch/x86/mm/kaslr.c
arch/x86/mm/kaslr.c | 18 +-
include/uapi/linux/netfilter/xt_connmark.h | 40 +-
include/uapi/linux/netfilter/xt_dscp.h | 27 +-
include/uapi/linux/netfilter/xt_mark.h | 17 +-
include/uapi/linux/netfilter/xt_rateest.h | 38 +-
include/uapi/linux/netfilter/xt_tcpmss.h | 13 +-
include/uapi/linux/netfilter_ipv4/ipt_ecn.h | 40 +-
include/uapi/linux/netfilter_ipv4/ipt_ttl.h | 14 +-
include/uapi/linux/netfilter_ipv6/ip6t_hl.h | 14 +-
mm/slab.c | 25 +-
mm/slab_common.c | 11 +-
net/netfilter/xt_dscp.c | 149 ++++---
net/netfilter/xt_hl.c | 164 +++++---
net/netfilter/xt_rateest.c | 282 ++++++++-----
net/netfilter/xt_tcpmss.c | 378 ++++++++++++++----
...Z6.0+pooncelock+pooncelock+pombonce.litmus | 12 +-
16 files changed, 815 insertions(+), 427 deletions(-)
--
2.37.3
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH v5 0/3] Replace invocations of prandom_u32() with get_random_u32()
@ 2023-04-16 17:20 david.keisarschm
0 siblings, 0 replies; 2+ messages in thread
From: david.keisarschm @ 2023-04-16 17:20 UTC (permalink / raw)
To: linux-kernel
Cc: Jason, linux-mm, akpm, vbabka, 42.hyeyoo, mingo, hpa, keescook,
David Keisar Schmidt, ilay.bahat1, aksecurity
From: David Keisar Schmidt <david.keisarschm@mail.huji.ac.il>
Hi,
The security improvements for prandom_u32 done in commits c51f8f88d705
from October 2020 and d4150779e60f from May 2022 didn't handle the cases
when prandom_bytes_state() and prandom_u32_state() are used.
Specifically, this weak randomization takes place in three cases:
1. mm/slab.c
2. mm/slab_common.c
3. arch/x86/mm/kaslr.c
The first two invocations (mm/slab.c, mm/slab_common.c) are used to create
randomization in the slab allocator freelists.
This is done to make sure attackers can’t obtain information on the heap state.
The last invocation, inside arch/x86/mm/kaslr.c,
randomizes the virtual address space of kernel memory regions.
Hence, we have added the necessary changes to make those randomizations stronger,
switching prandom_u32 instance to siphash.
Changes since v4:
* This fifth series changes only the arch/x86/mm/kaslr patch.
In particular, we replaced the use of prandom_bytes_state and
prandom_seed_state with siphash inside arch/x86/mm/kaslr.c.
Changes since v3:
* edited commit messages
Changes since v2:
* edited commit message.
* replaced instances of get_random_u32 with get_random_u32_below
in mm/slab.c, mm/slab_common.c
Regards,
David Keisar Schmidt (3):
Replace invocation of weak PRNG in mm/slab.c
Replace invocation of weak PRNG inside mm/slab_common.c
Replace invocation of weak PRNG in arch/x86/mm/kaslr.c
arch/x86/mm/kaslr.c | 18 +-
include/uapi/linux/netfilter/xt_connmark.h | 40 +-
include/uapi/linux/netfilter/xt_dscp.h | 27 +-
include/uapi/linux/netfilter/xt_mark.h | 17 +-
include/uapi/linux/netfilter/xt_rateest.h | 38 +-
include/uapi/linux/netfilter/xt_tcpmss.h | 13 +-
include/uapi/linux/netfilter_ipv4/ipt_ecn.h | 40 +-
include/uapi/linux/netfilter_ipv4/ipt_ttl.h | 14 +-
include/uapi/linux/netfilter_ipv6/ip6t_hl.h | 14 +-
mm/slab.c | 25 +-
mm/slab_common.c | 11 +-
net/netfilter/xt_dscp.c | 149 ++++---
net/netfilter/xt_hl.c | 164 +++++---
net/netfilter/xt_rateest.c | 282 ++++++++-----
net/netfilter/xt_tcpmss.c | 378 ++++++++++++++----
...Z6.0+pooncelock+pooncelock+pombonce.litmus | 12 +-
16 files changed, 815 insertions(+), 427 deletions(-)
--
2.37.3
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-04-16 17:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-15 17:35 [PATCH v5 0/3] Replace invocations of prandom_u32() with get_random_u32() david.keisarschm
2023-04-16 17:20 david.keisarschm
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).