On mar., 2015-09-22 at 15:24 +0300, Dan Carpenter wrote:
> On Mon, Aug 24, 2015 at 09:35:50AM -0700, Kees Cook wrote:
> > As an example, making the kernel code memory read-only means an
> > attacker cannot just directly change the kernel's execution path when
> > they use an arbitrary memory-writing flaw.
> 
> Part of the problem is that C defaults to writable and you have to
> explicitly add a const if you want it read only.  Then when you are
> reading the code and you see:
> 
> static struct uvc_format_desc uvc_fmts[] = {
> 
> You can't immediately tell if it is writeable because it needs to be or
> because that's just the default.  We should make a new keyword that
> means non constant then we could grep for structs which have a function
> pointer and complain if they weren't specified as const or __writable.
> 
> Maybe there is a way to do this with GCC attributes but I have never
> used them before and I couldn't immediately see how to do it.

If you look at the constify plugin (part of PaX), you'll see it uses a
gcc plugin to do something like this for structure containing only
function pointers. Historically it was done manually by adding “const”
where needed.

Now with the gcc plugin it's the opposite. All structure like these are
const by default, and a no_const attribute has been added for some of
them (around a hundred afair).

Regards,
-- 
Yves-Alexis