Kernel-hardening archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] randstruct: fix a bug in is_pure_ops_struct()
@ 2019-07-27 15:58 Joonwon Kang
  2019-07-30 17:11 ` Kees Cook
  0 siblings, 1 reply; 3+ messages in thread
From: Joonwon Kang @ 2019-07-27 15:58 UTC (permalink / raw)
  To: keescook; +Cc: re.emese, kernel-hardening, linux-kernel, kernel-janitors

Before this, there were false negatives in the case where a struct
contains other structs which contain only function pointers because
of unreachable code in is_pure_ops_struct().

Signed-off-by: Joonwon Kang <kjw1627@gmail.com>
---
 scripts/gcc-plugins/randomize_layout_plugin.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
index 6d5bbd31db7f..a123282a4fcd 100644
--- a/scripts/gcc-plugins/randomize_layout_plugin.c
+++ b/scripts/gcc-plugins/randomize_layout_plugin.c
@@ -443,13 +443,12 @@ static int is_pure_ops_struct(const_tree node)
 		if (node == fieldtype)
 			continue;
 
-		if (!is_fptr(fieldtype))
-			return 0;
-
-		if (code != RECORD_TYPE && code != UNION_TYPE)
-			continue;
+		if (code == RECORD_TYPE || code == UNION_TYPE) {
+			if (!is_pure_ops_struct(fieldtype))
+				return 0;
+		}
 
-		if (!is_pure_ops_struct(fieldtype))
+		if (!is_fptr(fieldtype))
 			return 0;
 	}
 
-- 
2.17.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] randstruct: fix a bug in is_pure_ops_struct()
  2019-07-27 15:58 [PATCH] randstruct: fix a bug in is_pure_ops_struct() Joonwon Kang
@ 2019-07-30 17:11 ` Kees Cook
  2019-07-31 16:25   ` Joonwon Kang
  0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2019-07-30 17:11 UTC (permalink / raw)
  To: Joonwon Kang; +Cc: re.emese, kernel-hardening, linux-kernel, kernel-janitors

On Sun, Jul 28, 2019 at 12:58:41AM +0900, Joonwon Kang wrote:
> Before this, there were false negatives in the case where a struct
> contains other structs which contain only function pointers because
> of unreachable code in is_pure_ops_struct().

Ah, very true. Something like:

struct internal {
	void (*callback)(void);
};

struct wrapper {
	struct internal foo;
	void (*other_callback)(void);
};

would have not been detected as is_pure_ops_struct()?

How did you notice this? (Are there cases of this in the kernel?)

> Signed-off-by: Joonwon Kang <kjw1627@gmail.com>

Applied; thanks!

-Kees

> ---
>  scripts/gcc-plugins/randomize_layout_plugin.c | 11 +++++------
>  1 file changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
> index 6d5bbd31db7f..a123282a4fcd 100644
> --- a/scripts/gcc-plugins/randomize_layout_plugin.c
> +++ b/scripts/gcc-plugins/randomize_layout_plugin.c
> @@ -443,13 +443,12 @@ static int is_pure_ops_struct(const_tree node)
>  		if (node == fieldtype)
>  			continue;
>  
> -		if (!is_fptr(fieldtype))
> -			return 0;
> -
> -		if (code != RECORD_TYPE && code != UNION_TYPE)
> -			continue;
> +		if (code == RECORD_TYPE || code == UNION_TYPE) {
> +			if (!is_pure_ops_struct(fieldtype))
> +				return 0;
> +		}
>  
> -		if (!is_pure_ops_struct(fieldtype))
> +		if (!is_fptr(fieldtype))
>  			return 0;
>  	}
>  
> -- 
> 2.17.1
> 

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] randstruct: fix a bug in is_pure_ops_struct()
  2019-07-30 17:11 ` Kees Cook
@ 2019-07-31 16:25   ` Joonwon Kang
  0 siblings, 0 replies; 3+ messages in thread
From: Joonwon Kang @ 2019-07-31 16:25 UTC (permalink / raw)
  To: Kees Cook
  Cc: re.emese, kernel-hardening, linux-kernel, kernel-janitors, jinb.park7

On Tue, Jul 30, 2019 at 10:11:19AM -0700, Kees Cook wrote:
> On Sun, Jul 28, 2019 at 12:58:41AM +0900, Joonwon Kang wrote:
> > Before this, there were false negatives in the case where a struct
> > contains other structs which contain only function pointers because
> > of unreachable code in is_pure_ops_struct().
> 
> Ah, very true. Something like:
> 
> struct internal {
> 	void (*callback)(void);
> };
> 
> struct wrapper {
> 	struct internal foo;
> 	void (*other_callback)(void);
> };
> 
> would have not been detected as is_pure_ops_struct()?
> 
> How did you notice this? (Are there cases of this in the kernel?)

When I compiled kernel with allyesconfig, there seemed to be no such cases,
but I found the bug just by code review and test.
However, I would like to slightly modify this patch and add one more patch.
I will send the patch set soon.

> 
> > Signed-off-by: Joonwon Kang <kjw1627@gmail.com>
> 
> Applied; thanks!
> 
> -Kees
> 
> > ---
> >  scripts/gcc-plugins/randomize_layout_plugin.c | 11 +++++------
> >  1 file changed, 5 insertions(+), 6 deletions(-)
> > 
> > diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
> > index 6d5bbd31db7f..a123282a4fcd 100644
> > --- a/scripts/gcc-plugins/randomize_layout_plugin.c
> > +++ b/scripts/gcc-plugins/randomize_layout_plugin.c
> > @@ -443,13 +443,12 @@ static int is_pure_ops_struct(const_tree node)
> >  		if (node == fieldtype)
> >  			continue;
> >  
> > -		if (!is_fptr(fieldtype))
> > -			return 0;
> > -
> > -		if (code != RECORD_TYPE && code != UNION_TYPE)
> > -			continue;
> > +		if (code == RECORD_TYPE || code == UNION_TYPE) {
> > +			if (!is_pure_ops_struct(fieldtype))
> > +				return 0;
> > +		}
> >  
> > -		if (!is_pure_ops_struct(fieldtype))
> > +		if (!is_fptr(fieldtype))
> >  			return 0;
> >  	}
> >  
> > -- 
> > 2.17.1
> > 
> 
> -- 
> Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-27 15:58 [PATCH] randstruct: fix a bug in is_pure_ops_struct() Joonwon Kang
2019-07-30 17:11 ` Kees Cook
2019-07-31 16:25   ` Joonwon Kang

Kernel-hardening archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/kernel-hardening/0 kernel-hardening/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 kernel-hardening kernel-hardening/ https://lore.kernel.org/kernel-hardening \
		kernel-hardening@lists.openwall.com kernel-hardening@archiver.kernel.org
	public-inbox-index kernel-hardening


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.openwall.lists.kernel-hardening


AGPL code for this site: git clone https://public-inbox.org/ public-inbox