[PATCH] uts: Don't randomize "struct uts_namespace".

[PATCH] uts: Don't randomize "struct uts_namespace".

[Tetsuo Handa]

I noticed that makedumpfile utility is failing to check kernel version, for
it depends on offset of "struct uts_namespace"->name being sizeof(int).

----------
int
check_release(void)
{
	unsigned long utsname;

	/*
	 * Get the kernel version.
	 */
	if (SYMBOL(system_utsname) != NOT_FOUND_SYMBOL) {
		utsname = SYMBOL(system_utsname);
	} else if (SYMBOL(init_uts_ns) != NOT_FOUND_SYMBOL) {
		utsname = SYMBOL(init_uts_ns) + sizeof(int);
	} else {
		ERRMSG("Can't get the symbol of system_utsname.\n");
		return FALSE;
	}
	if (!readmem(VADDR, utsname, &info->system_utsname,
					sizeof(struct utsname))) {
		ERRMSG("Can't get the address of system_utsname.\n");
		return FALSE;
	}
----------

Since there is no way to tell the offset to userspace, let's not randomize
"struct uts_namespace".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 3859a271a003aba0 ("randstruct: Mark various structs for randomization")
Cc: stable <stable@vger.kernel.org> # v4.13+
---
 include/linux/utsname.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/utsname.h b/include/linux/utsname.h
index 44429d9..85c206f 100644
--- a/include/linux/utsname.h
+++ b/include/linux/utsname.h
@@ -27,7 +27,7 @@ struct uts_namespace {
 	struct user_namespace *user_ns;
 	struct ucounts *ucounts;
 	struct ns_common ns;
-} __randomize_layout;
+};
 extern struct uts_namespace init_uts_ns;
 
 #ifdef CONFIG_UTS_NS
-- 
1.8.3.1

Re: [PATCH] uts: Don't randomize "struct uts_namespace".

[Linus Torvalds]

On Fri, Jul 6, 2018 at 3:07 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> I noticed that makedumpfile utility is failing to check kernel version, for
> it depends on offset of "struct uts_namespace"->name being sizeof(int).

For something like this, we fix makedumpfile instead. This is not a
"user program" using system calls etc, this is something that delves
into the kernel dump and tries to make sense of it.

Where is the makedumpfile source code? What is it trying to do, and why?

One option is to just say "hey, you can't make much sense of a
randomized kernel dump anyway, so don't even try".

                 Linus

Re: [PATCH] uts: Don't randomize "struct uts_namespace".

[Tetsuo Handa]

Hello Ken'ichi,

I noticed that makedumpfile ( https://sourceforge.net/p/makedumpfile/code/ )
can no longer detect kernel version correctly because "struct uts_namespace"
(which is exposed to userspace via vmcoreinfo) is subjected to randomization
by GCC_PLUGIN_RANDSTRUCT kernel config option since 4.13.

The code was introduced by below commit.

  commit bfc8fe181c822ad0d8495ceda3c7109a407192f0
  Author: ken1_ohmichi <ken1_ohmichi>
  Date:   Fri Dec 22 07:41:14 2006 +0000

      linux-2.6.19 support.
      On linux-2.6.18 or former, the release information could be gotten from
      the symbol "system_utsname". But on linux-2.6.19, it can be done from the
      symbol "init_uts_ns". A new makedumpfile can get the release information
      from the existing symbol.

Can you detect kernel version without using "struct uts_namespace" ?

On 2018/07/07 1:11, Linus Torvalds wrote:
> On Fri, Jul 6, 2018 at 3:07 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>
>> I noticed that makedumpfile utility is failing to check kernel version, for
>> it depends on offset of "struct uts_namespace"->name being sizeof(int).
> 
> For something like this, we fix makedumpfile instead. This is not a
> "user program" using system calls etc, this is something that delves
> into the kernel dump and tries to make sense of it.
> 
> Where is the makedumpfile source code? What is it trying to do, and why?
> 
> One option is to just say "hey, you can't make much sense of a
> randomized kernel dump anyway, so don't even try".
> 
>                  Linus
> 

Re: [PATCH] uts: Don't randomize "struct uts_namespace".

[Kees Cook]

On Fri, Jul 6, 2018 at 9:11 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Jul 6, 2018 at 3:07 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>
>> I noticed that makedumpfile utility is failing to check kernel version, for
>> it depends on offset of "struct uts_namespace"->name being sizeof(int).
>
> For something like this, we fix makedumpfile instead. This is not a
> "user program" using system calls etc, this is something that delves
> into the kernel dump and tries to make sense of it.
>
> Where is the makedumpfile source code? What is it trying to do, and why?
>
> One option is to just say "hey, you can't make much sense of a
> randomized kernel dump anyway, so don't even try".

I would second this -- trying to deal with a randomized layout kernel
dump is going to be much worse than just looking at uts_namespace. :)

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH] uts: Don't randomize "struct uts_namespace".

[Tetsuo Handa]

I'm waiting for response from makedumpfile developers.

But makedumpfile is a tool for saving kernel crash dump.
If makedumpfile cannot work, we cannot use kernel crash dump.

On 2018/07/07 8:19, Kees Cook wrote:
> On Fri, Jul 6, 2018 at 9:11 AM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> On Fri, Jul 6, 2018 at 3:07 AM Tetsuo Handa
>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>>
>>> I noticed that makedumpfile utility is failing to check kernel version, for
>>> it depends on offset of "struct uts_namespace"->name being sizeof(int).
>>
>> For something like this, we fix makedumpfile instead. This is not a
>> "user program" using system calls etc, this is something that delves
>> into the kernel dump and tries to make sense of it.
>>
>> Where is the makedumpfile source code? What is it trying to do, and why?
>>
>> One option is to just say "hey, you can't make much sense of a
>> randomized kernel dump anyway, so don't even try".
> 
> I would second this -- trying to deal with a randomized layout kernel
> dump is going to be much worse than just looking at uts_namespace. :)
> 
> -Kees
> 

Re: [PATCH] uts: Don't randomize "struct uts_namespace".

[Eric W. Biederman]

Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> writes:

> I'm waiting for response from makedumpfile developers.
>
> But makedumpfile is a tool for saving kernel crash dump.
> If makedumpfile cannot work, we cannot use kernel crash dump.

I suspect the version string is comparable in size to the pointer to the
version string and as such would be a better candidate to include in the
handful of elf notes we provide for the mkdumpfile & it's ilk to bootstram.

I assume getting the kernel's version string will be enough to track
back to an individual vmlinux and figure out the layout of everything
else.

Eric

RE: [PATCH] uts: Don't randomize "struct uts_namespace".

[Kazuhito Hagio]

Hi Tetsuo,

Thanks for your report.

On Friday, July 6, 2018 7:10 PM, Tetsuo Handa wrote:
> Hello Ken'ichi,
> 
> I noticed that makedumpfile ( https://sourceforge.net/p/makedumpfile/code/ )
> can no longer detect kernel version correctly because "struct uts_namespace"
> (which is exposed to userspace via vmcoreinfo) is subjected to randomization
> by GCC_PLUGIN_RANDSTRUCT kernel config option since 4.13.
> 
> The code was introduced by below commit.
> 
>   commit bfc8fe181c822ad0d8495ceda3c7109a407192f0
>   Author: ken1_ohmichi <ken1_ohmichi>
>   Date:   Fri Dec 22 07:41:14 2006 +0000
> 
>       linux-2.6.19 support.
>       On linux-2.6.18 or former, the release information could be gotten from
>       the symbol "system_utsname". But on linux-2.6.19, it can be done from the
>       symbol "init_uts_ns". A new makedumpfile can get the release information
>       from the existing symbol.
> 
> Can you detect kernel version without using "struct uts_namespace" ?

makedumpfile needs a whole "struct new_utsname" data in "struct uts_namespace"
because it has to write the data out to dump file header, so we need to add
the offset of uts_namespace.name to vmcoreinfo or get it from vmlinux.
But I'm not sure whether it is all to get makedumpfile working well with the
randomization, e.g. some additional offset exposures might be needed.

And I saw a report to the crash utility mailing list that crash also couldn't
work with the randomization due to a vmlinux issue, so if it is still not fixed,
even if makedumpfile (and kernel) is fixed, we cannot use crash.

* [Crash-utility] Using crash with structure layout randomized kernel
  https://www.redhat.com/archives/crash-utility/2018-January/thread.html#00035

Thanks,
Kazu

> 
> On 2018/07/07 1:11, Linus Torvalds wrote:
> > On Fri, Jul 6, 2018 at 3:07 AM Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >>
> >> I noticed that makedumpfile utility is failing to check kernel version, for
> >> it depends on offset of "struct uts_namespace"->name being sizeof(int).
> >
> > For something like this, we fix makedumpfile instead. This is not a
> > "user program" using system calls etc, this is something that delves
> > into the kernel dump and tries to make sense of it.
> >
> > Where is the makedumpfile source code? What is it trying to do, and why?
> >
> > One option is to just say "hey, you can't make much sense of a
> > randomized kernel dump anyway, so don't even try".
> >
> >                  Linus
> >
>