Date: Mon, 17 Jul 2017 13:24:35 -0700
From: Kees Cook
To: Linus Torvalds
Cc: linux-kernel@vger.kernel.org
Subject: [GIT PULL] gcc-plugins updates for v4.13-rc2
Message-ID: <20170717202435.GA55380@beast>

Hi,

Please pull these gcc-plugins changes for v4.13-rc2. Now that IPC and other trees have landed, it's sensible to pull the manual markings portion of randstruct. This is the rest of what was staged in -next for the gcc-plugins, and comes in three patches, largest first:

- mark "easy" structs with __randomize_layout
- mark task_struct with an optional anonymous struct to isolate the
  __randomize_layout section
- mark structs to opt _out_ of automated marking (which will come later)

Various (trivial) merge conflicts exist due to additions to structures.
Since there were more than a couple, I thought I'd just send along how I solved the conflicts when I did the merge to your tree this morning, if it helps: diff --cc fs/proc/internal.h index 18694598bebf,07b16318223f..aa2b89071630 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@@ -67,10 -67,10 +67,10 @@@ struct proc_inode struct proc_dir_entry *pde; struct ctl_table_header *sysctl; struct ctl_table *sysctl_entry; - struct list_head sysctl_inodes; + struct hlist_node sysctl_inodes; const struct proc_ns_operations *ns_ops; struct inode vfs_inode; - }; + } __randomize_layout; /* * General functions diff --cc include/linux/fs.h index 7b5d6816542b,8f28143486c4..6e1fd5d21248 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@@ -295,8 -275,7 +295,8 @@@ struct kiocb void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); void *private; int ki_flags; + enum rw_hint ki_hint; - }; + } __randomize_layout; static inline bool is_sync_kiocb(struct kiocb *kiocb) { @@@ -403,8 -392,7 +403,8 @@@ struct address_space gfp_t gfp_mask; /* implicit gfp mask for allocations */ struct list_head private_list; /* ditto */ void *private_data; /* ditto */ + errseq_t wb_err; - } __attribute__((aligned(sizeof(long)))); + } __attribute__((aligned(sizeof(long)))) __randomize_layout; /* * On most architectures that alignment is already the case; but * must be enforced here for CRIS, to let the least significant bit @@@ -882,8 -868,8 +882,9 @@@ struct file struct list_head f_tfile_llink; #endif /* #ifdef CONFIG_EPOLL */ struct address_space *f_mapping; + errseq_t f_wb_err; - } __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */ + } __randomize_layout + __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */ struct file_handle { __u32 handle_bytes; diff --cc include/linux/ipc.h index 5591f055e13f,ea0eb0b5f98c..fadd579d577d --- a/include/linux/ipc.h +++ b/include/linux/ipc.h @@@ -20,9 -20,6 +20,9 @@@ struct kern_ipc_perm umode_t mode; unsigned 
long seq; void *security; + + struct rcu_head rcu; + atomic_t refcount; - } ____cacheline_aligned_in_smp; + } ____cacheline_aligned_in_smp __randomize_layout; #endif /* _LINUX_IPC_H */ diff --cc include/linux/sem.h index be5cf2ea14ad,23bcbdfad4a6..de2deb8676bd --- a/include/linux/sem.h +++ b/include/linux/sem.h @@@ -39,9 -21,7 +39,9 @@@ struct sem_array int sem_nsems; /* no. of semaphores in array */ int complex_count; /* pending complex operations */ unsigned int use_global_lock;/* >0: global lock required */ + + struct sem sems[]; - }; + } __randomize_layout; #ifdef CONFIG_SYSVIPC And, FWIW, this continues to pass allmodconfig (normal and patched to enable gcc-plugins) builds of x86_64, i386, arm64, arm, powerpc, and s390 for me. Thanks! -Kees The following changes since commit ffa47aa678cfaa9b88e8a26cfb115b4768325121: ARM: Prepare for randomized task_struct (2017-06-30 12:00:50 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/gcc-plugins-v4.13-rc2 for you to fetch changes up to 8acdf5055974e49d337d51ac7011449cfd7b7d05: randstruct: opt-out externally exposed function pointer structs (2017-06-30 12:00:52 -0700) ---------------------------------------------------------------- Now that IPC and other changes have landed, enable manual markings for randstruct plugin, including the task_struct. 
----------------------------------------------------------------
Kees Cook (3):
      randstruct: Mark various structs for randomization
      task_struct: Allow randomized layout
      randstruct: opt-out externally exposed function pointer structs

 arch/arm/include/asm/cacheflush.h     |  2 +-
 arch/x86/include/asm/paravirt_types.h | 16 ++++++++--------
 arch/x86/include/asm/processor.h      |  2 +-
 fs/mount.h                            |  4 ++--
 fs/namei.c                            |  2 +-
 fs/proc/internal.h                    |  6 +++---
 include/linux/binfmts.h               |  4 ++--
 include/linux/cdev.h                  |  2 +-
 include/linux/compiler-gcc.h          | 13 ++++++++++++-
 include/linux/compiler.h              |  5 +++++
 include/linux/cred.h                  |  4 ++--
 include/linux/dcache.h                |  2 +-
 include/linux/fs.h                    | 17 +++++++++--------
 include/linux/fs_struct.h             |  2 +-
 include/linux/ipc.h                   |  2 +-
 include/linux/ipc_namespace.h         |  2 +-
 include/linux/key-type.h              |  4 ++--
 include/linux/kmod.h                  |  2 +-
 include/linux/kobject.h               |  2 +-
 include/linux/lsm_hooks.h             |  4 ++--
 include/linux/mm_types.h              |  4 ++--
 include/linux/module.h                |  4 ++--
 include/linux/mount.h                 |  2 +-
 include/linux/msg.h                   |  2 +-
 include/linux/path.h                  |  2 +-
 include/linux/pid_namespace.h         |  2 +-
 include/linux/proc_ns.h               |  2 +-
 include/linux/sched.h                 | 16 +++++++++++++++-
 include/linux/sched/signal.h          |  2 +-
 include/linux/sem.h                   |  2 +-
 include/linux/shm.h                   |  2 +-
 include/linux/sysctl.h                |  2 +-
 include/linux/tty.h                   |  2 +-
 include/linux/tty_driver.h            |  4 ++--
 include/linux/user_namespace.h        |  2 +-
 include/linux/utsname.h               |  2 +-
 include/net/af_unix.h                 |  2 +-
 include/net/neighbour.h               |  2 +-
 include/net/net_namespace.h           |  2 +-
 include/net/sock.h                    |  2 +-
 kernel/futex.c                        |  4 ++--
 security/keys/internal.h              |  2 +-
 42 files changed, 97 insertions(+), 66 deletions(-)

-- 
Kees Cook
Pixel Security
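
Review bot: In the include/linux/fs.h hunks the placement of __randomize_layout relative to the alignment attribute is inconsistent: struct address_space closes with `} __attribute__((aligned(sizeof(long)))) __randomize_layout;` while struct file closes with `} __randomize_layout` followed by `__attribute__((aligned(4)));` on the next line, and kern_ipc_perm in include/linux/ipc.h puts the marker after ____cacheline_aligned_in_smp. Suggest one order throughout the resolution (for example, the marker last, after any alignment attribute) so the marked structs are easy to grep for and audit.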
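
Review bot: In the include/linux/sem.h hunk, struct sem_array is marked __randomize_layout while its final member is the flexible array `struct sem sems[];`, which C requires to stay last in the struct. Suggest a short comment at the closing brace, or a line in the merge notes, confirming that randomization leaves a trailing flexible array in place, so the constraint is visible to anyone who later adds members around it.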