Message-ID: <87twlsaw92.fsf@rasmusvillemoes.dk>
Date: Mon, 01 Feb 2016 23:42:01 +0100
From: Rasmus Villemoes <linux@...musvillemoes.dk>
To: kernel-hardening@...ts.openwall.com
Cc: abhiram@...utah.edu, Scott Bauer <sbauer@....utah.edu>
Subject: Re: [RFC PATCH 1/2] SROP Mitigation: Architecture independent code for signal cookies

On Sun, Jan 24 2016, Scott Bauer <sbauer@....utah.edu> wrote:

> This patch adds a per-process secret to the task struct which
> will be used during signal delivery and during a sigreturn.
> Also, logic is added in signal.c to generate, place, extract,
> clear and verify the signal cookie.
>
>
> +static unsigned long gen_sigcookie(unsigned long __user *location)
> +{
> +
> + unsigned long sig_cookie;
> +
> + sig_cookie = (unsigned long) location ^ current->sig_cookie;
> +
> + sig_cookie = hash_long(sig_cookie, sizeof(sig_cookie) * BITS_PER_BYTE);
> +
> + return sig_cookie;
> +}

Is current->sig_cookie supposed to be secret, as in unknown to
userspace? If so, this won't work, as hash_long (with BITS_PER_LONG as
nbits parameter) is invertible (since we've just multiplied by an odd
number and right-shifted by 0). Maybe xoring with some global secret
afterwards would fix this, though I'm not sure.

Rasmus
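Review bot: with nbits == sizeof(sig_cookie) * BITS_PER_BYTE, i.e. BITS_PER_LONG, the hash_long() call in gen_sigcookie() reduces to a multiply by an odd constant followed by a right shift of zero, which is a bijection on unsigned long, so a process that reads one cookie off its own signal frame (and knows the frame address, which is the `location` argument) recovers `current->sig_cookie` by multiplying with the constant's inverse modulo 2^BITS_PER_LONG and XORing with `location`; nothing in this hunk keeps the per-task secret secret from userspace. Mix in material userspace cannot read (a keyed hash such as a boot-time global key folded into the computation, rather than a bare hash_long() of a value the attacker can partly control), and as minor style points in the same hunk, drop the stray blank line after `+{` and write the nbits argument as `BITS_PER_LONG` instead of `sizeof(sig_cookie) * BITS_PER_BYTE`.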
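The inversion described in the reply, carried out as an added example (not code from the patch, the kernel, or the thread's participants): a userspace reimplementation of hash_64() with the odd multiplier from include/linux/hash.h of that era (the constant's value is assumed here; the kernel has since changed it), the patch's gen_sigcookie() with an explicit secret standing in for current->sig_cookie, and the attacker's step that undoes both operations given one cookie and the address it was stored at. The sample secret and stack address are constructed values.

```c
/* Added example: why hash_long(x, BITS_PER_LONG) leaks its input.
 * Userspace reimplementation, not the kernel's or the patch's code. */
#include <stdint.h>
#include <stdio.h>

/* Odd multiplier used by hash_64() in include/linux/hash.h circa 2016
 * (assumed value). Being odd, it has a multiplicative inverse mod 2^64. */
#define GOLDEN_RATIO_PRIME_64 0x9e37fffffffc0001ULL

/* hash_64() reimplemented: multiply, then shift right by (64 - bits).
 * With bits == 64 the shift is by zero and no bits are discarded. */
static uint64_t hash_64_reimpl(uint64_t val, unsigned int bits)
{
	uint64_t hash = val * GOLDEN_RATIO_PRIME_64;
	return hash >> (64 - bits); /* bits must be in 1..64 */
}

/* gen_sigcookie() from the patch, with the per-task secret passed in
 * explicitly instead of read from current->sig_cookie. */
static uint64_t gen_sigcookie_reimpl(uint64_t location, uint64_t secret)
{
	return hash_64_reimpl(location ^ secret, 64);
}

/* Inverse of an odd 64-bit constant modulo 2^64 by Newton iteration:
 * inv = a is correct in its low 3 bits (a*a == 1 mod 8 for odd a) and
 * each step doubles the number of correct bits (3, 6, 12, 24, 48, 96). */
static uint64_t inv_mod_2_64(uint64_t a)
{
	uint64_t inv = a;
	for (int i = 0; i < 6; i++)
		inv *= 2 - a * inv;
	return inv;
}

/* The attacker's step: undo the multiply with the modular inverse,
 * then undo the XOR with the (known) frame address. */
static uint64_t recover_secret(uint64_t cookie, uint64_t location)
{
	return (cookie * inv_mod_2_64(GOLDEN_RATIO_PRIME_64)) ^ location;
}

int main(void)
{
	/* Constructed sample values: a per-task secret and a stack address. */
	uint64_t secret = 0x0123456789abcdefULL;
	uint64_t location = 0x00007ffd12345678ULL;
	uint64_t cookie = gen_sigcookie_reimpl(location, secret);
	uint64_t leaked = recover_secret(cookie, location);

	printf("cookie on frame : %016llx\n", (unsigned long long)cookie);
	printf("recovered secret: %016llx (%s)\n", (unsigned long long)leaked,
	       leaked == secret ? "matches" : "mismatch");
	return leaked == secret ? 0 : 1;
}
```

The same argument applies on 32-bit, where hash_long() becomes hash_32() with an odd 32-bit multiplier and a shift of 32 - 32 = 0; only the width of the modular inverse changes. Truncating with a smaller nbits would discard bits but also shrink the cookie, so it is not a fix either; the secret has to be combined with something userspace cannot read.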