Kernel building with GCC plugins

Kernel building with GCC plugins

Posted Jun 17, 2016 15:36 UTC (Fri) by dskoll (subscriber, #1630)
Parent article: Kernel building with GCC plugins

Does Randomize_layout change only the padding of a structure? Or does it also change the ordering? Because the C standard does guarantee that structure members are laid out in memory in the order they are declared. I'm struggling to think of a use-case for something that changes the order of structure members.


Kernel building with GCC plugins

Posted Jun 21, 2016 12:29 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

I'm not sure, but I imagine it means that exploits would need to discover what the order of structs was before they could exfiltrate data or chain function calls together.

Kernel building with GCC plugins

Posted Jun 21, 2016 15:46 UTC (Tue) by kdave (subscriber, #44472) [Link]

The exploit code searches for a pattern of uid and gid in creds and then overwrites it with zeros (http://lxr.free-electrons.com/source/include/linux/cred.h...). With random layout, the pattern won't be found. Examples:
https://github.com/offensive-security/exploit-database/bl...
https://github.com/offensive-security/exploit-database/bl...

To make such exploits "work" and not hang, a fake copy of the credentials can be added to the expected location; all updates to the true creds would update both values. This needs more changes to code, so it's out of scope of the plugin.

Kernel building with GCC plugins

Posted Jan 4, 2017 6:12 UTC (Wed) by kaiwantech (subscriber, #108966) [Link] (1 responses)

Won't changing the order of members in a structure adversely affect CPU caching (thus violating the 'keep important/hotspot members together and at the top' rule)? AFAIK there are several instances of data structures in the kernel codebase which rely on a particular ordering, if nothing else then for cache optimization.

Kernel building with GCC plugins

Posted Jan 4, 2017 6:39 UTC (Wed) by kaiwantech (subscriber, #108966) [Link]

Okay, looks like I found the answer to my question (above) in a comment by 'joib' here [ https://lwn.net/Articles/705262/ ]:
"[...] It says in the article that it only affects structs which contain only function pointers (which all have the same size, AFAICS). Furthermore, the slides say that it can be configured to randomize only within a cache line."
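An added illustration, not code from this thread or from the kernel's plugin, of the two points in the quoted comment: members of a struct made only of equally sized function pointers can be permuted without changing the struct's size, and the permutation can be confined to each 64-byte cache line so hot members stay together. The 8-byte pointer size, the xorshift shuffle and the seed are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#define CACHE_LINE  64
#define PTR_SIZE    8   /* assumed 64-bit target: every function pointer is 8 bytes */
#define LINE_SLOTS  (CACHE_LINE / PTR_SIZE)
#define MAX_MEMBERS 64

/* Fisher-Yates shuffle of slot[lo..hi) driven by xorshift32 (deterministic so a
 * run is reproducible; a real build would seed from a per-build secret). */
static void shuffle_range(int *slot, int lo, int hi, uint32_t *s)
{
    for (int i = hi - 1; i > lo; i--) {
        *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;   /* xorshift32 step */
        int j = lo + (int)(*s % (uint32_t)(i - lo + 1));
        int t = slot[i]; slot[i] = slot[j]; slot[j] = t;
    }
}

/* Randomize the order of n equally sized function-pointer members. On return
 * slot[k] is the index of the original member now sitting in slot k; with
 * per_line != 0 a member may only move within its original cache line. */
int randomize_fp_layout(int n, int per_line, uint32_t seed, int *slot)
{
    if (n <= 0 || n > MAX_MEMBERS || seed == 0)
        return -1;
    for (int k = 0; k < n; k++)
        slot[k] = k;
    int step = per_line ? LINE_SLOTS : n;       /* shuffle per line or as a whole */
    for (int lo = 0; lo < n; lo += step)
        shuffle_range(slot, lo, lo + step < n ? lo + step : n, &seed);
    return 0;
}

/* 1 if every member still lies in the cache line it was declared in. */
int layout_keeps_cache_lines(const int *slot, int n)
{
    for (int k = 0; k < n; k++)
        if ((k * PTR_SIZE) / CACHE_LINE != (slot[k] * PTR_SIZE) / CACHE_LINE)
            return 0;
    return 1;
}

/* 1 if slot[] places every member exactly once: size unchanged, only offsets differ. */
int layout_is_permutation(const int *slot, int n)
{
    int seen[MAX_MEMBERS] = {0};
    for (int k = 0; k < n; k++)
        if (slot[k] < 0 || slot[k] >= n || seen[slot[k]]++)
            return 0;
    return 1;
}
```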


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds