Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 01 Feb 2016 23:42:01 +0100
From: Rasmus Villemoes <linux@...musvillemoes.dk>
To: kernel-hardening@...ts.openwall.com
Cc: abhiram@...utah.edu,  Scott Bauer <sbauer@....utah.edu>
Subject: Re: [RFC PATCH 1/2] SROP Mitigation: Architecture independent code for signal cookies

On Sun, Jan 24 2016, Scott Bauer <sbauer@....utah.edu> wrote:

> This patch adds a per-process secret to the task struct which
> will be used during signal delivery and during a sigreturn.
> Also, logic is added in signal.c to generate, place, extract,
> clear and verify the signal cookie.
>
>  
> +static unsigned long gen_sigcookie(unsigned long __user *location)
> +{
> +
> +	unsigned long sig_cookie;
> +
> +	sig_cookie = (unsigned long) location ^ current->sig_cookie;
> +
> +	sig_cookie = hash_long(sig_cookie, sizeof(sig_cookie) * BITS_PER_BYTE);
> +
> +	return sig_cookie;
> +}

Is current->sig_cookie supposed to be secret, as in unknown to
userspace? If so, this won't work, as hash_long (with BIT_PER_LONG as
nbits parameter) is invertible (since we've just multiplied by an odd
number and right-shifted by 0). Maybe xoring with some global secret
afterwards would fix this, though I'm not sure.

Rasmus

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.