Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

security: don't treat structure as an array of struct hlist_head

The initialization of "security_hook_heads" is done by casting it to
another structure pointer type, and treating it as an array of "struct
hlist_head" objects. This requires an exception be made in "randstruct",
because otherwise it will emit an error, reducing the effectiveness of
the hardening technique.

Instead of using a cast, initialize the individual struct hlist_head
elements in security_hook_heads explicitly. This removes the need for
the cast and randstruct exception.

Signed-off-by: Bill Wendling <morbo@google.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220407175930.471870-1-morbo@google.com

authored by Bill Wendling and committed by Kees Cook
75c1182e 1109a5d9

+4 -7
-2
scripts/gcc-plugins/randomize_layout_plugin.c
··· 52 52 { "net/unix/af_unix.c", "unix_skb_parms", "char" }, 53 53 /* big_key payload.data struct splashing */ 54 54 { "security/keys/big_key.c", "path", "void *" }, 55 - /* walk struct security_hook_heads as an array of struct hlist_head */ 56 - { "security/security.c", "hlist_head", "security_hook_heads" }, 57 55 { } 58 56 }; 59 57
+4 -5
security/security.c
··· 365 365 366 366 int __init early_security_init(void) 367 367 { 368 - int i; 369 - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; 370 368 struct lsm_info *lsm; 371 369 372 - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); 373 - i++) 374 - INIT_HLIST_HEAD(&list[i]); 370 + #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ 371 + INIT_HLIST_HEAD(&security_hook_heads.NAME); 372 + #include "linux/lsm_hook_defs.h" 373 + #undef LSM_HOOK 375 374 376 375 for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { 377 376 if (!lsm->enabled)
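Review bot: In scripts/gcc-plugins/randomize_layout_plugin.c, dropping the { "security/security.c", "hlist_head", "security_hook_heads" } whitelist entry is only safe if the cast removed from early_security_init() was the last place in that file that treats security_hook_heads as struct hlist_head. The commit message does not say whether a build with the randstruct plugin enabled was run to confirm that no cast error remains. Suggest stating that in the message so the removal of the exception is verifiable.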
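Review bot: In early_security_init() in security/security.c, the new LSM_HOOK expansion initializes only the members that lsm_hook_defs.h names, whereas the removed loop covered all of sizeof(security_hook_heads). Suggest a one-line comment above the #define stating that every member of security_hook_heads is expected to be generated from that header, so a member added some other way is not silently skipped. As a style point, #include "linux/lsm_hook_defs.h" uses quotes; headers under linux/ are normally included with angle brackets, as in <linux/lsm_hook_defs.h>.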