Skip to content
Browse files
netns: provide pure entropy for net_hash_mix()
net_hash_mix() currently uses kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, &init_net is
not dynamically allocated)

I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.

Also provide entropy regardless of CONFIG_NET_NS.

Fixes: 0b44191 ("netns: introduce the net_hash_mix "salt" for hashes")
Signed-off-by: Eric Dumazet <>
Reported-by: Amit Klein <>
Reported-by: Benny Pinkas <>
Cc: Pavel Emelyanov <>
Signed-off-by: David S. Miller <>
  • Loading branch information
Eric Dumazet authored and davem330 committed Mar 29, 2019
1 parent 6289d0f commit 355b98553789b646ed97ad801a619ff898471b92
Showing with 4 additions and 8 deletions.
  1. +1 −0 include/net/net_namespace.h
  2. +2 −8 include/net/netns/hash.h
  3. +1 −0 net/core/net_namespace.c
@@ -59,6 +59,7 @@ struct net {
spinlock_t rules_mod_lock;

u32 hash_mix;
atomic64_t cookie_gen;

struct list_head list; /* list of network namespaces */
@@ -2,16 +2,10 @@
#ifndef __NET_NS_HASH_H__
#define __NET_NS_HASH_H__

#include <asm/cache.h>

struct net;
#include <net/net_namespace.h>

static inline u32 net_hash_mix(const struct net *net)
return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
return 0;
return net->hash_mix;
@@ -304,6 +304,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)

refcount_set(&net->count, 1);
refcount_set(&net->passive, 1);
get_random_bytes(&net->hash_mix, sizeof(u32));
net->dev_base_seq = 1;
net->user_ns = user_ns;

0 comments on commit 355b985

Please sign in to comment.