Skip to content


netns: provide pure entropy for net_hash_mix()
Browse files Browse the repository at this point in the history
net_hash_mix() currently uses kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, &init_net is
not dynamically allocated)

I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.

Also provide entropy regardless of CONFIG_NET_NS.

Fixes: 0b44191 ("netns: introduce the net_hash_mix "salt" for hashes")
Signed-off-by: Eric Dumazet <>
Reported-by: Amit Klein <>
Reported-by: Benny Pinkas <>
Cc: Pavel Emelyanov <>
Signed-off-by: David S. Miller <>
  • Loading branch information
Eric Dumazet authored and davem330 committed Mar 29, 2019
1 parent 6289d0f commit 355b985
Show file tree
Hide file tree
Showing 3 changed files with 4 additions and 8 deletions.
1 change: 1 addition & 0 deletions include/net/net_namespace.h
Expand Up @@ -59,6 +59,7 @@ struct net {
spinlock_t rules_mod_lock;

u32 hash_mix;
atomic64_t cookie_gen;

struct list_head list; /* list of network namespaces */
Expand Down
10 changes: 2 additions & 8 deletions include/net/netns/hash.h
Expand Up @@ -2,16 +2,10 @@
#ifndef __NET_NS_HASH_H__
#define __NET_NS_HASH_H__

#include <asm/cache.h>

struct net;
#include <net/net_namespace.h>

static inline u32 net_hash_mix(const struct net *net)
return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
return 0;
return net->hash_mix;
1 change: 1 addition & 0 deletions net/core/net_namespace.c
Expand Up @@ -304,6 +304,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)

refcount_set(&net->count, 1);
refcount_set(&net->passive, 1);
get_random_bytes(&net->hash_mix, sizeof(u32));
net->dev_base_seq = 1;
net->user_ns = user_ns;
Expand Down

0 comments on commit 355b985

Please sign in to comment.