[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Nov 2017 13:05:00 +1100
From: "Tobin C. Harding" <me@...in.cc>
To: kernel-hardening@...ts.openwall.com
Cc: "Tobin C. Harding" <me@...in.cc>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"Jason A. Donenfeld" <Jason@...c4.com>, Theodore Ts'o <tytso@....edu>,
Kees Cook <keescook@...omium.org>, Paolo Bonzini <pbonzini@...hat.com>,
Tycho Andersen <tycho@...ho.ws>, "Roberts,
William C" <william.c.roberts@...el.com>, Tejun Heo <tj@...nel.org>,
Jordan Glover <Golden_Miller83@...tonmail.ch>,
Greg KH <gregkh@...uxfoundation.org>, Petr Mladek <pmladek@...e.com>,
Joe Perches <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <wilal.deacon@....com>, Steven Rostedt <rostedt@...dmis.org>,
Chris Fries <cfries@...gle.com>, Dave Weinstein <olorin@...gle.com>,
Daniel Micay <danielmicay@...il.com>, Djalal Harouni <tixxdz@...il.com>,
Radim Krčmář <rkrcmar@...hat.com>,
linux-kernel@...r.kernel.org,
Network Development <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
Stephen Rothwell <sfr@...b.auug.org.au>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH V11 0/5] hash addresses printed with %p
Currently there exist approximately 14 000 places in the Kernel where
addresses are being printed using an unadorned %p. This potentially
leaks sensitive information regarding the Kernel layout in memory. Many
of these calls are stale, instead of fixing every call lets hash the
address by default before printing. This will of course break some
users, forcing code printing needed addresses to be updated. We can add
a printk specifier for this purpose (%px) to give developers a clear
upgrade path for breakages caused by applying this patch set.
The added advantage of hashing %p is that security is now opt-out, if
you _really_ want the address you have to work a little harder and use
%px.
The idea for creating the printk specifier %px to print the actual
address was suggested by Kees Cook (see below for email threads by
subject).
Newbie question: I don't know who is potentially going to want to apply
this, I've CC'd Andrew Morton. I'm guessing this should go into
linux-next so we can see what breaks? I do not know exactly how code
gets into linux-next. I've CC'd Stephen Rothwell.
Here is the behaviour that this series implements.
For kpt_restrict==0
Randomness not ready:
printed with %p: (ptrval) # NOTE: with padding
Valid pointer:
printed with %pK: deadbeefdeadbeef
printed with %p: 00000000deadbeef
malformed specifier (eg %i): 00000000deadbeef
NULL pointer:
printed with %pK: 0000000000000000
printed with %p: (null) # NOTE: with padding
malformed specifier (eg %i): (null)
For kpt_restrict==2
Valid pointer:
printed with %pK: 0000000000000000
All other output as for kptr_restrict==0
V11:
- Add patch fixing %pK documentation.
- Refactor %pK as a separate patch.
- Add patch adding printk specifier %px, which prints the actual
address (i.e replaces original %p behaviour).
- Use %px for KASAN patch.
V10:
- Add patch so KASAN uses %pK instead of %p.
- Add documentation to Documentation/printk-formats.txt
- Add tests to lib/test_printf.c
- Change "(pointer value)" -> "(ptrval)" to fit within columns on 32
bit machines.
V9:
- Drop the initial patch from V8, leaving null pointer handling as is.
- Print the hashed ID _without_ a '0x' suffix.
- Mask the first 32 bits of the hashed ID to all zeros on 64 bit
architectures.
V8:
- Add second patch cleaning up null pointer printing in pointer()
- Move %pK handling to separate function, further cleaning up pointer()
- Move ptr_to_id() call outside of switch statement making hashing
the default behaviour (including malformed specifiers).
- Remove use of static_key, replace with simple boolean.
V7:
- Use tabs instead of spaces (ouch!).
V6:
- Use __early_initcall() to fill the SipHash key.
- Use static keys to guard hashing before the key is available.
V5:
- Remove spin lock.
- Add Jason A. Donenfeld to CC list by request.
- Add Theodore Ts'o to CC list due to comment on previous version.
V4:
- Remove changes to siphash.{ch}
- Do word size check, and return value cast, directly in ptr_to_id().
- Use add_ready_random_callback() to guard call to get_random_bytes()
V3:
- Use atomic_xchg() to guard setting [random] key.
- Remove erroneous white space change.
V2:
- Use SipHash to do the hashing.
The discussion related to this patch has been fragmented. There are
three threads associated with this patch. Email threads by subject:
[PATCH 0/5] add printk specifier %px, unique identifier
[PATCH] printk: hash addresses printed with %p
[PATCH 0/3] add %pX specifier
[kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options
Tobin C. Harding (5):
docs: correct documentation for %pK
vsprintf: refactor %pK code out of pointer()
printk: hash addresses printed with %p
vsprintf: add printk specifier %px
kasan: use %px to print addresses instead of %p
Documentation/printk-formats.txt | 31 ++++++-
lib/test_printf.c | 108 ++++++++++++++--------
lib/vsprintf.c | 194 +++++++++++++++++++++++++++++----------
mm/kasan/report.c | 8 +-
scripts/checkpatch.pl | 2 +-
5 files changed, 248 insertions(+), 95 deletions(-)
--
2.7.4
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
